IIS 仍然通过池身份访问资源,而不是模拟用户
我已经穷尽了!
在 Server 2003 上,我有一个配置为使用基本身份验证的 INTRANET 应用程序和一个具有专用帐户的应用程序池。
在 web.config 中,我指定
<authentication mode="Windows" />
<identity impersonate="true"/>
在视图中 (MVC 3):
<p>Environment.UserName (authentication): @Environment.UserName</p>
<p>User.Identity.Name (asp.net account): @User.Identity.Name</p>
这显示我的域帐户按预期被选取(我必须通过对话框登录到应用程序)。伟大的!
但是等等!当应用程序访问文件系统或 SQL Server(另一台机器)时,它不是通过我的域帐户,而是通过池帐户执行此操作。我可以通过分析器看到 SQL 登录信息。我也通过文件系统权限验证了这一点。如果我将池设置为使用网络服务,则无法创建本地文件,即使我使用的域帐户具有权限并且可以交互地执行此操作。如果我授予 NS 帐户对文件的权限,它就可以工作。所以我知道一个事实,即使视图确认我正在冒充,资源请求也不使用该帐户,而是使用池的帐户。
如果我关闭模拟,我会按照预期看到池 ID。
根据我所读到的内容,我应该能够使用基本身份验证来访问远程 sql 服务器,对吧?更不用说本地磁盘了。我就是不明白!
任何建议将不胜感激。
谢谢你!
I'm at my whitt's end!
On Server 2003, I have an INTRANET app configured to use BASIC AUTHENTICATION and an app pool with a dedicated account.
In web.config I'm specifying
<authentication mode="Windows" />
<identity impersonate="true"/>
In a view (MVC 3):
<p>Environment.UserName (authentication): @Environment.UserName</p>
<p>User.Identity.Name (asp.net account): @User.Identity.Name</p>
This shows my domain account being picked up as expected (I have to log into the app via the dialog). Great!
BUT WAIT! When the app accesses the file system or a sql server (another machine), it does not do so through my domain account, but rather through the pool account. I can see the SQL login coming in through profiler. I verified this via file system permissions, as well. If I set the pool to use NETWORK SERVICES, I can't create a local file, even through the domain account I'm using has permissions and can do so interactively. If I grant the NS account permission to the files, it works. So I know for a fact that even though the view confirms that I'm impersonating, resource requests don't use that account, but rather the pool's.
If I turn off impersonation, I see the pool ID in view, as expected.
From what I've read I should be able to use basic authentication to access the remote sql server, right? Not to mention the local disk. I just don't get it!
Any suggestions would be much appreciated.
Thank you!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
模拟以 IIS 结束。要继续将用户凭据传递到第二个远程服务器,您需要启用 Web 服务器和文件服务器之间的委派。这是 Active Directory 中计算机之间的位标志设置。
impersonation ends with IIS. to continue passing the user credentials to the 2nd remote server you need to enable delegation between the web server and the file server. This is a bit flag setting between computers in Active Directory.