ASP.NET Impersonation and SQL Server Trusted Connection Calls

Problem description

I am working on an ASP.NET page that we, in code impersonate the requesting user. We are using the following code to start impersonating.

Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()

After this we have validated that the application is running under the proper context by calling:

System.Security.Principal.WindowsIdentity.GetCurrent().Name

This returns the proper identity of the user, and file access and other items appear to be using their account. However, when using the Microsoft Application Data Application Block SqlHelper class to call out to a database using a trusted connection, authentication fails for the "NT AUTHORITY\ANONYMOUS LOGON" user.

We can re-validate after the failure that the current identity is still our desired account and NOT the ANONYMOUS LOGIN account.

Does anyone have an idea why this is? Or more specifically how we can get around it?

Edit: Some additional information about how the calls from these pages work.

We do the impersonate call from the .aspx page.

After we impersonate we call out to a "business logic" assembly that is referenced.

We know that the context identity is still correct here.

After that, the "business logic" assembly calls another assembly that actually executes the trusted connection call. We cannot modify this "data access" assembly, the authentication exception is reported by this assembly as well.

Recommended answer

I think @John Sonmez is right, you're hitting the Double Hop issue. Impersonation is only half of the story, you also need to look at Delegation (assuming your network is using Kerberos authentication). The articles below were the most useful in helping me through the same issue.

Impersonation and Delegation

ASP.NET Delegation
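
Added example, not part of the original question or answer: checking the identity name, as the question does, cannot distinguish a token that only works on the web server from one that can make the second hop, but the token's impersonation level can. The module and function names below are hypothetical; in the page from the question, pass `CType(User.Identity, System.Security.Principal.WindowsIdentity)` to `Describe` before the SqlHelper call.

```vbnet
Imports System
Imports System.Security.Principal

' Added example: hypothetical helper, not code from the original post.
Public Module DoubleHopDiagnostics

    ' True only when Windows marks the token as usable on remote systems,
    ' which is what the second hop (web server -> SQL Server) requires.
    Public Function CanMakeSecondHop(ByVal level As TokenImpersonationLevel) As Boolean
        Return level = TokenImpersonationLevel.Delegation
    End Function

    ' Explains what a given identity's token can be used for.
    Public Function Describe(ByVal identity As WindowsIdentity) As String
        Dim level As TokenImpersonationLevel = identity.ImpersonationLevel
        Dim prefix As String = String.Format("{0} (auth={1}, level={2}): ", _
            identity.Name, identity.AuthenticationType, level)

        Select Case level
            Case TokenImpersonationLevel.Delegation
                Return prefix & "can be used on remote systems, " & _
                    "including a trusted SQL Server connection."
            Case TokenImpersonationLevel.Impersonation
                Return prefix & "usable on this machine only (file access works); " & _
                    "a remote SQL Server typically sees NT AUTHORITY\ANONYMOUS LOGON."
            Case TokenImpersonationLevel.None
                Return prefix & "primary (process) token, not an impersonated caller."
            Case Else
                Return prefix & "identification or anonymous token; cannot act as the user."
        End Select
    End Function

    ' Console entry point so the helper can be tried outside IIS.
    Public Sub Main()
        Using current As WindowsIdentity = WindowsIdentity.GetCurrent()
            Console.WriteLine(Describe(current))
            Console.WriteLine("Second hop possible: " & _
                CanMakeSecondHop(current.ImpersonationLevel).ToString())
        End Using
    End Sub
End Module
```

A level of `Impersonation` together with the correct user name matches the symptoms in the question; the level only becomes `Delegation` once Kerberos delegation is set up for the account the web application runs under.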
