I have an MVC web application that is supposed to allow users to download files that are stored as UNC paths in a database. These files can be in any number of locations on remote servers/shares.
我有一个MVC Web应用程序,它应该允许用户下载在数据库中存储为UNC路径的文件。这些文件可以位于远程服务器/共享上的任意位置。
E.g. Server 1 hosts the web application that is used to download a file stored on Server 2
例如。服务器1托管用于下载存储在服务器2上的文件的Web应用程序
I do not want to give permissions to these folders to the hosting service account, as the security should be dependent on what the user has access to. Therefore, I'm attempting to use Impersonation to retrieve the file.
我不想将这些文件夹的权限授予托管服务帐户,因为安全性应取决于用户有权访问的内容。因此,我正在尝试使用Impersonation来检索文件。
When I debug on my local machine, everything works great. It impersonates my user and downloads the file.
当我在我的本地机器上调试时,一切都很好。它冒充我的用户并下载文件。
When I deploy to my test server, I'm getting the following error:
当我部署到我的测试服务器时,我收到以下错误:
Access to the path '\\Server2\SharedFolder\somefile.txt' is denied
访问路径'\\ Server2 \ SharedFolder \ somefile.txt'被拒绝
I've tried various pieces from this Microsoft link, but am not having much luck.
我尝试过这个微软链接中的各种各样的部分,但是没有太多运气。
Scenarios I've tried:
我尝试过的场景:
- Just giving the permission to the service account of the AppPool works fine, but as I said, isn't ideal
- Implementing the Impersonate a Specific User in Code from the above article, which works perfectly with a hard-coded user and password. This situation is also not ideal.
- Implementing the Impersonate the Authenticating User in Code from the above article. This seems to be exactly what I need, but this is what generates the
Access Denied
error.
只是给AppPool的服务帐户许可工作正常,但正如我所说,并不理想
从上面的文章实现模拟代码中的特定用户,它与硬编码的用户和密码完美配合。这种情况也不理想。
从上面的文章实现模拟代码中的身份验证用户。这似乎正是我所需要的,但这就是生成Access Denied错误的原因。
The Code that I want to work:
我想要的代码:
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//Code to read all bytes from the file path
impersonationContext.Undo();
I have logging, and System.Security.Principal.WindowsIdentity.GetCurrent().Name
after the impersonation does return the intended user (my account instead of the service account), so it does appear to be working.
我有日志记录和System.Security.Principal.WindowsIdentity.GetCurrent()。模拟后的名称确实返回了目标用户(我的帐户而不是服务帐户),所以它看起来确实有效。
I thought maybe it was a double-hop thing, so I have also added SPNs for the server and the service account, making sure their Delegation in AD was set to allow for any service. That hasn't helped either.
我想也许这是一个双跳的东西,所以我还为服务器和服务帐户添加了SPN,确保他们在AD中的委派被设置为允许任何服务。这也没有帮助。
This question seems to have the exact same problem as me, but there's no follow-up on what the final solution was. I did try the Process Monitor part, but it didn't help at all.
这个问题似乎与我有完全相同的问题,但没有对最终解决方案的后续跟进。我确实尝试过Process Monitor部分,但它根本没用。
I'm at a loss to why Impersonation seems to be working, but I'm denied access to a file on a second server.
我不知道为什么模拟似乎有效,但我拒绝访问第二台服务器上的文件。
Update 1 I've played around more with my IIS settings and trying to get Kerberos properly set up. The only thing enabled in my IIS Authentication is "Windows Authentication".
更新1我使用我的IIS设置玩了更多,并尝试正确设置Kerberos。我的IIS身份验证中唯一启用的是“Windows身份验证”。
When I spit out details after my Impersonate()
call, I'm finding that ImpersonationLevel = Impersonation
当我在Impersonate()调用后吐出细节时,我发现ImpersonationLevel = Impersonation
Is that how it should be, or should that be returning Delegation
?
是应该如何,或者应该返回代表团?
1 个解决方案
#1
0
It would seem the issue was mostly due to my setup with Kerberos and SPNs. I undid all my settings and re-registered my service account, and the Impersonation ended up working properly.
这似乎问题主要是由于我使用Kerberos和SPN设置。我解除了所有设置并重新注册了我的服务帐户,模拟最终正常运行。
The issue now is that it only seems to work with Internet Explorer. Chrome and MobileIron are doing something different that prevents the ImpersonationLevel of Delegation. That's a whole other question...
现在的问题是它似乎只适用于Internet Explorer。 Chrome和MobileIron正在采取不同的措施来阻止委派的ImpersonationLevel。那是另一个问题......
#1
0
It would seem the issue was mostly due to my setup with Kerberos and SPNs. I undid all my settings and re-registered my service account, and the Impersonation ended up working properly.
这似乎问题主要是由于我使用Kerberos和SPN设置。我解除了所有设置并重新注册了我的服务帐户,模拟最终正常运行。
The issue now is that it only seems to work with Internet Explorer. Chrome and MobileIron are doing something different that prevents the ImpersonationLevel of Delegation. That's a whole other question...
现在的问题是它似乎只适用于Internet Explorer。 Chrome和MobileIron正在采取不同的措施来阻止委派的ImpersonationLevel。那是另一个问题......