My "Hello World" c#.Net application works fine on my local Windows 7. Moving to our server I get 401.2 error.
Here what I have done (following advices in some forums):
Changed the Anonymous authentication use to application pull user
Created a new application pull
Created a new Windows user with access to application folders
Set the authentication of the application pull to that user
Set the application pull for my application to that application pull
Please note that:
I receive the error both from within the server and outside
I receive this error from all the browser I tested: Chrome, IE 9.0 and Firefox
An html file in the same folder is visible
What am I missing?
Thanks,
Asaf
You don't need to create a new windows user. I know you've said what steps you've done, but I'm going to highlight what I do each time I add a new site.
Set the Identity of the Application Pool to
ApplicationPoolIdentity.
In the website, set Anonymous Authentication to Enabled. Click
Edit on the right and set the Authentication Credentials to
Application pool identity.
In the website, again, choose Basic Settings on the right. Click
the Connect As.. button and make sure Application User is
selected.
Give the appropriate access to the folder on your hard drive(s); i.e
Application Pool name = hello.com, the user is IIS
AppPool\hello.com.
I think your issue is that you haven't given the folder permissions for the Application Pool User. I think you've incorrectly given them to an unneccessary Windows account.
HTH
Do you have the correct version of .NET installed on Server? Also you need to register ASP.NET in IIS - c:\windows\Microsoft.NET\framework\v2.0.50727 (or v4.0....)
aspnet_regiis.exe -i
and after restart IIS with iisreset in command line
Related
I'm trying to run a COM component from my Asp.Net app on IIS server, but getting error:
Cannot create ActiveX component
So I'm calling it like that in the code, passing login on the end
gobjDaabOLE = CreateObject("Daab.Application." & DaabLogin)
Login is actually a profile name that the Daab app use.
So it all works on the local machine but when I run it through and IIS app is coming with the error.
I believe the problem is related to Daab app configuration on IIS. Every time I login to the IIS server using different credential and open Daab app it has default configuration. So I need to configure it (add location of the profile).
So now if ApplicationPool is running the app it gives me an error as there is default configuration. There is no option to globally set up the Daab app. How can I go around that? What login is Application pool using? Can I log in as that user to configure the app? Is it possible to impersonate Application pool to use one of the login already configured?
The configuration is recorded in HKEY_CURRENT_USER in registry, but nothing in HKEY_LOCAL_MACHINE. I have tried manually add it, didnt work.
Thanks for any help
I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...
I created a web application by going to IIS right-clicking on Default Web Site and selecting Add Application. Then I give the Alias name, select DefaultAppPool and point it to Physical path.
When I try to browse to http://localhost/mywebapp I get 'Access is denied' with following details:
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
Anonymous Authentication is enabled on the IIS Website.
The web application is ASP.NET MVC5 application.
The web application is running under its default identity: ApplicationPoolIdentity
Here are the settings for DefaultAppPool
Make sure your application is not on a network share or in the windows user (magic) directory. (It can be in the Visual Studio default magic user directory if you follow my instructions below)
If you're on Win7, create a new MVC 3 application, ^F5 to run. Then in solution explorer, right click the project and select properties. In the left pane, select the Web tab. The default is Cassini ( Use Visual Studio Development Server). Select the next radio, Use Local IIS Web server. Now ^F5 and it will launch your app from IIS. You can also find your application in IIS manager and in the right pane, select browse 80. Now that it's working, compare the differences in your two application.
Your approach should also work. You might try creating a new MVC application and use your approach to test on IIS. The most common mistake is creating a vDir, not an application
The error message is pretty good. To set ACLS on the application pool identity, follow the instructions under Securing Resources at http://learn.iis.net/page.aspx/624/application-pool-identities/
Also see Understanding Built-In User and Group Accounts in IIS 7
IF the new MVC app should fail, repeat, but create a Web Forms app.
Make sure IUSR has permission to the directory that webapp is sitting in.
Also, if your application is accessing permissioned resources(File IO, MSMQ...etc), you will have to change the Identity of the app pool or make sure ISUR has permission.
Make sure that the NETWORK SERVICE account (or whatever system account IIS is using) has permissions to the application folder.
To check the system account that's being used, go to the application pool settings, and the system account will be listed under the Identity tab:
EDIT
Make sure that the application is using the correct application pool. Also, if you haven't already specified a default document, that could be your problem. You can test this by including a page name in the URL, e.g. http://localhost/mywebapp/default.aspx
I want to authorize the asp.net account to access some folders in my project.
However, I get this error::
System.UnauthorizedAccessException: Access to the path 'D:\ProgramingPart\FromYamn\WebExercise\WebExercise\AccordionImgs' is denied.
I am using win 7 so what is the name of the asp.net account that I should use?
This depends on a couple of things:
What identity is the application pool running as?
What IIS authentication method are you using?
If you are using IIS7 in Classic Pipeline Mode, what authentication method are you using for ASP.NET (see your web.config file).
Try running visual studio as Administrator.
Under Win7 the default IIS user is ApplicationPoolIdentity. This is somewhat confusing as it's not a real user account. In order to adjust the permissions you need to drop to the command line first and issue
icacls D:\ProgramingPart\FromYamn\WebExercise\WebExercise\AccordionImgs /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)(RX)
From there you can return to explorer and edit the permissions using the properties tab for the directory. Or you can simply type "IIS APPPOOL\DefaultAppPool" in the add users field in explorer, but I have a preference for icacls myself :)
Probably you want to add the permissions a bit further up the tree. In real shared hosting scenarios application pools tend to get their own, full user accounts, but Server 2008/Win7 added the app pool user so pools can be created, isolated without having to do that.
This worked for me:
On the folder of your application, which might be something like:
C:\Users\YourName\Documents\YourSite
or
C:\inetpub\wwwroot\YourSite
Right-click the folder, choose Properties, go to the Security tab.
You need to add IIS_IUSRS to this list, and probably give full control.
Then, in IIS Manager, assuming you've set up your project folder as an application here, click on your folder/application. Then click the Authentication option. Right click the Anonymous Authentication, and check the user identity. Mine is IUSR.
Go back to your folder security, and add this user, with full control too.
Hopefully it works now!
I have authentication mode set to forms in my asp.net web.config but am still getting a windows login prompt when i browse to the website.
Could authentication mode be set elsewhere, in IIS for example? My site runs on IIS 6.
Thanks.
This could be because the permissions on the folder that is being served is not allowed to be accessed by the user running the web site
I have had issues where the authentication was set to forms and the directory security was set to allow anonymous, but some resources (images in my particular case) did not have the proper permissions to allow the anonymous user to read them.
The effect is that the user was prompted to login so that the graphics could be displayed, after which the form was displayed and the user logged in (again) with the intended form.
Sounds like windows permissions problem.
Windows permissions will always override anything that you have set up in aspnet.
I would start by looking at "anonymous access" permissions in IIS admin, then work your way through the file system.
You have configured anonymous access in IIS Administrator, but the IIS user does not have permission to access the filesystem, defaulting to the login dialog to authenticate as Windows user.
As it happens a colleague updated my machine to .NET Framework 3.5 SP1 whilst I was away. So I compiled my project and released onto the server which does not have SP1 installed and the above happened.
I've installed SP1 on the server and it's working fine now.
Thanks for all your input.
Just to clarify : the login popped up because the application was unable to load a file due to the problem described in the following: Link