I am hosting CassiniDev 4.0 in my Windows service running an MVC 3.0 configuration site for my service.
I have the web.config set up to use Windows authentication. When I look at the HttpContext.User in the web site, it shows the identity that the service is running under, not the identity of the user making the request. The User.AuthenticationType is NTLM, which is correct, BTW.
This seems pretty clearly to be a bug, but wanted to run it by the community to see if there is some configuration I am missing.
It seems like it might be a variation on this issue posted last week:
This is definitely a bug in Cassini Dev. It looks like this method is returning the wrong token: Request.GetUserToken(). The code:

And here _host.GetProcessToken() is a pointer to a security token belonging to the user who owns the Cassini process, it is not the token belonging to the user that's logged in. What needs to happen is the NtlmAuth object needs to pass the security token back to the Request object so that it can be returned when this method is called instead of the host's token. Not really sure what the best way to do this is but you can see in the NtlmAuth class, the security token is acquired here:

phToken is the security token but it needs to get back to the Request object and not call Interop.CloseHandle(phToken); later in that method, where it frees the token. Note that CloseHandle() needs to be called on the token eventually, otherwise a new one will be issued for every request made by a logged in user but unused ones will never get freed. One possible place to do this is in the Request object, which subclasses SimpleWorkerRequest and you can override the EndOfRequest method to call CloseHandle() on the security token.
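Added example, not part of the original answer and not CassiniDev's own code: a sketch of the token hand-off the answer describes, in which the request object takes ownership of the authenticated user's token and releases it exactly once at the end of the request. The class name `TokenOwningRequest`, the method `AttachUserToken`, and the constructor's `processToken` parameter are hypothetical; falling back to the process token when no user token was attached is an assumption about how unauthenticated requests should behave.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
using System.Web.Hosting;

// Hypothetical class (not CassiniDev's Request): shows only the token hand-off.
public sealed class TokenOwningRequest : SimpleWorkerRequest
{
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr handle);

    private readonly IntPtr _processToken; // owned by the host, never closed here
    private IntPtr _userToken;             // owned by this request once attached

    public TokenOwningRequest(string page, string query, TextWriter output,
                              IntPtr processToken)
        : base(page, query, output)
    {
        _processToken = processToken;
    }

    // Called by the NTLM handshake code with the token it acquired,
    // in place of closing the handle inside the handshake method.
    public void AttachUserToken(IntPtr phToken)
    {
        IntPtr previous = Interlocked.Exchange(ref _userToken, phToken);
        if (previous != IntPtr.Zero && previous != phToken)
            CloseHandle(previous); // do not leak a token attached earlier
    }

    // ASP.NET builds HttpContext.User from this token.
    public override IntPtr GetUserToken()
    {
        IntPtr token = _userToken;
        // Assumption: requests with no authenticated user keep the host's token.
        return token != IntPtr.Zero ? token : _processToken;
    }

    public override void EndOfRequest()
    {
        try { base.EndOfRequest(); }
        finally
        {
            // Swap to zero first so a second EndOfRequest cannot double-close.
            IntPtr token = Interlocked.Exchange(ref _userToken, IntPtr.Zero);
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```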