Configuration file cannot be accessed, insufficient permissions - asp.net

I apparently, according to this error, cannot access my site:
Cannot read configuration file due to insufficient permissions
which basically means it cannot access my web.config file due to it not having permission to do so.
I tried goint to control panel->programs->turn windows features on/off->IIS->ADF->click ASP.net
and yet I still do not have access to my configuration file.
How can I tell IIS to give permission to this file? I am running version 7 on windows 7 64bit if that helps.

In web.config insert
<authentication mode="Forms">
<allow users="*"/>
</authentication>
This gives everybody permission to view your site

Related

Error in web.config "location"

My site has 2 logins. 1 on the front end for regular users, and one in the admin section, for admins (I need 2 logins because each one asks for different login criteria). To authenticate the admin directory, I setup a "location" element in my main site's web.config like this:
<location path="Admin">
<system.web>
<authentication mode="Forms" >
<forms loginUrl="/Accounts/adminLogin.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
If I try to type any page from my "Admin" directory, into my browser, I get the following error:
It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This
error can be caused by a virtual directory not being configured as an
application in IIS.
How can I setup my location element to redirect properly?
Thanks
There are mainly one of the two reason why you got this error message.
If you have not configured your asp.Net application in iis. If you have not configure your application to run on iis first configure your site to run on iis.For that create virtual directory from iis and give permission to application (read,write)
If above is not problem then there are mainly problem of two or many web.Config exists on your site.When you open some site and if software crate backup of that application then software mainly do create subfolder and copy all files + web.Config in application.Just remove this subfolder web.Config from subfolder.
Check the web.Config in your admin folder and main root folder for settings and configurations.
You can't change the Authentication mode within a subdirectory. Only WebApplications can define this setting which applies to the entire application. A location element is only used in subdirectories to change authorization, not authentication settings.

Permissions required to use Microsoft.Web.Administration

I'm trying to use IIS 7 management API but stuck with a security issue. My application is regular ASP.NET site running on .NET 4 (integrated pipeline). The machine is Windows 7 x64 (the app pool is default, running under ApplicationPoolIdentity, x64). The site uses the following settings:
<identity impersonate="true" />
<authentication mode="Windows" />
<customErrors mode="Off" />
<authorization>
<deny users="?" />
</authorization>
My site tries to read other site's details via IIS management API (at localhost). I'm logged in as a member of local Administrators. In IE i try to open my page but get this:
Site 'mysite' at 'myhost' is unknown.System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value()
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property)
at Microsoft.Web.Administration.Site.get_State()
I don't understand why. I'm damn sure the code runs in impersonation context of my account (can see this is debugger watching System.Threading.Thread.CurrentPrincipal). What am i doing wrong?
p.s.
UAC is on, but i believe that's not important.
Checked NTFS permissions on C:\Windows\system32\inetsrv\config folder - full access for Administrators.
UAC is indeed the root of all evil. Impersonation behavior is broken when it's on. Something is really over-complicated here :(
When UAC is enabled and the current security context is impersonated, the principal reports he's not a member of local Administrators group. But he is. It has something to do with interactive/non-interactive sessions.
Try set temp directory into web.config to folder with full permissions.
<compilation tempDirectory="c:\temp" ... ></compilation>

HttpContext, WindowsIdentity, Thread on Anonymous IIS

I've worked at this quite a bit, but cannot seem to find a good solution.
I have a ASP.NET app (.Net 3.5) with IIS which pulls the user machine name and username from the account. This works on my local machine, but when uploading using IIS it gives null or IIS APPPOOL/appname. On IIS I have "Integrated Windows Authentication" and "Anonymous" set and in my Web.config file
<authentication mode="Windows"/>
<identity impersonate="true"/>
And I am trying to access the user information a number of different ways, some are:
HttpContext.Current.User.Identity.Name
System.Threading.Thread.CurrentPrincipal.Identity.Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name
Environment.UserName
Each of these work on my local machine, but when uploaded to the IIS server, everything gives invalid information. The app is internal, but I still need it to grab the Username without giving a login screen. Ideas?
Update: I've changed IIS to Anonymous Authentication Disabled and Windows Auth Enabled. And my web.config file I've tried the following
<authentication mode="Windows"/>
<!-- <identity impersonate="true"/> -->
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Sorry about the update, but are there any ideas?
For anyone following this and needing an answer, the problem lies in IIS. In the Authentication area in IIS only have ASP.NET Impersonation and Windows Authentication enabled, the others should be disabled. And in Windows Authentication, go to Advanced Settings and UNCHECK the Enable Kernel-mode authentication. The Authorization Rules area should allow for all users (note this is done in IIS, not in the config file) And the following code in config is necessary.
<system.web><authentication mode="Windows"/><identity impersonate="true"/></system.web>
Hope this helps someone, here's a couple links that helped me. Good luck!
http://msdn.microsoft.com/en-us/library/aa302377.aspx
http://www.eggheadcafe.com/tutorials/aspnet/1f12cd61-6bb3-4ffd-bac1-124d40837006/aspnet-request-identity--an-analysis.aspx

forms authentication, not able to save web.config programmatically

im using visual studio 2008. in my project im using forms authentication, my project structure is as follows
root
|
login.aspx
home.aspx
web.config
admin (folder)
|
admin.aspx
web.config
here in root web.config is as follows
<authentication mode="Forms">
<forms name="Authen" protection="All" timeout="60" loginUrl="Login.aspx" enableCrossAppRedirects="true" cookieless="AutoDetect"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
and in inner web.config
and my users are
Username Role
admin1 Admin
admin2 Admin
user1 User
user2 User
as you can see that in second web.config, i gave access to users with "Admin" role and "user1" user.
for giving access to "admin" folder, i wrote the following:
Configuration config = WebConfigurationManager.OpenWebConfiguration("~/HR");
SystemWebSectionGroup systemWeb = (SystemWebSectionGroup)config.GetSectionGroup("system.web");
AuthorizationSection section = (AuthorizationSection)systemWeb.Sections["authorization"];
AuthorizationRule newRule = new AuthorizationRule(AuthorizationRuleAction.Allow);
newRule.Users.Add("user1");
section.Rules.Add(newRule);
and saved the web.config as
config.Save();
this is working fine when i run it from visual studio development server, when i host it in IIS, im getting the following error
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: An error occurred loading a configuration file: Access to the path 'F:\dotnet\samples\myproj\UI\hr\f-q_g-yn.tmp' is denied.
Source Error:
[No relevant source lines]
Source File: F:\dotnet\samples\myproj\UI\hr\web.config Line: 0
here the problem is, it is not able to save the web.config
i got one solution, that is, i added
<identity impersonate="true" userName="myusername" password="mypassword"/>
to root web.config and it is working fine. but my boss says that is not the correct way. what is the correct way to solve this problem ??
please help
The account your website is running under does not have permissions to write to the directory your web.config is in. There are two options how to solve that:
Run your website under another account which does have the required permissions. You set the account in the settings of the respective Application Pool in IIS Manager.
Modify the security settinsg (ACLs) of the directory/directories, and add write permissions for the user your application pool is running under.
You should probably combine both methods – use a separate user account and add the write permissions only to this account, not to e.g. Network Service.
(But note that I am not sure whether a website modifying its own web.config files is a good idea at all.)

IIS 7.5, ASP.NET, impersonation, and access to C:\Windows\Temp

Summary: One of our web applications requires write access to C:\Windows\Temp. However, no matter how much I weaken the NTFS permission, procmon shows ACCESS DENIED.
Background (which might or might not be relevant for the problem): We are using OLEDB to access an MS Access database (which is located outside of C:\Windows\Temp). Unfortunately, this OLEDB driver requires write access to the user profile's TEMP directory (which happens to be C:\Windows\Temp when running under IIS 7.5), otherwise the dreaded "Unspecified Error" OleDbException is thrown. See KB 926939 for details. I followed the steps in the KB article, but it doesn't help.
Details:
This is the output of icacls C:\Windows\Temp. For debugging purposes I gave full permissions to Everyone.
C:\Windows\Temp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\IIS_IUSRS:(OI)(CI)(S,RD)
BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(OI)(CI)(F)
Everyone:(OI)(CI)(F)
However, this is the screenshot of procmon:
Desired Access: Generic Read/Write, Delete
Disposition: Create
Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Delete On Close, Open No Recall
Attributes: NT
ShareMode: None
AllocationSize: 0
Impersonating: MYDOMAIN\myuser
PS: When logged in as MYDOMAIN\myuser, I can create files in C:\Windows\Temp using Windows Explorer without any problems.
EDIT: Relevant parts of web.config:
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Authentication seems to work, i.e., System.Security.Principal.WindowsIdentity.GetCurrent().Name (which is shown on my custom error page) returns MYDOMAIN\myuser.
Have you tried following the steps on this:
loadUserProfile and IIS 7 temporary directory failures

Resources