I need to remotely manage an IIS server (create and destroy applications) that is in the same domain as the server issuing the change requests. I have an application pool set up to run under an authorized account. I have tested the remote configuration using IIS Manager with the account the web pool runs as, and it works, so I know the permissions are correct.
- Type=System.Runtime.InteropServices.COMException
- Source=mscorlib
- Message=Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine <SERVERNAME> failed due to the following error: 800706ba <SERVERNAME>.
If I look at the event log on the remote IIS machine that I am trying to authenticate against, I see the following error.
- Log Name: Security
- Source: Microsoft-Windows-Security-Auditing
- Date: 7/13/2011 5:20:22 PM
- Event ID: 4625
- Task Category: Logon
- Level: Information
- Keywords: Audit Failure
- User: N/A
- Computer: FQDN.local
- Description:
- An account failed to log on.
- Subject:
- Security ID: NULL SID
- Account Name: -
- Account Domain: -
- Logon ID: 0x0
- Logon Type: 3
- Account For Which Logon Failed:
- Security ID: NULL SID
- Account Name: UserName
- Account Domain: DOMAIN
- Failure Information:
- Failure Reason: An Error occured during Logon.
- Status: 0xc00002ee
- Sub Status: 0x0
- Process Information:
- Caller Process ID: 0x0
- Caller Process Name: -
- Network Information:
- Workstation Name: -
- Source Network Address: -
- Source Port: -
- Detailed Authentication Information:
- Logon Process: Kerberos
- Authentication Package: Kerberos
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0
- This event is generated when a logon request fails. It is generated on the computer where access was attempted.
- The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
- The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
- The Process Information fields indicate which account and process on the system requested the logon.
- The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
- The authentication information fields provide detailed information about this specific logon request.
- - Transited services indicate which intermediate services have participated in this logon request.
- - Package name indicates which sub-protocol was used among the NTLM protocols.
- - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
- Event Xml:

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-13T21:20:22.234292500Z" />
    <EventRecordID>12046</EventRecordID>
    <Correlation />
    <Execution ProcessID="556" ThreadID="8984" />
    <Channel>Security</Channel>
    <Computer>FQDN.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">UserName</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="Status">0xc00002ee</Data>
    <Data Name="FailureReason">%%2304</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
```
I have done a lot of searching and have not found anything that seems to point in the right direction. I did find some things talking about forest trusts, which may be the problem, but I am not an AD guy and that is all over my head. I feel that the proper permissions are in place, since I can use IIS Manager just fine; it only fails when using Microsoft.Web.Administration and ServerManager.OpenRemote().
UPDATE

Check whether the user has the "Act as part of the operating system" user right; see the bottom of this page under the heading "Windows Server 2003 considerations".
> Sounds to me most likely like a Kerberos constrained delegation issue. It was introduced with Windows Server 2003 to restrict web servers from accessing remote resources via Kerberos (since, if the web server gets compromised, it becomes a bit ugly). Have a look at this on configuring servers to be trusted for delegation: http://technet.microsoft.com/en-us/library/ee675779.aspx.
> Another thought: have you verified that your client application is using the credentials you expect it to use (you probably know this already, but it is not guaranteed to use the application pool identity, especially if you have something like `<identity impersonate="true" />` in your web.config or impersonation in code; have a look at something like http://retkomma.wordpress.com/2009/07/28/how-to-debug-http-error-401-unauthorized-in-asp-net-via-iis/)?
> Last debugging idea: you can also get a lower-level view of whether Kerberos authentication succeeds by using a tool like Wireshark; Kerberos can sometimes be really nasty...
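The 4625 record quoted in the question, parsed and triaged with Python as an added example (not code from the question or the answer): the sample XML is a constructed, trimmed copy of the event above, and the triage notes only restate what the visible fields (logon type, package, subject SID, source address, sub-status) indicate.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 4625 XML from the question, trimmed to the fields read below.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2011-07-13T21:20:22.234292500Z" />
    <Computer>FQDN.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">UserName</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="Status">0xc00002ee</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4625(xml_text):
    """Flatten a Security-channel event into a dict keyed by the Data Name attributes."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields

def triage_4625(fields):
    """Return the observations a defender can make from the visible fields alone."""
    if fields.get("EventID") != 4625:
        return ["not a 4625 (logon failure) event"]
    notes = []
    if fields.get("LogonType") == "3":
        notes.append("network logon (type 3): a remote client, not an interactive session")
    if fields.get("AuthenticationPackageName") == "Kerberos":
        notes.append("Kerberos package: the NTLM-only fields (LmPackageName) carry nothing")
    if fields.get("SubjectUserSid") == "S-1-0-0":
        notes.append("NULL SID subject: no local account initiated the request")
    if fields.get("WorkstationName") == "-" and fields.get("IpAddress") == "-":
        notes.append("no source workstation or IP recorded: correlate on the calling host")
    if fields.get("SubStatus") == "0x0":
        notes.append("SubStatus 0x0: no bad-password or unknown-account sub-status was set")
    return notes
```

Point `parse_4625` at the XML of any 4625 exported from Event Viewer to get the same flattened view for a whole batch of failures.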