Impersonation and Delegation in ASP.NET

Time: 2021-09-17 08:10:36

I'm having problems accessing a text file on a remote server with ASP.NET. The ASP.NET 1.1 application is running on Server 2003 using Impersonation with the requester's Windows Credentials. The client, webserver, and remote server are all on the same domain, and the user has permission to access the text file. The user can open the text file from their machine over a UNC share. When the user runs the site logged in directly on the server it works fine. However, when the user tries on their machine, it does not work. How should Impersonation be set up for this to work?


EDIT: Other features of the app work fine; it's just accessing the remote file that doesn't work.


3 solutions

#1


It sounds like you're running into the multi-hop problem. When you use integrated authentication, you can authenticate from your browser to IIS. But, you can't authenticate to any other machines on the domain. The reason is that with standard credentials, they can't verify who you are.



There are 2 primary workarounds that I'm familiar with:

  1. Implement Kerberos; these certificates allow you to do a more advanced authentication, and allow for multiple-network hops.
  2. Re-impersonate your user using the LogonUser win32 api (requires a password).
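The second workaround, re-impersonating with LogonUser before touching the UNC path, as an added example in C# for .NET Framework 1.1 that is not part of the original answer. It assumes placeholder values for domain, user, password and uncPath, and uses the NEW_CREDENTIALS logon type so the supplied password is used only for outbound network authentication and the account needs no local logon right on the web server.

```csharp
// Added example (not from the original answer): re-impersonate with LogonUser so
// the second hop (web server -> file server) carries a token the file server
// can verify. Assumes Windows / .NET Framework 1.1; all values are placeholders.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class RemoteFileReader
{
    // Token is a clone of the caller's local identity; the new credentials are
    // used only for outbound network connections.
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    const int LOGON32_PROVIDER_WINNT50 = 3;   // required with NEW_CREDENTIALS

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Reads a remote text file while impersonating the supplied account.
    public static string ReadAs(string domain, string user, string password, string uncPath)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext ctx = null;
        try
        {
            // Everything in this block runs with the new token's network identity.
            ctx = new WindowsIdentity(token).Impersonate();
            using (StreamReader reader = new StreamReader(uncPath))
                return reader.ReadToEnd();
        }
        finally
        {
            if (ctx != null) ctx.Undo();   // always revert to the request identity
            CloseHandle(token);            // never leak the token handle
        }
    }
}
```

The password still has to reach the application, which is the drawback the answer points out; if it is stored rather than supplied per request, keep it out of plain-text web.config and prefer the Kerberos delegation route where the environment allows it.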

#2


In IIS, Anonymous and Basic authentication both need to be unchecked at a minimum on the application folders. You might want to check the application folder itself instead of just the root folders. There may be other configuration options, but this is the "low hanging fruit" option.


#3


As a test, specify a username and password in the impersonation tag to force the application to always impersonate as a user you know has access to the file.


If the application can now access the text file, you will know it is the transfer of the user's credentials to the server.


If the application STILL can't access the text file, the credentials are not the problem and there's a server configuration issue.

