Run a service as an Active Directory user or group

On a Windows Server standalone cluster, you can run a service as an Active Directory user or group by using a RunAs policy. By default, Service Fabric applications run under the account that the Fabric.exe process runs under. Running applications under different accounts, even in a shared hosted environment, isolates them from one another. Note that this uses on-premises Active Directory within your domain, not Azure Active Directory (Azure AD). You can also run a service as a group Managed Service Account (gMSA).

By using a domain user or group, the service can access other resources in the domain (for example, file shares) to which that user or group has been granted permissions.

The following example shows an Active Directory user called TestUser whose domain password is encrypted with a certificate called MyCert. You can use the Invoke-ServiceFabricEncryptText PowerShell command to create the secret cipher text. See Managing secrets in Service Fabric applications for details.

The private key of the certificate used to decrypt the password must be deployed to the local machine by an out-of-band method (in Azure, via Azure Resource Manager). Then, when Service Fabric deploys the service package to the machine, it can decrypt the secret and, together with the user name, authenticate with Active Directory to run under those credentials.

<Principals>
  <Users>
    <User Name="TestUser" AccountType="DomainUser" AccountName="Domain\User" Password="[Put encrypted password here using MyCert certificate]" PasswordEncrypted="true" />
  </Users>
</Principals>
<Policies>
  <DefaultRunAsPolicy UserRef="TestUser" />
  <SecurityAccessPolicies>
    <SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="TestUser" GrantRights="Full" ResourceType="Certificate" />
  </SecurityAccessPolicies>
</Policies>
<Certificates>
  <!-- Declares the certificate referenced as MyCert above; the thumbprint is a placeholder to fill in -->
  <SecretsCertificate X509FindValue="[Thumbprint of MyCert]" Name="MyCert" />
</Certificates>
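The following PowerShell script is an added example, not part of the original article or of the Service Fabric SDK. It encrypts the domain password with the Invoke-ServiceFabricEncryptText cmdlet named above (certificate-store parameter set), places the cipher text in a constructed manifest of the same shape as the snippet, and then checks the manifest for the mistakes that make a RunAs deployment fail or leak the password: a DomainUser whose Password is not marked encrypted, a DefaultRunAsPolicy or SecurityAccessPolicy that references an undeclared user or certificate, and, with -CheckLocalStore, a decryption certificate whose private key is absent from LocalMachine\My on the node (the out-of-band step described above). The thumbprint value, the ApplicationTypeName and the Test-RunAsManifest function name are assumptions.

```powershell
# Added example (not from the article or the Service Fabric SDK).
# Assumptions: the MyCert private key is installed in LocalMachine\My and the
# placeholder thumbprint below is replaced with its real thumbprint.
$certThumbprint = '[THUMBPRINT-PLACEHOLDER]'

# 1. Create the cipher text. The password is read as a SecureString so it never
#    appears in the script file or the console history.
$securePassword = Read-Host -Prompt 'Domain password for Domain\User' -AsSecureString
$plainPassword  = [System.Net.NetworkCredential]::new('', $securePassword).Password
$cipherText = Invoke-ServiceFabricEncryptText -CertStore -CertThumbprint $certThumbprint `
                  -StoreLocation LocalMachine -StoreName My -Text $plainPassword
$plainPassword = $null   # drop the clear-text copy as soon as it is no longer needed

# 2. Constructed manifest (same shape as the article's snippet) with the cipher text inserted.
#    ApplicationTypeName and ApplicationTypeVersion are sample values.
$manifestXml = @"
<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric" ApplicationTypeName="MyAppType" ApplicationTypeVersion="1.0.0">
  <Principals>
    <Users>
      <User Name="TestUser" AccountType="DomainUser" AccountName="Domain\User" Password="$cipherText" PasswordEncrypted="true" />
    </Users>
  </Principals>
  <Policies>
    <DefaultRunAsPolicy UserRef="TestUser" />
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="TestUser" GrantRights="Full" ResourceType="Certificate" />
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <SecretsCertificate X509FindValue="$certThumbprint" Name="MyCert" />
  </Certificates>
</ApplicationManifest>
"@

# 3. Pre-deployment consistency check. Returns a list of findings; an empty list means
#    the RunAs configuration is internally consistent.
function Test-RunAsManifest {
    param(
        [Parameter(Mandatory)][xml]$Manifest,
        [switch]$CheckLocalStore   # also verify the decryption key is present on this node
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # GetElementsByTagName matches the unprefixed element name, so the fabric default
    # namespace does not get in the way. GetAttribute avoids the XmlElement.Name clash.
    $users = @($Manifest.GetElementsByTagName('User'))
    $certs = @($Manifest.GetElementsByTagName('SecretsCertificate'))
    $userNames = @($users | ForEach-Object { $_.GetAttribute('Name') })
    $certNames = @($certs | ForEach-Object { $_.GetAttribute('Name') })

    foreach ($u in $users) {
        # A DomainUser with a Password that is not flagged encrypted ships the secret in clear text.
        if ($u.GetAttribute('AccountType') -eq 'DomainUser' -and $u.HasAttribute('Password') -and
            $u.GetAttribute('PasswordEncrypted') -ne 'true') {
            $findings.Add("User '$($u.GetAttribute('Name'))' has a Password attribute but PasswordEncrypted is not 'true'.")
        }
    }

    foreach ($policy in @($Manifest.GetElementsByTagName('DefaultRunAsPolicy'))) {
        $ref = $policy.GetAttribute('UserRef')
        if ($ref -notin $userNames) {
            $findings.Add("DefaultRunAsPolicy UserRef '$ref' does not match any declared User.")
        }
    }

    foreach ($sap in @($Manifest.GetElementsByTagName('SecurityAccessPolicy'))) {
        $principal = $sap.GetAttribute('PrincipalRef')
        $resource  = $sap.GetAttribute('ResourceRef')
        if ($principal -notin $userNames) {
            $findings.Add("SecurityAccessPolicy PrincipalRef '$principal' does not match any declared User.")
        }
        if ($sap.GetAttribute('ResourceType') -eq 'Certificate' -and $resource -notin $certNames) {
            $findings.Add("SecurityAccessPolicy ResourceRef '$resource' does not match any declared SecretsCertificate.")
        }
    }

    if ($CheckLocalStore) {
        foreach ($c in $certs) {
            $thumb = $c.GetAttribute('X509FindValue')
            $match = Get-ChildItem -Path Cert:\LocalMachine\My |
                     Where-Object { $_.Thumbprint -eq $thumb -and $_.HasPrivateKey }
            if (-not $match) {
                $findings.Add("Certificate '$($c.GetAttribute('Name'))' ($thumb) has no private key in LocalMachine\My on this node; the RunAs password cannot be decrypted here.")
            }
        }
    }
    return $findings
}

$findings = Test-RunAsManifest -Manifest ([xml]$manifestXml) -CheckLocalStore
if ($findings.Count -eq 0) { 'RunAs configuration is consistent.' } else { $findings }
```

Run the check on every node that will host the service, since the private key must be present on each of them; a manifest that passes on the build machine but fails the LocalStore check on a node is the most common cause of the service failing to start under the RunAs account.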

Note

If you apply a RunAs policy to a service and the service manifest declares endpoint resources with the HTTP protocol, you must also specify a SecurityAccessPolicy. For more information, see Assign a security access policy for HTTP and HTTPS endpoints.

As a next step, read the following articles: