1. 技术文章
  2. Impersonation in ASP.NET web application does not work when running on IIS

Impersonation in ASP.NET web application does not work when running on IIS

痴心易碎 提交于 2019-12-30 03:32:07

问题


I am working on ASP.NET 4.0 MVC3 web application that works in intranet environment. The application makes use of Windows authentication. Its application pool is run by domain user that has spn set on a domain controller. Authentication works using Kerberos (on IE and Firefox after some additional configuration).

Now I want to upload files to sharepoint, but it's important for me to upload the file as the user currently logged in into the application (so the file is created on Sharepoint with his/her credentials).

I have the following code in ResourceExists(Uri uri) function:

'...
    Dim identity As System.Security.Principal.WindowsIdentity = HttpContext.User.Identity
    Dim impersonationContext = identity.Impersonate()
    response = request.GetResponse()
    impersonationContext.Undo()
'...

This works when running locally, but when I deploy to the server I get the exception:

System.Net.WebException: The remote server returned an error: (401) Unauthorized.\r\n   at WebDav.WebDavClient.ResourceExists(Uri uri)\r\n   at Website.Website.WebdavController.Upload(HttpPostedFileBase file, UploadViewModel vm)

I read something about passing on the credentials, that is not possible with NTLM, but I am sure I am using Kerberos (I checked the headers with wireshark and fiddler) and I see the following:

Authorization: Negotiate YIIFpQYGKwYBBQUCoIIFmTCCBZWgJDAiBgkqhkiC9x...

Any ideas why the impersonation does not work when running on the IIS server?


回答1:


I found the answer here:

http://support.microsoft.com/kb/810572

"Kerberos does not work in a load-balanced architecture and IIS drops back to NTLM authentication. Because you cannot use NTLM for delegation, any applications or services that require delegation do not work. For more information, click the following article number to view the article in the Microsoft"

And that was exactly the case. I tried now with another machine that is not load-balanced and it works.

The only thing that still surprises me is that ImpersonationLevel of the identity is still Impersonate not Delegate...




回答2:


After setting <identity impersonate="true"/> in your web.config try the following:

using (((WindowsIdentity)User.Identity).Impersonate())
using (var client = new WebClient { Credentials = CredentialCache.DefaultNetworkCredentials })
{
    string result = client.DownloadString("http://sharepoint");
}



回答3:


you need to configure your site correctly in IIS for impersonation to work.

see Configure ASP.NET Impersonation Authentication (IIS 7)



来源:https://stackoverflow.com/questions/11079651/impersonation-in-asp-net-web-application-does-not-work-when-running-on-iis

标签
asp.net-mvc-3
.net-4.0
windows-authentication
impersonation
kerberos
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!