IIS 7.5应用程序池写入权限被拒绝 [英] IIS 7.5 App Pool write permissions denied
问题描述
我有一个在IIS 7.5上运行的Web应用程序,并且存在一些权限问题.该站点将读取/提供文件,但在任何情况下均不会写入任何文件位置.理想情况下,我会写一个非本地共享,但是我现在只是想让应用程序写一个本地共享/驱动器.我尝试将身份设置为专门为此应用程序设置的域服务帐户,内置的网络服务帐户以及没有运气的ApplicationPoolIdentity.值得一提的是,该服务器是在与其他服务器共享的硬件上运行的虚拟实例.
I have a web application that is running on IIS 7.5 and is having some permission issues. The site will read/serve files, but will not write to any file location under any circumstances. Ideally, I'd be writing to a non-local share, but I'm currently just trying to get the application to write to a local share/drive. I've tried setting the identity to a domain service account set up specifically for this application, the built in Network Service account, and the ApplicationPoolIdentity with no luck. It may be worth mentioning that this server is a virtualized instance running on shared hardware with other servers.
为了尝试解决该问题,我已将完全控制权授予:
In order to try and grasp the issue, I have granted full control to:
(MACHINE NAME)
(MACHINE NAME)\Users
(MACHINE NAME)\IUSR
(MACHINE NAME)\IIS_IUSRS
(DOMAIN NAME)\(MACHINE NAME)
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
(APPLICATION POOL IDENTITY)
(DOMAIN NAME)\(SERVICE ACCOUNT NAME)
我已经手动验证了所有这些帐户/组在文件/文件夹的安全性选项卡上的完全控制权.
I have manually verified that all these accounts/groups have full control on the security tab of the file/folder.
应用程序池在集成托管管道上的.NET Framework v4.0下运行.我已经尝试过,将加载用户配置文件"设置为true和false都没有运气.该网站本身已设置为应用程序通过身份验证.
The app pool is running under the .NET Framework v4.0 on the Integrated Managed Pipeline. I've tried it with Load User Profile set to both true and false with no luck. The site itself is set to application pass-through authentication.
浏览器中抛出的错误是:
The error thrown in the browser is:
Access to the path 'D:\Dataload\LOG.txt' is denied.
[UnauthorizedAccessException: Access to the path 'D:\Dataload\LOG.txt' is denied.]
我尝试用已创建和未创建的文件写入该文件.我还尝试通过服务器路径而不是驱动器名称来调用文件.
I've tried writing to that file with it already created as well as not created. I've also tried calling the file by its server path instead of the drive name.
在Microsoft的Process Monitor中查看事件:
Viewing the event in Microsoft's Process Monitor:
Operation: CreateFile
Result: ACCESS DENIED
Desired Access: Generic Write, Read Attributes
Disposition: OpenIF
Options:Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Open No Recall
Attributes:n/a
ShareMode: Read
User:NT AUTHORITY\NETWORK SERVICE (this will correctly change depending on the identity I set)
组或帐户是否缺少某些内容,或者可能是我可能忽略的IIS设置阻止了写访问?
Is there something I am missing with groups or accounts, or possibly an IIS setting I could be overlooking that prevents write access?
推荐答案
我前不久想出了答案,却在这里忘了我的帖子.在此特定情况下,问题出在服务器上的Internet Explorer Enhanced Security Configuration设置上.为了查看Windows Server 2008 R2中的设置,请转到Server Manager并在主页上显示您的视图.到达那里后,请转到Security Settings部分.在这里,您将看到一个名为IE Enhanced Security Configuration (ESC)的项目,它旁边是管理员和用户的当前设置.就我而言,管理员和用户在此新服务器上的默认设置都设置为On.将这些设置为Off允许网络服务帐户写入已被授予适当权限的所有位置,从而解决了问题.
I figured out the answer to this a while back and forgot about my post here. In this particular instance, the problem was with the Internet Explorer Enhanced Security Configuration settings on the server. In order to see your settings in Windows Server 2008 R2, go to the Server Manager and have your view on the main page. Once there, go down to the Security Settings section. Here you will see an item called IE Enhanced Security Configuration (ESC), and next to it it's current settings for both administrators and users. In my case, the default settings on this fresh server were set to On for both administrators and users. Setting these to Off allowed the network service account to write to all locations it had been granted proper permissions to, thus solving the problem.
这篇关于IIS 7.5应用程序池写入权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
