2016-08-24 148 views

IIS WebService: Request for principal permission failed

I have created a simple web service and written a simple method in it, as shown in the code below.

[PrincipalPermission(SecurityAction.Demand, Role = @"KIANCOORP\SomethingElse Users U")] 
public string HelloWorld() 
{ 
    var msg = "Hello {0} from internal.".FormatWith(IdentityName); 

    _log.Info(msg); 

    return msg; 
} 

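I am hosting the web service in an application pool that is set to run as a domain user, KIANCOORP\webapppooluser, and I have added this user to the group "KIANCOORP\SomethingElse Users U" (via Active Directory).

Now, when I browse to the web service using Internet Explorer, I get the following prompt, so I try to log in with the same user of mine that is used for the application pool of this HelloWorld web service.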


Now, if I try to log in with the correct credentials, the prompt reappears.


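It is as if I have to enter the credentials 3 times. I have tested this: every time I get the login dialog prompt I have to try 3 times, and I finally end up at the following browser screen.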


System.ServiceModel Warning: 131076 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning"><TraceIdentifier>http://msdn.microsoft.com/en-NZ/library/System.ServiceModel.Diagnostics.TraceHandledException.aspx</TraceIdentifier><Description>Handling an exception.</Description><AppDomain>/LM/W3SVC/3/ROOT-1-131164864670874625</AppDomain><Exception><ExceptionType>System.Security.SecurityException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Request for principal permission failed.</Message><StackTrace> at System.Security.Permissions.PrincipalPermission.ThrowSecurityException() 
    at System.Security.Permissions.PrincipalPermission.Demand() 
    at System.Security.PermissionSet.DemandNonCAS() 
    at KianService.HelloWorld() in C:\vso\SandBox\KianService.cs:line 81 
    at SyncInvokeHelloWorld(Object , Object[] , Object[]) 
    at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)</StackTrace><ExceptionString>System.Security.SecurityException: Request for principal permission failed.
    at System.Security.Permissions.PrincipalPermission.ThrowSecurityException() 
    at System.Security.Permissions.PrincipalPermission.Demand() 
    at System.Security.PermissionSet.DemandNonCAS() 
    at KianService.HelloWorld() in C:\vso\SandBox\KianService.cs:line 81 
    at SyncInvokeHelloWorld(Object , Object[] , Object[]) 
    at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
The action that failed was: 
Demand 
The type of the first permission that failed was: 
System.Security.Permissions.PrincipalPermission 
The first permission that failed was: 
&lt;IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"&gt;
&lt;Identity Authenticated="true"
Role="KIANCOORP\SomethingElse Users U"/&gt;
&lt;/IPermission&gt;

The demand was for: 
&lt;IPermission class="System.Security.Permissions.PrincipalPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"&gt;
&lt;Identity Authenticated="true"
Role="KIANCOORP\SomethingElse Users U"/&gt;
&lt;/IPermission&gt;

The assembly or AppDomain that failed was: 
mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionString></Exception></TraceRecord> 
System.ServiceModel Error: 131075 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-NZ/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>/LM/W3SVC/3/ROOT-1-131164864670874625</AppDomain><Exception><ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Access is denied.</Message><StackTrace> at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet) 
    at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext) 
    at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext) 
    at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result) 
    at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result) 
    at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously) 
    at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item) 
    at System.Runtime.InputQueue`1.EnqueueAndDispatch(Item item, Boolean canDispatchOnThisThread) 
    at System.Runtime.InputQueue`1.EnqueueAndDispatch(T item, Action dequeuedCallback, Boolean canDispatchOnThisThread) 
    at System.ServiceModel.Channels.SingletonChannelAcceptor`3.Enqueue(QueueItemType item, Action dequeuedCallback, Boolean canDispatchOnThisThread) 
    at System.ServiceModel.Channels.HttpChannelListener.HttpContextReceived(HttpRequestContext context, Action callback) 
    at System.ServiceModel.Activation.HostedHttpTransportManager.HttpContextReceived(HostedHttpRequestAsyncResult result) 
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest() 
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest() 
    at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.OnBeginRequest(Object state) 
    at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped) 
    at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped) 
    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP) 
</StackTrace><ExceptionString>System.ServiceModel.FaultException: Access is denied.</ExceptionString></Exception></TraceRecord> 
System.ServiceModel Information: 131076 : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information"><TraceIdentifier>http://msdn.microsoft.com/en-NZ/library/System.ServiceModel.Diagnostics.TraceHandledException.aspx</TraceIdentifier><Description>Handling an exception.</Description><AppDomain>/LM/W3SVC/3/ROOT-1-131164864670874625</AppDomain><Exception><ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>Access is denied.</Message><StackTrace> at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</StackTrace><ExceptionString>System.ServiceModel.FaultException: Access is denied.
    at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc&amp; rpc)
    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</ExceptionString></Exception></TraceRecord> 

I could not find anything useful online that could help me troubleshoot this error.

Answer


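I have resolved this issue, and it was a very strange problem. I looked up the same user group in Active Directory: I used the user group string from the IIS log to search for the same matching group in Active Directory, but I could not find it.

Role="KIANCOORP\SomethingElse Users U"/&gt;

However, when I browsed Active Directory for the matching user group, I found it, so I copied the usergroup string from my IIS log file, pasted it into the user group name text box in Active Directory, and clicked Apply.

Then I restarted IIS and browsed to the web service again using Internet Explorer, and now IIS was able to resolve the access rights of the user I logged in with and match them to the appropriate user group (as written in my C# code, [PrincipalPermission(SecurityAction.Demand, Role = @"KIANCOORP\SomethingElse Users U")]), and I was able to get a Hello World response.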
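
A diagnostic for the situation described in this answer, as an added example that is not part of the original post: it lists the group names in a Windows token and reports the first character at which a near-identical name differs from the demanded role string. The post does not say which characters differed; the whitespace or invisible-character difference, the class name RoleNameCheck and the sample group name are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Text.RegularExpressions;

static class RoleNameCheck
{
    // Drop invisible format characters, then collapse whitespace runs
    // (\s covers U+00A0 and other Unicode spaces) to one ASCII space.
    static string Normalize(string s) =>
        Regex.Replace(Regex.Replace(s, @"\p{Cf}", ""), @"\s+", " ").Trim();

    // Index of the first character that differs (ignoring case), or -1.
    static int FirstDifference(string a, string b)
    {
        int n = Math.Min(a.Length, b.Length);
        for (int i = 0; i < n; i++)
            if (char.ToUpperInvariant(a[i]) != char.ToUpperInvariant(b[i])) return i;
        return a.Length == b.Length ? -1 : n;
    }

    static void Main()
    {
        const string demanded = @"KIANCOORP\SomethingElse Users U"; // from the attribute

        // Inside the WCF operation, use ServiceSecurityContext.Current.WindowsIdentity.
        var identity = WindowsIdentity.GetCurrent();
        var groups = identity.Groups.Select(sid =>
        {
            try { return sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { return null; } // SID with no name
        }).Where(name => name != null).ToList();

        // Constructed sample (assumption): a no-break space where the code has a plain space.
        groups.Add("KIANCOORP\\SomethingElse\u00A0Users U");

        Console.WriteLine("IsInRole(demanded) = " + new WindowsPrincipal(identity).IsInRole(demanded));
        foreach (var g in groups)
        {
            if (!string.Equals(Normalize(g), Normalize(demanded), StringComparison.OrdinalIgnoreCase)) continue;
            int at = FirstDifference(g, demanded);
            if (at < 0) Console.WriteLine("Exact match: " + g);
            else Console.WriteLine("Near match differs at index {0}: U+{1:X4} vs U+{2:X4}",
                at, at < g.Length ? (int)g[at] : 0, at < demanded.Length ? (int)demanded[at] : 0);
        }
    }
}
```

A near match with no exact match means the role string in the attribute and the group name in the directory look the same but are not the same string, so the PrincipalPermission demand fails even though the user is a member of the group.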