Error 500.19 - UNC-based IIS 7.5 site - file permissions issue

Posted on 2024-11-08 21:49:02

I'm trying to get a website in my IIS 7.5 (Win 7 Pro machine) to run via a UNC path to the code for one of the default website and an underlying App. This is the first time I've ever tried to set up a site/app in IIS 7.5 based off a UNC path: a folder on another server in the same domain.

I've tried various things to try to get this resolved. The app pool is running under ApplicationPoolIdentity on my Win 7 Pro PC where I have this site set up.

The runtime error I get when trying to run the app in the browser via http://localhost/TheAppName is:

Module: IIS Web Core
Notification: Unknown
Handler: Not Yet Determined
Error Code: 0x800700005
Config Error: Cannot read configuration file due to insufficient permissions
Config File: \\?\UNC\theServerName\www\TheAppName
Requested URL: http://localhost:80/TheAppName
Physical Path: (nothing showing up here)
Logon Method: Not yet determined
Logon User: Not yet determined

I put in fake names for the server and app name above for privacy for this post.

So it's having trouble reading the web.config found in that UNC path for this site.

I tried to add a local user on the target server and then gave that user permissions to the web.config and then used that user RemoteServerName\LocalUserICreated as the app pool's Identity on my machine, but it had no effect.

No clue what to do here and how to go about it.

Comments (4)

故人的歌 2024-11-15 21:49:02

I assume the UNC path is to a different server?

If so, are both servers in the same domain? If so, then IIS needs to run the website under a user account that has permissions to read the files.

If not, you need to create identical user accounts (same username, same password) on the web server and the file storage server and then change IIS to run the website under this user account.

Hope this helps/works.

缘字诀 2024-11-15 21:49:02

When you create a web application or virtual directory from a UNC path, you need to provide the credentials to IIS for the connection.

In the Add Application dialog, below the Physical path section is the "Connect as..." button - you can then choose either "Application user (pass-through authentication)" or "Specific user".

Whichever you choose, they have to be credentials that will be recognised by the remote server - "Pass-through" will try and use the current desktop (or browser) credentials to authenticate the user which (if you're connecting via a VPN as per your comments) almost certainly won't be valid. In this case you should use "Specific user" and provide (ideally) a domain user with suitable permissions to run the site.

When we've needed to do this in the past, we'd create an account on the domain that the local AppPools would run under, and then this could be used in these situations as well.

If you've already created the application, the dialog can be reached using the "Basic Settings..." action link.

遥远的绿洲 2024-11-15 21:49:02

It took me a few hours to finally solve the same issue for myself. Turned out I used the wrong slashes in my physical path. It should be \ these, not // these.

左岸枫 2024-11-15 21:49:02

Zhaph and Alan both identify the work-around suggested by Microsoft. Here's the rest of the information from Microsoft's page on your problem:

Cause

IIS 6.0 uses the hosting worker-process identity to connect to a remote directory. Then, IIS 6.0 authenticates the user against the remote directory. However, IIS 7.0 introduces delegation scenarios. In IIS 7.0, you can delegate Web-site settings and application-level settings to a Web.config file.

For pass-through authentication, the Web.config file is stored in a UNC directory. Therefore, the default-process identity in IIS 7.0 must examine the Web.config file first to determine whether any security-related settings must be applied before the authentication process starts. The default-process identity in IIS 7.0 does not have sufficient permissions to open the Web.config file. Therefore, the Web request is rejected.

If there is no Web.config file in the UNC directory, IIS 7.0 uses the rules that are defined for the parent directory. For the Web content to be served in this scenario, the worker-process identity must have access to the whole content directory. Otherwise, the Web request is rejected.

Resolution

To resolve this behavior and to make sure that pass-through authentication works correctly, follow these steps:

  1. Make sure that all the user accounts that access the UNC directory have at least the Read permission for the UNC directory.

    Note: This behavior is the same as the behavior in IIS 6.0.

  2. Make sure that the IIS worker-process identity is running under a domain account or under a workgroup account that also exists on the UNC file server. If it is necessary, create an account on the UNC file server that has the same user name and the same password as the IIS worker-process identity.

    Notes

    • This behavior differs from the behavior in IIS 6.0.
    • By default, the DefaultAppPool application pool runs under the Network Service account. This account is local to the computer, and this account does not exist on another computer. Therefore, make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the UNC file server. Alternatively, you can create a workgroup account on the UNC file server and on the computer that is running IIS 7.0.

  3. If there is a Web.config file in the UNC directory, edit the discretionary access control list (DACL) for the Web.config file so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the Web.config file so that the DACL contains the account that you created in step 2.

    If there is no Web.config file in the UNC directory, edit the DACL for the UNC directory so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the UNC directory so that the DACL contains the account that you created in step 2.

    Note: This behavior differs from the behavior in IIS 6.0.
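
Steps 2 and 3 above, scripted with the WebAdministration module and icacls. This is an added example, not part of the original answers or of Microsoft's article. `EXAMPLE\svc-iis-content` is a hypothetical domain account, and the server and application names are the fake ones used in the question.

```powershell
# Added example. $SvcAccount is a hypothetical domain account; the UNC path uses
# the placeholder names from the question. Run from an elevated prompt.
Import-Module WebAdministration

$PoolName   = 'DefaultAppPool'
$UncPath    = '\\theServerName\www\TheAppName'
$SvcAccount = 'EXAMPLE\svc-iis-content'

# Step 2: run the worker process as an account the file server can authenticate.
# ApplicationPoolIdentity and Network Service are local to the IIS machine.
$pool = "IIS:\AppPools\$PoolName"
$pm   = Get-ItemProperty $pool -Name processModel
if ($pm.userName -ne $SvcAccount) {
    $cred = Get-Credential $SvcAccount      # prompts; no password kept in the script
    Set-ItemProperty $pool -Name processModel -Value @{
        identityType = 3                    # 3 = SpecificUser
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }
}

# Step 3: add the account to the DACL of web.config if it exists, otherwise to
# the DACL of the UNC directory. Grant read access only, nothing broader.
# This part needs an account that is allowed to edit DACLs on the file server.
$webConfig = Join-Path $UncPath 'web.config'
if (Test-Path $webConfig) {
    $target = $webConfig
    icacls $target /grant "${SvcAccount}:R"
} else {
    $target = $UncPath
    icacls $target /grant "${SvcAccount}:(OI)(CI)RX"   # inherit to files and subfolders
}

# Check: list the ACEs for the account so the granted rights can be reviewed.
(Get-Acl $target).Access |
    Where-Object { $_.IdentityReference.Value -eq $SvcAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```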
