From c1e2aa84772261ce1067802883dc047ab8d776dc Mon Sep 17 00:00:00 2001 From: robvde Date: Thu, 12 Jul 2012 18:14:40 +0400 Subject: [PATCH] AD Integration enabled on the IIS7 provider. This will allow to store site content on a remote (highly available) filesystem and enabled the scenario of webfarm with a shared IIS configuration as well. The netbios domain name will need to be set in the configuration of the provider. and off course "Create Active Directory accounts" checked as well --- .../Code/WebServers/WebServerController.cs | 6 + .../OS/SystemUser.cs | 15 ++ .../WebsitePanel.Providers.Web.IIS70/IIs70.cs | 128 +++++++++++++----- .../SecurityUtils.cs | 12 ++ .../IIS70_Settings.ascx.resx | 7 +- .../ProviderControls/IIS70_Settings.ascx | 8 ++ .../ProviderControls/IIS70_Settings.ascx.cs | 2 + .../IIS70_Settings.ascx.designer.cs | 18 +++ 8 files changed, 159 insertions(+), 37 deletions(-) diff --git a/WebsitePanel/Sources/WebsitePanel.EnterpriseServer/Code/WebServers/WebServerController.cs b/WebsitePanel/Sources/WebsitePanel.EnterpriseServer/Code/WebServers/WebServerController.cs index fced17ff..db512686 100644 --- a/WebsitePanel/Sources/WebsitePanel.EnterpriseServer/Code/WebServers/WebServerController.cs +++ b/WebsitePanel/Sources/WebsitePanel.EnterpriseServer/Code/WebServers/WebServerController.cs @@ -2715,6 +2715,12 @@ namespace WebsitePanel.EnterpriseServer // WebServer server = GetWebServer(item.ServiceId); + StringDictionary webSettings = ServerController.GetServiceSettings(item.ServiceId); + if (webSettings["WmSvc.NETBIOS"] != null) + { + accountName = webSettings["WmSvc.NETBIOS"].ToString() + "\\" + accountName; + } + // if (server.CheckWebManagementAccountExists(accountName)) { diff --git a/WebsitePanel/Sources/WebsitePanel.Providers.Base/OS/SystemUser.cs b/WebsitePanel/Sources/WebsitePanel.Providers.Base/OS/SystemUser.cs index f9564913..314b44cc 100644 --- a/WebsitePanel/Sources/WebsitePanel.Providers.Base/OS/SystemUser.cs 
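Review bot: A stored-but-empty `WmSvc.NETBIOS` value passes the `!= null` test and turns the account into `\user`, since the portal side of this commit saves `txtWmSvcNETBIOS.Text.Trim()` without rejecting an empty box; guard with `if (!String.IsNullOrEmpty(webSettings["WmSvc.NETBIOS"]))` and drop the `.ToString()`, which the string-typed StringDictionary indexer does not need. If `accountName` can already arrive domain-qualified (the provider hunk at -3749 in this commit now stores the qualified name in `WmSvcAccountName`), the prefix is applied twice, so a check for an existing backslash before prepending may be needed as well — worth confirming against the caller. The enclosing method begins and ends outside this hunk.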
+++ b/WebsitePanel/Sources/WebsitePanel.Providers.Base/OS/SystemUser.cs @@ -40,6 +40,8 @@ namespace WebsitePanel.Providers.OS private string fullName; private string description = "WebsitePanel system account"; private string password; + private string msIIS_FTPDir = ""; + private string msIIS_FTPRoot = ""; private bool passwordCantChange; private bool passwordNeverExpires; private bool accountDisabled; @@ -98,5 +100,18 @@ namespace WebsitePanel.Providers.OS get { return memberOf; } set { memberOf = value; } } + + public string MsIIS_FTPDir + { + get { return msIIS_FTPDir; } + set { msIIS_FTPDir = value; } + } + + public string MsIIS_FTPRoot + { + get { return msIIS_FTPRoot; } + set { msIIS_FTPRoot = value; } + } + } } diff --git a/WebsitePanel/Sources/WebsitePanel.Providers.Web.IIS70/IIs70.cs b/WebsitePanel/Sources/WebsitePanel.Providers.Web.IIS70/IIs70.cs index 001401da..b80bc76c 100644 --- a/WebsitePanel/Sources/WebsitePanel.Providers.Web.IIS70/IIs70.cs +++ b/WebsitePanel/Sources/WebsitePanel.Providers.Web.IIS70/IIs70.cs @@ -325,6 +325,7 @@ namespace WebsitePanel.Providers.Web public class WebManagementServiceSettings { public string Port { get; set; } + public string NETBIOS { get; set; } public string ServiceUrl { get; set; } public int RequiresWindowsCredentials { get; set; } } @@ -3500,7 +3501,7 @@ namespace WebsitePanel.Providers.Web bool adEnabled = ServerSettings.ADEnabled; // !!! Bypass AD for WMSVC as it requires full-qualified username to authenticate user // against the web server - ServerSettings.ADEnabled = false; + //ServerSettings.ADEnabled = false; if (IdentityCredentialsMode == "IISMNGR") { @@ -3521,7 +3522,7 @@ namespace WebsitePanel.Providers.Web bool adEnabled = ServerSettings.ADEnabled; // !!! Bypass AD for WMSVC as it requires full-qualified username to authenticate user // against the web server - ServerSettings.ADEnabled = false; + //ServerSettings.ADEnabled = false; // ResultObject result = new ResultObject { IsSuccess = true }; 
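Review bot: The new properties `MsIIS_FTPDir` and `MsIIS_FTPRoot` carry no documentation, and their underscore names break the PascalCase used by neighbouring members such as `MemberOf`. Since the SecurityUtils hunk in this commit writes them to the AD attributes `msIIS-FTPDir` and `msIIS-FTPRoot`, a summary on each would make that link explicit, e.g. `/// Value written to the AD attribute msIIS-FTPDir when the account is created with AD enabled; empty means the attribute is not set.` Renaming to `MsIisFtpDir`/`MsIisFtpRoot` is optional but, if done, must be mirrored in the IIs70 and SecurityUtils callers.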
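Review bot: Commenting out `ServerSettings.ADEnabled = false;` leaves the comment above it (`// !!! Bypass AD for WMSVC ...`) stating the opposite of what the code now does, and the `bool adEnabled = ServerSettings.ADEnabled;` snapshot together with the `// Restore setting back` assignment later in each method become dead code. The same pattern appears in the hunks at -3521, -3556, -3625 and -3653. Rather than leaving the disabled line, delete it and the snapshot/restore pair, and replace the stale comment with one that documents the new contract, e.g. `// WMSVC accounts are created in AD when ADEnabled is set; the provider's WmSvc.NETBIOS setting supplies the domain prefix.` Where `adEnabled` is still read (the -3677 hunk) it can read `ServerSettings.ADEnabled` directly. Each of these methods starts outside its hunk.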
@@ -3556,7 +3557,7 @@ namespace WebsitePanel.Providers.Web bool adEnabled = ServerSettings.ADEnabled; // !!! Bypass AD for WMSVC as it requires full-qualified username to authenticate user // against the web server - ServerSettings.ADEnabled = false; + //ServerSettings.ADEnabled = false; // string fqWebPath = String.Format("/{0}", siteName); @@ -3565,6 +3566,32 @@ namespace WebsitePanel.Providers.Web Log.WriteInfo("Site Name: {0}; Account Name: {1}; Account Password: {2}; FqWebPath: {3};", siteName, accountName, accountPassword, fqWebPath); + + string contentPath = string.Empty; + using (ServerManager srvman = webObjectsSvc.GetServerManager()) + { + WebSite site = webObjectsSvc.GetWebSiteFromIIS(srvman, siteName); + // + contentPath = webObjectsSvc.GetPhysicalPath(srvman, site); + // + Log.WriteInfo("Site Content Path: {0};", contentPath); + } + + string FTPRoot = string.Empty; + string FTPDir = string.Empty; + + + if (contentPath.IndexOf("\\\\") != -1) + { + string[] Tmp = contentPath.Split('\\'); + FTPRoot = "\\\\" + Tmp[2] + "\\" + Tmp[3]; + FTPDir = contentPath.Replace(FTPRoot, ""); + } + + // + string accountNameSid = string.Empty; + + // if (IdentityCredentialsMode == "IISMNGR") { 
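Review bot: The UNC split can throw and can mis-detect the share: `contentPath.IndexOf("\\\\") != -1` is true for a double backslash anywhere in the path, not only a UNC prefix, and `Tmp[3]` raises IndexOutOfRangeException when the path has fewer than four segments (for example `\\server`). `contentPath.Replace(FTPRoot, "")` also rewrites every occurrence rather than the leading one, so a share name that reappears deeper in the path is stripped twice. The excerpt below anchors the check at the start of the string, bounds the array access and removes only the prefix. The context line above still writes `accountPassword` to the log at info level; that predates this commit, but now that these may be domain accounts with rights on a shared file system it is worth masking. The enclosing method starts before this hunk and continues in the next one.
```csharp
string FTPRoot = string.Empty;
string FTPDir = string.Empty;

// Only a path that begins with "\\" is a UNC path; Split yields ["", "", server, share, ...].
if (contentPath.StartsWith("\\\\", StringComparison.Ordinal))
{
    string[] segments = contentPath.Split('\\');
    if (segments.Length >= 4 && segments[2].Length > 0 && segments[3].Length > 0)
    {
        FTPRoot = "\\\\" + segments[2] + "\\" + segments[3];
        // Strip only the leading root, not every occurrence of it.
        FTPDir = contentPath.Substring(FTPRoot.Length);
    }
}
// … unchanged: accountNameSid declaration and the IdentityCredentialsMode branch …
```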
@@ -3583,40 +3610,33 @@ namespace WebsitePanel.Providers.Web PasswordNeverExpires = true, AccountDisabled = false, Password = accountPassword, - System = true + System = true, + MsIIS_FTPDir = FTPDir, + MsIIS_FTPRoot = FTPRoot }, ServerSettings, - String.Empty, - String.Empty); + UsersOU, + GroupsOU); // Convert account name to the full-qualified one - accountName = GetFullQualifiedAccountName(accountName); + accountName = GetFullQualifiedAccountName(accountName); + accountNameSid = GetFullQualifiedAccountNameSid(accountName); // Log.WriteInfo("FQ Account Name: {0};", accountName); } - using (ServerManager srvman = webObjectsSvc.GetServerManager()) + + ManagementAuthorization.Grant(accountName, fqWebPath, false); + // + + if (IdentityCredentialsMode == "IISMNGR") { - // - ManagementAuthorization.Grant(accountName, fqWebPath, false); - // - WebSite site = webObjectsSvc.GetWebSiteFromIIS(srvman, siteName); - // - string contentPath = webObjectsSvc.GetPhysicalPath(srvman, site); - // - Log.WriteInfo("Site Content Path: {0};", contentPath); - // - if (IdentityCredentialsMode == "IISMNGR") - { - SecurityUtils.GrantNtfsPermissionsBySid(contentPath, SystemSID.LOCAL_SERVICE, permissions, true, true); - } - else - { - SecurityUtils.GrantNtfsPermissions(contentPath, accountName, permissions, true, true, ServerSettings, String.Empty, String.Empty); - } - // Restore setting back - ServerSettings.ADEnabled = adEnabled; + SecurityUtils.GrantNtfsPermissionsBySid(contentPath, SystemSID.LOCAL_SERVICE, permissions, true, true); } - } + else + { + SecurityUtils.GrantNtfsPermissions(contentPath, accountNameSid, NTFSPermission.Modify, true, true, ServerSettings, UsersOU, GroupsOU); + } + } public override void ChangeWebManagementAccessPassword(string accountName, string accountPassword) 
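Review bot: The non-IISMNGR branch now grants `NTFSPermission.Modify` unconditionally in `SecurityUtils.GrantNtfsPermissions(contentPath, accountNameSid, NTFSPermission.Modify, ...)`, while the removed line and the LOCAL_SERVICE branch just above still use the `permissions` value the caller passed in; a caller asking for read-only access on the shared content ends up with Modify. Unless Modify is required here for a reason worth a comment, pass the argument through: `SecurityUtils.GrantNtfsPermissions(contentPath, accountNameSid, permissions, true, true, ServerSettings, UsersOU, GroupsOU);`. Note also that `accountNameSid` is only assigned next to the `CreateUser` call, so if that branch is not the one taken in the non-IISMNGR case (its opening `if`/`else` lies in the gap before this hunk) the ACL would be granted to an empty principal — worth confirming. The enclosing method begins before the previous hunk.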
@@ -3625,7 +3645,7 @@ namespace WebsitePanel.Providers.Web bool adEnabled = ServerSettings.ADEnabled; // !!! Bypass AD for WMSVC as it requires full-qualified username to authenticate user // against the web server - ServerSettings.ADEnabled = false; + //ServerSettings.ADEnabled = false; // Trace input parameters Log.WriteInfo("Account Name: {0}; Account Password: {1};", accountName, accountPassword); @@ -3653,7 +3673,7 @@ namespace WebsitePanel.Providers.Web bool adEnabled = ServerSettings.ADEnabled; // !!! Bypass AD for WMSVC as it requires full-qualified username to authenticate user // against the web server - ServerSettings.ADEnabled = false; + //ServerSettings.ADEnabled = false; // string fqWebPath = String.Format("/{0}", siteName); // Trace input parameters @@ -3677,9 +3697,18 @@ namespace WebsitePanel.Providers.Web } else { - ManagementAuthorization.Revoke(GetFullQualifiedAccountName(accountName), fqWebPath); - SecurityUtils.RemoveNtfsPermissions(contentPath, accountName, ServerSettings, String.Empty, String.Empty); - SecurityUtils.DeleteUser(accountName, ServerSettings, String.Empty); + if (adEnabled) + { + ManagementAuthorization.Revoke(GetFullQualifiedAccountName(accountName), fqWebPath); + SecurityUtils.RemoveNtfsPermissions(contentPath, accountName, ServerSettings, UsersOU, GroupsOU); + SecurityUtils.DeleteUser(accountName, ServerSettings, UsersOU); + } + else + { + ManagementAuthorization.Revoke(GetFullQualifiedAccountName(accountName), fqWebPath); + SecurityUtils.RemoveNtfsPermissions(contentPath, accountName, ServerSettings, String.Empty, String.Empty); + SecurityUtils.DeleteUser(accountName, ServerSettings, String.Empty); + } } // Restore setting back ServerSettings.ADEnabled = adEnabled; 
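Review bot: The two branches differ only in the OU arguments, yet `ManagementAuthorization.Revoke(...)` is repeated in both, and the NTFS removal uses the bare `accountName` whereas the grant path in this commit ACLs `accountNameSid` from `GetFullQualifiedAccountNameSid`; if `RemoveNtfsPermissions` resolves names differently from `GrantNtfsPermissions`, the ACE on the shared content outlives the account. Hoisting the shared call and selecting the OUs once removes the duplication; the principal mismatch is left as a TODO in the excerpt because the resolution logic is not on this page. The enclosing method starts before this hunk.
```csharp
else
{
    // Revoke is the same in both modes; only the OU arguments differ.
    ManagementAuthorization.Revoke(GetFullQualifiedAccountName(accountName), fqWebPath);
    string usersOu = adEnabled ? UsersOU : String.Empty;
    string groupsOu = adEnabled ? GroupsOU : String.Empty;
    // TODO(review): the grant path ACLs GetFullQualifiedAccountNameSid(accountName); confirm the bare name resolves to the same principal here.
    SecurityUtils.RemoveNtfsPermissions(contentPath, accountName, ServerSettings, usersOu, groupsOu);
    SecurityUtils.DeleteUser(accountName, ServerSettings, usersOu);
}
// … unchanged: restore of ServerSettings.ADEnabled …
```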
@@ -3749,10 +3778,14 @@ namespace WebsitePanel.Providers.Web // Retrieve account name if (scopeCollection.Count > 0) { - iisObject.SetValue( + /* + iisObject.SetValue( WebSite.WmSvcAccountName, GetNonQualifiedAccountName((String)scopeCollection[0]["name"])); - // + */ + iisObject.SetValue( + WebSite.WmSvcAccountName, (String)scopeCollection[0]["name"]); + // iisObject.SetValue( WebSite.WmSvcServiceUrl, ProviderSettings["WmSvc.ServiceUrl"]); // @@ -3906,6 +3939,31 @@ namespace WebsitePanel.Providers.Web return domainName != null ? domainName + "\\" + accountName : accountName; } + + protected string GetFullQualifiedAccountNameSid(string accountName) + { + // + if (!ServerSettings.ADEnabled) + return String.Format(@"{0}\{1}", Environment.MachineName, accountName); + + if (accountName.IndexOf("\\") != -1) + return accountName; // already has domain information + + // DO IT FOR ACTIVE DIRECTORY MODE ONLY + string domainName = null; + try + { + DirectoryContext objContext = new DirectoryContext(DirectoryContextType.Domain, ServerSettings.ADRootDomain); + Domain objDomain = Domain.GetDomain(objContext); + domainName = objDomain.Name; + } + catch (Exception ex) + { + Log.WriteError("Get domain name error", ex); + } + + return domainName != null ? domainName + "\\" + accountName : accountName; + } #endregion #region SSL diff --git a/WebsitePanel/Sources/WebsitePanel.Server.Utils/SecurityUtils.cs b/WebsitePanel/Sources/WebsitePanel.Server.Utils/SecurityUtils.cs index 5e87756b..7a3f5d77 100644 --- a/WebsitePanel/Sources/WebsitePanel.Server.Utils/SecurityUtils.cs +++ b/WebsitePanel/Sources/WebsitePanel.Server.Utils/SecurityUtils.cs @@ -507,6 +507,11 @@ namespace WebsitePanel.Providers.Utils { if (serverSettings.ADEnabled) { + if (user.Name.IndexOf("\\") != -1) + { + string[] tmpStr = user.Name.Split('\\'); + user.Name = tmpStr[1]; + } //check is user name less than 20 symbols if (user.Name.Length > 20) 
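Review bot: The replaced call is kept as a `/* ... */` block above the new `iisObject.SetValue(WebSite.WmSvcAccountName, (String)scopeCollection[0]["name"]);`; version control already preserves it, so delete the commented-out block. The behavioural change also deserves a comment, because `WmSvcAccountName` now carries whatever qualified form WMSVC stored rather than the stripped name, and the WebServerController hunk in this commit prepends `WmSvc.NETBIOS` to an account name before checking it — if that name originates here it will be prefixed twice; confirm against the caller. Suggested comment: `// Keep the qualified name as stored by WMSVC; callers must not re-prefix it with the domain.` The enclosing method begins before this hunk.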
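Review bot: In `GetFullQualifiedAccountNameSid` the `!ServerSettings.ADEnabled` early return runs before the `IndexOf("\\")` check, so a name that already carries a machine or domain prefix is prefixed again with `Environment.MachineName` in non-AD mode; the caller in this commit passes the result of `GetFullQualifiedAccountName`, which makes that ordering matter, so swap the two guards and let the `already has domain information` return come first. The rest of the method repeats the domain lookup visible at the end of `GetFullQualifiedAccountName` just above, and the `catch (Exception ex)` that only logs means a failed lookup silently returns an unqualified name that then feeds the ACL grant; consider delegating to the existing method and letting the failure surface. The name also promises a SID while the method returns a `DOMAIN\user` string — a summary such as `/// Returns the account name qualified with the machine name (non-AD) or the AD domain name; never a SID.` would prevent misreads.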
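Review bot: The domain strip takes `tmpStr[1]` after `Split('\\')`, which yields the wrong segment (or an empty string) for a name with a leading or repeated backslash; `user.Name = user.Name.Substring(user.Name.LastIndexOf('\\') + 1);` handles every form in one line. It also mutates the caller's `SystemUser` and discards the domain part without checking that it refers to the configured domain, so an account requested for one domain is silently created in the one `serverSettings` points at — a short comment stating that the prefix is intentionally ignored, or a comparison against the configured domain, would make that explicit. The enclosing method begins before this hunk.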
@@ -538,6 +543,13 @@ namespace WebsitePanel.Providers.Utils SetObjectProperty(objUser, "UserPrincipalName", user.Name); SetObjectProperty(objUser, "sAMAccountName", user.Name); SetObjectProperty(objUser, "UserPassword", user.Password); + + if (user.MsIIS_FTPDir != string.Empty) + { + SetObjectProperty(objUser, "msIIS-FTPDir", user.MsIIS_FTPDir); + SetObjectProperty(objUser, "msIIS-FTPRoot", user.MsIIS_FTPRoot); + } + objUser.Properties["userAccountControl"].Value = ADAccountOptions.UF_NORMAL_ACCOUNT | ADAccountOptions.UF_PASSWD_NOTREQD; objUser.CommitChanges(); diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/IIS70_Settings.ascx.resx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/IIS70_Settings.ascx.resx index 12ab9ee7..067a8d89 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/IIS70_Settings.ascx.resx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/App_LocalResources/IIS70_Settings.ascx.resx @@ -112,10 +112,10 @@ 2.0 - System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 - System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Active Directory Integration: @@ -246,4 +246,7 @@ <All unassigned> + + NETBIOS Domain name: + \ No newline at end of file 
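Review bot: The guard `if (user.MsIIS_FTPDir != string.Empty)` lets a null `MsIIS_FTPDir` through to `SetObjectProperty`, and it keys on the wrong property: in the IIs70 hunk `FTPDir` is `contentPath` with the root removed, so a site whose content path is exactly `\\server\share` has a non-empty `FTPRoot` but an empty `FTPDir`, and neither attribute gets written. Use `if (!string.IsNullOrEmpty(user.MsIIS_FTPRoot))` and write both attributes inside it. The unchanged line below still sets `UF_PASSWD_NOTREQD` on the account; that predates this commit, but these accounts now receive NTFS rights on shared content, so it is worth a separate look. The enclosing method begins before the previous hunk.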
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx index 920e3c80..32015972 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx @@ -312,6 +312,14 @@ + + + + + + + + diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.cs index 5422e65b..b1b6c30a 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.cs @@ -165,6 +165,7 @@ namespace WebsitePanel.Portal.ProviderControls // txtWmSvcServicePort.Text = settings["WmSvc.Port"]; + txtWmSvcNETBIOS.Text = settings["WmSvc.NETBIOS"]; // string wmsvcServiceUrl = settings["WmSvc.ServiceUrl"]; // @@ -235,6 +236,7 @@ namespace WebsitePanel.Portal.ProviderControls settings["ProtectedGroupsFile"] = txtProtectedGroupsFile.Text.Trim(); settings["SecureFoldersModuleAssembly"] = txtSecureFoldersModuleAsm.Text.Trim(); + settings["WmSvc.NETBIOS"] = txtWmSvcNETBIOS.Text.Trim(); settings["WmSvc.ServiceUrl"] = txtWmSvcServiceUrl.Text.Trim(); settings["WmSvc.Port"] = Utils.ParseInt(txtWmSvcServicePort.Text.Trim(), 0).ToString(); settings["WmSvc.CredentialsMode"] = ddlWmSvcCredentialsMode.SelectedValue; 
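Review bot: `settings["WmSvc.NETBIOS"] = txtWmSvcNETBIOS.Text.Trim();` stores the value without any validation, and the WebServerController hunk in this commit concatenates it straight into `DOMAIN\user`; a trailing backslash or an embedded `\`/`/` produces a malformed account name that only fails later on the IIS side. A minimal check at save time, such as rejecting the value when `txtWmSvcNETBIOS.Text.Trim().IndexOfAny(new[] { '\\', '/' }) != -1`, would surface the problem where the administrator can fix it. The enclosing methods begin before their hunks.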
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.designer.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.designer.cs index 9a5071dc..8ebc30d1 100644 --- a/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.designer.cs +++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/DesktopModules/WebsitePanel/ProviderControls/IIS70_Settings.ascx.designer.cs @@ -480,6 +480,24 @@ namespace WebsitePanel.Portal.ProviderControls { /// protected global::System.Web.UI.WebControls.DropDownList ddlWmSvcCredentialsMode; + /// + /// Label1 control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.Label Label1; + + /// + /// txtWmSvcNETBIOS control. + /// + /// + /// Auto-generated field. + /// To modify move field declaration from designer file to code-behind file. + /// + protected global::System.Web.UI.WebControls.TextBox txtWmSvcNETBIOS; + /// /// secColdFusion control. ///