Convert to application in IIS under service account - asp.net

I want convert to application my Asp.Net app.
I created application Pool what use service account. And want "convert to application" under this application pool.
BUT if i check connection setting show me error "Invalid application path".
When I set my personal user account in to "connect as"
everything was alright.
Question : what must fulfill service account to right use? Or any suggestion whot I must change, try or verify?

You should be able to use the Setting "ApplicationPoolIdentity" for Identity in the Pool Advanced-Properties.
Usually your folder security settings must grant read, execute, browse folder and read for the local group IIS_IUSRS.
if you did both, the conversion to application should work.

Related

Two web applications, one error when writing to the eventlog

I have two ASP.NET web applications and in both I use EventLog.WriteEntry with a custom source name to write custom events to the application log.
Both on my programming machine and on the webserver this works in one of the applications, in the other it doesn't - I get a security exception:
[SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.]
I am wondering why this happens, both web applications are identical (as far as I see it). The only difference from a security point of view is the authentication mode: one uses Forms (there Eventlog.WriteEntry works) and one uses Windows (here it doesn't work). Can this be the reason?
Giving "everyone" read access to the application log doesn't change this behavior.
Your problem on Windows authentication mode essentially similar with these problems:
System.Security.SecurityException when writing to Event Log
System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. Inaccessible logs: Security.
The exception means that your web app tried to write on event log using a value given to "source" which has not been registered due to insufficent privilege on corresponding account.
When using Windows authentication mode to perform event log tasks, you need to give read permission on NETWORK SERVICE account on eventlog\Security key. Below are these steps to do:
Open Regedit (Registry Editor).
Go to HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security
Right click the branch, select "Permissions".
Click "Add", find RDN named NETWORK SERVICE or type it directly, then add the account.
Under "Permissions for Network Service", check "Read" or "Full Control" to give the read permission, then apply the change.
Restart your application pool on IIS host.
If it still not enough, do actions below:
Open IIS Manager. Check the Identity column on Application Pools section, it should given LocalSystem or NetworkService.
When you need to change Identity, right click the application pool with Windows authentication, choose Advanced Settings.
Under Process Model, change ApplicationPoolIdentity to LocalSystem or NetworkService, apply your edit and restart the application pool.
NB: NetworkService identity is more preferred to LocalSystem due to security vulnerability reasons.
Also you may try setting <trust level="Full" /> in web.config file, depending on security consideration.
If all solutions above still won't work, set Visual Studio on development machine or deployed app on web server to run as administrator privilege, gaining full access to Windows authentication event log. After all, it depends of your choice to ensure proper security measure was applied.

Access to the port 'COM4' is denied

I am using arduino (some micro-controller), and I made an ASP.net page to communicate with it. I connected arduino to serial-port COM4. When I run the ASP.net website, I get the following error:
Exception Details: System.UnauthorizedAccessException: Access to the port 'COM4' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
now i know it may sound like the solution is right there: " to grant asp.net access to..." but i don't know what file they are talking about!
So please can anybody point out the solution ?
PS: I first did a windows form application and it worked. So there is nothing else using the COM4.
Thanks in advance.
Ignoring that it's strange that a web application should talk to a COM port on the server, the issue is as follows: by default an ASP.NET application in IIS runs under a low privilege user (as specified in the error message). That user is not allowed to access the port.
A console application runs under the user who launched it. I'm assuming that's you and you're an admin on the machine.
To get the ASP.NET doing the same open IIS (Start - Run - inetmgr), select 'Application Pools', choose the app pool under which your web application is running, click 'Advanced Settings', set the 'Identity' field to your user.
Restart the app pool and launch the web application.

Getting "Service Unavailable" error when browsing IIS website

I have a website in IIS 6.0 using an application pool with a custom service account. When I browse the website, I get an error "service unavailable" and the error in event log says
The identity of application pool 'SampleAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
I think the utility "Aspnet_regiis" can be used to grant access to an account to IIS metabase according to this article, but is that the right way to fix this issue? Because this utility is used for multiple things and may do more than just granting the permissions to the account, or should I just add the account manually to IIS_WPG group?
When I see this in IIS 6 and the user has a custom app pool identity, the problem typically originates in the entry of credentials in the app pool properties. So there are generally two origins for the issue.
One is a simple typo in the credentials, unfortunately the form validation is not very good in IIS 6, so I often will have users change the identity of the app pool, then immediately check that the credentials "took" and/or check the System event log for W3SVC and related errors.
The second specific cause I see in this scenario is when people enter an Active Directory user, they sometimes forget to add the domain name. (e.g. DOMAIN\Username). Which leads me to the next point, the IIS_WPG is the builtin local group which grants members the required ACLs to run as an app pool identity. The aspnet_regiis.exe -ga grants the same thing to users, but IMO it is best suited for use when the IIS_WPG group is not an option. Also a dedicated app pool user account is generally a good idea. If the AD user password is changed, you'll bring your app to its knees until you again re-enter the credentials in the IIS Manager.
Edit: I added some para breaks to make this chunk more readable.
I had this same problem and I resolved it by starting the application pool. Ours was stopped even though IIS was running.
"The identity of application pool 'SampleAppPool' is invalid..."
Every time I have had that error, it was because the user name and password where not correctly entered in the application pool. This happens also when you import the pool settings from another server. Reentering the password in the application pool identity configuration has always solved the problem.
Once you get that right, you will probably meet the second problem you are describing, but that's an unrelated issue. It can be fixed as you describe, or even manually granting the required access permissions to the application pool identity.
If you are connecting to a remote machine using one or more remote access tools, take note: your keyboard mappings may be getting screwed up somewhere along the way!
In my case, I tried typing out certain letters of the password in a plain text editor on the remote machine (not necessarily in the same order, to retain security). When attempting to type the dollar character, I found that if I used the left shift key I got a "$" but if I used the right shift key I got a "4".
Once I had that figured out, I could enter the correct password for the Application Pool Identity. (Note: when filling out the identity section, IIS does not validate the password you enter against the user identity, only that the two passwords you enter match each other).

Accessing network folder with ASP.NET Network Service account

My ASP.NET MVC 2 application runs under built-in local NETWORK SERVICE account. I want to set up access permissions for the folder which resides in another computer, but in the same domain. I located that folder right-clicked to open its properties form, clicked to Security tab and pressed Add button which displayed Add user form with correct domain name in the location field. I referred to the account with following syntax:
<domain name>\<server name>$
because I learned that NETWORK SERVICE account uses machine account when connected to other computers in the domain.
However, the system couldn't find the account, so refuses to add the account. Without the domain name it adds a user, but that user seems to be local user, not web server's NETWORK SERVICE account. What am I doing wrong?
By the way, the above syntax worked when I created login for the sql server which is different computer from the web server.
OK, I will answer my own question. The above syntax \$ was correct. Just make sure to select computers checkbox in the object type, when adding user permissions.
I have been in this same situation before. I don't think I got it to work with the Server/Network Service but this might be worth a try.
Figure out the account network service is using to access the network resource.
Configure windows auditing (on the server the folder is located) to log the failed security events of the folder.
or monitor the folder with something like filemon.exe
.. from here you can try and add the account to the security settings of the forlder. (IIRC I did'nt ever get this to work)
Alternatively you can ensure the action is performed under the context of a domain user. Either by:
Impersonating the user in code and performing the action (my preference)
Setting the impersonation settings in web.config to a named user
setting the application pool to run as a domain user.

IIS7 Permission Problem

I have a normal Windows Server 2008 installation with II7. Each website has it's own application pool. But there is a security realated problem.
There is no restriction for an asp.net application to write a file into C: or any other directorys.
In IIS 6 before this could happen I would have to set those rights in the windows folder secuity permissions and allow the ASPNET_Usr to do that.
What is the best practice for hosting asp.net applications and not allowing them to write an read files in eg c:?
EDIT
Anonymous Auth. is enabled and the User specified is "ISUR". All other Authentications are disabled. In the application pool I use as Process Identity "Network Service".
I created a new User on the Server (not in the domain) "www.xyz.test" and deleted all his group memberships. Changed the Process identity to this user and made the anonymous authetication use the app pool identity and was still able to write to C:.
Changing the trust level is in my case not an option because we use an 3rd party application
It all depends on what user account your asp.net website is running on. I.e. is it Network Service? As far as I am aware, if I want to be able to write to the web directory then I give my website account write access solely to the directory where I want to save files. The account I use is the one used for Anonymous Authentication.
I.e. I have a website called mycompany.com . I create this user account as part of the domain user group. I add this as the anonymous authentication credentials and give it access to the web root, and also write access tot he nested folder which I want to write too.
The User account would be called mycompany.com so i know that it has a reponsibility solely for permissions related to the web and that particular website.
Sounds like the web site permissions (in IIS) are set to either
- Windows Auth: And you are logging in with someone who has permissions to those folders
or
- Anonymous Auth: And the account that is being used for impersonation has permissions
Best practice would be to make sure the account which is being used to access the site (i.e. if windows auth - your account or if anonymous then the account which is impersonated) does not have permissions on the folders.
You could also raise the trust level to medium, high or full in the machine.config for additional security enforcement policies - however use with caution as it can cause some ASP.NET apps to fail.

Resources