[英]Programmatically set up user account for custom identity application pool in IIS 7
In my C# code I need to create a custom identity for my web application and add it to IIS 7. I do the following: 在我的C#代码中,我需要为我的Web应用程序创建一个自定义标识,并将其添加到IIS7。我执行以下操作:
string strAppPoolName = "MyAppPool";
string strUserName = Environment.UserDomainName + "\\" + "myappusername";
addUserAccount(strUserName, strUserPass);
using (ServerManager serverManager = new ServerManager())
{
//Add application pool
ApplicationPool appPool = serverManager.ApplicationPools.Add(strAppPoolName);
appPool.AutoStart = true;
appPool.ManagedPipelineMode = ManagedPipelineMode.Integrated;
appPool.ManagedRuntimeVersion = "v4.0";
appPool.ProcessModel.MaxProcesses = 1;
//Assign identity to a custom user account
appPool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
appPool.ProcessModel.UserName = strUserName;
appPool.ProcessModel.Password = strUserPass;
}
Where the user is added to the Active Directory as such: 这样将用户添加到Active Directory的位置:
public static void addUserAccount(string sUserName, string sPassword)
{
using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
{
using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
{
up.SamAccountName = sUserName;
up.SetPassword(sPassword);
up.Enabled = true;
up.PasswordNeverExpires = true;
up.Description = "My app's user account";
up.Save();
}
}
}
The issue is that when I later add my site and application to IIS 7 under that application pool, the web application cannot run because it does not have sufficient permissions. 问题是,当我以后将我的站点和应用程序添加到该应用程序池下的IIS 7时,该Web应用程序无法运行,因为它没有足够的权限。 More importantly for me, some of the .NET classes, such as System.Security.Cryptography fail with unexpected error codes even if I manually set read/write permissions for this new user account to the file system folder where my web app is installed.
对我来说更重要的是,即使我将这个新用户帐户的手动读写权限设置为安装Web应用程序的文件系统文件夹,某些.NET类(例如System.Security.Cryptography)也会由于意外的错误代码而失败。
So while doing a research I found the following statement : 因此,在进行研究时,我发现以下陈述 :
If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources.
如果使用自定义标识,请确保指定的用户帐户是Web服务器上IIS_IUSRS组的成员,以便该帐户可以正确访问资源。 Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principle Name (SPN) with the domain controller (DC).
此外,在环境中使用Windows和Kerberos身份验证时,可能需要向域控制器(DC)注册服务主体名称(SPN)。
So, how do you do this? 那么,你如何做到这一点?
If you need to add that account to the IIS_IUSERS group, (which is local on the machine) you can use the GroupPrincipal
for that. 如果需要将该帐户添加到IIS_IUSERS组(在计算机上是本地的),则可以使用
GroupPrincipal
。 Keep in mind to create a PrincipalContext
that is local for your machine, instead of the Domain one you used for the user. 请记住创建一个本地计算机的
PrincipalContext
,而不是您为用户使用的DomainContext。 You can simply find the group by identity and then add the new created user to the Members
collection. 您可以简单地通过标识找到组,然后将新创建的用户添加到
Members
集合中。 The Add
method has an overload that accepts an UserPrincipal
. Add
方法具有接受UserPrincipal
的重载。
Your code would like this: 您的代码将如下所示:
using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
{
using (PrincipalContext oGroupContext = new PrincipalContext(ContextType.Machine))
{
// find the local group IIS_IUSRS
using(var gp = GroupPrincipal.FindByIdentity(oGroupContext,"IIS_IUSRS"))
{
using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
{
up.SamAccountName = sUserName;
up.SetPassword(sPassword);
up.Enabled = true;
up.PasswordNeverExpires = true;
up.Description = "My app's user account";
up.Save();
// add new user to Members of group
gp.Members.Add(up);
// save before Disposing!
gp.Save();
}
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.