AppFabric Caching - works locally but not from another machine - caching

I've have added my domain account permissions to Windows AppFabric 1.1 Caching using the "grant" Powershell command. A sample app runs locally on the machine itself fine. Also, I'm able to telnet to the port 22233 from another box successfully (I'm pretty sure its not firewall issue).
Could this be IIS permissions somehow? I don't see a site created under IIS. Is there a log I can check to see specifically why the remote calls are getting rejected with a "ErrorCode:SubStatus:There is a temporary failure. Please retry later."

You granted permissions your account to AppFaric Cache, but are you sure that your app runs under this account ? If this is a WebSite, this another user (ApplicationPoolIdentity).
Try to grant your machine (by adding a $ at the end) or run your app under your granted user.
To be sure it is a problem in security, you can try to disable it at server side, just for testing purpose.
Set-CacheClusterSecurity -SecurityMode None -ProtectionLevel None
please find msdn here.

Related

Active Directory Remote (VPN) Users are facing problem with newly set group policies

I am facing some issue with Active directory group policies,
The issue is i have many users working from home and all of them are using one SSL to connect to the company domain their file sharing is working fine, their group old group policy updating but i have setup few new group policy and they are not reflecting on remote users system,
For example there is one policy i have setup for deploying an application using GPO to remote users so when they restart the system the policy get applied to them and the MSi package should install to their system,
I tried GPUPDATE /force, /synch, normal mode and admin mode nothing helped
I am not sure why this is happening and how to fix that.
Thanks in advance.
It's normal cause software deployment via GPO is installed before user login, and your VPN connection is established after user login, non of computer installation GPO will work via VPN, there is other option to deploy software on VPN connection, Fog Project it's open source software deployment.

Network access to windows service

I have problem with creating service that has access to files on network disk.
Service must have admin rights and it will be run by users that don't have admin privileges.
I send path as UNC
and file is seen by service but it return ACCES_DENIED errors when try to open or do anything on Network drive.
When I run my service as server , everything works fine.
I try to find answer but everywhere I can found only partial answers that do not help me at all.
========
I read that standard service logged as SYSTEM can't have access to network.
So i tried to log id as
NetworkService, LocalService
It didn't work. After run it as one of those user my service can't save files on c:
Some kind of admin account.But I didn't manage to success on that.
Actually logged user.
I don't know how to get password for current user.
Still this will not work for user without admin rights.
========
Please tell me what can I do?
There are plenty of Services that use somehow network resources. How do they do that?
You need to configure your service to run as a user which has sufficient rights. In this case you are looking for rights to network shares. Typically that's going to need a domain user with appropriate rights. Normally you'd ask your network manager to create a dedicated user account for the purpose.
You appear to be labouring under some false information as to how services work. You talk about running the service under the account of the logged on user. Remember that services run when there are no users logged on. And remember that there may be multiple logged users at any point in time.
For me, the port was getting blocked through firewall, I had to add a inbound rule and specify the port which i was using in my application. This way firewall did not blocked my port for outgoing connections.
References:
https://www.firehousesoftware.com/webhelp/FH/Content/FHEnterprise/FHEnterpriseInstallationGuide/24_StaticPort.htm

Basic authentication on IIS 7.5

I'm trying to run a simple ASP.NET application with basic authentication on an IIS server. Interestingly, the authentication works fine on almost all servers except my production server. When I deploy the application on that machine, it keeps prompting me over and over for the credentials. Unfortunately, it is a lab machine that I don't have access to and I'm not able to view the logs either.
It's an IIS 7.5 server running on a Windows 2008 VM server I guess, and the content folder (where the default app is pointing to) is on shared with us (we have write access to that folder and that's how we are deploying our applications).
Outside authentication settings on the server, what other things could be causing the issue? Please advise.
Most probably this is a access permission to resources used by the web application.
The reason you see this repeatedly login prompt is that the account doesn't have the needed permissions.
First you have to determine if you are using impersonation or not.
If you do impersonate, the authenticated accounts need the necessary permissions.
If you don't impersonate, the application pool account needs the necessary permissions.
So what's the needed permissions?
Well, that could be a lot of things, and we don't know the details of your application.
Do you connect to a database?
Then you have to make sure that current account context has the right permissions to connect to the DB.
Do you read images/files from disk?
Then you have to make sure that current account context has the right permissions to access those resources.
If it is file resources that you are accessing, I would recommend you to use Fiddler and determine which path(s) you'll need to address. It will tell you by those 404 errors.
EDIT: Make sure that your app pool account has the needed permissions for this DLL you mention. Where does it fetch this list from? Is it static in the DLL? Where's this DLL located?
Please also check the event logs on the server for any related errors at the time you try to logon.

How to remote debug when user accounts do not match?

How can I configure Visual Studio remote debugging when:
My developer machine is a member of an AD domain, and my username is "DevelopersName".
The "remote" machine is on the same Ethernet segment, but is not part of the domain.
The "remote" machine must run software under "RemoteUserName".
Most documentation I can find suggests that you need have both machines in the same domain and with identical usernames. That's not possible here.
I could possibly add my username to "remote", but the software still needs to run under "RemoteUserName.
If it helps, I could add 2nd network card to my developer machine and directly connect the "remote" machine.
Using VS2008, but will be moving soon to VS2010.
Thank you.
Sorry, but I've just spent the last 10 hours trying to debug your exact problem. My findings are not good.
You need to get your accounts synced, especially if you are using your remote app to connect to other systems in your SOA environment, ie: Sharepoint, AD.
You can to some extent get remote debugging to work, if you create an account on your local machine with the same name as that of your remote machine (lets do it like this rather rather than working with the domain account).
You then need to make sure the remote service is running under this account, and its a member of the administrators group. And by this I mean hold down control, and right click run as - with the remote debugger, and select the user (not required if remote server is logged in as the required user).
Run the wizard it will open the required ports, use Authentication, because non authentication won't debug managed code. Breakpoints are never met, and there is nothing you can do about this.
On your local dev machine, log off your domain account, and log onto the local account with matching name as the account on server thats running the remote service.
Now you stand a change of remote debugging. If you can't do any of the above, sorry there is no workaround, its entirely dependent on the user account and having the right permissions.
If you don't want to create a local account, try starting our debugger via command prompt using the following command:
runas /user:[user#machinename] /netonly [debugger.exe]
E.g.:
runas /user:john#mypc123 /netonly devenv.exe
I assume it's managed debugging you're talking about (for native debugging there's a remote debugging solution with no authentication). In this case, I would suggest that you use a local user to launch the debugger on your machine. If this local user's name and password match "RemoteUserName"'s name and password, it should work.
(Note that this does not preclude you from using the AD account to log in to your workstation, you just need to set up another account and use runas to launch Visual Studio.)

Restarting windows service from website

I've a website that puts info into a mySQL database and a windows service (written in VB.Net) that polls the db and actions what's in there.
However, occasionally it stalls and rather than having to RDP into the server, I want superusers to click on a button to restart the service.
I can get the button to say, do a directory listing of c:\ output to a test file so the whole 'getting a command to execute on a remote server' issue works. However, I can't restart services.
I assume this is a security thing (although it has full rights to c:\ I thought I'd sussed that already).
The website runs under the normal IUSR_user so am I doing something really stupid or can someone explain how to get the service to be restarted ?
Many thanks
Adrian
I think a significantly bigger problem is that you have a service that's stalling. Do you have any logs or errors that the service outputs to that you could use to diagnose why it's stalling?
I'd write a service that restarts selected services and call that from my website, just for fun!
It seems that you need to give the user permissions on the specific service. The simplest way to do this (in my view) is to use subinacl.exe from the Windows Resource Kit.
subinacl.exe /service MySQL /Grant=IUSR_user
I'm would be very careful when doing this on a public-facing web server. Have both authentication and rate limiting on the restarting code.
Use the ServiceController class:
http://msdn.microsoft.com/en-us/library/system.serviceprocess.servicecontroller.aspx
This should allow you to connect to the named service and stop/start it.
EDIT:
In addition, you probably need to have your web app impersonate a user with rights to restart the service. This can be accomplished via an identity impersonate in the web.config, or running the web app in a configured application pool in IIS. Keep in mind that the web app will have to run on the same box as the service is running on.

Resources