I have an ASP.Net MVC3 application that has been running fine in the default Application Pool on my IIS 6 server.
I need to get it running under its own service account, so I created a new Application Pool and moved the application into it. With default settings the application continued to work fine.
I set a custom Identity on the application pool, and the application now just gives me the "Directory Listing Denied" error.
I tried switching the identity back to Network Service, and the application started working again.
What could be preventing the application from running with the custom Identity? It's like ASP.Net is not even starting up.
I've run aspnet_regiis -ga <domain\username> and added the account to the IIS_WPG group, so the identity account should have access to ASP.Net.
More Info
I've been doing some diagnostics with Process Monitor and it shows that aspnet_isapi.dll is not being loaded with the custom identity.
When the identity is "Network Service" I can see aspnet_isapi.dll being loaded followed by webengine4.dll. This happens immediately after the NTLM authentication occurs.
With the custom identity, the NTLM authentication happens and then the w3wp process just starts looking for the default files (Default.aspx, Default.htm, etc).
I've checked, and the account has access to the framework version folder where these DLLs are stored.
you need to give the user that you are specifying in the custom identity explicit read or read/write at the folder level of you application. Right click on the containing folder then "Properties" and add the user with the permissions required by the app to the security tab.
Turns out I needed a wildcard mapping to aspnet.isapi.dll, though I'm not sure why.
Without the custom identity the application works fine without a wildcard mapping. With the custom identity I need the mapping. On another server the custom identity work fine without a mapping. Weird.
Did you already check Directory browse settings?
http://www.iis.net/configreference/system.webserver/directorybrowse
Now that you are using a different user then the default one, make sure that you have set the Anonymous Authentication to use the app pool user. There could also be something related to what #Gabe Thorns mentioned, it might be an issue with wildcard mappings. If you do not have wildcard mappings set to run the asp process then it will try and look for files, avoiding asp processors.
Hope that helps.
Have you explicitly granted permissions to the application pool identity on the application folder?
The account should be something like IIS AppPool\MyAppPoolName
More info on this can be found here:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Related
I've got EC2 instance with IIS and mapped FSx file system on AWS. All in one VPC in one subnet.
IIS config works perfectly as long as it's configured with local drive. When I change config to use path from that mapped FSx I've got an error. Even for just a test static page.
All current users have full access to those files. Do I need to set up any special users for IIS on Domain Controller? Any special permissions? I would appreciate any ideas...
First of all, you need to figure out the substatus code of your IIS server and detailed error message. So please enable IIS detailed error message for your website.
I assume this issue happened just because your identity don't have permission to access configuration file.
1.Please Ensure your IIS site->basic settings->connect as..->set your domain account that have permission to accessyour FSX
2.Please set your application pool identity to your domain account that have access to the FSx.
3.Please grant permission for that application pool account.
4.Please set your authentication user to use application pool identity. For example, if you are using anonymous authentication. Then go to->anonymous authentication->edit..->Application pool identity.
If you don't know how to troubleshooting this issue. Prcoss monitor would help.
You only have to create a filter "RESULT=Access denied & Processname="w3wp.exe".
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
SOLTUION: you can not use the drive letter must be full DNS name for fsx console \DNS_NAME\share
I am having this exact issue. Drive is available on ec2 instance but authorization in IIS fails. Browse directory from IIS workd but can not get authorization to pass test. I have tried admin on EC2 and admin on active directory as users in IIS virtual drive.
It seems that you need to configure the IIS application pool identity to use a domain account that has access to the FSx file system. By default, the application pool identity is a local account that does not have any permissions on the network share.
To change the application pool identity, follow these steps:
Open IIS Manager and select the application pool that hosts your website.
Click on Advanced Settings in the Actions pane.
Under Process Model, click on Identity and then on the ellipsis (...) button.
Select Custom account and enter the domain user name and password that has access to the FSx file system. Click OK to save the changes.
Restart the application pool and the website.
Alternatively, you can use the command line tool appcmd.exe to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
appcmd.exe set config /section:applicationPools /[name='DefaultAppPool'].processModel.identityType:SpecificUser /[name='DefaultAppPool'].processModel.userName:domain\user /[name='DefaultAppPool'].processModel.password:password
You can also use PowerShell to set the application pool identity. For example, to set the identity to domain\user for the DefaultAppPool, you can run:
Import-Module WebAdministration
Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel -Value #{identityType="SpecificUser";userName="domain\user";password="password"}
For more information, see this article on how to access FSx file shares from IIS.
When inspecting a dump file from our application in NTSD, I ran the !DumpDomain SOS command. I was expecting to see just the system, shared and default app domains, but in addition the was a domain called /LM/W3SVC/2/ROOT-1-130793976001194923 which had loaded quite a few assemblies.
Where does this app domain come from and what is the purpose? Our app is hosting IIS - is IIS creating this app domain?
Yes, IIS creates an AppDomain per website like
/LM/W3SVC/2/Root/Website1-x-xxxxxxx
/LM/W3SVC/2/Root/Website2-x-xxxxxxx
If one of the .NET application crashes, it will not affect the others.
From MSDN:
When a request first enters managed code (managed modules or handlers), the IIS ManagedEngine module creates an application domain. The application domain then performs necessary processing tasks, such as authenticating a user with Forms authentication or other application services provided by managed code.
I'm trying to run a simple ASP.NET application with basic authentication on an IIS server. Interestingly, the authentication works fine on almost all servers except my production server. When I deploy the application on that machine, it keeps prompting me over and over for the credentials. Unfortunately, it is a lab machine that I don't have access to and I'm not able to view the logs either.
It's an IIS 7.5 server running on a Windows 2008 VM server I guess, and the content folder (where the default app is pointing to) is on shared with us (we have write access to that folder and that's how we are deploying our applications).
Outside authentication settings on the server, what other things could be causing the issue? Please advise.
Most probably this is a access permission to resources used by the web application.
The reason you see this repeatedly login prompt is that the account doesn't have the needed permissions.
First you have to determine if you are using impersonation or not.
If you do impersonate, the authenticated accounts need the necessary permissions.
If you don't impersonate, the application pool account needs the necessary permissions.
So what's the needed permissions?
Well, that could be a lot of things, and we don't know the details of your application.
Do you connect to a database?
Then you have to make sure that current account context has the right permissions to connect to the DB.
Do you read images/files from disk?
Then you have to make sure that current account context has the right permissions to access those resources.
If it is file resources that you are accessing, I would recommend you to use Fiddler and determine which path(s) you'll need to address. It will tell you by those 404 errors.
EDIT: Make sure that your app pool account has the needed permissions for this DLL you mention. Where does it fetch this list from? Is it static in the DLL? Where's this DLL located?
Please also check the event logs on the server for any related errors at the time you try to logon.
The Orchardcms Application works fine accept when trying to Install new modules using the module installer within the dashboard. I get this error below.
Install package failed
Package installation failed: There was an error installing the requested package. This can happen if the server does not have write access to the '~/Modules' or '~/Themes' folder of the web site. If the site is running in shared hosted environement, adding write access to these folders sometimes needs to be done manually through the Hoster control panel. Once Themes and Modules have been installed, it is recommended to remove write access to these folders.
It seems that the installed IIS 7 App Pool (Presumably installed with Orchard in Web Platform Installer) using ApplicationPoolIdentity. w3wp.exe runs with username orchardmain (this is what i named my application I could have left it to default orchard) Though the problem with this that I can't update my NTFS permissions for orchardmain as when trying to add a username in permissions it can't find any Users, Groups, or Built-in security principals with the name OrchardMain.
Is it best practise to change the App Pool to run under an User / Service Account that doesn't behave like this, or is there just a little thing i can do to get this working?
Try using IIS APPPOOL\OrchardMain as the object name when editing permissions.
See this blog post for details.
I've a website that puts info into a mySQL database and a windows service (written in VB.Net) that polls the db and actions what's in there.
However, occasionally it stalls and rather than having to RDP into the server, I want superusers to click on a button to restart the service.
I can get the button to say, do a directory listing of c:\ output to a test file so the whole 'getting a command to execute on a remote server' issue works. However, I can't restart services.
I assume this is a security thing (although it has full rights to c:\ I thought I'd sussed that already).
The website runs under the normal IUSR_user so am I doing something really stupid or can someone explain how to get the service to be restarted ?
Many thanks
Adrian
I think a significantly bigger problem is that you have a service that's stalling. Do you have any logs or errors that the service outputs to that you could use to diagnose why it's stalling?
I'd write a service that restarts selected services and call that from my website, just for fun!
It seems that you need to give the user permissions on the specific service. The simplest way to do this (in my view) is to use subinacl.exe from the Windows Resource Kit.
subinacl.exe /service MySQL /Grant=IUSR_user
I'm would be very careful when doing this on a public-facing web server. Have both authentication and rate limiting on the restarting code.
Use the ServiceController class:
http://msdn.microsoft.com/en-us/library/system.serviceprocess.servicecontroller.aspx
This should allow you to connect to the named service and stop/start it.
EDIT:
In addition, you probably need to have your web app impersonate a user with rights to restart the service. This can be accomplished via an identity impersonate in the web.config, or running the web app in a configured application pool in IIS. Keep in mind that the web app will have to run on the same box as the service is running on.