Tridion CoreService Authentication/Impersonation

问题

I have developed a .Net Library that uses the Core Service. This library is called from VBScript from a Workflow Automated Decision and uses Core Service to perform some activities related to that workflow process.

I was able to successfully connect to the service using a service account we have for Tridion:

CoreServiceClient client = new CoreServiceReference.CoreServiceClient(
                                                       binding, endpoint);
client.ChannelFactory.Credentials.Windows.ClientCredential = 
        new NetworkCredential(serviceAccountUsername, serviceAccountPassword);
client.ChannelFactory.Credentials.Windows.AllowedImpersonationLevel = 
        System.Security.Principal.TokenImpersonationLevel.Delegation;

With the relevant binding attributes set as the following:

binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = 
        HttpClientCredentialType.Windows;

The problem I am having is that when I make calls to the Core Service, I am getting the following Tridion Content Manager error on the CMS box:

Access is denied for the user NT AUTHORITY\NETWORK SERVICE.

How can I configure my client so that the operations are performed using the Tridion service account instead of NT AUTHORITY\NETWORK SERVICE?

回答1:

If you want to run under a service account, you should probably be using a SessionAwareCoreServiceClient and then impersonate the account you want to use.

var client = new SessionAwareCoreServiceClient(binding, endpoint);
client.Impersonate("Administrator");

But since most of my Core Service clients are actually meant to run on a different machine, I can't use Impersonate (at least not without introducing a huge security leak), so instead I initialize my clients like this:

var client = ...
var credentials = CredentialCache.DefaultNetworkCredentials;
if (!string.IsNullOrWhiteSpace(userName) && !string.IsNullOrWhiteSpace(password))
{
    credentials = new NetworkCredential(userName, password);
}
client.ChannelFactory.Credentials.Windows.ClientCredential = credentials;

来源：https://stackoverflow.com/questions/12044338/tridion-coreservice-authentication-impersonation