Impersonate with Delegation or More than one hop on Kerberos? Completely lost
Question
My issue here is how to deal with security and a proper implementation of impersonation which will work from a client machine and authenticate properly to my IIS server, which passes the still-valid impersonation ticket along with the LDAP request.
My system is an independent server running on my company intranet which hosts the domain controller, LDAP server, etc., and uses the Kerberos protocol.
- System info: IIS7 on Windows 7 x64 using Windows Authentication and Impersonation
- Network info: IIS 6, LDAP, Kerberos
Here is my VB.NET method.
Imports System.DirectoryServices
Imports System.Web
Imports System.Web.Hosting

Protected FirstName, LastName, EMail As String

' Escapes the RFC 4515 filter metacharacters so a caller-supplied value cannot
' change the shape of the LDAP query (LDAP filter injection).
Protected Shared Function EscapeLdapFilter(ByVal value As String) As String
    Dim sb As New System.Text.StringBuilder()
    For Each c As Char In value
        Select Case c
            Case "\"c : sb.Append("\5c")
            Case "*"c : sb.Append("\2a")
            Case "("c : sb.Append("\28")
            Case ")"c : sb.Append("\29")
            Case ControlChars.NullChar : sb.Append("\00")
            Case Else : sb.Append(c)
        End Select
    Next
    Return sb.ToString()
End Function

Protected Sub Lookup(ByVal UserName As String)
    ' Normalise DOMAIN\user to the bare sAMAccountName.
    UserName = Trim(UserName)
    UserName = Replace(UserName, "\", "/")
    UserName = Right(UserName, Len(UserName) - InStr(1, UserName, "/"))
    ' Run the query under the application's configured identity (the
    ' authenticated browser user when <identity impersonate="true"/> is set). 'ADDED
    Using HostingEnvironment.Impersonate()
        Dim directoryEntry As New DirectoryEntry("LDAP://dl/DC=dl,DC=net")
        'directoryEntry.AuthenticationType = AuthenticationTypes.Delegation 'REMOVED
        Dim ds As New DirectorySearcher(directoryEntry)
        Dim r As SearchResult
        Try
            ds.PropertiesToLoad.Add("givenName")          'First Name
            ds.PropertiesToLoad.Add("sn")                 'Last Name
            ds.PropertiesToLoad.Add("mail")               'Email
            ds.PropertiesToLoad.Add("userPrincipalName")  'Fallback when mail is absent
            ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapFilter(UserName) & "))"
            r = ds.FindOne() 'Query LDAP; find record with UserName.
            If r Is Nothing Then Exit Sub 'No such account; leave the fields empty.
            'Populate the variables retrieved from LDAP.
            FirstName = If(r.Properties.Contains("givenName"), Trim(CStr(r.Properties("givenName")(0))), "")
            LastName = If(r.Properties.Contains("sn"), Trim(CStr(r.Properties("sn")(0))), "")
            If r.Properties.Contains("mail") Then
                EMail = Trim(CStr(r.Properties("mail")(0)))
            Else
                EMail = If(r.Properties.Contains("userPrincipalName"), Trim(CStr(r.Properties("userPrincipalName")(0))), "")
            End If
            EMail = EMail.ToLower()
        Catch ex As Exception
            'Error Logging to Database Here
        End Try
    End Using
End Sub
Please ask any questions necessary to get the information you need to help me. I've been researching this for weeks, and it seems that impersonation has such an insane number of variables that I could easily get lost. I just can't figure out how to implement this in my code... I'm still fairly new to .NET :(
Answer
You shouldn't need to configure an AuthenticationType for this to work. You will, however, need to ensure that the service account (or computer account, if Network Service) hosting the code above is allowed to delegate to the LDAP service on all of the DCs in your environment.
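The "more than one hop" in the title is the Kerberos double-hop: the browser authenticates to IIS, and IIS then needs to present the user's identity to a second service (LDAP on a DC). The service ticket IIS received is only good for IIS, so the account IIS runs as must be explicitly permitted to obtain tickets to the LDAP service on the user's behalf. The following PowerShell is an added example of that configuration, not part of the original question or answer. It assumes the DNS domain dl.net from the question's LDAP path, an application-pool account named svc-iisapp, a web host intranet.dl.net and a site named "Default Web Site"; adjust those to your environment. It requires the ActiveDirectory module and a domain-admin context.

```powershell
# Added example (not from the original post): grant the IIS application-pool
# account Kerberos constrained delegation to the LDAP service on every DC,
# then verify. Assumed names: domain dl.net, account svc-iisapp,
# web host intranet.dl.net, IIS site "Default Web Site".
Import-Module ActiveDirectory

$Domain      = 'dl.net'
$SvcAccount  = 'svc-iisapp'        # sAMAccountName of the app-pool identity
$WebHostFqdn = 'intranet.dl.net'   # host name users browse to
$SiteName    = 'Default Web Site'

# 1. Kerberos to IIS needs an HTTP SPN on the account that runs the pool.
#    Without it the browser silently falls back to NTLM, and NTLM gives IIS
#    nothing it can forward to the second hop.
setspn -S "HTTP/$WebHostFqdn" $SvcAccount
setspn -S "HTTP/$($WebHostFqdn.Split('.')[0])" $SvcAccount

# 2. With kernel-mode authentication (IIS 7 default) and a custom domain
#    account as pool identity, IIS must decrypt tickets with that account's key.
& "$env:windir\system32\inetsrv\appcmd.exe" set config $SiteName `
    /section:system.webServer/security/authentication/windowsAuthentication `
    /useAppPoolCredentials:true /commit:apphost

# 3. Build the LDAP SPNs for all DCs in the domain, in both forms a client
#    may request.
$ldapSpns = Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
    "ldap/$($_.HostName)"
    "ldap/$($_.HostName)/$Domain"
}

# 4. Constrained delegation: write msDS-AllowedToDelegateTo on the account.
#    -Add keeps any SPNs already listed. This is the ADUC setting
#    "Trust this user for delegation to specified services only".
Set-ADUser -Identity $SvcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $ldapSpns }

# 5. Verify. Every DC must appear, and the account must not be flagged
#    "sensitive and cannot be delegated", which overrides the setting above.
$acct = Get-ADUser -Identity $SvcAccount `
    -Properties msDS-AllowedToDelegateTo, AccountNotDelegated, ServicePrincipalName
$acct.ServicePrincipalName          | Sort-Object
$acct.'msDS-AllowedToDelegateTo'    | Sort-Object
if ($acct.AccountNotDelegated) {
    Write-Warning "$SvcAccount is marked 'sensitive and cannot be delegated'"
}
```

Two caveats a practitioner will want. First, constrained delegation (step 4) is the setting to use; "Trust this computer for delegation to any service" (unconstrained) lets a compromised web server reuse any visiting user's credentials against any service in the forest, which is far more than an address-book lookup needs. Second, delegation also depends on the end user: accounts marked "sensitive and cannot be delegated" or placed in the Protected Users group will authenticate to IIS fine and then fail at the LDAP hop, which is worth checking before suspecting the code.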