IIS7 Impersonation doesn't work to access TFS repository


Problem description

I'm trying to build an ASP.NET page that adds a work item in TFS.

I have enabled impersonation and Windows authentication:

<authentication mode="Windows" />
<identity impersonate="true" password="" userName="" />
<customErrors mode="Off" /> 

In the page, I access TFS and try to add a work item:

TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
WorkItemStore store = prjCollection.GetService<WorkItemStore>();
...

However, it only works when I select SpecificUser in ASP.NET Impersonation and store the credentials. It doesn't work when the Authenticated user is selected.

I've checked that the SpecificUser is the same as the Authenticated one, but I get permission errors in the latter case (which indicates that the impersonation doesn't work correctly).

TF30063: You are not authorized to access XXX. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.AsyncWebRequest.ExecRequest(Object obj)
   --- End of inner exception stack trace ---
   at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ProcessHttpResponse(HttpWebResponse response, Stream responseStream, WebException webException, XmlReader& xmlResponseReader)
   at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ExecWebServiceRequest(HttpWebRequest request, XmlWriter requestXml, String methodName, HttpWebResponse& response)
   at Microsoft.TeamFoundation.Framework.Client.LocationWebService.Connect(Int32 connectOptions, ServiceTypeFilter[] serviceTypeFilters, Int32 lastChangeId)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.Connect(ConnectOptions connectOptions)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.EnsureConnected(ConnectOptions optionsNeeded)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.get_InstanceId()
   at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.InitializeInternal()
   at Microsoft.TeamFoundation.Client.TfsTeamProjectCollection.InitializeTeamFoundationObject(String fullName, Object instance)
   at Microsoft.TeamFoundation.Client.TfsConnection.CreateServiceInstance(Assembly assembly, String fullName)
   at Microsoft.TeamFoundation.Client.TfsConnection.GetService(Type serviceType)
   at Microsoft.TeamFoundation.Client.TfsConnection.GetService[T]()
   at ASP.index_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer)

The following variables look the same for both cases:

HttpContext.Current.Request.LogonUserIdentity.Name
HttpContext.Current.Request.IsAuthenticated
HttpContext.Current.User.Identity.Name
System.Environment.UserName
System.Security.Principal.WindowsIdentity.GetCurrent().Name

Any ideas?

EDIT:

Indeed, as John mentioned below, the issue is caused by Kerberos Delegation.

I've found the following article and accompanying tool very useful in explaining and mitigating this:

DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues

Solution

I think you may have a "double hop" problem.
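
A diagnostic for the double-hop case named in this answer, added here as an example and not part of the original post: the five values listed in the question only show who the user is, while the token's authentication package and impersonation level indicate whether that identity can be presented to a second server such as TFS. `DoubleHopDiagnostics` and `Describe` are hypothetical names, and the helper assumes it is called on the impersonated request thread with "Authenticated user" selected.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper (not part of ASP.NET or the TFS client API).
// Call it from the page while impersonation is active, for example:
//   Response.Write(Server.HtmlEncode(
//       DoubleHopDiagnostics.Describe(WindowsIdentity.GetCurrent())));
public static class DoubleHopDiagnostics
{
    public static string Describe(WindowsIdentity id)
    {
        if (id == null || id.IsAnonymous || !id.IsAuthenticated)
        {
            return "anonymous: there is no user identity to present to the second server";
        }

        // Name is what the question compared; the other two fields are what differ.
        string summary = string.Format(
            "{0} auth={1} level={2}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel);

        // An NTLM logon proves the user to this server only; nothing in the
        // token can be replayed to another machine.
        if (string.Equals(id.AuthenticationType, "NTLM",
                          StringComparison.OrdinalIgnoreCase))
        {
            return summary + " -> NTLM logon: cannot be forwarded, expect 401 on the second hop";
        }

        // TokenImpersonationLevel.Delegation is the documented level at which
        // a server may act as the client on remote systems.
        if (id.ImpersonationLevel == TokenImpersonationLevel.Delegation)
        {
            return summary + " -> token is marked delegable";
        }

        // Impersonation level: valid on this machine. For a network logon the
        // second hop then depends on Kerberos delegation being configured.
        return summary + " -> not marked delegable: check SPNs and the delegation"
                       + " settings of the application pool account";
    }
}
```

With "SpecificUser" the worker thread runs under a logon created from the stored password, which is why that configuration reaches TFS regardless of what this helper reports.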
