当我设置 IIS 池的 LoadUserProfile 时究竟会发生什么? [英] What exactly happens when I set LoadUserProfile of IIS pool?
问题描述
我遇到了以下问题.
我运行以下代码
var binaryData = File.ReadAllBytes(pathToPfxFile);
var cert = new X509Certificate2(binaryData, password);
在两个过程中.其中一个进程在 LOCAL_SYSTEM 下运行,并且该代码成功.另一个在属于用户"本地组的本地用户帐户下在 IIS 中运行,我得到以下异常:
in two processes. One of the processes runs under LOCAL_SYSTEM and there this code succeeds. Another one runs inside IIS under a local user account belonging to "Users" local group and there I get the following exception:
System.Security.Cryptography.CryptographicException
Object was not found.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
//my code here
所以我在 Google 上搜索了一下,发现 this answer 是一个类似问题的答案.我尝试为应用程序池启用 LoadUserProfile,它现在可以工作了.
So I Googled a bit and found this answer to a kind of similar question. I tried to enable LoadUserProfile for the application pool and it works now.
问题是我不知道设置 LoadUserProfile 时究竟发生了什么以及可能产生的后果.我的意思是,如果它是好"的东西,那么为什么默认情况下它不是开启"的,为什么它毕竟存在?
The problem is I don't get what exactly happens when I set LoadUserProfile and what consequences that might have. I mean if it's a "good" thing then why it is not "on" by default and why is it there after all?
当我在 IIS 池中设置 LoadUserProfile 时究竟会发生什么,它会产生什么负面后果?
What exactly happens when I set LoadUserProfile in IIS pool and what negative consequences can it have?
推荐答案
我的意思是,如果它是好"的东西,那么为什么默认情况下它不是开启"的,为什么它毕竟存在呢?
I mean if it's a "good" thing then why it is not "on" by default and why is it there after all?
IIS 6 从不加载用户配置文件.我假设默认情况下这是关闭的以保持行为一致,并且管理员必须选择加入.
IIS 6 never loaded user profiles. I would assume this is off by default to keep the behavior consistent, and an administrator has to opt-in to it.
我尝试为应用程序池启用 LoadUserProfile,它现在可以工作了.
I tried to enable LoadUserProfile for the application pool and it works now.
这很可能是因为 Windows 加密服务提供商试图在用户存储中存储或加载您的证书的密钥,并且由于配置文件不可用,因此 加密上下文不可用.请注意,Load User Profile 设置仅适用于用户帐户.NETWORK SERVICE 和 ApplicationPoolIdentity 等服务帐户有特殊处理.
This is most likely because the Windows Cryptographic Service Provider was trying to store or load a key for your certificate in the user store, and since a profile was not available, a cryptographic context was not available. Note that the Load User Profile setting only applies to user accounts. Service Accounts like NETWORK SERVICE and ApplicationPoolIdentity have special handling.
当我在 IIS 池中设置 LoadUserProfile 时会发生什么
What exactly happens when I set LoadUserProfile in IIS pool
好吧,用户配置文件已加载.这包括他们的加密存储、环境变量(例如 %TEMP%)和其他变量.
Well, the user profile is loaded. This includes their cryptographic store, environment variables such as %TEMP%, and other ones.
最终归结为 LoadUserProfile 在 AppPool 启动时被 IIS 调用.
What it eventually boils down to is LoadUserProfile is called by IIS when the AppPool starts.
它会产生什么负面后果?
what negative consequences can it have?
它可能会破坏与在 IIS 6 上运行的应用程序的向后兼容性,该应用程序未加载用户配置文件.环境变量已加载.例如,当 Load User Profile 为 true 时,%TEMP% 环境变量为 C:UsersAccountNameAppDataLocalTemp(例如).如果为 false,则为 C:WINDOWSTemp.
It may break backwards compatibility with an app that ran on IIS 6, which didn't load the user profile. The environment variables are loaded. For example, when Load User Profile is true, the %TEMP% environment variable is C:UsersAccountNameAppDataLocalTemp (for example). When false, it's C:WINDOWSTemp.
这篇关于当我设置 IIS 池的 LoadUserProfile 时究竟会发生什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
