Impersonate user to access file on remote server - Access denied

Views: 267

Problem description


I have an MVC web application that is supposed to allow users to download files that are stored as UNC paths in a database. These files can be in any number of locations on remote servers/shares.


E.g. Server 1 hosts the web application that is used to download a file stored on Server 2


I do not want to give permissions to these folders to the hosting service account, as the security should be dependent on what the user has access to. Therefore, I'm attempting to use Impersonation to retrieve the file.


When I debug on my local machine, everything works great. It impersonates my user and downloads the file.


When I deploy to my test server, I'm getting the following error:


Access to the path '\\Server2\SharedFolder\somefile.txt' is denied


I've tried various pieces from this Microsoft link, but am not having much luck.

Scenarios I've tried:

  1. Just giving the permission to the service account of the AppPool works fine, but as I said, isn't ideal
  2. Implementing the Impersonate a Specific User in Code from the above article, which works perfectly with a hard-coded user and password. This situation is also not ideal.
  3. Implementing the Impersonate the Authenticating User in Code from the above article. This seems to be exactly what I need, but this is what generates the Access Denied error.

The code I'm trying to get working:

using System.IO;
using System.Security.Principal;

// Impersonate the Windows-authenticated user for the duration of the file read
WindowsImpersonationContext impersonationContext =
    ((WindowsIdentity)User.Identity).Impersonate();
try
{
    // Code to read all bytes from the file path (UNC path stored in the database)
    byte[] fileBytes = File.ReadAllBytes(filePath);
}
finally
{
    impersonationContext.Undo(); // always revert, even if the read throws
}


I have logging, and System.Security.Principal.WindowsIdentity.GetCurrent().Name after the impersonation does return the intended user (my account instead of the service account), so it does appear to be working.


I thought maybe it was a double-hop thing, so I have also added SPNs for the server and the service account, making sure their Delegation in AD was set to allow for any service. That hasn't helped either.


This question seems to have the exact same problem as me, but there's no follow-up on what the final solution was. I did try the Process Monitor part, but it didn't help at all.


I'm at a loss to why Impersonation seems to be working, but I'm denied access to a file on a second server.


Update 1: I've played around more with my IIS settings and trying to get Kerberos properly set up. The only thing enabled in my IIS Authentication is "Windows Authentication".


When I spit out details after my Impersonate() call, I'm finding that ImpersonationLevel = Impersonation


Is that how it should be, or should that be returning Delegation?
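The distinction the question turns on is the token's impersonation level: a token at the Impersonation level lets the web process act as the user on the local machine, but reaching a share on a second server requires a Delegation-level (Kerberos) token, which is exactly what the double-hop setup has to provide. The helper below is an added example, not code from the original post; it assumes an ASP.NET application with Windows Authentication (so `User.Identity` is a `WindowsIdentity`), and the `log` delegate and `uncPath` value are placeholders supplied by the caller. It records the authentication type and impersonation level before attempting the read, fails with a message naming the real cause when a UNC path is requested without a Delegation-level token, and always reverts the impersonation.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added diagnostic helper (not from the original post). Assumes Windows
// Authentication is enabled so the caller can pass (WindowsIdentity)User.Identity;
// 'log' and 'uncPath' are placeholders supplied by the caller.
public static class ImpersonatedFileReader
{
    public static byte[] ReadAllBytesAsUser(WindowsIdentity identity, string uncPath, Action<string> log)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (string.IsNullOrEmpty(uncPath)) throw new ArgumentException("path required", "uncPath");

        // AuthenticationType tells you whether Kerberos or NTLM was negotiated; an NTLM
        // token cannot be delegated to a second hop, so a remote read fails even though
        // GetCurrent().Name shows the right user after Impersonate().
        log(string.Format("AuthenticationType={0}, ImpersonationLevel={1}, User={2}",
            identity.AuthenticationType, identity.ImpersonationLevel, identity.Name));

        bool isRemote = uncPath.StartsWith(@"\\", StringComparison.Ordinal);
        if (isRemote && identity.ImpersonationLevel != TokenImpersonationLevel.Delegation)
        {
            // Fail fast with a diagnostic instead of a bare "Access to the path is denied"
            throw new InvalidOperationException(
                "Token level is " + identity.ImpersonationLevel + "; reading " + uncPath +
                " on another server needs a Delegation-level token (Kerberos with delegation configured).");
        }

        WindowsImpersonationContext ctx = identity.Impersonate();
        try
        {
            // Under impersonation this should report the end user, not the app pool account
            log("Now running as " + WindowsIdentity.GetCurrent().Name);
            return File.ReadAllBytes(uncPath);
        }
        finally
        {
            ctx.Undo(); // always revert, even when the read throws
        }
    }
}
```

From an MVC controller action this would be called as `ImpersonatedFileReader.ReadAllBytesAsUser((WindowsIdentity)User.Identity, pathFromDatabase, msg => Trace.WriteLine(msg))`. The logged line is the check worth keeping: if it shows `AuthenticationType=NTLM` or `ImpersonationLevel=Impersonation` on the deployed server, the problem is in the Kerberos/SPN/delegation configuration rather than in the impersonation code itself.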

Accepted answer


It would seem the issue was mostly due to my setup with Kerberos and SPNs. I undid all my settings and re-registered my service account, and the Impersonation ended up working properly.


The issue now is that it only seems to work with Internet Explorer. Chrome and MobileIron are doing something different that prevents the ImpersonationLevel of Delegation. That's a whole other question...
