使用系统帐户执行 SPWebApplication.Update 会引发 SecurityException

发布于 2024-08-03 20:44:02 字数 1265 浏览 9 评论 0原文

我正在使用 SPWebConfigModification 类进行一些 web.config 修改。将它们添加到 WebApplication 并对其调用 Update 时,它​​会抛出 SecurityException,尽管

  • 我以提升的权限运行代码 (并打开 SPSite 的新实例)
  • 我的程序集位于 GAC
  • 应用程序池帐户 中 wss_admin_wpg 组和 web.config 文件已写入 wss_admin_wpg 许可。

代码

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    addProviderProxy(properties);
});

where addProviderProxy(SPItemEventProperties properties)

using (SPSite site = new SPSite(properties.SiteId))
using (SPWeb web = site.OpenWeb())
{
  ensureSectionGroup(web);
  ...
}

where EnsureSectionGroup(SPWeb web)

  SPWebApplication webApp = web.Site.WebApplication; 
  ...
  webApp.Update(); <--Throws exception here

异常详细信息

System.Security.SecurityException was caught
  Message="Piekļuve liegta." //(Translates to something like "Access Denied")
  Source="Microsoft.SharePoint"
  StackTrace:
       at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
       at Microsoft.SharePoint.Administration.SPWebApplication.Update()
       at Balticovo.SharePoint.AdjustWebConfigForOutlook.ensureSectionGroup(SPWeb web)
  InnerException: 

I`m doing some web.config modifications with SPWebConfigModification class. When adding them to WebApplication and calling Update to it, it throws me SecurityException, although

  • I run code with elevated privilages
    (and open new instance of SPSite)
  • my assembly is in GAC
  • application pool account is from
    wss_admin_wpg group and web.config file has wss_admin_wpg write
    permissins.

Code

SPSecurity.RunWithElevatedPrivileges(delegate()
{
    addProviderProxy(properties);
});

where addProviderProxy(SPItemEventProperties properties)

using (SPSite site = new SPSite(properties.SiteId))
using (SPWeb web = site.OpenWeb())
{
  ensureSectionGroup(web);
  ...
}

where ensureSectionGroup(SPWeb web)

  SPWebApplication webApp = web.Site.WebApplication; 
  ...
  webApp.Update(); <--Throws exception here

Exception Details

System.Security.SecurityException was caught
  Message="Piekļuve liegta." //(Translates to something like "Access Denied")
  Source="Microsoft.SharePoint"
  StackTrace:
       at Microsoft.SharePoint.Administration.SPPersistedObject.Update()
       at Microsoft.SharePoint.Administration.SPWebApplication.Update()
       at Balticovo.SharePoint.AdjustWebConfigForOutlook.ensureSectionGroup(SPWeb web)
  InnerException: 

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

旧人 2024-08-10 20:44:02

尝试在 PowerShell 脚本中运行此命令,然后重试更新:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.RemoteAdministratorAccessDenied = $false
$contentService.Update()

我仍然掌握 2010 权限的窍门,因此请珍惜它的价值。根据 Paul Kotlyar 的说法,这会有所帮助。

Try running this in a PowerShell script, then retry your update:

$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$contentService.RemoteAdministratorAccessDenied = $false
$contentService.Update()

I'm still getting the hang of 2010 permissions, so take it for what it's worth. According to Paul Kotlyar, that'll help.

濫情▎り 2024-08-10 20:44:02

由于 SPPersistedObject.Update() 处发生“访问被拒绝”错误,这显然表明存在持久对象的问题。这很可能是写入 SharePoint 配置数据库(或者可能是另一个 SP 数据库)时出现的权限错误。

如果可能,请检查 SQL 日志或运行 SQL Profiler 跟踪以获取有关导致问题的帐户的更多信息。检查运行代码的帐户是否有权访问配置数据库。

更新:

您可以通过将用户添加到场管理员组来授予对配置数据库的权限。这为他们提供了对该数据库的 db_owner 权限,但这并不理想,因为这意味着该帐户可以执行任何操作。但是(据我所知)没有其他方法可以访问该数据库。

如果这是一个主要问题,您可以通过 SQL Server Management Studio 自行更改权限。理想情况下,使用 SQL Profiler 并设计一个仅提供所需权限的新角色。或者,尝试将帐户添加到 WSS_Content_Application_Pools 角色和/或 data_readerdata_writer 角色。

As the "Access Denied" error is occurring at SPPersistedObject.Update(), this obviously indicates that there is a problem persisting the object. This is very likely to be a permissions error writing to the SharePoint configuration database (or maybe another SP database).

If possible check the SQL logs or run a SQL Profiler trace to get more information on what account is causing the problem. Check that the account your code is running under has access to the configuration database.

Update:

You can give permission to the configuration database by adding the user to the Farm Administrator's group. This gives them db_owner permission on that database which isn't ideal as that means the account can do anything. However there is no other way (that I know of) that can give access to this database.

If this is a major concern, you could change the permissions yourself via SQL Server Management Studio. Ideally use SQL Profiler and devise a new role that gives just the permissions required. Alternatively try adding the account to the WSS_Content_Application_Pools role and/or the data_reader and data_writer roles.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文