Impersonate with Delegation or More than one hop on Kerberos? Completely lost


Question


My issue here is how to deal with security and a proper implementation of impersonation which will work from a client machine and authenticate properly to my IIS server which passes the still valid impersonation ticket along with the LDAP request.


My System is an independent server running on my company intranet which hosts the domain controller, LDAP server, etc, and uses Kerberos protocol.

  • System info: IIS7 on Windows 7 x64 using Windows Authentication and impersonation
  • Network info: IIS 6, LDAP, Kerberos


Here is my VB.NET method.

Imports System.DirectoryServices
Imports System.Web

Protected FirstName, LastName, EMail As String
Protected Sub Lookup(ByVal UserName As String)
    'Accept DOMAIN\user or a bare user name and keep only the account name.
    UserName = Trim(UserName)
    UserName = Replace(UserName, "\", "/")
    UserName = Right(UserName, Len(UserName) - InStr(1, UserName, "/"))
    'Escape LDAP filter metacharacters (RFC 4515) so a caller-supplied name
    'cannot change the meaning of the filter built below.
    UserName = UserName.Replace("\", "\5c").Replace("*", "\2a") _
                       .Replace("(", "\28").Replace(")", "\29") _
                       .Replace(vbNullChar, "\00")

    'Run the query as the authenticated web user rather than the app pool identity.
    Using (Hosting.HostingEnvironment.Impersonate) 'ADDED
        Using directoryEntry As New DirectoryEntry("LDAP://dl/DC=dl,DC=net")
            'directoryEntry.AuthenticationType = AuthenticationTypes.Delegation 'REMOVED
            Using ds As New DirectorySearcher(directoryEntry)
                Try
                    ds.PropertiesToLoad.Add("givenName")         'First Name
                    ds.PropertiesToLoad.Add("sn")                'Last Name
                    ds.PropertiesToLoad.Add("mail")              'Email
                    ds.PropertiesToLoad.Add("userPrincipalName") 'Fallback when mail is empty

                    ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & UserName & "))"
                    Dim r As SearchResult = ds.FindOne() 'Query LDAP; find record with UserName.
                    If r Is Nothing Then
                        'No matching account; leave the fields empty.
                        Return
                    End If

                    'Populates all the variables retrieved from LDAP.
                    FirstName = If(r.Properties.Contains("givenName"), Trim(CStr(r.Properties("givenName").Item(0))), "")
                    LastName = If(r.Properties.Contains("sn"), Trim(CStr(r.Properties("sn").Item(0))), "")
                    If r.Properties.Contains("mail") Then
                        EMail = Trim(CStr(r.Properties("mail").Item(0)))
                    Else
                        EMail = If(r.Properties.Contains("userPrincipalName"), Trim(CStr(r.Properties("userPrincipalName").Item(0))), "")
                    End If
                    EMail = EMail.ToLower()
                Catch ex As Exception
                    'Error Logging to Database Here
                End Try
            End Using
        End Using
    End Using
End Sub


Please ask any questions necessary to get the information you need to help me. I've been researching this for weeks and it seems that Impersonation has such an insane number of variables that I could easily get lost. I just can't figure out how to implement this in my code... I'm still fairly new to .NET :(

Answer


You shouldn't need to configure an AuthenticationType for this to work. You will however need to ensure that the service account (or computer account if network service) hosting the code above is allowed to delegate to the LDAP service on all of the DCs in your environment.
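The delegation setup the answer describes, written out as an added example (not part of the original question or answer). It grants the account hosting the web app Kerberos constrained delegation to the LDAP service on every domain controller, which is the "second hop" the impersonated ticket needs. The account name `svc-iisapp`, the domain `dl.net` and the site name `intranet.dl.net` are assumed placeholders; substitute your own. Constrained delegation is used deliberately rather than the "Trust this computer for delegation to any service" (unconstrained) setting, because unconstrained delegation hands the service a reusable copy of every visiting user's TGT.

```powershell
# Added example: configure and verify Kerberos constrained delegation for the
# identity that runs the IIS application pool, so the impersonated user's
# ticket can be forwarded to LDAP on any DC.
# Assumed (hypothetical) names: app pool runs as domain user 'svc-iisapp' in
# 'dl.net'; browsers reach the site as http://intranet.dl.net.
# If the app pool runs as Network Service, use Set-ADComputer / Get-ADComputer
# against the IIS machine account instead of the *-ADUser calls below.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-iisapp'
$SiteHost       = 'intranet.dl.net'

# 1. The hosting account must own the HTTP SPN the browser requests a ticket
#    for. Without it the client silently falls back to NTLM, and NTLM cannot
#    be delegated, so the LDAP hop fails.
Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = "HTTP/$SiteHost"}

# 2. Allow delegation only to the LDAP service on each DC (constrained,
#    Kerberos-only). Both SPN forms registered on DCs are listed.
$ldapSpns = Get-ADDomainController -Filter * | ForEach-Object {
    "ldap/$($_.HostName)"
    "ldap/$($_.HostName)/$($_.Domain)"
}
Set-ADUser -Identity $ServiceAccount -Add @{'msDS-AllowedToDelegateTo' = $ldapSpns}

# 3. Make sure unconstrained delegation is NOT enabled on the account, and
#    show what was configured so it can be reviewed.
Set-ADUser -Identity $ServiceAccount -TrustedForDelegation $false
Get-ADUser -Identity $ServiceAccount `
    -Properties AccountNotDelegated, TrustedForDelegation, msDS-AllowedToDelegateTo, ServicePrincipalNames |
    Select-Object SamAccountName, AccountNotDelegated, TrustedForDelegation,
                  msDS-AllowedToDelegateTo, ServicePrincipalNames

# 4. The user being impersonated must not be flagged "Account is sensitive and
#    cannot be delegated" (AccountNotDelegated), or the DC refuses the hop.
#    Check a test user the same way:
Get-ADUser -Identity 'jsmith' -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated
```

Two further checks on the IIS side are worth making before blaming the delegation settings. First, on a client that has just browsed the site, `klist` should show a ticket for `HTTP/intranet.dl.net`; if it does not, the request was NTLM and nothing can be delegated. Second, on IIS 7 with a custom domain account as the app pool identity, Windows Authentication uses kernel-mode authentication with the machine account's key by default, so the HTTP ticket cannot be decrypted by the app pool account unless `useAppPoolCredentials="true"` is set on `system.webServer/security/authentication/windowsAuthentication`, or kernel-mode authentication is turned off.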

