
Why can't I open a file using impersonation on a remote machine?

I have a WCF service written in C# being hosted on a remote machine, running as the local administrator account. From my machine, logged in as an Active Directory user, I am sending a command that simply tells it to open a file on the network. I have access to the file, but the administrator account on the host machine does not. I'm using the [OperationBehavior(Impersonation=ImpersonationOption.Required)] attribute on the method that requires impersonation, and I have the credential type and security modes set correctly. I can verify that the account is indeed being impersonated by comparing Windows identities, but I still get an access denied exception. I'm thinking it has something to do with Active Directory not authenticating the impersonated user. Is there something I'm missing?

You are entering the domain of Kerberos security and two-hop authentication.
You have two options:

  • Take the red pill: try to get two-hop authentication to work. Make sure you have at least a Windows Server 2003 domain, time properly synchronized between all machines, and set up proper delegation for the specific user/computer accounts. If you're really "lucky" you'll have to configure SPNs with SetSPN.

  • Take the blue pill: forget two-hop authentication, run the WCF service under an account that has just enough rights, and check authorization in an earlier step.

Forgive my frustration, but I do think that my brief experience with this topic has cost me at least 10 years of my life. I hate to see that happen to anyone else. Anyway, this post should give you enough Google keywords if you're feeling brave.

Event log and network monitor are useful for debugging...

You also probably need to set up delegation from the web server to the file server. This will allow the file server to trust credentials that the web server has validated. See this MSDN article on how to set up delegation for your application, particularly the section on configuring AD.
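Both answers above come down to the same distinction: the impersonated token the service gets from the caller is either good for local resources only (an "Impersonation"-level token) or good for a second network hop to the file server (a "Delegation"-level token, which only exists once Kerberos delegation is configured for the service account and the caller is not marked "sensitive, cannot be delegated"). The following is an added example, not code from the original question or either answer, showing how a WCF operation can check which kind of token it actually received before touching the share (the "red pill" diagnostic), next to the "blue pill" variant that never impersonates and instead authorizes the caller explicitly and opens the file under the service's own least-privilege identity. The service contract, the group name `CONTOSO\FileReaders` and the share root `\\fileserver\data` are assumptions made up for the example.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string ReadFirstLineImpersonated(string uncPath);

    [OperationContract]
    string ReadFirstLineAsService(string uncPath);
}

public class FileService : IFileService
{
    // Hypothetical share root and AD group used by the "blue pill" method below.
    private const string AllowedRoot = @"\\fileserver\data\";
    private const string ReaderGroup = @"CONTOSO\FileReaders";

    // Red pill: the caller is impersonated. Before the first network access,
    // inspect the impersonation level of the token we are running under.
    // Impersonation-level tokens work for local resources only; reaching the
    // file server (the second hop) needs a Delegation-level token. If the
    // level is wrong, the access-denied error is a delegation/SPN problem,
    // not a permissions problem on the file itself.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadFirstLineImpersonated(string uncPath)
    {
        WindowsIdentity current = WindowsIdentity.GetCurrent();
        if (current.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException(
                $"Running as {current.Name} with a {current.ImpersonationLevel}-level token; " +
                "a Delegation-level token is required to open a file on another host. " +
                "Check the service account's delegation settings, its SPNs, clock skew, " +
                "and whether the caller is marked 'sensitive, cannot be delegated'.");
        }

        using (var reader = new StreamReader(uncPath))
        {
            return reader.ReadLine();
        }
    }

    // Blue pill: no impersonation at all. The service account itself has read
    // access to the share (and nothing more); authorization is decided here,
    // against the caller's identity, before the file is opened.
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string ReadFirstLineAsService(string uncPath)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            throw new FaultException("Caller must be authenticated.");
        }

        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(ReaderGroup))
        {
            throw new FaultException($"{caller.Name} is not authorized to read files.");
        }

        // Because the file is opened with the service's own rights, the path
        // must be constrained to the intended share; otherwise any authorized
        // caller could read anything the service account can reach.
        string fullPath = Path.GetFullPath(uncPath);
        if (!fullPath.StartsWith(AllowedRoot, StringComparison.OrdinalIgnoreCase))
        {
            throw new FaultException("Path is outside the permitted share.");
        }

        using (var reader = new StreamReader(fullPath))
        {
            return reader.ReadLine();
        }
    }
}
```

With the impersonated variant, the fault message tells you immediately whether you are chasing a file ACL or the double-hop setup: a client whose comparison of Windows identities "looks right" but whose token level reads `Impersonation` cannot succeed on the second hop no matter what the share permissions say. The non-impersonating variant is the one the first answer recommends; its cost is the explicit authorization check and the path restriction, which the service must now enforce itself because the file server no longer sees the end user.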
