iis - 在 Azure 中将应用程序池的标识设置为 LocalSystem

Question

有没有办法在ServiceDefinition.csdef或其他地方执行此操作，而无需转到IIS并手动调整？

我尝试了 executionContext="elevated" for webrole，但不起作用。

更新

如果您在 Azure IIS 上安装“IIS 6 Metabase Compatibility”，下面显示的错误就会消失。

这引发了另一个问题，如何在 Azure 上的部署阶段自动安装“IIS 6 元数据库兼容性”。

<小时/>

@astaykov，我喜欢评论，但下面的代码太大，所以我使用这个地方。

我使用 Wade Wagner 编写的相同代码:

public override bool OnStart()
        {
            // http://code.msdn.microsoft.com/windowsazure/CSAzureChangeAppPoolIdentit-27099828
            // This variable is used to iterate through list of Application pools 
            string metabasePath = "IIS://localhost/W3SVC/AppPools";
            string appPoolName;
            using (ServerManager serverManager = new ServerManager())
            {
                //Get the name of the appPool that is created by Azure 
                appPoolName = serverManager.Sites[RoleEnvironment.CurrentRoleInstance.Id + "_Web"].Applications.First().ApplicationPoolName;
                // Get list of appPools at specified metabasePath location 
                using (DirectoryEntry appPools = new DirectoryEntry(metabasePath))
                {
                    // From the list of appPools, Search and get the appPool that is created by Azure  
                    using (DirectoryEntry azureAppPool = appPools.Children.Find(appPoolName, "IIsApplicationPool"))
                    {
                        if (azureAppPool != null)
                        {
                            // Refer to: 
                            // http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/e3a60d16-1f4d-44a4-9866-5aded450956f.mspx?mfr=true,  
                            // http://learn.iis.net/page.aspx/624/application-pool-identities/  
                            // for more info on AppPoolIdentityType 
                            azureAppPool.InvokeSet("AppPoolIdentityType", new Object[] { 0 });  // MD_APPPOOL_IDENTITY_TYPE_LOCALSYSTEM
                            // Write above settings to IIS metabase 
                            azureAppPool.Invoke("SetInfo", null);
                            // Commit the above configuration changes that are written to metabase 
                            azureAppPool.CommitChanges();
                        }
                    }
                }
            }
            RoleInRun = true;
            TaskInRun = false;
            return base.OnStart();
        }

我可以在appPoolName处获取正确的值，但是这里发生了错误:使用 (DirectoryEntry azureAppPool = appPools.Children.Find(appPoolName, "IIsApplicationPool"))

我正在到处寻找解决方案，但仍然找不到线索以下错误来自 IIS 事件:

Application: WaIISHost.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Runtime.InteropServices.COMException
Stack:
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_IsContainer()
   at System.DirectoryServices.DirectoryEntries.Find(System.String, System.String)
   at GimmeRank.Redirector.WebRole.OnStart()
   at Microsoft.WindowsAzure.ServiceRuntime.RoleEnvironment.InitializeRoleInternal(Microsoft.WindowsAzure.ServiceRuntime.Implementation.Loader.RoleType)
   at Microsoft.WindowsAzure.ServiceRuntime.Implementation.Loader.RoleRuntimeBridge.<InitializeRole>b__0()
   at System.Threading.ExecutionContext.runTryCode(System.Object)
   at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode, CleanupCode, System.Object)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()

有什么想法吗？

Answer 1

executionContext="elevated"只会将您的 RoleEntryPoint 作为本地 SYSTEM 帐户运行，但它不是 IIS 池标识。

您可能想查看this blog post by Wade Wagner 。他在那里描述的内容可以在您的 OnStart 方法中与executionContext="elevated"一起运行(因为只有管理员可以更改池身份)。如果这对本地系统不起作用，您可以为 RDP 创建一个用户，它将添加到管理员组中，并且您可以将 iis 应用程序池标识设置为该用户。

更新

嗯，我使用了以下方法(类似)并且效果很好:

private void SetAppPoolIdentity()
{
    string appPoolUser = "myRDP_admin_user";
    string appPoolPass = "my_super_secure_password";

    Action<string> iis7fix = (appPoolName) =>
    {
        bool committed = false;
        while (!committed)
        {
            try
            {
                using (ServerManager sm = new ServerManager())
                {
                    var applicationPool = sm.ApplicationPools[appPoolName];
                    applicationPool.ProcessModel.IdentityType = ProcessModelIdentityType.SpecificUser;
                    applicationPool.ProcessModel.UserName = appPoolUser;
                    applicationPool.ProcessModel.Password = appPoolPass;
                    sm.CommitChanges();
                    committed = true;
                }
            }
            catch (FileLoadException fle)
            {
                Trace.TraceError("Trying again because: " + fle.Message);
            }
        }
    };

    // ServerManager in %WinDir%System32InetSrvMicrosoft.Web.Administration.dll
    var sitename = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
    var appPoolNames = new ServerManager().Sites[sitename].Applications.Select(app => app.ApplicationPoolName).ToList();
    appPoolNames.ForEach(iis7fix);
}

你能尝试一下吗？请注意，它不适用于本地系统帐户，因为它不是真实帐户，我们不能这样设置(至少我不知道如何做到这一点，但对于 RDP 的特定帐户，它可以正常工作)。