ASP.NET MVC 中的模拟 [英] Impersonation in ASP.NET MVC
问题描述
我在 Intranet 上有一个 MVC Web 应用程序,希望能够在我们的 FTP 服务器上创建文件以发送给外部合作伙伴.
I have a MVC web application on an intranet and want to be able to create files on our FTP server to send to outside partners.
模拟代码使用 WindowsImpersonationContext.
The code for impersonation uses the WindowsImpersonationContext.
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
StreamWriter sw = System.IO.File.CreateText("PathOnFTPServer");
sw.Write("data");
impersonationContext.Undo();
这是正在发生的事情以及我提出问题的原因:
Here's what's happening and the reason for my question:
预模拟
User.Identity.Name:[我的 Windows 凭据]
User.Identity.Name: [my windows credentials]
System.Security.Principal.WindowsIdentity.GetCurrent().名称:NT AUTHORITYNETWORK SERVICE
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITYNETWORK SERVICE
发布假冒
User.Identity:[我的 Windows 凭据]
User.Identity: [my windows credentials]
GetCurrent.Name:[我的 Windows 凭据]
GetCurrent.Name: [my windows credentials]
模拟撤销
User.Identity:[我的 Windows 凭据]
User.Identity: [my windows credentials]
GetCurrent.Name: NT AUTHORITYNETWORK SERVICE
GetCurrent.Name: NT AUTHORITYNETWORK SERVICE
因此,在我模拟之前,当前用户是系统帐户,但在模拟之后,它使用的是我的 Windows 域帐户,该帐户有权在 FTP 服务器上创建文本文件.该代码使用 Visual Studio Web 服务器在本地运行,但当我在测试服务器上的 IIS 上部署它时则不运行.
So, before I impersonate, the current user is the System Account but after impersonation, it is using my windows domain account which has permission to create text files on the FTP server. The code works locally using the visual studio web server but not when I deploy it on IIS on our test server.
我收到拒绝访问错误.假冒正确的用户时出现错误的原因是什么?
I'm getting an access denied error. What would be the reason for the error when the correct user is being impersonated?
推荐答案
Impersonation 允许机器对机器进行模拟,因此在进行模拟时客户端浏览器和服务器在同一页面上.当您随后尝试访问网络共享时,计算机不信任模拟的凭据.
Impersonation allows machine to machine impersonation, so the client browser and the server are on the same page when it comes to the impersonation. When you then attempt to access the network share, the computer doesn't trust the impersonated credentials.
您需要在 Active Directory 中为 IIS 机器启用委派.转到 Active Directory 用户和计算机,找到计算机,单击属性,然后单击信任计算机以进行委派".(您可能需要重新启动 IIS 才能使其工作,我不记得了).
You need to enable delegation for the IIS machine in Active Directory. Go to Active Directory Users and Computers, find the computer, click properties, and 'Trust computer for delegation'. (You might need to restart IIS for this to work, I don't remember).
我不完全理解比这更多的理论,但这应该有效.对不对别人可以评论!
There is way more theory than this that I don't fully understand, but this should work. Whether it is right or not someone else could comment on!
此外,它在您的开发机器上运行的原因是开发服务器作为开发人员运行,而不是(本地)网络服务.
Also, the reason it works on your development machine is that the development server runs as the developer, not (Local)Network Service.
一个不错的链接:
http://msdn.microsoft.com/en-us/library/cc949004.aspx
模拟和委托有什么区别?
模拟将原始调用者的身份传送到同一台计算机上的后端资源.委托将原始调用者的身份传送到运行服务的计算机以外的计算机上的后端资源.
Impersonation flows the original caller’s identity to back-end resources on the same computer. Delegation flows the original caller’s identity to back-end resources on computers other than the computer running the service.
例如,如果服务在 IIS 中运行而没有模拟,则该服务将使用 IIS 5.0 中的 ASP.NET 帐户或 IIS 6.0 中的网络服务帐户访问资源.通过模拟,如果客户端使用原始调用者的帐户进行连接,则服务将使用原始调用者的帐户而不是系统 ASP.NET 帐户访问同一台计算机上的 SQL Server 数据库等资源.除了 SQL Server 数据库可以位于远离服务的另一台计算机上之外,委托与此类似.
For example, if a service is running within IIS without impersonation, the service will access resources using the ASP.NET account in IIS 5.0, or the Network Service account in IIS 6.0. With impersonation, if the client is connecting using the original caller’s account, the service will access resources such as a SQL Server database on the same machine using the original caller’s account instead of the system ASP.NET account. Delegation is similar except that the SQL Server database could be on a different machine that is remote to the service.
这篇关于ASP.NET MVC 中的模拟的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
