IIS 7.5/ASP.NET - Anonymous access to everything except one directory - How?
We're in the process of upgrading from IIS 6 and .NET 3.5 to IIS 7.5 (Windows Server 2008 R2 Enterprise) with the same application. I'm having trouble getting our previous IIS 6 setup to work correctly.
Under IIS 6, I could set the website itself to use a specific domain user (e.g. ourdomain\webuser) for IIS itself. This controlled initial access to all files, including HTML, images, etc. and formed the initial request that went to an ASP.NET page, wherein the .NET engine then took over and the user running .NET was another domain user (e.g. ourdomain\dotnetuser). We would then yank all NTFS permissions from one folder (e.g. /lockdown/) for the IIS user, ourdomain\webuser. Anytime someone tried to access a file in that directory, IIS said "No access, kick into Windows authentication access" and prompted them for credentials. This still caused any underlying .NET code to run as ourdomain\dotnetuser.
I'm having trouble getting this same setup to work under IIS 7.5 and am sure that it's just some dumb oversight thing. It...wants to work but doesn't completely. Here's what I've done:
The application pool for the site is set to .NET Framework v2.0.50727 with "Integrated" selected as the managed pipeline mode option. Then the identity is set to ourdomain\dotnetuser so that the pool runs as that specific user.
The website is set up under IIS > Authentication to connect as "ourdomain\webuser" and all seems to be well. The trouble is when I go to this special /lockdown/ directory. I tried to set it up exactly the same way as in IIS 6 (by simply removing access to that folder from ourdomain\webuser). When I do this, I do get the standard prompt for access, but after providing my credentials, I still get:
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\ourwebsite\lockdown\default.aspx'.
My account is in the local administrators group on this machine (plus I'm a domain admin here) and the Administrators group has been given full access to this folder. I see the following as an "Information" event in the Application Event Viewer:
Event code: 4008
Event message: File authorization failed for the request.
Event time: 8/1/2010 8:45:18 AM
Event time (UTC): 8/1/2010 12:45:18 PM
Event ID: 0f8a5de692e74e67bb4e3c65a867586c
Event sequence: 32
Event occurrence: 1
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/1/ROOT-1-129251371048714102
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\ourwebsite\
    Machine name: TESTWEB3

Process information:
    Process ID: 3008
    Process name: w3wp.exe
    Account name: ourdomain\dotnetuser

Request information:
    Request URL: http://localhost/lockdown/default.aspx
    Request path: /lockdown/default.aspx
    User host address: ::1
    User: ourdomain\myuser
    Is authenticated: True
    Authentication Type: Negotiate
    Thread account name: ourdomain\dotnetuser
Any suggestions or ideas here?
On Windows Server 2008 R2 with IIS 7.5 you need to run Windows Explorer as Administrator (by right-clicking it) to get admin privileges to modify anything in that folder. Add the application pool identity to the ACL of the c:\inetpub\wwwroot... folder with read and execute permissions.
You could use Authorization rules for that, just create a web.config inside the directory you want to protect with the following contents:
This will prevent access by anonymous users and only allow users from the Administrators group. You can use Roles or Users for this.
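The web.config the answer refers to is not preserved on this page. As an added example (not the answerer's file), this is what a deny-anonymous / allow-one-group rule set looks like in the IIS 7.x URL Authorization schema; the folder path and the role name "Administrators" are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the answerer's config. Place this web.config in the
     directory to protect (assumed here: C:\ourwebsite\lockdown\). The
     system.webServer/security/authorization section is IIS URL Authorization:
     in the Integrated pipeline it is evaluated for every request in the folder,
     static files such as images included, not only for .aspx pages.
     The "URL Authorization" role service must be installed for the section to load. -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Remove the inherited "Allow everyone" rule so this folder starts closed. -->
        <remove users="*" roles="" verbs="" />
        <!-- "?" means the anonymous user. Denying it makes IIS return 401 for
             unauthenticated requests, which is what triggers the credential prompt
             when Windows Authentication is enabled for this folder. -->
        <add accessType="Deny" users="?" />
        <!-- Only authenticated members of this group get through. Role name is an
             assumption; a dedicated domain group is the usual choice in practice. -->
        <add accessType="Allow" roles="Administrators" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

Note that the prompt only appears if Windows Authentication is enabled (and Anonymous Authentication disabled) for that folder in IIS Manager; those authentication sections are locked at the server level by default, so they cannot be switched in a folder web.config unless unlocked in applicationHost.config.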