I have an ASP.NET application where I am running Process.Start. It runs on my PC but not on the server.
I have read that I needed to give my IIS worker permission to interact with the desktop, however this still is not working. On my server the ASP.NET app is under its own application pool. How do I give my application pool access to run Process.Start?
1. Give permission for ASP.NET worker process account (\ASPNET) to interact with desktop or allow ASP.NET worker process to run in SYSTEM account.
To know how to allow worker process to run in SYSTEM account and to know the default permissions of ASPNET account, check this article
INFO: Process and Request Identity in ASP.NET (http://support.microsoft.com/default.aspx?scid=kb;en-us;317012)
2. Enable IIS Admin Service to interact with desktop
To configure this, follow these steps.
a. Open Control Panel and follow these steps:
For Windows NT: click Services.
For Windows 2000, Windows XP, and .NET Server: click Administrative Tools, and then click Services.
b. Double-click IIS Admin Service.
c. On the Log On tab, select the Allow Service to Interact with Desktop check box.
Note: This article assumes that the IIS Admin Service runs as a local system.
d. Stop and restart the IIS Admin Service.
Then you need to change your Application Pool Identity to Local Service. Start and Stop Application Pool and Website.
Then this will work.
I have a PowerShell script file called Script1.ps1 and I execute it from a web application in ASP.NET with the following code:
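var process = new System.Diagnostics.Process();
// Verbatim string literal (@"...") so the backslashes in the path are not read as escapes.
process.StartInfo.FileName = @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";
// ScriptNameOne and param1..param3 are defined elsewhere in the application.
process.StartInfo.Arguments = $"-File \"{ScriptNameOne}\" \"{param1}\" \"{param2}\" \"{param3}\"";
process.StartInfo.UseShellExecute = true;
process.Start();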
The problem is that when I deploy my web app in IIS the process doesn't start.
I don't get any error, my PowerShell script just doesn't run.
The code works fine in my IIS Express from Visual Studio, because my user on the computer is executing all the processes, so I have permissions to every resource on the machine.
Important: I need to execute this powershell script LOCALLY IN THE SERVER WHERE THE SITE IS.
I know that it is a user/permissions issue, so...
In IIS, which permissions do I need?
Which of all the IIS users should I use?
Do I need to give permissions on the folder where powershell.exe is?
ASP.NET Web page and server control code executes in the context of the ASP.NET worker process on the Web server. If you use the Start method in an ASP.NET Web page or server control, the new process executes on the Web server with restricted permissions. The process does not start in the same context as the client browser, and does not have access to the user desktop.
Give permission for ASP.NET worker process account to interact with desktop or allow ASP.NET worker process to run in SYSTEM account.
To know how to allow worker process to run in SYSTEM account and to know the default permissions of ASPNET account, check this article INFO: Process and Request Identity in ASP.NET: http://support.microsoft.com/default.aspx?scid=kb;en-us;317012
Enable IIS Admin Service to interact with desktop
To configure this, follow these steps.
a. Open Control Panel and follow these steps: For Windows NT: click Services. For Windows 2000, Windows XP, and .NET Server: click Administrative Tools, and then click Services.
b. Double-click IIS Admin Service.
c. On the Log On tab, select the Allow Service to Interact with Desktop check box. Remember to run IIS Admin Service as a local system.
d. Stop and restart the IIS Admin Service.
For more information about this question you can refer to this link: https://stackoverflow.com/a/4679686/13336642.
WHAT WORKED FOR ME:
Right click the directory where the .EXE file is and select Properties
Select the Security tab
Click the Edit button and then Add button
Click the Locations button and make sure that you select your computer
Enter IIS AppPool\<apppoolname> (e.g. IIS AppPool\DefaultAppPool)
https://support.pkware.com/home/smar/latest/sem-knowledge-base/kb-granting-folder-permissions-to-iis-application-pools
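The same grant as the steps above, scripted in PowerShell and limited to what launching an executable needs. This is an added example, not part of the original answer; the function names, the sample folder path and the choice of Read & Execute are assumptions (the steps do not say which permission to select).

```powershell
# Added example: run from an elevated PowerShell prompt on the web server.

function Grant-AppPoolReadExecute {
    param(
        [Parameter(Mandatory)] [string] $PoolName,  # e.g. DefaultAppPool
        [Parameter(Mandatory)] [string] $Path       # folder that holds the .exe
    )
    # Resolve the virtual account first. Translate() throws if no such pool
    # exists, so a typo never ends up as an unresolvable entry in the ACL.
    $account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
    [void]$account.Translate([System.Security.Principal.SecurityIdentifier])

    # Read & Execute only, inherited by files and subfolders. No write access:
    # the web application should not be able to replace the binary it launches.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the entries the pool identity now holds, for review.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account.Value }
}

function Get-AppPoolWriteRules {
    # Lists Allow entries that give the pool identity any write right on $Path.
    # Only entries naming the identity directly are checked, not rights it
    # receives through group membership.
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        [Parameter(Mandatory)] [string] $Path
    )
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq "IIS AppPool\$PoolName" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write) -ne 0
    }
}

# Usage (C:\Tools\MyApp is a placeholder path):
#   Grant-AppPoolReadExecute -PoolName 'DefaultAppPool' -Path 'C:\Tools\MyApp'
#   Get-AppPoolWriteRules    -PoolName 'DefaultAppPool' -Path 'C:\Tools\MyApp'
```

An empty result from `Get-AppPoolWriteRules` means the pool identity has no direct write entry on the folder.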
I have 1 web application, 1 web service and 1 Windows application. I am calling a web service method from the web application, and in that method I am calling the Windows application exe. I have put the Windows application exe on the server machine and also host the web service on the server machine. If the web service is hosted on local IIS then it's working, and if it is on the server IIS then it gives me a Time Out error.
Web service executes in the context of the ASP.NET worker process on the Web server. If you use the Process.Start method in an ASP.NET Web page or server control, the new process executes on the Web server with restricted permissions.
Give permission for ASP.NET worker process account to interact with desktop or allow ASP.NET worker process to run in SYSTEM account.
Open Control Panel and follow these steps: For Windows NT: click Services. For Windows 2000, Windows XP, and .NET Server: click Administrative Tools, and then click Services.
Double-click IIS Admin Service.
On the Log On tab, select the Allow Service to Interact with Desktop check box. Remember to run IIS Admin Service as a local system.
Stop and restart the IIS Admin Service.
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
This depends on the hosting. VS provides 4 ways to host & debug a web application: VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Dev servers generally run under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code runs under credentials of apppool account. What is your view on this point?
Not very clear, but I think your understanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider: Windows Authentication or Forms Authentication are 2 common providers. User identity is kept in the HTTP context, which allows you to use authorization rules later. So every code block always runs under the same account (unless you enable delegation but that's another story).
I highly suggest you read this complete introduction on ASP.NET security.
Every time the ASP.NET application in question throws an error the Global.asax writes to an error file: logs\error.log. The ASP.NET application works using Windows authentication.
I am able to write to the log file when debugging using Visual Studio, however it does not work when the application is deployed in the live environment. How do I find out what user account I need to give access to: logs/error.log?
The application is deployed on a Windows 2003 Server with IIS6. Microsoft.NET 3.5.
You would have to give the required permissions to the network service account. This link might be able to help you out.
Windows Server 2003 defaults to the "Network Service" account.
This can be verified by opening IIS (expand the computer if needed), expand the "Application Pools" folder, right click on the pool used by your web app, and go to the Identity tab.
FYI: Windows Server 2008 uses the IIS_IUSER instead of Network Services.
I hope that logs folder is a virtual directory setup outside the web site directory.
Otherwise every time you deploy the entire solution you will overwrite the logs folder and its content.
Microsoft has a tool for monitoring file access that can be useful for troubleshooting permission issues.
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645
You will also want to check if your application is using windows authentication & identity impersonation since that can change the identity the application is executing with when enabled.
I've a small ASP.NET application which writes logs on the file system in a directory 'Logs'.
I've given the modify permission to the ASP.NET machine account for this folder, which works fine. However, when I tried to deploy it to another server it doesn't work. I have to give the same modify permission to the Network Service account also. Why?
Because that's the account that's used to run the application pools under. So on IIS6 and 7 this will be the case. On workstations with IIS5, you won't have application pools, and so the ASP.NET worker process runs under the local ASPNET account.
Also, it's better to grant the permissions on the IIS_WPG local group, of which the Network Service is a member.
Because on your local machine IIS worker process runs under Asp.Net machine account but on a windows server IIS worker process runs under Network service account.