Our organization has web applications that are mostly used internally by users who have Active Directory accounts. Currently, each of our application runs under its own AD account. We grant access to the application AD accounts on the database side for data access.
我们的组织拥有的Web应用程序主要由拥有Active Directory帐户的用户在内部使用。目前,我们的每个应用程序都在自己的AD帐户下运行。我们授予对数据库端应用程序AD帐户的访问权限以进行数据访问。
Our DBA wants to move away from this for auditing reasons. He wants each data request that comes from the application to come with the logged in user's AD credentials, rather than the application's AD credentials. I understand this is something that is accomplished using impersonation. Is this a recommended practice? What are the benefits and the downsides? Is there a better way of doing this?
出于审计原因,我们的DBA希望摆脱这种情况。他希望来自应用程序的每个数据请求都带有登录用户的AD凭证,而不是应用程序的AD凭据。我理解这是使用模仿完成的事情。这是推荐的做法吗?有什么好处和缺点?有更好的方法吗?
Thanks.
谢谢。
1 个解决方案
#1
1
You add the following to your web.config:
您将以下内容添加到web.config:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
The web server will "impersonate the authenticated user" and your DBA will see the user's network id. You can also use the configuration file to impersonate a specific user:
Web服务器将“模拟经过身份验证的用户”,您的DBA将看到用户的网络ID。您还可以使用配置文件来模拟特定用户:
<identity impersonate="true" userName="user" password="pwd" />
but that is not what your DBA is looking for in this case.
但在这种情况下,这不是您的DBA所期待的。
Yes, "impersonation" may sound odd, but this is a perfectly standard way of authenticating web application users on your internal network. You will have to make sure that each of your users has the necessary folder permissions, etc, to do everything they need to do, since the web server is now doing these things in their name, not in the name of a general application user. You will hear about these permissions issues pretty quickly when users try to do things they used to be able to do, and get access denied instead. But once they each have been given the necessary permissions it will be okay.
是的,“模仿”可能听起来很奇怪,但这是在内部网络上验证Web应用程序用户的完美标准方法。您必须确保每个用户都具有必要的文件夹权限等,以执行他们需要执行的所有操作,因为Web服务器现在以其名称执行这些操作,而不是以常规应用程序用户的名义执行。当用户尝试执行以前可以执行的操作时,您会很快听到有关这些权限问题的信息,并获得拒绝访问权限。但是一旦他们每个人都获得了必要的许可,那就没关系。
#1
1
You add the following to your web.config:
您将以下内容添加到web.config:
<configuration>
<system.web>
<identity impersonate="true"/>
</system.web>
</configuration>
The web server will "impersonate the authenticated user" and your DBA will see the user's network id. You can also use the configuration file to impersonate a specific user:
Web服务器将“模拟经过身份验证的用户”,您的DBA将看到用户的网络ID。您还可以使用配置文件来模拟特定用户:
<identity impersonate="true" userName="user" password="pwd" />
but that is not what your DBA is looking for in this case.
但在这种情况下,这不是您的DBA所期待的。
Yes, "impersonation" may sound odd, but this is a perfectly standard way of authenticating web application users on your internal network. You will have to make sure that each of your users has the necessary folder permissions, etc, to do everything they need to do, since the web server is now doing these things in their name, not in the name of a general application user. You will hear about these permissions issues pretty quickly when users try to do things they used to be able to do, and get access denied instead. But once they each have been given the necessary permissions it will be okay.
是的,“模仿”可能听起来很奇怪,但这是在内部网络上验证Web应用程序用户的完美标准方法。您必须确保每个用户都具有必要的文件夹权限等,以执行他们需要执行的所有操作,因为Web服务器现在以其名称执行这些操作,而不是以常规应用程序用户的名义执行。当用户尝试执行以前可以执行的操作时,您会很快听到有关这些权限问题的信息,并获得拒绝访问权限。但是一旦他们每个人都获得了必要的许可,那就没关系。