Hope you can help.
We have a web application (.NET 2.0) that has some custom code that is used to poke a windows service when a file is uploaded. We issue a command using the following code:
Dim serviceName As String = "Processor Service 1.0"
sc = New ServiceController(serviceName)
sc.ExecuteCommand(200)
Running this code in a standalone app works fine but when running through website throws an access denied error. Code works fine in IIS 6.
We are using an application pool with a user and is in Admin group. I figure it's something to do with IIS but now sure what.
Hoping you guys can help.
Thanks
The permissions that are needed to interact with local services are pretty high. Your asp.net app is likely running as anonymous (local account IUSR), or the "application pool identity". You would have setup your app in IIS (app pool) to use a different account with greater permissions.
In IIS Admin, under the section "IIS", "Authentication", you need to enable a stronger authentication method. If "Anonymous Authentication" is the only one enabled, then check the settings "Edit" to see if it is running as IUSR or "Application pool identity". This is where you determine, or set, the account (and permission set) that your ASP.NET app is using.
I feel that I should strongly warn against elevating the permissions for IIS and anonymous users. This would create a very dangerous back-door into your system. The suggestion from bgs264 is a very good one: make a separate service (or scheduled process) that watches for file uploads, or modify the existing service to use the file-watcher to monitor for uploaded files. It could run under a higher permission set and would be much more isolated from your IIS. Granting admin permissions to IIS or its app pools, is just like begging for trouble.
Related
Deploying an asp.net project on local IIS server as a release version. Getting 401 unauthorized error on API call (allow anonymous enabled). Server runs with administrator user principal. This principal has all the permissions. And the project declared as application with correct .net library. The only thing I can't change is read only flag on the project directory. Anyone can help? Nothing in google resources worked...
Update: After a lot of searching and digging, I found a solution:
IIS Application basic settings - The default settings is to run application with Application pool user, which is usually limited with it's files access permissions. So the idea is to run application with administrator user.
Run as - enter administrator user name and password
Application pool type - The default application pool type is 2 and sometimes new .NET libraries are not accessible. So you have to add all the missing ASP.NET types to IIS.
Usually ASP.Net version suppose to be classic, in this case application works fast. Otherwise application refresh time may take long period.
Local folder permission - add local administrator, that you defined on IIS settings, and grand him all permissions to the folder recursively
SQL Server Management- the default server authentication is Windows Authentication, make it SQL Server and Windows Authentication mode
Add new user to the server and grand him all the permission to the database
Add this user to database Users and change the SQL connection string at the project accordingly. This way you prevent application pull trying to connect with database with it's user
Just posting this here as I went around in circles trying to diagnose an intermittent 401 error.
I had a virtual sub directory within the web application that referenced an external folder which was out of the directory tree so had different folder permissions.
Any scripts that referenced this folder failed - while others ran completely fine.
I'm trying to track down why when the web app accesses a network drive, I see Network path not found (error 53). When I log into the server I can open up a file on that drive with no problem. But the application (asp.net) cannot. I was wondering if this was a permissions error and that lead me to try to find out what the usename of the app is and where I would find that out.
It depends on your OS version and your security settings. Your web-site should have an app pool assigned to it (which may be shared with other applications). By default in windows server 2008R2 the pseudo account ApplicationPoolIdentity is used, which is not really an account.
IIS Accounts
You can check under advanced settings for the app pool and see what it is using. I believe if you have impersonation set up in your web.config, the app pool will access resources using the credentials of whomever is using the application--you can use Kieran's snippet to get that information.
This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.
I am in the process of deploying a web application on IIS5 on my server which runs windows XP.So when i run my application in visual studio its perfect.But when i deployed it into IIS it throws me an error saying that the access denied to a particular file.
My app reads a xml file based on the input(which is nothing but the other system in the network).As i browsed to the properties of that file manually and unchecked the read only attribute,still it dint work out.Can any one guide me to the proper solution ?
you might have to give read/write (if needed) to following users:
iis_wpg
network service
aspnet
In IIS, your site runs under the credentials of the application pool assigned to it. You can either change the credentials of your application pool to an account that has permission to access that file, or else grant access to the default account that the application pool is currently using.
You mention that you are using basic auth...
Generally, the web application will then impersonate the user logged in.
So, if your file isn't accessible by the user that logged in, then it won't be accessible to the web application impersonating them on the system either. You will need to check the permissions of those files and set them accordingly.
at work I am struggling a bit with the following situation:
We have a web application that runs on a WIndows Server 2008 64 bits machine. The app's ApplicationPool is running under the ApplicationPoolIdentity and configured for .net 2 and Classic pipeline mode.
This works fine up to the moment that XmlSerialization requires creation of Serializer assemblies where MEF is being used to create a collection of knowntypes.
To remedy this I was hoping that granting the ApplicationPoolIdentity rights to the ASP.Net Temporary Files directory would be enough, but alas...
What I did was the run the following command from a cmd prompt:
icacls "c:\windows\microsoft.net\framework64\v2.0.50727\Temporary ASP.NET Files" /grant "IIS AppPool\MyAppPool":(M)
Obviously this did not work, otherwise you would not be reading this :)
Strange thing is that whenever I grant the Users or even more specific, the Authenticated Users Group those permissions, it works. What's weird as well (in my eyes) is that before I started granting access the ApplicationPoolIdentity was already a member of IIS_IUSRS which does have Modify rights for the temporary asp files directory.
And now I'm left wondering why this situation requires Modify rights for the Authenticated Users group. I thought it could be because the apppool account was missing additional rights (googling for this returned some results, so I tried those), but granting the ApplicationPoolIdentity modification rights to the Windows\Temp directory and/or the application directory itself did not fix it.
For now we have a workaround, but I hate that I don't know what is exactly going on here, so I was hoping any of you guys could shed some light on this.
Thanx in advance!
If the application pool is running as AppPool Identity then things should work out-of-the box since the worker process will be injected the IIS_IUSRS SID which will have the right permissions to write.
My guess, is that the application must be using Windows authentication and impersonation is enabled in ASP.NET so that code is probably be ran as the specific user that is making the request and not necesarilly the process identity.
Am I right on the guess that the app is running Windows Authentication? and impersonation is enabled in asp.net ?
Might not be relevant to you - but if you are running the app pool as a domain user, the rules change on the automatic injection of IIS_IUSRS token into the process at startup. This caught us out recently when moving to .net 4, and not having permission on the new Temporary ASP.net Files directory.
See here for a workaround: http://www.yusufozturk.info/iis7/asp-net-write-access-error-on-iis7-5.html