ASP.NET Web应用程序无法使用多个模拟进行身份验证

时间:2021-07-21 08:10:05

I have a asp.net app (uses windows authentication for access) which (stipulated by the security team) needs to connect to a remote SQL Server 2005 using integrated security.Because of the fact that it is remote SQL server I needed to impersonate a custom account (impersonating the original caller would not work) via :

我有一个asp.net应用程序(使用Windows身份验证进行访问),它(由安全团队规定)需要使用集成安全性连接到远程SQL Server 2005.因为它是远程SQL服务器我需要冒充一个自定义帐户(模仿原始调用方无效)通过:

<identity impersonate = "true" userName="domainname\user" password="password" />

This workes fine. The rub is my app also connects to an SSRS server for reporting needs using the ReportViewer control. The report server is on a separate server and the security team mandates that all calls to this server must be using the original window's account for auditing purposes. It seems my only option was to to try and separate my app into folders and use a "location" tag in my web.config and use separate identity tags. Such as:

这很好。摩擦是我的应用程序还使用ReportViewer控件连接到SSRS服务器以报告需求。报表服务器位于单独的服务器上,安全团队要求对此服务器的所有调用必须使用原始窗口的帐户进行审计。似乎我唯一的选择是尝试将我的应用程序分成文件夹,并在我的web.config中使用“location”标记并使用单独的标识标记。如:

 <location path="Reporting">
    <system.web>
      <identity impersonate = "true"/>
    </system.web>
  </location>

Note: no username and password specified which means it should impersonate the original caller.

注意:没有指定用户名和密码,这意味着它应该模仿原始调用者。

However to make matters even more complicated my app is a Masterpage/content page app. The master page makes calls to SQL to populate menus and such. Bottom line is the dual impersonation track is not working. I am ready to throw my hands up and declare that that this can not be done. If there was a way where I could have the app impersonate the original caller which would satisfy my SSRS auditing needs yet make connections to SQL server as the custom domain account. I cannot use SQL authentication: not allowed although that would solve this issue.

然而,为了使问题更加复杂,我的应用程序是一个主页/内容页面应用程序。母版页调用SQL来填充菜单等。底线是双重模仿轨道不起作用。我准备好举起手来宣布这不可能做到。如果有一种方法我可以让应用模拟原始调用者,这将满足我的SSRS审核需求,但仍然连接到SQL服务器作为自定义域帐户。我不能使用SQL身份验证:不允许,虽然这可以解决这个问题。

2 个解决方案

#1


Have you tried the following setup:

您是否尝试过以下设置:

  1. Set impersonation to true. This is necessary for authentication into the application and for access to the SSRS to use current user logged in.

    将模拟设置为true。这对于在应用程序中进行身份验证以及访问SSRS以使用登录的当前用户是必需的。

  2. Use one connection string to SSRS that has Integrated Security set to true, so that the impersonated user passes straight through.

    将一个连接字符串用于集成安全性设置为true的SSRS,以便模拟的用户直接通过。

  3. Use a second connection string, with the custom user name and password hard coded into the connection string. You can encrypt the connection string section of the web.config so that it isn't visible to human eyes, but the framework will automatically decrypt this on the fly when creating a connection.

    使用第二个连接字符串,将自定义用户名和密码硬编码到连接字符串中。您可以加密web.config的连接字符串部分,以便人眼看不到它,但框架将在创建连接时自动解密。

I have a similar situation (need a specific account to retrieve specific data, but the general impersonation for the rest of the service functionality) and this setup is working.

我有类似的情况(需要一个特定的帐户来检索特定的数据,但一般模仿其余的服务功能)和这个设置是有效的。

EDIT: The general syntax for encrypting your web.config from the command prompt is:

编辑:从命令提示符加密web.config的一般语法是:

aspnet_regiis -pef "connectionStrings" [PhysicalPathToApplication] -prov "DataProtectionConfigurationProvider"

Encryption is done on a machine per machine basis, so the encryption will have to be done on the specific server. You can pull up more documentation on this if needed.

加密是在每台计算机的计算机上完成的,因此加密必须在特定服务器上完成。如果需要,您可以提供更多相关文档。

#2


You should be able to switch the impersonation on and off, so you can go back to using the default account running the site. I will have to check, it's been a while since I have done it.

您应该可以打开和关闭模拟,这样您就可以返回使用运行该站点的默认帐户。我将不得不检查,自从我完成它已经有一段时间了。

This looks like a start as to how to do it:

这看起来像是如何做到的开始:

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = 
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo();

Essentially you just impersonate the appropriate user for the calls you need, and then "undo" the context and turn it off. It goes back to the default user after that.

基本上,您只是模拟适当的用户进行所需的呼叫,然后“撤消”上下文并将其关闭。之后它会返回默认用户。

Here is a link to the windows identity class:

这是windows身份类的链接:

http://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx

#1


Have you tried the following setup:

您是否尝试过以下设置:

  1. Set impersonation to true. This is necessary for authentication into the application and for access to the SSRS to use current user logged in.

    将模拟设置为true。这对于在应用程序中进行身份验证以及访问SSRS以使用登录的当前用户是必需的。

  2. Use one connection string to SSRS that has Integrated Security set to true, so that the impersonated user passes straight through.

    将一个连接字符串用于集成安全性设置为true的SSRS,以便模拟的用户直接通过。

  3. Use a second connection string, with the custom user name and password hard coded into the connection string. You can encrypt the connection string section of the web.config so that it isn't visible to human eyes, but the framework will automatically decrypt this on the fly when creating a connection.

    使用第二个连接字符串,将自定义用户名和密码硬编码到连接字符串中。您可以加密web.config的连接字符串部分,以便人眼看不到它,但框架将在创建连接时自动解密。

I have a similar situation (need a specific account to retrieve specific data, but the general impersonation for the rest of the service functionality) and this setup is working.

我有类似的情况(需要一个特定的帐户来检索特定的数据,但一般模仿其余的服务功能)和这个设置是有效的。

EDIT: The general syntax for encrypting your web.config from the command prompt is:

编辑:从命令提示符加密web.config的一般语法是:

aspnet_regiis -pef "connectionStrings" [PhysicalPathToApplication] -prov "DataProtectionConfigurationProvider"

Encryption is done on a machine per machine basis, so the encryption will have to be done on the specific server. You can pull up more documentation on this if needed.

加密是在每台计算机的计算机上完成的,因此加密必须在特定服务器上完成。如果需要,您可以提供更多相关文档。

#2


You should be able to switch the impersonation on and off, so you can go back to using the default account running the site. I will have to check, it's been a while since I have done it.

您应该可以打开和关闭模拟,这样您就可以返回使用运行该站点的默认帐户。我将不得不检查,自从我完成它已经有一段时间了。

This looks like a start as to how to do it:

这看起来像是如何做到的开始:

System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = 
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

//Insert your code that runs under the security context of the authenticating user here.

impersonationContext.Undo();

Essentially you just impersonate the appropriate user for the calls you need, and then "undo" the context and turn it off. It goes back to the default user after that.

基本上,您只是模拟适当的用户进行所需的呼叫,然后“撤消”上下文并将其关闭。之后它会返回默认用户。

Here is a link to the windows identity class:

这是windows身份类的链接:

http://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx