I am working on an ASP.NET page in which we, in code, impersonate the requesting user. We are using the following code to start impersonating.
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
currentWindowsIdentity = CType(User.Identity, System.Security.Principal.WindowsIdentity)
impersonationContext = currentWindowsIdentity.Impersonate()
After this we have validated that the application is running under the proper context by calling:
System.Security.Principal.WindowsIdentity.GetCurrent().Name
This returns the proper identity of the user, and file access and other items appear to be using their account. However, when using the Microsoft Application Data Application Block SqlHelper class to call out to a database using a trusted connection, authentication fails for the "NT AUTHORITY\ANONYMOUS LOGON" user.
We can re-validate after the failure that the current identity is still our desired account and NOT the ANONYMOUS LOGIN account.
Does anyone have an idea why this is? Or more specifically how we can get around it?
Edit: Some additional information about how the calls from these pages work.
We do the impersonate call from the .aspx page.
After we impersonate, we call out to a "business logic" assembly that is referenced.
We know that the context identity is still correct here.
After that, the "business logic" assembly calls another assembly that actually executes the trusted connection call. We cannot modify this "data access" assembly; the authentication exception is reported by this assembly as well.
2 solutions
#1
I think @John Sonmez is right, you're hitting the Double Hop issue. Impersonation is only half of the story, you also need to look at Delegation (assuming your network is using Kerberos authentication). The articles below were the most useful in helping me through the same issue.
Impersonation and Delegation
#2
I know that I've used impersonation in ASP.NET before (using C# and accessing the filesystem) and I was wondering if you had tried wrapping the logic that includes currentWindowsIdentity.Impersonate() with a 'Using / End Using' (to explicitly define the security context for a block of code).
So, it would look like this:
Using impersonationContext = currentWindowsIdentity.Impersonate()
' Logic here
End Using
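The two answers together explain the failure: the Using block keeps the impersonated context scoped and always undone, but the second hop to SQL Server only works when the impersonated token is a Kerberos token at the Delegation level; an NTLM token, or a Kerberos token that the server is not trusted to delegate, is presented to SQL Server as NT AUTHORITY\ANONYMOUS LOGON. The following VB.NET diagnostic is an added example written for this page, not code from the question or from either answer. It assumes .NET Framework 4.0 or later (for WindowsIdentity.ImpersonationLevel) and that it is called from an ASP.NET page with Windows authentication enabled; the module and function names are hypothetical.

```vbnet
' Added example (not from the question or answers): inspect the impersonated
' token before handing off to the data-access assembly, so a double-hop failure
' can be diagnosed from the token itself instead of from the SQL login error.
Imports System
Imports System.Security.Principal
Imports System.Text

Public Module ImpersonationDiagnostics

    ' Describes whether the given token can survive a second network hop.
    ' Assumes .NET Framework 4.0+ (WindowsIdentity.ImpersonationLevel).
    Public Function DescribeToken(identity As WindowsIdentity) As String
        Dim sb As New StringBuilder()
        sb.AppendLine("Name: " & identity.Name)
        sb.AppendLine("AuthenticationType: " & identity.AuthenticationType)
        sb.AppendLine("ImpersonationLevel: " & identity.ImpersonationLevel.ToString())

        If Not String.Equals(identity.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase) Then
            ' NTLM (or another package) never carries the user's credentials to a
            ' third machine: SQL Server will see the connection as ANONYMOUS LOGON.
            sb.AppendLine("Not a Kerberos token: credentials cannot be forwarded; expect ANONYMOUS LOGON on the second hop.")
        ElseIf identity.ImpersonationLevel <> TokenImpersonationLevel.Delegation Then
            ' Kerberos was used, but the web server / app-pool account is not trusted
            ' for delegation to the SQL Server service, so the ticket stops here.
            sb.AppendLine("Kerberos token below Delegation level: delegation is not configured for this server or service account.")
        Else
            sb.AppendLine("Kerberos token at Delegation level: the second hop should authenticate as this user.")
        End If
        Return sb.ToString()
    End Function

    ' Runs work() under the impersonated identity and always undoes the
    ' impersonation afterwards, even if work() throws (the Using pattern from
    ' the second answer, lifted into a reusable helper).
    Public Function RunImpersonated(Of T)(user As WindowsIdentity, work As Func(Of T)) As T
        Using impersonationContext As WindowsImpersonationContext = user.Impersonate()
            Return work()
        End Using
    End Function

End Module

' Usage from a page (assumed to be a System.Web.UI.Page with Windows auth):
'   Dim requester = CType(Me.User.Identity, WindowsIdentity)
'   Dim report = RunImpersonated(requester, Function() DescribeToken(WindowsIdentity.GetCurrent()))
'   ' Log or trace the report before calling the business-logic assembly.
```

The report makes the two halves of the problem visible separately: the Name line shows that impersonation itself worked (which matches what the question observes), while the AuthenticationType and ImpersonationLevel lines show whether the token can be delegated at all. If the token is NTLM or sits at the Impersonation level, no amount of code in the page or the business-logic assembly will make the trusted connection succeed; the fix is on the Kerberos side (SPNs for the SQL Server service and the web application, and the web server or application-pool account trusted for delegation to that service).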