Is there a way to run iisexpress app pool under a different identity other than the currently logged in user?
I am getting around this problem using the "runas" command currently but I would like to know if there is something built-in to iisexpress that I can utilize.
It looks like this should be possible. In your IIS Express site's applicationhost.config file, there is a <processModel/> element defined in <applicationPoolDefaults> under <applicationPools>.
The <processModel> element has attributes for userName and password.
From MSDN:
Specifies that ASP.NET will run the worker process with a Windows identity that is different from the Windows identity for the default process identity. By default, this attribute is set to the Machine, and the process runs under a user account named ASPNET that is created automatically when ASP.NET is installed. The password for the ASPNET account is cryptographically generated at the time of installation. If valid credentials are presented in this attribute and the password attribute, the process is run with the given account.
This should allow you to run the site under different credentials from the logged in user.
I could not get the above solution to work and I wanted to be able to debug through Visual Studio while running IIS Express under different credentials.
Open the command prompt using "Run as administrator" (you need elevated privileges)
Navigate to the directory of Visual Studio in the command prompt (in my case: "cd C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE" for VS2010).
runas /netonly /user:[domain]\[userid] devenv.exe
Open your solution from VS and complete your TFS credentials (if applicable).
You can now debug as normal under IISExpress (assuming this is how you have your project configured) under the run as credentials. This is great if you need to use integrated security for database connections or something similar but need to use different credentials.
"runas" is the only solution. IIS Express may not respect processModel settings which are defined in the applicationhost.config file.
Runas /netonly IISExpress.exe from command line does work and is very viable if you're as desperate for an answer as we were. Related post
I wonder if this really works - IIS Express seems to run all application pools in the same process - and that process is executed in the context of the current user...?
Seems the "Run as" option could work, but that would require us to launch IIS Express from the command line (or build event) instead of relying on Visual Studio starting it up. :(
Related
I keep getting Error: 1) Administrative Permissions Needed for Logged In user in Visual Studio Online.
I am the VS online Site Administrator. I double checked and I am a member of the Project Collection Service Account. Any ideas?
I tried reinstalling, I tried deleting and re adding the TFS server connection
Can you please check whether the user is in the Project Collection Administrators group as well as the Project Collection Service Accounts group? For more information, please refer to the following guide to check that you have the correct group privileges for the account you are using from the TFS Utility.
http://www.opshub.com/ohrel/Resources/TFS/permissions.php?page=admin
Let us know if it does not work for you.
Thanks,
OpsHub
If anyone else should come across this, you need to RDP onto your TFS (on-premise) box. Open a command prompt. Change Directory (cd) to the Program Files folder where TFS was installed into. See my example below:
cd "C:\Program Files\Microsoft Team Foundation Server 11.0\Tools"
Within the directory above (path may be different for your TFS install), there should be a tfssecurity.exe file. You need to run that using the following command (within the same command prompt window you ran the above command):
tfssecurity /g+ "Project Collection Service Accounts" n:"{VISUAL STUDIO ONLINE ACCOUNT EMAIL ADDRESS}" /collection:"{FULL URL TO YOUR VS SUBSCRIPTION}"
Don't forget to replace the values within braces ({VALUE}) with the values applicable to your accounts!
Is there an option in the application properties? I cannot find anything that tells Visual Studio that my application will need to be run in an elevated state.
If you're just trying to do this on your development machine, you could:
Log in as the Administrator and run Visual Studio
-OR-
Right-click the Visual Studio shortcut and click "Run As" and supply the Administrator account credentials.
If this is for an application you are developing to live on a server where the server cannot be left logged in as an Administrator while your application runs, you should either:
Build in impersonation into the code of the application, so it will run as whatever account you want it to run under
Give that account Administrator privileges (if allowed) or choose an account that already has the desired privileges for the WindowsImpersonationContext.
Info on Impersonation:
MSDN Windows Impersonation Code
Code Project Example
StackOverflow Impersonation Question/Example
Without information about your app, i.e. if it is a web app or standard exe or SharePoint web page, it's hard to give you more specific info. For .NET web apps, ensure you use Windows authentication and set your app pool to run under the account with Admin privileges. Note that you may still need to add the Impersonation code into your app where you need the higher privileges, even if it is running under that account.
For SP pages, you need SPSecurity.RunWithElevatedPrivileges(delegate() { ... });
I have been using IIS Express as my web server for a while now, but I've run into a scenario where I need the application pool to run as a specific user, rather than NetworkService or some other account.
Using the commands below, I created an app pool and configured the site to use it. Now, I'm unable to launch IIS Express through Visual Studio. When I try, I get the "Visual Studio is unable to launch the IIS Express Web Server" message. If I use the command line to launch IIS Express, everything appears to work. If I change the app pool back to using a service account, or even just change the site to use a different app pool, things work just fine. Any ideas?
commands used to create the app pool
appcmd add apppool /name:MyPool /managedRuntimeVersion:v4.0 /managedPipelineMode:Integrated
appcmd set config /section:applicationPools /[name='MyPool'].processModel.identityType:SpecificUser /[name='MyPool'].processModel.userName:'MyUser' /[name='MyPool'].processModel.password:MyPass
appcmd set app /app.name:MySiteName/ /applicationPool:MyPool
command used to launch iisexpress.exe manually
iisexpress /config:c:\users\me\documents\iisexpress\config\applicationHost.config /trace:error
I've tried reinstalling both IIS Express and Visual Studio 2010 SP1. No difference.
Just an idea: since the problem is likely to be security-related, I'd suggest trying to run Visual Studio in elevated mode (Run as Admin). Or use IIS instead of Express, if you can.
Did you take a look at how to run iisexpress app pool under a different identity?
By default, iisexpress.exe runs as the currently logged-on user. If the link given above does not work, you should probably launch Visual Studio as the desired user (use the 'runas' command); iisexpress.exe will then automatically run as whatever identity VS is running under.
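An added example, not taken from any of the posts: a PowerShell function that reads an applicationHost.config and lists the processModel identity configured for each application pool, so you can see which pools carry a userName and a stored password. The XML sample is constructed from the appcmd commands in the question, and Get-AppPoolIdentity and Get-ProcessModelAttribute are hypothetical names; the output shows what the file configures, not the identity iisexpress.exe actually runs under.

```powershell
# Constructed sample: the section the appcmd commands in the question would write.
$sampleConfig = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="Clr4IntegratedAppPool" managedRuntimeVersion="v4.0" />
      <add name="MyPool" managedRuntimeVersion="v4.0" managedPipelineMode="Integrated">
        <processModel identityType="SpecificUser" userName="MyUser" password="MyPass" />
      </add>
      <applicationPoolDefaults>
        <processModel />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
'@

# Hypothetical helper: read an attribute from the pool's own <processModel>,
# falling back to the one under <applicationPoolDefaults>.
function Get-ProcessModelAttribute($Own, $Default, [string]$Name) {
    foreach ($node in @($Own, $Default)) {
        if ($null -ne $node -and $node.HasAttribute($Name)) {
            return $node.GetAttribute($Name)
        }
    }
    return ''
}

# Hypothetical function: one row per application pool with its configured identity.
function Get-AppPoolIdentity([xml]$Config) {
    $root     = '/configuration/system.applicationHost/applicationPools'
    $defaults = $Config.SelectSingleNode("$root/applicationPoolDefaults/processModel")
    foreach ($pool in $Config.SelectNodes("$root/add")) {
        $own      = $pool.SelectSingleNode('processModel')
        $password = Get-ProcessModelAttribute $own $defaults 'password'
        [pscustomobject]@{
            Pool           = $pool.GetAttribute('name')
            IdentityType   = Get-ProcessModelAttribute $own $defaults 'identityType'
            UserName       = Get-ProcessModelAttribute $own $defaults 'userName'
            PasswordStored = [bool]$password   # value itself is never printed
        }
    }
}

# Run against the constructed sample; for a real file pass (Get-Content -Raw <path>).
Get-AppPoolIdentity $sampleConfig | Format-Table -AutoSize
```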
I am running the following
Win7 SP1 Enterprise
VS2010 Pro SP1
Non admin user
I need to attach to the w3wp.exe process
I have assigned myself debug privs via GPO
When attempting to attach to the process I get
Microsoft Visual Studio
Unable to attach to the process. Visual Studio has insufficient privileges to debug this process. To debug this process, Visual Studio must be run as an administrator.
The main issue is I need to debug a site that handles multiple hostheaders (sitecore)
Cassini has no concept of hostheaders
IISExpress does not handle hostheaders - cannot launch site with different hostheaders*
Is there an alternative around this?
Side note
I have tried to give myself admin token with the following as a test as well
http://www.scriptlogic.com/products/privilegeauthority/
VS launches as an 'admin' but gives me the whole Unable to attach to the process. Visual Studio has insufficient privileges to debug this process.
Side note 2
Using process explorer on devenv.exe doesn't show the SeDebugPrivilege enabled
I have tried using ntrights.exe to grant the rights - rebooted and still not there.
If you have an admin password you can (when you open VS) right click, and then say 'run as administrator', otherwise you just may be out of luck as far as I know.
This link here: Working with Web Projects in Visual Studio as a Non-Administrative User says it clearly:
You cannot attach to a process that is running under the IIS worker
process because it requires administrative privileges.
We ended up using http://www.scriptlogic.com/products/privilegeauthority/ granting the SeDebug Token as well.
This worked out well as we could also apply this to other products like ants profiler which needed admin rights to run (wasn't required for XP)
I'm creating a WinForms application in Visual Studio 2008.
I want to run my application in the debugger and I want the application to run as a user other than the user running Visual Studio. What is the best way to do this?
If you have access to an OS that lets you have multiple terminal server sessions open, then simply open a new terminal server session as that user. With an administrator account running Visual Studio you should be able to debug the process in the other session.
You could add calls to your app to login as the desired user, but that isn't ideal since the environment is clearly not identical to the experience of running as that user.
Otherwise I think you need to look at remote debugging scenarios where VS is installed on a separate box.