[Experience sharing] IIS with a domain user: logging on to IIS with a domain user, and IIS settings

Posted on 2015-8-13 10:04:39
  Original source: http://tobysky.blog.hexun.com/38881881_d.html
  
  A Reporting Services report was built with VS2005 and, together with its data source, deployed to another machine on which Reporting Services is installed.
  IIS needs to reach the web service interface that Reporting Services exposes and call it to download the report and export it as PDF.
  1) In the Reporting Services management page, add the domain account and grant it permissions
  2) Configure IIS 6.0 so that authentication uses only Integrated Windows authentication (check this one only)
  3) Run the application pool under the domain account (domain\username)
  4) iisreset
  
  Symptoms:
  1. Configure IIS 6.0 so that authentication uses only Integrated Windows authentication (check this one only).
  2. Run the application pool under the domain account (domain\username)
  3. The site that uses this pool shows "Service Unavailable", and the security log records "The user has not been granted the requested logon type at this machine".
  The log is as follows:
  事件类型:    审核失败
事件来源:    Security
事件种类:    登录/注销
事件 ID:    534
日期:        2009-3-31
事件:        10:30:55
用户:        NT AUTHORITY\SYSTEM
计算机:    hostname
描述:
登录失败:
     原因:    没有授予用户在这台机器上请求的登录类型
     用户名:    domainUserName
     域:        domain
     登录类型:    4
     登录过程:    Advapi  
     身份验证数据包:    Negotiate
     工作站名:    hostname
     调用方用户名:    hostname$
     调用方域:    domain
     调用方登录 ID:    (0x0,0x3E7)
     调用方进程 ID:     3572
     传递服务:     -
     源网络地址:    -
     源端口:    -

  有关更多信息,请参阅在 http://go.microsoft.com/fwlink/events.asp 的帮助和支持中心。

  
  The search for a solution:
  1. Microsoft's suggested fix is http://support.microsoft.com/kb/159930/zh-cn; I tried it, without success.
  2. Someone online suggested adding the domain user to "Log on as a service" in the local security policy. Going by the error log, "The user has not been granted the requested logon type at this machine" with logon type 4 (running as a service), so granting this account "Log on as a service" ought to work. But it still did not.
  3. At Lao Zhao's suggestion I tried adding the domain account domain\username to the IIS worker process group (IIS_WPG). After that, everything was OK!
  Steps:
  Right-click "My Computer" -> "Manage" -> "System Tools" -> "Local Users and Groups" -> "Groups" -> "IIS_WPG"
  Then run iisreset
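Added example, not part of the forum post or the linked blog: a small Python script that parses a 534 audit-failure entry in the layout quoted above and maps its logon type to the user right the account must hold on that machine. It accepts the Chinese labels shown in the log as well as their English equivalents. In Windows, logon type 4 is a batch logon; IIS 6 starts its worker processes with a batch logon and grants the local IIS_WPG group the "Log on as a batch job" right, which is why adding the pool identity to IIS_WPG resolved the failure. The account, domain and host names in the sample are constructed placeholders.

```python
import re

# Constructed sample: one Security-log entry in the layout quoted above (Chinese
# Windows Server 2003 locale). Account, domain and host names are placeholders.
SAMPLE_EVENT = """事件类型:    审核失败
事件来源:    Security
事件种类:    登录/注销
事件 ID:    534
用户:        NT AUTHORITY\\SYSTEM
描述:
登录失败:
     原因:    没有授予用户在这台机器上请求的登录类型
     用户名:    svc_web
     域:        CORP
     登录类型:    4
     登录过程:    Advapi
     身份验证数据包:    Negotiate
     调用方用户名:    WEBSERVER$
     调用方域:    CORP
"""

# Field labels as they appear in the Chinese and English renderings of event 534.
LABELS = {
    "event_id":   ("事件 ID", "Event ID"),
    "user":       ("用户名", "User Name"),
    "domain":     ("域", "Domain"),
    "logon_type": ("登录类型", "Logon Type"),
    "process":    ("登录过程", "Logon Process"),
}

# Windows logon types relevant to a server process, and the user right an
# account must hold on the machine for that logon type to be granted.
LOGON_RIGHTS = {
    2: ("Interactive", "Allow log on locally"),
    3: ("Network", "Access this computer from the network"),
    4: ("Batch", "Log on as a batch job"),
    5: ("Service", "Log on as a service"),
}


def parse_event(text):
    """Pull the fields listed in LABELS out of one event's description text."""
    fields = {}
    for key, names in LABELS.items():
        alt = "|".join(re.escape(n) for n in names)
        # A label sits at the start of a line (after indentation) and ends in ':' or '：';
        # anchoring at the line start keeps '调用方域'/'Caller Domain' from matching '域'/'Domain'.
        m = re.search(r"^\s*(?:%s)\s*[:：]\s*(.*?)\s*$" % alt, text, re.M)
        fields[key] = m.group(1) if m else None
    return fields


def diagnose(text):
    """Explain a 534 'requested logon type not granted' event and what would fix it."""
    f = parse_event(text)
    if f["event_id"] != "534":
        return {"event_id": f["event_id"], "applies": False}
    logon_type = int(f["logon_type"])
    kind, right = LOGON_RIGHTS.get(logon_type, ("Other", None))
    account = "%s\\%s" % (f["domain"], f["user"])
    advice = "grant '%s' to %s" % (right, account) if right else "unexpected logon type"
    if logon_type == 4:
        # IIS 6 worker processes use a batch logon; IIS_WPG carries that right by
        # default, so group membership is the usual fix rather than a policy edit.
        advice += " (on IIS 6: add the account to the local IIS_WPG group, then iisreset)"
    return {
        "event_id": "534", "applies": True, "account": account,
        "logon_type": logon_type, "logon_kind": kind,
        "required_right": right, "advice": advice,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_EVENT).items():
        print("%-15s %s" % (key, value))
```

Running the script on the sample prints the account, the logon kind (Batch) and the right it lacks; pointing it at a type 5 entry instead yields "Log on as a service", which is the right the second attempt in the post granted.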
  

How Do I Setup IIS to Allow it to Use Network Resources?

If you're working with files (creating, copying, deleting etc.) in your ASP applications, you have probably configured the permissions for the IUSR_MachineName account so it is allowed to write to the folder where your files reside. However, if you want to write to a folder on another machine you'll run into problems. This FAQ describes a few common scenarios to overcome these problems.

  Let's say you have two machines, called WebServer and FileServer. The first machine is obviously the one that hosts IIS and serves your Web site. The second is the machine where you want to save your files. To configure your Web site on WebServer so it is allowed to write to a folder on FileServer, you have at least 4 options:


  • Use Integrated Security;
  • Synchronize the IUSR account between the two machines;
  • Configure IIS on WebServer so it uses a Domain Account instead of the default IUSR_WebServer account;
  • Move your code to a COM+ DLL and host this DLL in a COM+ package. This package can be configured to run under a specific Domain Account.

  In this article, I'll use WebServer and FileServer to refer to the two machines. This also means that the account IUSR_WebServer refers to the local account that IIS uses on WebServer. Make sure you replace WebServer and FileServer with the names of your machines.

Using Integrated Security
  If you're using Integrated Security, IIS will run under the context of the currently logged on user. So, if you access your Web site, IIS will run with your privileges. By configuring IIS to use Integrated Security, you can overcome the permissions issue: simply grant the users of your Web site the necessary permissions to the folder on FileServer. Note that Integrated Security is only suitable for an Intranet scenario as it won't work over the Internet across firewalls and because it's an Internet Explorer only solution.

How to Configure Your Server for Integrated Security?


  • Open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel.
  • Expand your server in the tree on the left until you see the
    Web site or Virtual Directory you want to configure. Right click the
    site or directory and choose Properties.
  • Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area.
  • Make sure you disable Anonymous access and make sure Integrated Windows authentication is checked. The dialog should end up like this:
    Figure 1 - The Authentication Method in IIS set to Integrated Windows Authentication
  • Browse to your Web site. Internet Explorer will log you on
    automatically and IIS runs with the privileges of your user account. If
    your account is allowed to write to the folder at FileServer, your file access code will work.

Synchronize the IUSR Account
  The second solution is to create two identical accounts with identical passwords on both machines. This will work, as both accounts will use the same password hash. So, at run-time, when WebServer tries to write to FileServer, the machine FileServer will recognize the account that WebServer presents, and will allow it to write to the folder where the Web files reside.

How to Configure Your Servers for Synchronized Accounts?


  • On WebServer, open up User Management (either under Computer Management, or within Active Directory) and change the password for the IUSR_WebServer account. Give it a strong password, and make sure that the password does not automatically expire.
  • In IIS on WebServer, change the password that the IUSR_WebServer account uses. Also disable the feature Allow IIS to control password. To do this, open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel.
    Expand your server in the tree on the left until you see the Web site
    or Virtual Directory you want to configure. Right click the site or
    directory and choose Properties.
    Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area. Make sure Anonymous access is enabled, and provide the strong password you set for the IUSR_WebServer account in step 1. The dialog box should look similar to this one:
    Figure 2 - Anonymous Authentication with a Synchronized IUSR Account
  • On FileServer, create a new account and name it IUSR_WebServer. Notice that the account ends with WebServer, not with FileServer. Give this account the same password as you gave to IUSR_WebServer in step 1.
  • Give the IUSR_WebServer account on the FileServer machine the required privileges to write to the directory that holds your files
  • Browse to your site. IIS will use the anonymous account IUSR_WebServer for any requests made to IIS. The mirrored account on FileServer makes sure that your IIS is allowed to write files to the folder on FileServer.

Using a Domain Account in IIS
  Instead of using the mirrored IUSR account, you can create a brand new account that is specifically used for IIS anonymous access. Since this account lives in your (Active Directory) domain, it's easy to give it the required permissions on both WebServer and FileServer. You may be tempted to use the Administrator account for that, but it's recommended not to do that. Using the Administrator account for IIS is a great security risk as it allows IIS, and all pages being served by it, to operate with Administrator privileges.

How to Configure Your Servers for a Domain Account?
  To create the domain account follow these steps:


  • On WebServer, open up Active Directory Users and Computers (or other User Management software you may have) and create a new account. Call this account AnonIIS
    for example, although any name will do. Give it a strong password, and
    make sure that the password does not automatically expire.
  • In IIS on WebServer, change the user account and password that are used for anonymous access. Also disable the feature Allow IIS to control password. To change both settings, open the Internet Information Services Management Console which you'll find in the Administrative Tools menu on the Start Menu or in the Control Panel.
    Expand your server in the tree on the left until you see the Web site
    or Virtual Directory you want to configure. Right click the site or
    directory and choose Properties.
    Switch to the Directory Security tab and click the Edit... button in the Anonymous access and authentication control area. Make sure Anonymous access
    is enabled, and provide the account name and strong password you
    created in step 1. The dialog box should look similar to this one:
    Figure 3 - Anonymous Authentication Using a Network Account
  • On FileServer, give the YourDomain\AnonIIS account the required privileges to write to the directory that holds your files.
  • Browse to your site. IIS will use the anonymous account you set
    in step2 for any requests made to IIS. That domain account has also
    access rights to the folder on FileServer so IIS is allowed to write to files in that folder.

Using a COM+ Package
  The last method I'll discuss in this article is the use of a COM+ package to host a COM+ DLL created in VB 6 or C++ for example. I won't discuss the steps you need to perform to create the actual DLL, but instead I'll assume you have a project called MyCompany that exposes a class called MyUsefulproject which in turn has a method called WriteFile. This DLL will be hosted inside a COM+ package that is configured to use a specific domain account that has the required privileges to write to the folder on FileServer.

How to Configure Your Servers for COM+?


  • On WebServer, open up COM+ Services in Start | Programs | Administrative Tools (It's called MTS in NT 4).
  • Expand Component Services | Computers | My computer.
  • Expand COM+ applications.
  • Right-click COM+ applications and choose New | Application.
  • Click Next and choose Empty application.
  • Enter a (arbitrary) name and click Next.
  • Enter the details for a user account you want the component to
    run under. Leaving it to interactive can be dangerous. Suppose somebody
    without rights logs in, then your component will no longer work. Your
    package will also not run when nobody is logged on, a common scenario
    with (Web) servers. It's better to specify a user you created for this
    purpose with just enough rights. Refer to How to Configure Your Servers for a Domain Account, step 1, to find out how to create the account.
  • Click Finish.
  • Expand your newly created package and right-click Components and choose New | Component.
  • Click Next, then choose Install new components.
  • Click Add and browse for your DLL .
  • Click Next again and then click Finish.
  • Make sure the account you configured in step 7 has the required permissions for the documents folder on FileServer.
  • Make changes to the code in your ASP pages. Instead of code dealing with files in your ASP pages directly, you should now make calls to the COM+ component, for example:

    ' Create the COM+ component; it runs under the package identity configured in step 7
    Dim ObjFileHandler
    Set ObjFileHandler = Server.CreateObject("MyCompany.MyUsefulproject")
    ObjFileHandler.WriteFile()
    Set ObjFileHandler = Nothing
  • Browse to your page. The code from step 14 will run. Instead of using your user context or the context of the IUSR_WebServer account, the context of the user you configured in step 7 is now used to access the folder on FileServer. Since this account is allowed to access that folder, any file handling code in the WriteFile method will run successfully.

Summary
  Setting security permissions in IIS is not always a piece of cake. There are quite a lot of possibilities and options you can change. Choosing the right security settings often depends on the requirements of your application. The four solutions presented in this article all serve different setups and applications. Choose the correct mechanism for the job, and you'll end up with a secure but easily maintainable Web server configuration.
  

How to configure Internet Information Services Web authentication in Windows 2000
  This step-by-step article describes how to configure authentication for Web-based requests in Microsoft Internet Information Services (IIS) 5.0.


How Web authentication works
  Web authentication is a communication between the Web browser and the Web server that involves a small number of Hyper Text Transfer Protocol (HTTP) headers and error messages.
The flow of communication is:


  • The Web browser makes a request, such as HTTP-GET.
  • The Web server performs an authentication check. If this is not successful because authentication is required, the server sends back an error message that is similar to the following one:

    You are not authorized to view this page
    You do not have permission to view this directory or page using the credentials you supplied.

    Information is included in this message that the Web browser can use to resubmit the request as an authenticated request.
  • The Web browser uses the server's response to construct a new request that contains authentication information.
  • The Web server performs an authentication check. If the check
    is successful, the Web server sends the data that was initially
    requested back to the Web browser.
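Added example, not part of the KB article or the forum post: a Python script that plays both sides of the exchange just described. A minimal server answers an unauthenticated GET with a 401 and a WWW-Authenticate challenge (step 2), the client rebuilds the request with credentials (step 3), and the server serves the page once the check passes (step 4). Basic authentication is used because its headers are readable, which also makes the article's later warning concrete: the Authorization header is only base64, so anyone who can read the traffic can read the password. The realm, account name and password are constructed placeholders standing in for the Windows accounts IIS would check.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "WebServer"
# Constructed credential store; IIS would validate against Windows accounts instead.
ACCOUNTS = {"CORP\\alice": "S3cret-Report-Pass"}


def make_basic_header(user, password):
    """Build the header the browser sends in step 3 of the flow."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def basic_credentials(header):
    """Decode an 'Authorization: Basic ...' header. Base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


class AuthHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        creds = basic_credentials(self.headers.get("Authorization", ""))
        # Constant-time comparison; an unknown user compares against "" and fails.
        if creds and hmac.compare_digest(ACCOUNTS.get(creds[0], "").encode(), creds[1].encode()):
            self._reply(200, b"<html>report.pdf would be served here</html>")
        else:
            # Step 2: the challenge that tells the browser how to resubmit the request.
            self._reply(401, b"You are not authorized to view this page",
                        [("WWW-Authenticate", 'Basic realm="%s"' % REALM)])

    def _reply(self, status, body, extra_headers=()):
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def fetch(port, user=None, password=None):
    """One request to the local server; returns (status, WWW-Authenticate header or None)."""
    headers = {}
    if user is not None:
        headers["Authorization"] = make_basic_header(user, password)
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/reports/", headers=headers)
    resp = conn.getresponse()
    resp.read()
    challenge = resp.getheader("WWW-Authenticate")
    conn.close()
    return resp.status, challenge


def run_exchange():
    """Play the four-step flow; returns (step, status, challenge) triples."""
    server = HTTPServer(("127.0.0.1", 0), AuthHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        steps = []
        status, challenge = fetch(port)                               # step 1: plain GET
        steps.append(("anonymous", status, challenge))                 # step 2: 401 + challenge
        status, _ = fetch(port, "CORP\\alice", "S3cret-Report-Pass")  # step 3: retry with creds
        steps.append(("valid credentials", status, None))             # step 4: 200 with content
        status, _ = fetch(port, "CORP\\alice", "wrong")               # a bad retry is challenged again
        steps.append(("wrong password", status, None))
        return steps
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for step in run_exchange():
        print(step)
```

Decoding the header that `make_basic_header` produces with `basic_credentials` returns the password in the clear, which is the reason the configuration steps later pair Basic authentication with SSL; Integrated Windows authentication avoids sending the password at all.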


Authentication methods


  • Use an administrative account to log on to the Web server computer.
  • Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
    The Internet Information Services snap-in starts.
  • In the console tree, click the computer name node (the entry labeled with the name of the computer).
  • Right-click one of the following items, and then click Properties:

    • To configure authentication for all Web content that is hosted on the IIS server, right-click the computer name node.
    • To configure authentication for an individual Web site, right-click the Web site that you want.
    • To configure authentication for a virtual directory or a
      physical directory in a Web site, click the Web site that you want, and
      then right-click the directory that you want, such as _vti_pvt.
    • To configure authentication for an individual page or file in a
      Web site, click the Web site that you want, click the folder that
      contains the file or the page that you want, and then right-click the
      file or the page that you want.


  • On the Item Name Properties dialog box where Item Name is the name of the item that you selected, click the Directory Security tab.
    NOTE: If the selected item is an individual file, click the File Security tab.
  • Under Anonymous access and authentication control, click Edit.
  • Click to select the Anonymous access check box to turn on anonymous access. To turn off anonymous access, click to clear this check box.
    NOTE: If you turn off anonymous access, you need to configure some form of authenticated access.

    • To change the account that is used for anonymous access to this resource, click Edit next to Account used for anonymous access.
    • In the Anonymous User Account dialog box, click the user account that you want to use for anonymous access.
    • Click to clear the Allow IIS to control password check box if you want to use the Windows LogonUser() API for user authentication.
      NOTE: By turning this password control option off, this forces IIS to use normal authentication and to log the account on locally. You should turn this option off if users experience difficulty accessing resources such as files or Microsoft Access databases on a network computer.
    • Click OK.


  • Under Authenticated access, click to select the Basic authentication (password is sent in clear text) check box to turn on basic authentication. When you receive the following message, click Yes:

    The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.
    Are you sure you want to continue?

    • To select a domain with which to authenticate users that are using basic authentication, click Edit next to Select a default domain.
    • Type the domain that you want in the Domain Name box, and then click OK.
      Note: If you are concerned about security on your intranet because Basic Authentication transmits user name and password information in clear text, you can use Basic authentication together with Secure Sockets Layer (SSL).


  • Click to select the Digest authentication for Windows domain servers check box to use digest authentication. When you receive the following message, click Yes:

    Digest authentication works with Windows 2000 domain accounts only and requires the accounts to store passwords as encrypted clear text.
    Are you sure you wish to continue?
    NOTE: You must configure user accounts with the Store password using reversible encryption account option turned on.
  • Click to select the Integrated Windows authentication check box to use integrated Windows authentication.
    NOTE: This authentication method was formerly known as Microsoft Windows NT Challenge/Response or NT LAN Manager (NTLM).
  • Click OK, and then in the Item Name Properties dialog box, click OK. If the Inheritance Overrides dialog box opens:

    • Click Select All to apply the new authentication settings to all of the files or the folders that are within the item that you changed.
    • Click OK.


  • Quit Internet Information Services.
  
  http://imar.spaanjaars.com/QuickDocId.aspx?quickdoc=276#Method3
  http://www.iyunv.com/wpsl5168/archive/2009/03/31/1426126.html
  http://support.microsoft.com/default.aspx?scid=kb;en-us;308160

Thread: https://www.yunweiku.com/thread-98286-1-1.html