当我尝试从在 IIS 5.1 下运行的 C# 应用程序连接到远程 IIS 6 服务器时,我收到“Access Deined”COMException。
有任何想法吗? 我遇到了与原始问题相同的问题。
更新 - 2009 年 4 月 1 日
我找到了这个解决方案 (http ://www.codeproject.com/KB/cs/Start_Stop_IIS_Website.aspx),由连接到 IIS 服务器以启动和停止网站的窗口应用程序组成。 我能够在我的工作站上运行它并连接到 IIS 服务器。
呃......为什么我可以运行这个独立的应用程序,但不能运行我的 ASP.NET 应用程序?
原始
当我尝试使用 DirectoryEntry.Exist 方法从远程计算机连接到 IIS 以检查 IIS 服务器是否有效时,我收到“访问被拒绝”COMException。
string path = string.Format("IIS://{0}/W3SVC", server);
if(DirectoryEntry.Exist(path))
{
//do something is valid....
}
我是 Active Directory 组的成员,该组已添加到我尝试连接的 IIS 服务器的管理员组中。
有谁经历过这个问题并知道如何解决它?
更新:
@Kev - 这是一个 ASP.NET 应用程序。 另外,我可以通过 IIS6 管理器连接到远程服务器,无需用户名和密码。
@Chris - 我正在尝试连接到远程服务器以显示虚拟目录的数量并确定每个目录的 .NET Framework 版本。 请参阅这个所以问题。
@dautzenb - 我的 ASP.NET 应用程序在 IIS 5.1 下运行,尝试连接到 IIS 6 服务器。 我可以在远程服务器上本地 ASPNET 帐户的安全日志中看到故障审核。 当我尝试调试应用程序时,我在我的域帐户下运行,但仍然收到“访问被拒绝”的消息。
更新2:
@Kev - 我能够使用以下重载来创建DirectoryEntry对象:
public DirectoryEntry
(
string path,
string username,
string password
)
但是,所有属性都包含“引发了类型为'System.Runtime.InteropServices.COMException的异常” '”当我调试应用程序时。
此外,AuthenticationType 属性设置为 Secure。
更新 3:
每次我尝试建立连接时,远程 IIS 服务器的安全事件日志中都会出现以下两个失败审核条目:
第一个事件:
事件类别:帐户登录
事件 ID:680
记录尝试:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
登录帐号:ASPNET
源工作站:
错误代码:0xC0000234
第二个事件:
事件类别:登录/注销
事件 ID:529
登录失败:
原因:用户名未知或密码错误
用户名:ASPNET
域:(我的域)
登录类型:3
登录过程:NtLmSsp
身份验证包:NTLM
工作站名称:(MyWorkstationId)
呼叫者用户名:-
调用者域:-
来电登录 ID:-
调用者进程 ID:-
中转服务:-
源网络地址:10.12.13.35
源端口:1708
模拟设置为 true,用户名和密码为空。 它使用远程 IIS 服务器上的 ASPNET 帐户。
I receive an "Access Deined" COMException when I try to connect to a remote IIS 6 server from my C# application that is running under IIS 5.1.
Any ideas? I am experiencing all the same issues with the original questions.
Update - 4/1/09
I found this solution (http://www.codeproject.com/KB/cs/Start_Stop_IIS_Website.aspx) that consists of a window application connecting to an IIS server to start and stop web sites. I am able to run it on my workstation and connect to the IIS server.
Ugh....why can I run this stand alone application but not my ASP.NET application?
Original
I receive an "Access Denied" COMException when I try to connect to IIS from a remote machine using the DirectoryEntry.Exist method to check to see if the IIS server is valid.
string path = string.Format("IIS://{0}/W3SVC", server);
if(DirectoryEntry.Exist(path))
{
//do something is valid....
}
I am a member of an active directory group that has been added to the Administrators groups to the IIS server I am trying to connect to.
Has anyone experience this issue and know how to resolve it?
UPDATE:
@Kev - It is an ASP.NET application. Also, I can connect without an username and password to the remote server through IIS6 Manager.
@Chris - I am trying to connect to the remote server to display the number of virtual directorys and determine the .NET framework version of each directory. See this SO question.
@dautzenb - My ASP.NET application is running under IIS 5.1 trying to connect to an IIS 6 server. I can see fault audits in the security log for my local ASPNET account on the remote server. When I try to debug the application, I am running under my domain account and still get the Access is denied.
UPDATE 2:
@Kev - I was able to establish to create a DirectoryEntry object using the following overload:
public DirectoryEntry
(
string path,
string username,
string password
)
But, all of the properties contain a " threw an exception of type 'System.Runtime.InteropServices.COMException'" while I debug the app.
Also, the AuthenticationType property is set to Secure.
UPDATE 3:
The following two failure audit entries were in the remote IIS server's security event log every time I tried to establish a connection:
First event:
Event Category: Account Logon
Event ID: 680
Log attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ASPNET
Source Workstation:
Error Code: 0xC0000234
Second event:
Event Category: Logon/Logoff
Event ID: 529
Logon Failure:
Reason: Unknown user name or bad password
User Name: ASPNET
Domain: (MyDomain)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: (MyWorkstationId)
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.12.13.35
Source Port: 1708
Impersonation is set to true and the username and password are blank. It is using the ASPNET account on the remote IIS server.
发布评论
评论(8)
您到底想在哪里阅读? 它与您的应用程序位于同一路径下吗?
Where exactly are you trying to read too? Is it in under the same path as your application?
当我遇到这个问题时,我发现只需在 Windows 文件共享上验证自己的身份就可以解决问题。 根据经验,我认为 WMI/ADSI/COM 对于尚未经过身份验证的用户没有很好的支持。 我相信当您未与 Windows 域关联时会出现此问题。
When I had this problem, I found that simply authenticating my self on a Windows file share solved the problem. From experience, I think that WMI/ADSI/COM doesn't have great support for not-already-authenticated users. I believe this issue occurs when you're not associated with a Windows domain.
如果确实是 NTLM 双跳问题,您可以使用 SETSPN 实用程序为目标 IIS 服务器创建服务主体命名实例。
然后,您可以进入 Active Directory,然后允许计算机对象(基本上是网络服务或本地服务主体)将其凭据委托给正确注册的 SPN。
然后你就可以到处跳啦! 但是,请注意! 当您启用双跳时,人们可能会被尖锐的东西弄伤自己!
值得一读的优秀知识库文章:
http://support.microsoft.com/kb/929650
If it is indeed a NTLM doublehop issue you could use the SETSPN utility to create service principal named instances for your target IIS servers.
Then you could go into Active Directory, and then allow the computer object (basically the NETWORK SERVICE or LOCAL SERVICE principals) to delegate its credentials to a correctly registered SPN.
Then you could hop-hop-hop all over the place! But, be warned! People can hurt themselves on sharp pointy things when you enable double-hop!
Good KB articles to read:
http://support.microsoft.com/kb/929650
我相信 DirectoryEntry.Exists 默默地忽略提供的任何凭据并使用经过身份验证的用户的凭据。 这似乎符合您所描述的行为。 对于 AD 工作,我们从不使用它,因为这个原因。
I believe that DirectoryEntry.Exists silently ignores any credentials supplied and uses the creds of the authenticated user. This seems to match the behaviour you've described. For AD work, we never use it for this reason.
我现在有点困惑为什么你不能让这个工作。 您可以尝试一下临时解决办法。 实例化
DirectoryEntry对象时,您可以使用以下构造函数重载之一:记录于:MSDN:DirectoryEntry 构造函数(字符串、字符串、字符串)
...或...
记录于:MSDN: DirectoryEntry 构造函数 (String, String, String, AuthenticationTypes)
碰巧我正在我的虚拟服务器上为新的虚拟服务器构建一个测试 AD 环境项目做类似的事情。 当我启动并运行它时,我会尝试一下,看看是否可以重现您遇到的问题。 同时让我们知道如果您尝试上面引用的这些构造函数重载会发生什么。
更新(回答 Michaels 的评论):
由于我刚才回避的原因,我们无法在特定场景中使用
DirectoryEntry.Exists(),有这个片段在我们的一个应用程序中时不时被调用的代码的数量:您可以将构造函数替换为上面的构造函数之一。 诚然,这是在黑暗中刺伤:)。
I'm sort of stumped at the moment as to why you can't get this working. There is a temporary work around you could try. When instantiating the
DirectoryEntryobject you could use one of the following constructor overloads:Documented at: MSDN: DirectoryEntry Constructor (String, String, String)
...or...
Documented at: MSDN: DirectoryEntry Constructor (String, String, String, AuthenticationTypes)
As it happens I'm building a test AD environment on my virtual server box for a new project to do similar stuff. When I get it up and running I'll have a play around to see if I can reproduce the problem you're encountering. In the meantime let us know what happens if you try these constructor overloads referenced above.
Update (In answer to Michaels comment):
For reasons that evade me just now, we couldn't use
DirectoryEntry.Exists()in a particular scenario, there is this snippet of code that gets called now and again in one of our apps:You could replace the constructor with one of the ones from above. Admittedly it's a stab in the dark :).
如果是身份问题,您可以尝试将 IIS 5.1 应用程序设置为使用 集成 Windows 身份验证,然后将以下内容添加到 IIS5.1 网站上的 web.config 下的 system.web 以启用 模拟。
If it is an identity problem, you could try setting your IIS 5.1 application to use Integrated Windows Authentication, and then add the following to you web.config on your IIS5.1 web site under system.web to enable impersonation.
由于这是一个 ASP.NET 应用程序,因此它在 IIS 的应用程序池中运行。 此应用程序池使用特定用户(“本地系统”、“网络服务”或其他用户)运行。
该用户是否有足够的权限连接到远程服务器?
有关详细信息,请参阅 MSDN。
Since this is an ASP.NET application, it runs in an Application Pool of IIS. This Application Pool runs using a specific user("Local System", "Network Service" or another user).
Does this user have enough rights to connect to a remote server ?
See MSDN for more info.
这看起来可能是双跳问题。 如果您使用 NTLM 模拟网站的当前用户,则该模拟仅在该服务器(本例中为 IIS 5.1 服务器)上有效。 如果您尝试使用该网站连接到另一台服务器,实际上会遇到问题,因为它无法将令牌传递到模拟期间使用的另一台服务器。 如果您通过计算机调试站点并转到另一个盒子,情况也是如此。 您的本地计算机正在对您进行身份验证,但它无法在另一台服务器上冒充您。
我过去使用的所有解决方案都要求您对应用程序池进行硬编码以使用具有权限的帐户,设置 annony。 帐户到在另一台计算机上具有权限的域帐户,或者使用在 IIS 5.1 计算机上运行的 Windows 服务(在域帐户下)连接到另一台服务器。
如果您使用 Kerberos,则不适用,但 AD 默认情况下使用 NTLM。
This looks like it may be a double-hop issue. If you are impersonating the current user of a website using NTLM, that impersonation is only valid on that server (your IIS 5.1 server in this case). If you try to connect to another server using the web site, you are actually going to have issues as it cannot pass the token to another server that was used during impersonation. The same is true if you are debugging your site through your machine, going to another box. Your local machine is authenticating you, but it cannot impersonate you to another server.
All of the solutions I have used in the past require you to hard code the app pool to use an account that has permissions, set the annony. account to a domain account with permissions on the other machine, or use a windows service running on the IIS 5.1 machine, under a domain account, to connect to the other server.
If you are using Kerberos, this wouldn't apply, but AD uses NTLM by default.