Asp.Net临时文件的ApplicationPoolIdentity权限
[英]ApplicationPoolIdentity permissions on Temporary Asp.Net files
问题描述
at work I am struggling a bit with the following situation: We have a web application that runs on a WIndows Server 2008 64 bits machine. 
在工作中,我遇到以下问题:我们有一个在Windows Server 2008 64位计算机上运行的Web应用程序。 The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .net 2 and Classic pipeline mode. 该应用程序的ApplicationPool在ApplicationPoolIdentity下运行,并配置为.net 2和经典管道模式。
This works fine up to the moment that XmlSerialization requires creation of Serializer assemblies where MEF is being used to create a collection of knowntypes. 在XmlSerialization要求创建Serializer程序集的时候,这种方法可以正常工作,在该程序集中,使用MEF创建了已知类型的集合。
To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.Net Temporary Files directory would be enough, but alas... 为了解决这个问题,我希望向ASP.Net临时文件目录授予ApplicationPoolIdentity权限就足够了,但是可惜...
What I did was the run the following command from a cmd prompt: 我所做的是从cmd提示符下运行以下命令:
icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)
Obviously this did not work, otherwise you would not be reading this :) 显然这是行不通的,否则您将不会阅读此内容:)
Strange thing is that whenever I grant the Users or even more specific, the Authenticated Users Group those permissions, it works. 奇怪的是,每当我授予用户或更具体的身份时,身份验证的用户组就可以使用这些权限。 What's weird as well (in my eyes) is that before I started granting access the ApplicationPoolIdentity was already a member of IIS_IUSRS which does have Modify rights for the temporary asp files directory. 在我看来,奇怪的是,在我开始授予访问权限之前,ApplicationPoolIdentity已经是IIS_IUSRS的成员,而IIS_IUSRS确实具有对临时asp文件目录的修改权限。
And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. 现在,我想知道为什么这种情况需要Authenticated Users组的Modify权限。 I thought it could be because the apppool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modification rights to the Windows\\Temp directory and/or the application directory itself did not fix it. 我以为是因为apppool帐户缺少其他权限(为此搜索返回了一些结果,所以我尝试了这些结果),但是向Windows \\ Temp目录和/或应用程序目录本身授予ApplicationPoolIdentity修改权限并不能解决问题。
For now we have a workaround, but I hate that I don't know what is exactly going on here, so I was hoping any of you guys could shed some light on this. 现在,我们有一个解决方法,但是我讨厌我不知道这里到底发生了什么,所以我希望大家能对此有所了解。
Thanx in advance! 提前感谢!
2 个解决方案
解决方案1
5 已采纳 2010-06-15 03:41:28
If the application pool is running as AppPool Identity then things should work out-of-the box since the worker process will be injected the IIS_IUSRS SID which will have the right permissions to write. 如果应用程序池作为AppPool身份运行,则应立即使用,因为工作进程将被注入IIS_IUSRS SID,该ID具有正确的写权限。
My guess, is that the application must be using Windows authentication and impersonation is enabled in ASP.NET so that code is probably be ran as the specific user that is making the request and not necesarilly the process identity. 我的猜测是,该应用程序必须使用Windows身份验证,并且已在ASP.NET中启用了模拟功能,以便可能以发出请求的特定用户身份运行代码,而不必使用进程标识。
Am I right on the guess that the app is running Windows Authentication? 我猜对了该应用程序正在运行Windows身份验证吗? and impersonation is enabled in asp.net ? 并且在asp.net中启用了模拟功能?
解决方案2
0 2010-06-29 11:52:42
Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. 可能与您不相关-但是,如果您以域用户身份运行应用程序池,则规则会在启动时自动将IIS_IUSRS令牌注入到进程中而更改。 This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory. 最近,当移至.net 4时,我们陷入困境,并且没有新的Temporary ASP.net Files目录的权限。
See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html 解决方法请参见此处: http : //www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.