I am trying to deploy a site using msdeploy and cannot get it to deploy under an IIS user account. My admin account is able to deploy successfully.
Steps I have taken:
Created IIS user account
Give the account access to the relevant website
Setup deployment for the site granting the iis user account permissions to deploy
Ensured that the WMSVC has full rights to the physical folder
Add the IIS user account to the relevant rule in Management Service Delegation
I get the following error back:
Unable to perform the operation. Please contact your server administrator to check authorization and delegation settings.
Turns out it was an expired password for the WDeployConfigWriter account.
Following changes fixed my issue.
Start >> Administrative tools >> Computer Mangement.
There is a user called WDeployConfigWriter. Set to password never expired and updated in IIS as per the below link.
https://blog.workinghardinit.work/2011/07/18/wdeployconfigwriter-account-issues-trouble-shooting-web-deploy-2-0-with-lessons-learned/
As other's have mentioned, it is usually a problem with an expired password for the WDeployConfigWriter user in Windows Server.
What I usually do when resetting the password and configuring password never expires is not enough:
Go to Windows Programs and Features
Select Uninstall for Web Deploy 3.6
Now select Repair
Go to IIS Manager. Then reconfigure Web Deploy for your IIS site: You can change the old Web Deploy userĀ“s password or delete that user and create a new user.
Next, go to Start | Administrative tools | Computer Management.
Then go to Local Users and Groups - check password never expires on the user WDeployConfigWriter
That usually solves my problem.
Related
I've a requirement of writing into a network folder from ASP.NET.
So I just used Streamwriter class and it works fine when trying from local system using Visual studio web server. But when trying to host it into IIS on the same machine writing into network folder not working at all.
It saying
Access to {\MYSERVER\specialfolder} is denied
So I thought it as some access issue. What I tried was as follows
Changed Default Applicaiton Pool (Which is the pool using for my
domain) identity to local system (And tried the other 4 ones too) :
Still the error
Authentication change for my site. Change from
Anonymous for specific user IUSR into Application pool Identity : No
help
Right clicked on my site and then selected edit permission, then
specified write permission for IIS_IUSRS group : Not worked
Also I tried, Right Click on the network folder itself -> security ->
But there is not IIS_IUSRS group
What else I'm missing for having the write permission into network
folder.
Details about my system
IIS 8.5
WINDOWS SERVER 2012R2
VISUAL STUDIO 2015
As far as I know, the IIS use the LOCAL user which generated by the IIS, this is local computer account.
If you want to access another network folder, you should set the enough permission to the IIS application pool identity.
You should use AD to assain enough permission to a spcial AD account.
Alternatively, using ActiveDirectory you could create a Domain User account, configure the application pool identity to use that domain user, and grant that user access to the network files.
More details, you could refer to below article:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
This question:
IIS application pool access to remote directory on network ask how to allow iis to have the ability to access a file on a network drive. The answer is to set up a user with the appropriate rights and set the application pool identity to that user. We've done that and when we restart the app pool we get a 503 error on our web app.
It appears that the app isn't actually starting.
Here are more details which may help you analyze the problem:
This is Windows Server 2008 R2, iis 7
Our username is abc123\_svc_OSAT (Domain name isn't actually abd123 but I need to obscure it rather than risk publishing internal company information)
As abc123\_svc_OSAT I can map a drive to \\FPIAPPS01\Logs which is a directory on a network server so we know that this user has network access.
In iis we click on our app pool, select Advanced Settings, select Identity, Select the .. button, select "Custom Account" and set it to the user abc123\_svc_OSAT and use the proper password. We then stop and start that application pool.
When looking at the app in a browser we get a 503 error. Checking the logs at C:\inetpub\logs\LogFiles\W3SVC1 we don't see any error. However, the application appears not to have actually started.
Does abc123_svc_OSAT need a specific permission which we may be
missing?
Is there any other place with a log file which we should
look to get a better idea of what is causing the problem?
Thank you.
Does abc123_svc_OSAT have access to directory that hosts your ASPX files? The log files you are looking at are only for logging access to your website. You will want to check the event viewer to see the actual IIS error.
We ended up making the user an administrator and that worked. That's probably too broad for sufficient security rights. We'll keep looking. But it does show that the issue was somehow related to user roles rather than a password issue.
I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...
I don't know where sholud I ask this...
I've seen this issue and I think the answer should me close to that, but seems that I can't still do this.
The funny thing is the same (I think) was done by me in another server w/ IIS 7 a year ago or so, without further trouble. It could be also that I don't remember so much of it.
I have an Apache server running on port 80 (That can't be changed)
This is what I've done:
Integrated AppPool was an issue on the other server I've placed so I've tried to change the
Default AppPool to a Classic .Net
The WebApp Pool to a Classic .Net
The User is also mandatory on the Webservice so I'm placing a Service Account that impersonates for any anonymous (or not) user that might access so I have
The ServiceAccount as Administrator of wwwroot and subfolders
The ServiceAccount as Impersonated by default in the Default Web Site
The ServiceAccount as Impersonated in every Web App I need
Shared r/w the folder with the ServiceAccount
Also
I've tested the access and both Authorization & Authentication works
marvelous.
I've restarted the app, the site and the IIS multiple times without
success.
Checked the Event Log without finding anything useful.
Modified applicationHost.config getting into more troubles than solutions.
This is what I get when I try to see the App Settings at IIS7
--------------------------- Application Settings ---------------------------
There was an error while performing this
operation.
Details:
Filename:
\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 165
Error: Can not log on locally to %SystemDrive%\inetpub\wwwroot as user
MyDOMAIN\MyUser with virtual directory password
--------------------------- OK ---------------------------
This is what I see when I go to my page (an asmx)
HTTP Error 500.19 - Internal Server Error The requested page cannot be
accessed because the related configuration data for the page is
invalid.
Detailed Error Information Module IIS Web Core Notification
Unknown Handler Not yet determined
Error Code 0x80070569
Config Error Can not log on locally to C:\inetpub\wwwroot as user
MyDOMAIN\MyUser with virtual directory password
Config File Unavailable (Config Isolation)
Requested URL
http://localhost:8080/myApp/MyWebService.asmx
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
#Edit: 0x80070569 Drove me to see that The service account weren't logging on as a Service (as it should), nor as a Batch process.
It was a Security Setting that should be touched, a group policy object has to be set to the account (in the Example MyDOMAIN\MyUser). And that's an access that only the area of IT Security can grant.
Even when this was changed the problem remained still.
The accepted answer didn't work for me.
But when I followed the below steps, my issue was resolved:
Go to your IIS manager.
Click on Sites
Right click on Default websites, Go to Manage Website and then click on
Advanced Settings
Set your physical path credential to Specific user with credentials
Restart IIS
Note: You may also need to reenter the credentials in the application pool, if the system password has been changed recently.
It actually was a secpol.msc Policy What was blocking the web access. The ServiceAccount wasn't a Service one.
As in the edit that I posted IT Security gave me the privileges to set it a*s a Service Account*, but that alone just wouldn't do the trick.
In the Advanced Settings of the webSite
Physical Path Credentials Logon Type, Batch logonMethod was selected.
And the service account still wasn't with the privileges to run as a Batch Process.
And that was it.
Not only the service account, but also The Run as a Batch Job was necessary.
Sometimes it causes by changing administrator password or changing user access.
After that application pool cannot access to local user.
One of the most stupid solution for this problem is remove website and application pool then make another website.
This solution helped me.
Check the Password of your Application pool and application. Try clicking on the Test Settings to check the connection is proper
The accepted answer didn't work for me.
But when I followed the below steps, my issue was resolved:
1. Go to your IIS manager.
2. Click on Sites
3. Right-click on Default Web Sites and select 'Basic Settings'
4. Select Classic .NET AppPool from the Application Pool drop down
5. Save and Exit
Everything went normal.
None of the other answers solved the issue for me.
In the end, I had a re-create my site and app pool, which is far from ideal, but was the only solution that worked.
IIS must have been caching an old value that I couldn't find/clear.
Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.