如何获得露天登录票无需用户密码,而是与用户主要名称冒充用户(UPN) [英] How to get Alfresco login ticket without user password, but with impersonating user with user principal name (UPN)
问题描述
我正在写有功能越来越露天登录票,而无需使用用户密码,只用一个用户主体名称(UPN)的DLL。我打电话露天REST API服务的 / wcservice 的。我使用NTLM在露天。
我用的WindowsIdentity 构造冒充用户这里<一个解释href=\"http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentity\" rel=\"nofollow\">http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentity.我检查和用户正常模拟(我检查 WindowsIdentity.GetCurrent()。名称属性)。
模拟用户后,我尽量让的HttpWebRequest 和 CredentialsCache.DefaultNetworkCredentials 设置其凭据。我得到的错误:
远程服务器返回错误:(401)未经授权。
在System.Net.HttpWebRequest.GetResponse()
当我使用新的NetworkCredential(用户名,P @ ssw0rd)设置要求的凭证,我得到的露天登录票(的HTTPStatus code.OK ,200)。
有什么办法,我能得到的Alfresco登录票,无需用户密码?
下面是code,我使用:
私人字符串GetTicket(字符串UPN){
身份的WindowsIdentity =新的WindowsIdentity(UPN);
WindowsImpersonationContext语境= NULL; 尝试{
上下文= identity.Impersonate(); MakeWebRequest();
}
赶上(例外五){
返回e.Message + Environment.NewLine + e.StackTrace;
}
最后{
如果(上下文!= NULL){
context.Undo();
}
}
}私人字符串MakeWebRequest(){
字符串URI =HTTP:// alfrescoserver /户外/ wcservice /毫克/ UTIL /登录;
HttpWebRequest的请求= WebRequest.Create(URI),为的HttpWebRequest; request.CookieContainer =新的CookieContainer(1); //request.Credentials =新的NetworkCredential(用户名,P @ ssw0rd); //它的工作原理与此
request.Credentials = CredentialCache.DefaultNetworkCredentials; //它不会与这方面的工作
//request.Credentials = CredentialCache.DefaultCredentials; //它不会与此擦出火花 尝试{
使用(HttpWebResponse响应= request.GetResponse()作为HttpWebResponse){
StreamReader的SR =新的StreamReader(response.GetResponseStream()); 返回sr.ReadToEnd();
}
}
赶上(例外五){
回报(e.Message + Environment.NewLine + e.StackTrace);
}
}
下面是从露天stdout.log记录(如果它以任何方式帮助):
17:18:04550 DEBUG [app.servlet.NTLMAuthenticationFilter]处理请求:/户外/ wcservice /毫克/ UTIL /登录SID:7453F7BD4FD2E6A61AD40A31A37733A5
17:18:04550 DEBUG [web.scripts.DeclarativeRegistry]网页脚本索引查找为URI /毫克/ UTIL /登录了0.526239ms
17:18:04550 DEBUG [app.servlet.NTLMAuthenticationFilter] 10新NTLM身份验证请求,** ** **(10 ** ** **:。1229)。
17:18:04566 DEBUG [app.servlet.NTLMAuthenticationFilter]处理请求:/户外/ wcservice /毫克/ UTIL /登录SID:7453F7BD4FD2E6A61AD40A31A37733A5
17:18:04566 DEBUG [web.scripts.DeclarativeRegistry]网页脚本索引查找为URI /毫克/ UTIL /登录了0.400909ms
17:18:04566 DEBUG [app.servlet.NTLMAuthenticationFilter]所获TYPE1 [类型:0xe20882b7,领域:其中,NotSet&GT;,Wks年度:其中,NotSet&GT;]
17:18:04566 DEBUG [app.servlet.NTLMAuthenticationFilter]客户端域空
17:18:04675 DEBUG [app.servlet.NTLMAuthenticationFilter]发送NTLM 2型客户 - [类型2:0x80000283,目标:AlfrescoServerA篇:197e2631cc3f9e0a]
我已经解决了这个问题!
我相信,我们有一个的双跃点问题的。
这是必须做来解决这个问题:
- 用户运行我的DLL必须 Windows Server 2003域
用户 - 服务使用我的DLL必须有
注册服务主体名称在
与用户域控制器
运行它(用户在运行我的DLL) - 用户运行我的DLL不能有
敏感帐户,不能被
在域名选择的委托选项
控制器 - 用户运行我的DLL必须有
信任此用户来委派
任何服务(仅Kerberos)或信任
此用户来委派
指定的服务选项
在域控制器选择(如果
用户在Windows Server 2003
功能域此选项
只有当您注册
这种服务主体名称
用户) - 用户运行我的DLL必须有 TrustedToAuthForDelegation 用户帐户控制(UAC)设置为true
- 计算机运行使用服务
我的DLL必须具备的信任计算机
委派任何服务(Kerberos的
只)或信任计算机作为
委派指定的服务
只有选项中选择域名
控制器
这一切(甚至更多)微软文档中解释<一个href=\"http://www.microsoft.com/downloads/en/details.aspx?familyid=99b0f94f-e28a-4726-bffe-2f64ae2f59a2&displaylang=en\"相对=nofollow>疑难解答Kerberos委派。它包含:
- 清单为Active Directory,
- 清单客户端应用程序,
- 检查表中间层,
- 清单后端
加
- 常见配置示例
场景。
设置 TrustedToAuthForDelegation 用户帐户控制(UAC)在PowerShell中由Active Directory cmdlet时做解释的这里。
您可以在ASP.NET 2.0 阅读更多有关 Windows身份验证
当然,露天必须启用Kerberos登录。
I'm writing a DLL that has function for getting Alfresco login ticket without using user password, using only a user principal name (UPN). I’m calling alfresco REST API service /wcservice. I use NTLM in Alfresco.
I’m impersonating users using WindowsIdentity constructor as explained here http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentity. I checked and user is properly impersonated (I checked WindowsIdentity.GetCurrent().Name property).
After impersonating a user, I try to make HttpWebRequest and set its credentials with CredentialsCache.DefaultNetworkCredentials. I get the error:
The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
When I use new NetworkCredential("username", "P@ssw0rd") to set request credentials, I get Alfresco login ticket (HttpStatusCode.OK, 200).
Is there any way that I can get Alfresco login ticket without user password?
Here is the code that I'm using:
private string GetTicket(string UPN) {
WindowsIdentity identity = new WindowsIdentity(UPN);
WindowsImpersonationContext context = null;
try {
context = identity.Impersonate();
MakeWebRequest();
}
catch (Exception e) {
return e.Message + Environment.NewLine + e.StackTrace;
}
finally {
if (context != null) {
context.Undo();
}
}
}
private string MakeWebRequest() {
string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
HttpWebRequest request = WebRequest.Create(URI) as HttpWebRequest;
request.CookieContainer = new CookieContainer(1);
//request.Credentials = new NetworkCredential("username", "p@ssw0rd"); // It works with this
request.Credentials = CredentialCache.DefaultNetworkCredentials; // It doesn’t work with this
//request.Credentials = CredentialCache.DefaultCredentials; // It doesn’t work with this either
try {
using (HttpWebResponse response = request.GetResponse() as HttpWebResponse) {
StreamReader sr = new StreamReader(response.GetResponseStream());
return sr.ReadToEnd();
}
}
catch (Exception e) {
return (e.Message + Environment.NewLine + e.StackTrace);
}
}
Here are records from Alfresco stdout.log (if it helps in any way):
17:18:04,550 DEBUG [app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcservice/mg/util/login SID:7453F7BD4FD2E6A61AD40A31A37733A5
17:18:04,550 DEBUG [web.scripts.DeclarativeRegistry] Web Script index lookup for uri /mg/util/login took 0.526239ms
17:18:04,550 DEBUG [app.servlet.NTLMAuthenticationFilter] New NTLM auth request from 10.**.**.** (10.**.**.**:1229)
17:18:04,566 DEBUG [app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcservice/mg/util/login SID:7453F7BD4FD2E6A61AD40A31A37733A5
17:18:04,566 DEBUG [web.scripts.DeclarativeRegistry] Web Script index lookup for uri /mg/util/login took 0.400909ms
17:18:04,566 DEBUG [app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xe20882b7,Domain:<NotSet>,Wks:<NotSet>]
17:18:04,566 DEBUG [app.servlet.NTLMAuthenticationFilter] Client domain null
17:18:04,675 DEBUG [app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0x80000283,Target:AlfrescoServerA,Ch:197e2631cc3f9e0a]
I've solved the problem!
I believe that we had a double-hop problem.
This is what had to be done to solve this problem:
- User that runs my DLL must be Windows Server 2003 domain user
- Service that uses my DLL must have registered Service Principal Name in Domain controller with user that runs it (user that runs my DLL)
- User that runs my DLL must not have Account is sensitive and cannot be delegated option selected in Domain controller
- User that runs my DLL must have Trust this user for delegation to any service (Kerberos only) or Trust this user for delegation to specified services only option selected in Domain controller (if the user is in Windows Server 2003 functional domain this option is available only when you register Service Principal Name with this user)
- User that runs my DLL must have TrustedToAuthForDelegation user account control (UAC) set to true
- Computer that runs service that uses my DLL must have Trust computer for delegation to any service (Kerberos only) or Trust computer for delegation to specified services only option selected in Domain Controller
This all (and more) is explained in Microsoft document Troubleshooting Kerberos Delegation. It contains:
- checklist for Active Directory,
- checklist for Client application,
- checklist for Middle tier,
- checklist for Back-end
plus
- configuration examples for common scenarios.
Setting TrustedToAuthForDelegation user account control (UAC) is done in PowerShell by Active Directory cmdlet explained here.
You can read more about Windows Authentication in ASP.NET 2.0.
Of course, Alfresco must have Kerberos login enabled.
这篇关于如何获得露天登录票无需用户密码,而是与用户主要名称冒充用户(UPN)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
