SharePoint list access across Application Pools

Time: 2022-10-02 22:58:02

I have a requirement where I need to be able to access a list which sits in Central Administration from an Application Page which sits on my Web Front End (WFE). The issue I have is that the Application Pool User for my WFE does not have access to the SharePoint_AdminContent database, so I get access denied. They both have their own App Pools.

In the logs it shows the following:

  • Reverting to process identity

  • Current user before SqlConnection.Open: Name: SharePointDemo\SPContentPool SID: S-1-5-20 ImpersonationLevel: None

  • Current user after SqlConnection.Open: Name: SharePointDemo\SPContentPool: S-1-5-20 ImpersonationLevel: None

  • Insufficient SQL database permissions for user 'SPContentPool' in database 'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275' on SQL Server instance 'SPNSQL'. Additional error information from SQL Server is included below. The EXECUTE permission was denied on the object 'proc_EnumLists', database 'SharePoint_AdminContent_53169fb3-137c-44b2-b90e-961b656e4275', schema 'dbo'.

I have tried to RunWithElevatedPrivileges as well as trying Daniel Larson's method (http://daniellarson.spaces.live.com/blog/cns!D3543C5837291E93!1919.entry), which uses the SharePoint\System user token, but it only seems to elevate as high as the Application Pool.

I am hoping there is an easy way to impersonate the Application Pool of the Admin Web Application but have been unable to find a way to do so yet... Or change the process identity to one which has access.

Any thoughts, ideas or solutions are thankfully received!

Phill

3 solutions

#1


The problem is that the CA Application Pool and the WFE Application pool most likely run under different accounts, which is best practice though annoying when you are a developer. There is no amount of Elevating Privileges you can do using SPSecurity.RunWithElevatedPrivileges to get around this.

Providing your security policy allows this, you can give the application pool that runs your WFE Web Application the same credentials as the Central Administration Application Pool.

This can be done using the Service Accounts screen at:

http:///_admin/FarmCredentialManagement.aspx

If you go down the web service route, you may want to roll your own web service to prevent too much 'chatting' over HTTP.

#2


You should try to use the List web service to access the list items. And set the credentials before connecting to the web service.
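
One way to do what this answer describes, as an added example that is not part of the original answer: a C# call to the Lists web service (`_vti_bin/Lists.asmx`) with credentials set explicitly, so the WFE pool identity never touches the admin content database. The account `svc-listreader`, the list name and the `CA_URL` / `LIST_READER_PW` environment variables are assumed placeholders; the account needs read access to that list only.

```csharp
using System;
using System.Net;
using System.Text;
using System.Xml.Linq;

static class CentralAdminListReader
{
    static readonly XNamespace Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Sp = "http://schemas.microsoft.com/sharepoint/soap/";
    static readonly XNamespace Row = "#RowsetSchema";

    // Constructed sample of the rowset returned by GetListItems, for offline runs.
    const string Sample = "<rs:data xmlns:rs='urn:schemas-microsoft-com:rowset' " +
        "xmlns:z='#RowsetSchema'><z:row ows_Title='Constructed item' /></rs:data>";

    // Build the SOAP body with XElement so the list name is XML-escaped.
    static string BuildEnvelope(string listName) =>
        new XElement(Soap + "Envelope", new XElement(Soap + "Body",
            new XElement(Sp + "GetListItems",
                new XElement(Sp + "listName", listName)))).ToString();

    static XDocument GetListItems(string siteUrl, string listName, ICredentials creds)
    {
        var req = (HttpWebRequest)WebRequest.Create(
            siteUrl.TrimEnd('/') + "/_vti_bin/Lists.asmx");
        req.Method = "POST";
        req.ContentType = "text/xml; charset=utf-8";
        req.Headers.Add("SOAPAction", "\"" + Sp.NamespaceName + "GetListItems\"");
        req.Credentials = creds; // explicit account, not the WFE pool identity
        byte[] body = Encoding.UTF8.GetBytes(BuildEnvelope(listName));
        using (var s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (var resp = req.GetResponse())
        using (var rs = resp.GetResponseStream())
            return XDocument.Load(rs);
    }

    static void Main()
    {
        // CA_URL, LIST_READER_PW, svc-listreader and "Example List" are placeholders.
        string url = Environment.GetEnvironmentVariable("CA_URL");
        XDocument doc = url == null
            ? XDocument.Parse(Sample)
            : GetListItems(url, "Example List", new NetworkCredential("svc-listreader",
                Environment.GetEnvironmentVariable("LIST_READER_PW"), "SharePointDemo"));
        foreach (XElement row in doc.Descendants(Row + "row"))
            Console.WriteLine((string)row.Attribute("ows_Title"));
    }
}
```

With `CA_URL` unset the program parses the constructed sample; with it set, the password is read from the environment rather than compiled into the page assembly.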

#3


Have you tried regular Windows impersonation? You should probably be able to impersonate the service account and get access to the list that way.
