stackoom
  简体   繁体   中英

Why can't I open a file using impersonation on a remote machine?

 原文  2009-08-11 18:53:12       c#/ .net/ wcf/ security/ impersonation

Question

I have a WCF service written in C# being hosted on a remote machine, running as the local administrator account. From my machine logged in as an active directory user, I am sending a command that simply tells it to open a file on the network. I have access to the file, but the administrator account on the host machine does not. I'm using the [OperationBehavior(Impersonation=ImpersonationOption.Required)] meta tag on the method that requires impersonation, and I have the credential type and security modes set correctly. I can verify that account is indeed trying to be impersonated by comparing Windows Identities, but I still get an access denied exception. I'm thinking it has something to do with active directory not authenticating the impersonated user. Is there something I'm missing?

2 answers

solution1
 5 ACCPTED  2009-08-11 19:13:23

You are entering the domain of Kerberos security and two hops-authentication.
You have two options:

  • Take the red pill : try to get the two hops-authentication to work. Make sure you have at least a Windows Server 2003 domain, time properly synchronized between all machines and setup proper delegation for the spefic users/computer accounts. If you're really "lucky" you'll have to configure SPNs with SetSPN.

  • Take the blue pill : forget two hops-authentication, impersonate the WCF service under an account that has just enough rights, and check authorization in an earlier step.

Forgive my frustration, but I do think that my brief experience with this topic has cost me at least 10 years of my life. I hate to see that happend to anyone else. Anyways, this post should give you enough Google keywords if you're feeling brave.

Eventlog and network monitor are useful for debugging...

solution2
 1  2009-08-11 19:05:11

You also probably need to set up delegation from the web server to the file server. This will allow the file server to trust credentials that the web server has validated. See this MSDN article on how to set up delegation for your application, particularly the section on configuring AD.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How can I use impersonation to manipulate files/directories on a remote machine with UNC? Why can't I open xls file in browser using TransmitFile? Lauch a process on a remote machine with impersonation c# Why can't WCF Restful service be accessed on remote network machine? Reading remote file using ASP.NET impersonation Why can't I open a PDF file with ImageMagickNet? “Requested registry access is not allowed” When Attempting to Run PowerShell Script on Remote Machine Using Impersonation How can i get a file from remote machine? Open Document/file on client with impersonation Can WCF open process in remote machine?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM