在 IIS7 windows 2008 中启用双跳委托的步骤 [英] Steps to enable double-hop delegation in IIS7 windows 2008

问题描述

我的 ASP.NET Web 应用程序在我们的 Intranet 上使用 Windows 身份验证.我希望它能够向同一域上的另一台服务器发出服务器端 http 请求，该服务器也需要 Windows 身份验证.

my ASP.NET web application uses windows authentication on our intranet. I want it to be able to make a server-side http request to another server on the same domain that also requires windows authentication.

在此处发出附加请求时，我已按照有关临时模拟已验证用户的说明进行操作:

I've followed the instructions on temporarily impersonating the authenticated user when making the additional request here:

http://msdn.microsoft.com/en-us/library/ff647404.aspx

使用这样的代码:

using System.Security.Principal;

// Obtain the authenticated user's Identity
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Now impersonating
  // Access resources using the identity of the authenticated user
  var request = WebRequest.Create("http://intranet/secureapp");
  request.Credentials = CredentialCache.DefaultCredentials;
  var response = request.GetResponse();
  using (var streamReader = new StreamReader(response.GetResponseStream()))
  {
      Response.Write(streamReader.ReadToEnd());
  }
}
// Prevent exceptions from propagating
catch
{
}
finally
{
  // Revert impersonation
  if (ctx != null)
    ctx.Undo();
}
// Back to running under the default ASP.NET process identity 

但是，不幸的是，我总是收到 401 未经授权的错误.

But, unfortunately, I always get a 401 unauthorized error.

我是否需要使用活动目录配置我们的网络服务器以允许它委派经过身份验证的用户(可能是大约 200 个用户中的任何一个，所以不想做任何事情 200 次 :))?如果是这样，谁能告诉我该怎么做?

Do I need to configure our webserver with active directory to allow it to delegate the autenticated user (could be any one of about 200 users, so don't want to have to do anything 200 times :))? If so, can anyone tell me how to do this?

推荐答案

使用 Windows 配置 Kerberos/Delegation 有几个步骤.

There are several steps to configuring Kerberos/Delegation with Windows.

首先，您需要配置 ASP.NET 以使用委托.我假设你已经在 web.config 中配置了这个.

First, you need to configure ASP.NET to use delegation. I assume you have this configured in your web.config.

然后您需要为委派配置 ASP.NET 服务帐户.有时您必须创建一个 SPN.

Then you need to configure the ASP.NET Service Account for delegation. Sometimes you have to create an SPN.

然后为 IIS 服务器和 Active Directory 中的帐户启用委派.

Then enable delegation for the IIS server AND the account in Active Directory.

此处提供了分步说明:http://msdn.microsoft.com/en-us/library/ms998355.aspx执行步骤 1-3.

Step by step instructions are provided here: http://msdn.microsoft.com/en-us/library/ms998355.aspx Follow Steps 1-3.

这篇关于在 IIS7 windows 2008 中启用双跳委托的步骤的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！