通过 WMI 问题从 ASP.NET 重新启动应用程序池

Question

I've been trying to create a C# ASP.NET page which sits on a Windows Server 2003 IIS 6 server and when called (remotely), restarts/recycles a specific application pool on the server.我一直在尝试创建一个 C# ASP.NET 页面，该页面位于 Windows Server 2003 IIS 6 服务器上，并在（远程）调用时重新启动/回收服务器上的特定应用程序池。

I've not been having much luck, does anyone know where I'm going wrong?我运气不太好，有谁知道我哪里出错了？ I've tried many combinations and tried running direct from server but to no-avail.我尝试了很多组合并尝试直接从服务器运行但无济于事。

When I don't pass the credentials over I get the error...当我不传递凭据时，我收到错误...

Access is denied访问被拒绝

...and when I do pass them I get the error... ......当我通过它们时，我得到了错误......

User credentials cannot be used for local connections用户凭据不能用于本地连接

I've also tried elevating permissions with the anon account just to test but again it wouldn't work.我也试过用匿名帐户提升权限只是为了测试，但它再次不起作用。 Is this possible what I'm trying to achieve?这可能是我想要实现的目标吗？

try
{
    ManagementScope scope = new ManagementScope("root\\MicrosoftIISv2");
    scope.Path.Server = "servername";
    scope.Path.Path = "\\\\servername\\root\\MicrosoftIISv2";
    scope.Path.NamespacePath = "root\\MicrosoftIISv2";
    scope.Options.Username = "domain\\user";
    scope.Options.Password = "password";
    scope.Options.Authentication = AuthenticationLevel.Default;
    scope.Options.Impersonation = ImpersonationLevel.Impersonate;
    scope.Options.EnablePrivileges = true;
    scope.Connect();

    ManagementObject appPool = new ManagementObject(scope, new ManagementPath("IIsApplicationPool.Name='W3SVC/AppPools/AppPoolName'"), null);
    appPool.InvokeMethod("Recycle", null, null);
}
catch (System.Exception ex)
{
}

Answer 1

You can't use the username/password option for local WMI connections.您不能将用户名/密码选项用于本地 WMI 连接。 By default for local WMI connections the credentials of the logged on user are used (in your case the Identity of the application pool of your website).默认情况下，本地 WMI 连接使用登录用户的凭据（在您的情况下是您网站的应用程序池的标识）。 I think you have two options using WMI from your website:我认为您有两种选择从您的网站使用 WMI：

First option: Grant the identity of your application pool enough permissions to use WMI (recycle applications pools).第一个选项：授予您的应用程序池标识足够的权限以使用 WMI（回收应用程序池）。
Second option: Use impersonation.第二种选择：使用模拟。

Here is an example:下面是一个例子：

public class _Default : Page
{
  [DllImport("advapi32.dll", SetLastError = true)]
  static extern bool LogonUser(string principal, string authority,string password, uint logonType, uint logonProvider, out IntPtr token);

  [DllImport("kernel32.dll", SetLastError = true)]
  static extern bool CloseHandle(IntPtr handle); 

  protected void OnClick(object sender, EventArgs e)
  {
    IntPtr token = IntPtr.Zero;
    WindowsImpersonationContext impUser = null;

    try
    {        
      bool result = LogonUser("administrator", "contoso",
                            "P@$$W0rd", 3, 0, out token);
      if (result)
      {
        WindowsIdentity wid = new WindowsIdentity(token);
        impUser = wid.Impersonate();

        try
        {
          ManagementScope scope = new ManagementScope("root\\MicrosoftIISv2");
          scope.Path.Server = "srvcontoso";
          scope.Path.Path = "\\\\srvcontoso\\root\\MicrosoftIISv2";
          scope.Path.NamespacePath = "root\\MicrosoftIISv2";

          scope.Connect();

          ManagementObject appPool = new ManagementObject(scope, new ManagementPath("IIsApplicationPool.Name='W3SVC/AppPools/DefaultAppPool'"), null);
          appPool.InvokeMethod("Recycle", null, null);
         }
         catch (System.Exception ex)
         {
         } 
       }
    }
    catch
    {        
    }
    finally
    {         
      if (impUser  != null)
        impUser .Undo();

      if (token != IntPtr.Zero)
        CloseHandle(token);
    }                 
  }
}

Hope, this helps.希望这可以帮助。

Answer 2

It is not possible to specify alternate credentials when connecting to the local WMI service.连接到本地 WMI 服务时无法指定备用凭据。

Internally , the ManagementScope.Connect() method uses the ConnectServerWmi function , which is a wrapper around the IWbemLocator::ConnectServer method . 在内部， ManagementScope.Connect()方法使用ConnectServerWmi函数，它是IWbemLocator::ConnectServer方法的包装器。 That documentation states...该文件指出...

Do not specify strUser , strPassword , or strAuthority when making a connection to a local namespace.在连接到本地命名空间时，不要指定strUser 、 strPassword或strAuthority 。 For more information, see Connecting to WMI on a Remote Computer .有关详细信息，请参阅在远程计算机上连接到 WMI 。

If you follow that link you'll find it says...如果您点击该链接，您会发现它说...

If you were trying to access a different account, you would need to supply additional credentials.如果您尝试访问其他帐户，则需要提供其他凭据。 (Note that trying to access WMI locally with credentials different than your current account is not permitted.) （请注意，不允许尝试使用与当前帐户不同的凭据在本地访问 WMI。）

So, there is simply no way to do this through the WMI API.因此，根本无法通过 WMI API 执行此操作。 A workaround I had success with is to use impersonation, as in the accepted answer.我成功的解决方法是使用模拟，如已接受的答案。 The documentation for the WindowsIdentity.Impersonate() method provides a good, robust example of this. WindowsIdentity.Impersonate()方法的文档提供了一个很好的、健壮的示例。

通过 WMI 问题从 ASP.NET 重新启动应用程序池

问题描述

2 个解决方案

解决方案1
3 已采纳 2011-08-26 21:22:44

解决方案2
0 2020-02-19 02:09:18

通过 WMI 问题从 ASP.NET 重新启动应用程序池

问题描述

2 个解决方案

解决方案1 3 已采纳 2011-08-26 21:22:44

解决方案2 0 2020-02-19 02:09:18

解决方案1
3 已采纳 2011-08-26 21:22:44

解决方案2
0 2020-02-19 02:09:18