AD用户认证 [英] AD User Authentication

问题描述

我试图创建一个ASP.NET（.NET 3.5）的网站通过Exchange Web服务连接到我们的Exchange 2010服务器，我可以连接到EWS当我定义的用户名，密码和域进行身份验证，但我想，如果可能的话，不包括在我的code登录详细信息。

I am attempting to create an ASP.NET (.NET 3.5) website to connect to our Exchange 2010 server through Exchange Web Services, I am able to connect to EWS when I define the username, password and domain to authenticate with but I would like, if possible, to not include login details in my code.

在IIS我已经启用了集成Windows身份验证的网站，在该网站我有web.config中＆LT;身份验证模式=窗口/＆GT;

In IIS I have enabled Integrated Windows Authentication for the site, in web.config of the site I have <authentication mode="Windows"/>.

以下code是什么，我一直与沃金：

The following code is what I have been woking with:

svc.UseDefaultCredentials = True
svc.Credentials = New WebCredentials()
svc.Url = New Uri(svcURL)

通过上面的code我收到的消息：

With the above code I am receiving the message:

使作为帐户的请求不具有一个信箱时，就
  必须为所有尊贵的指定邮箱主SMTP地址
  文件夹的ID。

When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids.

当我尝试使用 svc.Credentials = CredentialCache.DefaultNetworkCredentials （在 svc.Credentials =新WebCredentials的（））我收到错误消息：

When I attempt to use svc.Credentials = CredentialCache.DefaultNetworkCredentials (in place of svc.Credentials = New WebCredentials()) I receive the error message:

无法投类型的对象System.Net.SystemNetworkCredential来
  键入'Microsoft.Exchange.WebServices.Data.ExchangeCredentials。

Unable to cast object of type 'System.Net.SystemNetworkCredential' to type 'Microsoft.Exchange.WebServices.Data.ExchangeCredentials'.

如前所述，那么只有在工作的事情是定义用户凭证通过硬编码的用户​​登录信息，进行身份验证，而我宁愿不做： svc.Credentials =新WebCredentials（用户名 ，密码，域）

As mentioned, the only thing that has worked is to define the user credentials to authenticate to by hardcoding user login details, which I would rather not do: svc.Credentials = New WebCredentials("username","password","domain")

任何人都已经能够使用当前的登录的用户在一个ASP.NET网站的凭据EWS验证？

Has anyone been able to authenticate to EWS using the credentials of the current logged in user in an ASP.NET website?

推荐答案

默认情况下，不可能从一台服务器（服务器在其上托管ASP.NET站点）到另一个委派用户的凭据（您的Exchange服务器）。这就是所谓的服务器跳和Windows将默认作为一种安全措施prevent它。

By default it is not possible to delegate a user's credentials from one server (the server on which you are hosting your ASP.NET site) to another (your Exchange server). This is known as a "server hop" and Windows will prevent it by default as a security measure.

您有几个选项来解决此问题：

You have a couple of options to work around this:

1. 使用Kerberos：：当启用Kerberos它使人们有可能使用Windows身份验证时，委派服务器之间的用户凭据。我不知道如何设置Kerberos作为我只是一个不起眼的开发者，但也许你的系统管理员可以帮助您的具体细节。据我所知，你需要设置你的ASP.NET服务器，以允许用户授权。


2. 设置IIS应用程序池的用户身份：：如果Kerberos是不是一种选择，你可能会改变你的ASP.NET站点在其下运行的应用程序池的标识。首先定义在IIS管理器中的新应用程序池。然后去到该应用程序池高级设置对话框，并设置身份被允许访问您的Exchange服务器的域用户。在这里的应用程序池标识更多信息：的http：/ /technet.microsoft.com/en-us/library/cc771170(v=WS.10).aspx 。


3. 设置的＆lt;同一性GT;元素：如果您由于某种原因无法更改应用程序池，您可以使用在＆lt试试你的ASP.NET网站的模拟;身份＆GT;元素web.config文件。 ASP.NET让你在注册表存储的凭据，这样你就不必把它们直接在您的web.config文件的选项。更多资讯： http://msdn.microsoft。 COM / EN-US /库/ 72wdk8cc（v = VS.90）的.aspx


4. 是在＆lt;的appSettings> ellement和加密：最后的选择我能想到的是简单地把凭据在你的web.config文件中正常＆LT;的appSettings>，然后加密整个＆LT; appSettings>部分。使用的你会然后只需读取从code中的的appSettings AppSettingsReader类。 .NET可以让你的web.config文件的加密部分开箱，你可以在不活动注意到，部分被加密读取设置。 .NET解密需要你的照顾。在此处了解详情： http://msdn.microsoft.com/en-us/library /zhhddkxy.aspx

1. Using Kerberos: When Kerberos is enabled it makes it possible to delegate user credentials between servers when using Windows authentication. I do not know the exact details on how to set up Kerberos as I am only a humble developer but maybe your system administrator can assist you. AFAIK, you need to set up your ASP.NET server to allow user delegation.
2. Setting the user identity of your IIS application pool: If Kerberos is not an option, you may change the identity of the application pool that your ASP.NET site is running under. First define a new application pool in IIS manager. Then go to the Advanced Settings dialog for that application pool and set the identity to a domain user that is allowed to access your Exchange server. More info on the application pool identity here: http://technet.microsoft.com/en-us/library/cc771170(v=WS.10).aspx.
3. Setting the <identity> element: If you for some reason cannot change the application pool, you may try impersonation of your ASP.NET web site using the <identity> element in your web.config file. ASP.NET gives you the option of storing the credentials in the registry so that you do not have to put them directly in your web.config file. More info here: http://msdn.microsoft.com/en-us/library/72wdk8cc(v=vs.90).aspx
4. Using the <appSettings> ellement and encryption: The last option I can think of is to simply put the credentials in your web.config file as normal <appSettings> and then encrypt the entire <appSettings> section. You would then simply read the appSettings from your code using the AppSettingsReader class. .NET allows you to encrypt sections of the web.config file out of the box and you can read the settings without event noticing that the section is encrypted. .NET takes care of decrypting for you. More info here: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

这篇关于AD用户认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！