如何从控制台应用程序传递的Web API调用模拟用户使用Windows身份验证? [英] How to pass impersonated user in Web API call from Console App with Windows Authentication?
问题描述
我有一个控制台应用程序和一个Web API 2项目,在同一台服务器上运行两个。我安装我的控制台应用程序使用的HttpClient而冒充域帐户来调用一个RESTful端点在我的Web API。
I have a Console App and a Web API 2 project, both run on the same server. I have setup my Console App to call a RESTful endpoint in my Web API using HttpClient while impersonating a domain account.
Console.WriteLine("Setting up impersonator.");
using (new Impersonator(accountUsername, accountDomain, accountPwd))
{
Console.WriteLine("Impersonator set up.");
HttpClientHandler handler = new HttpClientHandler();
handler.UseDefaultCredentials = true;
Console.WriteLine("Executing as: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
using (var client = new HttpClient(handler))
{
client.BaseAddress = new Uri(serviceBaseUrl);
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
HttpResponseMessage response = await client.GetAsync("api/resource/3/");
Console.WriteLine(response.ToString());
if (response.IsSuccessStatusCode)
{
result = await response.Content.ReadAsAsync<ResourceType>();
}
}
if (result != null)
{
// Do something...
}
}
我不认为实际的端点是有关这个问题,作为HTTP请求从不它这一点(即使没有任何授权属性)。当我在本地运行的两个项目,控制台应用程序进行调用时是成功的。然而,当我在服务器上运行它,在控制台应用程序接收到一个401未经授权。我加了一些记录到我的Web API管线记录HttpContext.Current.User信息。
I don't think the actual endpoint is relevant to this question, as the Http Request never makes it to this point (even without any authorization attribute). When I run the two projects locally, the Console App is successful when making the call. However, when I run it on the server, the Console App receives a 401 unauthorized. I added some logging to my Web API pipeline to log the HttpContext.Current.User information.
protected void Application_BeginRequest()
{
var currentContext = HttpContext.Current;
ILogHelper _logger = new LogHelper("System");
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "BeginRequest System Principal Name: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "BeginRequest Is User Null? " + (currentContext.User == null? "YES":"NO"));
if (currentContext.User != null)
{
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "BeginRequest User: " + currentContext.User.Identity.Name);
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "BeginRequest User Authenticated: " + currentContext.User.Identity.IsAuthenticated.ToString());
}
}
protected void Application_AuthenticateRequest()
{
var currentContext = HttpContext.Current;
ILogHelper _logger = new LogHelper("System");
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthenticateRequest System Principal Name: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthenticateRequest Is User Null? " + (currentContext.User == null ? "YES" : "NO"));
if (currentContext.User != null)
{
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthenticateRequest User: " + currentContext.User.Identity.Name);
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthenticateRequest User Authenticated: " + currentContext.User.Identity.IsAuthenticated.ToString());
}
}
protected void Application_AuthorizeRequest()
{
var currentContext = HttpContext.Current;
ILogHelper _logger = new LogHelper("System");
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthorizeRequest System Principal Name: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthorizeRequest Is User Null? " + (currentContext.User == null ? "YES" : "NO"));
if (currentContext.User != null)
{
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthorizeRequest User: " + currentContext.User.Identity.Name);
_logger.LogLine(NLog.LogLevel.Info, LogHelper.Tier.Business, "AuthorizeRequest User Authenticated: " + currentContext.User.Identity.IsAuthenticated.ToString());
}
}
在本地运行,模拟用户记录在的AuthenticateRequest'和'的AuthorizeRequest。但是,当服务器上运行,用户是空全路通过管道。
When ran locally, the impersonated user is logged in the 'AuthenticateRequest' and 'AuthorizeRequest'. But, when ran on the server, the user is null the whole way through the pipeline.
我的Windows身份验证和模拟在IIS中启用(一切禁用)。我一直在为这40多个小时,觉得我还没有取得任何进展。这个问题的任何帮助将是巨大的!
I have Windows Authentication and Impersonation Enabled in IIS (everything else disabled). I have been working on this for 40+ hours and feel like I haven't made any progress. Any help with this issue would be huge!
推荐答案
此的 SO质疑,我决定了它,事实上,一个FQDN问题。 修复,我只是在我的web.config与本地主机/服务/改变了servername.com/service/基本URL。一旦我这样做,它准确无误地运行。我不喜欢使用localhost作为URL的想法,但我无法编辑服务器的注册表值,这样的修正由微软提供不会为我工作。
From this SO question, I determined that it is, in fact, a FQDN problem. To "fix", I just had to change out the "servername.com/service/" base URL in my Web.config with "localhost/service/". Once I did this, it ran flawlessly. I don't like the thought of using localhost as the URL, but I am unable to edit the server Registry values, so the fix provided by Microsoft wouldn't work for me.
此外,事实证明,我不需要模拟上启用我的Web API的网站在IIS。现在,我只启用了Windows身份验证。
Also, it turns out that I don't need Impersonation Enabled on my Web API site in IIS. Now, I only have Windows Authentication enabled.
这篇关于如何从控制台应用程序传递的Web API调用模拟用户使用Windows身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
