ASP.NET Authentication with Siteminder

Views: 559

Question

Our site is currently set up to use Windows authentication. The user security principal is set automatically by the time the request reaches our code, and authorization to specific files is controlled with authorization elements in our web.config.

We've now been mandated to install SiteMinder on our server to handle authentication. Because of this the user security principal is not set automatically, and without modification our code doesn't know who the user is in order to determine authorization.

I've developed the following code to solve that problem. It takes the user name from a header that SiteMinder injects into the request and creates a user security principal.

        // Global.asax.cs; needs: using System; using System.Security.Principal; using System.Web;
        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            // The SiteMinder web agent injects the authenticated user into a request
            // header in the form domain\user.
            string userSSO = HttpContext.Current.Request.Headers["SMUser"];

            if (!string.IsNullOrEmpty(userSSO))
            {
                // Convert the domain\user form SiteMinder gives us into the UPN form
                // user@domain that the WindowsIdentity(string) constructor expects.
                string[] delimiters = { "\\" };
                string[] aryUserSSO = userSSO.Split(delimiters, StringSplitOptions.RemoveEmptyEntries);
                if (aryUserSSO.Length != 2)
                {
                    return; // not domain\user; leave the request unauthenticated
                }

                // As posted: e.g. CORP\jsmith becomes jsmith@CORPdomain.com
                string UPN = aryUserSSO[1] + "@" + aryUserSSO[0] + "domain.com";

                // Create identity and principal objects from the UPN. This constructor
                // performs an S4U logon of the account on the server; it is not just a
                // string wrapper.
                WindowsIdentity identity = new WindowsIdentity(UPN, "WindowsAuthentication");
                WindowsPrincipal principal = new WindowsPrincipal(identity);

                HttpContext.Current.User = principal;
            }
        }

This code works fine as long as the identity of the AppPool in IIS is set to run as LocalSystem. However, if you set the identity of the AppPool to anything with fewer permissions, like NetworkService or ApplicationPoolIdentity, you get the following error message.

Server Error in '/Form1' Application.

Attempted to perform an unauthorized operation. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[UnauthorizedAccessException: Attempted to perform an unauthorized operation.]
   System.Security.Principal.WindowsIdentity.get_AuthenticationType() +300
   System.Web.Hosting.IIS7WorkerRequest.SetPrincipal(IPrincipal user, IntPtr pManagedPrincipal) +181
   System.Web.HttpContext.SetPrincipalNoDemand(IPrincipal principal, Boolean needToSetNativePrincipal) +701
   System.Web.HttpContext.set_User(IPrincipal value) +49
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +182
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +266

Version Information: Microsoft .NET Framework Version: 4.0.30319; ASP.NET Version: 4.0.30319.1022

Also, the event viewer on the server shows this.

The following exception was thrown by the web event provider 'EventLogProvider' in the application '/Form1' (in an application lifetime a maximum of one exception will be logged per provider instance):

System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
   at System.Security.Principal.WindowsIdentity.get_AuthenticationType()
   at System.Web.Management.EventLogWebEventProvider.AddWebRequestInformationDataFields(ArrayList dataFields, WebRequestInformation reqInfo)
   at System.Web.Management.EventLogWebEventProvider.ProcessEvent(WebBaseEvent eventRaised)
   at System.Web.Management.WebBaseEvent.RaiseInternal(WebBaseEvent eventRaised, ArrayList firingRuleInfos, Int32 index0, Int32 index1)

Per this article (The following exception was thrown by the web event provider 'EventLogProvider', http://stackoverflow.com/questions/8290791/the-following-exception-was-thrown-by-the-web-event-provider-eventlogprovider) I thought the problem must be that my code was trying to write to the EventLog but didn't have permissions. However, after following the steps outlined in this article (http://support.thycotic.com/KB/a220/giving-application-pool-access-to-event-log.aspx) it still doesn't work.

I'm hoping someone can tell me what my code is trying to do on the server that ApplicationPoolIdentity doesn't have access to do, so that we can figure out what additional permissions need to be granted to ApplicationPoolIdentity.

Answer

Your problem isn't SiteMinder but rather that you want to impersonate arbitrary user accounts, the names of which you're getting from the SiteMinder header.

 //now we create identity and princal objects using the UPN
 WindowsIdentity identity = new WindowsIdentity(UPN, "WindowsAuthentication");
 WindowsPrincipal principal = new WindowsPrincipal(identity);
 HttpContext.Current.User = principal;

In order to do this you'd need the "Act as part of the operating system" privilege.

As the MSDN article notes, LocalSystem already has this, which is why it worked when that was the account.

There are lots of warnings inside the article about why you shouldn't grant that privilege.

This does make me wonder exactly why you are doing this?
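The answer's point is that the privilege is only needed because the question's code logs the account on with WindowsIdentity(UPN). If the goal is just a principal that web.config authorization rules can evaluate, the header can be wrapped in a GenericPrincipal instead, which touches no Windows logon and therefore runs under ApplicationPoolIdentity. The following IHttpModule is an added example written for this page, not code from the original question or answer. It assumes the "SMUser" header name from the question, a hypothetical "SMRoles" header (comma-separated role names) for role-based rules, and, critically, that the SiteMinder web agent is the only network path to this IIS site: a request header is attacker-controlled unless a trusted agent in front of IIS strips client-supplied copies and sets its own, so if clients can reach IIS directly any of them can forge SMUser and become any user.

```csharp
// Added example (not from the original post): header-based principal without an S4U logon.
// Assumptions: the SiteMinder web agent injects "SMUser" (domain\user) as in the question,
// optionally a hypothetical "SMRoles" header (comma-separated), and the agent is the only
// network path to this IIS site; otherwise any client can forge these headers.
using System;
using System.Security.Principal;
using System.Web;

public class SiteMinderAuthModule : IHttpModule
{
    // "SMUser" is from the original page; "SMRoles" is a hypothetical addition.
    private const string UserHeader = "SMUser";
    private const string RolesHeader = "SMRoles";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        IPrincipal principal = BuildPrincipal(ctx.Request.Headers[UserHeader],
                                              ctx.Request.Headers[RolesHeader]);
        if (principal == null)
        {
            // No trustworthy identity: leave the request anonymous so the
            // <authorization> rules in web.config (e.g. deny users="?") reject it,
            // instead of throwing from the pipeline.
            return;
        }

        // GenericPrincipal is a plain managed object, so this assignment does not
        // hit WindowsIdentity.get_AuthenticationType and needs no extra privilege.
        ctx.User = principal;
    }

    // Returns null when the header is absent or malformed. Kept as a pure function
    // so it can be unit-tested without an HTTP pipeline.
    public static IPrincipal BuildPrincipal(string smUser, string smRoles)
    {
        if (string.IsNullOrWhiteSpace(smUser)) return null;

        // SiteMinder supplies DOMAIN\user; reject anything that is not exactly two parts.
        string[] parts = smUser.Split(new[] { '\\' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length != 2) return null;
        string domain = parts[0].Trim();
        string user = parts[1].Trim();
        if (domain.Length == 0 || user.Length == 0) return null;

        // Keep the canonical DOMAIN\user form as the Name so existing
        // <allow users="DOMAIN\user"/> entries written for Windows auth keep matching.
        var identity = new GenericIdentity(domain + "\\" + user, "SiteMinder");

        // Roles come from the (assumed) SMRoles header; Windows group membership is
        // not available because no token was built for the user.
        string[] roles = string.IsNullOrWhiteSpace(smRoles)
            ? new string[0]
            : Array.ConvertAll(smRoles.Split(','), r => r.Trim());

        return new GenericPrincipal(identity, roles);
    }
}
```

Register the module under system.webServer/modules in web.config (integrated pipeline) and remove the Application_AuthenticateRequest handler from Global.asax so the two do not both set User. The trade-off against the question's approach is that <allow roles="DOMAIN\Group"/> rules based on Active Directory groups stop working, because there is no Windows token to carry group SIDs; roles have to arrive as a SiteMinder response attribute or be looked up by the application itself.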

