问题描述
HowToTroubleshootASPinIIS5.0NOTE:Beforeyoubegin,ensurethat.htmlor.htmfilesopenontheWebserverinquestion.Ifthesefilesdonotopen,thisisnotanASPissue.1.IfaGlobal.asafileexistsintherootofyourWebsite,renameitasGlobal.old,stopandrestarttheWebservices,andthencreateatestASPpageinNotepadwiththefollowingcode:<%Response.Write"ThisisatestASPpage."%>SavethisfileasTest.aspintherootofyourWebsite,andtrytoopenthefileontheWebserver.IfASPpagesloadinyourWebbrowserafteryouhaveperformedthisstep,theproblemiswiththeGlobal.asafile.IfASPpagesstilldonotload,proceedtostep2.2.SettheapplicationprotectionfortheWebsitetoLowandstopandrestarttheIISAdminservice.IfASPpagesloadinyourWebbrowserafteryouhaveperformedthisstep,theissueiswiththeIWAMaccount,andyoucanproceedtostep3.IfASPpagesstilldonotload,checkComponentServicesinAdministrativeToolstoensurethatyoucanviewtheIISpackages.ThisensuresthatComponentServicesisnotfailing.MakesurethefollowingusersexistinthelocalUsersgroup:•NTAUTHORITYAuthenticatedUsers•NTAUTHORITYINTERACTIVE3.IfASPpagesloadinyourWebbrowserafteryouhaveperformedstep2,setthesitebacktoMediumorHighapplicationprotection,andaddtheIWAMaccounttothelocalAdministratorsgroup.IfASPpagesloadinyourWebbrowserafteryouhaveperformedthisstep,apermissionsissueinvolvingtheIWAMaccountexists,andyoucanproceedtostep4.IfASPpagesstilldonotload,runtheSynciwam.vbsutilityfromacommandline.Todothis,openacommandpromptandtypeC:Inetpubadminscripts>cscriptsynciwam.vbs.4.ToresolvepermissionsissueswiththeIWAMaccount,usetheRegmonandFilemonthird-partyproductsforWindows2000.Todownloadthesetheseutilities,seethefollowingWebsite:http://technet.microsoft.com/en-us/sysinternals/default.aspxRuntheseutilitieswhileyoumakearequestforanASPpage,thensearchfor"ACCDENIED"inRegmonand"FAILURE"inFilemonfortheDllhost.exeprocess.NOTE:Donotbealarmedifyousee"accessdenied"fortheIexplore.exe(MicrosoftInternetExplorer)process.Thisiscommonbehavior.Afteryouhaveidentified"accessdenied"errormessagesfortheDllhost.exeprocess,useRegedt32tomakeanynecessarymodificationstoNTFSpermissionsintheregistry.5.Inthesystemeventlog,lookforthefollowingevents:Source:DCOMEventID:10010User:NTAUTHORITYSYSTEMDescription:Theserver{3D14228D-FBE1-11D0-995D-00C04FD919C1}didnotregisterwithDCOMwithintherequiredtimeout.Thiserrormessageisfollowedintheeventlogbyawarningmessagelikethefollowing:Source:W3SVCEventID:36User:N/ADescription:Theserverfailedtoloadapplication'AppPath'.Theerrorwas'Serverexecutionfailed'.Youmayalsoseeentrieslikethefollowinginyour%SystemRoot%Iis5.logfile:OC_ABOUT_TO_COMMIT_QUEUE:Unregiis_core:FindModules:FindProcessByNameWfailed!Ifyoureceivetheseerrormessages,theNTAUTHORITYAuthenticatedUsersorNTAUTHORITYINTERACTIVEentryhasbeenremovedfromtheUsersgroup.Toresolvetheproblem,makesurethatAuthenticatedUsersandINTERACTIVEaremembersoftheUsersGroupforthatcomputer.6.Asalastresort,youcanre-createtheIISpackages.Todothis,followthesesteps:a.BrowsetoComponentServicesanddeletethefollowingpackages:NOTE:Todeletethepackages,youmustfirstopenthepropertiesofthepackage,clicktheAdvancedtab,andthenclicktocleartheDisableDeletioncheckbox.•IISIn-ProcessApplications•IISOut-of-ProcessPooledApplications•IISUtilitiesb.Openacommandprompt,andthenusethefollowingcommandtoswitchdirectories:cd%windir%system32inetsrvc.Runthefollowingcommands:rundll32wamreg.dll,CreateIISPackageNOTE:"CreateIISPackage"mustbetypedexactly;itiscase-sensitive.regsvr32asptxn.dlld.CloseandreopenComponentServices.YoushouldseeallthreeIISCOM+applicationsthathavebeenrecreated.e.RunIISRESETfromacommandlineandtestanyASPpagethatpreviouslydidnotloadcorrectly.
解决方案
解决方案二:
HowToSecureanASP.NETApplicationbyUsingWindowsSecurity1.HowtoDeveloptheWebSiteInthisprocedure,youwillcreateasimpleASP.NETWebapplication,whichwillbesecuredbyusingWindowsauthentication.a.StartVisualStudio.NET,andthencreateanewVisualBasicASP.NETWebapplicationnamed"WindowsSite."b.DragalabelcontrolfromthetoolboxontotheWebForm1.aspxWebform,andthensetitsIDpropertytoauthUserPrincipalLabel.c.DragasecondlabelcontrolfromthetoolboxontotheWebForm1.aspxWebform,andthensetitsIDpropertytoaspPrincipalLabel.d.Double-clickWebForm1.aspxtoviewthecodewindow,andthenaddthefollowingImportsstatementabovetheclassdeclaration:ImportsSystem.SecurityAddthefollowingcodetothePage_Loadeventprocedure:DimauthUserNameAsStringDimaspUserNameAsStringauthUserName=User.Identity.NameaspUserName=Principal.WindowsIdentity.GetCurrent.NameauthUserPrincipalLabel.Text="Youare:"&authUserNameaspPrincipalLabel.Text="Thispagerunsas:"&aspUserNamee.Viewtheproject'sWeb.configfile,andthenlocatetheauthenticationelement.VerifythatthemodeattributehasavalueofWindows.f.Buildandsavetheproject.g.Runtheproject,andthenconfirmthatthepageisdisplayedwiththefollowingmessage:•InWindows2000Youare:Thispagerunsas:DomainOrServerASPNET•InWindowsServer2003Youare:Thispagerunsas:DomainOrServerNETWORKSERVICENoteYourusernameisnotdisplayedbecauseyouhavenotbeenauthenticatedbyIIS;anonymousaccessisstillenabled.h.QuitInternetExplorertostoptheproject.2.HowtoDisableAnonymousAccessInthisprocedure,youwillconfigureIIStorequireWindows-integratedauthenticationfortheWindowsSitesite.a.MinimizeVisualStudio,andthenstartInternetServicesManagerfromtheAdministrativeToolsprogramgroup.b.ExpandyourserveranditsdefaultWebsite,right-clicktheWindowsSitesite,andthenclickProperties.c.OntheDirectorySecuritytabintheWindowsSitePropertiesdialogbox,clicktheEditbuttoninthe"Anonymousaccessandauthenticationcontrol"section.d.ClicktocleartheAnonymousaccesscheckbox,verifythattheIntegratedWindowsauthenticationcheckboxisselected,andthenclickOK.e.ClickOKtoclosetheWindowsSitePropertiesdialogbox.f.SwitchbacktoVisualStudio,andthenruntheproject.Confirmthatthepageisdisplayedwiththefollowingmessage:•InWindows2000Youare:YourWindowsusernameThispagerunsas:DomainOrServerASPNET•InWindowsServer2003Youare:YourWindowsusernameThispagerunsas:DomainOrServerNETWORKSERVICENote:YouhavebeenauthenticatedthroughyourWindowsaccount.IfyouhadnotbeenloggedontoWindows,youwouldhavebeenpromptedforaWindowsusernameandpassword.g.QuitInternetExplorertostoptheproject.3.AuthorizationInASP.NET,itispossibletoallowauthorizationtotheapplicationwhenyoumakeadditionalsettingsavailablewithintheWeb.configfile.Youcanallowcertainusersorcertaingroupsaccesstotheseadditionalsettings.Thefollowingexamplesdescribethiscapability.ToallowaccesstoallusersfoundintheWindowsNTGroupthatiscalled"Managers,"usethefollowingcode:<configuration><system.web><authorization><allowroles="domainnameManagers"/><denyusers="*"/></authorization></system.web></configuration>Toallowaccesstoonlycertainusers,usethefollowingcode:<configuration><system.web><authorization><allowusers="domainnameuser1,domainnameuser2,domainnameuser3"/><denyusers="*"/></authorization></system.web></configuration>NoteYoucanreferencemultiplerolesoruserswhenyouuseacomma-separatedlist.4.HowtoEnableImpersonationInthisprocedure,youwillconfiguretheWindowsSiteapplicationtoimpersonatetheWindowsuserwhoisaccessingit.a.InVisualStudio,viewtheWeb.configfilefortheWindowsSiteproject.b.Addthefollowingelementaftertheauthenticationelement:<identityimpersonate="true"/>c.SaveWeb.config.d.Runtheproject.Confirmthatthepageisdisplayedwiththefollowingmessage(notethattheASP.NETexecutionenginewilluseyourWindowscredentialstoaccessresourcesonyourbehalf):Youare:YourWindowsusernameThispagerunsas:YourWindowsusernamee.QuitInternetExplorertostoptheproject.5.HowtoAssignaCustomPrincipalInthisprocedure,youwillconfiguretheWindowsSiteapplicationtouseacustomsecurityprincipal:a.StarttheComputerManagementfeaturefromtheAdministrativeToolsprogramgroup.CreateanewWindows2000useraccountnamed"WindowsSite,"withapasswordof"password"(notewhetheryourserverisadomaincontroller,andthenusetheActiveDirectoryUsersandComputerstool).b.ClicktocleartheUsermustchangepasswordatnextlogoncheckbox.c.WhentheWindowsSiteaccounthasbeencreated,closetheadministrativetoolthatyouusedtocreateit.d.InVisualStudio,viewtheWeb.configfilefortheWindowsSiteproject.e.Edittheidentityelementtoreadasfollows:identityimpersonate="true"userName="DomainOrServerNameWindowsSite"password="password"/>whereDomainOrServerNameiseitherthenameofyourWindows2000orWindowsServer2003domain(inadomainenvironment)orofyourcomputer(inaworkgroupenvironment).f.SaveWeb.config.g.Runtheproject.Confirmthatthepageisdisplayedwiththefollowingmessage:Youare:YourWindowsusernameThispagerunsas:DomainOrServerNameWindowsSiteNote:Aspnet_wp.exewillusetheWindowscredentialsthatyouspecifiedtoaccessresourcesonyourbehalf.h.QuitInternetExplorertostoptheproject.NoteTheidentityoftheprocessthatimpersonatesaspecificuseronathreadmusthavetheActaspartoftheoperatingsystemprivilege.•OnWindows2000,bydefault,theAspnet_wp.exeprocessrunsunderacomputeraccountthatisnamedASPNET.•OnWindowsServer2003,bydefault,theAspnet_wp.exeprocessrunsunderacomputeraccountthatisnamedNetworkService.However,thisaccountdoesnothavethecorrectprivilegestoimpersonateaspecificuser.Youreceiveanerrormessageifyoutrytoimpersonateaspecificuser.Toworkaroundthisproblem,useoneofthefollowingmethods:•GranttheActaspartoftheoperatingsystemprivilegetotheASPNETaccount(theleastprivilegedaccount).NoteAlthoughyoucanusethismethodtoworkaroundtheproblem,Microsoftdoesnotrecommendthismethod.•ChangetheaccountthattheAspnet_wp.exeprocessrunsundertotheSystemaccountinthe<processModel>configurationsectionoftheMachine.configfile.
解决方案三:
已经OK
解决方案四:
这有两个问题,一个是“怎样在IIS5.0中排除ASP故障”另一个是“如何使用Windows安全保护ASP.NET应用程序”