Problem description
===================
A SharePoint 2010 farm had several front-end servers. After a new web application was created on the Central Administration server, the corresponding IIS site was not created on some of the front ends.
Troubleshooting
===================
The ULS log contains the following entries.
The Execute method of job definition Microsoft.SharePoint.Administration.SPWebApplicationProvisioningJobDefinition (ID a3452d38-4f6f-474a-8839-953b63cb31b4) threw an exception. More information is included below. Access is denied.
Exception stack trace: at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_IsContainer() at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container) at System.DirectoryServices.DirectoryEntries.GetEnumerator() at Microsoft.SharePoint.Administration.SPIisWebSite.LookupByServerComment(String serverComment, Int32& instanceId) at Microsoft.SharePoint.Administration.SPWebApplication.GetLocalIisWebSites() at Microsoft.SharePoint.Administration.SPWebApplication.Provision() at Microsoft.SharePoint.Administration.SPWebApplicationProvisioningJobDefinition.Execute(Guid targetInstanceId) at Microsoft.SharePoint.Adminis...
Further investigation showed that what the code at the throw site does is equivalent to the following PowerShell script.
$s_w3svc = "IIS://localhost/w3svc"   # ADSI path of the IIS metabase W3SVC node
$iis = New-Object System.DirectoryServices.DirectoryEntry
$iis.Path = $s_w3svc
foreach ($i in $iis.Children) { $i }   # enumerate the IIS sites, as SPIisWebSite.LookupByServerComment does
On the problem machine, this script ran normally.
Attaching WinDbg to OWSTimer.exe, I caught the exception; its type is System.Runtime.InteropServices.COMException.
In SharePoint 2007 the exception type would have been recorded in the event log; in SPS 2010 it is not, which made the troubleshooting somewhat harder.
Knowing the exception type tells us that the exception was thrown by COM. The symptom: the script runs fine when executed directly, but the same operation fails inside OWSTimer.exe.
So I suspected that the COM impersonation configuration was not set correctly.
The COM default impersonation level can be checked with the following steps.
The setting turned out to be Delegate.
Since Delegate is the strongest impersonation level, it also has the strictest requirements; clearly SharePoint's OWSTimer.exe, when impersonating the app pool account or the farm account, did not meet all of them,
so the call was rejected with "Access is denied".
Solution
====================
Change the Default Impersonation Level on the SharePoint front ends back to the default value, Identify.
This resolved the problem.
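As an added example (not part of the original post), the following PowerShell audits the machine-wide DCOM default impersonation level on each front end and reports any server that has drifted from Identify. It assumes the registry value HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel (1=Anonymous, 2=Identify, 3=Impersonate, 4=Delegate), which is what the dcomcnfg "Default Impersonation Level" setting writes; the server names are placeholders.

```powershell
# Added example, not from the original post: audit the DCOM default impersonation
# level on every SharePoint front end and flag servers that are not set to Identify.
# Assumption: HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel holds the value
# (1=Anonymous, 2=Identify, 3=Impersonate, 4=Delegate); a missing value means the OS default.
$levelNames = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-DcomImpersonationLevel {
    # Returns the effective level as an integer; absent value = Identify (2).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $item = Get-ItemProperty -Path $key -Name 'LegacyImpersonationLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }
    return [int]$item.LegacyImpersonationLevel
}

# Placeholder server names; in a real farm take the list from Get-SPServer.
$frontEnds = @('WFE01', 'WFE02')

$report = foreach ($server in $frontEnds) {
    $level = Invoke-Command -ComputerName $server -ScriptBlock ${function:Get-DcomImpersonationLevel}
    [pscustomobject]@{
        Server   = $server
        Level    = $levelNames[$level]
        NeedsFix = ($level -ne 2)
    }
}
$report | Format-Table -AutoSize

# Remediation matching the fix above: set drifted servers back to Identify (2).
# The timer service reads the default when its process starts, so restart
# OWSTimer.exe (SPTimerV4) on each changed server afterwards.
foreach ($r in ($report | Where-Object NeedsFix)) {
    Invoke-Command -ComputerName $r.Server -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' `
            -Name 'LegacyImpersonationLevel' -Value 2 -Type DWord
    }
}
```

Run the audit half first and review the table before letting the remediation loop change anything.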
Some concepts around Impersonation
====================
What is Impersonation?
Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread.
What are access tokens?
Access tokens are objects that describe the security context of a process or thread. They provide information that includes the identity of a user account and a subset of the privileges available to the user account.
If impersonation succeeds, it means that the client has agreed to let the server be the client to some degree. The varying degrees of impersonation are called impersonation levels, and they indicate how much authority is given to the server when it is impersonating the client.
Which is stricter, the Identify or the Delegate impersonation level?
Delegate is the most powerful impersonation level, and therefore the strictest; all of the following conditions must be met:
- The client must set the impersonation level to RPC_C_IMP_LEVEL_DELEGATE.
- The client account must not be marked "Account is sensitive and cannot be delegated" in the Active Directory Service.
- The server account must be marked with the "Trusted for delegation" attribute in the Active Directory Service.
- The computers hosting the client, the server, and any "downstream" servers must all be running in a domain.
Q108324: Configure the DCOM Settings on Your Computer
http://consumerdocs.installshield.com/selfservice/viewContent.do?externalId=Q108324&sliceId=1
Delegation and Impersonation
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680054(v=vs.85).aspx
Impersonation Levels
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686632(v=vs.85).aspx
Setting an Impersonation Level
http://msdn.microsoft.com/en-us/library/windows/desktop/ms681722(v=vs.85).aspx