使用ASP.NET设置模拟 [英] Set up impersonation with ASP.NET
问题描述
为了初步了解,我创建了一个非常简单的项目,该项目试图计算两个目录中的文件数.不允许User1
访问Directory2
,并且不允许User2
访问Directory1
.由于模拟,根据调用我的应用程序的用户,我应该只能得到一个号码.两个用户都被设置为管理员.
for a first understanding, I have created a very simple project which tries to count the number of files in two directories. User1
is not allowed to access Directory2
and User2
is not allowed to access Directory1
. Due to impersonation I should get only one number, depending on the user who is calling my application. Both user are set up as administrators.
因此,我在Visual Studio 2015(在Windows 8.1上运行)中创建了一个新的MVC项目,并选择使用Windows身份验证.一旦应用程序启动并运行(在ISS Express中),我将在我的计算机上切换到User1
(没有Active Directory)并在Internet Explorer中调用该网站(是的,在设置中启用了集成Windows身份验证") .使用此设置,HttpContext.User.Identity
中的用户是User1
,而WindowsIdentity.GetCurrent()
是我的开发用户,即我在Visual Studio中使用的用户.
So I have created a new MVC-project in Visual Studio 2015 (running on Windows 8.1) and selected to use Windows authentication. Once the application is up and running (in ISS Express), I switch to User1
on my machine (there is no Active Directory) and call the website in Internet Explorer (yes, "Integrated Windows authentication" is enabled in the settings). With this setup, the user in HttpContext.User.Identity
is User1
and WindowsIdentity.GetCurrent()
is my development user, the one I am working with in Visual Studio.
我还尝试过手动模拟:
I have also tried to impersonate manually:
WindowsIdentity winId = (WindowsIdentity)User.Identity;
WindowsImpersonationContext ctx = null;
try
{
ctx = winId.Impersonate();
// GetNumbers() tries to get the number of files for both directories
numbers = GetNumbers();
}
catch (Exception e)
{
}
finally
{
if (ctx != null)
{
ctx.Undo();
}
}
不幸的是,我得到一个异常未提供所需的模拟级别,或者提供的模拟级别无效."有人声称这解决了他们的问题: https://kc. mcafee.com/corporate/index?page=content&id=KB56194 不适合我.我已将User1
和我自己的用户添加到列表中,并重新启动了计算机.没变化.
Unfortunately, I get the exception "Either a required impersonation level was not provided, or the provided impersonation level is invalid." Some people were claiming the this one solved their problem: https://kc.mcafee.com/corporate/index?page=content&id=KB56194 Not for me. I've added User1
and my own user to the lists and restarted the computer. No change.
The only thing which gives me a little bit of hope is the impersonation with a separate login, as described on https://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingusinglogonuser The disadvantages are quite obvious: I have to have the user's password and why should I login again if the user already did it for me.
尽管这是一个新项目,但我没有进行重大更改,但更多信息仅用于健全性检查...
Although this is a new project without major changes by me, some more information just for sanity check...
我的Web.config
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
我的项目设置是
- 匿名身份验证"为
false
- "Windows身份验证"为
true
- 受管点线模式"为
Integrated
- "Anonymous authentication" is
false
- "Windows authentication" is
true
- "Managed pipline mode" is
Integrated
关于要使此简单项目按预期工作需要进行哪些更改的任何建议?
Any suggestions on what to change to make this simple project work as expected?
最诚挚的问候, 卡斯滕
Best regards, Carsten
推荐答案
我终于设法使其正常运行(IIS Express和IIS)!如上所述,第一种方法仅是原型.最终目标是创建一个在服务器A上运行的GUI和在服务器B上运行的API.两者均使用ASP.NET来实现.
I finally managed to get it to work (IIS Express and IIS)! As mentioned above, the first approach was a prototype only. The final goal was to create a GUI which runs on server A and an API which runs on server B. Both implemented with ASP.NET.
GUI和API的Web.config
获得了以下设置:
The Web.config
of the GUI and the API got these settings:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
项目属性(选择项目后按F4
)管理的管线模式"设置为Classic
.
The project property (press F4
after selecting the project) "Managed pipline mode" is set to Classic
.
在SO的某个地方,我看到了关于模拟是否也应与HttpClient
一起使用的讨论.有人说,是的.好吧,这不适合我.如果您使用各种HTTP方法,则WebClient
没什么好玩的.所以我切换到RestSharp:
Somewhere on SO I saw a discussion about if the impersonation should work with HttpClient
as well. It was said, it does. Well, it did not for me. And the WebClient
is no fun if you are using a variety of HTTP methods. So I switched to RestSharp:
RestClient client = new RestClient(baseUrl);
client.Authenticator = new NtlmAuthenticator();
- Visual Studio特别说明:您必须以管理员身份启动Visual Studio,否则模拟将无法在IIS Express上使用!
- IIS的特殊说明:应用程序池必须使用
Classic
托管管道模式". - 特别说明(测试时):首先,API要求我进行身份验证,但不应进行身份验证.原因很简单:开发机器上的用户
user1
的密码与目标机器上的user1
的密码相同... - Special note for Visual Studio: You have to start Visual Studio as administrator or else the impersonation will not work on IIS Express!
- Special note for IIS: The application pool has to use
Classic
"Managed pipeline mode". - Special note (while testing): At first, the API asked me to authenticate, which it should not. The reason was quite simple: My user
user1
on my development machine had another password then theuser1
on my target machine...
我希望这对某人有帮助.
I hope this helps someone.
这篇关于使用ASP.NET设置模拟的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!