Setting up a virtual directory on IIS7 - asp.net

I'm setting up our server so we can install an ASP.Net web application on it.
I right clicked Sites in the IIS7 Manager and selected Add Virtual Directory and I clicked the Test Settings button, this messages is displayed:
The server is configured to use pass-through authentication with a built-in
account to access the specified physical path. However, IIS Manager cannot
verify whether the built-in account has access. Make sure that the application
pool identity has Read access to the physical path. If this server is joined to
a domain, and the application pool identity is NetworkService or LocalSystem,
verify that <domain>\<computer_name>$ has Read access to the physical path.
Then test these settings again.
The message does not tell us how to do any of these things.
The server I'm setting up has Windows7 Home Premium installed on it. The computer is set up with all defaults set and has a computer name such as MyComputer-PC (not the real name). There is no domain set up.
Can you tell us how to do what is described in the message?

1) Go to IIS, click on the IIS entry that holds your virtual directory. On the right click on Basic Setting to see which appliatino pool it's using.
2) Go to IIS, go to application Pools. Right click on your application pool and check the advance setting -> Identity property to find out which user it's using.
3) Go to the folder that your IIS Entry maps to, make sure that user is added to this directory. If you want to give it write permission, give it write. Otherwise, make give it read & execute is fine.

The message is pretty clear in what needs to be done. Go to the Application Pool section of IIS and open the advanced settings of the default Application pool. Check what username is specified in the Identity property.
Go to the location where you are physically storing your virtual directory and go to the folder properties -> Security. Ensure that the user has the appropriate access.

Basically, you can ignore this message if you don't plan to write files to your site directory.
This message means that IIS can't check if it's system windows account has enough permissions on your site folder.

Related

How can I host a sub domain

Hello I have a website hosted on remote desktop. ("mywebsite.com")
I want to host another web app with domain "app.mywebsite.com". I created a website in IIS but its not working. What's the configuration setting I need to do make this working ?
(I use IIS7) first app(mywebsite.com) is hosted before. I downt know anything about.
I just created an app and want to host it in same remote desktop with "app.mywebsite.com" alias.
there is an warrning seem on basic settings > Test settings pane
Error message is : "The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again."
How can I fix this ?
Thanks for help
You'll need to add a binding:
Open IIS Manager.
In the Connections pane, expand the Sites node in the tree, and then click to select the site for which you want to add a binding.
In the Actions pane, click Bindings.
In the Site Bindings dialog box, click Add.
In the Add Site Binding dialog box, add the binding information and then click OK.

IIS7 Accessing Network Share

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...

IIS - Required permissions cannot be acquired. Enabled "Full Trust" and Load User Profile on App Pool is "True"

Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.

HTTP Error 401.3 - Unauthorized

I am getting this errror in my newly created website in Windows 7 and IIS 7.5. I created an SSL certificate and done binding new website.
HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.
Earlier when I created the website, I selected 'application user(pass through authentication)' in 'Add Website' dialogue. and when I click "Test Settings ..." button, I get this error message:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
Please suggest solution to this.
Thanks.
I had the same issue, ensured my DefaultAppPool was running under ApplicationPoolIdentity and the DefaultAppPool had permissions to the folder, but some files still didn't load.
Turns out my problem was that the anonymous authentication user was set to someone else instead of ApplicationPoolIdentity
Screenshot
Make sure that application pool of your website and website both are running under the same identity. Then make sure that this identity has required permissions on the virtual directory. I had exact same issue and above two checks fixed it.
IIS 7 also creates "IUSR" as default user to access files via IIS. So make sure user IUSR has read access to files/folders.
How to check if IUSR has read Access? Right Click -> Folder -> Properties -> Security Tab See if IUSR is in Group or user names list, If No.
Click Edit -> Add -> Advanced -> Find Now -> Select IUSR and click OK -->click Apply
The below worked for me. I did not set up an SSL, just a new website within IIS. Upon doing so I was immediately unable to access the website with this error message.
When I created the new website, a new Application Pool was also created. The Identity of this Application Pool was set to ApplicationPoolIdentity. As mentioned by Suhas, the Application Pool of the website and the website itself must be running under the same identity. (I do not know how to check the identity of the website, but the Application Pool's Identity can be checked by going to Application Pools and looking at the Identity column). The default Application Pool name is DefaultAppPool.
I added permissions to the site (right click the site name -> Edit Permissions -> Security -> Edit -> Add), linking the site to the DefaultAppPool object, which in turn gives the site access to the default user and it's settings. (The default user is created when IIS is installed. Read more about this in Microsoft's docs).
I thought this would be all that's needed to obtain access, but this is incorrect. The website's Application Pool must also be set to DefaultAppPool. This can be done by right clicking on the site -> Manage Website -> Advanced Settings -> Change the Application Pool value to DefaultAppPool.

How to give NT AUTHORITY\IUSR access to shared folder content?

I find something related, but not same thing.
The error "Login failed for user 'NT AUTHORITY\IUSR'" in ASP.NET and SQL Server 2008
My issue is that the files are shared on the network, and I would like to debug from local IIS, I find that all static files seems to be access denied (401.3)
I have used the trace system, and find that the IIS is accessing the source using "NT AUTHORITY\IUSR"
Url http://localhost:8451/umbraco_client/panel/images/panel_boxhead_h2_bg.gif
App Pool Debug451
Authentication anonymous
User from token NT AUTHORITY\IUSR
Activity ID
I have set the shared folder to be accessible to everyone, and changed the application pool's identity to domain administrator.
I have also tried to use 'Network Service' as identity and assign Domain\MachineName$ full access to the shared folder...
It looks to me that iis always using "NT AUTHORITY\IUSR" to access static resouce? If so, how can I give access on a shared folder to a local account? Or how can I force IIS to use some other identity?
update:
as there are some new answer to this old question which I gave up at that time. I accentually have encounter this similar issue again recently on a server running windows 2008 R2, which I resolved, and I would like to give some update.
I resolve the issue this time by add read permission to $ComputerName/Users. This seems only an issue with server environment, and not sure if related to any group policy or similar kind. Hope this might help someone in future.
Once you have configured the user of the application pool to have access permission to the shared folder ( create a new user in windows and add it to the IUSER group, and add specifique access rights to the shared folder for that user), YOU HAVE TO change in IIS the Authentification settings: IIS->site that need access->Authentification settings -> anonymous authentification->edit->select aplication pool identity (instead of IUSER).
Make sure you have enabled IIS to serve static content. I had this issue, too, and it drove me nuts until I figured that out.
In "Turn Windows Features on or off", go to "Internet Information Services > World Wide Web Services > Common HTTP Features > Static Content" (for Windows 7; you'll have to find the similar option in XP).
I don't know how much this will help, but also see Microsoft's documentation.
this worked for me, thanks.
Go to the Shared Folder –> right click –> properties -> security –>edit –> add (so far as usual ) -> choose object types –> check on computers –> now enter the computer name where your application is working from , where you published your application
You can try $[computername]\IUSR > you'll want to use advanced search to look this one up in windows permissions.
Or... you can set up your shared folder as drive on IIS's local and access it that way. So [serverb]\share becomes mapped to a letter on server A and IIS accesses it that way.
Set the identity of the application pool by going to advanced settings:
Remember to edit the Anonymous Authentication and either use the application pool identity or else specify a user account that has access to the resource you are wanting to access

Resources