ADSI / IIS 管理和 ASP.NET 模拟
我正在编写一个小型 Web 应用程序,它允许我管理网络上不同服务器上的多个 IIS 安装。 我们没有域控制器。
我编写了一个小型模拟控制器,它使用 win32 api 及其 LogonUser 方法。 然后,我使用 System.DirectoryServices 和 IIS ADSI 提供程序创建一个新站点。
我有以下例程(用明文字符串交换一些值以获得更好的可读性):
if (impersonationSvc.ImpersonateValidUser("Administrator@SRV6", String.Empty, "PASSWORD))
{
string metabasePath = "IIS://" + server.ComputerName + "/W3SVC";
DirectoryEntry w3svc = new DirectoryEntry(metabasePath, "Administrator", "PASSWORD");
string serverBindings = ":80:" + site.HostName;
string homeDirectory = server.WWWRootNetworkPath + "\\" + site.FolderName;
object[] newsite = new object[] { site.Name, new object[] { serverBindings }, homeDirectory };
object websiteId = (object)w3svc.Invoke("CreateNewSite", newsite);
int id = (int)websiteId;
impersonationSvc.UndoImpersonation();
}
当我使用托管 Web 应用程序的服务器 (SRV6) 时,此例程有效。 一个新站点已创建。
例如,如果我使用 SRV5,我们网络上的另一台服务器(没有域),ImpersonateValidUser 可以工作,DirectoryEntry 已创建,但 w3svc.Invoke 失败并出现以下错误:
[COMException (0x80070005): 访问被拒绝]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +377678
System.DirectoryServices.DirectoryEntry.Bind() +36
System.DirectoryServices.DirectoryEntry.get_NativeObject() +31
System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args) +53
...
有人知道我该如何解决这个问题吗?
I'm in the process of writing a small web app that would allow me to manage several IIS installations on different servers on our network. We have no domain controller.
I have written a small impersonation controller that uses the win32 api and its LogonUser method. I then use System.DirectoryServices and the IIS ADSI provider to create a new site.
I have the following routine (exchanged some values with clear-text strings for better readability):
if (impersonationSvc.ImpersonateValidUser("Administrator@SRV6", String.Empty, "PASSWORD))
{
string metabasePath = "IIS://" + server.ComputerName + "/W3SVC";
DirectoryEntry w3svc = new DirectoryEntry(metabasePath, "Administrator", "PASSWORD");
string serverBindings = ":80:" + site.HostName;
string homeDirectory = server.WWWRootNetworkPath + "\\" + site.FolderName;
object[] newsite = new object[] { site.Name, new object[] { serverBindings }, homeDirectory };
object websiteId = (object)w3svc.Invoke("CreateNewSite", newsite);
int id = (int)websiteId;
impersonationSvc.UndoImpersonation();
}
This routine works when I use the server the web app is hosted on (SRV6). A new site is created.
If I use SRV5 for instance, another Server on our network (with no domain), ImpersonateValidUser works, the DirectoryEntry is created, but w3svc.Invoke fails with the following error:
[COMException (0x80070005): Access denied]
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +377678
System.DirectoryServices.DirectoryEntry.Bind() +36
System.DirectoryServices.DirectoryEntry.get_NativeObject() +31
System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args) +53
...
Anyone knows how I could solve this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我会查看 SRV5 的事件日志,以检查连接到该服务器时使用的权限。 您可能需要更改组策略以在安全日志中记录故障。
在服务器上设置 Web 服务听起来更容易,最好通过登录和/或 IP 限制进行保护,以执行此类操作。
I would look into the eventlog of SRV5 to check what privileges are used when you connect to that server. You may need to change your group policies to log failures in the security log.
It sounds easier to setup webservices on your servers, preferably protected by logins and/or ip restrictions, that does these kind of operations.
在这种情况下您不能使用模拟。 您模拟的帐户需要本地计算机上的登录权限。
如果您的 Web 服务器不是域的一部分,我认为 Tant102 的 Web 服务理念是您唯一的出路。
You cannot use impersonation in this situation. The account you are impersonating needs login priveleges on the local machine.
If your web servers are not part of a domain, I think Tant102's idea of web services is your only way to go.