如何在没有用户密码的情况下获取 Alfresco 登录票,但使用用户主体名称 (UPN) 模拟用户 [英] How to get Alfresco login ticket without user password, but with impersonating user with user principal name (UPN)
问题描述
我正在编写一个 DLL,它具有在不使用用户密码的情况下获取 Alfresco 登录票的功能,仅使用用户主体名称 (UPN).我正在调用 alfresco REST API 服务 /wcservice.我在 Alfresco 中使用 NTLM.
I'm writing a DLL that has function for getting Alfresco login ticket without using user password, using only a user principal name (UPN). I’m calling alfresco REST API service /wcservice. I use NTLM in Alfresco.
我正在使用 WindowsIdentity 构造函数模拟用户,如下所述 http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentity.我检查并正确模拟了用户(我检查了 WindowsIdentity.GetCurrent().Name 属性).
I’m impersonating users using WindowsIdentity constructor as explained here http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingbyusingwindowsidentity. I checked and user is properly impersonated (I checked WindowsIdentity.GetCurrent().Name property).
模拟用户后,我尝试创建 HttpWebRequest 并使用 CredentialsCache.DefaultNetworkCredentials 设置其凭据.我收到错误:
After impersonating a user, I try to make HttpWebRequest and set its credentials with CredentialsCache.DefaultNetworkCredentials. I get the error:
The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
当我使用 new NetworkCredential("username", "P@ssw0rd") 设置请求凭据时,我得到 Alfresco 登录票证 (HttpStatusCode.OK, 200).
When I use new NetworkCredential("username", "P@ssw0rd") to set request credentials, I get Alfresco login ticket (HttpStatusCode.OK, 200).
有什么办法不用用户密码就可以拿到Alfresco登录票吗?
Is there any way that I can get Alfresco login ticket without user password?
这是我正在使用的代码:
Here is the code that I'm using:
private string GetTicket(string UPN) {
WindowsIdentity identity = new WindowsIdentity(UPN);
WindowsImpersonationContext context = null;
try {
context = identity.Impersonate();
MakeWebRequest();
}
catch (Exception e) {
return e.Message + Environment.NewLine + e.StackTrace;
}
finally {
if (context != null) {
context.Undo();
}
}
}
private string MakeWebRequest() {
string URI = "http://alfrescoserver/alfresco/wcservice/mg/util/login";
HttpWebRequest request = WebRequest.Create(URI) as HttpWebRequest;
request.CookieContainer = new CookieContainer(1);
//request.Credentials = new NetworkCredential("username", "p@ssw0rd"); // It works with this
request.Credentials = CredentialCache.DefaultNetworkCredentials; // It doesn’t work with this
//request.Credentials = CredentialCache.DefaultCredentials; // It doesn’t work with this either
try {
using (HttpWebResponse response = request.GetResponse() as HttpWebResponse) {
StreamReader sr = new StreamReader(response.GetResponseStream());
return sr.ReadToEnd();
}
}
catch (Exception e) {
return (e.Message + Environment.NewLine + e.StackTrace);
}
}
以下是来自 Alfresco stdout.log 的记录(如果有帮助的话):
Here are records from Alfresco stdout.log (if it helps in any way):
17:18:04,550 DEBUG [app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcservice/mg/util/login SID:7453F7BD4FD2E6A61AD40A31A37733A5
17:18:04,550 DEBUG [web.scripts.DeclarativeRegistry] Web Script index lookup for uri /mg/util/login took 0.526239ms
17:18:04,550 DEBUG [app.servlet.NTLMAuthenticationFilter] New NTLM auth request from 10.**.**.** (10.**.**.**:1229)
17:18:04,566 DEBUG [app.servlet.NTLMAuthenticationFilter] Processing request: /alfresco/wcservice/mg/util/login SID:7453F7BD4FD2E6A61AD40A31A37733A5
17:18:04,566 DEBUG [web.scripts.DeclarativeRegistry] Web Script index lookup for uri /mg/util/login took 0.400909ms
17:18:04,566 DEBUG [app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xe20882b7,Domain:<NotSet>,Wks:<NotSet>]
17:18:04,566 DEBUG [app.servlet.NTLMAuthenticationFilter] Client domain null
17:18:04,675 DEBUG [app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0x80000283,Target:AlfrescoServerA,Ch:197e2631cc3f9e0a]
推荐答案
我已经解决了问题!
我相信我们有一个 双跳问题.
为了解决这个问题,必须这样做:
This is what had to be done to solve this problem:
- 运行我的 DLL 的用户必须是 Windows Server 2003 域用户
- 使用我的 DLL 的服务必须具有注册服务主体名称在域控制器与用户运行它(运行我的 DLL 的用户)
- 运行我的 DLL 的用户不得具有帐户敏感,不能在域中选择了委派选项控制器
- 运行我的 DLL 的用户必须具有信任此用户进行委派任何服务(仅限 Kerberos) 或 信任该用户委托给仅指定服务选项在域控制器中选择(如果用户在 Windows Server 2003 中功能域这个选项是仅在您注册时可用服务主体名称与此用户)
- 运行我的 DLL 的用户必须将 TrustedToAuthForDelegation 用户帐户控制 (UAC) 设置为 true
- 运行服务的计算机使用我的 DLL 必须具有 信任计算机委托给任何服务(Kerberosonly) 或 信任计算机委托给指定的服务域中仅选择了选项控制器
- User that runs my DLL must be Windows Server 2003 domain user
- Service that uses my DLL must have registered Service Principal Name in Domain controller with user that runs it (user that runs my DLL)
- User that runs my DLL must not have Account is sensitive and cannot be delegated option selected in Domain controller
- User that runs my DLL must have Trust this user for delegation to any service (Kerberos only) or Trust this user for delegation to specified services only option selected in Domain controller (if the user is in Windows Server 2003 functional domain this option is available only when you register Service Principal Name with this user)
- User that runs my DLL must have TrustedToAuthForDelegation user account control (UAC) set to true
- Computer that runs service that uses my DLL must have Trust computer for delegation to any service (Kerberos only) or Trust computer for delegation to specified services only option selected in Domain Controller
这一切(以及更多)在 Microsoft 文档 Kerberos 委派故障排除.它包含:
This all (and more) is explained in Microsoft document Troubleshooting Kerberos Delegation. It contains:
- Active Directory 清单,
- 客户申请清单,
- 中间层检查清单,
- 后端检查清单
加上
- 常见的配置示例场景.
设置 TrustedToAuthForDelegation 用户帐户控制 (UAC) 是通过 Active Directory cmdlet 在 PowerShell 中完成的,这里.
Setting TrustedToAuthForDelegation user account control (UAC) is done in PowerShell by Active Directory cmdlet explained here.
您可以阅读有关 ASP.NET 2.0 中的 Windows 身份验证的更多信息.
You can read more about Windows Authentication in ASP.NET 2.0.
当然,Alfresco 必须启用 Kerberos 登录.
Of course, Alfresco must have Kerberos login enabled.
这篇关于如何在没有用户密码的情况下获取 Alfresco 登录票,但使用用户主体名称 (UPN) 模拟用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
