I have a Classic ASP page that configures a port exclusion on the server's Windows Firewall using the HNetCfg.FwMgr object. On my IIS 6, Win 03 server, I had to add Set/CreateKey/Delete access to the IUSR_machine account to the HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ registry entry.
When I run on my new Windows Server 2008, IIS 7, I get a Permission Denied. If I change the Anonymous user to Admin, or even a newly created user that is a member of the Users group, I don't get the permission denied, and the updates occur.
I noticed that the location in the registry where the firewall entries are stored has changed. But even if I give IUSR Full Control of my HKLM, it still gets a Permission Denied when attempting to add the port exclusion. It can read the list of port exclusions fine, so I am assuming that access to the HNetCfg.FwMgr is working fine.
Anyone have any ideas how to get IUSR to be able to add an exclusion using that object (HNetCfg.FwMgr)? Rewriting using the new fw policy 2 is not an option at this time.
You need to run your application pool as an administrative user. If you are worried about security, then run it as a virtual directory that has the admin permissions. You can use xmlhttp from a script not in that virtual directory (one under the control of I_user) to call the script in the (Firewall) virtual directory which has admin security permissions. This way, the url (virtual directory) of your firewall script is not public.
CONTEXT
My client has an ASP.NET web application running in IIS 10 on Windows Server 2016. The web application needs to access files on network shares on different servers in a WORKGROUP environment. So, I created the same local user account on all servers, set the password to all the local user accounts to be the same, granted said user with full control permissions to the network shares, and reconfigured the IIS application pool to run under the identity of the aforementioned local user account. There is also a custom Windows service running under the same local user account for the same reason: to access files on remote network shares. All of this works fine. The web application and the Windows service can successfully access files from the network shares residing on servers other than the server on which IIS and the custom Windows service are both running.
ISSUE
However, there is a feature in the web application when an authorized user modifies a particular validation matrix record, it triggers a custom command sent to the aforementioned Windows service to cause the service to update its in-memory copy of the validation matrix. This worked fine when the IIS application pool was running under the built-in ApplicationPoolIdentity which apparently has permissions to interact with Windows services. But, the feature fails when the IIS application pool is running under the identity of the aforementioned local user account. The message in the exception is: Cannot open {SERVICE_NAME} service on computer '.'. Again, the Windows service and IIS are running on the same server. And recall that the Windows service is running under the same local user account as the IIS application pool identity.
QUESTION
How do I grant permissions to the local user account to allow said account the ability to issue the custom command to the Windows service from within the ASP.NET web application?
RESOLUTION ATTEMPTS
I've tried using subinacl.exe in an attempt to grant the necessary access but never got it to do anything other than to indicate Done 0, Modified 0, Failed 0, Syntax errors 0. I'm using version 4.2.1.1604 and executing it from an Administrative Command Prompt. The syntax I used was:
subinacl /service customServiceName /grant=localUserAccount
and the result is below
+service customServiceName
/grant=localUserAccount
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0
I also tried /grant=localUserAccount=U and /grant=localUserAccount=F but to no avail ... same results as shown above.
I admittedly am not familiar with subinacl.exe and I saw somewhere that someone indicated earlier versions of subinacl.exe are buggy and suggested using version 5.2.3790.1180 which I cannot find. Result: failed.
I have added the local user account to the Administrators group on the server where IIS and the Windows service are running. Result: failed. CORRECTION 02/13/2023: This succeeded but required a server reboot for it to take effect. To be clear, I do NOT want to permanently add this user to the Administrators group. This was simply a test. As far as the server reboot being required for this to take effect is concerned, I tried recycling the application pool in IIS, restarting the Windows service of interest, and restarting the World Wide Web Publishing Service but no joy. Only a server reboot caused the addition of the local user account to the Administrators group to take effect from the standpoint of said local user having permissions to send a custom command to the Windows service from within the web application. I absolutely am inclined to believe that there is a better way to achieve the desired end without adding the local user account to the Administrators group. Surely someone else before me has encountered this and solved it.
The local user account is already set up in the Local Security Policy with the ability to "Log on as a service".
I have reconfigured the IIS application pool identity to NETWORK SERVICE and granted NETWORK SERVICE full control permissions to the network shares (which are on a different server in a WORKGROUP environment, not a domain environment). In this configuration, the feature to update the Windows service works, but access to the network shares is denied ... likely because NETWORK SERVICE is a built-in local account [with no password?? not sure on this] and does not behave the same as a "regular" local user account.
So, I have a catch-22 that has me stumped. I would be grateful for any insight on this dilemma.
Cheers!
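The service permissions that `subinacl /service` edits live in the service's security descriptor, which the built-in `sc.exe sdshow` and `sc.exe sdset` can also read and write. The script below is an added example, not part of the original post: it decodes the service's DACL and proposes one extra ACE for the account. The service and account names are the post's placeholders, and the choice of rights (query status plus user-defined control) is an assumption about what the web application needs.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# 'customServiceName' and 'localUserAccount' are the placeholders used in the post.
param(
    [string]$ServiceName = 'customServiceName',
    [string]$Account     = 'localUserAccount',
    [switch]$Apply       # without -Apply nothing is changed
)

# SDDL right codes as they map to service access rights.
$rights = [ordered]@{
    CC = 'QUERY_CONFIG';   DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'
    SW = 'ENUMERATE_DEPENDENTS'; RP = 'START';   WP = 'STOP'
    DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE';   CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
}

# Resolve the account to the SID string that an SDDL ACE needs.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# sc.exe (not the PowerShell alias 'sc') prints the descriptor on one line.
$sddl = ((sc.exe sdshow $ServiceName) -join '').Trim()
if ($LASTEXITCODE -ne 0) { throw "sc sdshow failed: $sddl" }

# Split off the SACL ("S:...") so the new ACE lands at the end of the DACL.
$cut = $sddl.IndexOf('S:')
if ($cut -lt 0) { $cut = $sddl.Length }
$dacl = $sddl.Substring(0, $cut)
$sacl = $sddl.Substring($cut)

# Report every ACE: type, trustee, decoded rights.
# IU and SU are logon-type groups (interactive / service logon), not accounts.
$hasControl = $false
foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
    $f     = $m.Groups[1].Value.Split(';')   # type;flags;rights;;;trustee
    $codes = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
    $names = if ($codes) {
        $codes | ForEach-Object { if ($rights.Contains($_)) { $rights[$_] } else { $_ } }
    } else { $f[2] }                         # hex mask: show it unchanged
    '{0,-2} {1,-46} {2}' -f $f[0], $f[5], ($names -join ',')
    if ($f[0] -eq 'A' -and $f[5] -eq $sid -and $codes -contains 'CR') { $hasControl = $true }
}

if ($hasControl) { "`n$Account already holds USER_DEFINED_CONTROL."; return }

# Least privilege: query status + user-defined control only.
# Never hand DC, WD or WO to a non-admin account; they allow reconfiguring the service.
$new = $dacl + "(A;;LCCR;;;$sid)" + $sacl
"`nProposed descriptor:`n$new"

if ($Apply) {
    Set-Content -Path ".\$ServiceName.sddl.bak" -Value $sddl   # rollback copy
    sc.exe sdset $ServiceName $new
}
```

Run it once without `-Apply` to review the decoded ACEs and the proposed descriptor; `sc.exe sdset` replaces the whole descriptor, so the saved `.sddl.bak` file is the way back.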
What permissions are necessary for a user to use web deploy to IIS running on a different server?
When I try to deploy from VS 2010 using that user's credentials, I get the below error.
Error 36 Web deployment task failed.(Remote agent (URL https://server:8172/msdeploy.axd?site=site.name.com) could not be contacted. Make sure the remote agent service is installed and started on the target computer.)
Make sure the site name, user name, and password are correct. If the issue is not resolved, please contact your local or server administrator.
Error details:
Remote agent (URL https://server:8172/msdeploy.axd?site=site.name.com) could not be contacted. Make sure the remote agent service is installed and started on the target computer.
An unsupported response was received. The response header 'MSDeploy.Response' was '' but 'v1' was expected.
The remote server returned an error: (401) Unauthorized. C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v10.0\Web\Microsoft.Web.Publishing.targets
I am able to use web deploy when I use my domain account (e.g. domain\user) with the following publish arguments.
My domain account is an administrator on the destination server, but granting the service account full admin privileges is not an option.
The user must have the following permissions.
Read/Write permissions on the site folder directory
WDeployConfigWriter and WDeployAdmin must be configured to have their password never expire and user cannot change password like the below screenshot
The account that runs the build should be enabled under IIS Manager Users
The account that the build runs under must have permissions to the site under IIS Manager Permissions
Configure Management Service
Configure Management Service Delegation like the below
Useful reference
Web Deploy 3.0 infuriating 401 error on publish
The user that the account runs under should be a Power User and must have full control permissions to the folder that the destination IIS site is running from.
Short version:
For IIS 7.5 web applications with Windows Authentication does the end user need to have Read file access?
Long version:
I have an intranet ASP.NET web app that uses windows authentication. It's installed at dozens of different companies and normally the authentication works fine: users navigate to the site e.g. http://appserver/MyApp, the app recognizes who they're logged in as and displays pages accordingly. I just installed it at a new client and encountered a problem:
When connecting e.g. to http://appserver/MyApp I'm prompted for windows credentials but after entering them I'm repeatedly prompted. After re-entering credentials several times I'm shown a 401 error page saying "401 - Unauthorized: Access is denied due to invalid credentials.". So not only is it not passing through my identity but even when entering the username & password it's still denying access.
Giving Read & Execute permissions to the end users of the app solves this problem, but I don't think this should be necessary at all.
In the Windows Application Event Log there's a message "File authorization failed for the request" along with Thread account name: NT AUTHORITY\NETWORK SERVICE and User: [the correct workstation user's domain account]. This suggests that the file access is being performed with the User's identity, not the AppPool identity of Network Service. Sure enough if I grant the end user Read & Execute permission (I didn't try Read only) to the application's directory then everything works correctly: when the user browses to the site they're authenticated automatically, not prompted, and the web site correctly recognizes their identity! Therefore my workaround solution is to give Read & Execute permission to Everybody on the application directory...but this is not an ideal solution.
This seems very strange. I've never needed to do this before in IIS 7.5, so far as I recall, and definitely never needed to in IIS 6 or IIS 7. Is this a new IIS7.5 thing? The documentation says that Impersonation is turned off by default. I added a element to the web.config to be sure, removed file permissions other than Network Service, but the problem remained.
Any thoughts? Is it normal for Windows Authenticated sites on IIS 7.5 for end users to need file permissions on the web server files?
Some relevant details:
Network Service has Full Control file permissions to the app folder.
When connecting from the server itself I was prompted for credentials but after entering them I'm authenticated and the application works correctly including displaying my windows login and connecting and retrieving data from the db. I later determined that it was prompting for credentials because http://localhost was in the trusted sites and therefore not recognised as the Intranet Zone and thus not passing identity through. I also determined that it was working as this user identity because it's an admin user who has file permissions.
The web server is running Windows Server 2008 R2 / IIS 7.5. It didn't have IIS on it until I installed it. I installed the default features as well as Windows Authentication, ASP.NET, and possibly a couple of other items. A separate WCF app I installed that uses IIS, anonymous authentication & .net 2.0 is working fine on that web server.
The app install process is a manual copy of files, creation of IIS App Pools & web apps, updating connection strings, etc.
I checked the IE security settings. It was recognizing the server as in the Intranet zone and had the option 'Automatic logon only in Intranet zone' selected. Also on Advanced Settings the 'Enable Integrated Windows Authentication' option was checked.
After installing IIS I ran aspnet_regiis -i for .net 2.0 and aspnet_regiis -iru for .net 4.0.
Anonymous authentication is disabled for my app and Windows Authentication enabled.
The app is running on ASP.NET v4 but there's another app I installed experiencing the same issue running ASP.NET v2.
The app is running with Identity = Network Service and in 32-bit mode.
Database connection string includes Trusted Connection=True and database permissions are granted to the web server account [domain]\[server]$ e.g. DGM\MyServer$.
In IIS > Authentication > Windows Authentication > Providers the list was Negotiate first then NTLM. I tried reordering so NTLM is first.
In the Windows Security Event Log there were a series of Microsoft Windows security auditing events: Logon and Logoff. They indicated that the Logon was successful and was displaying the User Id of the workstation user. These are from when I'm connecting from another workstation and receive a 401 Unauthorized after several attempts.
I see someone has had this problem reported here but with no solution. Originally I posted in the ASP and then the IIS forums with no answers so far.
Update:
This msdn article says
When Windows authentication is enabled but impersonation is disabled, ASP.NET performs file access checks in the file authorization module using the credentials that are sent from the browser (my emphasis). Impersonation does not need to be enabled, because the FileAuthorizationModule module ensures that the requesting user is allowed read access or write access to the resource, depending on the request verb (for example, GET or POST) before executing the request. This behavior applies to any requests that enter managed code. In earlier versions of ASP.NET, accessing files based on URIs such as "Default.aspx" triggered the access check. In ASP.NET MVC applications, where access to resources is typically performed using extensionless URLs, this check typically does not apply, because there is not a physical file to check. In that case, the FileAuthorizationModule class falls back to checking access-control lists (ACLs) for the folder.
This does suggest that the end user needs permissions to the files (in the case of .aspx) or the folder (for MVC) ... although still this seems slightly tucked away and non-definitive. This article about App Pools says they're used as the identity for securing resources, which contradicts the idea of needing to grant privileges to end users. Unless the rules are different for App Pools and NETWORK SERVICE, which could be the case but would be surprising.
Are authenticated users allowed to the app folder?
We were also fighting with this issue, and started setting up security groups so we could give our users file level permissions. Then one of our server admins stumbled across a couple of new properties that allow the app to authenticate to the file system under set credentials, and resolved the need for the users to have access. Here is what he came up with…
There are two IIS settings that control this:
Physical Path Credentials
Physical Path Credentials Logon type
By default, Physical Path Credentials is set to Application User (Pass-through authentication). This means that IIS doesn’t do any impersonation when handling Windows Authentication requests. This can, however, be set to a specific user (though not, unfortunately, the application pool identity, which would be ideal). Physical Path Credentials Logon Type is set by default to Clear-Text. For my testing I set this to Interactive (though this may not be the correct value). Possible values are Clear-Text, Batch, Interactive, and Network.
To set this up I did the following:
Created a local account (IIS-AccessUser)
Granted IIS-AccessUser read and execute access to the /home directory of the site.
Added IIS-AccessUser to IIS_IUSRS group (necessary for accessing .NET temporary files)
Set IIS-AccessUser as the Physical Path Credentials
Set Physical Path Credentials Logon Type to Interactive
Doing the above allowed me to log in to the application directly, without having to allow Authenticated Users, or me having to be a member of any of the groups in the /home folder. It also still preserved .NET Authorization roles, so I still could not access parts of the site that I was not allowed to.
The short answer is NO. You are not required to grant file access permissions when using Windows Authentication in IIS 7.0 and IIS 7.5.
We were only able to discover this because our server admin smelled the security and management issues that arise from taking the route of granting file level access to users and groups.
For anyone dealing with this issue or if you are setting up a new IIS7/IIS7.5 server and/or moving from IIS 6, here is an article that gives you all of the Windows Authentication options and configurations that need to be modified to avoid granting file level access to individuals or groups.
Please read the two comments at the end of the post for some valid critiques of the methods used in this article.
http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk
In addition to the information in the article, please be aware that IIS 7.5 is not using the web configuration tags for system.web (at least not in my MVC 4 application).
It is looking in the system.webServer tags for authorization configuration (where you will need to list the windows domain\groups a user needs to be in to access your application).
-- DSB
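The five setup steps from the answer above can be scripted with tools that ship with Windows and IIS (`net.exe`, `icacls.exe`, `appcmd.exe`). This is an added example, not the answerer's own script; the content path and virtual directory name are hypothetical, and the Interactive logon method simply mirrors the value the answer says it used.

```powershell
# Added example; run elevated. Names and paths below are placeholders.
$User     = 'IIS-AccessUser'            # account name used in the answer
$SitePath = 'C:\inetpub\MyApp'          # hypothetical content directory
$VdirName = 'Default Web Site/MyApp/'   # hypothetical; see: appcmd list vdir
$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"

# Prompt once so the password never sits in the script file.
$secure = Read-Host "Password for $User" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

try {
    # 1. Create the local account.
    #    net.exe receives the password as an argument, so it is briefly
    #    visible in the process command line on this server.
    net.exe user $User $plain /add
    if ($LASTEXITCODE -ne 0) { throw 'net user failed' }

    # 2. Read & execute on the content directory, inherited by files (OI)
    #    and subfolders (CI). No write or modify rights.
    icacls.exe $SitePath /grant "${User}:(OI)(CI)RX"
    if ($LASTEXITCODE -ne 0) { throw 'icacls failed' }

    # 3. IIS_IUSRS membership, which the answer needs for the .NET temporary files.
    net.exe localgroup IIS_IUSRS $User /add
    if ($LASTEXITCODE -ne 0) { throw 'net localgroup failed' }

    # 4 + 5. Physical Path Credentials and their logon type on the virtual directory.
    #        Valid logonMethod values: ClearText, Interactive, Batch, Network.
    & $appcmd set vdir "/vdir.name:$VdirName" "/userName:$User" `
              "/password:$plain" '/logonMethod:Interactive'
    if ($LASTEXITCODE -ne 0) { throw 'appcmd set vdir failed' }
}
finally {
    $plain = $null   # drop the clear-text copy
}

# Confirm what IIS stored for the virtual directory.
& $appcmd list vdir $VdirName /text:userName
& $appcmd list vdir $VdirName /text:logonMethod

# Confirm the ACL: end users should not need an entry here any more.
icacls.exe $SitePath
```

After this, any Read & Execute entries for Everyone or Authenticated Users that were added to the content directory as a workaround can be reviewed for removal.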
My ASP.NET MVC 2 application runs under built-in local NETWORK SERVICE account. I want to set up access permissions for the folder which resides in another computer, but in the same domain. I located that folder right-clicked to open its properties form, clicked to Security tab and pressed Add button which displayed Add user form with correct domain name in the location field. I referred to the account with following syntax:
<domain name>\<server name>$
because I learned that NETWORK SERVICE account uses machine account when connected to other computers in the domain.
However, the system couldn't find the account, so it refuses to add the account. Without the domain name it adds a user, but that user seems to be a local user, not the web server's NETWORK SERVICE account. What am I doing wrong?
By the way, the above syntax worked when I created login for the sql server which is different computer from the web server.
OK, I will answer my own question. The above syntax <domain name>\<server name>$ was correct. Just make sure to select the computers checkbox in the object type when adding user permissions.
I have been in this same situation before. I don't think I got it to work with the Server/Network Service but this might be worth a try.
Figure out the account network service is using to access the network resource.
Configure Windows auditing (on the server the folder is located) to log the failed security events of the folder.
or monitor the folder with something like filemon.exe
.. from here you can try and add the account to the security settings of the folder. (IIRC I didn't ever get this to work)
Alternatively you can ensure the action is performed under the context of a domain user. Either by:
Impersonating the user in code and performing the action (my preference)
Setting the impersonation settings in web.config to a named user
setting the application pool to run as a domain user.
I have written a web service that reads from a message queue.
This works fine under Cassini.
Now that I have deployed the service under IIS, I receive an error message when the service tries to access the queue:
The queue does not exist or you do not have sufficient permissions to perform the operation.
I have set the anonymous access user on the IIS virtual directory to be my own domain account, which is a member of the administrators group on the local machine. I have granted this same user full permissions on the queue, as well as NETWORK SERVICE and ASPNET.
I still get the same error message.
I have also tried disabling anonymous access on the virtual directory and connecting to the service using my own login details - to no avail.
Any help with this problem will be greatly appreciated!
I have also tried various combinations of:
and
With testUsr having full permissions on the queue. I have added permissions for the user and ASPNET on the MSMQ store folders on C:\
My understanding of the problem is that the process trying to execute the code is running as a different account under IIS than it does under Cassini.
The problem was that regardless of which user I impersonated - I always got the same error message - even when the user was a member of the local and domain administrator groups, and this user had full permissions on the queue. i.e. It is barely possible to assign more rights to a user.
It turns out, that using a FormatName for the queue, rather than a path name (myMachine\queueName) has solved the problem...
FormatName:DIRECT=OS:myMachine\myQueue
I am uncertain as to exactly why this is the case. Reading up has shown that when a path name is used, there is a necessity for an AD lookup, and although I think that the users that I have been testing with should have rights to do this, perhaps there is something missing.
However the immediate problem is solved and that's good enough for me.