Blazor server app, .Net Core Data Api, SQL Server and Windows Authentication impersonate / pass credentials question


Question

I'm trying to pass the application user's credentials through from a Blazor App to the Data Api and then use these credentials for the SQL Server connection (Trusted_Connection=true) - is this even possible?

I've tried using

WindowsIdentity.RunImpersonatedAsync(((WindowsIdentity)user.Identity).AccessToken.... )

but this is displaying the IIS App Pool user once I deploy it to the server.

I was hoping to do this without an identity provider as it's all being deployed on-premise behind firewalls and will only run on Windows machines with logged in users. An identity provider in this instance seems like overkill ..... unless there is no other way.

Any help would be appreciated!

Thanks

Answer 1

Score: 1

Through my research I've discovered that this isn't possible as you want to have your IIS website running with an account of least privilege - so that it can't get access to the server or network where it shouldn't. This is why the recommendation is to run it with the Application Pool identity.

In my case I will pass the current user's Windows credentials identity (i.e. Active Directory ID) to the Data Api where it can pass it to the database to record in an audit field of the tables for all updates and new records, etc.

reference: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/understanding-identities

I hope this helps someone else trying to achieve the same thing.
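
One way to implement the audit approach described in the answer above, shown as an added example that is not the answerer's code: the Data API authenticates its direct caller with Windows authentication, accepts the end user's name only from the Blazor app's own account, and writes it to the audit column as a query parameter. The header name `X-End-User`, the account `CONTOSO\svc-blazor`, the table `dbo.Orders` with its columns, and the connection string name `Db` are all assumptions made for illustration.

```csharp
// Added example (ASP.NET Core minimal API). All names below are assumed, not from the post.
using System.Data;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);

// The Data API authenticates its direct caller (the Blazor server process), not the end user.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

const string TrustedCaller = @"CONTOSO\svc-blazor"; // assumed account the Blazor app pool runs as

app.MapPut("/orders/{id:int}/status", async (int id, string status, HttpContext ctx, IConfiguration cfg) =>
{
    // Only the Blazor app's own account may assert who the end user is.
    var caller = ctx.User.Identity?.Name;
    if (!string.Equals(caller, TrustedCaller, StringComparison.OrdinalIgnoreCase))
        return Results.StatusCode(StatusCodes.Status403Forbidden);

    // End user's AD name, set server-side by the Blazor app from its authenticated user.
    var endUser = ctx.Request.Headers["X-End-User"].ToString();
    if (string.IsNullOrWhiteSpace(endUser) || endUser.Length > 128)
        return Results.BadRequest("missing or invalid end-user name");

    // SQL Server is reached as the API's app pool identity; the user name is data only.
    await using var conn = new SqlConnection(cfg.GetConnectionString("Db"));
    await conn.OpenAsync();
    await using var cmd = new SqlCommand(
        "UPDATE dbo.Orders SET Status = @status, ModifiedBy = @user, " +
        "ModifiedAtUtc = SYSUTCDATETIME() WHERE Id = @id", conn);
    cmd.Parameters.Add("@status", SqlDbType.NVarChar, 32).Value = status;
    cmd.Parameters.Add("@user", SqlDbType.NVarChar, 128).Value = endUser;
    cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
    var rows = await cmd.ExecuteNonQueryAsync();
    return rows == 1 ? Results.NoContent() : Results.NotFound();
}).RequireAuthorization();

app.Run();
```

Because the audit value is asserted by the caller rather than proven by Windows, the check on the calling account is what keeps other domain users from writing arbitrary names into `ModifiedBy`.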

huangapple
  • Published on May 11, 2023 at 14:59:49
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76224884.html