模拟和代表团 [英] Impersonation and Delegation

问题描述

我使用的模拟被用于访问UNC文件，如下分享。

I am using impersonation is used to access file on UNC share as below.

  var ctx = ((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate();
  string level = WindowsIdentity.GetCurrent().ImpersonationLevel);

在使用IIS6两个Windows 2003服务器，我得到不同的模拟级别：的代表团的一台服务器上的模拟的其他服务器上。

On two Windows 2003 servers using IIS6, I am getting different impersonation levels: Delegation on one server and Impersonation on the other server.

这导致我在哪里无法访问与'模拟'级服务器上的UNC共享的问题。

This causes issues where I am unable to access the UNC share on the server with 'Impersonation' level.

这可能是造成这种差异？我通过对应用程序池，网站和虚拟目录的machine.config和IIS设置搜索 - 但无法找到这个问题的原因

What could be causing this difference? I searched through machine.config and IIS settings for the app pool, site and virtual directories - but aren't able to find the cause of this problem.

推荐答案

这听起来像电脑中的一个由您的Active Directory受信任的委派，但对方不是。如果应用程序池标识是网络服务，确保计算机帐户在AD标记为受信委派。

It sounds like one of the computer is trusted for delegation by your Active Directory, but the other is not. If the app pool identity is Network Service, make sure the Computer Account is marked "Trusted for Delegation" in AD.

您可能需要问你的AD管理员强制复制，然后注销/到您的工作站刷新Kerberos票据缓存。

You may need to ask your AD admin to force a replication and then log out/in to your workstation to refresh your Kerberos ticket cache.

这篇关于模拟和代表团的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！