WMI "Access is denied" error when querying a remote computer from ASP.NET

Posted 2024-10-11 01:45:40, 789 characters, 4 views, 0 comments


I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.

The problem is that I get an "Access is denied" error, despite the fact that I can successfully execute my WMI request from a PowerShell console on the same host, under the same user, to the remote server in question.

// this doesn't work
using System.Management; // requires a reference to System.Management.dll
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01"; // remote host, i.e. a second hop from the web server
scope.Connect(); // <-- here comes exception

# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01

Dumping the HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name and System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggests that impersonation works as expected.

Ideas? Could the issue be some kind of .NET or IIS security?


Comments (1)

凶凌 2024-10-18 01:45:40


You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this, the remote target server will see the request coming in as Anonymous User... which, if it's properly secured, will be denied access.

Note it's a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have a problem. Talk to your domain admin.
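As an added example (not code from the question or the answer above), the following PowerShell audits a web server's delegation settings and grants only constrained delegation to the WMI target the answer describes. It assumes the RSAT ActiveDirectory module, an account permitted to edit computer objects, that the IIS application pool runs as the machine identity (Network Service / ApplicationPoolIdentity, so delegation belongs on the computer account), and that `WEB01` and `vs01` are placeholder host names.

```powershell
# Added example, not part of the original page. Host names are placeholders.
Import-Module ActiveDirectory

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Computer           = $c.Name
        Unconstrained      = [bool]$c.TrustedForDelegation        # any service, any host: a finding
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation  # "use any authentication protocol"
        AllowedTargets     = @($c.'msDS-AllowedToDelegateTo')     # constrained targets (SPNs)
    }
}

function Grant-ConstrainedWmiDelegation {
    param(
        [Parameter(Mandatory)][string]$WebServer,   # intermediate server, e.g. WEB01
        [Parameter(Mandatory)][string]$Target       # WMI target, e.g. vs01
    )
    $fqdn = (Get-ADComputer -Identity $Target).DNSHostName
    # WMI runs over DCOM/RPC, so the service class the client requests a ticket for
    # is RPCSS. Confirm the SPNs actually registered on the target with: setspn -L $Target
    $spns = @("RPCSS/$Target", "RPCSS/$fqdn")
    Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
    # Deliberately not setting -TrustedForDelegation $true: that would be
    # unconstrained delegation, which lets the web server impersonate users anywhere.
}

# Audit, apply the constrained grant, audit again.
Get-DelegationState -ComputerName 'WEB01' | Format-List
Grant-ConstrainedWmiDelegation -WebServer 'WEB01' -Target 'vs01'
Get-DelegationState -ComputerName 'WEB01' | Format-List
```

The change only takes effect once the web server holds fresh Kerberos tickets, and if browsers reach the site with NTLM rather than Kerberos the delegation will not be used at all, so check the authentication protocol in the IIS logs or security event log before concluding the configuration is wrong.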
