ASP.NET refuses to respect my authority.

Posted on 2024-11-26 19:37:54

I've managed to impersonate a user successfully. Using the LogonUser Interop, e.g.

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LogonUser(
      string principal,
      string authority,
      string password,
      LogonSessionType logonType,
      LogonProvider logonProvider,
      out IntPtr token);

This works fine. When I go to my immediate window and enter WindowsIdentity.GetCurrent().Name, the impersonated user shows as my CurrentUser. When I release this user, it goes back to my real user. No problems here -- I'm impersonating.

However, when I attempt to write a file to a share that the user has access to, I get:

Access to the path [path name] denied..

I've been able to log into Windows manually as the user I am impersonating, navigated, and written a file to the share. The user definitely has administrative privileges to the directory I'm targeting.

I am allowing the end user to upload a file, and using the HttpPostedFileBase object, write a file to this share. Essentially, I am restricting the impersonation to the block of code to upload the file. Once it's finished, it goes back to the original authenticated LDAP user e.g.

    imp = Impersonation.ImpersonateUser("someuser","somepassword");
    HttpPostedFileBase hpf = Request.Files[file] as HttpPostedFileBase;
    ...
    hpf.SaveAs(path);
    Impersonation.StopImpersonating(imp);

The path is correct.

When I save the file using the SaveAs method, is it respecting my impersonation?

Is it attempting to write the file under another account I'm not aware of? And if so, how can I change this?

There doesn't seem to be a whole lot of control using the SaveAs method -- not a single overload. Are there any other alternatives to using this object that would give me greater control over my credentials?

Comments (3)

你穿错了嫁妆 2024-12-03 19:37:54

It sounds like a double-hop authentication problem. Have you tried giving the network share modify access to your site's default IIS user (e.g. ASPNET) and running the POST/SaveAs without the impersonation code at all? If that fails, you should look to see if things are set up in IIS that can lead to server hop authentication issues. Here might be a good place to start:

http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx

彡翼 2024-12-03 19:37:54

You say "write a file to this share." There are separate permissions for the share than there are for the folder on the computer. Have you checked the share's permissions?

凉城凉梦凉人心 2024-12-03 19:37:54

Try adjusting your LogonSessionType value. I think in order to save to a network share, you need to have it as "Network", while the default is "Interactive".

Further details: How To: Use Impersonation and Delegation in ASP.NET 2.0
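
An added example, not code from the question or from any of the answers: a diagnostic helper for the situation in this thread that logs on with a chosen logon type, impersonates, and attempts a write to the share, so the "Interactive" and "Network" values mentioned in the last answer can be compared directly. `ShareWriteProbe`, `TryWrite` and the probe file name are hypothetical, and it assumes .NET Framework, where `WindowsIdentity.Impersonate` is available.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ShareWriteProbe   // hypothetical helper, not from the post
{
    // LOGON32_LOGON_* and LOGON32_PROVIDER_* values from winbase.h
    public const int Interactive = 2, Network = 3, NewCredentials = 9;
    const int ProviderDefault = 0, ProviderWinNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string principal, string authority, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Writes and deletes a one-byte probe file in uncDirectory under the given logon type.
    public static string TryWrite(string user, string domain, string password,
                                  int logonType, string uncDirectory)
    {
        // LOGON32_LOGON_NEW_CREDENTIALS is only supported by the WINNT50 provider.
        int provider = logonType == NewCredentials ? ProviderWinNT50 : ProviderDefault;
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, provider, out token))
            return "LogonUser failed: " + new Win32Exception(Marshal.GetLastWin32Error()).Message;
        try
        {
            // Dispose() reverts the thread identity even when the write throws,
            // so a failed upload never leaves the request running as the other user.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            {
                string probe = Path.Combine(uncDirectory, "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
                File.WriteAllBytes(probe, new byte[] { 0 });
                File.Delete(probe);
                // With NewCredentials the local name stays the caller's; only
                // outbound network connections use the supplied credentials.
                return "OK as " + WindowsIdentity.GetCurrent().Name;
            }
        }
        catch (UnauthorizedAccessException ex) { return "Denied: " + ex.Message; }
        catch (IOException ex) { return "I/O error: " + ex.Message; }
        finally { CloseHandle(token); }   // always release the logon token
    }
}
```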
