code:
System.Security.Principal.WindowsImpersonationContext impersonationContext =
    ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
try
{
    // access network resources.
}
finally
{
    impersonationContext.Undo(); // always revert, even if the network access throws
}
web.config:
<authentication mode="Windows">
</authentication>
<identity impersonate="true"
          userName="user"
          password="password"></identity>
As is clear from the web.config file, the app runs in impersonated mode. I need to impersonate temporarily on top of that to access a network resource. I do that as shown above.
This works fine on the server if I browse to the website in the local IE installed on the server, but when I access the app from my PC or any other PC, I get an access denied.
Btw, this is all within an enterprise domain environment, so IE in both cases is passing a valid authenticated token.
Any ideas what is going on? Thanks.
1 solution
#1
3
You need to make sure the server will delegate the impersonated security contexts in your application to another server (the network resource you mentioned).
I'm pretty sure it works while you're logged onto your server because it is using the security context of you being logged in directly, and not the impersonated context that exists in the application.
I can't remember specifics on configuration but I do know it is referred to as delegation or "Kerberos Double Hop". "Constrained Delegation" is when you configure such that only one type of delegation is allowed. I.e., your app is only allowed to delegate security contexts when talking to Active Directory (port xyz) on this other specific server - otherwise not.
See Understanding Kerberos Double Hop
See DelegConfig - it is helpful in configuring delegation.
Also see: TechNet Article
And: this other article
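The delegation setup the answer describes, as an added PowerShell check and configuration that is not part of the original question or answer: it reports how the application's service account is currently allowed to delegate and constrains it to one target service. It assumes the RSAT ActiveDirectory module is installed; the account name, host name and SPN are placeholders.

```powershell
# Added example (not from the original post). Inspect and constrain Kerberos
# delegation for the account the ASP.NET app runs as (the app pool identity or
# the <identity> userName), so the impersonated caller token can reach the
# file server as a second hop. All names below are placeholders.
Import-Module ActiveDirectory

$AppAccount = 'svc-webapp'               # placeholder: account the app runs as
$TargetHost = 'fileserver.corp.example'  # placeholder: the "network resource"
$TargetSpn  = "cifs/$TargetHost"         # the only service delegation is allowed to

$acct = Get-ADUser -Identity $AppAccount -Properties TrustedForDelegation,
    TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, ServicePrincipalName

# 1. Report the current delegation posture. Unconstrained delegation lets the
#    account forward any caller's TGT to any service, so flag it.
if ($acct.TrustedForDelegation) {
    Write-Warning "$AppAccount is trusted for UNCONSTRAINED delegation; prefer constrained."
}
Write-Host "Allowed to delegate to:" ($acct.'msDS-AllowedToDelegateTo' -join ', ')
Write-Host "Registered SPNs:       " ($acct.ServicePrincipalName -join ', ')

# The first hop must itself be Kerberos: the account needs an HTTP/<site> SPN,
# otherwise the browser falls back to NTLM and there is no ticket to delegate.
if (-not ($acct.ServicePrincipalName -match '^HTTP/')) {
    Write-Warning "$AppAccount has no HTTP/ SPN; clients will negotiate NTLM, not Kerberos."
}

# 2. Constrain delegation to exactly the target service (the "specific server"
#    in the answer). -Add appends to the multi-valued attribute.
if ($acct.'msDS-AllowedToDelegateTo' -notcontains $TargetSpn) {
    Set-ADUser -Identity $AppAccount -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

# 3. Turn unconstrained delegation off so the constraint actually applies.
if ($acct.TrustedForDelegation) {
    Set-ADAccountControl -Identity $AppAccount -TrustedForDelegation $false
}

# 4. Verify the result.
Get-ADUser -Identity $AppAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' } }
```

Run it as a domain administrator; changing the delegation attributes requires write access to the account object.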