Beginner: Exceptions When ASP.NET Accesses an Access Database Through the OLEDB Adapter

xiaoxiao2021-03-06  77

This is a common problem that is asked about often, especially on Win2003. The connection exception is usually caused by disk permissions: the system's default ASP.NET account has only minimal privileges on NTFS partitions, so access to the database file can fail with an exception. The solution is to set the appropriate permissions in the system.

In addition, an exclusive access mode specified in the connection string can also cause an exception. In that case you only need to correct the connection string, for example:

conx.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Password=;User ID=Admin;Data Source=" + Server.MapPath("Data\\Elegant holiday.mdb") + ";";

The MSDN article on creating a custom account to run ASP.NET makes it easier to understand how to deploy an ASP.NET project securely.

----------------------------------------------------------------------------------

How to create a custom account to run ASP.NET

Microsoft Corporation

Objective
Use this module to:
• Create a least-privileged account with sufficient permissions to run an ASP.NET application properly.
• Configure ASP.NET to run using the custom least-privileged account.

Applies to
This module applies to the following products and technologies:
• Microsoft Windows XP or Windows 2000 Server (with Service Pack 3) and later versions
• Microsoft .NET Framework version 1.0 (with Service Pack 2) and later
• Internet Information Services (IIS) 5.0 or 6.0 (only when using IIS 5.0 isolation mode)

How to use this module
To get the most out of this module:
• You must have experience developing ASP.NET Web applications and be familiar with the use and structure of the Machine.config file.
• You must have experience creating and managing stand-alone or domain-based Windows user accounts using the Windows management tools.
• Read the module "ASP.NET Security". It provides details on how ASP.NET security works, how the ASP.NET worker process identity affects the permissions of a running application, and how impersonation can be used to easily grant the users of a Web application the appropriate level of permissions.

Summary
By default, each ASP.NET worker process runs in the context of a least-privileged account named ASPNET. If the ASP.NET application is deployed on a domain-based server or requires access to resources on a remote server, you can simplify management by configuring ASP.NET to run in the context of a different account. This module describes how to configure ASP.NET to run in the context of a local account or a domain account, and describes the permissions to assign to this account so that it works.

Preliminary knowledge
Before you start using this module, you should be aware of the following.

ASP.NET worker process identity
The default account for running ASP.NET (created during installation) is a least-privileged local account and is specified in Machine.config as shown below:

This account is identified under Local Users and Groups as ASPNET, and it has a strong password that is protected in the Local System Authority (LSA).

When you need to use the ASP.NET process identity to access a network resource (such as a database), you can do either of the following:
• Use a domain account.
• Use a mirrored local account (that is, an account whose user name and password match on both computers). This method is required when the computers are in different domains with no trust relationship, or when the computers are separated by a firewall that is not opened for NTLM or Kerberos authentication.

The easiest way is to change the password of the ASPNET account to a known value on the Web server, then create an account called ASPNET with the same password on the target computer. On the Web server, you must first change the ASPNET account password in Local Users and Groups, and then replace the credentials on the element in Machine.config. Clear-text passwords should not be stored in Machine.config; use ASPNET_SETREG.EXE to store the encrypted password in the registry instead. For more information, see Module 8, "ASP.NET Security".

You can use the steps provided in this module to create a least-privileged local account.

Impersonating a fixed identity
You can set a fixed identity for a specific virtual directory by using the following setting in Web.config. Use ASPNET_SETREG.EXE to store the encrypted credentials in the registry.

This method is typically used when there are multiple Web sites on the same Web server and these sites need to run under different identities; for example, it is needed in application hosting scenarios.

This module describes how to create a least-privileged local account. If administration is your main concern, you can use a least-privileged account with a strong password.

When considering an account for running ASP.NET, remember the following:
• ASP.NET does not impersonate by default. Therefore, any resource access performed by the Web application uses the ASP.NET process identity. In this case, Windows resources must have an access control list (ACL) that grants access to the ASP.NET process account.
• If impersonation is enabled, the application accesses resources using the security context of the original caller or, if IIS is configured for anonymous authentication, the anonymous Internet user account (IUSR_MACHINE by default). In this case, resources must have an ACL based on the original caller's identity (or IUSR_MACHINE).
• When you create a custom account, always follow the principle of least privilege: grant only the minimum required privileges and permissions.
• Avoid running ASP.NET using the SYSTEM account.
• Avoid granting the "Act as part of the operating system" privilege to this account.

Create a new local account
This procedure creates a new local account. By default, the new account is added to the local Users group.

To create a new local account:
1. Create a local account (for example, "CustomASPNET"). Make sure you use a strong password for this account. A strong password should contain at least seven characters and use mixed-case letters, numbers, and other characters (such as * or $).
2. Clear the User must change password at next logon option.
3. Select the Password never expires option.

Assign minimal privileges
This procedure assigns the minimum set of privileges required to run ASP.NET.

To assign minimal privileges:
1. From the Administrative Tools program group, launch the Local Security Policy tool.
2. Expand Local Policies and select User Rights Assignment. A list of privileges is displayed in the right pane.
3. Assign the following privileges to the new account:
• Access this computer from the network
• Log on as a batch job
• Deny logon locally
• Deny logon through Terminal Services
Note: To assign a privilege to an account, double-click the privilege, then click Add to select the required account.
4. Close the tool.

Assign NTFS permissions
This procedure grants the required NTFS permissions to the custom ASP.NET account in the local file system.

Note: The steps in this procedure apply to the file system on the Web server (not to file systems on remote computers, where you may duplicate this account for network authentication purposes).

To assign NTFS permissions:
• Start Windows Explorer and assign the appropriate permissions to the folders specified in Table 1.

The fixed impersonation account mentioned in Table 1 refers to an account that can optionally be configured using the element in Web.config, as shown below. In this example, aspnet_setreg.exe has been used to store the custom account credentials in the registry in encrypted format.

Table 1: Required NTFS permissions

• Temporary ASP.NET Files: C:\WINNT\Microsoft.NET\Framework\ \Temporary ASP.NET Files
  Required permission: Full Control
  Account: Process and fixed impersonation accounts
  Comments: This is the ASP.NET dynamic compilation location. Application code is generated under this folder in a discrete directory for each application. The Tempdir property in the element can be used to change this default location.

• Temporary folder: C:\WINNT\Temp
  Required permission: Read/Write/Delete
  Account: Process
  Comments: Location used by Web services to generate serialization proxies. Note that the Delete permission is set using the Advanced button on the Security page of the Windows Explorer folder Properties dialog.

• Application virtual directory: C:\Inetpub\wwwroot\WebApp1
  Required permission: Read
  Account: Process
  Comments: The Web application files (that is, the virtual root directory of the application). By default, the Users group has the appropriate access.

• Installation hierarchy (%installroot%): C:\WINNT\Microsoft.NET\Framework\v1.0.3705
  Required permission: Read
  Account: Process and fixed impersonation accounts
  Comments: ASP.NET must be able to access the .NET Framework assemblies. By default, the Users group has the appropriate access.

• Global assembly cache: C:\WINNT\assembly
  Required permission: Read
  Account: Process and fixed impersonation accounts
  Comments: This is the global assembly cache. Windows Explorer cannot be used directly to edit the ACL of this folder. Use a command window and run the following command:
      cacls %windir%\assembly /e /t /p domain\useraccount:R
  Alternatively, before using Windows Explorer, unregister shfusion.dll with the following command:
      regsvr32 -u shfusion.dll
  After setting permissions with Windows Explorer, re-register shfusion.dll with the following command:
      regsvr32 shfusion.dll

• Web site root directory: C:\Inetpub\wwwroot, or the path that the default Web site points to
  Required permission: Read
  Account: Process
  Comments: ASP.NET reads configuration files and monitors file changes in this folder.

• System root directory: C:\WINNT\system32
  Required permission: Read
  Account: Process
  Comments: For system DLLs loaded by the Framework.

• Application folder hierarchy: C:\, C:\Inetpub\, C:\Inetpub\wwwroot\, C:\Inetpub\wwwroot\myWebApp1
  Required permission: List Folder/Read
  Account: Process
  Comments: For file change notifications and the C# compiler (to canonicalize file names), the process account requires List Folder and Read Data permissions on the application folder hierarchy, that is, on all the parent folders back to the root directory.

Configure ASP.NET to run using the new account
This procedure configures ASP.NET to run using the new account by editing Machine.config.

To configure ASP.NET to run using the new account:
1. At a command prompt, run ASPNET_SETREG.EXE to add an encrypted version of the custom account's user name and password to the registry. For more information about this utility and to download it, see Microsoft Knowledge Base article 329290, "HOWTO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings", at http://support.microsoft.com/default.aspx?scid=329290.

   aspnet_setreg -k:SOFTWARE\YourSecureApp\ProcessModel -u:"CustomASPNET" -p:"YourStrongPassword"

2. Use Visual Studio .NET or Notepad to open Machine.config. Machine.config is located in the following folder: C:\WINNT\Microsoft.NET\Framework\v1.0.3705\CONFIG
3. Locate the element and set the user name and password attributes to the following strings, which point to the encrypted credentials.
   Default:
   Becomes:
4. Save the changes to Machine.config.
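The credential rules in this module (no clear-text password in Machine.config, no SYSTEM account, encrypted credentials referenced from the registry) can be checked mechanically. The following is an added example, not code from the original article or from Microsoft. It assumes the ASP.NET `processModel` and `identity` configuration elements and the `registry:` attribute syntax described in KB 329290, none of which survive on this page; both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: SYSTEM process account and a clear-text password.
WEAK = """<configuration><system.web>
  <processModel enable="true" userName="SYSTEM" password="AutoGenerate" />
  <identity impersonate="true" userName="CustomASPNET"
            password="YourStrongPassword" />
</system.web></configuration>"""

# Constructed sample: credentials stored by aspnet_setreg and referenced
# through the registry (key path from the aspnet_setreg command on this page).
KEY = r"registry:HKLM\SOFTWARE\YourSecureApp\ProcessModel\ASPNET_SETREG"
HARDENED = f"""<configuration><system.web>
  <processModel enable="true" userName="{KEY},userName"
                password="{KEY},password" />
</system.web></configuration>"""


def is_registry_ref(value):
    return value.lower().startswith("registry:")


def audit_config(xml_text):
    """Return (element, finding) pairs for risky credential settings."""
    findings = []
    root = ET.fromstring(xml_text)
    for tag in ("processModel", "identity"):
        for el in root.iter(tag):
            user = el.get("userName", "")
            pwd = el.get("password", "")
            if user.lower() == "system":
                findings.append((tag, "runs as SYSTEM"))
            # "AutoGenerate" is the placeholder used with built-in accounts.
            if pwd and pwd != "AutoGenerate" and not is_registry_ref(pwd):
                findings.append((tag, "clear-text password"))
            if is_registry_ref(user) != is_registry_ref(pwd):
                findings.append((tag, "only one attribute uses registry:"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_config(cfg))
```

Run it against a copy of Machine.config or Web.config by passing the file's text to `audit_config`; an empty list means none of the three conditions were found.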

When reposting, please cite the original address: https://www.9cbs.com/read-95273.html
