ARC-411: Building an Enterprise-Grade Web Service, a Case Study: Authentication, Membership and Profile
Post on 20-Dec-2015
Course overview
Review: ASP.NET 2.0 Membership & Profile
Real-world requirements:
  A service rather than an ASP.NET website (no HTTP Context)
  Scalability: not only at the web service layer but also at the database layer
  Data model: profile data for data mining
  Supporting existing users
  Mobile user support: consistent with PC users
  Security: web service and database
Design and implementation
Requirements: Interoperability & Functionality
Must be a stateless web service; client applications must not need an HTTP Context.
Must support applications on multiple platforms (.NET Framework 1.1, 2.0, J2EE).

Requirements (Functional Requirements)
Functionality: login, email verification
  User authentication
  Membership management (password change, password reset)
  Profile: update and retrieval
  Profile management
  User favorites and preferences
Requirements: Scalability
Scalability is needed not only at the web service layer but also at the database layer; user data must be partitioned horizontally.

Requirements: scalability at the web service layer and the database layer
[Diagram: three client applications (App on J2EE, App on .NET Framework 2.0, App on .NET Framework 1.1) call a web service layer made up of several web servers, which in turn use a database layer made up of several MAP DBs.]
Requirements: Data model
Membership and profile data must be available as relational data for data mining:
  A single-valued user attribute (such as zip, email, name, etc.) will have its own column;
  A multi-valued user attribute (such as favorites) will be in a separate table.
Requirements: Supporting existing users
Existing users must still be able to log in with their existing passwords.
Existing passwords are non-retrievable (only the hash is stored).
Existing passwords were encoded differently, salted differently and hashed differently from what ASP.NET 2.0 produces.
Hash process: string -> encoding -> byte[] -> salt -> hash(byte[]) -> base64 string (CryptographyAPI.HashPassword_Aspnet20)
Existing users must be able to change or reset passwords.
After a password change or reset, the password hash follows the new standard.
Requirements: Supporting mobile users
Mobile users and PC users have different registrations (see the table on the next slide). There is no fixed order between a user's mobile registration and PC registration. To provide a consistent user experience, the two registrations must be mergeable into one, but the merge must be initiated by the user.

Requirements: Supporting mobile users - the two registrations differ
Field                 .COM    MOBILE
User name             x
Password              x
First Name            x
Last Name             x
Marketing email       x
Weekly movie email    x
Daily news email      x
Weekly news email     x
Country/State         x       x
Zip code              x       x
Gender                x       x
Date of birth         x       x
Mobile number                 x
Mobile PIN                    x
Carrier                       x
Away service ID               x
Away zip code                 x
Network                       x
Handset model                 x
Location                      x
Remote device ID              x
Channel Per Page              x
Design Decision
Comparison: requirements vs. ASP.NET 2.0 Membership & Profile
Requirement                                          ASP.NET 2.0 feature
Web service without HttpContext                      No; the membership and profile APIs are built for web apps and require HttpContext
Multiple membership and profile database servers     No
Relational data model                                No; only two value columns, PropertyValuesString and PropertyValuesBinary
Support for existing users                           No; fixed encoding (Unicode) and fixed salting, only the hash algorithm is configurable
Support for mobile users                             No, except for the existence of the mobile alias and mobile PIN columns
Authenticated access                                 WSE 3.0
Design choice: Custom Providers or ASP.NET 2.0 Providers
Provider type   Namespace             Provider
Membership      System.Web.Security   SqlMembershipProvider
Profile         System.Web.Profile    SqlProfileProvider
Design: MAP (Membership, Authentication and Profile) web service
[Diagram: the MAP web service is built on the ASP.NET 2.0 Membership and Profile API over SQL Server (MAP Database), with Security (WSE 2.0 SP3 / WSE 3.0: authentication, authorization, encryption, message signing), a User Profile Schema, and Logging.]
[Diagram: the MAP API and the .NET Framework Configuration API sit under several web servers hosting the MAP Web Service, each of which connects to several SQL Server (MAP Database) instances.]

Design: Scalability - multiple Membership Providers and Profile Providers
[Diagram: one web server hosting the MAP Web Service holds Membership Provider 1 / Profile Provider 1, Membership Provider 2 / Profile Provider 2 and Membership Provider 3 / Profile Provider 3, pointing at the Membership/Profile DB for users A-J, K-S and T-Z respectively.]
Each web server hosting the MAP web service has multiple membership providers and profile providers, each dedicated to one database server.

Design: Scalability: a provider-centric approach
[Diagram: a provider selector takes the user name and determines the provider name; the provider-centric API (web methods for register, login and password reset) then executes against that provider.]
The number of providers and the selection rules are configured in web.config.
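The following is an added example, not code from the deck (whose selector is configured in web.config against SqlMembershipProvider/SqlProfileProvider instances). It sketches the provider-centric routing in Python so the part that has to be right for horizontal partitioning can be checked offline: the rules must cover the key space without overlap, every user name must resolve to exactly one provider, and register and login must agree on that provider. The rule syntax, the default-provider fallback for names that start with a digit, and the in-memory providers are assumptions for illustration.

```python
"""Provider-centric routing for a horizontally partitioned membership store.

Added example, not the deck's code. Partition rules A-J / K-S / T-Z are from the
deck; the rule format, DefaultProvider fallback and in-memory providers are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class InMemoryProvider:
    """Stand-in for one SqlMembershipProvider bound to one database server."""
    name: str
    users: dict = field(default_factory=dict)  # username -> stored password hash (opaque here)

    def create_user(self, username, password_hash):
        if username in self.users:
            raise ValueError(f"{username} already exists in {self.name}")
        self.users[username] = password_hash

    def validate_user(self, username, password_hash):
        return self.users.get(username) == password_hash


class ProviderSelector:
    """Maps a user name to the provider whose partition covers it.

    rules: list of (first_letter_low, first_letter_high, provider_name), inclusive,
    mirroring '# of providers and rules: configured in web.config'.
    """

    def __init__(self, providers, rules, default_provider):
        self.providers = {p.name: p for p in providers}
        self.rules = [(lo.upper(), hi.upper(), name) for lo, hi, name in rules]
        self.default = default_provider
        self._check_rules()

    def _check_rules(self):
        # A rule naming an unconfigured provider, or two rules covering the same
        # letter, would let a user be registered in one partition and looked up
        # in another, so reject the configuration at start-up.
        for lo, hi, name in self.rules:
            if name not in self.providers:
                raise KeyError(f"rule {lo}-{hi} names unknown provider {name}")
        seen = set()
        for lo, hi, _ in self.rules:
            for code in range(ord(lo), ord(hi) + 1):
                if chr(code) in seen:
                    raise ValueError(f"overlapping partition rule at {chr(code)}")
                seen.add(chr(code))
        if self.default not in self.providers:
            raise KeyError(f"default provider {self.default} is not configured")

    def provider_name_for(self, username):
        # Normalise once so 'alice' and 'Alice' land in the same partition.
        key = username.strip().upper()[:1]
        for lo, hi, name in self.rules:
            if lo <= key <= hi:
                return name
        return self.default  # digits, punctuation, empty: catch-all partition

    def provider_for(self, username):
        return self.providers[self.provider_name_for(username)]

    # Provider-centric web methods: every call first determines the provider.
    def register(self, username, password_hash):
        self.provider_for(username).create_user(username, password_hash)
        return self.provider_name_for(username)

    def login(self, username, password_hash):
        return self.provider_for(username).validate_user(username, password_hash)


def build_map_selector():
    """Three providers, one per database server, as on the scalability slide."""
    providers = [InMemoryProvider("MembershipProvider1"),
                 InMemoryProvider("MembershipProvider2"),
                 InMemoryProvider("MembershipProvider3")]
    rules = [("A", "J", "MembershipProvider1"),
             ("K", "S", "MembershipProvider2"),
             ("T", "Z", "MembershipProvider3")]
    return ProviderSelector(providers, rules, default_provider="MembershipProvider1")


if __name__ == "__main__":
    sel = build_map_selector()
    print(sel.register("lwbernard", "hash"), sel.login("lwbernard", "hash"))
```

The same check belongs in the real service at start-up: if the web.config rules leave a gap or an overlap, the failure shows up only as a user who can register but never log in, which is hard to diagnose after the fact.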
.NET Framework 2.0 APIs used in the Profile setter/getter
Namespace                  Class
System.Configuration       SettingsContext
                           SettingsProperty
                           SettingsPropertyCollection
                           SettingsPropertyValue
                           SettingsPropertyValueCollection
System.Web.Configuration   ProfileSection
                           ProfilePropertySettings
                           ProfilePropertySettingsCollection
                           ProfileGroupSettings
                           ProfileGroupSettingsCollection
Design: Security
Security: the key is to follow standards instead of home-grown/custom/ad hoc approaches:
  Who sets the standards? OASIS publishes WS-Security; it builds on W3C (http://www.w3.org) specifications such as SOAP, XML Signature and XML Encryption.
  What standards? WS-Security in the WS-* specifications.
  How to implement the standards on the .NET platform?
    WSE 2.0 SP3 - .NET Framework 1.1/2.0
    WSE 3.0 - .NET Framework 2.0
    WCF (Indigo) - .NET Framework 2.0 (shipped as part of .NET Framework 3.0)
2 security surfaces:
  Secured access to the web service
  Secured access to the databases
Security Design Patterns
Platform-independent design patterns focusing on critical aspects of Web service security.
  Authentication patterns
    Direct authentication: using SQL, ADAM, Kerberos
    Brokered authentication: Kerberos, X.509, Security Token Service (SAML)
  Message protection patterns
    Data confidentiality
    Data origin authentication and integrity
  Resource access patterns
    Protocol transition and constrained delegation
    Trusted subsystem
  Boundary defense patterns
    Message replay detection
    Message validation
    Exception shielding
  Secure deployment patterns
    Perimeter service router
DESIGN: Aspects of message level security
Security aspect     Implementation options                               Implemented in MAP?
Confidentiality
Integrity
Authentication      Turn-key scenarios (WSE 3.0):                        X
                    1. Anonymous for certificate
                    2. User name for certificate
                    3. Kerberos
                    4. Mutual certificate 10 (WS-Security 1.0)
                    5. Mutual certificate 11 (WS-Security 1.1)
Authorization
Non-repudiation
Secure sessions
Secure attachments
Design: Security of resource access (from the web service to the database)
SQL authentication mode   Connection model             ASP.NET service account used    Connection string            Pros                               Cons
Windows Authentication    Trusted subsystem            1. Network Service account      Integrated Security="true"   Scalability                        No user-level auditing
                                                       2. Custom service account
                                                       3. Mirrored service account
Windows Authentication    Impersonation / Delegation                                   Integrated Security="true"   User-level auditing across tiers   Less scalable
SQL Authentication        Explicit connection string   Network Service or Custom       User Name / Password         Scalability                        Explicit password in the connection string
[Diagram: the trust boundary lies between the Web/App Server and SQL Server; in the trusted subsystem model the web service connects with a single trusted service identity.]
Design: how to get a relational Profile data model?
Assumption: SQL Server 2005 is used for data mining and reporting.
How to get a relational Profile data model?
  Wrap the profile attributes in a single profile property with serializeAs="xml" (see below);
  The PropertyValuesString column then contains well-formed XML documents instead of a custom-formatted string blob;
  The PropertyValuesString column becomes an xml data type in SQL Server 2005, either typed or untyped.
[Figure: user profile as XML (the PropertyValuesString column)]
[Figure: user profile as an XML column]
Design: Profile data model - relational vs XML
For a long time:
  Relational database: Storage: relational data tables. Definition: data model. Query: SQL.
  XML file/stream/string: Storage: XML documents or XML fragments. Definition: XML schema. Query: XPath (through the DOM, or through a class with the XmlSerializer).

Design: Profile data model - relational vs XML
Advances in database technology: XQuery brings the two together.
  Relational database: Storage: relational data tables. Definition: data model. Query: SQL.
  XML file/stream/string: Storage: XML documents or XML fragments. Definition: XML schema. Query: XPath.
  XQuery: Standard: W3C (http://www.w3.org/TR/xquery/). Implementations: 1. Microsoft SQL Server 2005, 2. IBM DB2 9.0, 3. Oracle 10g.
Database types, XQuery support, and future direction
Database type                Product      Version (with XQuery support)   Vendor
Relational                   SQL Server   2005                            Microsoft
Relational                   Oracle       10g                             Oracle
Relational                   DB2          9.0                             IBM
XML (tagged node sequences,  Ipedo XIP                                    Ipedo
  individually retrieved)
XML                          Tamino                                       Software AG
Hybrid object/relational     Caché                                        InterSystems
Design: Profile data model
[Figure: user profile as a table (the PropertyValuesString column)]
[Figure: XQuery against MAPDB1_xml]
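An added example, not the deck's code, of the data-model requirement above: the profile is wrapped as one XML document (the effect of serializeAs="xml" on a single profile property) and then shredded into the two relational shapes asked for, one column per single-valued attribute and a separate table for the multi-valued favorites. Python is used so it runs offline; in SQL Server 2005 the same shredding over an xml column is done with its nodes() and value() methods. The element names, the sample profiles and the two-table layout are assumptions.

```python
"""Profile attributes as one XML document, shredded into relational rows.

Added example, not the deck's code. Element names (UserProfile, Email, Zip, Gender,
Favorites/Item) are assumed; the deck stores the document in PropertyValuesString.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    user_name: str
    email: str
    zip_code: str
    gender: str
    favorites: list = field(default_factory=list)  # the multi-valued attribute


def to_profile_xml(p: UserProfile) -> str:
    """Equivalent of serializeAs="xml" on a single profile property."""
    root = ET.Element("UserProfile")
    ET.SubElement(root, "Email").text = p.email
    ET.SubElement(root, "Zip").text = p.zip_code
    ET.SubElement(root, "Gender").text = p.gender
    favs = ET.SubElement(root, "Favorites")
    for item in p.favorites:
        ET.SubElement(favs, "Item").text = item
    return ET.tostring(root, encoding="unicode")


def shred_profiles(rows):
    """rows: (UserName, PropertyValuesString) pairs, like the aspnet_Profile table.

    Returns two relational tables:
      users(user_name, email, zip, gender)   one row per user
      favorites(user_name, item)             one row per favorite
    """
    users, favorites = [], []
    for user_name, xml_text in rows:
        try:
            doc = ET.fromstring(xml_text)
        except ET.ParseError:
            # A legacy custom-formatted blob, not XML: skip it rather than
            # aborting the whole mining job.
            continue
        if doc.tag != "UserProfile":
            continue
        users.append((user_name,
                      doc.findtext("Email"),
                      doc.findtext("Zip"),
                      doc.findtext("Gender")))
        for item in doc.findall("./Favorites/Item"):
            favorites.append((user_name, item.text))
    return users, favorites


def count_users_by_zip(users):
    """A typical mining query once the data is relational: users per zip code."""
    counts = {}
    for _, _, zip_code, _ in users:
        counts[zip_code] = counts.get(zip_code, 0) + 1
    return counts


if __name__ == "__main__":
    alice = UserProfile("alice", "alice@example.com", "94043", "F", ["movies", "news"])
    print(to_profile_xml(alice))
    print(shred_profiles([("alice", to_profile_xml(alice))]))
```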
Design: supporting existing users
Difficulty: user passwords are non-retrievable.
Hash process: string -> encoding -> byte[] -> salt -> hash(byte[]) -> base64 string (CryptographyAPI.HashPassword_Aspnet20)
The new and existing systems differ in password encoding, salt and hash:
                     New system (ASP.NET 2.0)        Existing users (Java)
Password encoding    Unicode                         UTF-8
Hash algorithm       SHA1 (default), configurable    MD5
Pre-hash salt        Salt added                      No salt (open to dictionary attack)
SHA1 is preferable because it produces a larger hash and is considered cryptographically stronger than MD5. Note that today neither a single MD5 nor a single SHA1 over the password is considered adequate on its own; a salted and deliberately slow password hash is the current practice, and the migration logic is the same whichever hash the new standard uses.
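The following is an added example, not code from the deck or from ASP.NET, serving both the "supporting existing users" requirement and the comparison table above: the legacy scheme (UTF-8, no salt, MD5, hex) and the new scheme (Unicode, per-user salt, SHA1 by default, base64) implemented side by side, with the import of a legacy hash, verification against either format, and the move to the new standard. The exact byte layout hash(salt || password bytes) and the 16-byte base64 salt are assumptions about the ASP.NET 2.0 provider; the record layout stands in for the aspnet_Membership row. Re-hashing at the first successful login is an addition beyond the deck, which only re-hashes on password change or reset.

```python
"""Legacy (MD5/UTF-8/unsalted) vs new (SHA1/Unicode/salted) password hashes.

Added example, not the deck's code. Salt-prepended layout and 16-byte salt are
assumptions; record layout is a stand-in for aspnet_Membership.
"""
import base64
import hashlib
import hmac
import os


def legacy_hash(password: str) -> str:
    # Existing Java users: UTF-8 bytes, no salt, MD5, 32-char hex (as in the Jive export).
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_salt() -> str:
    # Per-user random salt, stored base64-encoded next to the hash.
    return base64.b64encode(os.urandom(16)).decode("ascii")


def new_hash(password: str, salt_b64: str, algorithm: str = "sha1") -> str:
    # New system: "Unicode" in .NET means UTF-16LE; salt bytes are prepended (assumed),
    # then hash(byte[]) with the configured algorithm, base64-encoded.
    data = base64.b64decode(salt_b64) + password.encode("utf-16-le")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def import_legacy_user(store: dict, username: str, legacy_hex: str) -> None:
    # Migration step 2 from the deck: store the exported hash directly; no plaintext needed.
    store[username] = {"format": "legacy", "hash": legacy_hex.lower(), "salt": None}


def set_password(store: dict, username: str, password: str) -> None:
    # Change or reset: the hash always follows the new standard.
    salt = new_salt()
    store[username] = {"format": "aspnet20", "hash": new_hash(password, salt), "salt": salt}


_DUMMY_SALT = new_salt()


def verify_password(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        new_hash(password, _DUMMY_SALT)  # do similar work for unknown users (timing)
        return False
    if rec["format"] == "legacy":
        ok = hmac.compare_digest(legacy_hash(password), rec["hash"])
        if ok:
            # The plaintext is in hand only now: upgrade to the salted scheme
            # (addition beyond the deck, which upgrades on change/reset).
            set_password(store, username, password)
        return ok
    return hmac.compare_digest(new_hash(password, rec["salt"]), rec["hash"])


if __name__ == "__main__":
    db = {}
    import_legacy_user(db, "alice", legacy_hash("password"))
    print(verify_password(db, "alice", "password"), db["alice"]["format"])
```

Comparisons use hmac.compare_digest so a wrong guess is rejected in constant time, and an unknown user costs about as much as a known one; both matter for a login web method that anyone on the network can call.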
Background: why use a salt?
Dictionary attack: pre-compute the hashes of a list of possible passwords and query the stored password hashes for matches.
Without salt: total # of hashes = [# words] x 1; total # of SELECT queries = [# words] x 1. One precomputed table serves against every user.
With salt: total # of hashes = [# words] x [# of users]; total # of SELECT queries = [# words] x [# of users]. Each user's salt forces the attacker to start over.
How are existing users' Membership and Profile data imported?
Sample of the existing system's user export (Jive Forums XML, excerpt):
<?xml version="1.0" encoding="UTF-8" ?>
<Jive xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="http://www.jivesoftware.com/products/forums/jiveforums.xsd"
      xmlversion="4.0" exportDate="2006/06/13 12:35:35.254 PDT">
  <UserList>
    <User id="700000000">
      <Username>lwbernard</Username>
      <Password>936e3bc0c93d56a2eb069e334c5303ac</Password>
      <Email visible="false">[email protected]</Email>
      <Name visible="false">Bernard Bernstein</Name>
      <CreationDate>2006/01/26 11:00:31.588 PST</CreationDate>
      <ModifiedDate>2006/05/12 10:57:12.638 PDT</ModifiedDate>
      <PropertyList>
        <Property name="profileVisibility" value="all" />
        <Property name="watch.mode" value="2" />
        <Property name="Location" value="test location" />
        <Property name="jive.passwordreset.last_sent" value="1143572162268" />
        <Property name="jiveThreadRange" value="10" />
        <Property name="imageApproved" value="false" />
        <Property name="Biography" value="This is my biography" />
        <Property name="Occupation" value="test occupation" />
        <Property name="jiveOccupation" value="test occupation" />
        <Property name="jiveLocation" value="test location" />
        <Property name="jiveMessageRange" value="10" />
        <Property name="jiveBiography" value="This is my biography" />
        <Property name="jiveAdminGroupRange" value="15" />
        <Property name="messageSortOrder" value="revChron" />
        <Property name="emailMode" value="hide" />
        <Property name="lastIP" value="172.16.247.178" />
        <Property name="jiveThreadMode" value="flat" />
        <Property name="profile-updated" value="200605311118" />
        <Property name="jive.passwordreset.token" value="pES4GAt8" />
        <Property name="curIP" value="70.20.21.178" />
        <Property name="Homepage" value="test homepage" />
        <Property name="profileApproved" value="false" />
        <Property name="user-blog-updated" value="200605311118" />
        <Property name="jiveTimeZoneID" value="America/New_York" />
        <Property name="show" value="true" />
        <Property name="jiveLocale" value="en_US" />
        <Property name="jiveSignatureVisible" value="false" />
        <Property name="jiveHomepage" value="test homepage" />
        <Property name="jive.passwordreset.timestamp" value="1143572162268" />
        <Property name="emailOnPM" value="true" />
        <Property name="blogForumID" value="700000007,700000046" />
      </PropertyList>
    </User>
Steps:
  1. Create the user's membership with a dummy password.
  2. Set the password directly to the hashed password from the export.
  3. Parse the profile data and create the user profile.
NOTES: For performance and to handle large files, do not use XmlDocument to read and parse the whole XML file. Instead, use StreamReader and XmlReader to read node by node.
A console app loads the migrated user data.
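An added example of the three migration steps and the streaming note above, not the deck's console app (which uses StreamReader and XmlReader in .NET). It reads one <User> element at a time with iterparse and discards it afterwards, so memory stays flat however large the export is; it rejects records whose <Password> is not a usable hash (step 2 needs one) and leaves Jive-internal password-reset state out of the new profile. The export structure follows the sample above; the sample document here is constructed, the skip list and the in-memory membership and profile tables are assumptions standing in for the MAP database writes.

```python
"""Streaming import of a Jive user export, one <User> at a time.

Added example, not the deck's code. Sample export is constructed; SKIP_PREFIXES and
the in-memory tables are assumptions.
"""
import io
import xml.etree.ElementTree as ET

SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<Jive xmlversion="4.0" exportDate="2006/06/13 12:35:35.254 PDT">
  <UserList>
    <User id="1">
      <Username>alice</Username>
      <Password>5f4dcc3b5aa765d61d8327deb882cf99</Password>
      <Email visible="false">alice@example.com</Email>
      <PropertyList>
        <Property name="Location" value="test location" />
        <Property name="jive.passwordreset.token" value="abc123" />
      </PropertyList>
    </User>
    <User id="2">
      <Username>bob</Username>
      <Password>not-a-hash</Password>
      <Email visible="true">bob@example.com</Email>
      <PropertyList/>
    </User>
  </UserList>
</Jive>
"""

# Jive-internal state (reset tokens, timestamps) that must not be copied into the new profile.
SKIP_PREFIXES = ("jive.passwordreset.",)


def is_md5_hex(s: str) -> bool:
    """The legacy hash is a 32-char hex MD5 digest; anything else cannot be imported as-is."""
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def import_users(stream, membership: dict, profile: dict):
    """Reads <User> elements with iterparse, clears each after use, and returns
    (imported_names, rejected_names)."""
    imported, rejected = [], []
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "User":
            continue
        name = (elem.findtext("Username") or "").strip()
        pw = (elem.findtext("Password") or "").strip()
        if not name or not is_md5_hex(pw):
            rejected.append(name or elem.get("id"))
        else:
            # Steps 1 and 2: the membership row is created with the legacy hash set
            # directly, so no dummy password ever survives in the store.
            membership[name] = {"format": "legacy", "hash": pw.lower()}
            # Step 3: profile data, minus internal properties.
            props = {p.get("name"): p.get("value")
                     for p in elem.iterfind("./PropertyList/Property")
                     if not p.get("name", "").startswith(SKIP_PREFIXES)}
            props["Email"] = elem.findtext("Email")
            profile[name] = props
            imported.append(name)
        elem.clear()  # release the subtree before moving to the next user
    return imported, rejected


def import_sample():
    """Runs the import over the constructed export; returns the tables and the result."""
    membership, profile = {}, {}
    result = import_users(io.BytesIO(SAMPLE_EXPORT.encode("utf-8")), membership, profile)
    return membership, profile, result


if __name__ == "__main__":
    print(import_sample())
```

For a real export, pass an open binary file instead of the BytesIO; nothing else changes, and the rejected list is what the operator reviews before the cut-over.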
Design: supporting mobile users
Difficulty: mobile users and PC users have different registrations, and there is no fixed order between a user's mobile registration and PC registration. We cannot force consolidation (a PC user may not have a mobile account, and a mobile user may not have a PC account).
Goal: provide a consistent user experience.
Solution: the merge is initiated by the user.
Summary:
  A service rather than an ASP.NET website (no HTTP Context)
  Scalability: not only at the web service layer but also at the database layer
  Data model: profile data for data mining
  Supporting existing users
  Mobile user support: consistent with PC users
  Security: web service and database
Resources
Web Services & Other Distributed Technologies Developer Center (msdn.microsoft.com/webservices/building/wse)
  Video presentations by the WSE team
  Hands-on labs for messaging and security
  Articles on WSE 3.0
WSE 3.0 Security: Interoperability Considerations, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_appx_interopcons_wse30.asp
Introduction to Building Windows Communication Foundation Services, Clemens Vasters, MSDN Online: http://msdn.microsoft.com/webservices/indigo/default.aspx?pull=/library/en-us/dnlong/html/introtowcf.asp
APPENDIX: Security - web service connecting to SQL Server using the Trusted Subsystem model
To use the Network Service account: in SQL Server, add a SQL login / database user for domain\webmachinename$ (the web server's existing machine account).
To use a custom service account in ASP.NET 2.0 (for a mirrored service account):
  Create a local or domain account.
  Run C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -ga domain\acct to grant the account the permissions ASP.NET needs.
  Create a custom AppPool running as that account and use it for the site.
Gotchas:
  Make sure the World Wide Web Publishing service is started.
  Restart the World Wide Web Publishing service after changing the AppPool identity, to avoid the "Mutex cannot be created" error.
  Grant the custom service account Read/Write access to C:\Windows\Temp\.
Q&A