Retrieving the Windows username of the logged-in machine from an intranet application

Posted 2024-08-08 10:07:28

How can an application, running on a production server, access the login username of the machine that a user is accessing an application from? For example, I am currently logged into my machine on the INTRA corporate intranet. My username will be INTRA\Username.

I have added specific usernames to a database and wish to check this intranet username against the database to restrict access to an application and leverage the username across the application.

Currently, I am using the following code to access the username:

    Private username As String = Thread.CurrentPrincipal.Identity.Name

This is working great on localhost, but when authenticating against the database on a development server, I'm getting the following error:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Is this an incorrect approach? Is this even possible, or is it too much of a security issue? This application will be an internal intranet application running in an IE shop. Relevant pieces of web.config that already exist include:

    <identity impersonate="true"/>
    <authentication mode="Windows"/>
    <authorization>
        <deny users="?"/>
    </authorization>

    <connectionStrings>
        <add name="CONNSTR" connectionString="Initial Catalog=DATANAME;Data Source=servername;Integrated Security=True;" providerName="System.Data.SqlClient"/>
    </connectionStrings>

Comments (3)

堇年纸鸢 2024-08-15 10:07:28

When setting up your web application on the server, you need to go into the Document Security section (the name of it changes depending on what version of IIS your server is running, but it's something like that), turn off anonymous authentication, and turn on Windows authentication. That tells the server to request Windows login authentication from the browser. (Perhaps someone who knows web.config files better than I [which is nearly anyone] can edit this to point to the relevant bit; I don't think it's impersonate but if I knew, I'd say. I've so far only done this via the UI.)

℡Ms空城旧梦 2024-08-15 10:07:28

In your example, you are locating the username that your webserver is running under. What you are after is the username of the user accessing the page.

Try something like this:

殤城〤 2024-08-15 10:07:28

If setting the directory security to Windows Authentication is not working, change it to Basic Authentication. You'll also need to specify the domain name to authenticate against. This was the only way we could get the security to propagate through from the IIS layer to the DB. Unfortunately this causes the username and password to be sent through clear text. It's not the best solution, but since things were on the Intranet, it worked while we work on updating our login procedure.
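
An added example, not part of the original thread: one way to do the check the question describes, reading the Windows-authenticated caller from the request and looking the name up with a parameterized query. The table `dbo.AllowedUsers` and the module and function names are assumptions; `CONNSTR` is the connection string name from the question, and the example assumes the connection is opened under an identity that SQL Server accepts.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Module IntranetAccess

    ' Assumption: hypothetical table dbo.AllowedUsers(UserName NVARCHAR(256))
    ' holding names in DOMAIN\user form, e.g. INTRA\Username.
    Private Const LookupSql As String =
        "SELECT COUNT(*) FROM dbo.AllowedUsers WHERE UserName = @name"

    ' Returns the authenticated caller's DOMAIN\user name, or Nothing when the
    ' request was not authenticated by Windows authentication.
    Public Function GetCallerName(context As HttpContext) As String
        If context Is Nothing OrElse context.User Is Nothing Then Return Nothing
        Dim identity As IIdentity = context.User.Identity
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then Return Nothing
        ' With <authentication mode="Windows"/> the identity is a WindowsIdentity.
        Dim win As WindowsIdentity = TryCast(identity, WindowsIdentity)
        If win Is Nothing OrElse win.IsAnonymous Then Return Nothing
        Return win.Name
    End Function

    ' True only when the caller is authenticated and listed in the table.
    Public Function IsCallerAllowed(context As HttpContext) As Boolean
        Dim name As String = GetCallerName(context)
        If String.IsNullOrEmpty(name) Then Return False ' deny by default

        Dim connStr As String =
            ConfigurationManager.ConnectionStrings("CONNSTR").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(LookupSql, conn)
                ' Parameterized: the user name is never concatenated into SQL.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 256).Value = name
                conn.Open()
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

End Module
```

Whether `INTRA\Username` and `intra\username` match depends on the collation of the `UserName` column, so store names in one consistent form.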
