ASP.NET假冒NT AUTHORITY \\ IUSR但模仿是禁用的。 ASP.NET错误？ [英] ASP.NET impersonates NT AUTHORITY\IUSR but impersonation is disabled. ASP.NET bug?

问题描述

我在Windows 7上运行的ASP.NET 4.0应用程序/ IIS中的ASP.NET v4.0的经典之作应用程序池，它被配置为作为网络服务运行7.5。该应用程序有它连接到本地SQL Server实例的 Application_EndRequest 处理程序。在SQL连接字符串指定集成安全性= SSPI 。 Web.config中做的不的有＆LT;身份冒充=真/方式＆gt;

I have an ASP.NET 4.0 application running on Windows 7 / IIS 7.5 in the "ASP.NET v4.0 Classic" application pool, which is configured to run as Network Service. The application has an Application_EndRequest handler which connects to a local SQL Server instance. The SQL connection string specifies Integrated Security=SSPI. Web.config does not have <identity impersonate="true" />.

当我浏览到的http：//本地主机/测试网站/ ，以下抛出异常：

When I browse to http://localhost/TestSite/, the following exception is thrown:

System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'NT AUTHORITY\IUSR'.
   ...
   at System.Data.SqlClient.SqlConnection.Open()
   at Global.Application_EndRequest(Object sender, EventArgs e)

这是例外的不的，当我浏览到 HTTP抛出：//localhost/TestSite/default.aspx （在IIS中配置默认​​文档）或任何其他.aspx页面中;在应用程序中正确地连接到SQL Server为NT AUTHORITY \\ NETWORK SERVICE，这是一个有效的登录这些情况。

This exception is not thrown when I browse to http://localhost/TestSite/default.aspx (the default document configured in IIS) or any other .aspx page; in those cases the application correctly connects to SQL Server as "NT AUTHORITY\NETWORK SERVICE", which is a valid login.

为什么会ASP.NET模拟NT AUTHORITY \\ IUSR在EndRequest即使模拟被禁用？这是在ASP.NET中的错误？

下面的Global.asax.cs文件演示了此问题：

The following Global.asax.cs file demonstrates the problem:

public class Global : HttpApplication
{
    public Global()
    {
        this.BeginRequest += delegate { Log("BeginRequest"); };
        this.PreRequestHandlerExecute += delegate { Log("PreRequestHandlerExecute"); };
        this.PostRequestHandlerExecute += delegate { Log("PostRequestHandlerExecute"); };
        this.EndRequest += delegate { Log("EndRequest"); };
    }

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
        try
        {
            using (SqlConnection connection = new SqlConnection("Server=.;Integrated Security=SSPI"))
            {
                connection.Open();
            }
        }
        catch (Exception ex)
        {
            Trace.WriteLine(ex);
        }
    }

    private static void Log(string eventName)
    {
        HttpContext context = HttpContext.Current;
        Type impersonationContextType = typeof(HttpContext).Assembly.GetType("System.Web.ImpersonationContext", true);
        Trace.WriteLine(string.Format("ThreadId={0} {1} {2} Impersonating={3}",
            Thread.CurrentThread.ManagedThreadId,
            context.Request.Url,
            eventName,
            impersonationContextType.InvokeMember("CurrentThreadTokenExists", BindingFlags.NonPublic | BindingFlags.Static | BindingFlags.GetProperty, null, context, null)));
    }
}

下面是跟踪输出：

ThreadId=3 http://localhost/TestSite/ BeginRequest Impersonating=False
ThreadId=3 http://localhost/TestSite/ PreRequestHandlerExecute Impersonating=False
ThreadId=7 http://localhost/TestSite/default.aspx BeginRequest Impersonating=False
ThreadId=7 http://localhost/TestSite/default.aspx PreRequestHandlerExecute Impersonating=False
ThreadId=7 http://localhost/TestSite/default.aspx PostRequestHandlerExecute Impersonating=False
ThreadId=7 http://localhost/TestSite/default.aspx EndRequest Impersonating=False
ThreadId=7 http://localhost/TestSite/ PostRequestHandlerExecute Impersonating=True
ThreadId=7 http://localhost/TestSite/ EndRequest Impersonating=True
System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'NT AUTHORITY\IUSR'.
   ...
   at System.Data.SqlClient.SqlConnection.Open()
   at Global.Application_EndRequest(Object sender, EventArgs e)

请注意，为测试网站/ 的请求（它被映射到 DefaultHttpHandler ）似乎酿出的嵌套的的请求测试网站/ Default.aspx的（它被映射到 ASP.default_aspx ）。 ASP.NET处理完之后测试网站/ Default.aspx的，冒充NT AUTHORITY \\ IUSR，当它恢复处理请求测试网站/ 。

Note that a request to TestSite/ (which is mapped to DefaultHttpHandler) seems to spawn a nested request to TestSite/default.aspx (which is mapped to ASP.default_aspx). After ASP.NET finishes processing TestSite/default.aspx, it impersonates "NT AUTHORITY\IUSR" when it resumes processing the request to TestSite/.

更新：我已经提交了这个问题<一href=\"http://connect.microsoft.com/VisualStudio/feedback/details/742531/asp-net-impersonates-nt-authority-iusr-but-impersonation-is-disabled\">Microsoft连接。

UPDATE: I've submitted this issue to Microsoft Connect.

推荐答案

最有可能，为您的服务器，网站或应用程序的设置选项，使匿名身份验证模式会导致页面请求，以作为IUSR用户进行处理。不要紧，你的应用程序不要求模拟; IIS是迫使它。 （顺便说一句，模仿是Windows的土地通称假设另一个用户的凭据，这是不特定于ASP.NET。）

Most likely, the settings for your server, site or application are set so that "Anonymous Authentication" mode causes page requests to be handled as the IUSR user. It doesn't matter that your application is not requesting impersonation; IIS is forcing it. (By the way, "impersonation" is generic term in Windows-land for assuming another user's credentials. It is not specific to ASP.NET.)

一点背景：


出于安全原因，IIS允许你的服务器场下不同的系统凭据匿名和验证的请求。

A bit of background:

For security reasons, IIS allows your server to field "anonymous" and "authenticated" requests under different system credentials.

现在，在IIS 7.5中，如果您启用匿名身份验证和窗体身份验证（这是典型的），你的网站用户通过表单登录之前，它认为你的用户匿名。用户使用窗体身份验证登录后，它认为你的用户身份验证。

Now, in IIS 7.5, if you have both anonymous authentication and Forms authentication enabled (which is typical), before your website user logs in via Forms, it considers your user "anonymous". After your user logs in with Forms Auth, it considers your user "authenticated."

我发现这种行为，首先因为它是从IIS 6.0，这是不知道窗体身份验证的变化令人费解，并认为一切形式验证的用户是匿名的！

I found this behavior confusing at first because it's a change from IIS 6.0, which wasn't aware of Forms auth, and considered all Forms-Authenticated users to be anonymous!

如果你愿意，你可以改变下的匿名请求派出的身份。我的preference（这听起来像你太）是他们下的同一系统的凭据，我的网站的应用程序池运行以使IIS做到这一点，请执行以下操作：

If you want, you can change the identity under which anonymous requests are fielded. My preference (and it sounds like yours too) is that they run under the same system credentials as my site's app pool. To make IIS do that, do the following:

1. 打开IIS管理器（inetmgr）


2. 在连接面板中，向下钻取到你的网站的节点，然后选择它


3. 在右侧面板中的IIS组下，双击身份验证图标。


4. 在匿名身份验证，从上下文菜单中单击鼠标右键，选择编辑...。


5. 在弹出的对话框中，选择应用程序池标识单选按钮。


6. 单击确定。

步骤5也搞不清楚我在第一，因为我觉得应用程序池标识的意思是应用程序池伪帐户（IIS 7.5中的另一个新功能）。它真正的意思，当然，是同一帐户的应用程序池配置为下运行，不管它是什么。

Step 5 also confused me at first, because I thought "application pool identity" meant "the application pool pseudo-account" (another new feature in IIS 7.5). What it really means, of course, is "the same account the app pool is configured to run under, whatever that is."

如果你想要的服务器，甚至一个特定的网站下单只是应用这种行为在默认情况下为所有的网站，你可以配置在这些级别的身份验证选项了。只需选择要在连接窗格中配置的节点，然后重复步骤3-6。

If you want this behavior by default for all of your websites on that server, or even just single application under a particular site, you can configure the authentication options at those levels too. Just select the node you want to configure in the Connections pane, then repeat steps 3-6.

这篇关于ASP.NET假冒NT AUTHORITY \\ IUSR但模仿是禁用的。 ASP.NET错误？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！