ASP.NET Impersonation Problem (Part 2)

Time: 2022-12-23 08:10:01

This is a follow on to a previous post about being unable to impersonate a currently logged in Windows user. There were many good suggestions, but the previous thread was getting messy, so I am resetting with this post. Hopefully with the current state documented below it will be obvious what the issue is. This is a well worn path, so I have to believe all I am missing is a little configuration step.

PROBLEM: I need to have ASP.NET impersonate the currently logged in user. When I run under IIS 7.5, it doesn't work. IIS Express works fine, but I believe that is because the debugging session is running under my user id.

I am using Environment.UserName to determine who this user is. There was a suggestion that this property always returns the logged in user name, but from my testing it returns the impersonated user from IIS.

For example, if my web.config has…

    <identity impersonate="true" />

When I run under IIS 7.5 with that setting, Environment.UserName returns IUSR. I believe this is the IIS anonymous user account.

If I change web.config to…

    <identity impersonate="true" userName="domain\jlivermore" password="mypassword" />

… then Environment.UserName returns jlivermore. However, I need it to return jlivermore without me explicitly setting it in web.config.

Here are my IIS settings…

.NET Authorization Rules

Authentication

One question, if I disable Anonymous Authentication, then I am prompted to login to the site. I thought if you were logged in with an Active Directory account on a domain then this challenge wouldn't appear? Even if I enter my username/password into this prompt, I still don't get the impersonation to work.

Basic Settings

3 solutions

#1


2  

I'm not sure if you've found an answer, but if anyone is having problems with it you will need the following in your web.config file

    <authentication mode="Windows"/>
    <identity impersonate="true"/>

And in IIS you will need ASP.NET Impersonation enabled as well as Windows Authentication enabled; the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK Enable Kernel-mode authentication. That should do it. Your site should now be set for Local Intranet apps, and using any of the following will work:

    System.Security.Principal.WindowsIdentity.GetCurrent().Name
    HttpContext.Current.User.Identity.Name
    System.Threading.Thread.CurrentPrincipal.Identity.Name

But using Environment.UserName will only return the server name. Hopefully this helps anyone struggling with this.

#2


1  

I had a similar problem as you describe. The basic crux of the matter is that there is a difference between impersonation and delegation. My simple understanding of this is that impersonation will work when the client and server are on the same machine. If however, the client is on a different machine, you need delegation.

MSDN Reference

What is the difference between impersonation and delegation?

Impersonation flows the original caller's identity to back-end resources on the same computer. Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.

Related SO questions

#3


0  

Have you tried using

HttpContext.Current.User.Identity.Name ?
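
Added example, not part of the thread or of any answer above: a small diagnostic handler that prints every identity the question and answers mention side by side, so you can see which one IIS authenticated, which token the code actually runs under, and whether that token is usable off-box (impersonation versus delegation). The handler name `WhoAmI` is hypothetical.

```csharp
// Added diagnostic example. Place under this directive in a file named WhoAmI.ashx
// (hypothetical name) in the site being debugged:
//   <%@ WebHandler Language="C#" Class="WhoAmI" %>
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class WhoAmI : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse r = context.Response;
        r.ContentType = "text/plain";

        // Who IIS authenticated for this request (empty or IUSR-backed when
        // Anonymous Authentication is enabled and wins the negotiation).
        IIdentity user = context.User != null ? context.User.Identity : null;
        IPrincipal tp = Thread.CurrentPrincipal;
        r.Write("HttpContext.User        : " + Describe(user) + "\n");
        r.Write("Thread.CurrentPrincipal : " + Describe(tp != null ? tp.Identity : null) + "\n");

        // The Windows token this code is executing under right now.
        // Level None = process token (no impersonation); Impersonation = local
        // resources only; Delegation = may be presented to other machines.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            r.Write("WindowsIdentity current : " + current.Name
                + " (level=" + current.ImpersonationLevel + ")\n");
        }

        // GetCurrent(true) returns null when the thread is NOT impersonating,
        // i.e. the request is running as the application pool identity.
        using (WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true))
        {
            r.Write("Thread is impersonating : " + (threadToken != null) + "\n");
        }

        r.Write("Environment.UserName    : " + Environment.UserName + "\n");
    }

    private static string Describe(IIdentity id)
    {
        if (id == null || !id.IsAuthenticated) return "(not authenticated)";
        return id.Name + " via " + id.AuthenticationType;
    }
}
```

Request the handler once from the server itself and once from another domain-joined machine and compare the output. Remove it when you are done, since it discloses account names to anyone who can reach the URL.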
