使用应用程序池标识会导致异常和事件日志 [英] Using application pool identity results in exceptions and event logs

问题描述

我最近将应用程序从使用ASP.NET模拟转换为在应用程序池中实际指定标识。这样做的原因是为了让将来使用 async 更容易，因此线程作为我的服务帐户运行。

I recently switched my applications from using ASP.NET impersonation to actually specifying the identity in the application pool. The reason for this was to make future use of async easier so the threads run as my service account.

自进行更改后，网站遇到了一些问题。在我做出更改的那天，我现在看到这些事件日志显示得更频繁（过去每天2-3次，现在每天8-10次）：

Since making the change the site has been experiencing some issues. On the day I made the change I am now seeing these event logs show up much more often (used to be 2-3 times per day, now it's 8-10 times per day):

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL - 
 3 user registry handles leaked from \Registry\User\S-1-5-21-1695807550-3099950144-3292890465-4346:
Process 3840 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1695807550-3099950144-3292890465-4346
Process 3840 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1695807550-3099950144-3292890465-4346\Control Panel\International
Process 3840 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1695807550-3099950144-3292890465-4346\Software\Microsoft\Windows\CurrentVersion\Explorer

在与活动目录交谈时，我也得到（看似随机）错误：

I am also getting (seemingly at random) an error when talking to active directory:

System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000)
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

自从进行更改后我看到的最后一个错误（尽管似乎不太经常发生）：

The last error that I'm seeing since making the change (although it seems to occur less often):

System.Runtime.InteropServices.COMException (0x800703FA): Illegal operation attempted on a registry key that has been marked for deletion.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)

一旦我重置应用程序池，问题就会消失。不幸的是，它似乎会在一两天之后继续回归。

Once I reset the application pool the issue goes away. Unfortunately it seems to keep coming back after a day or two.

有没有人知道这里有什么用？我可以回去使用模拟，因为直到我将应用程序池标识切换为特定用户才会发生这种情况。我的谷歌今天没有给我任何答案。

Does anyone have an idea of what's at play here? I could go back to using impersonation since this never occurred until I switched the application pool identity to be a specific user. My Google-fu didn't give me any answers today.

推荐答案

我无法找到其根本原因问题。但是，如果底层代码依赖于属于该标识的资源，似乎对多个应用程序池使用相同的标识可能会导致一些问题。

I wasn't able to find the root cause of the issue. However, it seems as though using the same identity for multiple application pools can cause some issues if underlying code relies on resources that belong to that identity.

更改应用程序池设置加载用户个人资料到 True 修复了问题并且事件日志条目已停止发生。

Changing the application pool setting Load User Profile to True fixed the issue and the event log entries stopped occurring.

这篇关于使用应用程序池标识会导致异常和事件日志的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！