Impersonate User with Forms Authorization


Problem description

I am using Forms Authorization to log in to my web application against Active Directory. What I am trying to do is, when the user logs in, impersonate that user. But I am running into a few problems: when I enable impersonation either via IIS or web.config I get a 500 error. Here is that section of my web.config:

<customErrors mode="Off"/>
<authentication mode="Forms">
  <forms name=".ADAuthCookie" loginUrl="~/Login/Index" timeout="45" slidingExpiration="false" protection="All" path="/" />
</authentication>
<identity impersonate="true" />
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <clear />
    <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

If I set my credentials in the identity element it works without adjusting my IIS:

<identity impersonate="true" userName="domain\username" password="password" />

Here is my authorization in my IIS; this is what it's currently set to:

If I disable Anonymous and enable impersonation, I get a 500 error.

What am I doing wrong, and how do I get Forms Authentication to work with Impersonation?

Here is my login controller:

[HttpPost]
public ActionResult Index(Login model, string returnUrl)
{
    if (!ModelState.IsValid)
    {

        ModelState.AddModelError("", "The user name or password provided is incorrect.");

        return View(model);
    }

    if (Membership.ValidateUser(model.UserName, model.Password))
    {
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
        {
            return Redirect(returnUrl);
        }

        return RedirectToAction("Index", "Home");
    }

    ModelState.AddModelError("", "The user name or password provided is incorrect.");

    return View(model);
}

Update

I got past the 500 error via <validation validateIntegratedModeConfiguration="false" />, but the impersonation is still not working unless I set the credentials. Is there a way I can set the credentials of the person logging in?

Update

When I run this code, I can see that it is populated with the correct username and impersonate is set to true, what am I doing wrong?

System.Security.Principal.WindowsIdentity.GetCurrent()

Recommended answer

The key point is: "what I am trying to do is when the user logs in, impersonate that user."

What you are looking for is called delegation.

Delegation without using the username and password of the user relies on Integrated Windows Authentication. You cannot achieve it using Forms Authentication unless you use the username and password of the user and do protocol transition.

For learning purposes, this post shows an example of how you can do it in code by using the username and password which you receive from the login page.

I know this may be disappointing, but if you need delegation, you should rely on Windows Authentication and configure browser, IIS and ASP.NET application. To see a complete guide take a look at How to configure an ASP.NET application for a delegation scenario.

This is not a complete guide of the configurations; however, it shows you the most important configurations:

  • Set up the browser: To set up the browser, for IE, you need to check Enable Windows Integrated Authentication in the Advanced tab of Internet Options.
  • Set up IIS: To set up IIS, you need to disable all authentications on IIS including Anonymous Authentication and just enable Windows Authentication.
  • Set up the ASP.NET application: In the web.config you need to set <authentication mode="Windows" /> and also set <identity impersonate="true" /> and also <allow users="*" /><deny users="?" />
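
The in-code approach the answer mentions (using the username and password received from the login page), as an added example that is not part of the original question or answer. It P/Invokes LogonUser and scopes the impersonation with WindowsIdentity.RunImpersonated (.NET Framework 4.6 or later); the LoginImpersonation class, the RunAs helper and the "DOMAIN" placeholder are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper: not part of ASP.NET or of the original post.
public static class LoginImpersonation
{
    // Keeps the credentials in the logon session so the token can be used
    // for outbound connections to other servers while impersonating.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider,
        out SafeAccessTokenHandle phToken);

    // Runs 'work' under the Windows identity of domain\userName.
    // A failed logon throws, so 'work' never silently runs as the
    // application pool identity when the credentials are wrong.
    public static T RunAs<T>(string domain, string userName, string password,
        Func<T> work)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(userName, domain, password,
                LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT,
                out token))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token)
        {
            // Impersonation is limited to the delegate and is reverted
            // afterwards, even if 'work' throws.
            return WindowsIdentity.RunImpersonated(token, work);
        }
    }
}

// Usage inside the login action, after Membership.ValidateUser succeeds and
// while model.Password is still available ("DOMAIN" is a placeholder):
//   string name = LoginImpersonation.RunAs("DOMAIN", model.UserName,
//       model.Password, () => WindowsIdentity.GetCurrent().Name);
```

The Forms Authentication cookie carries no Windows token, so this only works in a request that still holds the password; later requests authenticated by the cookie alone have nothing to impersonate.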
