没有具有假冒身分的IsInRole AD群组 [英] No IsInRole AD groups with Impersonation

问题描述

大家好，

我正在创建一个具有数据库的Web应用程序.要通过模拟用户对web.config文件中db的权限来登录该数据库，请执行以下操作:

Hello All,

I am creating a web application that has a database. To log onto that database by impersonating a user with right to the db in the web.config file:

<identity impersonate="true" username="domain\user" password="password" />

这样可以正常工作，并且我可以毫无问题地进入数据库.

在页面init上，我需要检查用户是否有权访问该应用程序.为此，我定义了3个组:管理员"，写"和读".

这就是问题所在.

我正在使用以下代码返回系统用户:

This impersonate works correctly and I am able to get to the database with no problems.

On page init I need to check to see if the user has access to the application. For this I have defined 3 groups: Admin, Write and Read.

This is where the problem come into play.

I am using the following code to return to the system user:

using (WindowsImpersonationContext impersonated = WindowsIdentity.Impersonate(IntPtr.Zero))
            {
                WindowsIdentity curIdentity = WindowsIdentity.GetCurrent();
                WindowsPrincipal wp = new WindowsPrincipal(curIdentity);
                bool isInRole = .IsInRole(WebConfigurationManager.AppSettings[role.ToString()]);
            
            }

我已经验证了这是否使我成为当前登录到系统的用户，但是由于某种原因，它为所有组都带来了False.

为了进行测试，我从web.config文件中删除了模拟子句，然后重新运行IsInRole进程，并为所有组收到True.

我尝试的另一件事是再次从web.config文件中删除模拟子句.接下来，我创建了一个模拟类，该类在抓住用户角色后使用.这样可以使我获得正确的角色，但要保留它们，我必须将它们存储在会话变量中(出于安全原因，我不想这样做)，因为一旦冒充我就无法返回并重新抓住安全组.

模拟时如何丢失系统用户权限?

感谢您的宝贵时间，
Aaron

I have verified that this gives me the current user who is logged onto the system but for some reason it brings back False for all groups.

For testing purposes I removed the impersonation clause from the web.config file and re-ran the IsInRole process and received True for all groups.

The other thing I tried was to again remove the impersonation clause from the web.config file. Next I created a impersonation class that I used after I had grabbed the users roles. This allowed me to get the correct roles but to keep them I would have to store them in a session variable (which I do not want to do for security reasons) because as soon as I impersonate I can''t go back and re-grab the security groups.

How am I losing the systems users rights when I do an impersonation?

Thanks for your time,
Aaron

推荐答案

不确定，我创建了一个带有模拟的示例，并检查了已登录用户是否属于某个角色，并且也没有进行了模拟，都给了我积极的结果.不知道为什么要面对这个问题.您可以将您的验证码发送给我吗?但是，如果要使用有权访问db的用户连接数据库，为什么不使用带有用户名和密码的连接字符串.

使用连接字符串时，无论登录的用户是什么，它都会使用指定的用户连接到db.

Not sure, I have created a sample with impersonation and checked whether the signed in user belong to a role or not, and without impersanation also, both gave me positive results. Not sure why you are facing the issue. can you send me your code to repro. But if you want to connect to database using a user having access to db, why not use connection string, with the user name and password.

When you use connection string, it uses the specified user to connect to db, irrespective of the user logged in.

这篇关于没有具有假冒身分的IsInRole AD群组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！