I believe that I have successfully impersonated my own user account while running an ASP.NET page on my local machine.
Using the method described here, I have successfully changed the WindowsIdentity.GetCurrent().Name from ASPNET to my domain account.
I can successfully write to a file on the file system that ONLY my account has permission to access. However when I try to delete a Performance Counter Category, I get Access Denied.
I have auditing on the branch of the registry and it's telling me that MyMachine\ASPNET is Failing at Object Access.
Here is the code it is failing on:
    if ( PerformanceCounterCategory.Exists ( PerfmonCategory ) )
        PerformanceCounterCategory.Delete ( PerfmonCategory );
It's failing on the Delete call.
(My account is admin and I can run the same code outside an ASP.NET context successfully).
I suspect that this System.Diagnostics namespace call is actually calling some COM process and somehow I am being bounced because of a 2nd hop. Can anyone confirm what might be going on?
Edit: The Exception: Access is denied Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details:
System.ComponentModel.Win32Exception: Access is denied
Running under full trust.
2 solutions
#1
You could run your application on its own application pool (always a good thing) and assign it a service user the appropriate rights, that way you don't need to mess with impersonation.
#2
You do indeed need to be an admin in order to add or remove performance counters.
I'm not sure why you'd want to use Win32 API calls to do your impersonation - it's been a while since I've messed with it, but I think all you need to do is use
WindowsIdentity.GetCurrent().Impersonate()
To be clear, you'll first need to authenticate in your web application using Windows authentication, and then you should be able to make the call to Impersonate().
为了清楚起见,您首先需要使用Windows身份验证在Web应用程序中进行身份验证,然后您应该能够调用Impersonate()。