ASP.NET 中的安全异常和 IIS 7.5 中的加载用户配置文件选项 [英] Security exceptions in ASP.NET and Load User Profile option in IIS 7.5

问题描述

在部署我们的 ASP.NET 2.0 应用程序的新版本后，它开始引发安全异常:„System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' 失败.".

After deployment of new version of our ASP.NET 2.0 application, it started to raise security exception: „System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.".

在互联网上进行快速研究后，我们能够通过在 IIS 7.5 应用程序池中将加载用户配置文件"设置为 True 来解决此问题.这个解决方案在stackoverflow上也多次提到:

After quick research on internet we were able to resolve this isse by setting „Load User Profile" to True in IIS 7.5 application pool. This solution is also mentioned several times here on stackoverflow:

• 奇怪的 ASP.NET 错误！
• System.Web.AspNetHostingPermission 新部署异常李>
• 运行 asp.net Web 应用程序IIS7 上的项目抛出异常

但是我们无法找到它必须为真的原因.我们审查了新版本中的所有更改(很高兴只有少数)，但没有发现任何可疑之处(如某些文章建议的那样，无法访问注册表或临时数据等).当 IIS 7.5 中托管的 ASP.NET 应用程序需要将加载用户配置文件"选项设置为 True 时，谁能给我们提示?

However we were unable to find reason why it has to be true. We reviewed all changes in new version (gladly there were only a few), but didn’t find anything suspicious (no access to registry or temp data as some articles suggested etc). Could anybody give us hints when an ASP.NET application hosted in IIS 7.5 needs „Load User Profile" option set to True?

详情:

• 应用程序池:.NET 2.0；托管管道模式 - 经典；身份 - 自定义域帐户
• 在 IIS 6.0 (W2K3) 中:新旧版本应用程序版本工作正常
• 在 IIS 7.5 (W2K8-R2) 中:旧版本的应用程序工作正常；新版本应用程序提高安全性例外——它在之后开始工作将加载用户配置文件"设置为 True

谢谢！

我们终于找到了这个问题的原因！我们的管理员使用不同的技术将新版本的应用程序从暂存环境复制到生产环境.他使用网络服务器作为中介.在将压缩的发布构建工件下载到生产环境然后解压缩文件后，它们仍被标记为已阻止"，因为它们来自不同的计算机.另请参阅 https://superuser.com/questions/38476/this-file-came-from-another-computer-how-can-i-unblock-all-the-files-in-a.ASP.NET 然后在逻辑上以部分信任而不是完全信任的方式执行这些二进制文件，这实际上导致了我们的应用程序中提到的安全异常.

We have finally found the cause of this problem! Our admin used different technique to copy the new version of application from staging environment to production environment. He used web server as intermediary. After donwloading zipped release build artifacts to production environment and then unzipping the files, they were still marked as "blocked" because they came from different computer. See also https://superuser.com/questions/38476/this-file-came-from-another-computer-how-can-i-unblock-all-the-files-in-a. ASP.NET then logically executes these binaries in partial trust instead of full trust and that was actually causing mentioned security exceptions in our application.

将加载用户配置文件"设置为 True 将安全异常修复为副作用.如果加载用户配置文件"设置为 False，那么我们的应用程序(不是我们的代码，可能是一些 .NET BCL 或外部程序集)正在尝试查询有关目录C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsTemporary Internet Files"，其中应用程序池的身份不允许:

Setting "Load User Profile" to True fixed the security exceptions as a side-effect. If "Load User Profile" is set to False, then our application (not our code, maybe some .NET BCL or external assembly) is trying to query basic info about directory "C:WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsTemporary Internet Files" which the identity of application pool is not allowed to:

• 完全信任:拒绝访问此查询操作不会引发任何异常
• 部分信任:拒绝访问此查询操作引发安全异常

如果加载用户配置文件"设置为 True，则每次应用程序池启动时都会在用户目录中创建临时配置文件.然后我们的应用程序尝试查询有关此配置文件的临时 Internet 文件"目录的信息，允许应用程序池的身份.因此，即使部分信任也不会引发异常.

If "Load User Profile" is set to True, then temporary profile in Users directory is created every time when application pool starts. Our application is then trying to query info about "Temporary Internet Files" directory of this profile, which the identity of application pool is allowed to. Thus no exception is raised even with partial trust.

非常好的故障排除会议！:)

Really nice troubleshooting session! :)

推荐答案

加载用户配置文件"设置可以帮助您的另一个示例是使用临时文件.有时这种用法可能是间接的.例如，SQL Express 在某些情况下可以做到这一点.

One more example when "Load User Profile" setting could helps you is usage of temporary files. Sometime this usege can be indirect. SQL Express for example can do this in some situations.

所以我的建议.关闭加载用户配置文件"并检查 %TEMP%.然后尝试为用于应用程序池的域帐户提供对 %TEMP% 目录的完全访问权限(或更改访问权限).可能它解决了你的问题.

So my advice. Switch off "Load User Profile" and examine %TEMP%. Then try to give domain account used for application pool the full access (or change access) to the directory from %TEMP%. Probably it fix your problem.

另一个建议是使用 Process Monitor(请参阅 http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)在您收到System.Security.SecurityException:请求System.Web.AspNetHostingPermission"类型的权限异常.

One more advice is usage of Process Monitor (see http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to locale which parts of user profile will be used (or receive "access denied" error) at the moment when you receive "System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission" exception.

这篇关于ASP.NET 中的安全异常和 IIS 7.5 中的加载用户配置文件选项的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！