HttpClient & Windows Auth: Pass logged in User of Consumer to Service

我寻月下人不归 2020-12-13 05:34

I am struggling to understand and set up a Service and Consumer where the Service will run as the user logged into the Consumer.

My consumer is an MVC application. M

3 answers
  • 2020-12-13 06:03

    If you are trying to access a service which is hosted on Windows authentication, then do the following.

    var request = new RestRequest(Method.POST);
    

    If you want to use the application's default credentials, which must have access on the hosted service server:

    request.UseDefaultCredentials = true;
    

    or use the below to pass the credentials manually:

    request.Credentials = new NetworkCredential("Username", "Password", "Domain");
    
  • 2020-12-13 06:18

    The key is to let your MVC application (consumer) impersonate the calling user and then issue the HTTP requests synchronously (i.e. without spawning a new thread). You should not have to concern yourself with low-level implementation details, such as NTLM vs Kerberos.

    Consumer

    Configure your MVC application like so:

    1. Start IIS Manager
    2. Select your MVC web application
    3. Double click on 'Authentication'
    4. Enable 'ASP.NET Impersonation'
    5. Enable 'Windows Authentication'
    6. Disable other forms of authentication (unless perhaps Digest if you need it)
    7. Open the Web.config file in the root of your MVC application and ensure that <authentication mode="Windows" />

    To issue the HTTP request, I recommend you use the excellent RestSharp library. Example:

    var client = new RestClient("<your base url here>");
    client.Authenticator = new NtlmAuthenticator();
    var request = new RestRequest("Modules/5/Permissions", Method.GET);
    var response = client.Execute<ModulePermissionsDTO>(request);
    

    Service

    Configure your Web API service like so:

    1. Start IIS Manager
    2. Select your Web API service
    3. Double click on 'Authentication'
    4. Disable 'ASP.NET Impersonation'.
    5. Enable 'Windows Authentication'
    6. If only a subset of your Web API methods requires users to be authenticated, leave 'Anonymous Authentication' enabled.
    7. Open the Web.config file in the root of your Web API service and ensure that <authentication mode="Windows" />

    I can see that you've already decorated your method with an [Authorize] attribute, which should trigger an authentication challenge (HTTP 401) when the method is accessed. Now you should be able to access the identity of your end user through the User.Identity property of your ApiController class.

  • 2020-12-13 06:21

    The key issue with the double hop is delegation of the user's credentials to the second call. I want to elaborate a little bit on it. C1 = client browser, S1 = first server, S2 = second server.

    Suppose our complete system supports Windows authentication. When the user accesses S1 from the browser, their default Windows credentials are passed to server S1, but when S1 makes a call to S2, by default it doesn't pass the credentials to S2.

    Resolution:

    1. We must enable Windows authentication/impersonation on both machines.
    2. We need to enable delegation between the servers so that S1 can trust S2 and will pass the credentials to S2.

    You can find some useful details at the links below: http://blogs.msdn.com/b/farukcelik/archive/2008/01/02/how-to-set-up-a-kerberos-authentication-scenario-with-sql-server-linked-servers.aspx

    https://sqlbadboy.wordpress.com/2013/10/11/the-kerberos-double-hop-problem/

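To check that the end user's identity, and not the application pool account, reaches the service across the second hop, the following is an added example and not code from any of the answers above. It uses `WebClient` instead of RestSharp and programmatic impersonation instead of the IIS 'ASP.NET Impersonation' setting; the controller names and the service URL are hypothetical placeholders, and the two classes belong to separate .NET Framework projects.

```csharp
using System.Net;
using System.Security.Principal;

// Consumer project (S1, ASP.NET MVC). Names and URL are hypothetical.
public class PermissionsController : System.Web.Mvc.Controller
{
    private const string ServiceUrl = "https://service.example.test/api/whoami";

    public System.Web.Mvc.ActionResult Index()
    {
        var caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return new System.Web.Mvc.HttpStatusCodeResult(401);

        // Impersonation applies to the current thread only, so the outbound
        // call is made synchronously inside the impersonation scope.
        using (caller.Impersonate())
        using (var web = new WebClient { UseDefaultCredentials = true })
        {
            // UseDefaultCredentials sends the impersonated user's credentials,
            // never a stored user name and password.
            string json = web.DownloadString(ServiceUrl);
            return Content(json, "application/json");
        }
        // Disposing the impersonation context reverts to the process identity.
    }
}

// Service project (S2, ASP.NET Web API). Diagnostic endpoint only.
public class WhoAmIController : System.Web.Http.ApiController
{
    [System.Web.Http.Authorize]
    public System.Web.Http.IHttpActionResult Get()
    {
        var id = (WindowsIdentity)User.Identity;
        return Ok(new
        {
            // Expected: DOMAIN\enduser. The app pool or machine account here
            // means the user's identity was lost on the hop from S1 to S2.
            Name = id.Name,
            // Protocol the authentication layer reports for this request.
            AuthenticationType = id.AuthenticationType
        });
    }
}
```

If `Name` comes back as the consumer's application pool or machine account, or the call fails with HTTP 401 only when S1 and S2 are on different machines, the delegation setup described in the last answer is the place to look.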