[英]appcmd.exe set config doesn't check if username or password is invalid and sets it anyways
我正在使用后端 api 中的 winexe 在 Windows 域服务器上运行命令。 我想将 IIS App Pool Identity 设置为 Active Directory 中的帐户。 问题是在使用此命令时:
%windir%\system32\inetsrv\appcmd.exe set config /section:applicationPools ^
/[name='POOLNAME'].processModel.identityType:SpecificUser ^
/[name='POOLNAME'].processModel.userName:DOMAIN\USER ^
/[name='POOLNAME'].processModel.password:PASSWORD
即使用户名和密码不正确,它也每次都能成功运行。 甚至池也以错误的密码启动。 但是通过 GUI 设置错误的密码失败。
我想确定密码或用户名何时设置错误。
PS:我什至尝试在 powershell 上使用Set-ItemProperty
,结果是一样的。
您无法使用 AppPool 测试您的凭据,但您绝对可以测试它们。
# Service Principal credentials
$username = 'Username'
$password = 'Password' | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName 'System.Management.Automation.PSCredential' -ArgumentList $username, $password
if (Test-Credential -Credential $credential) {
Write-Verbose "Credentials for $($credential.UserName) are valid..."
# do the appcmd stuff
}
else {
Write-Warning 'Credentials are not valid or some other logic'
}
只需在脚本顶部添加Test-Credential
function 定义
function Test-Credential {
[CmdletBinding()]
Param
(
# Specifies the user account credentials to use when performing this task.
[Parameter()]
[ValidateNotNull()]
[System.Management.Automation.PSCredential]
[System.Management.Automation.Credential()]
$Credential = [System.Management.Automation.PSCredential]::Empty
)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DS = $null
$Username = $Credential.UserName
$SplitUser = $Username.Split('\')
if ($SplitUser.Count -eq 2 ) {$Username = $SplitUser[1]}
if ($SplitUser.Count -eq 1 -or $SplitUser[0] -eq $env:COMPUTERNAME ) {
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $env:COMPUTERNAME)
}
else {
try {
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain')
}
catch {
return $false
}
}
$DS.ValidateCredentials($Username, $Credential.GetNetworkCredential().Password)
}
(PS:代码是有效的,即使修饰符用反斜杠引用语法中断)
令人惊讶的是,我很困惑你可以这样做 - 但它仍然无法验证
appcmd set apppool junkapp /processmodel.password:junkpassword
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.