在IIS上运行时,模拟在ASP.NET Web应用程序无法正常工作 [英] Impersonation in ASP.NET web application does not work when running on IIS
问题描述
我工作的ASP.NET 4.0 MVC3 Web应用程序,在内部网环境中工作。该应用程序使用Windows身份验证。它的应用程序池是由已SPN在域控制器上设置的域用户运行。使用Kerberos(在IE和Firefox之后,一些额外的配置)。认证作品
I am working on ASP.NET 4.0 MVC3 web application that works in intranet environment. The application makes use of Windows authentication. Its application pool is run by domain user that has spn set on a domain controller. Authentication works using Kerberos (on IE and Firefox after some additional configuration).
现在我要上传文件到SharePoint,但对我来说要上传的文件作为当前登录到应用程序(使文件在SharePoint中创建与他/她的凭据)的用户是很重要的。
Now I want to upload files to sharepoint, but it's important for me to upload the file as the user currently logged in into the application (so the file is created on Sharepoint with his/her credentials).
我有以下的code。在 ResourceExists(URI URI)功能:
I have the following code in ResourceExists(Uri uri) function:
'...
Dim identity As System.Security.Principal.WindowsIdentity = HttpContext.User.Identity
Dim impersonationContext = identity.Impersonate()
response = request.GetResponse()
impersonationContext.Undo()
'...
该作品在本地运行的时候,但是当我部署到服务器我得到异常:
This works when running locally, but when I deploy to the server I get the exception:
System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n at WebDav.WebDavClient.ResourceExists(Uri uri)\r\n at Website.Website.WebdavController.Upload(HttpPostedFileBase file, UploadViewModel vm)
我读了一些有关传递的凭据,这是不可能的使用NTLM,但我相信我使用Kerberos(我检查了Wireshark的提琴手和头),我看到以下内容:
I read something about passing on the credentials, that is not possible with NTLM, but I am sure I am using Kerberos (I checked the headers with wireshark and fiddler) and I see the following:
Authorization: Negotiate YIIFpQYGKwYBBQUCoIIFmTCCBZWgJDAiBgkqhkiC9x...
任何想法,为什么在模拟IIS服务器上运行时不工作?
Any ideas why the impersonation does not work when running on the IIS server?
推荐答案
我在这里找到了答案:
http://support.microsoft.com/kb/810572
的Kerberos不能在负载平衡的体系结构中运行和IIS降回NTLM身份验证。因为你不能使用NTLM进行委派,任何应用程序或需要委派不起作用服务。欲了解更多信息,请单击下面的文章编号,以查看相应的Microsoft
"Kerberos does not work in a load-balanced architecture and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft"
而这正是这种情况。现在我试图与另一台机器,是不是负载平衡和它的作品。
And that was exactly the case. I tried now with another machine that is not load-balanced and it works.
这还是让我吃惊的唯一的事情就是身份ImpersonationLevel仍模仿不是代理 ...
The only thing that still surprises me is that ImpersonationLevel of the identity is still Impersonate not Delegate...
这篇关于在IIS上运行时,模拟在ASP.NET Web应用程序无法正常工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
