Original: http://tobysky.blog.hexun.com/38881881_d.html
Build the Reporting Services report in VS2005 and deploy the data source and the report to a second machine that has Reporting Services installed.
IIS on the web server must call the web service interface that Reporting Services exposes, download the report through it, and export it as PDF.
1) In the Reporting Services management page, add the domain account and grant it the required permissions.
2) Configure IIS 6.0 so that Integrated Windows authentication is the only authentication method enabled (check this one only).
3) Run the application pool under the domain account (domain\username).
4) iisreset
Symptoms:
1. IIS 6.0 is configured with Integrated Windows authentication as the only authentication method (check this one only).
2. The application pool identity is the domain account (domain\username).
3. The site that uses this pool returns "Service Unavailable", and the Security log records "The user has not been granted the requested logon type at this machine".
The log entry:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 2009-3-31
Time: 10:30:55
User: NT AUTHORITY\SYSTEM
Computer: hostname
Description:
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: domainUserName
Domain: domain
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: hostname
Caller User Name: hostname$
Caller Domain: domain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3572
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Attempts to find a solution:
1. Microsoft's suggested solution is http://support.microsoft.com/kb/159930/zh-cn; I tried it, without success.
2. Someone online suggested adding the domain user to "Log on as a service" in the local security policy. Judging from the error message, "the user has not been granted the requested logon type at this machine" with logon type 4 (running as a service), setting this account to "Log on as a service" should work. But it still did not.
3. As Lao Zhao pointed out, I tried adding the domain account domain\username to the IIS worker process group (IIS_WPG). After that everything was OK!
Steps:
Right-click "My Computer" -> "Manage" -> "System Tools" -> "Local Users and Groups" -> "Groups" -> "IIS_WPG"
Then run iisreset
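The event above also explains why "Log on as a service" did not help while IIS_WPG did: Logon Type 4 in a Security event is a batch logon, which requires the "Log on as a batch job" right; type 5 is the service logon. The caller is the SYSTEM session (logon ID 0x3E7, the IIS service) logging the pool identity on as a batch job, and IIS_WPG is the local group IIS 6 uses to hand out that right, so membership supplies what the account was missing. The Python script below is an added example, not part of the post: it parses an exported 534 event of the kind shown above, names the right it needs, and checks a `secedit /export /cfg` fragment for whether the account, or a group it was added to, holds that right. The event text is the post's event translated; the secedit fragment and the right assignments in it are constructed for the demo.

```python
import re

# Logon types as reported in the "Logon Type" field of Security event 534
# (4625 on Windows Vista and later) and the user right the target machine
# must grant before that kind of logon succeeds. Type 4 is Batch and type 5
# is Service: they are distinct rights.
LOGON_TYPES = {
    2: ("Interactive", "SeInteractiveLogonRight", "Allow log on locally"),
    3: ("Network", "SeNetworkLogonRight", "Access this computer from the network"),
    4: ("Batch", "SeBatchLogonRight", "Log on as a batch job"),
    5: ("Service", "SeServiceLogonRight", "Log on as a service"),
}

# Fixed logon session IDs of the built-in accounts; 0x3E7 is SYSTEM.
WELL_KNOWN_SESSIONS = {"(0x0,0x3e7)": "SYSTEM", "(0x0,0x3e5)": "LOCAL SERVICE", "(0x0,0x3e4)": "NETWORK SERVICE"}

# The event from the post, translated; the field values are the post's own.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event ID: 534
User: NT AUTHORITY\\SYSTEM
Computer: hostname
Description:
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: domainUserName
Domain: domain
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Caller User Name: hostname$
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3572
"""

# Constructed fragment of "secedit /export /cfg rights.inf" output. secedit
# lists principals as SIDs prefixed with "*" (S-1-5-32-544 is Administrators)
# or as names; the assignments here are invented for the demo.
SAMPLE_SECEDIT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-32-544,domain\\domainUserName
SeBatchLogonRight = *S-1-5-32-544,IIS_WPG
[Version]
signature="$CHICAGO$"
Revision=1
"""

FIELD_RE = re.compile(r"\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")

def parse_event(text):
    """Map the 'Field: value' lines of an exported event to a dict; lines
    without a value ('Description:', 'Logon Failure:') are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields

def diagnose(event):
    """For an event 534, name the requested logon type and the right the
    machine must grant the account for it; None for any other event."""
    if event.get("Event ID") != "534":
        return None
    logon_type = int(event["Logon Type"])
    name, right, display = LOGON_TYPES.get(logon_type, ("Unknown", None, None))
    return {
        "account": event["Domain"] + "\\" + event["User Name"],
        "host": event["Computer"],
        "logon_type": logon_type,
        "logon_type_name": name,
        "required_right": right,
        "required_right_display": display,
        # The caller is the process that called LogonUser (the IIS service in
        # the SYSTEM session), not the account being logged on.
        "caller_session": WELL_KNOWN_SESSIONS.get(event.get("Caller Logon ID", "").lower()),
        "caller_process_id": int(event.get("Caller Process ID", "0")),
    }

def rights_from_secedit(cfg_text):
    """Parse the [Privilege Rights] section of a secedit export into
    {right: [principal, ...]}, dropping the '*' that marks SIDs."""
    rights, in_section = {}, False
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            right, _, holders = line.partition("=")
            rights[right.strip()] = [h.strip().lstrip("*") for h in holders.split(",") if h.strip()]
    return rights

def account_holds_right(rights, right, principals):
    """True if any name the account can appear under (its own name, its SID,
    or a group it belongs to) is listed for the right."""
    holders = {h.lower() for h in rights.get(right, [])}
    return any(p.lower() in holders for p in principals)

if __name__ == "__main__":
    diag = diagnose(parse_event(SAMPLE_EVENT))
    rights = rights_from_secedit(SAMPLE_SECEDIT)
    print(f"{diag['account']} asked for a {diag['logon_type_name']} logon on {diag['host']}; "
          f"it needs '{diag['required_right_display']}' ({diag['required_right']})")
    for groups in ([], ["IIS_WPG"]):
        ok = account_holds_right(rights, diag["required_right"], [diag["account"], *groups])
        print(f"groups={groups}: holds the right: {ok}")
```

On a real machine, export the policy with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and pass the file's contents to rights_from_secedit; group membership from `net localgroup IIS_WPG` goes into the principals list. secedit may write the group as its SID rather than its name, in which case pass the SID as well.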
How Do I Setup IIS to Allow it to Use Network Resources?
Let's say you have two machines, called WebServer and FileServer. The first machine is obviously the one that hosts IIS and serves your Web site. The second is the machine where you want to save your files. To configure your Web site on WebServer so it is allowed to write to a folder on FileServer, you have at least 4 options:
- Use Integrated Security;
- Synchronize the IUSR account between the two machines;
- Configure IIS on WebServer so it uses a Domain Account instead of the default IUSR_WebServer account;
- Move your code to a COM+ DLL and host this DLL in a COM+ package. This package can be configured to run under a specific Domain Account.
In this article, I'll use WebServer and FileServer to refer to the two machines. This also means that the account IUSR_WebServer refers to the local account that IIS uses on WebServer. Make sure you replace WebServer and FileServer with the names of your machines.
Using Integrated Security
If you're using Integrated Security, IIS impersonates the user who authenticated to the site for the duration of the request, so your page code runs with that user's privileges rather than those of IUSR_WebServer. This lets you solve the permissions issue by granting the users of your Web site the necessary permissions on the folder on FileServer. Be aware, though, that the impersonated token only reaches FileServer if WebServer can delegate it, which requires Kerberos authentication with delegation configured; with NTLM the web server holds no credentials it can forward, so the write to FileServer fails with access denied (the double-hop problem).
Note that Integrated Security is only suitable for an Intranet scenario: it won't work over the Internet across proxies and firewalls, and at the time of writing only Internet Explorer supported it.
How to Configure Your Server for Integrated Security?
- Open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel.
- Expand your server in the tree on the left until you see the Web site or Virtual Directory you want to configure. Right click the site or directory and choose Properties.
- Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area.
- Make sure you disable Anonymous access and make sure Integrated Windows authentication is checked. The dialog should end up like this:
Figure 1 - The Authentication Method in IIS set to Integrated Windows Authentication
- Browse to your Web site. Internet Explorer will log you on automatically and IIS runs with the privileges of your user account. If your account is allowed to write to the folder at FileServer, your file access code will work.
Synchronize the IUSR Account
The second solution is to create two identical accounts with identical passwords on both machines. This works because, when WebServer connects to FileServer as the local account IUSR_WebServer, FileServer looks up its own local account of the same name and checks the challenge/response against that account's password; with identical passwords (and therefore identical password hashes) the logon succeeds, and FileServer allows the account to write to the folder where the Web files reside.
How to Configure Your Servers for Synchronized Accounts?
1. On WebServer, open up User Management (either under Computer Management, or within Active Directory) and change the password for the IUSR_WebServer account. Give it a strong password, and make sure that the password does not expire automatically.
2. In IIS on WebServer, change the password that the IUSR_WebServer account uses, and disable the feature Allow IIS to control password. To do this, open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel. Expand your server in the tree on the left until you see the Web site or Virtual Directory you want to configure. Right click the site or directory and choose Properties.
   Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area. Make sure Anonymous access is enabled, and provide the strong password you set for the IUSR_WebServer account in step 1. The dialog box should look similar to this one:
   Figure 2 - Anonymous Authentication with a Synchronized IUSR Account
3. On FileServer, create a new account and name it IUSR_WebServer. Notice that the account name ends with WebServer, not FileServer. Give this account the same password you gave to IUSR_WebServer in step 1.
4. Give the IUSR_WebServer account on FileServer the required privileges to write to the directory that holds your files.
5. Browse to your site. IIS uses the anonymous account IUSR_WebServer for any requests made to it, and the mirrored account on FileServer ensures that IIS is allowed to write files to the folder on FileServer.
Using a Domain Account in IIS
Instead of using the mirrored IUSR account, you can create a brand new account that is used specifically for IIS anonymous access. Since this account lives in your (Active Directory) domain, it's easy to give it the required permissions on both WebServer and FileServer. You may be tempted to use the Administrator account for this, but don't: running IIS under the Administrator account is a serious security risk, as it lets IIS, and every page it serves, operate with Administrator privileges.
How to Configure Your Servers for a Domain Account?
To create the domain account follow these steps:
1. On WebServer, open up Active Directory Users and Computers (or whatever user management tool you have) and create a new account. Call it AnonIIS, for example, although any name will do. Give it a strong password, and make sure that the password does not expire automatically.
2. In IIS on WebServer, change the user account and password used for anonymous access, and disable the feature Allow IIS to control password. To change both settings, open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel. Expand your server in the tree on the left until you see the Web site or Virtual Directory you want to configure. Right click the site or directory and choose Properties.
   Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area. Make sure Anonymous access is enabled, and provide the account name and strong password you created in step 1. The dialog box should look similar to this one:
   Figure 3 - Anonymous Authentication Using a Network Account
3. On FileServer, give the YourDomain\AnonIIS account the required privileges to write to the directory that holds your files.
4. Browse to your site. IIS uses the anonymous account you set in step 2 for any requests made to it. That domain account also has access rights to the folder on FileServer, so IIS is allowed to write files in that folder.
Using a COM+ Package
The last method I'll discuss in this article is the use of a COM+ package to host a COM+ DLL created in VB 6 or C++ for example. I won't discuss the steps you need to perform to create the actual DLL, but instead I'll assume you have a project called MyCompany that exposes a class called MyUsefulproject which in turn has a method called WriteFile. This DLL will be hosted inside a COM+ package that is configured to use a specific domain account that has the required privileges to write to the folder on FileServer.
How to Configure Your Servers for COM+?
1. On WebServer, open up COM+ Services in Start | Programs | Administrative Tools (it's called MTS in NT 4).
2. Expand Component Services | Computers | My Computer.
3. Expand COM+ Applications.
4. Right-click COM+ Applications and choose New | Application.
5. Click Next and choose Empty application.
6. Enter an (arbitrary) name and click Next.
7. Enter the details for the user account you want the component to run under. Leaving it set to the interactive user is dangerous: if somebody without the required rights logs on, your component no longer works, and the package will not run at all when nobody is logged on, which is the normal state of a (Web) server. Specify instead a user you created for this purpose with just enough rights. Refer to How to Configure Your Servers for a Domain Account, step 1, for how to create the account.
8. Click Finish.
9. Expand your newly created package, right-click Components and choose New | Component.
10. Click Next, then choose Install new components.
11. Click Add and browse for your DLL.
12. Click Next again and then click Finish.
13. Make sure the account you configured in step 7 has the required permissions for the documents folder on FileServer.
14. Change the code in your ASP pages. Instead of handling files in the ASP page directly, call the COM+ component, for example:
    <%
    Dim ObjFileHandler
    Set ObjFileHandler = Server.CreateObject("MyCompany.MyUsefulproject")
    ObjFileHandler.WriteFile()
    Set ObjFileHandler = Nothing
    %>
15. Browse to your page. The code from step 14 runs, and instead of your own user context or that of the IUSR_WebServer account, the context of the user you configured in step 7 is used to access the folder on FileServer. Since that account is allowed to access the folder, the file handling code in the WriteFile method succeeds.
Summary
Setting security permissions in IIS is not always a piece of cake. There are quite a lot of possibilities and options you can change. Choosing the right security settings often depends on the requirements of your application. The four solutions presented in this article all serve different setups and applications. Choose the correct mechanism for the job, and you'll end up with a secure but easily maintainable Web server configuration.
How to configure Internet Information Services Web authentication in Windows 2000
This step-by-step article describes how to configure authentication for Web-based requests in Microsoft Internet Information Services (IIS) 5.0.
How Web authentication works
Web authentication is a communication between the Web browser and the Web server that involves a small number of Hyper Text Transfer Protocol (HTTP) headers and error messages.
The flow of communication is:
- The Web browser makes a request, such as HTTP-GET.
- The Web server performs an authentication check. If this is not successful because authentication is required, the server sends back a 401 response whose error page reads similar to the following:
  You are not authorized to view this page
  You do not have permission to view this directory or page using the credentials you supplied.
- The Web browser uses the server's response (its WWW-Authenticate header) to construct a new request that contains authentication information.
- The Web server performs the authentication check again. If the check is successful, the Web server sends the data that was initially requested back to the Web browser.
Authentication methods
- Use an administrative account to log on to the Web server computer.
- Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager. The Internet Information Services snap-in starts.
- In the console tree, click computer name, where computer name is the name of the computer.
- Right-click one of the following items, and then click Properties:
  - To configure authentication for all Web content that is hosted on the IIS server, right-click computer name.
  - To configure authentication for an individual Web site, right-click the Web site that you want.
  - To configure authentication for a virtual directory or a physical directory in a Web site, click the Web site that you want, and then right-click the directory that you want, such as _vti_pvt.
  - To configure authentication for an individual page or file in a Web site, click the Web site that you want, click the folder that contains the file or the page that you want, and then right-click the file or the page that you want.
- In the Item Name Properties dialog box, where Item Name is the name of the item that you selected, click the Directory Security tab.
  NOTE: If the selected item is an individual file, click the File Security tab.
- Under Anonymous access and authentication control, click Edit.
- Click to select the Anonymous access check box to turn on anonymous access. To turn off anonymous access, click to clear this check box.
  NOTE: If you turn off anonymous access, you must configure some form of authenticated access.
- To change the account that is used for anonymous access to this resource, click Edit next to Account used for anonymous access.
- In the Anonymous User Account dialog box, click the user account that you want to use for anonymous access.
- Click to clear the Allow IIS to control password check box if you want IIS to log the account on with the Windows LogonUser() API.
  NOTE: With password control turned on, IIS logs the anonymous account on through its own subauthentication package, without the account's password, and the resulting token carries no network credentials. Turning the option off forces IIS to perform a normal local logon with the password you supply, so turn it off if users have trouble accessing resources such as files or Microsoft Access databases on another computer.
- Click OK.
- Under Authenticated access, click to select the Basic authentication (password is sent in clear text) check box to turn on basic authentication. When you receive the following message, click Yes:
  The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.
  Are you sure you want to continue?
- To select a domain with which to authenticate users that are using basic authentication, click Edit next to Select a default domain.
- Type the domain that you want in the Domain Name box, and then click OK.
  NOTE: Basic authentication transmits the user name and password in clear text (Base64 is an encoding, not encryption), so if you are concerned about security on your intranet, use Basic authentication together with Secure Sockets Layer (SSL).
- Click to select the Digest authentication for Windows domain servers check box to use digest authentication. When you receive the following message, click Yes:
  Digest authentication works with Windows 2000 domain accounts only and requires the accounts to store passwords as encrypted clear text.
  Are you sure you wish to continue?
  NOTE: You must configure the user accounts with the Store password using reversible encryption account option turned on; the domain controller needs the clear-text password to compute the digest it compares with the client's response.
- Click to select the Integrated Windows authentication check box to use integrated Windows authentication.
  NOTE: This authentication method was formerly known as Microsoft Windows NT Challenge/Response or NT LAN Manager (NTLM).
- Click OK, and then in the Item Name Properties dialog box, click OK. If the Inheritance Overrides dialog box opens:
  - Click Select All to apply the new authentication settings to all of the files or the folders that are within the item that you changed.
  - Click OK.
- Quit Internet Information Services.
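The challenge/response the KB describes under "How Web authentication works", and the two warnings IIS shows for Basic and Digest, are easiest to see in code. The Python below is an added example, not from the KB or from this page: the server side is a constructed in-memory user store, and the Mufasa / testrealm@host.com / "Circle Of Life" credentials with their nonce and cnonce are the worked example from RFC 2617, so the Digest value can be checked against the RFC. It shows the 401 challenge, the Basic header and how trivially its password is recovered, and the Digest computation, which the server can only verify if it holds the clear-text password.

```python
import base64
import hashlib
import hmac

# Constructed server-side credential store. The user and password are the
# worked example from RFC 2617 so the digest below can be checked against it.
USERS = {"Mufasa": "Circle Of Life"}
REALM = "testrealm@host.com"

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# --- Basic: the server challenges, the browser answers with base64(user:pw)

def basic_challenge(realm=REALM):
    """Headers of the 401 the server sends when it refuses the first request."""
    return {"Status": "401 Unauthorized", "WWW-Authenticate": f'Basic realm="{realm}"'}

def basic_authorization(username, password):
    """The Authorization header the browser builds from the challenge."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic(header):
    """Base64 is an encoding, not encryption: anyone who sees the header
    (a proxy, a packet capture) gets the password back. This is the
    'clear text' the IIS warning refers to, and why Basic needs SSL."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def handle_basic(authorization):
    """Server check for one request: the status code it would answer with."""
    if authorization is None:
        return 401
    user, password = decode_basic(authorization)
    stored = USERS.get(user, "")
    return 200 if hmac.compare_digest(stored.encode(), password.encode()) else 401

# --- Digest (RFC 2617, qop="auth"): the password never crosses the wire,
# but the server must hold it (or HA1 derived from it) to verify the reply.

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the value the browser sends as response=."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def handle_digest(username, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored clear-text password. A one-way
    password hash is not enough, which is why Digest on IIS needs 'Store
    password using reversible encryption' on the domain account."""
    stored = USERS.get(username)
    if stored is None:
        return 401
    expected = digest_response(username, REALM, stored, method, uri, nonce, nc, cnonce)
    return 200 if hmac.compare_digest(expected, response) else 401

def basic_exchange(username, password):
    """The KB's four steps for Basic: (first status, challenge headers,
    header the browser sends next, second status)."""
    first = handle_basic(None)
    header = basic_authorization(username, password)
    return first, basic_challenge(), header, handle_basic(header)

if __name__ == "__main__":
    first, challenge, header, second = basic_exchange("Mufasa", "Circle Of Life")
    print(first, challenge["WWW-Authenticate"])
    print("browser sends:", header, "-> server answers", second)
    print("recovered from the header:", decode_basic(header))
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    resp = digest_response("Mufasa", REALM, "Circle Of Life", "GET", "/dir/index.html", nonce, nc, cnonce)
    print("digest response:", resp, "-> server answers",
          handle_digest("Mufasa", "GET", "/dir/index.html", nonce, nc, cnonce, resp))
```

Digest protects the password on the wire but not the server's copy of it: a domain controller that can compute HA1 stores something from which the password is recoverable, so the accounts enabled for Digest should be limited to those that need it.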
http://imar.spaanjaars.com/QuickDocId.aspx?quickdoc=276#Method3
http://www.cnblogs.com/wpsl5168/archive/2009/03/31/1426126.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;308160