Application pool identity or Impersonation

(A question of similar vein has been asked before but both the question and the accepted answer do not provide the detail I am looking for)

With the intention of running an asmx web service under a dedicated domain account, what are the usage scenarios and/or pros and cons of using an Application Pool with the identity of the domain account versus Impersonation?

We have 3 small internal web services that run under relatively low load and we would like to switch them to running under their own domain accounts (for the purpose of integrated security with SQL Server etc). I appear to have the choice of creating dedicated app pools for each application, or having a single app pool for all the applications and using impersonation in each.

I understand app pools provide worker process isolation and there are considerations for performance when using impersonation, however those aside what else would dictate the correct option?

Typically, you will choose a different identity for the worker process (or do ASP.NET impersonation) because there is a need to access local/network resources that need specific permissions. The obvious disadvantage is that your application code may run under more permissions than it may need, thereby increasing the vulnerability to malicious attacks.

ASP.NET impersonation would have more overhead because the user context needs to be switched for each request. I would suggest going with the separate app pool approach - the only disadvantage with the app pool approach is that you have a process for each one of them and so there will be overhead (from the OS perspective) for each process. If your applications are smaller and don't have strong memory demands then this should not be an issue.

If you want your web services to connect to SQL via Windows authentication, you will almost certainly want to set up each application with the dedicated app pool option. This requires the least amount of setup and administration.

If you go the impersonation route, you'll need to account for the "two-hop" issue. When a user calls a web service that is using impersonation, the web service can access local resources as that user. However, if the web service tries to connect to a non-local resource (e.g., a database running on a separate server), the result will be an authentication error. The reason is that NTLM prevents your credentials from making more than one "hop". To work around this, you would need to use Kerberos delegation. Delegation isn't difficult to set up, but it does require Domain Admin privileges, which can make things difficult in some corporate environments.

In addition, using impersonation means that you need to manage database permissions for each user that may visit your web service. The combination of database roles and AD groups will go a long way in simplifying this, but it's an extra administrative step that you may not wish to conduct. It's also a possible security risk, as certain users may end up with privileges that are greater than your web services are anticipating.
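A concrete version of the dedicated-app-pool setup this answer recommends, as an added PowerShell example (not code from the original answer or from Microsoft's documentation): each service gets its own application pool running as its own domain account, is bound to that pool, and has ASP.NET impersonation explicitly switched off so that SQL Server sees the pool account rather than the caller's credentials. It assumes IIS 7.5 or later with the WebAdministration module, an elevated prompt, placeholder names (CORP\svc_*, 'Default Web Site', the /OrdersSvc etc. application paths), and that the system.web/identity section can be written through Set-WebConfigurationProperty.

```powershell
# Added example, not part of the original answer: put each small web service in its own
# application pool running as a dedicated domain account (the "dedicated app pool" option),
# and keep ASP.NET impersonation off so outbound Windows-auth connections use the pool account.
# Assumptions: IIS 7.5+ with the WebAdministration module, an elevated prompt, and the
# placeholder names below (CORP\svc_*, 'Default Web Site', the /OrdersSvc etc. app paths).
Import-Module WebAdministration

$site = 'Default Web Site'
$services = @(
    @{ App = 'OrdersSvc';    Account = 'CORP\svc_orders'    },
    @{ App = 'InventorySvc'; Account = 'CORP\svc_inventory' },
    @{ App = 'ReportsSvc';   Account = 'CORP\svc_reports'   }
)

foreach ($svc in $services) {
    $poolName = "$($svc.App)Pool"

    # Prompt for the account password instead of embedding it in the script.
    $cred = Get-Credential -UserName $svc.Account -Message "Password for $($svc.Account)"

    if (-not (Test-Path "IIS:\AppPools\$poolName")) {
        New-WebAppPool -Name $poolName | Out-Null
    }

    # identityType 3 = SpecificUser: the worker process (w3wp.exe) logs on as this account.
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
        identityType = 3
        userName     = $svc.Account
        password     = $cred.GetNetworkCredential().Password
    }

    # Bind the application to its own pool: one worker process per service.
    $appPath = "IIS:\Sites\$site\$($svc.App)"
    Set-ItemProperty $appPath -Name applicationPool -Value $poolName

    # Keep <identity impersonate="false"/> in the app's web.config; with impersonation off,
    # every outbound connection (e.g. SQL via Windows auth) runs as the pool account, so the
    # "two-hop" NTLM problem never arises for these services.
    # (Assumed: system.web/identity is writable via the IIS configuration cmdlets.)
    Set-WebConfigurationProperty -PSPath $appPath -Filter 'system.web/identity' `
        -Name 'impersonate' -Value $false
}

# Read back what was configured: pool name, identity type and the account it runs as.
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.Name -like '*SvcPool' } |
    Select-Object Name,
        @{ n = 'IdentityType'; e = { $_.processModel.identityType } },
        @{ n = 'RunsAs';       e = { $_.processModel.userName } }
```

The remaining step is on the SQL Server side: create one login per CORP\svc_* account and grant it only the database roles that service needs, which keeps the "more permissions than it may need" risk from the first answer to a single, reviewable account per service.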

Impersonation is useful when you need a common end user experience with other Windows services that are based on Windows security.

For example, Microsoft SharePoint servers use impersonation because you can access SharePoint document libraries with web browsers and with the standard Windows shares UI (connect / disconnect to a network share, based on the SMB protocol). To ensure security is consistent between the two, in this case, you need impersonation.

Other than this kind of scenario, impersonation is most of the time not useful (but can cost a lot in terms of scalability).

Application pool pros:

  1. You don't have to be a .Net programmer to understand what's going on.

  2. The security aspect leaves the domain of the programmer and falls under the remit of infrastructure.

  3. Easy to change through IIS, with proper safety checks that the username is correct when setting up the app pool. I.e. it won't let you enter an incorrect username.

Impersonation pros:

  1. Privileges can be documented and traced back through changes to configuration via source control history, if configuration files are stored there.

Impersonation cons:

  1. To change the user, you need to be familiar with .Net configuration rather than just setting up a website.

Not sure I can think of much else.

My gut says to go with different application pools for each of the websites, but it's your party.

I would advise you to check the following page for security details...

https://www.attosol.com/sample-aspx-page-to-show-security-details-in-asp-net/

Once you are done with this, you will see "precisely" how impersonation changes the identity.
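The linked page shows the identity from inside a request; the complementary view from the server side, as an added PowerShell example (not from the original answer or from the linked page), is to audit which account each running worker process actually has, which applications have ASP.NET impersonation switched on, and whether any pool account is trusted for Kerberos delegation. The process-level identity is the app pool identity; impersonation is per-request and shows up only in configuration, which is why the two are checked separately. It assumes IIS 7.5 or later with the WebAdministration module and an elevated prompt; the ActiveDirectory module is optional and is only used if installed.

```powershell
# Added example, not from the original answer or the linked page: audit worker-process
# identities, per-application impersonation settings, and delegation rights of pool accounts.
# Assumptions: IIS 7.5+ with the WebAdministration module, an elevated prompt; the
# ActiveDirectory module is optional and only used if present.
Import-Module WebAdministration

# 1. Process-level identity: every w3wp.exe and the account it logged on as.
#    w3wp's command line carries the pool name as -ap "<pool>".
$workers = Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $pool  = if ($_.CommandLine -match '-ap "([^"]+)"') { $Matches[1] } else { '(unknown)' }
    [pscustomobject]@{
        PID     = $_.ProcessId
        AppPool = $pool
        RunsAs  = "$($owner.Domain)\$($owner.User)"
    }
}
$workers | Format-Table -AutoSize

# 2. Configuration-level: applications with <identity impersonate="true"/> in web.config.
$impersonating = foreach ($site in Get-Website) {
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $psPath = "IIS:\Sites\$($site.Name)$($app.path)"
        $raw = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.web/identity' -Name 'impersonate'
        # Older WebAdministration versions return a ConfigurationAttribute rather than a plain bool.
        $on = if ($raw -is [bool]) { $raw } else { [bool]$raw.Value }
        if ($on) {
            [pscustomobject]@{ Site = $site.Name; App = $app.path; AppPool = $app.applicationPool }
        }
    }
}
if ($impersonating) {
    "Applications using ASP.NET impersonation (callers' credentials only reach a remote SQL Server with Kerberos delegation):"
    $impersonating | Format-Table -AutoSize
} else {
    'No application has ASP.NET impersonation enabled.'
}

# 3. Optional: is any pool account trusted for delegation? Such accounts can forward callers'
#    credentials off-box, so the list should stay short and be reviewed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        ForEach-Object {
            $sam = ($_.processModel.userName -split '\\')[-1]
            $u = Get-ADUser -Identity $sam -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
            [pscustomobject]@{
                AppPool       = $_.Name
                Account       = $_.processModel.userName
                Unconstrained = $u.TrustedForDelegation
                ConstrainedTo = ($u.'msDS-AllowedToDelegateTo' -join ', ')
            }
        } | Format-Table -AutoSize
}
```

Read together, the three tables tell you what SQL Server will see from each service: the RunsAs account for applications without impersonation, and the calling user (only with working delegation) for the ones listed in the second table.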
