Azure 应用服务上的 ActiveDirectoryMembershipProvider:拒绝访问
ActiveDirectoryMembershipProvider on Azure App Service: Access Denied
IIS 7 上的遗留应用程序之一 运行 最近已移植到 Azure 应用服务。
该应用程序使用 WebMatrix(简单成员资格)和 Active Directory 作为成员资格提供程序。在 Azure App Service 上托管它后,我们收到 Access Denied
错误
web.config
<membership defaultProvider="simple">
<providers>
<clear />
<add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
<add name="AD1MembershipProvider" description="Active Directory"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
applicationName="appName" connectionStringName="AD1ConnectionString"
connectionUsername="..." connectionPassword="..."
connectionProtection="None"
enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
<providers>
<add name="DefaultRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData" />
</providers>
</roleManager>
<connectionStrings>
<add name="AD1ConnectionString" connectionString="LDAP://something.DIR/DC=something,DC=something,DC=DIR" />
</connectionStrings>
应用启动报错:
[COMException]: Access is denied.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
[UnauthorizedAccessException]: Access is denied.
at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
at System.DirectoryServices.ActiveDirectory.DirectoryContext.isServer()
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at System.Web.Security.DirectoryInformation.InitializeDomainAndForestName()
at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
[ConfigurationErrorsException]: Access is denied.
(D:\home\site\wwwroot\web.config line 106)
at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
at System.Web.Configuration.ProvidersHelper.InstantiateProviders(ProviderSettingsCollection configProviders, ProviderCollection providers, Type providerType)
at System.Web.Security.Membership.InitializeSettings(Boolean initializeGeneralSettings, RuntimeConfig appConfig, MembershipSection settings)
at System.Web.Security.Membership.Initialize()
at System.Web.Security.Membership.get_Providers()
at WebMatrix.WebData.WebSecurity.PreAppStartInit()
at WebMatrix.WebData.PreApplicationStartCode.Start()
[InvalidOperationException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
(D:\home\site\wwwroot\web.config line 106).
at System.Web.Compilation.BuildManager.InvokePreStartInitMethodsCore(ICollection`1 methods, Func`1 setHostingEnvironmentCultures)
at System.Web.Compilation.BuildManager.InvokePreStartInitMethods(ICollection`1 methods)
at System.Web.Compilation.BuildManager.CallPreStartInitMethods(String preStartInitListPath, Boolean& isRefAssemblyLoaded)
at System.Web.Compilation.BuildManager.ExecutePreAppStart()
at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters, PolicyLevel policyLevel, Exception appDomainCreationException)
[HttpException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
(D:\home\site\wwwroot\web.config line 106).
at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
我们尝试在 providers
和 roleManager
中禁用 WebMatrix
,但即使 ActiveDirectoryMembershipProvider
也会出现同样的错误。
有什么建议吗?
Azure App Service 在 sanbox 中运行,这就是它失败的原因。您将无法允许访问,因为您无权访问主机 OS。不过有几个选项。
- 将您的应用程序部署到 Azure VM 并将其join部署到您的本地
域名。
- Migrate your local AD authentication for your app over to Azure Active Directory and enable AAD 在您的应用上。
- 将您现有的 Active Directory 迁移到 Azure Active Directory
在我看来,选项 2 将是您的最佳选择。 doc 是此类混合云解决方案的架构概述。根据 VM 大小,选项 1 的成本会更高一些,而选项 3 将需要大量规划。
IIS 7 上的遗留应用程序之一 运行 最近已移植到 Azure 应用服务。
该应用程序使用 WebMatrix(简单成员资格)和 Active Directory 作为成员资格提供程序。在 Azure App Service 上托管它后,我们收到 Access Denied
错误
web.config
<membership defaultProvider="simple">
<providers>
<clear />
<add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
<add name="AD1MembershipProvider" description="Active Directory"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
applicationName="appName" connectionStringName="AD1ConnectionString"
connectionUsername="..." connectionPassword="..."
connectionProtection="None"
enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
<providers>
<add name="DefaultRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData" />
</providers>
</roleManager>
<connectionStrings>
<add name="AD1ConnectionString" connectionString="LDAP://something.DIR/DC=something,DC=something,DC=DIR" />
</connectionStrings>
应用启动报错:
[COMException]: Access is denied.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
[UnauthorizedAccessException]: Access is denied.
at System.DirectoryServices.ActiveDirectory.DirectoryContext.IsContextValid(DirectoryContext context, DirectoryContextType contextType)
at System.DirectoryServices.ActiveDirectory.DirectoryContext.isServer()
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at System.Web.Security.DirectoryInformation.InitializeDomainAndForestName()
at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
[ConfigurationErrorsException]: Access is denied.
(D:\home\site\wwwroot\web.config line 106)
at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
at System.Web.Configuration.ProvidersHelper.InstantiateProviders(ProviderSettingsCollection configProviders, ProviderCollection providers, Type providerType)
at System.Web.Security.Membership.InitializeSettings(Boolean initializeGeneralSettings, RuntimeConfig appConfig, MembershipSection settings)
at System.Web.Security.Membership.Initialize()
at System.Web.Security.Membership.get_Providers()
at WebMatrix.WebData.WebSecurity.PreAppStartInit()
at WebMatrix.WebData.PreApplicationStartCode.Start()
[InvalidOperationException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
(D:\home\site\wwwroot\web.config line 106).
at System.Web.Compilation.BuildManager.InvokePreStartInitMethodsCore(ICollection`1 methods, Func`1 setHostingEnvironmentCultures)
at System.Web.Compilation.BuildManager.InvokePreStartInitMethods(ICollection`1 methods)
at System.Web.Compilation.BuildManager.CallPreStartInitMethods(String preStartInitListPath, Boolean& isRefAssemblyLoaded)
at System.Web.Compilation.BuildManager.ExecutePreAppStart()
at System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters, PolicyLevel policyLevel, Exception appDomainCreationException)
[HttpException]: The pre-application start initialization method Start on type WebMatrix.WebData.PreApplicationStartCode threw an exception with the following error message: Access is denied.
(D:\home\site\wwwroot\web.config line 106).
at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
我们尝试在 providers
和 roleManager
中禁用 WebMatrix
,但即使 ActiveDirectoryMembershipProvider
也会出现同样的错误。
有什么建议吗?
Azure App Service 在 sanbox 中运行,这就是它失败的原因。您将无法允许访问,因为您无权访问主机 OS。不过有几个选项。
- 将您的应用程序部署到 Azure VM 并将其join部署到您的本地 域名。
- Migrate your local AD authentication for your app over to Azure Active Directory and enable AAD 在您的应用上。
- 将您现有的 Active Directory 迁移到 Azure Active Directory
在我看来,选项 2 将是您的最佳选择。 doc 是此类混合云解决方案的架构概述。根据 VM 大小,选项 1 的成本会更高一些,而选项 3 将需要大量规划。