I trying to get the current WindowsIdentity from a caller of an ASP.Net Application without impersonation.
我试图从ASP.Net应用程序的调用者那里获取当前的WindowsIdentity而不进行模拟。
After reading some articles my setup is:
阅读一些文章后,我的设置是:
- In my IIS I have enabled the Windows Authentication in the Authentication Settings
- At my web.conf I set the authentication mode to "Windows"
在我的IIS中,我在身份验证设置中启用了Windows身份验证
在我的web.conf中,我将身份验证模式设置为“Windows”
For testing purposes, I wrote the following log statements
出于测试目的,我编写了以下日志语句
m_techLogger.Warn(string.Format("Request[LOGON_USER] {0}", Request["LOGON_USER"]));
m_techLogger.Warn(string.Format("Request.LogonUserIdentity {0}", Request.LogonUserIdentity.Name));
m_techLogger.Warn(string.Format("HttpContext.Current.User.Identity {0}", HttpContext.Current.User.Identity.Name));
m_techLogger.Warn(string.Format("WindowsIdentity.GetCurrent() {0}", WindowsIdentity.GetCurrent().Name));
This statements returned the following
这些陈述返回以下内容
2015-04-23 10:47:19,628 [7] WARN - Request[LOGON_USER] DOMAIN\User
2015-04-23 10:47:19,681 [7] WARN - Request.LogonUserIdentity NT AUTHORITY\SYSTEM
2015-04-23 10:47:19,681 [7] WARN - HttpContext.Current.User.Identity NT AUTHORITY\SYSTEM
2015-04-23 10:47:19,681 [7] WARN - WindowsIdentity.GetCurrent() NT AUTHORITY\SYSTEM
I understand that WindowsIdentity.GetCurrent().Name returns the System User. I do not understand why the output from Request.LogonUserIdentity and Request[LOGON_USER] are different. I need the WindowsIdentity Object from the User with the name that returned by Request[LOGON_USER].
我知道WindowsIdentity.GetCurrent()。Name返回系统用户。我不明白为什么Request.LogonUserIdentity和Request [LOGON_USER]的输出不同。我需要来自User的WindowsIdentity对象,其名称由Request [LOGON_USER]返回。
Can anybody point me in the right direction?
任何人都能指出我正确的方向吗?
4 个解决方案
#1
1
When I try the same I get
当我尝试同样的时候,我得到了
Request.LogonUserIdentity.Name "DOMAIN\\accountname" (no capital letter)
Request["LOGON_USER"] "DOMAIN\\Accountname" (capital letters)
To get the current user in our asp.net application, I user this line of code
为了在我们的asp.net应用程序中获取当前用户,我使用了这行代码
User.Identity.Name
Does this help in any way?
这有什么用?
#2
1
Request["LOGON_USER"] is only the authentication header that the client has sent to the server. Which means it is the login name of the client sending a request to your server. This login name will not be verified against the Active Directory unless you activate the impersonation. More info here: https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx
Request [“LOGON_USER”]仅是客户端发送到服务器的身份验证标头。这意味着它是向您的服务器发送请求的客户端的登录名。除非您激活模拟,否则不会针对Active Directory验证此登录名。更多信息:https://msdn.microsoft.com/en-us/library/ms524602(v = vs。90).aspx
Now without using impersonation you are therefore stuck. You can check the user in the Request["LOGON_USER"] against your AD on your server. But I do not recommend you doing that. Because a hostile client could just send any username in that field and get logged on your server if that user exists.
现在没有使用模仿你就被卡住了。您可以在服务器上针对AD的请求[“LOGON_USER”]中检查用户。但我不建议你这样做。因为恶意客户端只能在该字段中发送任何用户名,并且如果该用户存在则会在您的服务器上登录。
The correct way of doing this is to enable impersonation and you use an AD group to allow the users to do what your service is now doing and you activate that by just adding this to your IIS config
这样做的正确方法是启用模拟,并使用AD组允许用户执行您的服务正在执行的操作,并通过将其添加到IIS配置来激活它
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
But if you really can’t use impersonation you can hack yourself out of this by impersonate a service account using the Win32 API. If you want to do that yourself here is the examples from Microsoft https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx and https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx
但是,如果你真的不能使用模拟,你可以通过使用Win32 API模拟服务帐户来解决这个问题。如果您想自己这样做,请参阅Microsoft https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx和https://msdn.microsoft.com/en-us/library/system上的示例。 .security.principal.windowsidentity.aspx
Or you can find a good wrapper here: How do you do Impersonation in .NET?
或者你可以在这里找到一个好的包装:你如何在.NET中进行模拟?
And using it is as easy as this:
使用它就像这样简单:
using (new Impersonation(domain, username, password))
{
// probably connecting to some bad 3rd party stuff that needs a very specific access.
}
Now without knowing more about your actual reason for doing this I hope this will help you further along the road and only do this if it’s absolutely necessary
现在不知道更多关于你这样做的实际原因我希望这将有助于你在路上继续前进,只有在绝对必要时才这样做
#3
1
System.Web.HttpContext.Current.User.Identity.Name
Gets or sets security information for the current HTTP request. (The Name of the Logged in user on your Website)
获取或设置当前HTTP请求的安全信息。 (您网站上登录用户的名称)
Request.ServerVariables
Gets a collection of Web server variables.
获取Web服务器变量的集合。
The Request property provides programmatic access to the properties and methods of the HttpRequest class. Because ASP.NET pages contain a default reference to the System.Web namespace (which contains the HttpContext class), you can reference the members of HttpRequest on an .aspx page without using the fully qualified class reference to HttpContext.
Request属性提供对HttpRequest类的属性和方法的编程访问。因为ASP.NET页面包含对System.Web命名空间(包含HttpContext类)的默认引用,所以您可以在.aspx页面上引用HttpRequest的成员,而不使用对HttpContext的完全限定类引用。
Conclussion Both work to the same, but, whith Request.ServerVariables
you can iterate for whole the collections dynamically.
Conclussion两者的工作方式相同,但是,对于Request.ServerVariables,您可以动态地迭代整个集合。
For example:
int loop1, loop2;
NameValueCollection coll;
// Load ServerVariable collection into NameValueCollection object.
coll=Request.ServerVariables;
// Get names of all keys into a string array.
String[] arr1 = coll.AllKeys;
for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
Response.Write("Key: " + arr1[loop1] + "<br>");
String[] arr2=coll.GetValues(arr1[loop1]);
for (loop2 = 0; loop2 < arr2.Length; loop2++) {
Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
}
}
#4
1
Have your tried to user
你试过用户了吗?
User.Identity.Name
assuming you are after Windows users, as you have mentioned. What output it gives?
假设你是在Windows用户之后,正如你所提到的那样。它给出了什么输出?
Also, does your config file has these settings:
此外,您的配置文件是否具有以下设置:
<authentication mode="Windows"/>
<identity impersonate="true"/>
#1
1
When I try the same I get
当我尝试同样的时候,我得到了
Request.LogonUserIdentity.Name "DOMAIN\\accountname" (no capital letter)
Request["LOGON_USER"] "DOMAIN\\Accountname" (capital letters)
To get the current user in our asp.net application, I user this line of code
为了在我们的asp.net应用程序中获取当前用户,我使用了这行代码
User.Identity.Name
Does this help in any way?
这有什么用?
#2
1
Request["LOGON_USER"] is only the authentication header that the client has sent to the server. Which means it is the login name of the client sending a request to your server. This login name will not be verified against the Active Directory unless you activate the impersonation. More info here: https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx
Request [“LOGON_USER”]仅是客户端发送到服务器的身份验证标头。这意味着它是向您的服务器发送请求的客户端的登录名。除非您激活模拟,否则不会针对Active Directory验证此登录名。更多信息:https://msdn.microsoft.com/en-us/library/ms524602(v = vs。90).aspx
Now without using impersonation you are therefore stuck. You can check the user in the Request["LOGON_USER"] against your AD on your server. But I do not recommend you doing that. Because a hostile client could just send any username in that field and get logged on your server if that user exists.
现在没有使用模仿你就被卡住了。您可以在服务器上针对AD的请求[“LOGON_USER”]中检查用户。但我不建议你这样做。因为恶意客户端只能在该字段中发送任何用户名,并且如果该用户存在则会在您的服务器上登录。
The correct way of doing this is to enable impersonation and you use an AD group to allow the users to do what your service is now doing and you activate that by just adding this to your IIS config
这样做的正确方法是启用模拟,并使用AD组允许用户执行您的服务正在执行的操作,并通过将其添加到IIS配置来激活它
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
But if you really can’t use impersonation you can hack yourself out of this by impersonate a service account using the Win32 API. If you want to do that yourself here is the examples from Microsoft https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx and https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx
但是,如果你真的不能使用模拟,你可以通过使用Win32 API模拟服务帐户来解决这个问题。如果您想自己这样做,请参阅Microsoft https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx和https://msdn.microsoft.com/en-us/library/system上的示例。 .security.principal.windowsidentity.aspx
Or you can find a good wrapper here: How do you do Impersonation in .NET?
或者你可以在这里找到一个好的包装:你如何在.NET中进行模拟?
And using it is as easy as this:
使用它就像这样简单:
using (new Impersonation(domain, username, password))
{
// probably connecting to some bad 3rd party stuff that needs a very specific access.
}
Now without knowing more about your actual reason for doing this I hope this will help you further along the road and only do this if it’s absolutely necessary
现在不知道更多关于你这样做的实际原因我希望这将有助于你在路上继续前进,只有在绝对必要时才这样做
#3
1
System.Web.HttpContext.Current.User.Identity.Name
Gets or sets security information for the current HTTP request. (The Name of the Logged in user on your Website)
获取或设置当前HTTP请求的安全信息。 (您网站上登录用户的名称)
Request.ServerVariables
Gets a collection of Web server variables.
获取Web服务器变量的集合。
The Request property provides programmatic access to the properties and methods of the HttpRequest class. Because ASP.NET pages contain a default reference to the System.Web namespace (which contains the HttpContext class), you can reference the members of HttpRequest on an .aspx page without using the fully qualified class reference to HttpContext.
Request属性提供对HttpRequest类的属性和方法的编程访问。因为ASP.NET页面包含对System.Web命名空间(包含HttpContext类)的默认引用,所以您可以在.aspx页面上引用HttpRequest的成员,而不使用对HttpContext的完全限定类引用。
Conclussion Both work to the same, but, whith Request.ServerVariables
you can iterate for whole the collections dynamically.
Conclussion两者的工作方式相同,但是,对于Request.ServerVariables,您可以动态地迭代整个集合。
For example:
int loop1, loop2;
NameValueCollection coll;
// Load ServerVariable collection into NameValueCollection object.
coll=Request.ServerVariables;
// Get names of all keys into a string array.
String[] arr1 = coll.AllKeys;
for (loop1 = 0; loop1 < arr1.Length; loop1++)
{
Response.Write("Key: " + arr1[loop1] + "<br>");
String[] arr2=coll.GetValues(arr1[loop1]);
for (loop2 = 0; loop2 < arr2.Length; loop2++) {
Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
}
}
#4
1
Have your tried to user
你试过用户了吗?
User.Identity.Name
assuming you are after Windows users, as you have mentioned. What output it gives?
假设你是在Windows用户之后,正如你所提到的那样。它给出了什么输出?
Also, does your config file has these settings:
此外,您的配置文件是否具有以下设置:
<authentication mode="Windows"/>
<identity impersonate="true"/>