How to "un-impersonate" (un-delegate?) in Kerberos

Posted 2024-08-18 04:53:53

I have a web application using Kerberos to access an external resource using ASP.NET 3.5 and IIS.

When a user connects with the application, Kerberos authentication auto-magically allows me to connect to external resources acting as the user using delegation. This was not easy to do. It is nice, but I've a problem. Sometimes I need to connect to an external resource using an account with more rights than the user. The service account which the app-pool is running under has the additional rights I need. How can I remove the user's Kerberos identification and connect with Kerberos using the service account running the application pool?

UPDATE

I'm not sure why I am getting no responses at all. I've never seen that before. Please post questions, they may clarify the problem (to me too).


Working in Kerberos and need an overview of delegation? Read the first part of this answer: https://stackoverflow.com/a/19103747/215752.


Comments (1)

坏尐絯 2024-08-25 04:53:53

I have a class:

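using System;
using System.Security.Principal;

// Reverts the current thread to the process (application pool) identity
// for the lifetime of the scope, then restores the previous identity.
public class ProcessIdentityScope : IDisposable
{
    private WindowsImpersonationContext _impersonationContext;
    private bool _disposed;

    public ProcessIdentityScope()
    {
        // Impersonating a zero token removes the thread's impersonation token,
        // so the thread runs as the process identity.
        _impersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero);
    }

    #region IDisposable Members

    public void Dispose()
    {
        Dispose(true);
        GC.SuppressFinalize(this);
    }

    protected virtual void Dispose(bool disposing)
    {
        // Dispose must be safe to call more than once, so a repeated call is a no-op.
        if (_disposed)
            return;

        // Restore the identity the thread had before the scope was created.
        _impersonationContext.Undo();
        _impersonationContext.Dispose();
        _disposed = true;
    }

    #endregion
}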

And I use it like so:

using(ProcessIdentityScope identityScope = new ProcessIdentityScope())
{
    // Any code in here runs under the Process Identity.
}

This code is based on this MSDN article: http://msdn.microsoft.com/en-us/library/ms998351.aspx
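The revert described in the answer above can also be wrapped so that it fails closed when the thread token was not actually dropped and records which identity the privileged call ran as. This is an added example, not part of the original answer; `ProcessIdentity`, `RunAsProcessIdentity` and the log format are hypothetical names, and it assumes the .NET Framework on Windows, as in the question.

```csharp
using System;
using System.Security.Principal;

// Added example: names below are hypothetical, not from the original answer.
public static class ProcessIdentity
{
    // Runs 'action' as the process identity and always restores the caller's token.
    public static T RunAsProcessIdentity<T>(Func<T> action)
    {
        // GetCurrent(true) returns the thread token, or null when the thread
        // is not impersonating anyone.
        WindowsIdentity caller = WindowsIdentity.GetCurrent(true);
        string callerName = caller != null ? caller.Name : "(not impersonating)";

        // A zero token removes the thread token, leaving the process identity.
        WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // Fail closed: a remaining thread token means the revert did not
            // take effect and the call would still run as the end user.
            if (WindowsIdentity.GetCurrent(true) != null)
                throw new InvalidOperationException("Thread is still impersonating.");

            // Audit the transition so use of the more privileged account is traceable.
            Console.WriteLine(string.Format("revert: caller={0} running-as={1}",
                callerName, WindowsIdentity.GetCurrent().Name));

            return action();
        }
        finally
        {
            // Restore the caller's identity even if 'action' throws.
            ctx.Undo();
            ctx.Dispose();
        }
    }

    public static void Main()
    {
        // Constructed demo: the "privileged work" only reports the identity it ran under.
        string ranAs = RunAsProcessIdentity(() => WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("action ran as: " + ranAs);
        Console.WriteLine("after scope:   " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Keep the delegate passed to `RunAsProcessIdentity` as small as possible, since everything inside it runs with the service account's rights regardless of which user made the request.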
