IIS7 Impersonation无法访问TFS存储库

时间:2012-03-14 03:51:16

标签: asp.net iis-7 tfs windows-server-2008 impersonation

我正在尝试构建一个在TFS中添加工作项的ASP.NET页面。

我启用了模拟和Windows身份验证:

<authentication mode="Windows" />
<identity impersonate="true" password="" userName="" />
<customErrors mode="Off" />

在页面中,我访问TFS并尝试添加工作项:

TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
WorkItemStore store = prjCollection.GetService<WorkItemStore>();
...

但是,只有在 ASP.NET模拟中选择 SpecificUser 并存储凭据时,它才有效。选择经过身份验证的用户时,它不起作用。

我已经检查过SpecificUser与Authenticated的相同,但在后一种情况下我得到了权限错误(这表明模拟无法正常工作)。

TF30063: You are not authorized to access XXX. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at     Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.AsyncWebRequest.ExecRequest(Object obj)
   --- End of inner exception stack trace ---
   at     Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ProcessHttpResponse(HttpWebResponse response, Stream responseStream, WebException webException, XmlReader& xmlResponseReader)
   at Microsoft.TeamFoundation.Client.TeamFoundationClientProxyBase.ExecWebServiceRequest(HttpWebRequest request, XmlWriter requestXml, String methodName, HttpWebResponse& response)
   at Microsoft.TeamFoundation.Framework.Client.LocationWebService.Connect(Int32 connectOptions, ServiceTypeFilter[] serviceTypeFilters, Int32 lastChangeId)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.Connect(ConnectOptions connectOptions)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.EnsureConnected(ConnectOptions optionsNeeded)
   at Microsoft.TeamFoundation.Framework.Client.FrameworkServerDataProvider.get_InstanceId()
   at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.InitializeInternal()
   at Microsoft.TeamFoundation.Client.TfsTeamProjectCollection.InitializeTeamFoundationObject(String fullName, Object instance)
   at Microsoft.TeamFoundation.Client.TfsConnection.CreateServiceInstance(Assembly assembly, String fullName)
   at Microsoft.TeamFoundation.Client.TfsConnection.GetService(Type serviceType)
   at Microsoft.TeamFoundation.Client.TfsConnection.GetService[T]()
   at ASP.index_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer)

以下变量在两种情况下都是相同的:

HttpContext.Current.Request.LogonUserIdentity.Name
HttpContext.Current.Request.IsAuthenticated
HttpContext.Current.User.Identity.Name
System.Environment.UserName
System.Security.Principal.WindowsIdentity.GetCurrent().Name

有什么想法吗?

修改

实际上,正如John在下面提到的,问题是由 Kerberos委派引起的。

Kerberos Delegation

我发现以下文章和随附的工具在解释和减轻这个问题时非常有用:

DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues

Kerberos Delegation Check

3 个答案:

答案 0 :(得分:7)

我认为您可能遇到"double hop"问题。

答案 1 :(得分:2)

基于this文章,值得一提的是EnsureAuthenticated(); 

TfsTeamProjectCollection prjCollection = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri("xxx"));
prjCollection.EnsureAuthenticated();
WorkItemStore store = prjCollection.GetService<WorkItemStore>();

我从来没有尝试过这个,所以我只希望它会起作用。

答案 2 :(得分:0)

运行的IIS应用程序的应用程序池是谁?默认情况下,我认为它是IIUSR帐户之一,不一定是具有TFS服务器凭据的域帐户。

相关问题
最新问题