这是所需的设置:
我们目前能够使用 Windows 身份验证对客户端进行身份验证,但使用模拟
<identity impersonate="true" userName="OurCompany\Me" password="Blahblahblah" />
因为该网站将使用“ASPNET”作为用户名,而该用户名不在域中。
由于安全问题,我们现在想放弃这种方法;我们不想在 DMZ 上公开此类信息。
有什么方法可以在不使用客户端配置的模拟的情况下正确进行身份验证?
如果我们更改为使用证书身份验证,是否会影响需要模拟的服务操作(例如,需要模拟以访问网络上的文件)?
谢谢。
This has been resolved now, and I think it'd be constructive to share the solutions.
In terms of my original question - whether it's able to do impersonation without setting it explicitly in the config or in the front end code. As mentioned by the above, the App Pool method does work, but only when both the client and server are on the same domain.
Since the web site client being situated in the DMZ has no access of the local network at all, meaning we are unable to impersonate any network user (this is a flaw in my original question, saying the impersonation works - it was actually not working).
So the only way to go was using certificate. Since this is internal communications, I have generated a test certificate on each of the server / client sides with the makecert. Using peer trust certificate authentications, I am able to get the communication working between the client and the server. This will ensure that no Windows / network user account information is presented in the DMZ zone.