COMException received during authentication when administering IIS remotely with Microsoft.Web.Administration (tags: authentication, Microsoft, IIS)

2023-09-04 08:30:58 Author: 我要做最坚强的孩子

Scenario:

I need to remotely administer an IIS server (create and destroy applications) that is on the same domain as the server requesting the changes. I have an application pool set up to run under an authorized account. I have tested remote configuration using the IIS Manager and the account under which the web pool is running successfully, so I know the permissions are correct.

The error I get while doing this via code is this.

Type=System.Runtime.InteropServices.COMException
Source=mscorlib
Message=Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine <SERVERNAME> failed due to the following error: 800706ba <SERVERNAME>.

If I look at the event logs on the remote IIS machine with which I am trying to authenticate, I see the following error.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/13/2011 5:20:22 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      FQDN.local
Description:
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       UserName
    Account Domain:     DOMAIN

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0xc00002ee
    Sub Status:     0x0

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-13T21:20:22.234292500Z" />
    <EventRecordID>12046</EventRecordID>
    <Correlation />
    <Execution ProcessID="556" ThreadID="8984" />
    <Channel>Security</Channel>
    <Computer>FQDN.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">UserName</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="Status">0xc00002ee</Data>
    <Data Name="FailureReason">%%2304</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

I have done a lot of searching on this and have not found anything that seems to point me in the right direction. I did find something that talked about forest trust and that might be the issue, but I am not an AD wiz and it all went over my head. I feel like the appropriate permissions are in place since I can get this to work using the IIS Manager just fine; it only fails when using Microsoft.Web.Administration and ServerManager.OpenRemote().

Update

I did disable UAC on both machines and I added the certificate from the target IIS machine to the certificate store on the requesting machine. Still getting the same error.

Recommended answer

It sounds strange - just some thoughts:

Update: Check that the user has "Act as part of the operating system" user right, please cf. the bottom of this page under the header "Windows Server 2003 considerations".

Most likely, to me it sounds like a Kerberos constrained delegation issue. This was introduced with Windows Server 2003, mainly to constrain web servers accessing remote resources via Kerberos (because, if the web server is compromised, it gets kind of ugly). Take a look at this on configuring a server to be trusted for delegation: http://technet.microsoft.com/en-us/library/ee675779.aspx.

Another idea: Have you verified that your client app is using the credentials that you expect it to use? (Perhaps you are already aware, but it is not guaranteed that it uses the app pool identity, especially if you have something like <identity impersonate="true"/> in your web.config or impersonation in code - please check out something like http://retkomma.wordpress.com/2009/07/28/how-to-debug-http-error-401-unauthorized-in-asp-net-via-iis/.)

Final debugging idea: Also, you can get a more low-level view of whether the Kerberos authentication is successful by using a tool like Wireshark - Kerberos can be really nasty sometimes...
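The checks suggested in this answer (which identity the client really runs as, whether the account and target host are set up for delegation, the "Act as part of the operating system" right, and what the 4625 events on the target actually say) can be collected in one pass. The following PowerShell script is an added diagnostic example written for this page; it is not code from the question, the answer, or Microsoft. It assumes placeholder names ($Server for the <SERVERNAME> in the question, DOMAIN\svc_iisadmin for the app-pool account), that the ActiveDirectory RSAT module is installed on the requesting machine, that Microsoft.Web.Administration.dll is present under inetsrv there, and that remote event-log access to the target is permitted. Run it on the requesting machine under the identity the app pool is expected to use.

```powershell
# Added diagnostic script (not from the original post). All names below are assumptions:
#   $Server  - the target IIS host (<SERVERNAME> in the question)
#   $Account - the app-pool account (UserName in the 4625 event)
#   $Domain  - its domain (DOMAIN in the 4625 event)
param(
    [string]$Server  = 'IISSERVER',      # assumption: placeholder host name
    [string]$Account = 'svc_iisadmin',   # assumption: placeholder sAMAccountName
    [string]$Domain  = 'DOMAIN'
)

# 1. Which identity is the caller really using? With <identity impersonate="true"/>
#    this is the impersonated user, not the app-pool identity, and that changes what
#    Kerberos presents to the target.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Caller: {0}  AuthType: {1}  Impersonation: {2}" -f $id.Name, $id.AuthenticationType, $id.ImpersonationLevel

# 2. Does the client already hold a Kerberos ticket for the target host? No ticket at
#    all usually points at an SPN or name-resolution problem rather than at ACLs.
klist | Select-String -SimpleMatch $Server

# 3. Delegation configuration in AD (requires the ActiveDirectory RSAT module).
#    Unconstrained: TrustedForDelegation = True.
#    Constrained:   msDS-AllowedToDelegateTo lists the SPNs the account may delegate to.
#    AccountNotDelegated = True ("sensitive, cannot be delegated") breaks any double hop.
Import-Module ActiveDirectory
$props = 'TrustedForDelegation', 'msDS-AllowedToDelegateTo', 'AccountNotDelegated', 'ServicePrincipalName'
Get-ADUser -Identity $Account -Properties $props |
    Select-Object Name, TrustedForDelegation, AccountNotDelegated,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } },
        @{ n = 'SPNs';                e = { $_.ServicePrincipalName -join ';' } }
Get-ADComputer -Identity $Server -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }

# 4. Is "Act as part of the operating system" (SeTcbPrivilege) assigned on this box?
#    secedit only exports privileges that are assigned, so no output means "not granted".
#    Needs an elevated shell.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg | Out-Null
Select-String -Path $cfg -Pattern '^SeTcbPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 5. Reproduce the failing call outside the web app with the same API the question uses.
#    Assumption: the DLL ships with IIS on the requesting machine at this path.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
try {
    $sm = [Microsoft.Web.Administration.ServerManager]::OpenRemote($Server)
    "OpenRemote OK - {0} site(s), {1} app pool(s)" -f $sm.Sites.Count, $sm.ApplicationPools.Count
    $sm.Dispose()
} catch {
    # PowerShell may wrap the .NET exception; unwrap down to the COMException.
    $ex = $_.Exception
    while ($ex.InnerException -and $ex -isnot [System.Runtime.InteropServices.COMException]) {
        $ex = $ex.InnerException
    }
    # 0x800706BA is HRESULT_FROM_WIN32(1722) = RPC_S_SERVER_UNAVAILABLE: the DCOM
    # activation never completed, consistent with a Kerberos context torn down early.
    "OpenRemote failed: HRESULT 0x{0:X8} - {1}" -f $ex.HResult, $ex.Message
}

# 6. On the target: pull the matching 4625 events and decode the fields that matter.
#    Status 0xC00002EE is STATUS_UNFINISHED_CONTEXT_DELETED (the security context was
#    deleted before the Kerberos exchange finished). That is a handshake problem, not a
#    bad password, which would show 0xC000006D / sub-status 0xC000006A.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Package   = $d.AuthenticationPackageName
            Status    = $d.Status
            SubStatus = $d.SubStatus
            Source    = $d.IpAddress
        }
    } |
    Where-Object { $_.User -eq "$Domain\$Account" } |
    Format-Table -AutoSize
```

Read the output top to bottom: if step 1 shows an unexpected caller, fix impersonation before touching AD; if step 3 shows AccountNotDelegated or an empty AllowedToDelegateTo on an account that must double-hop, that is the constrained delegation case the answer describes; step 5 gives the same HRESULT the question reports so you can retest without redeploying the web app; and step 6 confirms on the target whether the failures still carry the 0xC00002EE status (handshake never completed) or have changed into an ordinary credential or authorization error, which tells you whether the fix moved the problem or solved it.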