Missing site assets when no local\Users permission on the folder - asp.net

I'm working on the Umbraco site (asp.net MVC) hosted on local Windows Server 2016+IIS10.
During regular template modification, I have experienced strange behavior - the site lost all of the assets hosted from local files. All the requests to cases or images were redirected to the login page. A few people reported similar behavior, commonly resolving it by permission checking. So did I - ensured that my pool user has granted full access to the folder and all its descendants. It was, so I removed it and applied it once again. Still no luck. I have copied the website files and created another web app in IIS - this one worked without any glitch.
Later, my co-worker found that the application folder is missing access permission for the local machine "Users" group. When we added it - the site is served without any issues.
The webserver is part of the corporate domain (AD) and the app pool user is a "service user".
Is it normal that it needs both - pool user and local "Users" permission?
Why is that so?

It is normal. When the static file and the application are on the same machine, the application needs higher permissions to read the static file.
When the application runs in IIS, it will use the identity of the application pool to read static files, and the default identity of the application pool is ApplicationPoolIdentity, with the lowest permissions.
The test in Visual Studio does not have this problem because IIS Express runs the application with the same permissions as the administrator.

Related

IIS Requests Login Credentials on Windows Authentication

I have decided to transfer several of my web applications from one virtual server to another. The way everything works on my current server is pretty bad - everyone has rights for reading and accessing the content of my "applications" folder on the machine, and so does the IIS. I want to organize stuff on the new server, so only IIS can access this folder.
I have installed IIS and the ASP.NET addons on the new server, and forced my test website to Windows Authentication, as all of my websites are configured on the current server. Then, after doing some reading regarding the permissions, I have given full control to the folder that contains my website to the next users: IIS_IUSRS & TestAppPool (which is the Application Pool I have created for my 'Test' application).
For some reason when I try to access the website from another user within the domain, through the browser, it prompts for Login Credentials. I would like to understand why my application won't retrieve the permissions I have granted the IIS users upon accessing the website.
Not sure if this would help, but can you try changing the app pool's identity to Network Service?

Web configuration file being accessed in the wrong folder

I have deployed an asp.net website on a production server. It is working on my local but on the server I get this error:
An error occurred loading a configuration file: Failed to start
monitoring changes to
'E:\HostingSpaces\xxxxx\xxxxxx.xxxxxx.com\wwwroot\admin\web.config'
because access is denied
This looks to me that the app is looking for the web.config in the admin folder while it is obviously in the root.
How is this possible? How do I solve this problem?
IIS which is hosting ASP.NET is looking for a potential web.config file in every folder of your site, not just in the root folder.
This is because you may want to override certain settings for just one folder.
So you may have a web.config in admin but IIS hasn't got access to it, or IIS hasn't got access to the whole admin folder.
Check the permissions on that directory.
The problem is that the directory it has been deployed to does not have the correct read/write permissions for IIS to read the web.config.
Each website configured in IIS 6+ runs under a specific AppPool. That app pool runs under a specific user account, and it is that user account that needs read/write permissions to this directory.
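The answers above, and the "Users" group question at the top of the page, both come down to which identities hold Read on each folder under the site root, because a web.config is looked for in every folder. The following is an added example, not code from any of the posts: it walks a site root and reports folders and web.config files where a listed identity has no direct Read grant or where inheritance is blocked. The path and identity names are hypothetical.

```powershell
# Added example. $SiteRoot and $Identities are hypothetical; replace with your own values.
param(
    [string]   $SiteRoot   = 'C:\inetpub\wwwroot\MySite',
    [string[]] $Identities = @('IIS AppPool\MySitePool', 'BUILTIN\Users')
)

$read        = [System.Security.AccessControl.FileSystemRights]::Read
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Returns 'Deny', 'Allow' or 'None' for ACEs that name $Identity directly.
# Group membership is not expanded: list every group you expect the
# worker process token to carry in $Identities.
function Test-ReadGrant {
    param($Acl, [string] $Identity)
    $rules = $Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        ([int]($_.PropagationFlags -band $inheritOnly)) -eq 0   # inherit-only ACEs do not apply to the object itself
    }
    $deny  = $rules | Where-Object { $_.AccessControlType -eq 'Deny'  -and ([int]($_.FileSystemRights -band $read)) -ne 0 }
    $allow = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $read) -eq $read) }
    if ($deny) { 'Deny' } elseif ($allow) { 'Allow' } else { 'None' }
}

# The root itself, every sub-folder, and every web.config below the root.
$items = @(Get-Item -LiteralPath $SiteRoot) +
         @(Get-ChildItem -LiteralPath $SiteRoot -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer -or $_.Name -eq 'web.config' })

$report = foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch {
        # The account running this script cannot read the ACL at all.
        [pscustomobject]@{ Path = $item.FullName; InheritanceBlocked = $null; Grants = "ACL unreadable: $($_.Exception.Message)" }
        continue
    }
    $grants = @(foreach ($id in $Identities) { Test-ReadGrant -Acl $acl -Identity $id })
    # Report only paths that deviate: broken inheritance or any identity without an Allow.
    if ($acl.AreAccessRulesProtected -or @($grants -ne 'Allow').Count -gt 0) {
        $pairs = for ($i = 0; $i -lt $Identities.Count; $i++) { '{0}={1}' -f $Identities[$i], $grants[$i] }
        [pscustomobject]@{
            Path               = $item.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Grants             = $pairs -join '; '
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

An empty report means every listed identity has a direct Read grant on every folder and web.config; a row with `InheritanceBlocked = True` is where a grant made at the root stops propagating.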

Configure IIS 6 web application on a personal server

A group of us wrote a .NET web application for our University class and in order to let our prof test with it I am setting it up on my webserver at home. Here is what I have done so far:
I created a new account on my domain, I then granted that account Read, write access to the folder where the app is stored. I have setup an application pool that uses this new account as its identity and created a new site that uses the new application pool.
I initially was receiving the Service unavailable error message, so I realized I had to add my account to the IIS_WPG account. So now I am stuck at the "page cannot be found". The website is pointing to the correct folder (I can see the aspx page list from within the IIS browser) but when browsing the site either in IIS, on a browser on the server or on a browser within my network I keep getting Page cannot be found. The home directory is pointing to default.aspx which is what our app uses.
The app of course works just fine when running from within the IDE, but now that I am trying to get it to work it doesn't want to.
Any thoughts?
Thanks.
You should give error details first.
For now, I suggest you check the 'network service' account's permission. This is the ASP.NET account.
Then publish your site to *.aspx file and *.dll file, to see if there are any errors.
So I found the issue. What I didn't know is that by default, IIS 6 does not turn on support of active server pages and .NET pages in Web Service Extensions. Once I had turned this on the site began to work just fine.

IIS - Required permissions cannot be acquired. Enabled "Full Trust" and Load User Profile on App Pool is "True"

Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile setting to "True". Strongly naming all the assemblies of the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool had never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
In my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identity (a domain account). This caused the "unable to acquire permissions" error even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pool's identity attribute (in advanced settings) as administrator. That way, your application will work on the server, just like it works on the local setup.

Error 500.19 - IIS 7.5 Site based on UNC - File Permissions Problem

I'm trying to get a website in my IIS 7.5 (Win 7 Pro machine) to run via a UNC path to the code for one of the default website and an underlying App. This is the first time I've ever tried to set up a site/app in IIS 7.5 based off a UNC path: a folder on another server in the same domain.
I've tried various things to try to get this resolved. The app pool is running under ApplicationPoolIdentity on my Win 7 Pro PC where I have this site set up.
The runtime error I get when trying to run the app in the browser via http://localhost/TheAppName is:
Module: IIS Web Core
Notification: Unknown
Handler: Not Yet Determined
Error Code: 0x800700005
Config Error: Cannot read configuration file due to insufficient permissions
Config File: \\?\UNC\theServerName\www\TheAppName
Requested URL: http://localhost:80/TheAppName
Physical Path: (nothing showing up here)
Logon Method: Not yet determined
Logon User: Not yet determined
I put in fake names for the server and app name above for privacy for this post.
So it's having trouble reading the web.config found in that UNC path for this site.
I tried to add a local user on the target server and then gave that user permissions to the web.config and then used that user RemoteServerName\LocalUserICreated as the app pool's Identity on my machine but it had no effect.
No clue what to do here and how to go about it.
I assume the UNC path is to a different server?
If so are both servers in the same domain? If so then IIS needs to run the website under a user account that has permissions to read the files.
If not you need to create identical user accounts (same username, same password) on the web server and the file storage server and then change IIS to run the website under this user account.
Hope this helps/works.
When you create a web application or virtual directory from a UNC path, you need to provide the credentials to IIS for the connection.
In the Add Application dialog, below the Physical path section is the "Connect as..." button - you can then choose either "Application user (pass-through authentication)" or "Specific user".
Whichever you choose, they have to be credentials that will be recognised by the remote server - "Pass-through" will try and use the current desktop (or browser) credentials to authenticate the user which (if you're connecting via a VPN as per your comments) almost certainly won't be valid. In this case you should use "Specific user" and provide (ideally) a domain user with suitable permissions to run the site.
When we've needed to do this in the past, we'd create an account on the domain that the local AppPools would run under, and then this could be used in these situations as well.
If you've already created the application, the dialog can be reached using the "Basic Settings..." action link.
It took me a few hours to finally solve the same issue for myself. Turned out I used the wrong slashes in my physical path. It should be \ these, not // these.
Zhaph and Alan both identify the work-around suggested by Microsoft. Here's the rest of the information from Microsoft's page on your problem:
Cause
IIS 6.0 uses the hosting worker-process identity to connect to a remote directory. Then, IIS 6.0 authenticates the user against the remote directory. However, IIS 7.0 introduces delegation scenarios. In IIS 7.0, you can delegate Web-site settings and application-level settings to a Web.config file.
For pass-through authentication, the Web.config file is stored in a UNC directory. Therefore, the default-process identity in IIS 7.0 must examine the Web.config file first to determine whether any security-related settings must be applied before the authentication process starts. The default-process identity in IIS 7.0 does not have sufficient permissions to open the Web.config file. Therefore, the Web request is rejected.
If there is no Web.config file in the UNC directory, IIS 7.0 uses the rules that are defined for the parent directory. For the Web content to be served in this scenario, the worker-process identity must have access to the whole content directory. Otherwise, the Web request is rejected.
Resolution
To resolve this behavior and to make sure that pass-through authentication works correctly, follow these steps:
1. Make sure that all the user accounts that access the UNC directory have at least the Read permission for the UNC directory.
   Note: This behavior is the same as the behavior in IIS 6.0.
2. Make sure that the IIS worker-process identity is running under a domain account or under a workgroup account that also exists on the UNC file server. If it is necessary, create an account on the UNC file server that has the same user name and the same password as the IIS worker-process identity.
   Notes:
   - This behavior differs from the behavior in IIS 6.0.
   - By default, the DefaultAppPool application pool runs under the Network Service account. This account is local to the computer, and this account does not exist on another computer. Therefore, make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the UNC file server. Alternatively, you can create a workgroup account on the UNC file server and on the computer that is running IIS 7.0.
3. If there is a Web.config file in the UNC directory, edit the discretionary access control list (DACL) for the Web.config file so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the Web.config file so that the DACL contains the account that you created in step 2.
4. If there is no Web.config file in the UNC directory, edit the DACL for the UNC directory so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the UNC directory so that the DACL contains the account that you created in step 2.
   Note: This behavior differs from the behavior in IIS 6.0.
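Step 2 of the resolution above and the LoadUserProfile report in the earlier "Required permissions cannot be acquired" thread both depend on how each application pool's identity is configured. The following is an added example, not part of the quoted Microsoft text or of any answer: it uses the WebAdministration module to list every site and application, and notes pools that serve UNC content under a built-in identity, under a user name with no domain part, or with LoadUserProfile off.

```powershell
# Added example; requires the WebAdministration module that ships with IIS 7 and later.
Import-Module WebAdministration

# Built-in pool identities, which the guidance above says to replace with a
# domain (or mirrored workgroup) account when the content lives on a UNC share.
$builtIn = 'ApplicationPoolIdentity', 'NetworkService', 'LocalService', 'LocalSystem'

# Every site root and every application below it, with its pool and physical path.
$targets = foreach ($site in Get-Website) {
    [pscustomobject]@{ Site = $site.Name; App = '/'; Pool = $site.applicationPool; PhysicalPath = $site.physicalPath }
    foreach ($app in Get-WebApplication -Site $site.Name) {
        [pscustomobject]@{ Site = $site.Name; App = $app.path; Pool = $app.applicationPool; PhysicalPath = $app.PhysicalPath }
    }
}

$report = foreach ($t in $targets) {
    $pm       = (Get-Item "IIS:\AppPools\$($t.Pool)").processModel
    $identity = [string]$pm.identityType
    $isUnc    = $t.PhysicalPath -like '\\*'
    $notes    = @()

    if ($isUnc -and $builtIn -contains $identity) {
        $notes += 'UNC content served by a built-in identity'
    }
    if ($isUnc -and $identity -eq 'SpecificUser' -and $pm.userName -notmatch '[\\@]') {
        # No DOMAIN\ or @domain part: the same user name and password must exist on the file server.
        $notes += 'UNC content served by a user name with no domain part'
    }
    if ($identity -eq 'SpecificUser' -and -not $pm.loadUserProfile) {
        $notes += 'LoadUserProfile is false for a custom identity'
    }

    [pscustomobject]@{
        Site         = $t.Site
        App          = $t.App
        Pool         = $t.Pool
        Identity     = if ($identity -eq 'SpecificUser') { $pm.userName } else { $identity }
        PhysicalPath = $t.PhysicalPath
        Notes        = $notes -join '; '
    }
}
$report | Sort-Object Site, App | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the web server. Rows with an empty Notes column need no change under the guidance quoted above.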
