Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/3632456/

Time: 2020-09-03 14:41:27  Source: igfitidea

IIS 7 impersonation and identities

.net iis-7 impersonation

Asked by ScottE

I'm trying to get used to IIS7, having worked with IIS6 for quite some time.

In IIS 6, I'd set <identity impersonate="true"/> in the web.config, and make sure that I applied the correct NTFS permissions to the IUSR_[MACHINENAME] account if a folder required more than read permissions.

In IIS 7, I'm having trouble duplicating this setup without resorting to applying too many permissions.

If I use <identity impersonate="true"/> in IIS 7, Environment.Username tells me that I'm indeed impersonating the IUSR account, which is the new equivalent. However, if I log into the admin portion of the website using forms authentication it impersonates differently than I expect.

With NetworkService set in the application pool:

  • not logged in: IUSR, not impersonating: [MACHINENAME]$
  • logged in: [MACHINENAME]$, not impersonating: [MACHINENAME]$

With LocalService set in the application pool:

  • not logged in: IUSR, not impersonating: LOCAL SERVICE
  • logged in: LOCAL SERVICE, not impersonating: LOCAL SERVICE

If I give the IIS_IUSRS account the NTFS permissions I can make things work just fine, but this seems odd. How can I always impersonate the IUSR account? Or, am I supposed to give the NTFS permissions to IIS_IUSRS?

I'd appreciate a good explanation of this change in IIS7 - I've searched around and can't find an explanation for this usage with forms authentication.

Accepted answer by Cypher

Here's a snippet from a technet article:

If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS 7 or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under an account set up for anonymous users (typically, IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.

Here is the full document:

http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx

Answer by Taylor Bird

The pipeline changes in IIS 7 handle authentication very differently than previous versions. Most scenarios are just as possible, but the setup is different.

You should look at this entry on "breaking changes" in IIS 7.0. It should help you narrow down to what's happening.

http://learn.iis.net/page.aspx/381/aspnet-20-breaking-changes-on-iis-70/

Hope that helps
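
The identity pairs listed in the question ("impersonating" versus "not impersonating", logged in versus not) can be read from inside a request with a small probe. This is an added example, not code from the original posts; the names IdentityProbe and Describe are hypothetical, and it assumes a classic ASP.NET application on .NET Framework (System.Web).

```csharp
// Added diagnostic example (hypothetical names; assumes System.Web on .NET Framework).
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class IdentityProbe
{
    // Returns one line per identity that matters when deciding which account needs an NTFS ACL.
    public static string Describe(HttpContext ctx)
    {
        var sb = new StringBuilder();

        // Application-level user: the forms-authentication name, or empty for anonymous requests.
        var user = ctx.User != null ? ctx.User.Identity : null;
        sb.AppendLine("Authenticated:     " + (user != null && user.IsAuthenticated));
        sb.AppendLine("Auth type / name:  " +
            (user != null ? user.AuthenticationType + " / " + user.Name : "(none)"));

        // Windows token IIS attached to this request.
        sb.AppendLine("IIS logon user:    " + ctx.Request.LogonUserIdentity.Name);

        // Token on the current thread: file access checks are made against this one.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Impersonating:     " + current.Name);
        }

        // Revert to the worker-process (application pool) token inside the using block;
        // disposing the context restores the impersonated token.
        using (WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero))
        using (WindowsIdentity process = WindowsIdentity.GetCurrent())
        {
            sb.AppendLine("Not impersonating: " + process.Name);
        }

        return sb.ToString();
    }
}
```

Call it from a page in both the anonymous and the logged-in state to see which account actually needs the folder ACL, and restrict that page to administrators because it discloses service account names.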
