使用ASP.NET设置模拟 [英] Set up impersonation with ASP.NET

问题描述

为了初步了解，我创建了一个非常简单的项目，该项目试图计算两个目录中的文件数.不允许User1访问Directory2，并且不允许User2访问Directory1.由于模拟，根据调用我的应用程序的用户，我应该只能得到一个号码.两个用户都被设置为管理员.

for a first understanding, I have created a very simple project which tries to count the number of files in two directories. User1 is not allowed to access Directory2 and User2 is not allowed to access Directory1. Due to impersonation I should get only one number, depending on the user who is calling my application. Both user are set up as administrators.

因此，我在Visual Studio 2015(在Windows 8.1上运行)中创建了一个新的MVC项目，并选择使用Windows身份验证.一旦应用程序启动并运行(在ISS Express中)，我将在我的计算机上切换到User1(没有Active Directory)并在Internet Explorer中调用该网站(是的，在设置中启用了集成Windows身份验证") .使用此设置，HttpContext.User.Identity中的用户是User1，而WindowsIdentity.GetCurrent()是我的开发用户，即我在Visual Studio中使用的用户.

So I have created a new MVC-project in Visual Studio 2015 (running on Windows 8.1) and selected to use Windows authentication. Once the application is up and running (in ISS Express), I switch to User1 on my machine (there is no Active Directory) and call the website in Internet Explorer (yes, "Integrated Windows authentication" is enabled in the settings). With this setup, the user in HttpContext.User.Identity is User1 and WindowsIdentity.GetCurrent() is my development user, the one I am working with in Visual Studio.

我还尝试过手动模拟:

I have also tried to impersonate manually:

WindowsIdentity winId = (WindowsIdentity)User.Identity;
WindowsImpersonationContext ctx = null;
try
{
    ctx = winId.Impersonate();

    // GetNumbers() tries to get the number of files for both directories       
    numbers = GetNumbers();
}
catch (Exception e)
{
}
finally
{
    if (ctx != null)
    {
        ctx.Undo();
    }
}

不幸的是，我得到一个异常未提供所需的模拟级别，或者提供的模拟级别无效."有人声称这解决了他们的问题: https://kc. mcafee.com/corporate/index?page=content&id=KB56194 不适合我.我已将User1和我自己的用户添加到列表中，并重新启动了计算机.没变化.

Unfortunately, I get the exception "Either a required impersonation level was not provided, or the provided impersonation level is invalid." Some people were claiming the this one solved their problem: https://kc.mcafee.com/corporate/index?page=content&id=KB56194 Not for me. I've added User1 and my own user to the lists and restarted the computer. No change.

给我一​​点希望的是模拟登录和单独登录，如

The only thing which gives me a little bit of hope is the impersonation with a separate login, as described on https://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingusinglogonuser The disadvantages are quite obvious: I have to have the user's password and why should I login again if the user already did it for me.

尽管这是一个新项目，但我没有进行重大更改，但更多信息仅用于健全性检查...

Although this is a new project without major changes by me, some more information just for sanity check...

我的Web.config

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

我的项目设置是

• 匿名身份验证"为false
• "Windows身份验证"为true
• 受管点线模式"为Integrated

• "Anonymous authentication" is false
• "Windows authentication" is true
• "Managed pipline mode" is Integrated

关于要使此简单项目按预期工作需要进行哪些更改的任何建议?

Any suggestions on what to change to make this simple project work as expected?

最诚挚的问候， 卡斯滕

Best regards, Carsten

推荐答案

我终于设法使其正常运行(IIS Express和IIS)！如上所述，第一种方法仅是原型.最终目标是创建一个在服务器A上运行的GUI和在服务器B上运行的API.两者均使用ASP.NET来实现.

I finally managed to get it to work (IIS Express and IIS)! As mentioned above, the first approach was a prototype only. The final goal was to create a GUI which runs on server A and an API which runs on server B. Both implemented with ASP.NET.

GUI和API的Web.config获得了以下设置:

The Web.config of the GUI and the API got these settings:

<system.web>
  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
  </authorization>
  <identity impersonate="true" />
</system.web>

项目属性(选择项目后按F4)管理的管线模式"设置为Classic.

The project property (press F4 after selecting the project) "Managed pipline mode" is set to Classic.

在SO的某个地方，我看到了关于模拟是否也应与HttpClient一起使用的讨论.有人说，是的.好吧，这不适合我.如果您使用各种HTTP方法，则WebClient没什么好玩的.所以我切换到RestSharp:

Somewhere on SO I saw a discussion about if the impersonation should work with HttpClient as well. It was said, it does. Well, it did not for me. And the WebClient is no fun if you are using a variety of HTTP methods. So I switched to RestSharp:

RestClient client = new RestClient(baseUrl);
client.Authenticator = new NtlmAuthenticator();

• Visual Studio特别说明:您必须以管理员身份启动Visual Studio，否则模拟将无法在IIS Express上使用！
• IIS的特殊说明:应用程序池必须使用Classic托管管道模式".
• 特别说明(测试时):首先，API要求我进行身份验证，但不应进行身份验证.原因很简单:开发机器上的用户user1的密码与目标机器上的user1的密码相同...
• Special note for Visual Studio: You have to start Visual Studio as administrator or else the impersonation will not work on IIS Express!
• Special note for IIS: The application pool has to use Classic "Managed pipeline mode".
• Special note (while testing): At first, the API asked me to authenticate, which it should not. The reason was quite simple: My user user1 on my development machine had another password then the user1 on my target machine...

我希望这对某人有帮助.

I hope this helps someone.

这篇关于使用ASP.NET设置模拟的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！