从 IIS 控制远程服务器上的服务
请注意:在下面描述的每个步骤中,我都以同一域用户帐户登录。
我有一个 Web 应用程序,用于控制远程计算机上的服务(通过 ServiceController)。 当我远程连接到网站并尝试控制服务时,我收到 InvalidOperationException:访问被拒绝。
我知道它可以工作,因为当我从网络服务器连接到网站时(远程桌面,以我的域用户身份登录,然后打开网页),它按预期工作。
我已将 IIS 和 ASP.NET 配置为需要 Windows 身份验证和模拟。 当失败时,我会记录当前线程的主体,并且我会看到该线程正在以我的身份运行,无论我是远程连接还是从服务器本身连接。
我尝试强制 IIS 使用 Kerberos 身份验证、NTLM 身份验证以及同时使用两者; 我的委托人将其 AuthenticationType 报告为“Negotiate”还是“NTLM”并不重要。 当我远程连接(从本地计算机)时,它们都不起作用。
另一个奇怪的事情是,如果我从本地计算机/连接到远程服务器调试,它每次都会起作用! 但我没有调试,每次都失败!
这里到底发生了什么?
Please note: In each step I describe below I'm logged in as the same domain user account.
I have a web application that controls a service on a remote machine (via ServiceController). When I connect to the website remotely and attempt to control the service, I get an InvalidOperationException: Access is denied.
I know it CAN work, because when I connect to the website from the web server (remote desktop in, login as my domain user, then open the webpage), it works as expected.
I have configured IIS and ASP.NET to require windows authentication and impersonation. I log the current thread's principal when this fails, and I see that the thread is running under my identity whether I'm connecting remotely or from the server itself.
I have tried forcing IIS to use Kerberos authentication, NTLM authentication and both at the same time; whether my principal reports its AuthenticationType as "Negotiate" or "NTLM" it doesn't matter. None of them work when I connect remotely (from my local machine)
ANOTHER weird thing about this is that if I'm debugging from my local machine/connecting to the remote server, it works every time! But I'm NOT debugging, it fails every time!
What in the heck could be going on here?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您的场景是委托而不是模拟。 授权是很难实现的,它取决于许多事情是否做得正确。
可以从 Kerberos 身份验证和故障排除委派问题
David Wang 博客 是关于数千个问题的非常有用的资源。
Your scenario is delegation and not impersonation. Delegation is hard to achieve and it depends on many thing that are done right.
A place to start would be Kerberos authentication and troubleshooting delegation issues
David Wang blog is a very useful resource on thous issues.
“另一个奇怪的事情是,如果我从本地计算机进行调试/连接到远程服务器,它每次都会工作!但我没有调试,它每次都会失败!”
这清楚地表明您存在权限问题。 当您在调试器中运行时,您将以登录用户身份运行;当您不进行调试时,它将以 IIS 设置使用的任何内容运行(默认为网络服务)。 尝试设置(暂时!)使用您的域帐户作为用户启用匿名访问,看看是否有效。 如果确实如此,则意味着您的 IIS 未正确设置以进行模拟(并且它可能作为网络服务运行)。
IIS 中的权限可能需要一些c才能正确调整...
祝你好运!
P/S:这看起来更像是一个网络管理问题,而不是一个编程问题(请参阅https://stackoverflow.com/questions/321618/stackoverflow-is-for-programming-questions-here-are-some-better-forums-for-your#321756< /a>)
"ANOTHER weird thing about this is that if I'm debugging from my local machine/connecting to the remote server, it works every time! But I'm NOT debugging, it fails every time!"
That's a clear indication that you have permission issues. When you run in the debugger you're running as the logged on user, when you're not debugging it runs as whatever IIS is set to use (NETWORK SERVICE by default). Try setting (temporarily!) the Enable anonymous access using your domain account as the user and see if that works. If it does then it means your IIS is not setup properly to impersonate (and it's probably running as NETWORK SERVICE).
Permissions in IIS can be a bitch to fine tune properly...
Good luck!
P/S: This looks more like a network administration question than a programming one (see https://stackoverflow.com/questions/321618/stackoverflow-is-for-programming-questions-here-are-some-better-forums-for-your#321756)