Microsoft.Web.Administration.ServerManager 无法读取 applicationHost.config 中包含加密密码的配置部分
我在 IIS7 中有一些站点配置为作为域用户 (MYDOMAIN\someuser) 运行。
我正在使用 Microsoft.Web.Administration 命名空间来扫描我的服务器配置,但当我访问这些“模仿者”站点之一时,它会引发异常:
using (ServerManager sm = new ServerManager()) {
foreach (Site site in sm.Sites) {
foreach (Application app in site.Applications.Reverse()) {
foreach (VirtualDirectory vdir in app.VirtualDirectories.Reverse()) {
var config = app.GetWebConfiguration();
foreach (var locationPath in config.GetLocationPaths()) {
// error occurs in GetLocationPaths()
}
}
}
}
}
实际的错误消息是:
COMException was unhandled
Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 279
Error: Failed to decrypt attribute 'password' because the keyset does not exist
看来 IIS 正在存储 MYDOMAIN\someuser 密码在 applicationHost.config 中加密,这在安全性方面非常好 - 但我不知道如何让 ServerManager 解密它。
有关如何允许 ServerManager 解密此密码或仅告诉 IIS 以纯文本形式存储密码的任何提示?
顺便说一句,这是在 Windows 7 RC 下的 IIS7 上。
I have some sites in IIS7 that are configured to run as domain users (MYDOMAIN\someuser).
I'm using the Microsoft.Web.Administration namespace to scan my server configuration, but it's throwing an exception when I hit one of these "impersonator" sites:
using (ServerManager sm = new ServerManager()) {
foreach (Site site in sm.Sites) {
foreach (Application app in site.Applications.Reverse()) {
foreach (VirtualDirectory vdir in app.VirtualDirectories.Reverse()) {
var config = app.GetWebConfiguration();
foreach (var locationPath in config.GetLocationPaths()) {
// error occurs in GetLocationPaths()
}
}
}
}
}
The actual error message is:
COMException was unhandled
Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 279
Error: Failed to decrypt attribute 'password' because the keyset does not exist
It appears that IIS is storing the MYDOMAIN\someuser password encrypted in applicationHost.config, which is great in terms of security - but I have no idea how to get the ServerManager to decrypt this.
Any tips on how I can either allow ServerManager to decrypt this, or just tell IIS to store the passwords in plain text?
This is on IIS7 under Windows 7 RC, by the way.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
IIS 对在其架构中标记为“encrypted=true”的属性使用加密。 此外,在其架构中,它定义了用于加密的提供程序(请参阅 C:\Windows\System32\inetsrv\config\schema\IIS_Schema.xml),如果虚拟目录内有密码,则它使用在中定义的 AesProvider ApplicationHost.config 中的 configProtectedData 部分。
在那里,您将能够看到 KeyContainerName,您需要为您想要解密的任何帐户授予权限,出于安全原因,默认情况下仅包括管理员。
这引出了我的问题,如果您的代码失败,我猜测您已将 ApplicationHost.config 的访问权限授予非管理员用户,是这种情况吗?
如果是这样,那么我建议确保这不会给您的环境带来安全风险。
IIS uses encryption for attributes that are marked as "encrypted=true" in its schema. Also in its schema it defines the provider to use for the encryption (See C:\Windows\System32\inetsrv\config\schema\IIS_Schema.xml), in the case of password inside the Virtual Directory it uses the AesProvider which is defined in the section configProtectedData inside ApplicationHost.config.
In there you will be able to see the KeyContainerName that you need to grant permissions for whatever account you want to be able to decrypt, which for security reasons, by default only includes Administrators.
This leads me to my question, if your code is failing I would guess that you have granted access to ApplicationHost.config to a user that is not an Administrator, is that the case?
If that is, then I would suggest making sure this is not going to open security risks for your environment.