Remote and automated IIS 7 management from a build server - permission issues
Here's the scenario:
- Win2003 Build Server (CCNET)
- IIS7 target deployment server
The various MSBuild tasks (Sdc.Tasks, MSBuild Community, MSBuild Extension Pack) for doing this (creating VDirs, setting AppPool properties) are not suitable for at least one or more of the following reasons:
- No support for IIS 7.
- No possibility to pass domain username/password to perform the operation.
- Microsoft.Web.Management.dll is not available on build server.
- 'Access Denied' error.
There are no issues creating Vdirs on IIS 6 - though we're actually shelling out to iisvdir.vbs, as using any of the MSBuild tasks described above seems to either not support domain username/password auth when performing the operation or to simply throw a basic 'Access Denied' message (despite having the appropriate permissions on the IIS 6 metabase).
Also - bear in mind that the various methods work perfectly on IIS 7 if not specifying a specific domain user/pw, as long as the current authentication context has the correct permissions, but for obvious reasons we don't want all of our CCNET builds to run in that context.
I've even used psexec.exe to run appcmd.exe on the box remotely, which also works fine if the current security context has appropriate permission, but as soon as you specify username/password on psexec, you get an error message saying "Cannot read configuration file due to insufficient permissions." The user specified is a domain account, and is part of the local Administrators group on the 2008 server.
Also - I've ended up rolling my own RunAs MSBuild task, inheriting from the Exec task and using programmatic impersonation. I then use this to call psexec without specifying the username and password in psexec, instead impersonating when shelling out to psexec, but I'm simply getting an exit code of 1 - without any more details.
As you can see, I've pretty much exhausted all options, or so I reckon.
If you can think of anything else, or have achieved managing IIS7 remotely from an automated process on a non-IIS7 box (using a specific, non-local-admin user), please let me know.
Comments (1)
Right. After a bit more messing around, it looks like Windows 2008 User Account Control (UAC) is getting in the way. If you are using any administrator account other than the built-in Administrator, UAC's Admin Approval Mode kicks in.
Obviously in an automated script (non-interactive mode), you will be denied access, as you do not have an option to click 'Continue' on the UAC dialog.
The only alternative is to edit the Security Options for the local machine in Group Policy (gpedit.msc) and set 'Run Administrators in Admin Approval Mode' from Enabled to Disabled.
Reboot, and you're fine.
It would actually be better and more secure if you could set UAC exceptions for Admin Approval mode on specific Administrator accounts. If you're reading, MS - put it on the feature list!
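The following PowerShell script is an added example, not code from the original post or its author. It shows the mechanism behind the answer: how to tell from inside the deployment account whether UAC has handed it a filtered (non-elevated) token, and the registry value (EnableLUA, under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) that the gpedit.msc setting 'Run all administrators in Admin Approval Mode' writes. It assumes it is run on the Windows Server 2008 / IIS 7 target, under the account the build job uses, with PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): diagnose whether UAC Admin Approval
# Mode is filtering the token of the account a build job runs under, and show the
# registry-level equivalent of the gpedit.msc change described in the answer.
# Assumptions: run on the IIS 7 / Windows Server 2008 target, as the deployment
# account, from PowerShell 2.0 or later.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-TokenElevated {
    # With Admin Approval Mode on, a non-built-in admin that logs on without
    # elevating gets a filtered token: the Administrators SID is present but
    # marked deny-only, so IsInRole() returns $false. That is the state in
    # which appcmd.exe cannot read applicationHost.config.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPolicy {
    # EnableLUA is the registry value behind the Group Policy setting
    # 'User Account Control: Run all administrators in Admin Approval Mode'.
    $p = Get-ItemProperty -Path $uacKey
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                  # 1 = Admin Approval Mode on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 = elevate without prompting
        FilterAdministratorToken   = $p.FilterAdministratorToken   # 1 = filter built-in Administrator too
    }
}

function Disable-AdminApprovalMode {
    # Equivalent of setting the policy to Disabled in gpedit.msc. Takes effect
    # only after a reboot, as the answer notes. This turns UAC off for every
    # administrator on the box, not just the deployment account.
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 0 -Type DWord
    Write-Host 'EnableLUA set to 0; reboot the server for the change to apply.'
}

# Report before changing anything.
$policy   = Get-UacPolicy
$elevated = Test-TokenElevated
"Admin Approval Mode (EnableLUA): $($policy.EnableLUA)"
"Current token elevated:          $elevated"
if ($policy.EnableLUA -eq 1 -and -not $elevated) {
    "Token is filtered by UAC; appcmd.exe will fail with 'insufficient permissions'."
    # Uncomment to apply the answer's workaround:
    # Disable-AdminApprovalMode
}
```

The same diagnosis can be made from a plain command prompt with `whoami /groups`: a filtered token lists BUILTIN\Administrators with the attribute "Group used for deny only". Note that the default of FilterAdministratorToken = 0 is why the built-in Administrator account is exempt, as the answer observed. Before disabling Admin Approval Mode machine-wide, it is worth checking whether the remote tool can request the elevated token itself; PsExec, for instance, has a `-h` switch for running the process with the account's elevated token on Vista and later, which keeps UAC on for interactive administrators.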