Impersonation NOT working - Network Share


Problem description

I have created a virtual Directory (IIS 7.0), which points to a network share. This virtual directory resides under my web application root.

I tried using anonymous access with domain credentials. Also, I tried using impersonation as below...

<identity impersonate="true" userName="<supplied username>"
password="<supplied password>" />

ISSUE: Application is always using IUSR to connect to that share and getting "ACCESS DENIED". I need to force my application to use domain name above.

UPDATES
1. While running procmon I can see "FAST IO DISALLOWED" message every time before access denied. Not really sure if it's related.
2. I suspect symptoms of Double Hop Issue here. But don't know how really to validate it or how to get around it without really changing authentication to Kerberos.

Thanks!

Recommended answer

IIS 7 by default runs in "integrated mode".
You can no longer impersonate there
(you don't get an error message on impersonation, but it just doesn't elevate privileges).

You need to switch the ASP.NET app-pool of your application to "classic mode" in order to use impersonation.
Note that this also means that you lose all the features that depend on integrated mode.

Another possible solution might be to create a symbolic link pointing to the smb share, giving IUSR permission to the symlink, and let the operating system handle the rest (don't know if that works, and given MSFT's track record, I'd guess that it doesn't).

mklink /d C:\inetpub\wwwroot\your_application_root\ShareName \\Server\ShareName\Directory

mklink however requires Windows Vista+, that is to say Windows Server 2008+
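
The app-pool switch described in the answer above, as an added example that is not part of the original post: it finds the pool serving the application, reports its pipeline mode and identity, lists every other application that shares the pool (they lose integrated-mode features too), and only then switches to Classic. The site name and application path are placeholder assumptions; the script uses the WebAdministration module that ships with IIS 7+ and must run elevated.

```powershell
# Added example. $siteName and $appPath are assumptions, not values from the post.
Import-Module WebAdministration

$siteName = 'Default Web Site'          # assumption: site hosting the application
$appPath  = '/your_application_root'    # assumption: application path under the site

# Resolve the application pool that actually serves the application.
$app = Get-WebApplication -Site $siteName | Where-Object { $_.path -eq $appPath }
if (-not $app) { throw "Application '$appPath' not found under site '$siteName'." }

$poolName = $app.applicationPool
$poolPath = "IIS:\AppPools\$poolName"
$pool     = Get-Item $poolPath

# Report the current state before changing anything.
"Pool          : $poolName"
"Pipeline mode : $($pool.managedPipelineMode)"
"Pool identity : $($pool.processModel.identityType)"

# Changing the pipeline mode affects every application in the pool,
# so list the ones that would be switched along with this one.
$sharing = Get-WebApplication |
    Where-Object { $_.applicationPool -eq $poolName -and $_.path -ne $appPath }
if ($sharing) {
    "Other applications in this pool (also affected):"
    $sharing | ForEach-Object { "  $($_.path)" }
}

if ($pool.managedPipelineMode -ne 'Classic') {
    # -WhatIf previews the change; remove it to apply.
    Set-ItemProperty -Path $poolPath -Name managedPipelineMode -Value Classic -WhatIf
    # After applying, recycle the pool so the worker process picks up the new mode:
    # Restart-WebAppPool -Name $poolName
}
```

If other applications share the pool, moving this application to a dedicated pool first keeps the mode change from affecting them.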
