C# ASP.NET MVC 中的模拟
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1405612/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Impersonation in ASP.NET MVC
提问by Jason Kemp
I have a MVC web application on an intranet and want to be able to create files on our FTP server to send to outside partners.
我在 Intranet 上有一个 MVC Web 应用程序,希望能够在我们的 FTP 服务器上创建文件以发送给外部合作伙伴。
The code for impersonation uses the WindowsImpersonationContext.
模拟代码使用 WindowsImpersonationContext。
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
StreamWriter sw = System.IO.File.CreateText("PathOnFTPServer");
sw.Write("data");
impersonationContext.Undo();
Here's what's happening and the reason for my question:
这是发生了什么以及我的问题的原因:
Pre Impersonation
预模拟
User.Identity.Name: [my windows credentials]
User.Identity.Name:[我的 Windows 凭据]
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE
System.Security.Principal.WindowsIdentity.GetCurrent().Name: NT AUTHORITY\NETWORK SERVICE
Post Impersonation
假冒后
User.Identity: [my windows credentials]
User.Identity:[我的 Windows 凭据]
GetCurrent.Name: [my windows credentials]
GetCurrent.Name: [我的 Windows 凭据]
Impersonate Undo
冒充撤销
User.Identity: [my windows credentials]
User.Identity:[我的 Windows 凭据]
GetCurrent.Name: NT AUTHORITY\NETWORK SERVICE
GetCurrent.Name: NT AUTHORITY\NETWORK SERVICE
So, before I impersonate, the current user is the System Account but after impersonation, it is using my windows domain account which has permission to create text files on the FTP server. The code works locally using the visual studio web server but not when I deploy it on IIS on our test server.
因此,在我模拟之前,当前用户是系统帐户,但在模拟之后,它使用的是我的 Windows 域帐户,该帐户有权在 FTP 服务器上创建文本文件。该代码使用 Visual Studio Web 服务器在本地工作,但当我将其部署在我们测试服务器上的 IIS 上时则不然。
I'm getting an access denied error. What would be the reason for the error when the correct user is being impersonated?
我收到拒绝访问错误。当正确的用户被模拟时,错误的原因是什么?
采纳答案by anonymous
Impersonation allows machine to machine impersonation, so the client browser and the server are on the same page when it comes to the impersonation. When you then attempt to access the network share, the computer doesn't trust the impersonated credentials.
模拟允许机器对机器进行模拟,因此在模拟时客户端浏览器和服务器在同一页面上。当您随后尝试访问网络共享时,计算机不信任模拟的凭据。
You need to enable delegation for the IIS machine in Active Directory. Go to Active Directory Users and Computers, find the computer, click properties, and 'Trust computer for delegation'. (You might need to restart IIS for this to work, I don't remember).
您需要在 Active Directory 中为 IIS 计算机启用委派。转到 Active Directory 用户和计算机,找到计算机,单击属性,然后单击“信任计算机以进行委派”。(您可能需要重新启动 IIS 才能使其工作,我不记得了)。
There is way more theory than this that I don't fully understand, but this should work. Whether it is right or not someone else could comment on!
有比这更多的理论我不完全理解,但这应该有效。对不对别人可以评论!
Also, the reason it works on your development machine is that the development server runs as the developer, not (Local)\Network Service.
此外,它在您的开发机器上工作的原因是开发服务器作为开发人员运行,而不是 (Local)\Network Service。
A decent link:
一个体面的链接:
http://msdn.microsoft.com/en-us/library/cc949004.aspx
http://msdn.microsoft.com/en-us/library/cc949004.aspx
What is the difference between impersonation and delegation?
Impersonation flows the original caller's identity to back-end resources on the same computer. Delegation flows the original caller's identity to back-end resources on computers other than the computer running the service.
For example, if a service is running within IIS without impersonation, the service will access resources using the ASP.NET account in IIS 5.0, or the Network Service account in IIS 6.0. With impersonation, if the client is connecting using the original caller's account, the service will access resources such as a SQL Server database on the same machine using the original caller's account instead of the system ASP.NET account. Delegation is similar except that the SQL Server database could be on a different machine that is remote to the service.
模拟和委托有什么区别?
模拟将原始调用者的身份传送到同一台计算机上的后端资源。委派将原始调用者的身份传送到运行服务的计算机以外的计算机上的后端资源。
例如,如果服务在 IIS 中运行而没有模拟,则该服务将使用 IIS 5.0 中的 ASP.NET 帐户或 IIS 6.0 中的网络服务帐户访问资源。通过模拟,如果客户端使用原始调用者的帐户进行连接,则服务将使用原始调用者的帐户而不是系统 ASP.NET 帐户访问同一台计算机上的 SQL Server 数据库等资源。委派与此类似,只是 SQL Server 数据库可能位于远离服务的另一台计算机上。
