模拟在ASP.NET MVC [英] Impersonation in ASP.NET MVC
问题描述
我在Intranet一个MVC Web应用程序,并希望能够创造我们的FTP服务器上的文件发送给外部合作伙伴。
I have a MVC web application on an intranet and want to be able to create files on our FTP server to send to outside partners.
在code为模拟使用WindowsImpersonationContext。
The code for impersonation uses the WindowsImpersonationContext.
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
StreamWriter sw = System.IO.File.CreateText("PathOnFTPServer");
sw.Write("data");
impersonationContext.Undo();
下面是正在发生的事情和我的问题的原因:
Here's what's happening and the reason for my question:
pre假冒
User.Identity.Name:我的Windows凭据]
User.Identity.Name: [my windows credentials]
System.Security.Principal.WindowsIdentity.GetCurrent()名称:NT AUTHORITY \\ NETWORK SERVICE
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE
邮政假冒
User.Identity:我的Windows凭据]
User.Identity: [my windows credentials]
GetCurrent.Name:我的Windows凭据]
GetCurrent.Name: [my windows credentials]
冒充撤消
User.Identity:我的Windows凭据]
User.Identity: [my windows credentials]
GetCurrent.Name:NT AUTHORITY \\ NETWORK SERVICE
GetCurrent.Name: NT AUTHORITY\NETWORK SERVICE
所以,我冒充之前,当前用户是系统帐号,但模拟之后,它被使用的有权限到FTP服务器上创建的文本文件我的Windows域帐户。在code工作在本地使用Visual Studio的Web服务器而不是当我我们的测试服务器上部署它IIS。
So, before I impersonate, the current user is the System Account but after impersonation, it is using my windows domain account which has permission to create text files on the FTP server. The code works locally using the visual studio web server but not when I deploy it on IIS on our test server.
我收到一个拒绝访问错误。什么是对,当正确的用户正在模拟的错误的原因?
I'm getting an access denied error. What would be the reason for the error when the correct user is being impersonated?
推荐答案
模拟允许机器对机器模拟,所以客户端浏览器和服务器都在同一页上,当涉及到的模拟。当你再尝试访问网络共享,计算机不信任的模拟凭据。
Impersonation allows machine to machine impersonation, so the client browser and the server are on the same page when it comes to the impersonation. When you then attempt to access the network share, the computer doesn't trust the impersonated credentials.
您需要启用代表团对IIS机器在Active Directory中。转到Active Directory用户和计算机,找到电脑,单击属性,和信任计算机作为委派。 (您可能需要重新启动IIS这个工作,我不记得了)。
You need to enable delegation for the IIS machine in Active Directory. Go to Active Directory Users and Computers, find the computer, click properties, and 'Trust computer for delegation'. (You might need to restart IIS for this to work, I don't remember).
有比这一点,我不完全理解的方式更多的理论,但这应该工作。无论是对还是不是别人可以发表评论!
There is way more theory than this that I don't fully understand, but this should work. Whether it is right or not someone else could comment on!
另外,它的工作原理在开发机器上的原因是开发服务器运行作为开发人员,而不是(本地)\\ Network服务。
Also, the reason it works on your development machine is that the development server runs as the developer, not (Local)\Network Service.
有一个像样的链接:
<一个href=\"http://msdn.microsoft.com/en-us/library/cc949004.aspx\">http://msdn.microsoft.com/en-us/library/cc949004.aspx
什么是模拟和代表团之间的区别?
模拟流动原始调用者的身份到后端在同一台计算机上的资源。代表团流动原始调用者的身份到后端资源不是运行服务的计算机的其他计算机上。
Impersonation flows the original caller’s identity to back-end resources on the same computer. Delegation flows the original caller’s identity to back-end resources on computers other than the computer running the service.
例如,如果服务在IIS中运行的不带模拟,该服务将访问使用ASP.NET账户资源在IIS 5.0,或网络服务帐户在IIS 6.0中。使用模拟,如果客户端使用原调用方的账户连接,该服务将使用原调用方的帐户,而不是系统ASP.NET帐户访问资源,如在同一台机器上的SQL Server数据库。代表团是除了SQL Server数据库可能是一个不同的机器是远程的服务类似。
For example, if a service is running within IIS without impersonation, the service will access resources using the ASP.NET account in IIS 5.0, or the Network Service account in IIS 6.0. With impersonation, if the client is connecting using the original caller’s account, the service will access resources such as a SQL Server database on the same machine using the original caller’s account instead of the system ASP.NET account. Delegation is similar except that the SQL Server database could be on a different machine that is remote to the service.
这篇关于模拟在ASP.NET MVC的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
