在IIS7 windows 2008中启用双跃点委派的步骤 [英] Steps to enable double-hop delegation in IIS7 windows 2008

问题描述

我的ASP.NET Web应用程序在我们的Intranet上使用Windows身份验证。我希望它能够向同一域上的另一台服务器发出服务器端的http请求，该服务器也需要进行Windows身份验证。

my ASP.NET web application uses windows authentication on our intranet. I want it to be able to make a server-side http request to another server on the same domain that also requires windows authentication.

我已按照暂时的说明进行操作在此处发出附加请求时模拟经过身份验证的用户：

I've followed the instructions on temporarily impersonating the authenticated user when making the additional request here:

http://msdn.microsoft.com/en-us/library/ff647404.aspx

使用以下代码：

using System.Security.Principal;

// Obtain the authenticated user's Identity
WindowsIdentity winId = (WindowsIdentity)HttpContext.Current.User.Identity;
WindowsImpersonationContext ctx = null;
try
{
  // Start impersonating
  ctx = winId.Impersonate();
  // Now impersonating
  // Access resources using the identity of the authenticated user
  var request = WebRequest.Create("http://intranet/secureapp");
  request.Credentials = CredentialCache.DefaultCredentials;
  var response = request.GetResponse();
  using (var streamReader = new StreamReader(response.GetResponseStream()))
  {
      Response.Write(streamReader.ReadToEnd());
  }
}
// Prevent exceptions from propagating
catch
{
}
finally
{
  // Revert impersonation
  if (ctx != null)
    ctx.Undo();
}
// Back to running under the default ASP.NET process identity 

但是，不幸的是，我总是得到401未经授权的错误。

But, unfortunately, I always get a 401 unauthorized error.

我是否需要使用活动目录配置我们的网络服务器以允许它委派认证用户（可以是任何用户）大约200个用户中的一个，所以不想要做任何200次的事:)）？如果是这样，有人可以告诉我该怎么做吗？

Do I need to configure our webserver with active directory to allow it to delegate the autenticated user (could be any one of about 200 users, so don't want to have to do anything 200 times :))? If so, can anyone tell me how to do this?

推荐答案

使用Windows配置Kerberos / Delegation有几个步骤。

There are several steps to configuring Kerberos/Delegation with Windows.

首先，您需要配置ASP.NET以使用委派。我假设你在web.config中配置了这个。

First, you need to configure ASP.NET to use delegation. I assume you have this configured in your web.config.

然后，您需要配置ASP.NET服务帐户以进行委派。有时你必须创建一个SPN。

Then you need to configure the ASP.NET Service Account for delegation. Sometimes you have to create an SPN.

然后为IIS服务器和Active Directory中的帐户启用委派。

Then enable delegation for the IIS server AND the account in Active Directory.

提供分步说明这里： http://msdn.microsoft.com/en-us/library/ms998355 .aspx
按照步骤1-3进行操作。

Step by step instructions are provided here: http://msdn.microsoft.com/en-us/library/ms998355.aspx Follow Steps 1-3.

这篇关于在IIS7 windows 2008中启用双跃点委派的步骤的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！