Cassini忽略Win NT角色授权,IIS 7.5一切正常
我有一个 ASP.NET MVC 3 应用程序在我的本地开发盒 (Win7) 和登台服务器 (W2k8r2) 上运行。在启用 ASP.NET Windows 授权安全性之前,应用程序在两种环境中都运行良好。
保护 Web 应用程序后,它继续在临时服务器上正常运行,但在我的本地开发盒上生成 401.2 访问被拒绝。我能看到的唯一显着差异是在本地开发盒上,我通过 Visual Studio 使用 Cassini,而服务器是 IIS7.5。
正在使用Windows授权+模拟。什么可能导致 Cassini 生成这些 401.2 访问被拒绝?
Web.config 是:
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
<!-- replication of system.webServer security settings for cassini which doesn't process them... -->
<authorization>
<allow roles=".\Test Application - Users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="Test Application - Users" />
</authorization>
</security>
仅供参考,相关用户位于每个系统上的“测试应用程序 - 用户”Windows 安全组中。
解决方案
开发盒上的根本问题是:
- Cassini 不支持身份模拟并且
- 而用户已被添加到相关的 NT 组,他们没有注销/登录,因此与他们的 Windows 令牌关联的组 SID 没有被刷新
如果 Cassini 支持模拟,我怀疑这会是一个问题,因为会在冒充 语境。感谢@x0n 指出了正确的方向。
I have an ASP.NET MVC 3 application running on both my local dev box (Win7) and staging server (W2k8r2). The application operates fine in both environments until ASP.NET Windows authorization security is enabled.
After securing the web-app, it continues operates correctly on the staging server but generates 401.2 access denied's on my local dev box. The only significant difference I can see is on local dev box, I'm using Cassini via Visual Studio whereas the server is IIS7.5.
Windows authorization + impersonation is being used. What could cause Cassini to generate these 401.2 access denied?
Web.config is:
<system.web>
<authentication mode="Windows" />
<identity impersonate="true" />
<!-- replication of system.webServer security settings for cassini which doesn't process them... -->
<authorization>
<allow roles=".\Test Application - Users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="Test Application - Users" />
</authorization>
</security>
FYI Relevant users are in the 'Test Application - Users' Windows security group on each system.
Solution
The underlying issue on the dev box turned out to be that:
- Cassini doesn't support identity impersonation and
- Whilst the user had been added to relevant NT groups, they had not logged off/on and thus the group SID's associated with their Windows token had not been refreshed
If impersonation had been supported by Cassini I doubt this would have been an issue because a new token would have been established within the impersonation context. Thanks to @x0n for pointing in the right direction.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我不完全确定,但我不认为 cassini 可以模仿(但是 iis express 可以。)
i'm not entirely sure, but I don't think cassini can impersonate (iis express can, however.)
在解决方案资源管理器窗格中选择 Web 项目并按 F4。 (不是右键单击+属性,这是不同的)-这将显示属性窗格
在属性窗格中然后设置:
Windows 身份验证:启用
匿名身份验证:禁用
运行您的项目,快乐的日子!
In solution explorer pane select the Web Project and hit F4. (not right click+properties, thats different) - this will show property pane
In properties Pane then set:
Windows Authentication: Enable
Anonymous Authentication: Disabled
Run your project, Happy Days!