stackoom
  简体   繁体   中英

Assign User to IIS AppPool via Powershell

 原文  2011-03-24 23:03:33       iis-7/ powershell

Question

I tried this code and it appears to work fine. However, i noticed if you assign the username and password to an account that does not exist the code continues without issue. In addition, if you assign an invalid account and call stop() and then start() the IIS pool indeed stops and starts!! Furthermore, when I go to InetMgr and start,stop or recylce the pool it also stops and starts without complaining!

I was hoping that adding an invalid account would throw an error effectively allowing me to test the validity of an account. Why does it behave this way? 

$loginfile = "d:\temp\Logins.csv"
$csv = Import-Csv -path $loginfile
ForEach($line in $csv){

   $poolid = "MyDomain\" + $line.Login;
   Write-Host "Assigning User to Pool:" $poolid;

   $testpool = get-item iis:\apppools\test;
   $testpool.processModel.userName = $poolid;
   $testpool.processModel.password = $line.Pwd;
   $testpool.processModel.identityType = 3;
   $testpool | Set-Item
   $testpool.Stop();
   $testpool.Start();
   Write-Host "IIS Recycled";

   $testpool = get-item iis:\apppools\test;
   write-host "New Pool User: " $testpool.processModel.userName;
   write-host "New Pool PWd: " $testpool.processModel.password;
}

2 answers

solution1
 8 ACCPTED  2011-04-27 19:04:52

You should always validate your credentials before setting the pool identity. This can be accomplished via the PrincipalContext .NET class -- specifically look at PrincipalContext.ValidateCredentials(user, password).

Sample: 

#-- Make sure the proper Assembly is loaded
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") | out-null

#-- Code to check user credentials -- put in function but here are the guts
#-- Recommend you use SecureStrings and convert where needed
$ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $ct,"domainname"
$isValid = $pc.ValidateCredentials("myuser","mypassword")

If local account change the $ct to 'Machine' ContextType.

solution2
 4  2011-03-25 13:08:15

Start and Stop are something of a misnomer. They should really be named Enable and Disable .

The worker process for the pool won't actually "start" until it needs to service a request.

It's at that point authentication takes place. If the username and password are invalid then you'll get a 503 Service Unavailable response and three events (5021, 5057 and 5059) logged by the WAS in the System event log.

There is no up-front checking of the validity of a pool's identity when using the API's. Only the IIS management console performs these checks.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Login failed for user 'IIS APPPOOL\myAppPool Stopping iis apppool user from connecting to sql The permissions granted to user IIS APPPOOL\ASP.NET v4.0 are insufficient for performing this operation. (rsAccessDenied) The login failed. Login failed for user 'IIS APPPOOL\ASP.NET v4.0' Login failed for user 'IIS APPPOOL\ASP.NET v4.0' Add IIS 7 AppPool Identities as SQL Server Logons Permission set for newly created IIS AppPool Identity Powershell IIS7 Snap in Assign SSL certificate to https binding IIS7 slow appPool startup compared to IIS6 IIS7 apppool auto recycling causing upload issues
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM