I'm having a problem with testing a VB.NET program I'm using to programmatically change the DCOM launch / activation and access permissions for an OPC Server application (application is Kepware V5).
I've made a test program based on the following:
https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/21c80f4a-4d5e-4334-a33e-1c94e35fcfb4/verify-and-correct-dcom-setting-using-wmi?forum=windowscompatibility
I'm having no issue with the code and my test application is successfully adding a user (NewTestUser) to the DCOM 'Launch and Activation permissions' and the 'Access permissions' for the Kepware application.
I verify this by checking the 'Launch and Activation permissions' and the 'Access permissions' for the Kepware application in the Windows 'Component Services' DCOM configuration tool shown here:
However when I reboot the machine and I try to connect a local OPC client to the OPC server application (Kepware V5).
I get the following messge in the event log:
The application-specific access security descriptor for the COM Server application C:\Program Files (x86)\Kepware\KEPServerEX 5\server_runtime.exe with APPID
{B3AF0BF6-4C0C-4804-A122-6F3B160F4397}
is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.
I get the above message despite the fact that I can see all the users (including the newly added user) in the 'Component Services' screen for the application without any sign of anything being wrong.
I can resolve this by changing any one of the NewTestUser values for the settings in the DCOM 'launch and activation permissions' and the 'access permissions' for the Kepware application.
Basically by changing any one of the values and saving the change and then changing the value back to its original value this gets the local OPC comms to work (after reboot).
So it seems that the act of changing the settings (and changing back again) from 'Component Services' resolves the issue.
Being forced to do this defeats the purpose of my program.
Perhaps saving the settings from 'Component Services' is saving a change somewhere else in the registry besides what is shown on the screen?
I'm stuck on this so if anyone has any idea any help would be appreciated.
Related
I'm facing an issue currently where Crystal Reports are only working with "Local Service" or "Network Service" identities in Application Pool. If I switch to a "Custom Account" or ApplicationPoolIdentity, reports won't work and I'm getting "No printers are installed" exception. The same thing works perfectly when I switch the application pool identity to NetworkService or LocalService.
I need to use a custom account for each of my site on the server somehow. Can you please help me resolve this issue?
I created a custom account and added it in following user groups (lusrmgr.msc)
Administrator
Network Configuration Operators
IIS_USRS
The only thing I was missing was, I forgot to login using this newly created account before assigning it to the application pool identity (custom account). Once I logged in, it was working fine and I didn't receive 'No Printers are installed' error anymore.
BTW, The reason I did all this was to resolve a desktop heap memory issue which was probably a reason of using 'Network Service' account to all my IIS websites which are around 20 on our server. There was a suggestion to use individual accounts for each of my website and crystal was stopping that.
I have a COM application instantiated by a local Windows service with which I would like to gain access to a network share. To achieve this, I simply attempted to configure my COM server to run as a domain user with access to that share: I go to the 'dcomcnfg' console, locate my server under Console Root\Component Services\DCOM Config, right-click to 'Properties', go to the 'Identity' tab and specify the domain user for the "This user" option. When I do this on my own company network, it works beautifully. However, when a user tries it on their network, they get:
"Catalog Error
An error occurred while processing the last operation on the remote computer 'DOMAIN'.
Error code 80070569 - Logon failure: the user has not been granted the requested logon type at this computer."
where 'DOMAIN' is the name of the customer's domain. I'm presuming then that this is a problem with their domain policies, but network administration is not my area of expertise. Anybody have some idea what the problem might be so I can have a clue when I talk to their IT? Also, if anybody has an alternative approach, I'm open to suggestions. Thanks.
I developed an Intranet application which needs to realize a "git push" from a local repository (on the disk of the web server) to a remote repository.
I launch the git process from the web server, it runs under the IIS pool identity which is a domain account member of the administrators group of the web server machine.
Git needs the user credentials to perform the push action. I integrated a custom version of git-credential-winstore. This program uses the Windows Credential Manager to store generic credentials for a web site. But when the call to the credential's write occurs, I get the error :
Failed to write credential: A specified logon session does not exist. It may already have been terminated
I checked the policy "Network access: Do not allow storage of passwords and credentials for network authentication", it is disabled.
What goes wrong here ?
Pool account needs to gain access to its user profile.
So we need to connect one time to a Windows Session to create user profile (I think it's necessary). Next in the Advanced Settings of the dedicated Application Pool, set "Load User Profile" = true.
Note about credentials : Windows credential target must be changed to manage different users in the same Windows vault. I change "git:https://remote-host" by "git_USERID:https://remote-host".
I set this property to enabled and it works now, maybe it will work for you also:
I have an ASP.Net MVC3 application that has been running fine in the default Application Pool on my IIS 6 server.
I need to get it running under its own service account, so I created a new Application Pool and moved the application into it. With default settings the application continued to work fine.
I set a custom Identity on the application pool, and the application now just gives me the "Directory Listing Denied" error.
I tried switching the identity back to Network Service, and the application started working again.
What could be preventing the application from running with the custom Identity? It's like ASP.Net is not even starting up.
I've run aspnet_regiis -ga <domain\username> and added the account to the IIS_WPG group, so the identity account should have access to ASP.Net.
More Info
I've been doing some diagnostics with Process Monitor and it shows that aspnet_isapi.dll is not being loaded with the custom identity.
When the identity is "Network Service" I can see aspnet_isapi.dll being loaded followed by webengine4.dll. This happens immediately after the NTLM authentication occurs.
With the custom identity, the NTLM authentication happens and then the w3wp process just starts looking for the default files (Default.aspx, Default.htm, etc).
I've checked, and the account has access to the framework version folder where these DLLs are stored.
you need to give the user that you are specifying in the custom identity explicit read or read/write at the folder level of you application. Right click on the containing folder then "Properties" and add the user with the permissions required by the app to the security tab.
Turns out I needed a wildcard mapping to aspnet.isapi.dll, though I'm not sure why.
Without the custom identity the application works fine without a wildcard mapping. With the custom identity I need the mapping. On another server the custom identity work fine without a mapping. Weird.
Did you already check Directory browse settings?
http://www.iis.net/configreference/system.webserver/directorybrowse
Now that you are using a different user then the default one, make sure that you have set the Anonymous Authentication to use the app pool user. There could also be something related to what #Gabe Thorns mentioned, it might be an issue with wildcard mappings. If you do not have wildcard mappings set to run the asp process then it will try and look for files, avoiding asp processors.
Hope that helps.
Have you explicitly granted permissions to the application pool identity on the application folder?
The account should be something like IIS AppPool\MyAppPoolName
More info on this can be found here:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
I'm trying to run a simple ASP.NET application with basic authentication on an IIS server. Interestingly, the authentication works fine on almost all servers except my production server. When I deploy the application on that machine, it keeps prompting me over and over for the credentials. Unfortunately, it is a lab machine that I don't have access to and I'm not able to view the logs either.
It's an IIS 7.5 server running on a Windows 2008 VM server I guess, and the content folder (where the default app is pointing to) is on shared with us (we have write access to that folder and that's how we are deploying our applications).
Outside authentication settings on the server, what other things could be causing the issue? Please advise.
Most probably this is a access permission to resources used by the web application.
The reason you see this repeatedly login prompt is that the account doesn't have the needed permissions.
First you have to determine if you are using impersonation or not.
If you do impersonate, the authenticated accounts need the necessary permissions.
If you don't impersonate, the application pool account needs the necessary permissions.
So what's the needed permissions?
Well, that could be a lot of things, and we don't know the details of your application.
Do you connect to a database?
Then you have to make sure that current account context has the right permissions to connect to the DB.
Do you read images/files from disk?
Then you have to make sure that current account context has the right permissions to access those resources.
If it is file resources that you are accessing, I would recommend you to use Fiddler and determine which path(s) you'll need to address. It will tell you by those 404 errors.
EDIT: Make sure that your app pool account has the needed permissions for this DLL you mention. Where does it fetch this list from? Is it static in the DLL? Where's this DLL located?
Please also check the event logs on the server for any related errors at the time you try to logon.