远程共享上的 IIS6 虚拟目录 500 错误
我们的服务器位于域中的服务器场中。我们称之为 LIVE。
我们的开发人员计算机位于一个完全独立的公司域中,相距数英里。我们称之为 CORP。
我们有一个大型中央存储单元 (unix),用于存放服务器场中许多网络服务器所需的图像和其他媒体。 IIS 应用程序池作为(比方说)LIVE\MediaUser 运行,并使用这些凭据作为虚拟目录连接到中央存储共享、检索图像并为它们提供服务,就像它们位于每台服务器上的本地一样。
问题出在发展上。
在我的开发机器上。我以 CORP\MyName 身份登录。我的 IIS 6 应用程序池作为网络服务运行。我无法以 LIVE 域的用户身份运行它,因为我的计算机没有(也不能)加入该域。
我尝试创建一个虚拟目录,将其指向同一网络目录,单击“连接为”,取消选中“验证对网络目录的访问权限时始终使用经过身份验证的用户凭据”复选框,以便我可以输入登录信息,输入凭据对于LIVE\MediaUser,单击“确定”,验证密码等。
这不起作用。我从 IIS 收到“HTTP 错误 500 - 内部服务器错误”。
IIS 日志文件报告 sc-status = 500、sc-substatus = 16 和 sc-win32-status = 1326。
文档表示这意味着“UNC 授权凭据不正确”,Win32 状态意味着“登录失败:未知的用户名”或密码错误。”
如果它接近准确的话,那就太好了。我仔细检查了一下。尝试了多个已知良好的登录。 IIS 管理器允许我在其窗口中查看文件树,只有浏览器将我踢出局。
我什至尝试进入虚拟目录的“目录安全”选项卡,在“身份验证和访问控制”下,我尝试使用相同的实时域用户名作为匿名访问凭据。运气不好。
我不想在虚拟目录之外运行任何 ASP、ASP.NET 或其他动态内容。我只希望 IIS 能够加载静态图像、css 和 js 文件。
如果有人有一些好主意,我将不胜感激!
We have our servers at the server farm in a domain. Let's call it LIVE.
Our developer computers live in a completely separate corporate domain, miles and miles away. Let's call it CORP.
We have a large central storage unit (unix) that houses images and other media needed by many webservers in the server farm. The IIS application pools run as (let's say) LIVE\MediaUser and use those credentials to connect to a central storage share as a virtual directory, retrieve the images, and serve them as if they were local on each server.
The problem is in development.
On my development machine. I log in as CORP\MyName. My IIS 6 application pool runs as Network Service. I can't run it as a user from the LIVE domain because my machine isn't (and can not be) joined to that domain.
I try to create a virtual directory, point it to the same network directory, click Connect As, uncheck the "Always use the authenticated user's credentials when validating access to the network directory" checkbox so that I can enter the login info, enter the credentails for LIVE\MediaUser, click OK, verify the password, etc.
This doesn't work. I get "HTTP Error 500 - Internal server error" from IIS.
The IIS log file reports sc-status = 500, sc-substatus = 16, and sc-win32-status = 1326.
The documentation says this means "UNC authorization credentials are incorrect" and the Win32 status means "Logon failure: unknown user name or bad password."
This would be all and good if it were anywhere close to accurate. I double- and trouble-checked it. Tried multiple known good logins. The IIS manager allows me to view the file tree in its window, it's only the browser that kicks me out.
I even tried going to the virtual directory's Directory Security tab, and under Authentication and Access Control, I tried using the same LIVE domain username for the anonymous access credential. No luck.
I'm not trying to run any ASP, ASP.NET, or other dynamic anything out of the virtual directory. I just want IIS to be able to load static images, css, and js files.
If anyone has some bright ideas I would be most appreciative!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我们也有同样的情况。正如上面的发帖人提到的,IIS 尝试使用 IUSER_XXXX 帐户来验证匿名访问,但该帐户需要在两台计算机上都存在。您仍然可以在不同的域中获得直通身份验证。
由于 NetLogon 处理域名的方式,这适用于远程 Windows 文件服务器 - 我不确定它是否适用于 Unix 服务器:
按照您的示例,您将在本地域中创建一个域用户('CORP \MediaUser'),其登录名和密码与“LIVE\MediaUser”帐户相同。然后,像之前一样使用“LIVE\MediaUser”凭据设置虚拟目录,但这次将“CORP\MediaUser”设置为该虚拟目录的匿名用户。然后它应该可以工作。
只要登录名和密码与远程帐户相同,这也适用于本地帐户(“MYMACHINE\MediaUser”)。
We have this same situation. As the above poster mentioned, IIS is trying to use the IUSER_XXXX account to authenticate for anonymous access, but that account needs to exist on the both machines. You can still get passthrough authentication working in separate domains.
This works with a remote Windows file server due to the way NetLogon processes domain names -- I'm not sure if it will work with a Unix server:
Following your example, you'd create a domain user in your local domain ('CORP\MediaUser') with the SAME logon name and password as the 'LIVE\MediaUser' account. Then, set up the virtual directory using the 'LIVE\MediaUser' credentials as you did before, but this time set up 'CORP\MediaUser' as the Anonymous User for that virtual directory. It should then work.
This will also work a local account ('MYMACHINE\MediaUser') so long as the logon name and password are the same as the remote account.
我的记忆是正确的,这取决于 IIS 身份验证所使用的用户帐户。如果虚拟目录设置为匿名,则根据 IIS 的版本,它将使用名为 IUSER_MACHINENAME 的本地计算机帐户。 此处< /a> 是一篇 technet 文章,介绍了如何更改 IIS 6.0 中用于匿名身份验证的用户帐户。
Ir my memory is correct, this depends on the user account that is used by authentication with IIS. If the virtual directory is set up for anonymous, then depending on the version of IIS it will use a local machine account called IUSER_MACHINENAME. Here is a technet article that explains how to change the user account used for anonymous authentication in IIS 6.0.
我们遇到了同样的问题,但无法纠正它,即使在安全选项卡上具有正确的安全权限也是如此。有一天它正在工作,突然停止了。
经过一番努力后,我转到虚拟目录旁边的“连接为”按钮,令人惊讶的是,这里有与安全选项卡不同的凭据。我使用了一个已知的良好服务帐户和 Viola',它立即起作用了。
We had the same problem but could not get it corrected, even with the correct security permissions on the security tab. It was working one day and just suddenly stopped.
After a lot of head banging, I went to the "Connect As" button next to the virtual directory and surprisingly there were DIFFERENT credentials than the security tab. I used a known good service account and Viola', it worked instantly.