Every time the ASP.NET application in question throws an error the Global.asax writes to an error file: logs\error.log. The ASP.NET applications works using Windows authentication.
I am able to write to the log file when debugging using Visual Studio, however it does not work when the application is deployed in the live environment. How do I find out what user account I need to give access to: logs/error.log?
The application is deployed on a Windows 2003 Server with IIS6. Microsoft.NET 3.5.
You would have to give the required permissions to the network service account. This link might be able to help you out.
Windows Server 2003 defaults to the "Network Service" account.
This can be verified by opening IIS (expand the computer if needed), expand the "Application Pools" folder, right click on the pool used by your web app, and go to the Identity tab.
FYI: Windows Server 2008 uses the IIS_IUSER instead of Network Services.
I hope that logs folder is a virtual directory setup outside the web site directory.
Otherwise every time you deploy the entire solution you will overwrite the logs folder and its content.
Microsoft has a tool for monitoring file access that can be useful for troubleshooting permission issues.
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645
You will also want to check if your application is using windows authentication & identity impersonation since that can change the identity the application is executing with when enabled.
Related
I've created a Windows service (an exe based on the Visual Studio ATL wizard) which exposes a COM interface. No problems running as an in-proc server or a Windows service. I need a Windows service since I need some processes to be available outside of IIS access.
I've been creating some web pages (aspx/C#) calling my service and everything has worked fine testing within the Visual Studio .NET Development Server. Now, I'm trying to push the web pages to IIS 7 (running on windows 7) for further testing. But, when the pages are running under IIS the calls to my COM interface all fail with the error
"Retrieving the COM class factory for component failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))."
I've verified the service is:
registered with Windows under HKCR\Clsid\ (note, I registered running "myservice.exe /RegServer" since regsvr32.exe only works with dll's)
myservice.exe has read and execute rights for the IIS_IUSRS user
is a 64bit exe (so should load in the default IIS app-pool space)
Works great in .NET Developement Server debugger (but not IIS)
Any ideas why this would not work? Something to do with the COM interfaces contained in an exe vs dll?
Any possibilites of IIS calling a COM interface exposed in a Windows service?
I believe you need to grant access to your site's app pool process to use your COM object, under DCOM Config.
Go to the Component Services
> Computers > My Computer > DCOM Config branch
Locate the AppID or Name of your service in the list. Right-Click on it and select properties.
Open the Security tab
Pick Launch and Activation Permissions and select Customize.
Grant the app pool process (probably ASPNET, but check the IIS app pool properties for your site) the following: Local Launch and Local Activation.
Please let us know if this solves your problem.
Incidentally:
> is a 64bit exe (so should load in the default IIS app-pool space)
That's not quite true. The app pool is an ISS-controlled process. Your service runs on its own separate process no matter what. So your service has nothing to do with IIS app pools.
It looks very much like a security/permissions problem - so first make sure that whatever user the IIS worker is running under has sufficient rights and in particular check that your ASPNET group has permission to use COM (I think it doesn't by default).
EDIT - after posting that, I did find another post that might help - take a look here too
Thanks Guys. I really appreciate your responses. Your information pointed me in the right direction. The problem was indeed a security\permissions issue. To compound the problem, whenever I rebuilt my service, the rights I set for IIS_IUSRS was purged from the exe so some of the failures I was seeing was due to simple rights on the service.exe. So if you start seeing intermitent errors access your COM object during development then check the rights on your exe after re-builds! I hope that helps others.
For completion, here's how I resolved the issue:
changed the 'identity' of my services application pool to 'LocalSystem' (since my COM was in a Windows service running under the system account - most people will not require this level) (IIS Manager | Application Pools | right-click on your app pool | Advanced Settings | Identity
I am in the process of deploying a web application on IIS5 on my server which runs windows XP.So when i run my application in visual studio its perfect.But when i deployed it into IIS it throws me an error saying that the access denied to a particular file.
My app reads a xml file based on the input(which is nothing but the other system in the network).As i browsed to the properties of that file manually and unchecked the read only attribute,still it dint work out.Can any one guide me to the proper solution ?
you might have to give read/write (if needed) to following users:
iis_wpg
network service
aspnet
In IIS, your site runs under the credentials of the application pool assigned to it. You can either change the credentials of your application pool to an account that has permission to access that file, or else grant access to the default account that the application pool is currently using.
You mention that you are using basic auth...
Generally, the web application will then impersonate the user logged in.
So, if your file isn't accessible by the user that logged in, then it won't be accessible to the web application impersonating them on the system either. You will need to check the permissions of those files and set them accordingly.
My web service needs to open some files located on a remote computer.
From Windows I can do the authentication so I can see those files using the File Explorer.
If I try to open the files from my Web Service while it's running using Visual Studio (ASP.NET Development Server) it also works.
However, if I do everything from IIS it doesn't.
In order to find out where is the problem what I did was to run a network sniffer and I found out that when using IIS, the system will try to use the account 'ASPNET' to login into those remote computers which will obviously fail.
However this doesn't happen if I run from the IDE (Using the ASP.NET Development Server)
I found out that if I use Impersonation for accessing this it will work, the problem is I need to have the same account names on the computer running IIS so I would rather not to do that.
Why is it working from the ASP.NET Development Server and not from IIS? Is there a way to give full access to the ASPNET account?
Thanks and hopefully somebody will be able to help with this. I don't know what else to try...
Any request on IIS is served by the ASPNET user. So the user ASPNET is working. I think you are using XP. On Win2K3 etc, the user is Network Service
But the Cassini (Visual Studio Dev server) runs under the current logged in user.
So the difference is. You need to use impersonation for your need.
I am developing a remote control application where a client (aspx page in a browser) can request a server to "launch a notepad" (for testing purpose, for real life, turning off a light bulb, etc). So I created a dll with a simple function for launching the notepad (on the server side) and dropped this dll in the root bin folder.
It worked fine when the aspx page is running under ASP.NET development server (launched from Visual Studio). But when I tested the same aspx page under a FireFox browser, it did not work (launch the notepad) even though it did call for the same function (I stepped through in debugger).
Is this a permission issue? How do I set this up in IIS manager, or even better in web.config?
Please help.
Yes, it sounds like a permission issue.
The application pool in IIS 7 that your site is running under is probably using the default identity, which is the most restrictive. You can change the identity in IIS Manager by right-clicking on the app pool (probably called DefaultAppPool) and selecting Advanced Settings. From there change the Identity value to Local Service or Network Service. If neither of those work, making it Local System should allow your page to work.
I assume the Visual Studio integrated web server runs under the context of the account you are logged in with on the machine, which likely has a lot more rights.
When you say:
it did not work (launch the notepad)
Did you mean it through an exception or you didn't see a notepad window open. If it was a permissions issue I would expect you that you would get an exception. Chris is right on when he says:
The application pool in IIS 7 that
your site is running under is probably
using the default identity, which is
the most restrictive.
and
I assume the Visual Studio integrated
web server runs under the context of
the account you are logged in with on
the machine, which likely has a lot
more rights.
and if this is a permissions issue he is right on. However, the user your running under (when not debugging in Visual Studio) most likely cannot access the desktop of the logged in user. Maybe you should try your test with an app that doesn't need to interact with the desktop.
Hi: I'm reading up on ASP.NET, and just came to a chapter that explains how to upload a file to your website. It says that in order to save a file to your file system, in the case of every OS except Win Server '03, an ASP.NET page executes in the security context of the ASPNET account. I don't have an ASPNET account running on my machine (win xp pro sp3; .NET 3.5). The program runs fine, by the way, I'm just trying to understand what an ASPNET account is exactly, and why it doesn't seem to show up on my list of user accounts. Thanks.
ASPNET is only used if use IIS. This was the norm in ASP.Net 1.1
However in new versions of Visual Studio IIS is not needed, so it uses an internal web server.
If ASPNET exists in a command window ( Start -> Run cmd Clikc OK) type and press enter
net user ASPNET
you should see the details of the account and in Task Manager you will see a process asp_wp.exe
File Access
The Network Service account has Read and Execute permissions on the IIS server root folder by default. The IIS server root folder is named Wwwroot. This means that an ASP.NET application deployed inside the root folder already has Read and Execute permissions to its application folders. However, if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access.
http://msdn.microsoft.com/en-us/library/ff647402.aspx