模拟不工作 - 网络共享 [英] Impersonation NOT working - Network Share
问题描述
我创建了一个虚拟目录(IIS 7.0),它指向一个网络共享。此虚拟目录所在在我的Web应用程序根目录。
I have created a virtual Directory (IIS 7.0), which points to a network share. This virtual directory resides under my web application root.
我尝试使用带有域凭据的匿名访问。此外,我尝试使用模拟如下...
I tried using anonymous access with domain credentials. Also, I tried using impersonation as below...
<identity impersonate="true" userName="<supplied username>"
password="<supplied password>" />
问题:应用程序总是利用IUSR连接到该共享并得到拒绝访问。我需要强制我的应用程序使用的域名之上。
ISSUE: Application is always using IUSR to connect to that share and getting "ACCESS DENIED". I need to force my application to Use domain name above.
更新
1.在运行procmon中,我可以看到快速IO不允许的消息之前每次访问被拒绝。若其相关真的确定。
2.我怀疑这里双跳问题的症状。但不知道如何真正验证它,或者如何解决它没有真正改变身份验证Kerbros。
UPDATES
1. While running procmon I can see "FAST IO DISALLOWED" message everytime before access denied. Not really sure if its related.
2. I suspect symptoms of Double Hop Issue here. But don't know how really to validate it or how to get around it without really changing authentication to Kerbros.
谢谢!
推荐答案
默认运行IIS 7中集成模式。
你可以没有再冒充有
(你没有得到上模拟一个错误信息,但它只是不提升权限)
IIS 7 by default runs in "integrated mode".
You can no-longer impersonate there
(you don't get an error message on impersonation, but it just doesn't elevate privileges).
您需要的ASP.NET的应用程序池应用程序的切换到经典模式为了使用模拟。
请注意,这也意味着你失去所有依赖于集成模式的功能。
You need to switch the ASP.NET app-pool of your application to "classic mode" in order to use impersonation.
Note that this also means that you loose all the features that depend on integrated mode.
另一种可能的解决办法是创建指向SMB共享一个符号链接,给IUSR权限符号链接,而让操作系统处理其余部分(不知道其是否正常工作,并给予MSFT的纪录,我倒是猜测,事实并非如此)。
Another possible solution might be to create a symbolic link pointing to the smb share, giving IUSR permission to the symlink, and let the operating system handle the rest (don't know if that works, and given MSFT's track record, I'd guess that it doesn't).
mklink /d C:\inetpub\wwwroot\your_application_root\ShareName \\Server\ShareName\Directory
不过MKLINK requries的Windows Vista +,也就是说在Windows Server 2008 +
mklink however requries Windows Vista+, that is to say Windows Server 2008+
这篇关于模拟不工作 - 网络共享的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
