How To Troubleshoot ASP in IIS 5.0
How To Troubleshoot ASP in IIS 5.0NOTE: Before you begin, ensure that .html or .htm files open on the Web server in question. If these files do not open, this is not an ASP issue.
1. If a Global.asa file exists in the root of your Web site, rename it as Global.old, stop and restart the Web services, and then create a test ASP page in Notepad with the following code:
<%
Response.Write "This is a test ASP page."
%>
Save this file as Test.asp in the root of your Web site, and try to open the file on the Web server.
If ASP pages load in your Web browser after you have performed this step, the problem is with the Global.asa file. If ASP pages still do not load, proceed to step 2.
2. Set the application protection for the Web site to Low and stop and restart the IISAdmin service. If ASP pages load in your Web browser after you have performed this step, the issue is with the IWAM account, and you can proceed to step 3. If ASP pages still do not load, check Component Services in Administrative Tools to ensure that you can view the IIS packages. This ensures that Component Services is not failing. Make sure the following users exist in the local Users group:
• NT AUTHORITY\Authenticated Users
• NT AUTHORITY\INTERACTIVE
3. If ASP pages load in your Web browser after you have performed step 2, set the site back to Medium or High application protection, and add the IWAM account to the local Administrators group. If ASP pages load in your Web browser after you have performed this step, a permissions issue involving the IWAM account exists, and you can proceed to step 4. If ASP pages still do not load, run the Synciwam.vbs utility from a command line. To do this, open a command prompt and type C:\Inetpub\adminscripts>cscript synciwam.vbs.
4. To resolve permissions issues with the IWAM account, use the Regmon and Filemon third-party products for Windows 2000. To download these these utilities, see the following Web site:
http://technet.microsoft.com/en-us/sysinternals/default.aspx
Run these utilities while you make a request for an ASP page, then search for "ACCDENIED" in Regmon and "FAILURE" in Filemon for the Dllhost.exe process.
NOTE: Do not be alarmed if you see "access denied" for the Iexplore.exe (Microsoft Internet Explorer) process. This is common behavior.
After you have identified "access denied" error messages for the Dllhost.exe process, use Regedt32 to make any necessary modifications to NTFS permissions in the registry.
5. In the system event log, look for the following events:
Source: DCOM
Event ID: 10010
User: NT AUTHORITY\SYSTEM
Description: The server {3D14228D-FBE1-11D0-995D-00C04FD919C1} did not register with DCOM within the required timeout.
This error message is followed in the event log by a warning message like the following:
Source: W3SVC
Event ID: 36
User: N/A
Description: The server failed to load application 'AppPath'. The error was 'Server execution failed'.
You may also see entries like the following in your %SystemRoot%\Iis5.log file:
OC_ABOUT_TO_COMMIT_QUEUE:Unreg iis_core:FindModules: FindProcessByNameW failed!
If you receive these error messages, the NT AUTHORITY\Authenticated Users or NT AUTHORITY\INTERACTIVE entry has been removed from the Users group. To resolve the problem, make sure that Authenticated Users and INTERACTIVE are members of the Users Group for that computer.
6.As a last resort, you can re-create the IIS packages. To do this, follow these steps:
a. Browse to Component Services and delete the following packages:NOTE: To delete the packages, you must first open the properties of the package, click the Advanced tab, and then click to clear the Disable Deletion check box.
• IIS In-Process Applications
• IIS Out-of-Process Pooled Applications
• IIS Utilities
b. Open a command prompt, and then use the following command to switch directories: cd %windir%\system32\inetsrv
c. Run the following commands:
rundll32 wamreg.dll, CreateIISPackage
NOTE: "CreateIISPackage" must be typed exactly; it is case-sensitive.
regsvr32 asptxn.dll
d. Close and reopen Component Services. You should see all three IIS COM+ applications that have been recreated.
e. Run IISRESET from a command line and test any ASP page that previously did not load correctly. --------------------编程问答-------------------- How To Secure an ASP.NET Application by Using Windows Security
1. How to Develop the Web Site
In this procedure, you will create a 易做图 ASP.NET Web application, which will be secured by using Windows authentication.
a. Start Visual Studio .NET, and then create a new Visual Basic ASP.NET Web application named "WindowsSite."
b. Drag a label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to authUserPrincipalLabel.
c. Drag a second label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to aspPrincipalLabel.
d. Double-click WebForm1.aspx to view the code window, and then add the following Imports statement above the class declaration:
Imports System.Security
Add the following code to the Page_Load event procedure:
Dim authUserName As String
Dim aspUserName As String
authUserName = User.Identity.Name
aspUserName = Principal.WindowsIdentity.GetCurrent.Name
authUserPrincipalLabel.Text = "You are: " & authUserName
aspPrincipalLabel.Text = "This page runs as: " & aspUserName
e. View the project's Web.config file, and then locate the authentication element. Verify that the mode attribute has a value of Windows.
f. Build and save the project.
g. Run the project, and then confirm that the page is displayed with the following message:
• In Windows 2000
You are:
This page runs as: DomainOrServer\ASPNET
• In Windows Server 2003
You are:
This page runs as: DomainOrServer\NETWORK SERVICE
Note Your user name is not displayed because you have not been authenticated by IIS; anonymous access is still enabled.
h. Quit Internet Explorer to stop the project.
2. How to Disable Anonymous Access
In this procedure, you will configure IIS to require Windows-integrated authentication for the WindowsSite site.
a. Minimize Visual Studio, and then start Internet Services Manager from the Administrative Tools program group.
b. Expand your server and its default Web site, right-click the WindowsSite site, and then click Properties.
c. On the Directory Security tab in the WindowsSite Properties dialog box, click the Edit button in the "Anonymous access and authentication control" section.
d. Click to clear the Anonymous access check box, verify that the Integrated Windows authentication check box is selected, and then click OK.
e. Click OK to close the WindowsSite Properties dialog box.
f. Switch back to Visual Studio, and then run the project. Confirm that the page is displayed with the following message:
• In Windows 2000
You are: Your Windows user name
This page runs as: DomainOrServer\ASPNET
• In Windows Server 2003
You are: Your Windows user name
This page runs as: DomainOrServer\NETWORK SERVICE
Note :You have been authenticated through your Windows account. If you had not been logged on to Windows, you would have been prompted for a Windows user name and password.
g. Quit Internet Explorer to stop the project.
3. Authorization
In ASP.NET, it is possible to allow authorization to the application when you make additional settings available within the Web.config file. You can allow certain users or certain groups access to these additional settings. The following examples describe this capability. To allow access to all users found in the Windows NT Group that is called "Managers," use the following code: <configuration>
<system.web>
<authorization>
<allow roles="domainname\Managers" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
To allow access to only certain users, use the following code:
<configuration>
<system.web>
<authorization>
<allow users="domainname\user1,domainname\user2,domainname\user3" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Note You can reference multiple roles or users when you use a comma-separated list.
4. How to Enable Impersonation
In this procedure, you will configure the WindowsSite application to impersonate the Windows user who is accessing it.
a. In Visual Studio, view the Web.config file for the WindowsSite project.
b. Add the following element after the authentication element:
<identity impersonate = "true" />
c. Save Web.config.
d. Run the project. Confirm that the page is displayed with the following message (note that the ASP.NET execution engine will use your Windows credentials to access resources on your behalf):
You are: Your Windows user name
This page runs as: Your Windows user name
e. Quit Internet Explorer to stop the project.
5. How to Assign a Custom Principal
In this procedure, you will configure the WindowsSite application to use a custom security principal:
a. Start the Computer Management feature from the Administrative Tools program group. Create a new Windows 2000 user account named "WindowsSite," with a password of "password" (note whether your server is a domain controller, and then use the Active Directory Users and Computers tool).
b. Click to clear the User must change password at next logon check box.
c. When the WindowsSite account has been created, close the administrative tool that you used to create it.
d. In Visual Studio, view the Web.config file for the WindowsSite project.
e. Edit the identity element to read as follows:
identity impersonate = "true"
userName = "DomainOrServerName\WindowsSite"
password = "password"/>
where DomainOrServerName is either the name of your Windows 2000 or Windows Server 2003 domain (in a domain environment) or of your computer (in a workgroup environment).
f. Save Web.config.
g. Run the project. Confirm that the page is displayed with the following message:
You are: Your Windows user name
This page runs as: DomainOrServerName\WindowsSite
Note :Aspnet_wp.exe will use the Windows credentials that you specified to access resources on your behalf.
h. Quit Internet Explorer to stop the project.
Note The identity of the process that impersonates a specific user on a thread must have the Act as part of the operating system privilege.
• On Windows 2000, by default, the Aspnet_wp.exe process runs under a computer account that is named ASPNET.
• On Windows Server 2003, by default, the Aspnet_wp.exe process runs under a computer account that is named NetworkService. However, this account does not have the correct privileges to impersonate a specific user. You receive an error message if you try to impersonate a specific user.
To work around this problem, use one of the following methods:
• Grant the Act as part of the operating system privilege to the ASPNET account (the least privileged account).
Note Although you can use this method to work around the problem, Microsoft does not recommend this method.
• Change the account that the Aspnet_wp.exe process runs under to the System account in the <processModel> configuration section of the Machine.config file. --------------------编程问答-------------------- 已经OK --------------------编程问答-------------------- 这有两个问题,一个是“怎样在 IIS 5.0 中排除 ASP 故障”
另一个是“如何使用 Windows 安全保护 ASP.NET 应用程序”
补充:.NET技术 , .NET技术前瞻
