I have an issue with IIS7 when mapping virtual directories to another machine.
This is my setup:
my Web APP is running on the web server (let's call it WEBSERVER). Windows Server 2008, IIS 7.
I got some assets/images in an assets server (let's call it ASSETSSERVER). Windows Server 2003, on the C:\Assets folder, shared as \\ASSETSSERVER\Assets
Servers are in a workgroup, not a domain. This is something beyond my control, which I can't change.
Following the recommendation of our network team, I configured the app pool to run under the user WEBSERVER\portaluser
In my web app, I define a virtual directory. I map it to \\ASSETSSERVER\Assets. In the log in credentials, I specify the user ASSETSERVER\assetsuser (which exists). The 'Test credentials' buttons show that i am authenticated OK and that I have authorisation.
At first, I got a 500.19 error telling me I could not log in. This post revealed the solution: I had to create a WEBSERVER\assetsuser user with same password (counter-intuitive, but it worked).
After that, my assets still refuse to display. I now get a message similar to this:
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: An error occurred loading a configuration file: Failed to start monitoring changes to '\\ASSETSERVER\assets'.
Source Error:
[No relevant source lines]
Source File: \\ASSETSERVER\assets\web.config Line: 0
I have done some extensive googling, and I have tried the following:
Modified the local policy to allow WEBSERVER\portaluser to impersonate other accounts after login, as suggested here (it's for Windows 2000 Server but it was worth a try!)
Added permissions to everyone to the \\ASSETSSERVER\assets, as indicated here (bottom answer)
Added read/execute/list permissions to the c:\ drive in ASSETSSERVER to the ASSETSSERVER\assetsuser user, as suggested here (method 3)
I edited the registry key to stop IIS from monitoring the folders for changes, as indicated here (the writer claims that it's not related to IIS but I am quite certain that IIS does monitor the folders for changes in web.config)
I have configured allowsubdirconfig="false" in applicationHost.config as indicated here
None of these solutions have worked, and I am running out of ideas of what to try. It seems like I'm so close yet so far. Any suggestions?
After several of work I found the solution to this issue.
It was as simple as creating a user called "portaluser" (the same as my app pool identity user) in ASSETSSERVER.
This is counter-intuitive: I explicitly told IIS7 to connect to ASSETSERVER as the assetsuser server, but it was still using portaluser to check for the existence of web.config (and monitor for changes).
Having seen that, I decided to use the same account to run the app pool and to connect to the remote virtual directory. I just used 'assetsuser' instead of 'portaluser'
Hope this helps
Related
I'm getting the above error when I publish my application and move it from development to production server. Below are the error details.
Detailed Error Information
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x80070003
Config Error Cannot read configuration file
Config File \?\C:\inetpub\wwwroot\WorkmenCompTest\web.config
Requested URL http://localhost:80/wictest
Physical Path C:\inetpub\wwwroot\WorkmenCompTest
Logon Method Not yet determined
Logon User Not yet determined
This website used to work previously but recently the published version stopped working due to this error. As far as I can tell, the only change was installing iTextSharp and iTextSharp xmlworker through nuget.
I have tried, without success:
giving modify permission on the site folder to Everyone
checking the web.config file, and using an older version of the web.config file (from when the site worked).
uninstalling iTextSharp and iTextSharp XMLWorker
The project still runs without issue from Visual Studio.
This is solved. The error was caused by the folder name not matching the path for the virtual directory. Oh wow I feel dumb.
Check the applicationhost.config file under - .vs\lpsWeb-UI\config folder of your application root.
Under sites section of the config file check what the physical path points to.
If you modify those you should be able to fix the issue.
This is because of different physical path in the IIS.To change the physical path of application content
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
User Interface
To use the UI
Open IIS Manager. For information about opening IIS Manager, see Open IIS Manager (IIS 7).
In the Connections pane, expand the Sites node and click to select the site in which your application runs.
In the Actions pane, click View Applications.
On the Applications feature page, select an application from the list and then click Basic Settings in the Actions pane.
In the Physical path box, change the path of the application content.
Click OK.
DefaultAppPool application pool runs under the Network Service account. This account is local to the computer and this account does not exist on another computer. Make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the WorkmenComp file server. Alternatively, you can create a workgroup account on the WorkmenComp file server.
I am getting this HTTP Error 500.19 error when I am giving physical path as Z:\App_Live in IIS
Instead of using z:\ ,
I used network path \\server\share\live_folder in the IIS physical path – something like this \\server\share\wwwroot\inetpub\wwwroot
Also you may need to specify username/password in "connect as".
I am getting a "Server Unavailable" error message when I try to access a web application externally, but I can access it fine internally. It's got a message for administrators telling me to check the event log, but there's nothing there. Another thing, this is a work server, so I'm not exactly sure if they're using another firewall, but the Windows Firewall is disabled and the McAfee security installation does not have a firewall. Any thoughts on what could be causing this. If you need to see any code or need more information, let me know.The server is running Windows 2003 server OS.
I would be willing to bet the correct ports are not forwarded.
What kind of web app is it? You have to find out which port that app uses and forward it on the router.
Server Application Unavailable in IIS for ASP.NET application
Problem :Server Application Unavailable
The web application you are attempting to access on this web server is currently unavailable. Please hit the "Refresh" button in your web browser to retry your request.
Administrator Note: An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur.
Solution 1:
Open the command promt and direct to the folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
and run the command to install ASP.NET in your IIS
aspnet_regiis.exe -i
Solution 2:
To work around this problem, verify that the ASPNET account has the correct user rights as follows:
a) %windir%\Microsoft.NET\Framework\Version\Temporary ASP.NET Files: Full Control
%windir%\Temp: Full Control
b) Application folder: Read
c) %installroot% hierarchy (for example, %windir%\Microsoft.Net\Framework\Version): Read
d) %windir%\Assembly: Read
e) Web site root (for example, %root%\Inetpub\Wwwroot) or the path that the default Web site points to: Read
f) %windir%\System32: Read(Typically, the ASPNET account has already been granted user rights as a member of the Users group.)
Now Close all the applications and reset IIS in command promt 'iisreset'
problem solved :) cheers
I don't know where sholud I ask this...
I've seen this issue and I think the answer should me close to that, but seems that I can't still do this.
The funny thing is the same (I think) was done by me in another server w/ IIS 7 a year ago or so, without further trouble. It could be also that I don't remember so much of it.
I have an Apache server running on port 80 (That can't be changed)
This is what I've done:
Integrated AppPool was an issue on the other server I've placed so I've tried to change the
Default AppPool to a Classic .Net
The WebApp Pool to a Classic .Net
The User is also mandatory on the Webservice so I'm placing a Service Account that impersonates for any anonymous (or not) user that might access so I have
The ServiceAccount as Administrator of wwwroot and subfolders
The ServiceAccount as Impersonated by default in the Default Web Site
The ServiceAccount as Impersonated in every Web App I need
Shared r/w the folder with the ServiceAccount
Also
I've tested the access and both Authorization & Authentication works
marvelous.
I've restarted the app, the site and the IIS multiple times without
success.
Checked the Event Log without finding anything useful.
Modified applicationHost.config getting into more troubles than solutions.
This is what I get when I try to see the App Settings at IIS7
--------------------------- Application Settings ---------------------------
There was an error while performing this
operation.
Details:
Filename:
\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 165
Error: Can not log on locally to %SystemDrive%\inetpub\wwwroot as user
MyDOMAIN\MyUser with virtual directory password
--------------------------- OK ---------------------------
This is what I see when I go to my page (an asmx)
HTTP Error 500.19 - Internal Server Error The requested page cannot be
accessed because the related configuration data for the page is
invalid.
Detailed Error Information Module IIS Web Core Notification
Unknown Handler Not yet determined
Error Code 0x80070569
Config Error Can not log on locally to C:\inetpub\wwwroot as user
MyDOMAIN\MyUser with virtual directory password
Config File Unavailable (Config Isolation)
Requested URL
http://localhost:8080/myApp/MyWebService.asmx
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
#Edit: 0x80070569 Drove me to see that The service account weren't logging on as a Service (as it should), nor as a Batch process.
It was a Security Setting that should be touched, a group policy object has to be set to the account (in the Example MyDOMAIN\MyUser). And that's an access that only the area of IT Security can grant.
Even when this was changed the problem remained still.
The accepted answer didn't work for me.
But when I followed the below steps, my issue was resolved:
Go to your IIS manager.
Click on Sites
Right click on Default websites, Go to Manage Website and then click on
Advanced Settings
Set your physical path credential to Specific user with credentials
Restart IIS
Note: You may also need to reenter the credentials in the application pool, if the system password has been changed recently.
It actually was a secpol.msc Policy What was blocking the web access. The ServiceAccount wasn't a Service one.
As in the edit that I posted IT Security gave me the privileges to set it a*s a Service Account*, but that alone just wouldn't do the trick.
In the Advanced Settings of the webSite
Physical Path Credentials Logon Type, Batch logonMethod was selected.
And the service account still wasn't with the privileges to run as a Batch Process.
And that was it.
Not only the service account, but also The Run as a Batch Job was necessary.
Sometimes it causes by changing administrator password or changing user access.
After that application pool cannot access to local user.
One of the most stupid solution for this problem is remove website and application pool then make another website.
This solution helped me.
Check the Password of your Application pool and application. Try clicking on the Test Settings to check the connection is proper
The accepted answer didn't work for me.
But when I followed the below steps, my issue was resolved:
1. Go to your IIS manager.
2. Click on Sites
3. Right-click on Default Web Sites and select 'Basic Settings'
4. Select Classic .NET AppPool from the Application Pool drop down
5. Save and Exit
Everything went normal.
None of the other answers solved the issue for me.
In the end, I had a re-create my site and app pool, which is far from ideal, but was the only solution that worked.
IIS must have been caching an old value that I couldn't find/clear.
We're having trouble migrating our ASP.NET applications to Windows Server 2008 R2 x64 and IIS7.5. The problem is that our ASP.NET apps write log files, and these log files are not being written. The only way the apps write their log files is if I'm logged into the server as the local Administrator user or if I right click and run IE as Run as Administrator, neither of which is an acceptable solution for us.
Our platform is:
Windows Server 2008 R2 x64 (UAC setting is the default setting)
IIS7.5
ASP.NET 4.0 (using Windows authentication and impersonation, both on in web.config)
Our app gets installed to:
D:[appname]
[appnameWebSite] (all the .aspx, .dll, etc. files are in here)
\Log (the app tries to write the log file to this folder)
On the server:
Created new App Pool (name: [appname], .NET 4.0, Managed Pipeline Mode: Classic, Identity: ApplicationPoolIdentity, Load User Profile: False, all other properties are the defaults)
Created IIS application pointing to D:[appname][appnameWebSite] and added it the the new App Pool (Full trust level)
Have a domain user in local Administrators group
With all the configuration and default settings listed above, the ASP.NET app will not write the log file. The app appears to work fine in the browser, but no log.txt file.
To try to "fix" this issues, we've tried many things:
Tried Application Pool setting: Managed Pipeline Mode: Integrated
Tried Application Pool setting: Identity: NetworkService
Tried Application Pool setting: Identity: LocalSystem
Tried Application Pool setting: Load User Profile: True
Gave Users group full control to file system for our application folder structure (tried appname folder, tried Log folder only, tried appnameWebSite and Log folders only)
Gave IIS AppPool[appname] (matching the new App Pool) user full control to file system for our application folder structure (tried appname folder, tried Log folder only, tried appnameWebSite and Log folders only)
None of these things helped. Again, the app would run fine, just no log file created.
As mentioned above, the only way that the log file is created when the app runs is if we log into the server using the local Administrator account (which makes sense since he's a super user) or if we run IE as administrator and elevate privileges.
Any suggestions? Help? Questions?
Thanks!
I tried granting every permission possible and still wasn't getting any log files. Finally I came across this which suggested changing the ownership of my logfiles directory. I checked, and the directory ownership was set to SYSTEM. I changed it to Administrators and applied the change recursively. I bounced IIS, hit a webpage from the site in the browser, and now I have log files. Hooray!
Note: the thing that tipped me off was checking the System event log. I was getting 15006 errors saying "Owner of the log file or directory C:\inetpub\logfiles\W3SVC1\some.log is invalid. This could be because another user has already created the log file or the directory."
Well, after days of trying every IIS option, user and group accounts, file system permissions, Process Explorer, etc., I think we got it working:
We reset all our IIS app pool and web site settings to their default values
We also reset the folder/file system permissions on our Log folder to the default settings
Then we turned off Internet Explorer Enhanced Security Configuration on the server
And success! The log file is written as expected no matter what user is using the ASP.NET application, and no matter if they're running it on the server itself or from a workstation.
I don't know if turning off Internet Explorer Enhanced Security Configuration on the server is the "correct" thing to do or if it violates any best practices, but it seems to work for us.
Does anyone have anything to add?
I struggled with this one for a while. The ApplicationPoolIdentity is a member of the Users group and the Users group has limited access.
From Explorer, right-click on the folder where you are trying to write and go to Security. Click the Advanced button. you will see that Users have Read and Execute permission and the Users group may or may not have Special permissions. If not, Click on Change Permissions and give Users the ability to Create files / write data and Create folders / append data. This is restricted to this folder. I usially use a subfolder so that I not provide write access to my whole website.
Try creating log files again. This is the only permission that I needed to set to make it work.
For me the trick was giving write access for SYSTEM and Administrators not only to the log folder itself, but also every folder in the path. This is not how permissions usually work in Windows, but IIS appears to be really rather particular about it. Not that there is a good reason to remove these two from the ACLs to begin with.
If you suspect this to be the problem, check the Event Log under Windows Logs / System. This issue manifests itself as an Error entry from source HttpEvent, and reads "Unable to create log file C:\path\to\logs\W3SVC1\u_extend1.log. Make sure that the logging directory is correct and this computer has write access to that directory."
P.S. This is true for IIS 10 but may apply to other versions too.
When setting up a virtual directory under IIS using a UNC path to a remote share, what user identity should I be expecting to see the read request to the share come under?
I've setup the above scenario and configured the user under 'Connect As' as a known user who has permissions on the remote share, which I checked with Windows Explorer.
However, when trying to access a file from within a web browser on the share using http://localhost/myfiles/atestfile.txt, I am getting an HTTP Error 401.5 - Unauthorized: Authorization failed by an ISAPI/CGI application error returned. 'myfiles' is mapped to the remote share and atestfile.txt resides in the shared folder.
If I use sysinternals filemon application to see what process and user the read request to the share is being carried out under, then I get the details that the request is through the w3wp.exe process and the user is shown as "NT AUTHORITY\NETWORK".
I was expecting the user to be shown as the user I confugured under the 'Connect As' option.
Any guidance appreciated.
If i recall correctly (used iis about 4 years ago) it was IUSR_. I'm not sure that it's still so, but give it a try.
Edit: try to give a look at this post, maybe you will find some clues ;)
Did you try it also with other file extensions than "txt", maybe "test.html"? What DLL is used for txt in the ISAPI extensions configuration (web -> Home Directory -> Configuration...)?
The section "To configure security and authentication for a virtual directory" in the MSDN article "How to: Create and Configure Virtual Directories in IIS 5.0 and 6.0" should contain the information you'll need for finding the right configuration.
I guess the account used in the security settings should be able to access the network share. This could be accomplished inserting the account in the right group or changing that account.