简体繁体 English

即使授予“所有人”访问权限，ASP.NET应用程序也无法访问网络共享

[英]ASP.NET application cannot access network share even with “Everyone” granted access

原文 2014-03-14 19:02:10 6 5 asp.net/ windows/ file/ iis/ ntfs

I have two servers: server A which is a web server running an ASP.NET application on IIS, and server B which is an SSIS server with a network share that contains a configuration file. 我有两台服务器：服务器A是在IIS上运行ASP.NET应用程序的Web服务器，服务器B是具有网络共享（包含配置文件）的SSIS服务器。

I need server A to be able to write to the configuration file on server B. This seems fairly straight-forward, however I keep getting the error: "Access to the path \\\\ServerB\\files\\config.xml is denied." 我需要服务器A才能写入服务器B上的配置文件。这看起来很简单，但是我不断收到错误消息：“拒绝访问路径\\\\ ServerB \\ files \\ config.xml。” What I have done for testing , to make this perfectly clear: 我所做的测试工作是为了清楚地说明这一点：

I have set " Everyone " to have full control of the folder. 我将“ 所有人 ”设置为完全控制文件夹。
I have set " Everyone " to have read/write access on the share . 我已将“ 所有人 ”设置为对共享具有读/写访问权限。
I have set " Everyone " to have full control of the file. 我将“ 所有人 ”设置为完全控制文件。
I have verified that the file is not read-only. 我已经验证该文件不是只读的。

I realize this isn't a good solution, I am just doing this for debugging so please don't comment to tell me not to do this. 我意识到这不是一个好的解决方案，我只是在调试时这样做，所以请不要发表评论以告诉我不要这样做。

Anyhow, even with these things set, I still get "Access is denied." 无论如何，即使设置了这些内容，我仍然会收到“访问被拒绝”的信息。 I have also explicitly given access to a number of users, including Network Service , IUSR , Anonymous Logon , and IUSRS group, and it has not fixed the problem. 我还明确授予了许多用户访问权限，包括网络服务 ， IUSR ， 匿名登录和IUSRS组，但它尚未解决问题。

The application pool on Server A is using ApplictionPoolIdentity . 服务器A上的应用程序池正在使用ApplictionPoolIdentity 。 I have Googled and Overflowed and found suggestions to give permissions to things like IIS AppPool\\{Application Pool} or {MACHINE}\\ASPNET, but I cannot access these resources from Server B so I do not understand how this would be possible. 我经过Google搜索和“泛滥”，发现了一些建议，可以授予对IIS AppPool \\ {Application Pool}或{MACHINE} \\ ASPNET之类的权限的权限，但是我无法从服务器B访问这些资源，因此我不知道如何实现。

Finally, the perplexing thing is that developers running solutions on their local machines are able to access the file. 最后，令人困惑的是，在其本地计算机上运行解决方案的开发人员能够访问该文件。 So it is something to do with how something is configured with Server A, however I cannot figure out what. 因此，这与服务器A的配置方式有关，但是我无法弄清楚是什么。

Edit: Truly wacky stuff going on here. 编辑：真正古怪的东西在这里发生。 I have figured out how to enable auditing and get the requests logged in the event viewer on Server B. When the developer runs the process from his local, I can see all the requests logged on Server B. Eg: "A network share object was checked to see whether client can be granted desired access." 我已经弄清楚了如何启用审核并在服务器B的事件查看器中记录请求。当开发人员从本地运行该过程时，我可以看到服务器B上记录的所有请求。例如：“网络共享对象是检查是否可以授予客户端所需的访问权限。”

However! 然而！ When attempting to connect from server A, nothing gets logged. 尝试从服务器A连接时，不会记录任何内容 。 Nothing is there at all. 什么都没有。 Server A throws an "access to the path is denied" error, but I don't even see the request from Server B. :( 服务器A引发“拒绝访问路径”错误，但我什至看不到来自服务器B的请求。

5 个解决方案

It has been long time ago but maybe it could be useful for someone. 它已经很久了，但也许对某人有用。

Try and use the class NetworkConnection to access to the shared folder. 尝试并使用类NetworkConnection来访问共享文件夹。 You'll need to specify the path and credentials. 您需要指定路径和凭据。

More reference about the class here: 有关该类的更多参考，请参见：

https://gist.github.com/AlanBarber/92db36339a129b94b7dd#file-networkconnection-cs-L15 https://gist.github.com/AlanBarber/92db36339a129b94b7dd#file-networkconnection-cs-L15

You seem to be using all Local Identities and I think that will not work on a network share despite what permissions you give. 您似乎正在使用所有本地身份，尽管您授予了什么权限，但我认为这不适用于网络共享。 You need to make a domain user and run the app pool with that user and you should be good to go. 您需要成为一个域用户并与该用户一起运行应用程序池，您应该一切顺利。

Also please do verify if the path is reachable or its access denied. 另外，请确认路径是否可以访问或拒绝访问。 Sometimes we go get the access denied message even though the path was not reachable. 有时即使路径不可达，我们也会收到拒绝访问消息。

You may need to edit settings in the Group Policy Editor on the machine where the share is hosted. 您可能需要在托管共享的计算机上的组策略编辑器中编辑设置。

Open the Group Policy Editor via Start → Run → gpedit.msc. 通过开始→运行→gpedit.msc打开组策略编辑器。 Set the following under Local Computer Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options: 在“本地计算机策略”→“计算机配置”→“ Windows设置”→“安全设置”→“本地策略”→“安全选项”下进行以下设置：

Network access: Shares that can be accessed anonymously - Enter the name of the network share folder ( files in your question above) in the text field. Network access: Shares that can be accessed anonymously -在文本字段中输入网络共享文件夹的名称（上述问题中的files ）。 (Don't include the hostname.) （不包括主机名。）
Network access: Let Everyone permissions apply to anonymous users - Set to Enabled . Network access: Let Everyone permissions apply to anonymous users -设置为Enabled 。 (For me, this was necessary for write access to be granted.) （对我来说，这是授予写访问权限所必需的。）

When done making changes in gpedit.msc, from an admin-elevated command prompt, run gpupdate /force to apply the Group Policy changes. 在gpedit.msc中完成更改后，从管理员提升的命令提示符下，运行gpupdate /force以应用组策略更改。

Obviously, you should consider the security implications in your specific situation before making these changes. 显然，在进行这些更改之前，您应该考虑特定情况下的安全隐患。

您必须根据本文http://blogs.msdn.com/b/vijaysk/archive/2009/02/13/goodbye-network-service.aspx修改ApplicationPoolIdentity，因为它可以与NetworkService身份一起使用

在system.web ，在identity标签上，设置impersonate=true还设置生产服务器的用户名和密码