使用 ASP.NET 和 TFS api 的直通(模拟)身份验证 [英] Passthrough (impersonation) authentication with ASP.NET and TFS api

问题描述

我正在尝试在使用 TFS2010 API 的 ASP.NET 网站内启用直通或模拟身份验证.

I'm trying to enable passthrough or impersonation authentication inside an ASP.NET website that uses the TFS2010 API.

我在使用 Cassini 时可以正常工作，但是使用 IIS 7.5 (Windows 7) 时出现问题.

I've got this working correctly with Cassini, however with IIS 7.5 (Windows 7) something is going wrong.

我发现 这篇博文 ，并尝试了以下内容:

I found this blog post on the subject, and tried the following:

private static void Test()
{
    TfsTeamProjectCollection baseUserTpcConnection = 
            new TfsTeamProjectCollection(new Uri(Settings.TfsServer));
    
    // Fails as 'baseUserTpcConnection' isn't authenticated
    IIdentityManagementService ims = 
            baseUserTpcConnection.GetService<IIdentityManagementService>();
    
    // Read out the identity of the user we want to impersonate
    TeamFoundationIdentity identity = ims.ReadIdentity(
            IdentitySearchFactor.AccountName, 
            HttpContext.Current.User.Identity.Name,
            MembershipQuery.None, 
            ReadIdentityOptions.None);

    TfsTeamProjectCollection impersonatedTpcConnection = new 
            TfsTeamProjectCollection(new Uri(Settings.TfsServer), 
            identity.Descriptor);
}

当我使用 Cassini 时，除此之外什么都不需要

When I use Cassini nothing is needed besides

collection = new TfsTeamProjectCollection(new Uri(server));

我已启用 web.config 设置(并安装了 Windows Auth 模块):

I have enabled the web.config settings (and have the Windows Auth module installed):

<authentication mode="Windows"/>
<identity impersonate="true" />

有什么明显我遗漏的地方吗?

Is there something obvious that I've missed out?

推荐答案

解决方案 1

这是委托方法.正如 Paul 指出的，这是您活动目录中的一个设置:

Solution 1

This is the delegation method. As Paul points out it's a single setting in your active directory:

1. 在Active Directory 用户和计算机"的计算机节点中找到 IIS 服务器.控制台.

1. Find the IIS server in the computers node of the "Active Directory users and Computers" console.

点击委托选项卡，然后选择第二个选项:

Click on the delegation tab, and select the second option:

在您的 IIS 根文件夹中创建一个缓存"目录

Create a 'Cache' directory in your IIS root folder

将以下内容添加到您的 web.config:

Add the following to your web.config:

1. 确保您的 web.config 包含:




1. 在 IIS 身份验证中打开 Windows 身份验证和模拟并禁用其他所有内容:

避免上述步骤的另一种解决方案是在 TFS:8080 站点下简单地将您的应用程序作为新应用程序运行.当您在与您的应用正在调用的网络服务相同的上下文中运行时，跳跃问题将被移除.

Another solution to avoid the steps above is to simply run your application under the TFS:8080 site, as a new application. The hop issue is then removed as you are running in the same context as the web service that your app is calling.

• 创建一个新的应用程序池，使用网络标识.
• 确保您的应用程序已关闭匿名身份验证
• 确保它已打开 Windows 身份验证.
• 添加 到网络配置.

• Create a new app pool, use network identity.
• Make sure your application has anonymous authentication turned off
• Make sure it has windows authentication turned on.
• Add <identity impersonate="true" /> to the web config.

这篇关于使用 ASP.NET 和 TFS api 的直通(模拟)身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！