Basic authentication on IIS 7.5 - windows

I'm trying to run a simple ASP.NET application with basic authentication on an IIS server. Interestingly, the authentication works fine on almost all servers except my production server. When I deploy the application on that machine, it keeps prompting me over and over for the credentials. Unfortunately, it is a lab machine that I don't have access to and I'm not able to view the logs either.
It's an IIS 7.5 server running on a Windows 2008 VM server I guess, and the content folder (where the default app is pointing to) is on shared with us (we have write access to that folder and that's how we are deploying our applications).
Outside authentication settings on the server, what other things could be causing the issue? Please advise.

Most probably this is a access permission to resources used by the web application.
The reason you see this repeatedly login prompt is that the account doesn't have the needed permissions.
First you have to determine if you are using impersonation or not.
If you do impersonate, the authenticated accounts need the necessary permissions.
If you don't impersonate, the application pool account needs the necessary permissions.
So what's the needed permissions?
Well, that could be a lot of things, and we don't know the details of your application.
Do you connect to a database?
Then you have to make sure that current account context has the right permissions to connect to the DB.
Do you read images/files from disk?
Then you have to make sure that current account context has the right permissions to access those resources.
If it is file resources that you are accessing, I would recommend you to use Fiddler and determine which path(s) you'll need to address. It will tell you by those 404 errors.
EDIT: Make sure that your app pool account has the needed permissions for this DLL you mention. Where does it fetch this list from? Is it static in the DLL? Where's this DLL located?
Please also check the event logs on the server for any related errors at the time you try to logon.

Related

Can my application server find out which Java hosting provider it lives in?

I'd like to have my Scala application server find out if it's running inside Heroku or CloudBees or Cloud Foundry or something else. Is there some standard way of finding out which Java hosting provider is currently in use? (if any)
Perhaps the hosting provider's firewall/load-balancer/whatever adds some standard HTTP header that the app server could check? Or perhaps it's possible to do hosting provider specific checks somehow, for the most popular hosting providers?
Background: The app server could then show helpful tips to the server admin that tells him/her how to view the server's log files. This would be useful during the initial setup of the server + database, because then the admin needs to find a certain magic password in the log file, which s/he then uses to get access to the admin interface web pages the very first time (before any admin user exists in the database, see this security question). — The installation would be more user-friendly, if the server could tell the admin exactly how to view the log files (which varies from hosting provider to hosting provider).
In the case of cloudbees there are several ways, none of which are guaranteed to be future proof (given changing containers).
Perhaps what is needed is a standard environment variable to make this doable.

AppFabric Caching - works locally but not from another machine

I've have added my domain account permissions to Windows AppFabric 1.1 Caching using the "grant" Powershell command. A sample app runs locally on the machine itself fine. Also, I'm able to telnet to the port 22233 from another box successfully (I'm pretty sure its not firewall issue).
Could this be IIS permissions somehow? I don't see a site created under IIS. Is there a log I can check to see specifically why the remote calls are getting rejected with a "ErrorCode:SubStatus:There is a temporary failure. Please retry later."
You granted permissions your account to AppFaric Cache, but are you sure that your app runs under this account ? If this is a WebSite, this another user (ApplicationPoolIdentity).
Try to grant your machine (by adding a $ at the end) or run your app under your granted user.
To be sure it is a problem in security, you can try to disable it at server side, just for testing purpose.
Set-CacheClusterSecurity -SecurityMode None -ProtectionLevel None
please find msdn here.

Directory Listing Denied with custom application pool identity

I have an ASP.Net MVC3 application that has been running fine in the default Application Pool on my IIS 6 server.
I need to get it running under its own service account, so I created a new Application Pool and moved the application into it. With default settings the application continued to work fine.
I set a custom Identity on the application pool, and the application now just gives me the "Directory Listing Denied" error.
I tried switching the identity back to Network Service, and the application started working again.
What could be preventing the application from running with the custom Identity? It's like ASP.Net is not even starting up.
I've run aspnet_regiis -ga <domain\username> and added the account to the IIS_WPG group, so the identity account should have access to ASP.Net.
More Info
I've been doing some diagnostics with Process Monitor and it shows that aspnet_isapi.dll is not being loaded with the custom identity.
When the identity is "Network Service" I can see aspnet_isapi.dll being loaded followed by webengine4.dll. This happens immediately after the NTLM authentication occurs.
With the custom identity, the NTLM authentication happens and then the w3wp process just starts looking for the default files (Default.aspx, Default.htm, etc).
I've checked, and the account has access to the framework version folder where these DLLs are stored.
you need to give the user that you are specifying in the custom identity explicit read or read/write at the folder level of you application. Right click on the containing folder then "Properties" and add the user with the permissions required by the app to the security tab.
Turns out I needed a wildcard mapping to aspnet.isapi.dll, though I'm not sure why.
Without the custom identity the application works fine without a wildcard mapping. With the custom identity I need the mapping. On another server the custom identity work fine without a mapping. Weird.
Did you already check Directory browse settings?
http://www.iis.net/configreference/system.webserver/directorybrowse
Now that you are using a different user then the default one, make sure that you have set the Anonymous Authentication to use the app pool user. There could also be something related to what #Gabe Thorns mentioned, it might be an issue with wildcard mappings. If you do not have wildcard mappings set to run the asp process then it will try and look for files, avoiding asp processors.
Hope that helps.
Have you explicitly granted permissions to the application pool identity on the application folder?
The account should be something like IIS AppPool\MyAppPoolName
More info on this can be found here:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities

IIS (w3wp.exe) runs with a User Name of the App Pool that doesn't belong to Users, Groups, or Built-in security principals

The Orchardcms Application works fine accept when trying to Install new modules using the module installer within the dashboard. I get this error below.
Install package failed
Package installation failed: There was an error installing the requested package. This can happen if the server does not have write access to the '~/Modules' or '~/Themes' folder of the web site. If the site is running in shared hosted environement, adding write access to these folders sometimes needs to be done manually through the Hoster control panel. Once Themes and Modules have been installed, it is recommended to remove write access to these folders.
It seems that the installed IIS 7 App Pool (Presumably installed with Orchard in Web Platform Installer) using ApplicationPoolIdentity. w3wp.exe runs with username orchardmain (this is what i named my application I could have left it to default orchard) Though the problem with this that I can't update my NTFS permissions for orchardmain as when trying to add a username in permissions it can't find any Users, Groups, or Built-in security principals with the name OrchardMain.
Is it best practise to change the App Pool to run under an User / Service Account that doesn't behave like this, or is there just a little thing i can do to get this working?
Try using IIS APPPOOL\OrchardMain as the object name when editing permissions.
See this blog post for details.

Restarting windows service from website

I've a website that puts info into a mySQL database and a windows service (written in VB.Net) that polls the db and actions what's in there.
However, occasionally it stalls and rather than having to RDP into the server, I want superusers to click on a button to restart the service.
I can get the button to say, do a directory listing of c:\ output to a test file so the whole 'getting a command to execute on a remote server' issue works. However, I can't restart services.
I assume this is a security thing (although it has full rights to c:\ I thought I'd sussed that already).
The website runs under the normal IUSR_user so am I doing something really stupid or can someone explain how to get the service to be restarted ?
Many thanks
Adrian
I think a significantly bigger problem is that you have a service that's stalling. Do you have any logs or errors that the service outputs to that you could use to diagnose why it's stalling?
I'd write a service that restarts selected services and call that from my website, just for fun!
It seems that you need to give the user permissions on the specific service. The simplest way to do this (in my view) is to use subinacl.exe from the Windows Resource Kit.
subinacl.exe /service MySQL /Grant=IUSR_user
I'm would be very careful when doing this on a public-facing web server. Have both authentication and rate limiting on the restarting code.
Use the ServiceController class:
http://msdn.microsoft.com/en-us/library/system.serviceprocess.servicecontroller.aspx
This should allow you to connect to the named service and stop/start it.
EDIT:
In addition, you probably need to have your web app impersonate a user with rights to restart the service. This can be accomplished via an identity impersonate in the web.config, or running the web app in a configured application pool in IIS. Keep in mind that the web app will have to run on the same box as the service is running on.

Resources