IIS Processes and the Account Model for SharePoint Request Processing


Original (Chinese): http://www.cnblogs.com/wsdj-ittech/archive/2012/11/06/2544118.html

SharePoint 2010 has four execution models:

1. Full-trust execution model (full trust)

2. bin/CAS execution model (1 and 2 are both farm solutions)

3. Sandboxed execution model (sandbox)

4. Hybrid approach

In the simplest case, SharePoint's processing model is just that of a complete ASP.NET application. SharePoint 2010, however, introduced the sandboxed execution model, which makes the processing picture more complicated.

Below we follow an HTTP request through SharePoint's processing pipeline and its execution trust model.

1. From HTTP.sys to the corresponding application pool

When an HTTP request arrives at a SharePoint front-end web server, HTTP.sys detects it, works out which web site the request belongs to and which application pool that site runs in, and queues the request for that application pool.

HTTP.sys is the kernel-mode listener the web server uses to receive HTTP requests. It is a core operating system component of Windows: any application can use the interface it provides to communicate over HTTP. Inbound HTTP requests are held in queues inside HTTP.sys, so requests that have not yet been handed to a worker process are not lost even if the serving process restarts.

2. The HTTP request is taken over and processed by the IIS worker process (w3wp) of the application pool

When the HTTP request reaches the application pool, it is handed to the pool's IIS worker process for further processing.

The IIS worker process (w3wp.exe) is the host for IIS applications; it can be seen in Task Manager.

Its main job is to process incoming HTTP requests, which includes maintaining session state, ViewState and caches and allocating whatever resources a request needs.

2.1.1 Creating the IIS worker process (w3wp)

w3wp is created and managed by the Windows Process Activation Service (WAS). WAS manages application pool configuration and the creation and lifecycle of worker processes for HTTP and for other protocols.

So when an HTTP request comes in and no worker process is running for the pool, WAS starts a w3wp process. Closing the web page in the browser, however, sends nothing back over HTTP (the protocol has no "close" message), so the worker process is not shut down just because you stopped using the web application. Instead the application pool's idle timeout, 20 minutes by default and configurable per pool, shuts the worker process down automatically when no request has been received within that period, without any human intervention.

2.1.2 application pool

An application pool can be thought of as a container: it is a configuration that binds one or more applications to one or more worker processes. Because the applications in one pool are separated from those in other pools by a process boundary, a problem in one application pool does not affect the applications in another.

2.1.3 relationship between application pool and w3wp

IIS may host several application pools, and each pool normally gets one w3wp process. It is not always one pool to one process, though: in a web garden, and in some exceptional situations, one application pool corresponds to several w3wp processes.

A web garden is an application pool configured to run in multiple worker processes (w3wp), any one of which may serve a given request. It is used mainly to improve availability: when one process fails, the others are unaffected; the failing process can be taken out of service according to the pool's health rules while the rest keep working.

The exceptional situations are recycling: the application pool is recycled periodically and when it has been idle, and when a worker process fails a new w3wp is started automatically. During an overlapped recycle the new worker process is started before the old one has finished its in-flight requests, so two processes for the same pool exist briefly.

2.1.4 w3wp worker process identity (WPI)

A w3wp worker process needs a well-defined identity to run under; this is the Worker Process Identity (WPI). IIS provides no direct way to set the identity of the worker process itself; it is set through the identity setting of the application pool.

In IIS 6 and in IIS 7 on Windows Server 2008, the default identity is NetworkService.

In IIS 7.5 on Windows Server 2008 R2, the default is the application pool identity (the ApplicationPoolIdentity account), which is described below.

At run time IIS injects the application pool identity into the worker process, and the worker process runs as that identity, so the application pool's identity and the identity of its worker process can be regarded as one and the same.

2.1.5 Application pool identity (API)

As noted above, the application pool identity is the name of the service account under which the pool's worker process runs.

The defaults are as stated above: NetworkService in IIS 6 and in IIS 7 on Windows Server 2008, and the ApplicationPoolIdentity account in IIS 7.5 on Windows Server 2008 R2.

Note that "application pool identity" is used in two senses. One is the application pool's identity property (the identity the pool runs under); the other is the built-in virtual account called ApplicationPoolIdentity, which is one of the possible values of that property. The English names are the same, but one is the setting and the other is an account. The distinction is visible in the application pool's Advanced Settings dialog in IIS Manager, under Process Model > Identity.

There the application pool identity can be set to LocalService, LocalSystem, NetworkService, the ApplicationPoolIdentity account, or a custom (user-defined) account.
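The following PowerShell script is an added example, not code from the original article. It puts sections 2.1.1 to 2.1.5 on a real server: it lists each application pool with its identity type, the account it resolves to, its idle timeout, its web-garden process count and its recycle interval, and then maps every running w3wp.exe back to its pool (WAS passes the pool name on the command line as -ap "name") and the account it runs as. It assumes the WebAdministration module (IIS 7.x on Windows Server 2008 R2 or later) and an elevated PowerShell session.

```powershell
# Added example (not from the original article): inventory the application
# pools on an IIS 7.x web server and map each running w3wp.exe back to its
# pool and the account it runs as. Assumes the WebAdministration module
# (IIS 7.x, Windows Server 2008 R2 or later) and an elevated PowerShell session.
Import-Module WebAdministration

function Get-AppPoolInventory {
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $name = $_.Name
        $pm   = $_.processModel
        # Resolve the identity setting to the account name Windows will show.
        # ($_ inside a switch is the value being tested, hence $name above.)
        $runsAs = switch ($pm.identityType) {
            'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
            'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
            'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
            'SpecificUser'            { $pm.userName }              # custom account, e.g. a SharePoint managed account
            'ApplicationPoolIdentity' { "IIS AppPool\$name" }       # virtual account, SID S-1-5-82-...
        }
        New-Object PSObject -Property @{
            Pool         = $name
            State        = $_.State
            IdentityType = $pm.identityType
            RunsAs       = $runsAs
            IdleTimeout  = $pm.idleTimeout                        # 00:20:00 by default (section 2.1.1)
            MaxProcesses = $pm.maxProcesses                       # > 1 means a web garden (section 2.1.3)
            RecycleEvery = $_.recycling.periodicRestart.time      # 1.05:00:00 (29 h) by default
        }
    } | Select-Object Pool, State, IdentityType, RunsAs, IdleTimeout, MaxProcesses, RecycleEvery
}

function Get-WorkerProcessMap {
    # WAS starts every worker process as: w3wp.exe -ap "<pool name>" ...
    Get-WmiObject Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
        $owner = $_.GetOwner()
        $pool  = if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { '(unknown)' }
        New-Object PSObject -Property @{
            ProcessId = $_.ProcessId
            Pool      = $pool
            RunsAs    = "$($owner.Domain)\$($owner.User)"
        }
    } | Select-Object ProcessId, Pool, RunsAs
}

Get-AppPoolInventory | Format-Table -AutoSize
Get-WorkerProcessMap | Sort-Object Pool | Format-Table -AutoSize
```

The second table is the practical check for this section: a pool with MaxProcesses greater than 1 or one that is mid-recycle shows up with several rows, an idle pool shows up with none, and the RunsAs column should agree with the inventory. On a SharePoint server the script is read-only on purpose; pool identities there are changed through SharePoint managed accounts, not by editing the pool in IIS.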

2.1.6 w3wp service account

A service account is an account that Windows Server provides for programs running on it. Its role is to provide a security context: a set of valid security attributes and rules under which the program acts in the system. A service account can be a domain account created in Active Directory or a local account on the machine.

2.1.7 Application pool account

The w3wp process in IIS, like any other program or process, must run under a specific service account. That service account is the application pool account. When you create an application pool in IIS, WAS assigns it an identity automatically (the virtual ApplicationPoolIdentity account by default). In a SharePoint farm this account is usually the SharePoint farm account, so the process (w3wp) has read and write access to SharePoint resources. In a multi-server farm the farm account is normally a domain user, and it is the same account that accesses the content databases.

So, from the description above, the application pool account is simply the account behind the worker process identity (WPI) and the application pool identity (API) discussed earlier; the same concept is being described from different angles. In other words, the application pool account is the account associated with the application pool identity, or equivalently with the w3wp worker process identity, and all of these are service accounts.

As mentioned above, IIS 7.5 (Windows 7 and Windows Server 2008 R2; the same option is also available in IIS 7.0 on Windows Server 2008 SP2) adds a fourth built-in choice for the application pool account, ApplicationPoolIdentity, alongside the three older built-in accounts LocalService, LocalSystem and NetworkService. These built-in accounts are described below:

  • ApplicationPoolIdentity account: the default in IIS 7.5. This is the safest choice for your applications because it has few privileges and belongs only to the IIS_IUSRS group. ApplicationPoolIdentity is a "virtual" account: it cannot be seen in Local Users and Groups or listed with "net user" on the command line, yet it does exist. "Application pool identity" is really a generic term; the actual account name depends on the name of the application pool. For a pool named DefaultAppPool the full name of the virtual identity is IIS AppPool\DefaultAppPool, and Task Manager shows the pool's w3wp.exe running under the user name DefaultAppPool.

    You can assign permissions to this account in the file system. The advantage is that permissions can be separated per application pool for finer-grained configuration, whereas many applications share NetworkService, so a single permission change on it affects all of them at once. If your program needs to access the local file system (for example to write logs), grant NTFS permissions to the ApplicationPoolIdentity account. The account is not found by the name search in the Security dialog; you must type IIS AppPool\{app pool name} manually.

  • LocalService: the "Local Service" account is a member of the Users group. It has the same user rights as the "Network Service" account (NetworkService) but only on the local computer. Use it when the worker processes in the application pool do not need to access anything beyond the web server they run on.
  • LocalSystem: the "Local System" account has all user rights and is a member of the Administrators group on the web server. The local SYSTEM account is a powerful account with access to the entire system (including the directory service on a domain controller): if a service logs on as Local System on a domain controller, it has access to the whole domain. Some services are configured to log on as Local System by default; do not change those defaults. Otherwise avoid the "Local System" account wherever possible, because it exposes the web server to far greater risk.
  • NetworkService: the "Network Service" account is a member of the Users group and has the user rights required to run applications. It uses the computer account's credentials, so it can interact with other machines across an Active Directory network. The worker process runs as NetworkService by default in IIS 6.0 and IIS 7.0. It is a built-in Windows identity, needs no password, and has only ordinary user rights.
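The ApplicationPoolIdentity bullet above says the virtual account is invisible to "net user" and the Security dialog yet can still be granted NTFS permissions. The script below is an added example, not from the original article, that does exactly that: it resolves the virtual account to its SID, grants it Modify (not Full Control) on a log directory with icacls, and reads the ACL back to confirm. The pool name DefaultAppPool and the directory C:\inetpub\logs\MyApp are assumptions; run it elevated on the IIS host.

```powershell
# Added example (not from the original article): grant a virtual
# ApplicationPoolIdentity account write access to a directory and verify it.
# The pool name and log directory are assumptions; run elevated on the IIS host.
$pool    = 'DefaultAppPool'
$logDir  = 'C:\inetpub\logs\MyApp'
$account = "IIS AppPool\$pool"

function Resolve-AppPoolSid {
    param([string]$Account)
    # 'net user' will not list the virtual account, but the local security
    # authority still translates it to its S-1-5-82-... SID on an IIS host.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Grant-AppPoolModify {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # (OI)(CI)M: Modify on this folder, inherited by files and subfolders.
    # Modify rather than Full Control: the worker process needs to write logs,
    # not to change the ACL of its own log directory.
    & icacls $Path /grant "$($Account):(OI)(CI)M" | Out-Null
}

function Test-AppPoolAccess {
    param([string]$Path, [string]$Account)
    # Get-Acl reports the identity as 'IIS APPPOOL\<pool>'; -eq is case-insensitive
    (Get-Acl $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

"SID for ${account}: $(Resolve-AppPoolSid $account)"
Grant-AppPoolModify -Path $logDir -Account $account
Test-AppPoolAccess  -Path $logDir -Account $account
```

Because the grant names one pool's virtual account rather than NetworkService, renaming or deleting the pool removes the access with it, and no other pool on the server gains write access to the directory as a side effect.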

Once the application pool account is set, SharePoint adds it on every server in the farm to the WSS_WPG, WSS_ADMIN_WPG and IIS_IUSRS local groups; in other words, all three groups contain the application pool account.

Let's look at these three groups in a SharePoint farm:

WSS_WPG: this group has read access to local resources. Besides the application pool account it also contains accounts such as Local Service and Network Service (if they are not already used as the application pool account).

WSS_ADMIN_WPG: this group likewise has read access to local resources. Besides the application pool account it also contains BUILTIN\Administrators, Network Service, the SharePoint farm administrator and the timer service account.

IIS_IUSRS: this is the built-in IIS 7 group that replaces IIS_WPG from IIS 6. By default it has the permissions needed to run worker processes, and every account used as a worker process identity (WPI) is implicitly added to it to obtain the minimum rights needed to run. For example, if the identity of MyAppPool is set to ApplicationPoolIdentity, the user IIS AppPool\MyAppPool is automatically treated as a member of IIS_IUSRS and gets all of the group's permissions. Permissions granted to this group therefore deserve great care, because they quietly apply to every worker process on the server.

IIS 7 also introduces the built-in IUSR account, which replaces the IUSR_machinename account of IIS 6. IUSR is the anonymous account. Although it is anonymous and has no password, it belongs to Authenticated Users, and Authenticated Users belongs to the Users group, so IUSR has the permissions of the Users group by default.
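The membership claims above (the application pool account in WSS_WPG, WSS_ADMIN_WPG and IIS_IUSRS on every farm server) are easy to verify. The script below is an added example, not from the original article: it enumerates the members of the three local groups through the WinNT ADSI provider, which works on Windows Server 2008 R2 where Get-LocalGroupMember does not exist, and flags whether the expected accounts are present. The account names CONTOSO\sp_webapp and CONTOSO\sp_farm are assumptions; run it on each server in the farm.

```powershell
# Added example (not from the original article): list the members of the three
# local groups described above and flag whether the expected application pool
# and farm accounts are present. Run on each server in the farm; the account
# names below are assumptions for the example.
$expected = 'CONTOSO\sp_webapp', 'CONTOSO\sp_farm'
$groups   = 'WSS_WPG', 'WSS_ADMIN_WPG', 'IIS_IUSRS'

function Get-LocalGroupMembership {
    param([string]$Group)
    # The WinNT ADSI provider works on Windows Server 2008 R2, which has no Get-LocalGroupMember
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://CONTOSO/sp_webapp or WinNT://NT AUTHORITY/NETWORK SERVICE
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-GroupMembership {
    param([string[]]$Groups, [string[]]$Accounts)
    foreach ($grp in $Groups) {
        $members = @(Get-LocalGroupMembership $grp)
        foreach ($acct in $Accounts) {
            New-Object PSObject -Property @{
                Group   = $grp
                Account = $acct
                Present = ($members -contains $acct)    # -contains is case-insensitive
            }
        }
    }
}

foreach ($grp in $groups) {
    "== $grp =="
    Get-LocalGroupMembership $grp
}
Test-GroupMembership -Groups $groups -Accounts $expected |
    Select-Object Group, Account, Present | Format-Table -AutoSize
```

Note the one case the listing cannot show: a pool running as ApplicationPoolIdentity is an implicit member of IIS_IUSRS, as the text says, so IIS AppPool\<pool> never appears in the group's member list even though the worker process holds the group's permissions. A "MISSING" row for a real domain account on one server, on the other hand, usually means that server was joined to the farm after the account was configured and needs the account re-applied.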

For SQL Server, the application pool account also needs the following permissions:

1. Add the web application's application pool account to the db_owner role of each of its content databases.

2. Add the account to the WSS_Content_Application_Pools role of the farm configuration database.

3. Add the account to the WSS_Content_Application_Pools role of the Central Administration content database (SharePoint_AdminContent).

The application pool account is also distinct from the server farm account. The farm account is a member of the same three groups, WSS_WPG, WSS_ADMIN_WPG and IIS_IUSRS, and in addition of WSS_RESTRICTED_WPG_V4 and Performance Monitor Users.

There are exceptions to the use of the application pool account: the account of the Central Administration web site's application pool and the process account of the SharePoint timer service (SPTimerV4) are not the application pool account but the server farm account, which is also called the database access account.
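The script below is an added example, not from the original article, that ties the three SQL Server steps and the exceptions above together. It lists the account each SharePoint 2010 component actually runs as (every web application's pool account, the Central Administration pool, the timer service and the farm account), then queries sys.database_role_members in each content database, the configuration database and the Central Administration content database to confirm the role memberships from steps 1 to 3. It assumes the SharePoint 2010 Management Shell on a farm server, a caller who can read role membership in those databases, and a SQL instance named SQL01\SHAREPOINT.

```powershell
# Added example (not from the original article): show which account each
# SharePoint 2010 process actually runs as, then verify the SQL Server role
# membership listed above. Run in the SharePoint 2010 Management Shell as a
# farm administrator who can read role membership in the databases; the SQL
# instance name is an assumption.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sqlInstance = 'SQL01\SHAREPOINT'

function Get-SPProcessIdentities {
    $farm = Get-SPFarm
    $rows = @()
    # Each web application runs under its own application pool account
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        $rows += New-Object PSObject -Property @{
            Component = $(if ($wa.IsAdministrationWebApplication) { 'Central Administration' } else { $wa.DisplayName })
            Account   = $wa.ApplicationPool.Username
            Databases = ($wa.ContentDatabases | ForEach-Object { $_.Name }) -join ', '
        }
    }
    # The timer service and the farm (database access) account are the exceptions
    $rows += New-Object PSObject -Property @{
        Component = 'SPTimerV4 (timer service)'
        Account   = $farm.TimerService.ProcessIdentity.Username
        Databases = $farm.Name            # SPFarm.Name is the configuration database name
    }
    $rows += New-Object PSObject -Property @{
        Component = 'Farm account'
        Account   = $farm.DefaultServiceAccount.Username
        Databases = $farm.Name
    }
    $rows | Select-Object Component, Account, Databases
}

function Test-SPSqlRoles {
    param([string]$Instance, [string]$Database, [string]$Account, [string[]]$Roles)
    $sql = @'
SELECT r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @acct
'@
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=$Database;Integrated Security=SSPI"
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $sql
    [void]$cmd.Parameters.AddWithValue('@acct', $Account)   # parameterised: the account name cannot alter the query
    $have = @()
    $conn.Open()
    try {
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) { $have += [string]$rdr['role_name'] }
        $rdr.Close()
    } finally { $conn.Close() }
    foreach ($r in $Roles) {
        New-Object PSObject -Property @{ Database = $Database; Account = $Account; Role = $r; Present = ($have -contains $r) }
    }
}

Get-SPProcessIdentities | Format-Table -AutoSize

$farm   = Get-SPFarm
$caApp  = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
$checks = foreach ($wa in Get-SPWebApplication) {
    $acct = $wa.ApplicationPool.Username
    foreach ($db in $wa.ContentDatabases) {
        Test-SPSqlRoles $sqlInstance $db.Name $acct @('db_owner')                        # step 1
    }
    Test-SPSqlRoles $sqlInstance $farm.Name $acct @('WSS_Content_Application_Pools')       # step 2
    foreach ($db in $caApp.ContentDatabases) {
        Test-SPSqlRoles $sqlInstance $db.Name $acct @('WSS_Content_Application_Pools')     # step 3
    }
}
$checks | Select-Object Database, Account, Role, Present | Format-Table -AutoSize
```

Two caveats. First, sys.database_role_members only shows the memberships the caller is allowed to see; run it as a SQL sysadmin (or db_owner of each database) to get a complete answer. Second, the first table is where the exceptions in the text become visible: if the Central Administration row or the timer service row shows an account other than the farm account, or a content web application shows the farm account itself, the farm departs from the model described above and the extra privileges should be reviewed.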

Summary: SharePoint is an ASP.NET application and behaves like one. When a front-end web server receives an HTTP request, HTTP.sys detects it and routes it to the application pool that serves the target IIS web site and SharePoint web application. Each application pool has an IIS worker process (w3wp.exe) that runs the request pipeline for every request. This worker process needs an application pool account, usually the server farm account, which is why the process has read and write access to SharePoint resources. In a multi-server farm the farm account is normally a domain user, and it is the same account that accesses the content databases. The application pool account can be one of the built-in accounts LocalService, LocalSystem, NetworkService and ApplicationPoolIdentity, or a user-defined account. SharePoint then adds this account to the WSS_WPG, WSS_ADMIN_WPG and IIS_IUSRS groups on every server in the farm, and the account also holds the SQL Server permissions it needs to reach the SharePoint databases (for example the content databases).

Once a request reaches the IIS worker process, SharePoint's four execution models come into play. A farm solution runs inside the IIS worker process (w3wp) like any ASP.NET application. A sandboxed solution runs in a specially restricted execution environment: the restrictions exist because unauthorised or poorly performing code running in the application pool can slow it down or even crash it, so SharePoint limits what code in a sandboxed solution may do. When a request needs to run sandboxed solution code, the IIS worker process (w3wp) hands the work to the SharePoint execution manager running inside it; the execution manager checks for a sandbox worker process (SPUCWorkerProcess.exe), starts one if none is running, and that sandbox worker process is the process that actually runs the sandboxed solution code.
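The hand-off described above only works if the sandbox infrastructure is actually running. The script below is an added example, not from the original article, that checks the three things a practitioner looks at: whether the Sandboxed Code Service instance is Online on each server, which SPUCHostService.exe and SPUCWorkerProcess.exe processes exist and under which account, and the daily resource-point quota each site collection grants to sandboxed code. It assumes the SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example (not from the original article): inspect the sandboxed-code
# infrastructure described above: the Sandboxed Code Service instance on each
# server, the sandbox host and worker processes with the account they run as,
# and the resource-point quota each site collection grants to sandboxed code.
# Run in the SharePoint 2010 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SandboxServiceStatus {
    # The service instance must be Online on at least one server, or the
    # execution manager has no sandbox worker process to hand requests to.
    Get-SPServiceInstance |
        Where-Object { $_.TypeName -like '*Sandboxed Code Service*' } |
        Select-Object @{n='Server';e={$_.Server.Address}}, Status
}

function Get-SandboxProcesses {
    # SPUCHostService.exe is the host service; SPUCWorkerProcess.exe runs the solution code
    Get-WmiObject Win32_Process -Filter "Name = 'SPUCWorkerProcess.exe' OR Name = 'SPUCHostService.exe'" |
        ForEach-Object {
            $o = $_.GetOwner()
            New-Object PSObject -Property @{
                Name      = $_.Name
                ProcessId = $_.ProcessId
                RunsAs    = "$($o.Domain)\$($o.User)"
            }
        } | Select-Object Name, ProcessId, RunsAs
}

function Get-SandboxQuotas {
    Get-SPSite -Limit All | ForEach-Object {
        New-Object PSObject -Property @{
            Url           = $_.Url
            MaxPoints     = $_.Quota.UserCodeMaximumLevel   # daily resource-point limit; 0 blocks sandboxed code
            WarningPoints = $_.Quota.UserCodeWarningLevel
            Solutions     = @(Get-SPUserSolution -Site $_).Count
        }
    } | Select-Object Url, MaxPoints, WarningPoints, Solutions
}

Get-SandboxServiceStatus | Format-Table -AutoSize
Get-SandboxProcesses     | Format-Table -AutoSize
Get-SandboxQuotas        | Format-Table -AutoSize
```

The RunsAs column is the security point: the sandbox processes should run as the dedicated Sandboxed Code Service account, not as the web application's pool account and certainly not as the farm account, since the whole purpose of the separate process is to keep untrusted solution code away from the privileges w3wp holds.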
