AzMan 给不同的服务器提供不同的结果
我们有 2 个网络服务器,理论上是相同的,但在执行 AzMan 授权检查时产生不同的结果。
我们在两台计算机上运行相同的网站(实际上是相同的网站 - 它已从一台计算机复制到另一台计算机,并且在同一服务帐户下运行)。该网站所做的只是针对 AzMan 数据库(位于单独的 SQL 服务器上)执行授权检查。
但是,在工作网站 (WebA) 上,此检查返回 0(即“用户已授权”),而在损坏的网站 (WebB) 上,此检查返回 5代码>(即“用户未获得授权”)。我们预计这两个网站上都会出现 0。同一用户从同一台 PC 访问这两个网站。
有人对我们可以检查的事情有什么想法吗?
环境详细信息
- Windows Server 2008 R2
- 相同的 AD 域
- IIS 7.5
- .NET 3.5
- AzMan 数据库在 SQL Server 2005/Windows Server 2008 R2 上运行。
代码
AzAuthorizationStoreClass authStore = new AzAuthorizationStoreClass();
// initialise the store
authStore.Initialize(0, "mssql://Driver={SQL Server};Server={OURDBSERVER};Trusted_Connection={Yes};/OURDATABASE/OURAPPLICATION", null);
// open the store
IAzApplication2 authApp = authStore.OpenApplication2("OURAPPLICATION", null);
// get the identity of the user NOT the service account
WindowsIdentity identity = Thread.CurrentPrincipal.Identity as WindowsIdentity;
// and from that derive the token
ulong userToken = (ulong)identity.Token.ToInt64();
// get the context based on the token
IAzClientContext3 clientContext =
(IAzClientContext3)authApp.InitializeClientContextFromToken(userToken, null);
// get the operation object based on the id
IAzOperation2 azManOperation = (IAzOperation2)authApp.OpenOperation(operationId, null);
// generate an audit identifier
string auditIdentifer =
string.Format("{0}{1} : O:{2}", "{the_correct_id}", identity.Name, operationId);
uint accessResult = clientContext.AccessCheck2(auditIdentifer, string.Empty, azManOperation.OperationID);
return accessResult.ToString();
非常感谢,
RB。
We have 2 web-servers which are theoretically identical, but are producing different results when performing an AzMan authorisation check.
We have the same web-site running on both machines (literally the same web-site - it's been XCOPYed from one to the other, and it runs under the same service account). All this web-site does is perform an authorisation check against an AzMan database (sitting on a separate SQL server).
However, on the working web-site (WebA) this check returns 0 (i.e. "user is authorised"), while on the broken web-site (WebB) this check returns 5 (i.e. "user is NOT authorised"). We are expecting 0 on both web-sites. The same user is accessing both web-sites, from the same PC.
Does anyone have any ideas for things we can check?
Environment details
- Windows Server 2008 R2
- Same AD domain
- IIS 7.5
- .NET 3.5
- AzMan Database runs on SQL Server 2005/Windows Server 2008 R2.
Code
AzAuthorizationStoreClass authStore = new AzAuthorizationStoreClass();
// initialise the store
authStore.Initialize(0, "mssql://Driver={SQL Server};Server={OURDBSERVER};Trusted_Connection={Yes};/OURDATABASE/OURAPPLICATION", null);
// open the store
IAzApplication2 authApp = authStore.OpenApplication2("OURAPPLICATION", null);
// get the identity of the user NOT the service account
WindowsIdentity identity = Thread.CurrentPrincipal.Identity as WindowsIdentity;
// and from that derive the token
ulong userToken = (ulong)identity.Token.ToInt64();
// get the context based on the token
IAzClientContext3 clientContext =
(IAzClientContext3)authApp.InitializeClientContextFromToken(userToken, null);
// get the operation object based on the id
IAzOperation2 azManOperation = (IAzOperation2)authApp.OpenOperation(operationId, null);
// generate an audit identifier
string auditIdentifer =
string.Format("{0}{1} : O:{2}", "{the_correct_id}", identity.Name, operationId);
uint accessResult = clientContext.AccessCheck2(auditIdentifer, string.Empty, azManOperation.OperationID);
return accessResult.ToString();
Many thanks,
RB.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
感谢大卫·霍尔为我指明了正确的方向。
调查显示,这两个网站都启用了 Windows 身份验证和匿名访问。然而,在一个网站上,用户可以正确登录,而在损坏的网站上,用户会退回到匿名模式。
禁用匿名访问可确保用户同时登录这两个网站,从而解决了此问题。
然而,这留下了另一个问题,即为什么浏览器在一个网站上匿名登录,而不是在另一个网站上登录——我认为是为了 ServerFault。
Thanks to David Hall for pointing me in the right direction.
Investigation showed that both web-sites were enabled for both Windows authentication and anonymous access. However, on one web-site the user was being logged in correctly, while on the broken web-site it was falling back to anonymous mode.
Disabling anonymous access fixed this problem by ensuring the user logs in to both web-sites.
However, this leaves another question of why the browser logs in anonymously on one web-site but not the other - one for ServerFault I think.
在我们的例子中,我们使用 ASP.NET 模拟和 Windows 身份验证,而不是匿名。 Tt 在 Windows 7 Enterprise x64 开发计算机上运行,而不是在 Windows Server 2008 R2 x64 测试服务器上运行。两个应用程序池的设置完全相同,具有相同的域帐户凭据。
事实证明,ASP.NET 模拟是问题的根本原因。禁用 ASP.NET 模拟后,应用程序池帐户现在被用作成功连接到 AzMan 存储的凭据。连接到 Active Directory 或 SQL Server 中的 AzMan 存储时也会出现同样的问题。
为了清楚起见,我得到的错误是:
值不在预期范围内。来自 AzAuthorizationStoreClass.Initialize()我的最终连接字符串是:
In our case, we were using ASP.NET impersonation with Windows Authentication and not Anonymous. Tt was working on the Windows 7 Enterprise x64 Development machine and not on the Windows Server 2008 R2 x64 test server. Both Application Pools were set up exactly the same with the same domain account credentials.
It turns out that ASP.NET impersonation was the root cause of the issue. After disabling ASP.NET impersonation, the App Pool account was now being used as the credentials to connect to the AzMan store successfully. The same issue was occurring when connecting to an AzMan store in Active Directory or SQL Server.
For clarity, the error I was getting was:
Value does not fall within the expected range. from AzAuthorizationStoreClass.Initialize()My final connection string was: