Ensure that IIS AppPool user is added to windows group - windows

I am trying to deploy an ASP.NET application to IIS using Powershell (run by Ansible).
I want my application to be able to query the performance counters so I am adding it to the Performance Monitor Users using this Powershell script:
appPoolName=$args[0]
$group = [ADSI]"WinNT://$Env:ComputerName/Performance Monitor Users,group"
$ntAccount = New-Object System.Security.Principal.NTAccount("IIS AppPool\$appPoolName")
$strSID = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$user = [ADSI]"WinNT://$strSID"
$group.Add($user.Path)
It actually comes from another SO question: Add IIS AppPool\ASP.NET v4.0 to local windows group.
After the deployment, it can happen that the user is added to the group but the application still can't access the performance counters.
The script is run just before starting the App Pool and the application.
I have tried the following things, without success:
Restart the application
Restart the App Pool
Set AnonymousAuthentication to 'Application pool identity'
Deploy again
I have modified my deployment scripts in the following ways, without success:
Remove the user from the group before adding it
Restart the App Pool after adding the user. IIS actually complains ("The service cannot accept messages at this time").
Add the user to the group after starting the application
Add the user to the group at the beginning of the deploy (before stopping the application and pool)
The only way I have to solve my problem is to restart the machine. I would like to know if there is a better one!
If it is possible, I think making the App Pool user log off and back on would solve my problem. I haven't found how to do that (restarting or recycling the App Pool doesn't work).

The answer was a simple iisreset (in command line or Powershell).

Related

Jenkins start failed after changing service to be started as specific Windows user

I set up a Windows Jenkins 2.156 and everythings works fine. Some jobs need to access file servers within the local network, so I want to start the Jenkins Windows Service as a specific user with rights to access these locations.
When restarting the service after that change, I am stuck on the "Please wait while Jenkins is getting ready to work ..." screen.
File failed-boot-attempts.txt is filled with current time stamp.
Any tips on how to proceed to get this issue fixed?
Solution: FSTrigger plugin scans all configured folders during startup.

Can a Windows service install another Windows service?

I am having trouble when I have one Windows service try to install another Windows service.
Specifically, I have a TeamCity agent running tests for me on a Windows 2008 AWS instance. The tests are written in Java, which shell out to a .bat script to install a service (let's call it Service A), giving it a unique name each time.
The offending line is in the .bat script: sc create "%serviceName%" binPath= %binPath% DisplayName= "%serviceDisplayName:"=%" start= %serviceStartType%. I believe as long as the service name is unique that should work.
And indeed it does work if I run the tests manually on the command line, using an administrator account. Service A is installed, the test completes and Service A is uninstalled at the end.
I have tried running the TeamCity agent as LocalSystem, as Administrator, and as another user that is member of the administrators group. I have also tried disabling UAC completely.
Presumably the problem is access denied type errors, although that is not clear at this point. There are a few avenues to explore still, but it is a simple question really: are processes running as services forbidden from installing other services? Are there special things I have to do to configure the machine/ account to allow it to do this?
The point of the test it to install and use Service A, so workarounds are not relevant - Service A must be operated as a black box.
Thanks!
There are no restrictions on creating services with regards to how the creating process can execute, as long as the process has the appropriate permissions. That is to say, a process could be running as a service and create another service -- the only consideration here is the appropriate permission level.
The problem that often occurs with running batch scripts from within processes (as opposed to directly through user input on the command line) is that the environment expected isn't always the environment that is loaded. In this case, it appears that the env variables referred to in the batch script weren't properly set when running as a service, which of course then caused the service install failure. Correcting the environment loaded when the batch script is shelled out is the correct solution here.

WMIPRVSE needs to be run under network services by default

I have 2 separate servers (windows server 2008 r2) from where I am running vbs scripts through a microsoft scheduler ( my-computer>manager>Schedule). when I run vbs scripts locally they are working fine, but when it is being run through scheduler one of servers is getting stacked. while the other is working fine. And also I have noticed from task manager that the working server runs the WMIPRVSE.exe though Network Service user and the other one shows SERVICES as user.
How to make sure that WMIPRVSE.exe will always run under Network Services. Thanks
Edit:
I have tried to change the log on user from services, but it failed to start the service than.
There are a few things I have tried, but I don't know which one helped me.
What I did is I granted all permissions to wscript file which is located in system32 somewhere, and after some time it became Network Servies. Again not really sure whether it was because of that change or other thing.

MVC3 site deployed on IIS6 stops working after 20 minuttes with 404 Not Found

I'll try to make this short, feel free to ask for more details.
A mobile edition a a web-site has been created using MV3 razor and deployed to an IIS6 web-server using extenstionless URL's. Since .NET4 is installed on the server there is no special configuration done on the server to get extensionless urls work. When I try to access the site with the URL: http://site/m/ i get a 404 Not Found error.
What I do to produce this problem:
Right-click on project in VS2010 and publish to local file system.
ZIP all files in and transfer to production server + unzip there
Right click on production web-site and add a virtual directory for the new application
Create a new application pool with all default settings
Put the new virtual directory/application in that application pool
Try to access the URL in the browser; receive 404 Not Found
The thing that puzzles me, is that if I replace Step 1 with "File->Create New MVC3 Project" and then publish to local file system everything works fine:
The test-project is displayed in the browser with the name i used http://site/mvctest/
I do not need to use any extensions
It does not stop working after 20 minutes (see next paragraph)
And now for the (even) weirder part:
If I now move the "m" application into the application pool just created for the "mvctest" application; it works too. But only for 20 minutes (or whatever value I have set for "Shutdown worker process after being idle for").
Any ideas?
EDIT: If I add wildcard mapping to the /m/ virtual directory it works, but that should/could also affect performance in a bad way?
it sounds like your first scenario the handler isn't setup to handle the mvc requests. IIS 6 needs to be integrated or an extension for MVC mapped.
Set the app pool up to run in integrated pipeline mode. What happens then? This should work. Also check the event log for rapid fail protection kicking in because of worker process resets.

On Terminal Server, how does a service start a process in a user's session?

From a Windows Service running on a Terminal Server (in global space), we would like to be able to start up a process running a windows application in a specific user's Terminal Server sessions.
How does one go about doing this?
The Scenerio: the windows service starts at boot time. After the user has logged into a Terminal Server user session, based on some criteria known only to the windows service, the windows service wants to start a process in the user's session running a windows application.
An example: We would like to display a 'Shutdown in 5 minutes' warning to the users. The windows service would detect this condition, and start up a process in each user session that starts the windows app that displays the warning. And, yes, I know there are other ways of displaying a warning dialog, this is the example, what we want to do is much more invasive.
You can use CreateProcessAsUser to do this - but it requires a bit of effort. I believe the following steps are the basic required procedure:
Get the user's session (WTSQuerySessionInformation).
Get a token for that user (WTSQueryUserToken).
Create a duplicate token for your use (DuplicateTokenEx).
Use the token to create an environment block (CreateEnvironmentBlock).
Launch the application with CreateProcessAsUser, using the block above.
You'll also want to make sure to clean up all of the appropriate handles, tokens, etc., after you've launched the process.
Really late reply but maybe somebody will find this helpful.
You can use PsExec to launch an application on a remote (or local) server inside a specified session by using the following command:
psexec \\COMPUTER_NAME -i SESSION_ID APPLICATION_NAME
Where SESSION_ID indicates the session id in which to launch the application.
You will need to know what sessions are active on the server and which session id maps to which user login. The following thread provides a nice code sample for this exact problem: How do you retrieve a list of logged-in/connected users in .NET?
Late reply but in the answer above DuplicateToken is not necessary since WTSQueryUserToken already returns a primary token.

Resources