This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.
Related
My ASP-Webpages application needs to write self-generated files to a local folder under its root directory. Everything runs like a charm on- and from my development environment, even to any other given network locations.
The problem is that I can’t get the production environment to do the same. Just no files get created, anywhere. Nor are any exceptions thrown on missing permissions etc. Nada.
I believe I’ve read and tried out just about everything anyone had written on the Internet over the past seven years and I feel like I’m chasing my own behind trying to solve this problem. Should it be really that difficult?
At the risk of getting marked as duplicate I see no other option than to post my question here..
Basically, here is what I have this far:
The production application runs on Windows Server 2008 R2, IIS version 7.5. It has a dedicated Application Pool, with its identity set to ApplicationPoolIdentity (.NET Framework v4 / Integrated pipeline).
Application Basic Settings
Verified AppPool membership of IIS_IUSRS.
Verified Group Membership
User Authentication is set to Windows Authentication.
User Authentication
Should Anonymous Authentication be set to ‘Enabled’ to get the ApplicationPoolIdentity be used? I’ve tried setting it on, but it conflicts with the Windows Authentication, which is an essential part of our application and cannot be switched off.
If so, then how?
Both the Application Pool and the IIS_IUSRS have been granted Read & Write permissions on the folder.
I’ve tried setting Full control, but that didn’t help either.
Folder Security Settings
Here is the (stripped down) code that writes the files to the desired location:
Stripped-down Code
Other (silly) things I’ve tried are:
Playing around with absolute and relative path directions in my code.
Enabling Anonymous Authentication, resulting in a conflict with the necessary Windows Authentication.
Set Application Pool ProcessModel identity to Network Service.
Recycle Application Pool.
Load User Profile ‘On’ for the Application Pool.
Setting IE Enhanced Security Configuration ‘Off’ for users.
Restarting server machine.
Using different browsers.
Give 'everyone' full folder permissions, just to try the effects, nothing..
Set AuthenticatedUserOverride to UseWorkerProcessUser via IIS Configuration Editor. This causes that my application doesn't recognise Current.User.Identity.Name anymore, so it blocks further site access.
What I need is to keep Windows Authentication, but also be able to have the application anonymously write files to a given location.
Can anybody please hint me in the right direction or just tell me what I’ve overlooked?
Thanks!
Hope you can help.
We have a web application (.NET 2.0) that has some custom code that is used to poke a windows service when a file is uploaded. We issue a command using the following code:
Dim serviceName As String = "Processor Service 1.0"
sc = New ServiceController(serviceName)
sc.ExecuteCommand(200)
Running this code in a standalone app works fine but when running through website throws an access denied error. Code works fine in IIS 6.
We are using an application pool with a user and is in Admin group. I figure it's something to do with IIS but now sure what.
Hoping you guys can help.
Thanks
The permissions that are needed to interact with local services are pretty high. Your asp.net app is likely running as anonymous (local account IUSR), or the "application pool identity". You would have setup your app in IIS (app pool) to use a different account with greater permissions.
In IIS Admin, under the section "IIS", "Authentication", you need to enable a stronger authentication method. If "Anonymous Authentication" is the only one enabled, then check the settings "Edit" to see if it is running as IUSR or "Application pool identity". This is where you determine, or set, the account (and permission set) that your ASP.NET app is using.
I feel that I should strongly warn against elevating the permissions for IIS and anonymous users. This would create a very dangerous back-door into your system. The suggestion from bgs264 is a very good one: make a separate service (or scheduled process) that watches for file uploads, or modify the existing service to use the file-watcher to monitor for uploaded files. It could run under a higher permission set and would be much more isolated from your IIS. Granting admin permissions to IIS or its app pools, is just like begging for trouble.
1) I want to know suppose we are using an ASP.NET web application in debug mode in VS, then, the code runs under which user account?
2) I also want to know, suppose we publish this to the IIS and then, set it up to use WBA/FBA, then, the username/password of logged in user is used to authenticate user to the ASP.NET site, however, the code (SQL query, etc) runs under credentials of apppool account. Further, which credential is used to access resources on server like files? What is your view on this point?
1) I want to know suppose we are using an ASP.NET web application in
debug mode in VS, then, the code runs under which user account?
This is depending on the hosting. VS provides 4 ways to host & debug a web application : VS Dev Server (VS 2012), IIS Express, Local IIS and Custom Host (VS 2013). Devs servers generally runs under your -Administrator- account, and may not be suitable to test security. Working directly with IIS as your development web server lets you work in an environment closer to that of an IIS production web server.
This is configured in the Web Tab in your web project properties.
2) I also want to know, suppose we publish this to the IIS and then,
set it up to use WBA/FBA, then, the username/password of logged in
user is used to authenticate user to the ASP.NET site, however, the
code runs under credentials of apppool account. What is your view on
this point?
Not very clear, but I think your undestanding of IIS security may not be correct. There is only one application pool per web site which runs under a specific account (by default apppool account, but it could be Network Service or Local System). When a user logs in, absolutely nothing is changed in this process. The user is just connected using an authentication provider : Windows Authentatication or Forms Authentication are 2 common providers. User identity is kept in http context, which allow you to use authorization rules later. So every code block always run under the same account (unless you enable delegation but that's another story).
I higly suggest you to read this complete introduction on asp.net security.
I am in the process of deploying a web application on IIS5 on my server which runs windows XP.So when i run my application in visual studio its perfect.But when i deployed it into IIS it throws me an error saying that the access denied to a particular file.
My app reads a xml file based on the input(which is nothing but the other system in the network).As i browsed to the properties of that file manually and unchecked the read only attribute,still it dint work out.Can any one guide me to the proper solution ?
you might have to give read/write (if needed) to following users:
iis_wpg
network service
aspnet
In IIS, your site runs under the credentials of the application pool assigned to it. You can either change the credentials of your application pool to an account that has permission to access that file, or else grant access to the default account that the application pool is currently using.
You mention that you are using basic auth...
Generally, the web application will then impersonate the user logged in.
So, if your file isn't accessible by the user that logged in, then it won't be accessible to the web application impersonating them on the system either. You will need to check the permissions of those files and set them accordingly.
I have a windows service that hosts the main WCF service. The clients for this service are both hosted in IIS 7, the first one is an IIS hosted WCF service and the second is a standard Asp.Net application. Both of the IIS hosted clients communicate with the windows service over named pipes.
The IIS hosted WCF service can communicate with the windows hosted WCF service perfectly, but the Asp.Net service fails with this error:
The pipe name could not be obtained from the pipe URI: Access is denied.
My first reaction is that this is a permissions issue somewhere, but I dont know where. And second, why would the IIS hosted WCF service be able to communicate without issue, but the Asp.Net application fail?
Ok, I solved it, or rather I figured out where the permission issue was.
It turns out the Anonymous Authentication setting was using some weird user created by our client (the physical person, not our WCF client), and not the NetworkService user (the identity the app pool was using).
But this almost begets another question: Why were even newly created sites defaulting to this IUSR and not the system defaults? In anycase, I just hope this gets indexed in google as, there were virtually no articles relating to it.
Check the Identity of the Application Pools that the WCF and ASP.NET services resides in.
Maybe the WCF service's AppPool has an identity that has different rights than the other AppPool?
Also, you might want to note that IUSR is the default IIS7 account for Anonymous accessors. See Understanding the Built-In User and Group Accounts in IIS 7.0 for an explanation of the default accounts.
Hope this is helpful.