堆栈内存溢出
  简体   繁体   English

如何在域控制器上分配IIS 7.5文件系统访问权限?

[英]How to assign IIS 7.5 file system access permissions on a Domain Controller?

 原文  2013-10-08 06:25:44       c#/ asp.net/ .net/ permissions/ iis-7.5

问题描述

I have a somewhat unusual situation. 我有一个不寻常的情况。

I am dealing with IIS 7.5 installed on a Windows Server 2008 R2 Domain Controller machine. 我正在处理Windows Server 2008 R2域控制器计算机上安装的IIS 7.5。

I am trying to write a C# program that installs my web application on that IIS. 我试图编写一个C#程序,将我的Web应用程序安装在该IIS上。 Everything works OK, except the moment when I need to assign access permissions for the Application Pool to the folder where the web app is installed. 一切正常,除了需要将“应用程序池”的访问权限分配给安装Web应用程序的文件夹的那一刻。

After having done some research I found that I need to assign access for the following user account: 经过研究后,我发现我需要为以下用户帐户分配访问权限:

IIS AppPool\\[AppPoolName] IIS AppPool \\ [AppPoolName]

So I came up with this code: 所以我想出了这段代码: 

setFolderPermissions(@"C:\inetpub\www_test1",
    @"IIS AppPool\" + strAppPoolName,
    System.Security.AccessControl.FileSystemRights.Read | System.Security.AccessControl.FileSystemRights.ListDirectory,
    System.Security.AccessControl.AccessControlType.Allow);

public static string setFolderPermissions(string strFolderPath, string sUserName, FileSystemRights rights, AccessControlType access)
{
    DirectoryInfo info = new DirectoryInfo(strFolderPath);

    DirectorySecurity ds = info.GetAccessControl();
    ds.AddAccessRule(new FileSystemAccessRule(sUserName,
                        rights,
                        InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit,
                        PropagationFlags.None,
                        access));

    info.SetAccessControl(ds);
}

The method above works except when it is useed on a Domain Controller. 除在域控制器上使用该方法外,以上方法均有效。 It throws this exception: 它引发以下异常:

Some or all identity references could not be translated. 某些或所有身份参考均无法翻译。

And the only way how I can assign those required permissions is by doing this manually from a command line: 而我可以分配那些所需权限的唯一方法是从命令行手动执行此操作 

C:\Users\Administrator>icacls "C:\inetpub\www_test1" /grant "IIS AppPool\MyAppsoolName":(CI)(OI)(M)

Any idea how to do this icacls stuff with C#? 任何想法如何用C#来做这个icacls东西吗?

3 个解决方案

解决方案1
 0  2013-10-08 07:35:51

Better, create your own application pool that runs using the given credential. 更好地,创建自己的使用给定凭据运行的应用程序池。 And the assign the permissions for the given credential (user name) on the web application installed folder. 然后在Web应用程序的已安装文件夹中为给定的凭据(用户名)分配权限。

解决方案2
 0  2013-10-09 12:59:50

You shouldn't be running IIS on domain controller as advised my Microsoft as this may cause issues with security and permissions. 您不应按照我的Microsoft的建议在域控制器上运行IIS,因为这可能会导致安全性和权限问题。

If you really want to do this you should use domain account to run application pool, not integrated IIS Apppool. 如果确实要执行此操作,则应使用域帐户来运行应用程序池,而不是集成的IIS Apppool。 This doesn't work because domain controller doesn't have local accounts and IIS APPool accounts are local. 这不起作用,因为域控制器没有本地帐户,而IIS APPool帐户是本地帐户。

Check this for more details 检查此以获取更多详细信息

http://blogs.technet.com/b/abizerh/archive/2009/07/16/should-iis-be-installed-on-domain-controller.aspx http://blogs.technet.com/b/abizerh/archive/2009/07/16/should-iis-be-installed-on-domain-controller.aspx

解决方案3
 0  2013-10-15 03:16:52

I think I got it using an unmanaged approach. 我认为我是使用非托管方法获得的。 It turns out kinda ugly in C#, but here's the concept: 结果在C#中有点丑陋,但这是概念: 

uint nOSErr;
if(!(nOSErr = setFolderPermissions(@"C:\inetpub\www_test1", @"IIS AppPool\" + strAppPoolName, OSFileAccess.FILE_GENERIC_READ)))
{
    throw new Exception("Failed to change permissions, error code=" + nOSErr);
}

public static uint setFolderPermissions(string strFolderPath, string strUserName, OSFileAccess access)
{
    //Set folder permissions
    //RETURN:
    //      = 0 if success
    //      = Otherwise error code -- check GetLastError
    uint dwRes = 0;

    try
    {
        IntPtr pZero = IntPtr.Zero;

        IntPtr pSecDesc = pZero;
        IntPtr pDacl = pZero;
        if ((dwRes = GetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
            out pZero, out pZero, out pDacl, out pZero, out pSecDesc)) == ERROR_SUCCESS)
        {
            try
            {
                EXPLICIT_ACCESS ea = new EXPLICIT_ACCESS();

                ea.grfAccessPermissions = access;
                ea.grfAccessMode = AccessMode.GRANT_ACCESS;
                ea.grfInheritance = AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE;
                ea.Trustee.MultipleTrusteeOperation = UIntPtr.Zero;
                ea.Trustee.pMultipleTrustee = UIntPtr.Zero;
                ea.Trustee.TrusteeForm = (UIntPtr)(TrusteeForm.TRUSTEE_IS_NAME);
                ea.Trustee.ptstrName = strUserName;

                IntPtr pNewDacl = pZero;
                if((dwRes = SetEntriesInAcl(1, ref ea, pDacl, out pNewDacl)) == ERROR_SUCCESS)
                {
                    try
                    {
                        if ((dwRes = SetNamedSecurityInfo(strFolderPath, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
                            IntPtr.Zero, IntPtr.Zero, pNewDacl, IntPtr.Zero)) == ERROR_SUCCESS)
                        {
                            //Done
                        }
                    }
                    finally
                    {
                        //Free mem
                        if (pNewDacl != IntPtr.Zero)
                        {
                            LocalFree(pNewDacl);
                            pNewDacl = IntPtr.Zero;
                        }
                    }
                }
            }
            finally
            {
                //Free mem
                if (pSecDesc != IntPtr.Zero)
                {
                    LocalFree(pSecDesc);
                    pSecDesc = IntPtr.Zero;
                }
            }
        }
    }
    catch
    {
        dwRes = ERROR_INVALID_DATA;
    }

    return dwRes;
}


enum SE_OBJECT_TYPE
{
    SE_UNKNOWN_OBJECT_TYPE = 0,
    SE_FILE_OBJECT,
    SE_SERVICE,
    SE_PRINTER,
    SE_REGISTRY_KEY,
    SE_LMSHARE,
    SE_KERNEL_OBJECT,
    SE_WINDOW_OBJECT,
    SE_DS_OBJECT,
    SE_DS_OBJECT_ALL,
    SE_PROVIDER_DEFINED_OBJECT,
    SE_WMIGUID_OBJECT,
    SE_REGISTRY_WOW64_32KEY
}

[Flags]
enum SECURITY_INFORMATION : uint
{
    OWNER_SECURITY_INFORMATION = 0x00000001,
    GROUP_SECURITY_INFORMATION = 0x00000002,
    DACL_SECURITY_INFORMATION = 0x00000004,
    SACL_SECURITY_INFORMATION = 0x00000008,
    UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
    UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
    PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
    PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
}

[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
static extern uint GetNamedSecurityInfo(
    string pObjectName,
    SE_OBJECT_TYPE ObjectType,
    SECURITY_INFORMATION SecurityInfo,
    out IntPtr pSidOwner,
    out IntPtr pSidGroup,
    out IntPtr pDacl,
    out IntPtr pSacl,
    out IntPtr pSecurityDescriptor);

[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr LocalFree(IntPtr hMem);

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 0)] //Platform independent (32 & 64 bit) - use Pack = 0 for both platforms. IntPtr works as well.
internal struct TRUSTEE
{
    internal UIntPtr pMultipleTrustee; // must be null
    internal UIntPtr MultipleTrusteeOperation;
    internal UIntPtr TrusteeForm;
    internal UIntPtr TrusteeType;
    //[MarshalAs(UnmanagedType.LPStr)]
    internal string ptstrName;
}

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] 
internal struct EXPLICIT_ACCESS
{
    internal OSFileAccess grfAccessPermissions;
    internal AccessMode grfAccessMode;
    internal AceFlags grfInheritance;
    internal TRUSTEE Trustee;
}

private const uint ERROR_SUCCESS = 0;

[Flags]
public enum OSFileAccess : uint
{
    AccessSystemSecurity = 0x1000000,   // AccessSystemAcl access type
    MaximumAllowed = 0x2000000,     // MaximumAllowed access type

    Delete = 0x10000,
    ReadControl = 0x20000,
    WriteDAC = 0x40000,
    WriteOwner = 0x80000,
    Synchronize = 0x100000,

    StandardRightsRequired = 0xF0000,
    StandardRightsRead = ReadControl,
    StandardRightsWrite = ReadControl,
    StandardRightsExecute = ReadControl,
    StandardRightsAll = 0x1F0000,
    SpecificRightsAll = 0xFFFF,

    FILE_READ_DATA = 0x0001,        // file & pipe
    FILE_LIST_DIRECTORY = 0x0001,       // directory
    FILE_WRITE_DATA = 0x0002,       // file & pipe
    FILE_ADD_FILE = 0x0002,         // directory
    FILE_APPEND_DATA = 0x0004,      // file
    FILE_ADD_SUBDIRECTORY = 0x0004,     // directory
    FILE_CREATE_PIPE_INSTANCE = 0x0004, // named pipe
    FILE_READ_EA = 0x0008,          // file & directory
    FILE_WRITE_EA = 0x0010,         // file & directory
    FILE_EXECUTE = 0x0020,          // file
    FILE_TRAVERSE = 0x0020,         // directory
    FILE_DELETE_CHILD = 0x0040,     // directory
    FILE_READ_ATTRIBUTES = 0x0080,      // all
    FILE_WRITE_ATTRIBUTES = 0x0100,     // all

    GENERIC_READ = 0x80000000,
    GENERIC_WRITE = 0x40000000,
    GENERIC_EXECUTE = 0x20000000,
    GENERIC_ALL = 0x10000000,

    SPECIFIC_RIGHTS_ALL = 0x00FFFF,
    FILE_ALL_ACCESS = StandardRightsRequired | Synchronize | 0x1FF,

    FILE_GENERIC_READ = StandardRightsRead | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | Synchronize,

    FILE_GENERIC_WRITE = StandardRightsWrite | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | Synchronize,

    FILE_GENERIC_EXECUTE = StandardRightsExecute | FILE_READ_ATTRIBUTES | FILE_EXECUTE | Synchronize
}

internal enum AccessMode
{
    NOT_USED_ACCESS = 0,
    GRANT_ACCESS,
    SET_ACCESS,
    DENY_ACCESS,
    REVOKE_ACCESS,
    SET_AUDIT_SUCCESS,
    SET_AUDIT_FAILURE
}

[Flags]
internal enum AceFlags
{
    OBJECT_INHERIT_ACE = 0x1,
    CONTAINER_INHERIT_ACE = 0x2,
    NO_PROPAGATE_INHERIT_ACE = 0x4,
    INHERIT_ONLY_ACE = 0x8,
    INHERITED_ACE = 0x10,
    SUCCESSFUL_ACCESS_ACE_FLAG = 0x40,
    FAILED_ACCESS_ACE_FLAG = 0x80
}

enum TrusteeForm
{
    TRUSTEE_IS_SID,
    TRUSTEE_IS_NAME,
    TRUSTEE_BAD_FORM,
    TRUSTEE_IS_OBJECTS_AND_SID,
    TRUSTEE_IS_OBJECTS_AND_NAME
}


[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
static extern uint SetEntriesInAcl(
    int cCountOfExplicitEntries,
    ref EXPLICIT_ACCESS pListOfExplicitEntries,
    IntPtr OldAcl,
    out IntPtr NewAcl);

[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
static extern uint SetNamedSecurityInfo(
    string pObjectName,
    SE_OBJECT_TYPE ObjectType,
    SECURITY_INFORMATION SecurityInfo,
    IntPtr psidOwner,
    IntPtr psidGroup,
    IntPtr pDacl,
    IntPtr pSacl);

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SignalR 跨域和 IIS 7.5 集线器路径只能在服务器本地运行,如何从外部访问它? - SignalR cross domain and IIS 7.5 path to hub only works locally on the server, how to access it externally? 如何在IIS 7.5中允许任何文件下载 - How to allow any file download in IIS 7.5 当File.Copy拒绝IIS 7.5目录访问 - IIS 7.5 Directory Access Denied When File.Copy 如何在web.config文件(iis 7.5)中重写URL? - How do rewrite the url in web.config file(iis 7.5)? 无法写入IIS 7.5中的日志文件 - Cant write to log file in IIS 7.5 IIS 7.5中打开的文档文件为空 - Open doc file is null IIS 7.5 File.exists()在localhost中工作,但在IIS 7.5中不工作 - File.exists() working in localhost but not in IIS 7.5 IIS 7.5-仅允许一个域名用户查看站点 - iis 7.5 - allow only one domain name user to view site 如何在IIS 7.5中托管WCF服务? - How to host a WCF service in IIS 7.5? 如何在IIS 7.5上添加Application not website? - How to add Application not website on IIS 7.5?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM