Authorizing IIS running on Windows Server 2016 to query a remote search engine on Windows Server 2008 R2

Problem description

I have an IIS web application (hosted on Windows Server 2016) that tries to access a remote search engine on another machine (Windows Server 2008 R2) in the same network (but a different domain) using the following code:

using System.Data;
using System.Data.OleDb;

// Windows Search OLE DB provider; the remote index is addressed by machine name in FROM and in the scope.
string connectionString = "Provider=Search.CollatorDSO;Extended Properties=\"Application=Windows\"";
// Inside a verbatim (@"...") string a literal double quote has to be doubled.
string query = @"SELECT System.FileName, System.ItemPathDisplay, System.DateModified, System.ItemUrl
    FROM <RemoteServerName>.SystemIndex WHERE scope ='file://<RemoteServerName>/IndexedFolder' and
    CONTAINS(""TextToSearch"") ORDER BY System.DateModified DESC";
var tbl = new DataTable();
using (var connection = new OleDbConnection(connectionString))
{
    connection.Open();
    using (var command = new OleDbCommand(query, connection))
    using (OleDbDataReader reader = command.ExecuteReader())
    {
        tbl.Load(reader);
    }
}

The IIS application is configured with <identity impersonate="true"/> so that the currently logged-on user is propagated.

Every domain user who can use the web server is also included in the ACL of the directory on the remote server that is to be searched.

On the server being searched, I have also included the automatic user <DOMAIN\IIS_MachineName> in the ACL of the searched path.

With this configuration I get the error: Access is denied.

Basically my question is: what do I have to do on the remote server to authorize IIS to access the searched folder?

Additional information

With <identity impersonate="true"/> configured, I get the following audit event on the remote server hosting the search engine I am trying to access:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:       0xf2b3de320
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   <IIS_MachineName>
    Source Network Address: xxx.xxx.xxx.xxx
    Source Port:        yyyyy

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:     128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

If I modify web.config to <identity impersonate="true" userName="MyAdminAccount" password="MyAdminPassword"/>, using an account that is a member of the Administrators group on the remote server, everything works, but I do not want to write an explicit administrator password in the configuration file.

With this configuration the audit event is:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

New Logon:
    Security ID:        DOMAIN\MyAdminAccount
    Account Name:       MyAdminAccount
    Account Domain:     DOMAIN
    Logon ID:       0xf2b3d1b85
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   <IIS_MachineName>
    Source Network Address: XX.XX.XXX.XXX
    Source Port:        YYYYY

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V2
    Key Length:     128


So I think that, from the remote server's point of view, IIS appears as <IIS_MachineName> but with ANONYMOUS LOGON, and this account is not included in the ACL of the searched directory.

Tags: c#, asp.net, windows-search, indexing-service
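As an added example (not part of the question or of any answer on this page): a small Python script that parses 4624 events pasted in the layout shown above and flags, for a given workstation, network logons that arrived as ANONYMOUS LOGON or negotiated NTLM V1. The sample events are constructed from the two events in the question, trimmed to the fields the script reads; WEB01 and 10.0.0.5 are made-up stand-ins for the <IIS_MachineName> placeholder and the masked address. An anonymous network logon carrying the web server's workstation name is the signature a practitioner looks for when an impersonated IIS identity does not make it to a second server, and NTLM V1 is worth flagging on its own.

```python
"""Flag 4624 network logons that arrived as ANONYMOUS LOGON or over NTLM V1."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EVENT_HEADER = "An account was successfully logged on."

# Constructed sample: the two 4624 events from the question, trimmed to the
# fields read below. WEB01 and 10.0.0.5 are made-up stand-ins for the
# <IIS_MachineName> placeholder and its masked address.
SAMPLE_4624_LOG = r"""
An account was successfully logged on.
Logon Type:         3
New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
Network Information:
    Workstation Name:   WEB01
    Source Network Address: 10.0.0.5
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V1

An account was successfully logged on.
Logon Type:         3
New Logon:
    Security ID:        DOMAIN\MyAdminAccount
    Account Name:       MyAdminAccount
    Account Domain:     DOMAIN
Network Information:
    Workstation Name:   WEB01
    Source Network Address: 10.0.0.5
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V2
"""

Fields = Dict[Tuple[str, str], str]


def split_events(blob: str) -> List[str]:
    """Cut a pasted log into one text block per 4624 event."""
    return [part for part in blob.split(EVENT_HEADER) if part.strip()]


def parse_4624(block: str) -> Fields:
    """Map (section, key) -> value. An unindented line ending in ':' opens a
    section ('New Logon'); a top-level 'Logon Type: 3' lands in section ''.
    Keying by section keeps 'Subject/Account Name' apart from 'New Logon/Account Name'."""
    fields: Fields = {}
    section = ""
    for raw in block.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            if raw.rstrip().endswith(":"):
                section = raw.strip()[:-1]
                continue
            section = ""
        key, sep, value = raw.strip().partition(":")
        if sep:
            fields[(section, key.strip())] = value.strip()
    return fields


def classify(fields: Fields) -> List[str]:
    """Problems found with one network (type 3) logon; empty list means clean."""
    flags: List[str] = []
    if fields.get(("", "Logon Type")) != "3":
        return flags
    if fields.get(("New Logon", "Account Name")) == "ANONYMOUS LOGON":
        # No usable credential reached this server from the calling host.
        flags.append("anonymous")
    if fields.get(("Detailed Authentication Information",
                   "Package Name (NTLM only)")) == "NTLM V1":
        flags.append("ntlmv1")
    return flags


@dataclass
class Finding:
    workstation: str
    account: str
    flags: List[str] = field(default_factory=list)


def review(blob: str, workstation: str) -> List[Finding]:
    """One Finding per 4624 event whose Workstation Name matches `workstation`."""
    out: List[Finding] = []
    for block in split_events(blob):
        f = parse_4624(block)
        if f.get(("Network Information", "Workstation Name")) != workstation:
            continue
        out.append(Finding(workstation,
                           f.get(("New Logon", "Account Name"), ""),
                           classify(f)))
    return out
```

Running review(SAMPLE_4624_LOG, "WEB01") returns two findings: the first carries ["anonymous", "ntlmv1"], the second (the explicit MyAdminAccount logon) carries no flags. Against a real export, paste the full event text, including the Subject block and the descriptive paragraphs; the section-keyed parser ignores the lines it does not need.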
