具有 Windows 身份验证的 IIS 7.5 Web 应用程序是否需要最终用户具有文件权限? [英] Does an IIS 7.5 web app with windows authentication require end users to have file permissions?
问题描述
简短版本:
<块引用>对于带有 Windows 身份验证的 IIS 7.5 Web 应用程序用户需要具有读取文件访问权限?
长版:
我有一个使用 Windows 身份验证的 Intranet ASP.NET Web 应用程序.它安装在数十家不同的公司,通常身份验证工作正常:用户导航到该站点,例如http://appserver/MyApp,应用程序会识别他们的登录身份并相应地显示页面.我刚刚在一个新客户端上安装了它,遇到了一个问题:
连接时,例如到 http://appserver/MyApp 我被提示输入 Windows 凭据,但在输入它们后我被反复提示.几次重新输入凭据后,我看到一个 401 错误页面,上面写着401 - 未经授权:由于凭据无效,访问被拒绝.".因此,它不仅不会通过我的身份,甚至在输入用户名时也是如此.密码它仍然拒绝访问.
给予阅读和阅读对应用最终用户的执行权限解决了这个问题,但我认为这根本没有必要.
在 Windows 应用程序事件日志中,有一条消息请求的文件授权失败"以及线程帐户名:NT AUTHORITYNETWORK SERVICE 和用户:[正确的工作站用户的域帐户].这表明文件访问是以用户的身份执行的,而不是网络服务的 AppPool 身份.果然,如果我授予最终用户 Read &对应用程序目录的执行权限(我没有尝试只读)然后一切正常:当用户浏览到站点时,他们会自动进行身份验证,而不是提示,并且网站正确识别了他们的身份!因此,我的解决方法是给 Read &对应用程序目录中的所有人"执行权限...但这不是理想的解决方案.
这看起来很奇怪.我以前在 IIS 7.5 中从来不需要这样做,据我所知,在 IIS 6 或 IIS 7 中绝对不需要这样做.这是 IIS7.5 的新东西吗?文档说默认情况下模拟是关闭的.我在 web.config 中添加了一个元素,以确保删除了网络服务以外的文件权限,但问题仍然存在.
有什么想法吗?对于 IIS 7.5 上的 Windows 身份验证站点,最终用户需要对 Web 服务器文件的文件权限是否正常?
一些相关细节:
- 网络服务对应用文件夹拥有完全控制文件权限.
- 从服务器本身连接时,系统提示我输入凭据但是在输入它们后我通过了身份验证并且应用程序可以正常工作正确包括显示我的 Windows 登录和连接以及从数据库中检索数据.后来我确定这是在提示获取凭据,因为
http://localhost位于受信任的站点中因此不被认为是 Intranet 区域,因此不身份通过.我还确定它正在工作此用户身份,因为它是具有文件的管理员用户权限. - Web 服务器正在运行 Windows Server 2008 R2/IIS7.5.在我安装它之前,它没有 IIS.我安装了默认功能以及 Windows 身份验证、ASP.NET 和可能还有其他一些项目.我安装了一个单独的 WCF 应用程序使用 IIS,匿名身份验证 &.net 2.0 运行良好那个网络服务器.
- 应用安装过程是手动复制文件,创建 IIS 应用程序池 &Web 应用程序,更新连接字符串,等
- 我检查了 IE 安全设置.它认识到服务器与 Intranet 区域中的一样,并具有自动登录"选项仅在 Intranet 区域中选择.同样在高级设置中选中启用集成 Windows 身份验证"选项.
- 之后安装 IIS 我为 .net 2.0 运行
aspnet_regiis -i和aspnet_regiis -iru用于 .net 4.0. - 匿名身份验证是为我的应用程序禁用并启用了 Windows 身份验证.
- 该应用程序是在 ASP.NET v4 上运行,但我安装了另一个应用程序在运行 ASP.NET v2 时遇到同样的问题.
- 应用正在运行身份 = 网络服务并处于 32 位模式.
- 数据库连接字符串包括
Trusted Connection=True和数据库权限被授予 web 服务器帐户[domain][server]$例如DGMMyServer$. - 在 IIS > Authentication > Windows Authentication > Providers 中,列表是先协商,然后是 NTLM.我尝试重新排序,所以 NTLM 是第一个.
- 在 Windows 安全事件日志中有是一系列 Microsoft Windows 安全审核事件:登录和注销.他们表示登录成功并且是显示工作站用户的用户 ID.这是从什么时候我正在从另一个工作站连接并收到 401多次尝试后未获授权.
我看到有人遇到过这个问题 在此处报告,但没有解决方案.最初我发布在 ASP 然后是 IIS 论坛到目前为止没有答案.
更新:这篇msdn文章说><块引用>
当启用 Windows 身份验证但禁用模拟时,ASP.NET 在 文件授权 模块使用从浏览器发送的凭据 (我的重点).不需要启用模拟,因为 FileAuthorizationModule 模块确保允许请求用户对资源进行读访问或写访问,这取决于执行请求之前的请求动词(例如,GET 或 POST).此行为适用于输入托管代码的任何请求.在 ASP.NET 的早期版本中,访问基于 URI(例如Default.aspx")的文件会触发访问检查.在 ASP.NET MVC 应用程序中,通常使用无扩展名 URL 执行对资源的访问,此检查通常不适用,因为没有要检查的物理文件.在这种情况下,FileAuthorizationModule 类会回退到检查文件夹的访问控制列表 (ACL).
这确实表明最终用户需要对文件(在 .aspx 的情况下)或文件夹(在 MVC 的情况下)的权限……尽管这似乎仍然有些隐蔽且不确定.这篇关于 App Pools 的文章 说它们已经被使用作为保护资源的身份,这与需要向最终用户授予特权的想法相矛盾.除非应用程序池和网络服务的规则不同,否则可能是这种情况,但会令人惊讶.
简短的回答是否定的.在 IIS 7.0 和 IIS 7.5 中使用 Windows 身份验证时,您不需要授予文件访问权限.
我们之所以能够发现这一点,是因为我们的服务器管理员发现了向用户和组授予文件级访问权限所带来的安全和管理问题.
对于处理此问题的任何人,或者如果您正在设置新的 IIS7/IIS7.5 服务器和/或从 IIS 6 迁移,这里有一篇文章为您提供了所有需要的 Windows 身份验证选项和配置修改以避免向个人或组授予文件级访问权限.
请阅读帖子末尾的两条评论,以了解对本文中使用的方法的一些有效批评.
除了文章中的信息外,请注意 IIS 7.5 没有使用 system.web 的 Web 配置标记(至少在我的 MVC 4 应用程序中没有).
它在 system.webserver 标签中查找授权配置(您需要在其中列出用户访问您的应用程序所需的 windows 域组).
-- DSB
Short version:
For IIS 7.5 web applications with Windows Authentication does the end user need to have Read file access?
Long version:
I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
When connecting e.g. to http://appserver/MyApp I'm prompted for windows credentials but after entering them I'm repeatedly prompted. After several re-entering credentials I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Giving Read & Execute permissions to the end users of the app solves this problem, but I don't think this should be necessary at all.
In the windows Application Event Log there's a message "File authorization failed for the request" along with Thread account name: NT AUTHORITYNETWORK SERVICE and User: [the correct workstation users's domain account]. This suggests that the file access is being performed with the User's identity, not the AppPool identity of Network Service. Sure enough if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory...but this is not an ideal solution.
This seems very strange. I've never needed to do this before in IIS 7.5, so far as I recall, and definitely never needed to in IIS 6 or IIS 7. Is this a new IIS7.5 thing? The documentation says that Impersonation is turned off by default. I added a element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.
Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files?
Some relevant details:
- Network Service has Full Control file permissions to the app folder.
- When connecting from the server itself I was prompted for credentials
but after entering them i'm authenticated and the application works
correctly including displaying my windows login and connecting and
retrieving data from the db. I later determined that it was prompting
for credentials because
http://localhostwas in the trusted sites and therefore not recognised as the Intranet Zone and thus not passing identity through. I also determined that it was working as this user identity because it's an admin user who has file permissions. - The web server is running Windows Server 2008 R2 / IIS 7.5. It didn't have IIS on it until I installed it. I installed the default features as well as Windows Authentication, ASP.NET, and possibly a couple of other items. A separate WCF app I installed that uses IIS, anonymous authentication & .net 2.0 is working fine on that web server.
- The app install process is a manual copy of files, creation of IIS App Pools & web apps, updating connection strings, etc.
- I checked the IE security settings. It was recognizing the server as in the Intranet zone and had the option 'Automatic logon only in Intranet zone' selected. Also on Advanced Settings the 'Enable Integrated Windows Authentication' option was checked.
- After
installing IIS I ran
aspnet_regiis -ifor .net 2.0 andaspnet_regiis -irufor .net 4.0. - Anonymous authentication is disabled for my app and Windows Authentication enabled.
- The app is running on ASP.NET v4 but there's another app I installed experiencing the same issue running ASP.NET v2.
- The app is running with Identity = Network Service and in 32-bit mode.
- Database
connection string includes
Trusted Connection=Trueand database permissions are granted to the web server account[domain][server]$e.g.DGMMyServer$. - In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. I tried reordering so NTLM is first.
- In the Windows Security Event Log there were a series of Microsoft Windows security auditing events: Logon and Logoff. They indicated that the Logon was successful and was displaying the User Id of the workstation user. This are from when I'm connecting from another workstation and receive a 401 Unauthorized after several attempts.
I see someone has had this problem reported here but with no solution. Originally I posted in the ASP and then the IIS forums with no answers so far.
Update: This msdn article says
When Windows authentication is enabled but impersonation is disabled, ASP.NET performs file access checks in the file authorization module using the credentials that are sent from the browser (my emphasis). Impersonation does not need to be enabled, because the FileAuthorizationModule module ensures that the requesting user is allowed read access or write access to the resource, depending on the request verb (for example, GET or POST) before executing the request. This behavior applies to any requests that enter managed code. In earlier versions of ASP.NET, accessing files based on URIs such as "Default.aspx" triggered the access check. In ASP.NET MVC applications, where access to resources is typically performed using extensionless URLs, this check typically does not apply, because there is not a physical file to check. In that case, the FileAuthorizationModule class falls back to checking access-control lists (ACLs) for the folder.
This does suggest that the end user needs permissions to the files (in the case of .aspx) or the folder (for MVC) ... although still this seems slightly tucked away and non-definitive. This article about App Pools says they're used as the identity for securing resources, which contradicts the idea of needing to grant privileges to end users. Unless the rules are different for App Pools and NETWORK SERVICE, which could be the case but would be surprising.
The short answer is NO. You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.
We were only able to discover this because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.
For anyone dealing with this issue or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.
Please read the two comments in at the end of the POST for some valid critiques of the methods used in this article.
In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).
It is looking in the system.webserver tags for authorization configuration (where you will need to list the windows domaingroups a user needs to be in to access your application).
-- DSB
这篇关于具有 Windows 身份验证的 IIS 7.5 Web 应用程序是否需要最终用户具有文件权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
