简体   繁体   English

在IIS 7中以编程方式为自定义身份应用程序池设置用户帐户

[英]Programmatically set up user account for custom identity application pool in IIS 7

In my C# code I need to create a custom identity for my web application and add it to IIS 7. I do the following: 在我的C#代码中,我需要为我的Web应用程序创建一个自定义标识,并将其添加到IIS7。我执行以下操作:

string strAppPoolName = "MyAppPool";
string strUserName = Environment.UserDomainName + "\\" + "myappusername";

addUserAccount(strUserName, strUserPass);

using (ServerManager serverManager = new ServerManager())
{
    //Add application pool
    ApplicationPool appPool = serverManager.ApplicationPools.Add(strAppPoolName);
    appPool.AutoStart = true;

    appPool.ManagedPipelineMode = ManagedPipelineMode.Integrated;
    appPool.ManagedRuntimeVersion = "v4.0";

    appPool.ProcessModel.MaxProcesses = 1;

    //Assign identity to a custom user account
    appPool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
    appPool.ProcessModel.UserName = strUserName;
    appPool.ProcessModel.Password = strUserPass;
}

Where the user is added to the Active Directory as such: 这样将用户添加到Active Directory的位置:

public static void addUserAccount(string sUserName, string sPassword)
{
    using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
    {
        using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
        {
            up.SamAccountName = sUserName;
            up.SetPassword(sPassword);
            up.Enabled = true;
            up.PasswordNeverExpires = true;
            up.Description = "My app's user account";

            up.Save();
        }
    }
}

The issue is that when I later add my site and application to IIS 7 under that application pool, the web application cannot run because it does not have sufficient permissions. 问题是,当我以后将我的站点和应用程序添加到该应用程序池下的IIS 7时,该Web应用程序无法运行,因为它没有足够的权限。 More importantly for me, some of the .NET classes, such as System.Security.Cryptography fail with unexpected error codes even if I manually set read/write permissions for this new user account to the file system folder where my web app is installed. 对我来说更重要的是,即使我将这个新用户帐户的手动读写权限设置为安装Web应用程序的文件系统文件夹,某些.NET类(例如System.Security.Cryptography)也会由于意外的错误代码而失败。

So while doing a research I found the following statement : 因此,在进行研究时,我发现以下陈述

If you use a custom identity, make sure that the user account you specify is a member of the IIS_IUSRS group on the Web server so that the account has proper access to resources. 如果使用自定义标识,请确保指定的用户帐户是Web服务器上IIS_IUSRS组的成员,以便该帐户可以正确访问资源。 Additionally, when you use Windows and Kerberos authentication in your environment, you might need to register a Service Principle Name (SPN) with the domain controller (DC). 此外,在环境中使用Windows和Kerberos身份验证时,可能需要向域控制器(DC)注册服务主体名称(SPN)。

So, how do you do this? 那么,你如何做到这一点?

If you need to add that account to the IIS_IUSERS group, (which is local on the machine) you can use the GroupPrincipal for that. 如果需要将该帐户添加到IIS_IUSERS组(在计算机上是本地的),则可以使用GroupPrincipal Keep in mind to create a PrincipalContext that is local for your machine, instead of the Domain one you used for the user. 请记住创建一个本地计算机的PrincipalContext ,而不是您为用户使用的DomainContext。 You can simply find the group by identity and then add the new created user to the Members collection. 您可以简单地通过标识找到组,然后将新创建的用户添加到Members集合中。 The Add method has an overload that accepts an UserPrincipal . Add方法具有接受UserPrincipal的重载。

Your code would like this: 您的代码将如下所示:

using (PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain))
{
    using (PrincipalContext oGroupContext = new PrincipalContext(ContextType.Machine))
    {
        // find the local group IIS_IUSRS
        using(var gp = GroupPrincipal.FindByIdentity(oGroupContext,"IIS_IUSRS"))
        {
            using (UserPrincipal up = new UserPrincipal(oPrincipalContext))
            {
                up.SamAccountName = sUserName;
                up.SetPassword(sPassword);
                up.Enabled = true;
                up.PasswordNeverExpires = true;
                up.Description = "My app's user account";

                up.Save();

                // add new user to Members of group
                gp.Members.Add(up);
                // save before Disposing!
                gp.Save();
            }
         }
    }
}

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何正确设置IIS 7应用程序池标识? - How to set up IIS 7 application pool identity correctly? 如何在IIS 8上以编程方式设置应用程序池标识 - How to programmatically set App Pool Identity on IIS 8 在IIS 6.0应用程序池中设置用户帐户 - Setting user account in IIS 6.0 application pool 以编程方式将应用程序池标识设置为域用户 - Programmatically set App Pool identity to Domain user 如何将IIS应用程序池标识用户区域设置为ApplicationPoolIdentity时,如何设置它 - How do you set the IIS Application Pool Identity User Locale when it's set to ApplicationPoolIdentity 以编程方式将IIS应用程序池标识“用户”分配给组 - Programmatically assigning IIS Application Pool Identity “users” to Groups 以编程方式获取应用程序池标识 - Get the Application Pool Identity programmatically 将 IIS 应用程序池标识从内置帐户更改为自定义帐户会导致 503 错误 - Changing IIS application pool idenity from built in account to custom account causes 503 error 以编程方式停止应用程序池问题IIS7 - STOP Application Pool Issue Programmatically IIS7 使用安装程序以编程方式在IIS中创建应用程序池时出错 - Error creating an Application Pool in IIS programmatically with an installer
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM