Why can’t I still get IIS ApplicationPoolIdentity to write a file to folder? - asp.net

My ASP.NET Web Pages application needs to write self-generated files to a local folder under its root directory. Everything runs like a charm on and from my development environment, even to any other given network location.
The problem is that I can’t get the production environment to do the same. Just no files get created, anywhere. Nor are any exceptions thrown on missing permissions etc. Nada.
I believe I’ve read and tried out just about everything anyone had written on the Internet over the past seven years and I feel like I’m chasing my own behind trying to solve this problem. Should it be really that difficult?
At the risk of getting marked as a duplicate, I see no other option than to post my question here.
Basically, here is what I have so far:
The production application runs on Windows Server 2008 R2, IIS version 7.5. It has a dedicated Application Pool, with its identity set to ApplicationPoolIdentity (.NET Framework v4 / Integrated pipeline).
[Screenshot: Application Basic Settings]
Verified AppPool membership of IIS_IUSRS.
[Screenshot: Verified Group Membership]
User Authentication is set to Windows Authentication.
[Screenshot: User Authentication]
Should Anonymous Authentication be set to 'Enabled' to get the ApplicationPoolIdentity to be used? I've tried switching it on, but it conflicts with Windows Authentication, which is an essential part of our application and cannot be switched off.
If so, then how?
Both the Application Pool and the IIS_IUSRS have been granted Read & Write permissions on the folder.
I’ve tried setting Full control, but that didn’t help either.
[Screenshot: Folder Security Settings]
Here is the (stripped down) code that writes the files to the desired location:
[Screenshot: Stripped-down Code]
Other (silly) things I've tried are:
Playing around with absolute and relative paths in my code.
Enabling Anonymous Authentication, resulting in a conflict with the necessary Windows Authentication.
Setting the Application Pool ProcessModel identity to Network Service.
Recycling the Application Pool.
Setting Load User Profile to 'On' for the Application Pool.
Setting IE Enhanced Security Configuration 'Off' for users.
Restarting the server machine.
Using different browsers.
Giving 'Everyone' full folder permissions, just to see the effect; nothing.
Setting AuthenticatedUserOverride to UseWorkerProcessUser via the IIS Configuration Editor. This causes my application to no longer recognise Current.User.Identity.Name, so it blocks further site access.
What I need is to keep Windows Authentication, but also be able to have the application write files to a given location regardless of the authenticated user.
Can anybody please point me in the right direction or just tell me what I've overlooked?
Thanks!

Related

ASP.NET web service using IUSR, not Application Pool Identity

This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS Express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.

Cannot start IIS default site (version 7)

I am developing on my local machine (Windows 7), and using IIS 7. I usually create a new website by right-clicking on Sites -> Add New Site. Then I do the usual stuff by pointing to the physical files, and I'd stop all other websites which I didn't need. I could then run the site on port 80 without any binding conflicts.
I then recently started doing some ASP.NET development. When I published from VS 2010 to localhost I could run the website, and it all worked great. I then stopped the site (asp.net) but I couldn't start any of the other sites (not even the default). I am not sure why.
I started to read about App Pools and someone said to remove all the application pools. So I removed all my application pools (except the default app pool), and I also removed all the websites (as they had a red x next to them).
I now cannot start the default site as the Restart, Start and Stop actions are greyed out. I cannot find any way to reset the IIS server. One error I have received is:
the object identifier does not represent a valid object iis7
I don't really know what this means, and when I search for this error it seems that many people have come across it, but in different contexts.
Is there any way to reset IIS so I can build simple websites again? Do I need to uninstall IIS and reinstall?
Uninstalling IIS and reinstalling would probably be the easiest and fastest way to accomplish this.
Other than that, check the event logs to see if you can find any clues there.
You'll want to ensure there is a one-to-one relationship between the number of sites & the app pools that host them. If they are 32-bit apps hosted on a 64-bit server, you'll need to enable this property (set it to True) on the app pool you want to use for your site. You'll want to run:
C:\inetpub\AdminScripts>cscript adsutil.vbs SET W3SVC/AppPools/Enable32BitAppOnWin64 1
The .NET Framework obviously needs to be installed, but then the separate step of running the ASP.NET registration command needs to be done (C:\Windows\Microsoft.NET\Framework\v2.0.xxxx\aspnet_regiis.exe -i). If it already is, reinstall them; it could be malfunctioning/corrupt.
After all that, I noticed IIS 7 puts on this generic app pool identity account to run the app pool with. I created a service account, gave this account Admin rights just to see if the site would run, and added it onto the app pool as the "Custom account". I no longer get the HTTP 503 error. The account should have the "Log on as a service" and "Log on as a batch job" rights. If it will be using impersonation and going out to a SQL database, the "Impersonate client after authentication" and "Allow log on locally" rights are also needed (hence why I like just giving it admin privileges to see if it works, first).

IIS 7 w/ MVC 3 Permissions Issue

I am currently in the process of deploying an MVC 3 web app to an IIS 7 server. When I work on the web app from Visual Studio and deploy through the development server, the web app has no problem using a custom .dll that interacts with a local server. However, when I deploy onto IIS 7, the same dll fails to pull data from the server. I am assuming this is permissions related. I have assigned the AppPool to use an account I created that is a member of the local 'Administrators' group. No success. My account is a member of this group. One quirk I noticed was when I tried to modify security settings in the %WINDIR%\inetsvr folder, which holds the process that runs the web server for IIS, I was unable to modify these settings even though I am a member of the 'Administrators' group. Confused about this, and have been running around in circles trying to figure this one out. Any help would be appreciated.
Your web app's associated user definitely doesn't need to have access permissions to %WINDIR%\inetsvr.
Assuming that your website runs on C:\inetpub\myWebsite and .NET 4.0, your web app's user needs to have at least read access to the following folders:
C:\inetpub\myWebsite
%windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files
If you don't grant access to those folders, it is very likely that your app won't run.
Also, visit your site with a browser inside your production server and see the detailed IIS error. That might help to narrow the problem down.
NOTE: Also, be sure that your app pool is in Integrated mode, because ASP.NET MVC won't work properly under Classic mode if you have extensionless URLs. It is highly likely that you will get a 404.

Environment.GetFolderPath(Environment.SpecialFolder.InternetCache) returns empty string in ASP.Net project

I am developing an ASP.NET project (framework 2.0) on a local machine (Windows 7). IIS 7.5 is the local web server.
When I run the project locally, Environment.GetFolderPath(Environment.SpecialFolder.InternetCache) returns an empty string.
I am a bit sheepish and frustrated, since I encountered this issue when I set up this new dev machine, but cannot remember the solution and cannot find a solution by Googling. Others on the dev team running XP do not encounter this problem.
I am expecting a return value of C:\Users\DefaultAppPool\AppData\Local\Microsoft\Windows\Temporary Internet Files.
Not sure if this is an IIS setting issue or whether I can set the environment variable somewhere.
Thanks, Jeff
I'm 99% sure this is going to come down to a permissions issue. In IIS 7, there is a new "user" called ApplicationPoolIdentity that is the default identity for an app pool. This user has much lower permissions than the defaults in IIS 6.
I can reproduce your issue; I have to set my AppPool to run as either LocalSystem or a specific user with administrative rights to retrieve Environment.SpecialFolder.InternetCache, which makes sense when I look at the folder in question and view its permissions.
Be aware that there are security issues with running IIS app pools with higher permissions.

ApplicationPoolIdentity permissions on Temporary Asp.Net files

At work I am struggling a bit with the following situation:
We have a web application that runs on a Windows Server 2008 64-bit machine. The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .NET 2 and Classic pipeline mode.
This works fine up to the moment that XmlSerialization requires creation of serializer assemblies, where MEF is being used to create a collection of known types.
To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.NET Temporary Files directory would be enough, but alas...
What I did was run the following command from a cmd prompt:
icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)
Obviously this did not work, otherwise you would not be reading this :)
The strange thing is that whenever I grant the Users group, or even more specifically the Authenticated Users group, those permissions, it works. What's weird as well (in my eyes) is that before I started granting access, the ApplicationPoolIdentity was already a member of IIS_IUSRS, which does have Modify rights on the Temporary ASP.NET Files directory.
And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. I thought it could be because the app pool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modify rights on the Windows\Temp directory and/or the application directory itself did not fix it.
For now we have a workaround, but I hate that I don't know what exactly is going on here, so I was hoping any of you guys could shed some light on this.
Thanks in advance!
If the application pool is running as ApplicationPoolIdentity, things should work out of the box, since the IIS_IUSRS SID is injected into the worker process token and has the right permissions to write.
My guess is that the application must be using Windows authentication and impersonation is enabled in ASP.NET, so the code is probably run as the specific user making the request and not necessarily the process identity.
Am I right in guessing that the app is running Windows Authentication and that impersonation is enabled in ASP.NET?
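The two answers above (the impersonation fix on the IUSR question and the guess just made here) share one mechanism: with <identity impersonate="true"/> the request thread runs as the authenticated caller while w3wp.exe itself runs as the pool identity. The following C# snippet is an added example, not code from any of the posters; it makes that difference visible and shows how a file write can be done under the process identity while Windows Authentication stays on. The class and method names, and the use of .NET Framework 4.x, are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;

// Added example (not from the original posts). Assumes an ASP.NET site on
// .NET Framework 4.x with Windows Authentication enabled.
public static class IdentityDiagnostics
{
    // Reports who the request thread runs as versus who the worker process runs as.
    // With <identity impersonate="true"/> these differ: the thread token is the caller
    // (or IUSR when anonymous), the process token is the app pool identity, which is
    // why Task Manager and WindowsIdentity.GetCurrent() can disagree.
    public static string Describe()
    {
        // GetCurrent(true) returns only the thread's impersonation token, or null when
        // the thread is not impersonating.
        WindowsIdentity threadToken = WindowsIdentity.GetCurrent(true);
        WindowsIdentity effective = WindowsIdentity.GetCurrent();
        return string.Format("effective={0} impersonating={1} level={2}",
            effective.Name, threadToken != null, effective.ImpersonationLevel);
    }

    // Writes a file as the worker process identity (ApplicationPoolIdentity) even when
    // the request is impersonating the authenticated caller. Impersonate(IntPtr.Zero)
    // reverts to self for the duration of the write only, so the caller's identity
    // (and HttpContext.User) is restored before the rest of the request runs.
    public static string WriteAsProcessIdentity(string directory, string fileName, string contents)
    {
        WindowsImpersonationContext reverted = null;
        if (WindowsIdentity.GetCurrent(true) != null)
        {
            reverted = WindowsIdentity.Impersonate(IntPtr.Zero); // revert to process token
        }
        try
        {
            Directory.CreateDirectory(directory);
            // GetFileName strips any directory part a caller-supplied name might carry.
            string path = Path.Combine(directory, Path.GetFileName(fileName));
            File.WriteAllText(path, contents);
            return path;
        }
        finally
        {
            if (reverted != null) reverted.Undo(); // restore caller impersonation
        }
    }
}
```

Logging Describe() from the page that fails to write tells you in one request whether the pool identity or the caller is the principal whose ACL entry actually matters.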
Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory.
See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html