

(类似静脉的问题已经被问 之前,但无论是问题和接受的答案不提供我正在寻找)细节

(A question of similar vein has been asked before but both the question and the accepted answer do not provide the detail I am looking for)

通过在一个专用的域帐户运行的ASMX Web服务的意图是什么 的使用场景和/或利弊 使用一个应用程序池的域帐户与假冒身份?

With the intention of running an asmx web service under a dedicated domain account what are the usage scenarios and/or pros and cons of using an Application Pool with the identity of the domain account versus Impersonation?

我们有一个相对低负荷下运行3小的内部Web服务,我们想给他们切换到下自己的域帐户运行(与SQL Server等集成安全性的目的)。我似乎已经为每个应用程序创建专用应用程序池,或具有对所有应用程序的单一应用程序池,并在每个使用模拟的选择。

We have 3 small internal web services that run under relatively low load and we would like to switch them to running under their own domain accounts (for the purpose of integrated security with SQL Server etc). I appear to have the choice of creating dedicated app pools for each application, or having a single app pool for all the applications and using impersonation in each.


I understand app pools provide worker process isolation and there are considerations for performance when using impersonation, however those aside what else would dictate the correct option?


Typically, you will choose different identity for worker process (or do ASP.NET impersonation) because there is need to access local/network resources that needs specific permissions. Obvious dis-advantage is that your application code may run under more permissions than it may need and thereby increasing the vulnerability against malicious attacks.

ASP.NET模拟将有更多的开销,因为用户上下文需要为每个请求切换。我会建议去与单独的应用程序池的做法 - 只与应用程序池的方法的缺点是,你必须过程,他们中的每一个,所以将每个过程(从操作系统的角度来看)的开销。如果您的应用程序体积较小,不具有很强的记忆需求,那么这不应该是一个问题,

ASP.NET impersonation would have more overhead because user context needs be switched for each request. I will suggest to go with separate app pool approach - only disadvantage with app pool approach is that you have process for each one of them and so there will be overhead (from OS perspective) for each process. If your applications are smaller and don't have strong memory demands then this should not be an issue,