I have created a Web application. i need to add 2 virtual directories. i have gone to the properties of the application and in the web tab i have created the 2 directories. i have the run the site and gone into the IIS express config and changed the physical path of the 2 directories. the directories are mapped from a server.
when i run the site i get "Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server."
how do i know which user is IIS express is using to know how to give access to the directories?
Thanks
Gareth
Related
I get the following .NET error when trying to load my Orchard CMS website:
Access to the path '\\.........\www\App_Data\Dependencies\Lucene.dll' is denied.
Exception Details: System.UnauthorizedAccessException: Access to the path '\\WDP\DFS\30\7\4\5\3024678547\user\sites\5481517.site\www\App_Data\Dependencies\Lucene.dll' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
How do I actually go about granting access rights? I've googled and found I should go into the server and right-click on the directory and edit the properties. BUT, I am in a shared hosting plan and don't think I can do that.
Am I pretty much at a dead end?
Things I've tried:
Setting file permissions through FTP, but I get a:
500 'SITE CHMOD 777...command not understood
I've downloaded and installed IIS Manager and successfully connected to my site, but still did not find any options to set permissions in there.
I've also called Network Solutions, but all I was told was to try to do the file permissions settings (as I mentioned above).
Thanks in advance.
I have a website and it sits on the IIS Server and I have a folder on another server the file server. I have set the Virtual directory to the folder on the fileserver. This application both servers are on the same domain, but in the future I will have serves that are not on the same domain.
I have tried to set up local users on both machines and set up the app pool to use the local accounts and I get
System.UnauthorizedAccessException: Access to the path is denied.
and
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
I have set the virtual to connect as the local user and get the same error.
I have setup a domain user and then set the app pool to use the domain user and set to use pass through and when I test the settings in Directory Browsing it says everything is good but I get the same error from the webpage.
I have setup a domain user and then set the app pool to use the domain user and set to the connect as to the user and when I test the settings in Directory Browsing it says everything is good but I get the same error from the webpage.
I have set the apppool to use my login and it works with pass through permissions.
Is there something I am missing.
You need to set the folder permissions in your separate folder to give access to the "computer$" account of the server where your application is hosted.
See here: https://www.iis.net/learn/manage/configuring-security/application-pool-identities
application pool identities also use the machine account to access
network resources.
So in the server where you have your data files you should set the folder permissions to allow access to the machine name where your website is hosted.
I had this same challenge when deploying a web app using IIS on a Windows 2012 Server.
The issue was the App Pool Account did not have Full rights to the Website Root.
All I had to do was to go to the directory where the Website Root resides and then right-clicked on it. Next, I selected Security and then gave the IIS-Users group full access to the directory.
For me IIS-Users group contains all Users/App Pool Accounts that are created in IIS.
That's all.
I hope this helps
I have created a domain user specifically for the the virtual directory and it appears to work, but is this best practice?
I setup an asp.net web application on IIS that I have setup several times for other clients but getting a strange permission issue on this one.
It's setup so the App Pool Identity is NetworkService and the folder being used has Network Service as a permitted user with full permissions. The folder can be browsed from the server the application is on and items added, edited and deleted.
But for a reason I cannot determine any time the application tries to access a file from the virtual directory I get 'Access is Denied'. I have checked permissions on the root folder of the actual application which also has Network Service and checked the virtual directory permissions use the identity as well, not sure what else to try?
I'm trying to get a website in my IIS 7.5 (Win 7 Pro machine) to run via a UNC path to the code for one of the default website and an underlying App. This is the first time I've ever tried to set up a site/app in IIS 7.5 based off a UNC path: a folder on another server in the same domain.
I've tried various things to try to get this resolved. The app pool is running under ApplicationPoolIdentity on my Win 7 Pro PC where I have this site set up.
The runtime error I get when trying to run the app in the browser via http://localhost/TheAppName is:
Module: IIS Web Core
Notification: Unknown
Handler: Not Yet Determined
Error Code: 0x800700005
Config Error: Cannot read configuration file due to insufficient permissions
Config File: \\?\UNC\theServerName\www\TheAppName
Requested URL: http://localhost:80/TheAppName
Physical Path: (nothing showing up here)
Logon Method: Not yet determined
Logon User: Not yet determined
I put in fake names for the server and app name above for privacy for this post.
So it's having trouble reading the web.config found in that UNC path for this site.
I tried to add a local user on the target server and then then gave that user permissions to the web.config and then used that user RemoteServerName\LocalUserICreated as the app pool's Identity on my machine but it had no effect.
No clue what to do here and how to go about it.
I assume the UNC path is to a different server?
If so are both servers in the same domain? If so then IIS needs to run the website under a user account that has permissions to read the files.
If not you need to create identical user accounts (same username, same password) on the web server and the file storage server and then change IIS to run the website under this user account.
Hope this helps/works.
When you create a web application or virtual directory from a UNC path, you need to provide the credentials to IIS for the connection.
In the Add Application dialog, below the Physical path section is the "Connect as..." button - you can then choose either "Application user (pass-through authentication)" or "Specific user".
Which ever you choose, they have to be credentials that will be recognised by the remote server - "Pass-through" will try and use the current desktop (or browser) credentials to authenticate the user which (if you're connecting via a VPN as per your comments) almost certainly won't be valid. In this case you should use "Specific user" and provide (ideally) a domain user with suitable permissions to run the site.
When we've needed to do this in the past, we'd create an account on the domain that the local AppPools would run under, and then this could be used in these situations as well.
If you've already created the application, the dialog can be reached using the "Basic Settings..." action link.
I took me a few hours to finally solve the same issue for myself. Turned out I used the wrong slashes in my physical path. It should be \ these, not // these.
Zhaph and Alan both identify the work-around suggested by Microsoft. Here's the rest of the information from Microsoft's page on your problem:
Cause
IIS 6.0 uses the hosting worker-process identity to connect to a remote directory. Then, IIS 6.0 authenticates the user against the remote directory. However, IIS 7.0 introduces delegation scenarios. In IIS 7.0, you can delegate Web-site settings and application-level settings to a Web.config file.
For pass-through authentication, the Web.config file is stored in a UNC directory. Therefore, the default-process identity in IIS 7.0 must examine the Web.config file first to determine whether any security-related settings must be applied before the authentication process starts. The default-process identity in IIS 7.0 does not have sufficient permissions to open the Web.config file. Therefore, the Web request is rejected.
If there is no Web.config file in the UNC directory, IIS 7.0 uses the rules that are defined for the parent directory. For the Web content to be served in this scenario, the worker-process identity must have access to the whole content directory. Otherwise, the Web request is rejected.
Resolution
To resolve this behavior and to make sure that pass-through authentication works correctly, follow these steps:
Make sure that all the user accounts that access the UNC directory have at least the Read permission for the UNC directory.
Note This behavior is the same as the behavior in IIS 6.0.
Make sure that the IIS worker-process identity is running under a domain account or under a workgroup account that also exists on the UNC file server. If it is necessary, create an account on the UNC file server that has the same user name and the same password as the IIS worker-process identity.
Notes
This behavior differs from the behavior in IIS 6.0.
By default, the DefaultAppPool application pool runs under the Network Service account. This account is local to the computer, and this account does not exist on another computer. Therefore, make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the UNC file server. Alternatively, you can create a workgroup account on the UNC file server and on the computer that is running IIS 7.0.
If there is a Web.config file in the UNC directory, edit the discretionary access control list (DACL) for the Web.config file so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the Web.config file so that the DACL contains the account that you created in step 2.
If there is no Web.config file in the UNC directory, edit the DACL for the UNC directory so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the UNC directory so that the DACL contains the account that you created in step 2.
Note This behavior differs from the behavior in IIS 6.0.
I have a ASP.NET 1.1 application running on IIS 6 / Windows Server 2003.
It's our application, but we're trying to specifically replicate a customer's installation so the app folder has been copied entirely from their production server onto our test machine, and then we've created the Virtual Directory and Web Application for IIS manually.
Internet Information Services (IIS) Manager:
Application Pools
Web Sites
Default Web Site
xxxxx (Virtual Directory)
yyyyy (Web Application)
Web Service Extensions
The problem I have is that when we access the app, we get the standard IIS security error message:
The page cannot be displayed
You have attempted to execute a CGI, ISAPI, or other executable program from a directory that does not allow programs to be executed.
--------------------------------------------------------------------------------
Please try the following:
•Contact the Web site administrator if you believe this directory should allow execute access.
HTTP Error 403.1 - Forbidden: Execute access is denied.
Internet Information Services (IIS)
Now this is pretty standard, except as far as I can see it's not anything so simple.
I have checked:
IIS user has read access to the directory
IIS user and Network Service users have read/write access to the Temporary ASP.NET Files folder
Virtual directory is set to the correct version of ASP.NET
ASP.NET 1.1 Web Service Extension is allowed
Virtual directory has the correct mappings of file extensions and all verbs to the aspnet 1.1 DLL
Virtual directory properties allow Scripts and Executables to be run
Anonymous access is turned on and the username and password is correct
What am I missing?
When you did create an application on IIS did you check allow script execution ? You need to turn two first choices on in order to execute anything from this application including virtual directory you have made.
Right click on parent application > Home Directory tab > Executive Permissions set to Scripts only...
You might also need to check the "Edit Feature Permissions..." button on the right pane of the Handler Mappings settings for the specific application and enable "Execute". This is what held my co-workers and I for 3 hours with otherwise pretty identical symptoms.