Tridion CoreService 身份验证/模拟 [英] Tridion CoreService Authentication/Impersonation

问题描述

我开发了一个使用核心服务的 .Net 库.该库从工作流自动化决策中的 VBScript 调用，并使用核心服务执行与该工作流过程相关的一些活动.

I have developed a .Net Library that uses the Core Service. This library is called from VBScript from a Workflow Automated Decision and uses Core Service to perform some activities related to that workflow process.

我能够使用我们为 Tridion 拥有的服务帐户成功连接到该服务:

I was able to successfully connect to the service using a service account we have for Tridion:

CoreServiceClient client = new CoreServiceReference.CoreServiceClient(
                                                       binding, endpoint);
client.ChannelFactory.Credentials.Windows.ClientCredential = 
        new NetworkCredential(serviceAccountUsername, serviceAccountPassword);
client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = 
        System.Security.Principal.TokenImpersonationLevel.Delegation;

相关绑定属性设置如下:

With the relevant binding attributes set as the following:

binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = 
        HttpClientCredentialType.Windows;

我遇到的问题是，当我调用核心服务时，我在 CMS 框上收到以下 Tridion 内容管理器错误:

The problem I am having is that when I make calls to the Core Service, I am getting the following Tridion Content Manager error on the CMS box:

用户 NT AUTHORITY\NETWORK SERVICE 的访问被拒绝.

Access is denied for the user NT AUTHORITY\NETWORK SERVICE.

如何配置我的客户端，以便使用 Tridion 服务帐户而不是 NT AUTHORITY\NETWORK SERVICE 执行操作?

How can I configure my client so that the operations are performed using the Tridion service account instead of NT AUTHORITY\NETWORK SERVICE?

推荐答案

如果您想在服务帐户下运行，您可能应该使用 SessionAwareCoreServiceClient 然后模拟您要使用的帐户.

If you want to run under a service account, you should probably be using a SessionAwareCoreServiceClient and then impersonate the account you want to use.

var client = new SessionAwareCoreServiceClient(binding, endpoint);
client.Impersonate("Administrator");

但由于我的大多数核心服务客户端实际上都打算在不同的机器上运行，所以我不能使用 Impersonate(至少在不引入 巨大em> 安全漏洞)，所以我像这样初始化我的客户端:

But since most of my Core Service clients are actually meant to run on a different machine, I can't use Impersonate (at least not without introducing a huge security leak), so instead I initialize my clients like this:

var client = ...
var credentials = CredentialCache.DefaultNetworkCredentials;
if (!string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(password))
{
    credentials = new NetworkCredential(userName, password);
}
client.ChannelFactory.Credentials.Windows.ClientCredential = credentials;

这篇关于Tridion CoreService 身份验证/模拟的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！