Scenario:
I need to remotely administer (create and destroy applications) an IIS server that is in the same domain as the server the change request originates from. I have an application pool set up to run under an authorized account. I have tested remote configuration successfully using IIS Manager and the account the web pool runs under, so I know the permissions are correct.
The error I get when doing this through code is this.
Type=System.Runtime.InteropServices.COMException
Source=mscorlib
Message=Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine <SERVERNAME> failed due to the following error: 800706ba <SERVERNAME>.
If I look at the event log on the remote IIS machine where the authentication is being attempted, I see the following error.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/13/2011 5:20:22 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: FQDN.local
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: UserName
Account Domain: DOMAIN
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc00002ee
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-07-13T21:20:22.234292500Z" />
<EventRecordID>12046</EventRecordID>
<Correlation />
<Execution ProcessID="556" ThreadID="8984" />
<Channel>Security</Channel>
<Computer>FQDN.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">UserName</Data>
<Data Name="TargetDomainName">DOMAIN</Data>
<Data Name="Status">0xc00002ee</Data>
<Data Name="FailureReason">%%2304</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
I have done a lot of searching on this and have not found anything that seems to point me in the right direction. I did find some material about forest trusts, which may be the problem, but I am no AD wizard and it is all over my head. I feel the appropriate permissions are in place because I can get it working with IIS Manager; it only fails when using Microsoft.Web.Administration and ServerManager.OpenRemote().
UPDATE
I did disable UAC on both machines and added the certificate from the target IIS machine to the certificate store on the requesting machine. Still getting the same error.
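The 4625 event above is reproduced in its XML form, which is the form a log collector or SIEM actually receives. The following Python helper is an added example, not code from the question or the answer: it parses that XML (embedded below, copied from the question with the System section trimmed), pulls out the fields that matter for triage (target account, logon type, authentication package, Status/SubStatus), and decodes the NTSTATUS value. The code mapping covers the 0xC00002EE seen here plus a few other well-known 4625 codes so the helper generalises to other failures; the flags `remote_kerberos` and `source_unknown` are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Namespace of the <Event> element in the exported XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes seen in the Status / SubStatus fields of event 4625.
# 0xC00002EE is the value from the event in the question (its Failure Reason
# text reads "An Error occured during Logon"); the other entries are common
# 4625 codes documented by Microsoft, included so the helper generalises.
STATUS_TEXT = {
    0x0: "none",
    0xC00002EE: "an error occurred during logon (STATUS_UNFINISHED_CONTEXT_DELETED)",
    0xC000006D: "bad user name or authentication information",
    0xC000006A: "wrong password",
    0xC0000064: "user name does not exist",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC000015B: "logon type not granted",
}

# Sample input: the event XML posted in the question, System section trimmed.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<TimeCreated SystemTime="2011-07-13T21:20:22.234292500Z" />
<Channel>Security</Channel>
<Computer>FQDN.local</Computer>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">UserName</Data>
<Data Name="TargetDomainName">DOMAIN</Data>
<Data Name="Status">0xc00002ee</Data>
<Data Name="FailureReason">%%2304</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">Kerberos</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="WorkstationName">-</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Flatten the <System> fields we need and every <Data Name=...> into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def triage_4625(xml_text: str) -> dict:
    """Summarise a 4625 event so the kind of failure can be classified at a glance."""
    ev = parse_event(xml_text)
    if ev["EventID"] != 4625:
        raise ValueError(f"not a 4625 event: {ev['EventID']}")
    status = int(ev["Status"], 16)          # int() accepts the 0x prefix with base 16
    sub_status = int(ev["SubStatus"], 16)
    reason_code = sub_status or status      # SubStatus is the more specific reason when set
    logon_type = int(ev["LogonType"])
    package = ev["AuthenticationPackageName"]
    return {
        "computer": ev["Computer"],
        "time": ev["TimeCreated"],
        "target": f"{ev['TargetDomainName']}\\{ev['TargetUserName']}",
        "logon_type": logon_type,
        "package": package,
        "status": status,
        "sub_status": sub_status,
        "reason": STATUS_TEXT.get(reason_code, f"unknown NTSTATUS 0x{reason_code:08X}"),
        # Logon type 3 over Kerberos: the caller is on another host (network logon).
        "remote_kerberos": logon_type == 3 and package == "Kerberos",
        # This failure path records neither workstation name nor source address,
        # so the client must be identified from the client side or a trace.
        "source_unknown": ev["WorkstationName"] == "-" and ev["IpAddress"] == "-",
    }


if __name__ == "__main__":
    for key, value in triage_4625(SAMPLE_4625).items():
        print(f"{key:>15}: {value}")
```

Run against the sample, the helper reports a network (type 3) Kerberos logon for DOMAIN\UserName that failed with 0xC00002EE and no recorded source host, which is exactly the combination that makes this event hard to attribute from the server side alone.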
Sounds strange, just a few thoughts:
Update: check whether the user has the "Act as part of the operating system" user right, see the bottom of this page http://msdn.microsoft.com/en-us/library/ff647404.aspx#paght000023_delegationtable under the heading "Windows Server 2003 considerations".
To me this most likely sounds like a Kerberos constrained delegation issue. It was introduced with Windows Server 2003 to restrict web servers from accessing remote resources via Kerberos (because if the web server gets compromised, things get a bit ugly). Have a look at this for configuring servers trusted for delegation: http://technet.microsoft.com/en-us/library/ee675779.aspx
Another thought: have you verified that your client application is using the credentials you expect it to use (maybe you already know this, but there is no guarantee it uses the application pool identity, especially if you have something like <identity impersonate="true"/> in your web.config or impersonation in code; please check something like http://retkomma.wordpress.com/2009/07/28/how-to-debug-http-error-401-unauthorized-in-asp-net-via-iis/)?
Final debugging idea: additionally, you could use a tool like WireShark http://www.wireshark.org/ to get a deeper insight into whether the Kerberos authentication succeeds; kerberos is sometimes really nasty...