使用 Microsoft.Web.Administration 所需的权限
我正在尝试使用 IIS 7 管理 API,但遇到安全问题。我的应用程序是在 .NET 4(集成管道)上运行的常规 ASP.NET 站点。该计算机是 Windows 7 x64(应用程序池是默认的,在 ApplicationPoolIdentity、x64 下运行)。该站点使用以下设置:
<identity impersonate="true" />
<authentication mode="Windows" />
<customErrors mode="Off" />
<authorization>
<deny users="?" />
</authorization>
我的站点尝试通过 IIS 管理 API(位于本地主机)读取其他站点的详细信息。我以本地管理员成员身份登录。在 IE 中,我尝试打开我的页面,但得到这个:
Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value()
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property)
at Microsoft.Web.Administration.Site.get_State()
我不明白为什么。我非常确定代码在我的帐户的模拟上下文中运行(可以看到这是调试器正在监视 System.Threading.Thread.CurrentPrincipal )。我做错了什么?
ps
UAC 已打开,但我相信这并不重要。 检查 C:\Windows\system32\inetsrv\config 文件夹上的 NTFS 权限 - 管理员的完全访问权限。
I'm trying to use IIS 7 management API but stuck with a security issue. My application is regular ASP.NET site running on .NET 4 (integrated pipeline). The machine is Windows 7 x64 (the app pool is default, running under ApplicationPoolIdentity, x64). The site uses the following settings:
<identity impersonate="true" />
<authentication mode="Windows" />
<customErrors mode="Off" />
<authorization>
<deny users="?" />
</authorization>
My site tries to read other site's details via IIS management API (at localhost). I'm logged in as a member of local Administrators. In IE i try to open my page but get this:
Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value()
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property)
at Microsoft.Web.Administration.Site.get_State()
I don't understand why. I'm damn sure the code runs in impersonation context of my account (can see this is debugger watching System.Threading.Thread.CurrentPrincipal). What am i doing wrong?
p.s.
UAC is on, but i believe that's not important.
Checked NTFS permissions on C:\Windows\system32\inetsrv\config folder - full access for Administrators.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
UAC确实是万恶之源。启用后,模拟行为就会被破坏。这里的事情确实过于复杂:(
当启用UAC并且模拟当前安全上下文时,委托人报告他不是本地管理员组的成员。但他是。这与交互式/非交互式会话有关。
UAC is indeed the root of all evil. Impersonation behavior is broken when it's on. Something is really over-complicated here :(
When UAC is enabled and the current security context is impersonated, the principal reports he's not a member of local Administrators group. But he is. It has something to do with interactive/non-interactive sessions.
尝试将 web.config 中的临时目录设置为具有完全权限的文件夹。
Try set temp directory into web.config to folder with full permissions.