Request["LOGON_USER"] vs. Request.LogonUserIdentity

I am trying to get the current WindowsIdentity of a caller of an ASP.NET application without impersonation.

After reading some articles my setup is:

  • In my IIS I have enabled the Windows Authentication in the Authentication Settings
  • In my web.config I set the authentication mode to "Windows"
  • For testing purposes, I wrote the following log statements

    m_techLogger.Warn(string.Format("Request[LOGON_USER] {0}", Request["LOGON_USER"]));
    m_techLogger.Warn(string.Format("Request.LogonUserIdentity {0}", Request.LogonUserIdentity.Name));
    m_techLogger.Warn(string.Format("HttpContext.Current.User.Identity {0}", HttpContext.Current.User.Identity.Name));
    m_techLogger.Warn(string.Format("WindowsIdentity.GetCurrent() {0}", WindowsIdentity.GetCurrent().Name));
    

    These statements returned the following:

    2015-04-23 10:47:19,628 [7] WARN  - Request[LOGON_USER] DOMAIN\User
    2015-04-23 10:47:19,681 [7] WARN  - Request.LogonUserIdentity NT AUTHORITY\SYSTEM
    2015-04-23 10:47:19,681 [7] WARN  - HttpContext.Current.User.Identity NT AUTHORITY\SYSTEM
    2015-04-23 10:47:19,681 [7] WARN  - WindowsIdentity.GetCurrent() NT AUTHORITY\SYSTEM
    

    I understand that WindowsIdentity.GetCurrent().Name returns the System user. I do not understand why the outputs from Request.LogonUserIdentity and Request[LOGON_USER] are different. I need the WindowsIdentity object of the user with the name that is returned by Request[LOGON_USER].

    Can anybody point me in the right direction?


    When I try the same I get

        Request.LogonUserIdentity.Name  "DOMAIN\accountname"   (no capital letter)
        Request["LOGON_USER"]   "DOMAIN\Accountname"   (capital letters)
    

    To get the current user in our ASP.NET application, I use this line of code:

    User.Identity.Name
    

    Does this help in any way?


    Request["LOGON_USER"] is only the authentication header that the client has sent to the server. Which means it is the login name of the client sending a request to your server. This login name will not be verified against the Active Directory unless you activate the impersonation. More info here: https://msdn.microsoft.com/en-us/library/ms524602(v=vs.90).aspx

    Now, without using impersonation, you are therefore stuck. You can check the user in the Request["LOGON_USER"] against your AD on your server. But I do not recommend doing that, because a hostile client could just send any username in that field and get logged on to your server if that user exists.

    The correct way of doing this is to enable impersonation and use an AD group to allow the users to do what your service is now doing. You activate that by just adding this to your IIS config:

    <configuration>
      <system.web>
        <identity impersonate="true"/>
      </system.web>
    </configuration>
    

    But if you really can't use impersonation, you can hack yourself out of this by impersonating a service account using the Win32 API. If you want to do that yourself, here are the examples from Microsoft: https://msdn.microsoft.com/en-us/library/chf6fbt4.aspx and https://msdn.microsoft.com/en-us/library/system.security.principal.windowsidentity.aspx

    Or you can find a good wrapper here: How do you do Impersonation in .NET?

    And using it is as easy as this:

    using (new Impersonation(domain, username, password))
    {
        // probably connecting to some bad 3rd party stuff that needs a very specific access.
    }
    

    Now, without knowing more about your actual reason for doing this, I hope this will help you further along the road. Only do this if it's absolutely necessary.


    System.Web.HttpContext.Current.User.Identity.Name

    Gets or sets security information for the current HTTP request. (The Name of the Logged in user on your Website)

    Request.ServerVariables

    Gets a collection of Web server variables.

    The Request property provides programmatic access to the properties and methods of the HttpRequest class. Because ASP.NET pages contain a default reference to the System.Web namespace (which contains the HttpContext class), you can reference the members of HttpRequest on an .aspx page without using the fully qualified class reference to HttpContext.

    Conclusion: Both work the same, but with Request.ServerVariables you can iterate over the whole collection dynamically.

    For example:

    int loop1, loop2;
    NameValueCollection coll;
    
    // Load ServerVariable collection into NameValueCollection object.
    coll=Request.ServerVariables; 
    // Get names of all keys into a string array. 
    String[] arr1 = coll.AllKeys; 
    for (loop1 = 0; loop1 < arr1.Length; loop1++) 
    {
       Response.Write("Key: " + arr1[loop1] + "<br>");
       String[] arr2=coll.GetValues(arr1[loop1]);
       for (loop2 = 0; loop2 < arr2.Length; loop2++) {
          Response.Write("Value " + loop2 + ": " + Server.HtmlEncode(arr2[loop2]) + "<br>");
       }
    }
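
An added example, not part of the original thread or of any poster's code: a helper that records the identity sources compared in the question side by side with their authentication flags, and returns a WindowsIdentity only when the request was authenticated as a real account. `IdentityDiagnostics`, `Describe` and `TryGetCaller` are hypothetical names; the code assumes classic ASP.NET (System.Web) on the .NET Framework.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Added example; IdentityDiagnostics and its members are hypothetical names.
public static class IdentityDiagnostics
{
    // One line per identity source from the question, plus the flags that say
    // whether each value belongs to an authenticated request.
    public static string Describe(HttpContext context)
    {
        HttpRequest request = context.Request;
        WindowsIdentity logon = request.LogonUserIdentity;
        IIdentity user = context.User != null ? context.User.Identity : null;
        var sb = new StringBuilder();

        sb.AppendFormat("AUTH_TYPE={0}; LOGON_USER={1}; Request.IsAuthenticated={2}\n",
            request.ServerVariables["AUTH_TYPE"],
            request.ServerVariables["LOGON_USER"],
            request.IsAuthenticated);
        sb.AppendFormat("Request.LogonUserIdentity={0}; anonymous={1}; system={2}\n",
            logon.Name, logon.IsAnonymous, logon.IsSystem);
        sb.AppendFormat("User.Identity={0}; type={1}; authenticated={2}\n",
            user == null ? "(none)" : user.Name,
            user == null ? "(none)" : user.AuthenticationType,
            user != null && user.IsAuthenticated);
        // The process identity is what the worker process runs as, not the caller.
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            sb.AppendFormat("WindowsIdentity.GetCurrent()={0}\n", process.Name);
        }
        return sb.ToString();
    }

    // Returns the caller's WindowsIdentity only when the request was
    // authenticated as a real account; anonymous and SYSTEM tokens are refused.
    public static bool TryGetCaller(HttpContext context, out WindowsIdentity caller)
    {
        caller = context.User == null ? null : context.User.Identity as WindowsIdentity;
        if (caller != null && caller.IsAuthenticated && !caller.IsAnonymous && !caller.IsSystem)
            return true;
        caller = null;
        return false;
    }
}
```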
    