User rights needed for IIS 7.5 application pool user (domain user, not the AppPoolIdentity)


Question

We have an active directory domain (let's call it foodomain) and a domain user account (foodomain\fooAppPoolUser) used for the IIS application pool identity.

We want to run the app pool under this user account and not under Network Service or the new AppPoolIdentity as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.

The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.

First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.

So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.

Somewhere I read that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed).

I hope I was clear enough what the question is and hope somebody has an answer.

Answer

It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.

Here's what I believe you should do to enable an account to work as an ApplicationPool identity:

• Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
• Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
• If security policy is using Windows defaults that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start but not necessarily all required):
  • Access this computer from the network
  • Adjust memory quotas for a process
  • Allow log on locally
  • Bypass traverse checking
  • Generate security audit details
  • Impersonate a client after authentication - (Often not available by default on locked-down environments)
  • Log on as a batch job - (Often not available by default on locked-down environments)
  • Log on as a service - (I'm not sure this is needed)
  • Replace a process level token

Fun reading:

• Default permissions and user rights for IIS 7.0, 7.5, 8.0. This is the best reference, see the user rights at the bottom.
• User Rights (on Windows Server 2008, but still interesting and helpful as it's a long article you can CTRL+F to find IIS-related comments)
• User Rights Assignment on Server 2008 R2+. You have to drill into each right to see what it mentions about IIS.
• How To: Create a Service Account for an ASP.NET 2.0 Application - pity there's no more recent version of this article.
• SPN Checklist for Kerberos on IIS7/7.5
• How to use SPNs - applies to IIS6 or to 7/8 if Kernel-mode authentication is turned off.
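The answer's checklist is easiest to verify on the IIS host itself: the script below, an added example that is not part of the original answer, exports the local user-rights policy with secedit and reports, for each right the answer names, whether the account from the question (foodomain\fooAppPoolUser, a placeholder to replace) holds it directly or through BUILTIN\IIS_IUSRS. Rights inherited through other groups (Everyone, Users, a domain group) are not resolved.

```powershell
# Added example (not from the original answer): audit the app-pool account against the
# user rights listed in the answer. Run elevated on the IIS host; the account is the
# question's placeholder name.
param([string]$Account = 'foodomain\fooAppPoolUser')

# Display name shown in the Local Security Policy console -> constant stored in the policy.
$RightsToCheck = [ordered]@{
    'Access this computer from the network'      = 'SeNetworkLogonRight'
    'Adjust memory quotas for a process'         = 'SeIncreaseQuotaPrivilege'
    'Allow log on locally'                       = 'SeInteractiveLogonRight'
    'Bypass traverse checking'                   = 'SeChangeNotifyPrivilege'
    'Generate security audit details'            = 'SeAuditPrivilege'
    'Impersonate a client after authentication'  = 'SeImpersonatePrivilege'
    'Log on as a batch job'                      = 'SeBatchLogonRight'
    'Log on as a service'                        = 'SeServiceLogonRight'
    'Replace a process level token'              = 'SeAssignPrimaryTokenPrivilege'
}

# secedit records grantees as SIDs prefixed with '*', so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$iisUsersSid = 'S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS

# Direct membership in IIS_IUSRS (the answer's second step). net localgroup lists
# domain members as DOMAIN\user, one per line, and exists on Server 2008 R2.
$inIisUsers = [bool]((net localgroup IIS_IUSRS) | Where-Object { $_.Trim() -ieq $Account })

# Export only the [Privilege Rights] area of the effective local policy and parse it.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

# One row per right: granted to the SID itself, or to IIS_IUSRS while the account is a member.
# Rights inherited from other groups (Everyone, Users, domain groups) are not resolved here.
$report = foreach ($right in $RightsToCheck.GetEnumerator()) {
    $line     = $policy | Where-Object { $_ -like "$($right.Value) =*" }
    $grantees = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
    [pscustomobject]@{
        Right      = $right.Key
        Direct     = ($grantees -contains "*$sid") -or ($grantees -contains $Account)
        ViaIisUsrs = $inIisUsers -and ($grantees -contains "*$iisUsersSid")
    }
}
$report | Format-Table -AutoSize
```

A right that shows neither Direct nor ViaIisUsrs is either inherited from another group or, on a locked-down host, the one a group policy has withheld; compare the table against the answer's list before touching the policy.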
