
Difference in ASP.Net impersonation methods

In this MSDN article on "How to implement impersonation in an ASP.NET application" they list 4 different ways to change the account that's used to execute the web request. Unfortunately, it doesn't describe the differences between these alternatives.

I'm trying to impersonate the IIS authenticated user to copy some files off their local machine. It works when I use the WIN32 API LogonUserA and impersonate a specific user. But I need the web app to work with many users (I don't have an account that can access everyone's files).

I thought simply setting Impersonate = "true" and configuring IIS should work, but something is different. When I check Environment.UserName it appears to be impersonating the correct account, but I am getting "Access is denied" errors.

Anyone know the difference between these impersonation methods? Is it possible to impersonate the IIS authenticated user and then do some file operations with it?

Update: From the feedback I've been getting, I need to be more clear about what I'm facing.

Environment setup:

  • IIS: disable anonymous authentication, enable integrated Windows authentication
  • ASP.Net's web.config: authentication mode = "windows", impersonate = true, deny anonymous users

Suppose I'm accessing the page as "userA":

Scenario 1: impersonate the IIS authenticated user

try {
  // Runs under the token IIS created for userA (<identity impersonate="true" />).
  File.Copy(srcFile, destFile);   // Access Denied even though userA has access to srcFile.
} catch (Exception ex) {
  ...
}

Scenario 2: impersonate userA with LogonUser

try {
  // Impersonator is a wrapper around the WIN32 LogonUser API;
  // it logs userA on with an explicit password and impersonates that token.
  using (Impersonator imp = new Impersonator("domain", "userA", "pwd"))
  {
    File.Copy(srcFile, destFile); // Works
  }
} catch (Exception ex) {
  ...
}

In both cases, I'm impersonating "userA".
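The Impersonator wrapper the question refers to in Scenario 2, written out as an added example; this is not the asker's helper, and the class name, the LOGON32 constants and the default logon type are assumptions. It targets the .NET Framework, where WindowsIdentity.Impersonate is available.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: a disposable wrapper around the Win32 LogonUser API.
// Not the asker's code; the constants and the default logon type are assumptions.
public sealed class Impersonator : IDisposable
{
    // Full local logon; the thread identity changes (Environment.UserName changes too).
    // The account needs the "Allow log on locally" right on the IIS machine.
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    // Keeps the caller's local identity but uses the supplied credentials for
    // outbound network connections. Enough for reading a UNC share, needs no
    // local logon right, and Environment.UserName does NOT change.
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr hObject);

    private IntPtr _token;
    private WindowsImpersonationContext _context;

    public Impersonator(string domain, string userName, string password,
                        int logonType = LOGON32_LOGON_NEW_CREDENTIALS)
    {
        // LOGON32_LOGON_NEW_CREDENTIALS is only accepted with the WINNT50 provider.
        int provider = logonType == LOGON32_LOGON_NEW_CREDENTIALS
            ? LOGON32_PROVIDER_WINNT50 : LOGON32_PROVIDER_DEFAULT;

        if (!LogonUser(userName, domain, password, logonType, provider, out _token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        // From here until Dispose() everything on this thread runs as the new token.
        _context = WindowsIdentity.Impersonate(_token);
    }

    public void Dispose()
    {
        // Undo before closing the handle so the thread never runs on a dead token.
        if (_context != null) { _context.Undo(); _context.Dispose(); _context = null; }
        if (_token != IntPtr.Zero) { CloseHandle(_token); _token = IntPtr.Zero; }
    }
}
```

Usage is the one in Scenario 2: `using (var imp = new Impersonator("domain", "userA", "pwd")) { File.Copy(srcFile, destFile); }`. The important property of this token is that it was created from a plaintext password on the IIS machine, so it carries credentials that can be presented to a file server. That is also its cost: the application has to hold every user's password, which is what the question is trying to avoid.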

Q: Anyone know the difference between these impersonation methods?

A: First some background on how IIS handles requests.

There is a specific system user called IUSR_computername (default in IIS6) which the IIS server uses to handle file access. And there is a process running on the IIS server called Aspnet_wp.exe which runs under an account called ASPNET or NetworkService.

So when a request is made to the server, IIS reacts, and if the request is for an ASP.NET application it passes the request to that process.

This means that if the IIS server is set up to use the IUSR_computername (anonymous) access method, the server will use that account to process the request, and if it sees that it is an ASP.NET application it will transfer the request to the ASP.NET process.

By default impersonation is disabled; this means that the request will run under the ASPNET or NetworkService account when the ASP.NET process handles the request.

Now to the difference between the impersonation methods:

  • Impersonate the IIS authenticated account or user
    Uses an account that IIS is set up to use. Usually IUSR_computername.
    Usage: <identity impersonate="true" />

  • Impersonation enabled for a specific identity
    Uses a specific account that is specified.
    Usage: <identity impersonate="true" userName="accountname" password="password" />

The third option is the default state, which is to disable impersonation.

Q: Is it possible to impersonate the IIS authenticated user and then do some file operations with it?

A: Depends on the privileges of the IIS authenticated user. If the account has permission to manipulate files (NTFS permissions in Windows), the answer would be yes.

Read more here:

  1. IIS Authentication
  2. ASP.NET Authentication

I believe you've run into the "double hop" issue described here. Basically, the connection between the client and IIS is one hop, the connection between IIS and the network share is the second one, and with impersonation double hops are not allowed by default. That means in your first example the user should be able to access resources local to the IIS machine but not remote ones.

When the credentials are entered on IIS programmatically, there's no second hop. That's the difference you're looking for.

To support your requirements, you need to implement delegation rather than impersonation. Please have a look at MSDN for more info.
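A way to see the double hop from inside the request, as an added example that is not part of either answer. With `<identity impersonate="true" />` the thread runs on the token IIS built from the client's authentication; inspecting that token's ImpersonationLevel and AuthenticationType tells you whether it can be forwarded to a file server at all. The class name and the helper names below are assumptions; the File.Copy call is the one from the question.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example (not from the answers): inspect the impersonated Windows token
// to explain why Scenario 1 works for local paths but fails for remote ones.
public static class DoubleHopCheck
{
    // A token can be presented to a second machine only at Delegation level,
    // which you get from Kerberos with delegation configured for the IIS box.
    // NTLM, and Kerberos without delegation, give an Impersonation-level token
    // that is valid on the IIS machine only. If impersonation is off, the level
    // is None and the request simply runs as the process account.
    public static bool CanReachRemoteResources(WindowsIdentity id)
    {
        return id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    public static bool IsUncPath(string path)
    {
        return path != null && path.StartsWith(@"\\", StringComparison.Ordinal);
    }

    // Same File.Copy as in the question, but an access failure on a UNC path is
    // reported together with the token facts that explain it.
    public static bool TryCopy(string srcFile, string destFile, out string reason)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        try
        {
            File.Copy(srcFile, destFile, true);
            reason = "copied as " + id.Name;
            return true;
        }
        catch (UnauthorizedAccessException ex) { reason = Explain(ex, id, srcFile, destFile); }
        catch (IOException ex)                 { reason = Explain(ex, id, srcFile, destFile); }
        return false;
    }

    private static string Explain(Exception ex, WindowsIdentity id, string src, string dst)
    {
        string reason = ex.Message;
        if ((IsUncPath(src) || IsUncPath(dst)) && !CanReachRemoteResources(id))
        {
            // This is the double hop: the name is right (Environment.UserName shows
            // userA) but the token carries no credentials the file server will accept.
            reason += string.Format(
                " [double hop: user={0} auth={1} level={2}; token cannot be used on another machine]",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);
        }
        return reason;
    }
}
```

Logging `WindowsIdentity.GetCurrent().AuthenticationType` and `.ImpersonationLevel` once per request is the quickest way to confirm which case you are in: an "NTLM" token will never reach a remote share through impersonation, and a "Kerberos" token will only do so once delegation is configured as the answer above describes. The LogonUser approach works because its token was minted from a password on the IIS machine rather than forwarded from the client.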
