无法从 ASP.NET 页面运行 Windows 服务?
我正在尝试在 Windows Server 2003 上启动 Windows 服务 从 ASP.NET 页面:
第 35 行的代码是:
32. Dim controller As New ServiceController
33. controller.MachineName = System.Environment.MachineName
34. controller.ServiceName = "WindowsServiceRealName"
35. controller.Start()
错误代码是
System.InvalidOperationException:无法在计算机“DARWIN”上打开 WindowsServiceRealName 服务。 ---> System.ComponentModel.Win32Exception:访问被拒绝 --- 内部异常堆栈跟踪结束 --- 在 System.ServiceProcess.ServiceController.GetServiceHandle(Int32desiredAccess) 在 System.ServiceProcess.ServiceController.Start(String[] args) 在 System. E:\ProjectsNet\AfconParking\AfconParking\system\Import.aspx.vb 中 AfconParking.Import.StartService() 处的 ServiceProcess.ServiceController.Start():第 35 行
I'm trying to start a Windows service on Windows Server 2003
from an ASP.NET page:
the code of line 35 is:
32. Dim controller As New ServiceController
33. controller.MachineName = System.Environment.MachineName
34. controller.ServiceName = "WindowsServiceRealName"
35. controller.Start()
The error code is
System.InvalidOperationException: Cannot open WindowsServiceRealName service on computer 'DARWIN'. ---> System.ComponentModel.Win32Exception: Access is denied --- End of inner exception stack trace --- at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) at System.ServiceProcess.ServiceController.Start(String[] args) at System.ServiceProcess.ServiceController.Start() at AfconParking.Import.StartService() in E:\ProjectsNet\AfconParking\AfconParking\system\Import.aspx.vb:line 35
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
用于 ASP.NET 应用程序池标识的帐户 ("网络服务"默认情况下)没有 启动服务所需的权限。
要解决此问题,您有以下几种选择:
重新设计您的站点,使其不需要 ASP.NET 页面与服务控制管理器之间进行交互。我真的想不出一个很好的理由来要求这个(该服务可以简单地在启动时启动,并保持运行:如果服务崩溃,您应该修复其原因,和/或使用提供的纠正措施如果需要重新启动服务来启动某种处理,请使用 IPC 机制(例如套接字或命名管道)来在 Web 应用程序和服务之间进行通信)。
按照详细说明此处。请注意,这有几个安全隐患,但没有一个特别好。
The account used for the identity of your ASP.NET application pool ("Network Service" by default) does not have the permissions required to start a service.
To fix this issue, you have a few options:
Re-architect your site to not require interactions between ASP.NET pages and the service control manager. I really can't think of a good reason to require this (the service can simply be started at boot time, and remain running: if the service crashes, you should fix the cause of that, and/or use the corrective actions provided by the SCM. If a service restart is needed to kick of some kind of processing, use an IPC mechanism, such as sockets or named pipes, to communicate between your web app and the service instead).
Create a service account with the appropriate permissions (basically, membership of the local Administrators group) as described in detail here. Do note that this has several security implications, none of them particularly good.
这是一个权限问题,请尝试使用有权执行服务控制操作的身份运行应用程序池。
阅读此知识库以了解如何授予用户此类权限:
http://support.microsoft.com/kb/325349
Its a permissions issue, try to run the application pool with an Identity that has permissions to perform service control operations.
Read this kb to find out how to grant user such a permissions:
http://support.microsoft.com/kb/325349
服务具有访问控制列表(如文件等)。默认情况下,大多数普通和受限用户帐户(包括 ASP.NET 工作人员使用的默认帐户)没有控制或查看任何服务状态的权限。
您可以在服务上设置 ACL 以允许 IIS 工作人员控制该服务,或者使用已拥有权限的帐户运行 Web 应用程序。
后一个选项可能会给 Web 应用程序带来危险的访问级别(例如,如果 Web 用户发现安全漏洞会发生什么),但这是确认它是服务访问权限的快速方法。
设置 ACL 是更好的解决方案,但我认为没有 UI 来设置 ACL(组策略除外),这让事情变得更加困难。您需要使用命令行工具(例如 SUBINACL.exe)
Services have Access Control Lists (like files etc.). By default most normal and restricted user accounts (including the default account used by ASP.NET workers) do not have permissions to control or see the status any services.
You can either set an ACL on the service that allows the IIS worker to control the service, or run the web application with an account that already has rights.
The latter option would probably give the web application a dangerous level of access (e.g. what would happen if a web user found a security vulnerability), but is a quick approach to confirming that it is a service access permission.
Setting an ACL is the better solution, but I don't think there is a UI to set the ACL (except in group policy) which makes things harder. You'll need to use the command line tools (e.g. SUBINACL.exe)