我创建了一个web服务,它应该允许向Exchange Server Powershell传递命令。当我通过使用VS (localhost)在机器上运行它来测试它时,一切都正常。但是,当我尝试从其他机器上使用此服务时,却收到“拒绝访问”(Access Denied)错误。
这是服务:
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Remoting;
using System.Management.Automation.Runspaces;
using System.Configuration;
using Microsoft.Exchange.WebServices.Data;
namespace pshell
{
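/// <summary>
/// Web service that relays one command, with optional parameters, to a remote
/// Exchange PowerShell endpoint and returns the outcome as an XML fragment.
/// </summary>
/// <remarks>
/// Review notes for anyone deploying this:
/// - Caller credentials arrive as ordinary SOAP parameters, so they are only
///   as confidential as the transport; publish the service over HTTPS only.
/// - The remote session runs as the account named in appSettings
///   (UUNAME / UUPASS). That password is read as plain text from configuration,
///   so the configuration section should be encrypted and the account limited
///   to the Exchange roles the exposed commands need.
/// - Error text from PowerShell is returned to the caller; it can reveal
///   server names and internal state. Log it server-side and return a generic
///   message if callers are not fully trusted.
/// </remarks>
[WebService(Namespace = "http://some1.domain.int/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[System.ComponentModel.ToolboxItem(false)]
public class PowerShellService : System.Web.Services.WebService
{
    private const string MissingCommandResult =
        "<collection><RESULT status=\"ERROR\" message=\"Missing command!\" /></collection>";

    /// <summary>
    /// Checks the caller-supplied user name and password.
    /// </summary>
    /// <param name="u">User name sent by the caller (may be null).</param>
    /// <param name="p">Password sent by the caller (may be null).</param>
    /// <returns>True only when both values match the expected pair.</returns>
    private bool Authenticate(string u, string p)
    {
        // The literals are redacted placeholders. Real credentials do not belong
        // in source: keep a salted password hash in protected configuration, or
        // let IIS authenticate the caller (Windows auth / client certificates).
        bool userMatches = FixedTimeEquals(u, "xxxxxx");
        bool passwordMatches = FixedTimeEquals(p, "xxxxxxx");

        // Non-short-circuit AND so both comparisons always run.
        return userMatches & passwordMatches;
    }

    /// <summary>
    /// Compares two strings without returning early on the first differing
    /// character, so response time does not reveal how much of a guess matched.
    /// </summary>
    private static bool FixedTimeEquals(string supplied, string expected)
    {
        if (supplied == null || expected == null)
        {
            return false;
        }

        int difference = supplied.Length ^ expected.Length;
        for (int i = 0; i < expected.Length; i++)
        {
            char candidate = i < supplied.Length ? supplied[i] : '\0';
            difference |= candidate ^ expected[i];
        }

        return difference == 0;
    }

    /// <summary>
    /// Maps a user name to a privilege level: 100 for the single privileged
    /// account, 0 for everyone else.
    /// </summary>
    private int SecurityLevel(string u)
    {
        // Redacted placeholder, as in Authenticate.
        if (u == "xxxxx")
        {
            return 100;
        }

        return 0;
    }

    /// <summary>
    /// Decides whether <paramref name="user"/> may run <paramref name="commandName"/>.
    /// </summary>
    private bool IsCommandAllowed(string user, string commandName)
    {
        int level = SecurityLevel(user);

        if (level >= 100)
        {
            // NOTE(review): level 100 may run any command name the endpoint
            // exposes, with the service account's rights. A fixed allow-list per
            // role would keep a leaked service password from turning into full
            // Exchange administration.
            return true;
        }

        if (level >= 90)
        {
            // SecurityLevel currently returns only 100 or 0, so this tier is
            // unreachable until intermediate levels are defined.
            // Ordinal comparison: command names are identifiers, not culture text.
            return string.Equals(commandName, "get-mailbox", System.StringComparison.OrdinalIgnoreCase);
        }

        return false;
    }

    /// <summary>Wraps a message in the service's single-error XML envelope.</summary>
    private static string ErrorCollection(string message)
    {
        return "<collection><RESULT status=\"ERROR\" message=\"" + Escape(message) + "\" /></collection>";
    }

    /// <summary>Escapes text for use in XML attribute values and element content.</summary>
    private static string Escape(string text)
    {
        return System.Security.SecurityElement.Escape(text) ?? string.Empty;
    }

    /// <summary>Copies a string into a read-only SecureString.</summary>
    private static System.Security.SecureString ToSecureString(string text)
    {
        System.Security.SecureString secure = new System.Security.SecureString();
        foreach (char c in text)
        {
            secure.AppendChar(c);
        }

        secure.MakeReadOnly();
        return secure;
    }

    /// <summary>
    /// Parses the "name=value|name=value" list and adds each pair to the command.
    /// </summary>
    /// <returns>Null on success, otherwise the error message to return.</returns>
    private static string AddParameters(PSCommand command, string pars)
    {
        if (pars == null || pars.Trim().Length == 0)
        {
            return null;
        }

        foreach (string item in pars.Split('|'))
        {
            // An item without '=' used to make Substring throw and surface as an
            // unhandled fault; reject it explicitly instead.
            int separator = item.IndexOf('=');
            if (separator <= 0)
            {
                return "Malformed parameter!";
            }

            string name = item.Substring(0, separator).Trim();
            string value = item.Substring(separator + 1);
            if (name.Length == 0)
            {
                return "Malformed parameter!";
            }

            string normalized = value.Trim();
            if (string.Equals(name, "password", System.StringComparison.OrdinalIgnoreCase))
            {
                // Password parameters are passed on as SecureString.
                command.AddParameter(name, ToSecureString(value));
            }
            else if (string.Equals(normalized, "true", System.StringComparison.OrdinalIgnoreCase))
            {
                command.AddParameter(name, true);
            }
            else if (string.Equals(normalized, "false", System.StringComparison.OrdinalIgnoreCase))
            {
                command.AddParameter(name, false);
            }
            else
            {
                command.AddParameter(name, value);
            }
        }

        return null;
    }

    /// <summary>
    /// Authenticates the caller, checks the command against the caller's
    /// privilege level, runs it in a remote Exchange PowerShell session and
    /// returns the results.
    /// </summary>
    /// <param name="authuser">Caller user name.</param>
    /// <param name="authpass">Caller password.</param>
    /// <param name="cmd">Name of the command to run.</param>
    /// <param name="pars">Optional parameters as "name=value" pairs separated by '|'.</param>
    /// <returns>
    /// A "collection" XML fragment holding RESULT status elements and, on
    /// success, one element per property of each returned object.
    /// </returns>
    /// <remarks>
    /// Failure to open the remote session is not caught here and still reaches
    /// the caller as a fault, as before; the session objects are now released
    /// in that case too.
    /// </remarks>
    [WebMethod]
    public string PSCmd(string authuser, string authpass, string cmd, string pars)
    {
        if (!Authenticate(authuser, authpass))
        {
            return "<collection><RESULT status=\"ERROR\" message=\"Authentication failed!\" /></collection>";
        }

        // Validate the request before any secret is read or any session opened.
        if (cmd == null || cmd.Trim().Length == 0)
        {
            return MissingCommandResult;
        }

        string commandName = cmd.Trim();
        if (!IsCommandAllowed(authuser, commandName))
        {
            // Previously a disallowed command left an empty command object that
            // was still passed on for execution; refuse explicitly instead.
            return ErrorCollection("Command not allowed!");
        }

        // AddCommand treats the text as a command name, not as script.
        PSCommand command = new PSCommand();
        command.AddCommand(commandName);

        string parameterError = AddParameters(command, pars);
        if (parameterError != null)
        {
            return ErrorCollection(parameterError);
        }

        string remoteUser = System.Configuration.ConfigurationManager.AppSettings["UUNAME"];
        string remotePassword = System.Configuration.ConfigurationManager.AppSettings["UUPASS"];
        string remoteUri = System.Configuration.ConfigurationManager.AppSettings["UURI"];
        if (string.IsNullOrEmpty(remoteUser) || string.IsNullOrEmpty(remotePassword) || string.IsNullOrEmpty(remoteUri))
        {
            return ErrorCollection("Service is not configured!");
        }

        System.Text.StringBuilder xml = new System.Text.StringBuilder("<collection>");

        using (System.Security.SecureString securePassword = ToSecureString(remotePassword))
        {
            PSCredential exchangeCredential = new PSCredential(remoteUser, securePassword);
            WSManConnectionInfo connectionInfo = new WSManConnectionInfo(
                new System.Uri(remoteUri),
                "http://schemas.microsoft.com/powershell/Microsoft.Exchange",
                exchangeCredential);

            // Disposing both objects on every path closes the remote session;
            // sessions left open accumulate on the Exchange server per call.
            using (Runspace runspace = RunspaceFactory.CreateRunspace(connectionInfo))
            using (PowerShell powershell = PowerShell.Create())
            {
                // NOTE(review): this assignment is made after CreateRunspace, as in
                // the original. The runspace appears to keep its own copy of the
                // connection info, in which case the setting never reaches the
                // session - confirm. If Basic is really intended, set it before
                // CreateRunspace and use an https:// endpoint, because Basic sends
                // the password base64-encoded, not encrypted.
                connectionInfo.AuthenticationMechanism = AuthenticationMechanism.Basic;

                powershell.Commands = command;
                runspace.Open();
                powershell.Runspace = runspace;

                Collection<PSObject> results = null;
                try
                {
                    results = powershell.Invoke();

                    // Non-terminating errors are reported on the PowerShell
                    // instance's own error stream.
                    bool hadErrors = false;
                    foreach (ErrorRecord record in powershell.Streams.Error)
                    {
                        hadErrors = true;
                        string detail = record.ErrorDetails != null
                            ? record.ErrorDetails.Message
                            : record.ToString();
                        xml.Append("<RESULT status=\"ERROR\" type=\"pipe\" message=\"")
                           .Append(Escape(detail))
                           .Append("\" />");
                    }

                    if (!hadErrors)
                    {
                        xml.Append("<RESULT status=\"OK\" />");
                    }
                }
                catch (System.Exception err)
                {
                    xml.Append("<RESULT status=\"ERROR\" type=\"exception\" codelevel=\"1\" message=\"")
                       .Append(Escape(err.Message))
                       .Append("\" />");
                }

                // results stays null when Invoke threw; skip serialization so one
                // failure is not reported twice.
                if (results != null)
                {
                    try
                    {
                        foreach (PSObject item in results)
                        {
                            if (item == null)
                            {
                                continue;
                            }

                            foreach (PSPropertyInfo property in item.Properties)
                            {
                                if (property.MemberType != PSMemberTypes.Property)
                                {
                                    continue;
                                }

                                // Names and values come from the remote system:
                                // encode the name into a legal element name and
                                // escape the value so the response stays
                                // well-formed and cannot carry injected markup.
                                string elementName = System.Xml.XmlConvert.EncodeLocalName(property.Name);
                                object rawValue = property.Value;
                                string textValue = rawValue == null ? string.Empty : rawValue.ToString();

                                xml.Append("<").Append(elementName).Append(">")
                                   .Append(Escape(textValue))
                                   .Append("</").Append(elementName).Append(">");
                            }
                        }
                    }
                    catch (System.Exception err)
                    {
                        xml.Append("<RESULT status=\"ERROR\" type=\"exception\" codelevel=\"2\" message=\"")
                           .Append(Escape(err.Message))
                           .Append("\" />");
                    }
                }
            }
        }

        xml.Append("</collection>");
        return xml.ToString();
    }
}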
}
这是我要用来发送命令的PHP代码:
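// Disable WSDL caching so changes to the service interface are picked up at once.
ini_set("soap.wsdl_cache_enabled", "0");

// NOTE(review): authuser/authpass travel inside the SOAP body. The endpoint
// below is plain http, so they are readable on the network unless the service
// is published over TLS and this URL is changed to match.
$params = array(
    'authuser' => 'xxxx',
    'authpass' => 'xxxx',
    'cmd'      => 'get-mailbox',
    'pars'     => '',
);

try {
    $client = new SoapClient(
        "http://web.domain.com/pshell/callpshell.asmx?WSDL",
        array('soap_version' => SOAP_1_2, 'exceptions' => true)
    );

    // PSCmdResult holds the XML string returned by the web method.
    $response = $client->PSCmd($params)->PSCmdResult;
    print $response;
} catch (SoapFault $fault) {
    // Keep fault detail in the server log; it can contain internal host names
    // and should not be echoed to whoever is viewing the page.
    error_log('PSCmd call failed: ' . $fault->getMessage());
    print 'PowerShell service call failed.';
}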
这是我收到的错误信息:
连接到远程服务器some1.domain.int失败,错误信息如下:Access is denied。有关详细信息,请参阅about_Remote_Troubleshooting帮助主题。
我已经在Exchange服务器上启用了远程访问,并且我做了所有远程故障排除建议。
有什么建议吗?
由于web服务作为IIS_USER启动,没有足够的权限调用远程powershell,导致访问被拒绝错误。
好了,经过长时间的摸索,我解决了这样的问题:
- 创建新的应用程序池
- 设置应用池的身份为具有远程访问Powershell权限的用户(建议使用专用的服务账户,并且只授予所需的Exchange角色,而不是完整的管理员权限)
- 绑定WebService到应用程序池