Obtaining NTLM credentials from the response on an ASPX page
I have an ASPX page (on server A) which is invoked using NTLM credentials. Part of that page's job is to call an HTML page (on server B) and proxy it back to the client. (The firewall allows access to A, but not to B. The user would normally be allowed access to both servers.) Server B is also not open to anonymous access, so I need to supply credentials to it.
If I hardcode some credentials (as per the attached code), it works, but ideally I would echo the credentials that were received by the .aspx page. Is there some way to get those NetworkCredentials so I can pass them on?
// Namespaces the snippet relies on (the page omits them).
using System;
using System.IO;
using System.Net;

protected void Page_Load(object sender, EventArgs e) {
    Response.Clear();
    // Hard-coded placeholder credentials; replacing these with the caller's is the question.
    CredentialCache cc = new CredentialCache();
    cc.Add(new Uri("http://serverB/"), "NTLM",
        new NetworkCredential("userName", "password", "domain"));
    // Dispose the WebClient and the response stream even if the copy throws.
    using (WebClient proxyFile = new WebClient()) {
        proxyFile.Credentials = cc;
        using (Stream proxyStream = proxyFile.OpenRead("http://serverB/Content/webPage.html")) {
            // Pass server B's content type through instead of the page's default.
            Response.ContentType = proxyFile.ResponseHeaders["Content-Type"] ?? "text/html";
            // Copy in blocks rather than one byte per call.
            byte[] buffer = new byte[8192];
            int read;
            while ((read = proxyStream.Read(buffer, 0, buffer.Length)) > 0) {
                Response.OutputStream.Write(buffer, 0, read);
            }
        }
    }
    // Stops the page lifecycle here; Response.End() does this by raising ThreadAbortException.
    Response.End();
}
3 answers
You can certainly obtain the login name of the caller, but not the password. NTLM uses a challenge/response mechanism, so the password is never transmitted. Your server must have access to a password-equivalent (a hash) in order to form the challenge and check the response, but even if you can get hold of it that password-equivalent will be no use to you in trying to form credentials that will be accepted by server B.
If you can set up impersonation, as described in another answer, even that doesn't necessarily get you what you want. By default, an impersonating server process is not allowed to transmit its identity to another server. That second hop is known as delegation and needs to be configured explicitly on the servers involved (and/or in Active Directory).
Apart from delegation I think your only option is to maintain a database of credentials that server A can access and present to server B. Building that in a secure manner is a subtle and time-consuming process. On the other hand, there is a reason why delegation is disabled by default. When I log into a server, do I want it to be allowed to use my identity for accessing other servers? Delegation is the simplest option for you, but you'll need to be sure that server A can't be compromised to do irresponsible things with your users' identities.
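To make the challenge/response point above concrete, here is an added example (not part of the answer, and not code from the question's project) that computes an NTLMv2 response the way a client does and checks it the way a server does. MD4 is implemented inline because many OpenSSL builds no longer expose it through hashlib; the user, domain, password, server challenge, client challenge and target info are the worked inputs from MS-NLMP section 4.2.4, and server B's challenge is a constructed value chosen for the demonstration.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Windows stores MD4(UTF-16LE(password)) as the NT hash."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            idx = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[idx] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, idx in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + hh(b, c, d) + x[idx] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)), MS-NLMP 3.3.2.
    This password-equivalent stays with the client (and the DC); it is never sent."""
    nt_hash = md4(password.encode("utf-16-le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(ntowf: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: bytes, target_info: bytes) -> bytes:
    """Client side: NTLMv2_RESPONSE = NTProofStr || temp. The proof is an HMAC over the
    server's 8-byte challenge, so it is only valid for that one challenge."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def verify_ntlmv2(ntowf: bytes, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the password-equivalent and the challenge
    this server issued, then compare in constant time."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the CHALLENGE_MESSAGE target info (id, byte length, UTF-16LE value)."""
    encoded = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(encoded)) + encoded


# Worked inputs from MS-NLMP 4.2.4 (NbDomainName = 0x0002, NbComputerName = 0x0001, EOL = 0).
USER, DOMAIN, PASSWORD = "User", "Domain", "Password"
SERVER_A_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TIMESTAMP = b"\x00" * 8
TARGET_INFO = av_pair(2, "Domain") + av_pair(1, "Server") + b"\x00\x00\x00\x00"
# Constructed: server B issues its own, independent challenge.
SERVER_B_CHALLENGE = bytes.fromhex("fedcba9876543210")


def demo() -> dict:
    ntowf = ntowf_v2(PASSWORD, USER, DOMAIN)
    # This is everything server A ever receives from the client for authentication.
    response_to_a = ntlmv2_response(ntowf, SERVER_A_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return {
        "ntowf_v2": ntowf.hex(),
        "nt_proof_str": response_to_a[:16].hex(),
        "accepted_by_a": verify_ntlmv2(ntowf, SERVER_A_CHALLENGE, response_to_a),
        # Server A forwarding the same response to server B: B's challenge differs, so it fails.
        "replayed_to_b": verify_ntlmv2(ntowf, SERVER_B_CHALLENGE, response_to_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the question: the only authentication material that reaches server A is `response_to_a`, an HMAC keyed by a value A never sees and bound to A's own challenge, so nothing in the page's request can be "echoed" to server B. In a domain, even the `verify_ntlmv2` step is not performed by server A itself but by a domain controller on its behalf, so A does not hold `ntowf` either.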
Page.User will get you the Security Principal of the user the page is running under.
From there you should be able to figure it out.
Can you, in your scenario, impersonate the caller's identity? That way you wouldn't even need to pass along credentials, e.g.:
in web.config of server A. But this of course depends on your situation, as you may not want that for server A. But if you can, this could solve your problem without custom code.
Here's a link for setting up impersonation: http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_impersonatingorigcaller