Small question, was anyone able to control iTunes through any local webdeployment?
Most preferable through a hosted IIS WCF service?
I've tried on my Windos 7 with IIS7.5 and when I set the Process Model - Identity to 'Local System' on the IIS apppool containing the WCF service, I see the iTunes.exe popping up in the Task Manager.
But iTunes doesn't come 'alive' - no visual shell and even though the iTunesApp object is initialized in my WCF Service code, perfomring any actions on it won't work.
Side not, running the same service through Visual Studio 2010 debug mode, everything works just great!
UPDATE *
I was trying to communicate to iTunes through my windows phone and I thought of going round that with a website/service... but with the new Mango update we can do TCP sockets native on the phone! SO I'll try that route.
The reason service does not show any UI windows is becuase of Session Isolation. Your service (IIS application pool process) is running in session 0. Your desktop is attached to session 1 (or some other number if more than one user is logged on on this machine).
There are couple of workarounds to allow services to show UI to user:
1. You can mark service with option "Allow service to interact with desktop". This only works for services that are running as local system. This option is deprecated, should only be used for compatibility with legacy services.
2. Service can launch an intermediate process in user session and communicate to it.
If you don't want to interact with iTunes, and only want to lanch it in user session, what you need to do is:
Obtain name of windows station the user is running. You can use windows terminal services API for that. You will have to be creative to figure out which user session is currently active (if there is more than one). You probably also want to query user security token, so that process is run as a user, and not as a local system.
Call CreateProcessAsUser and pass STARTUPINFO structure. Set lpDesktop field in STARTUPINFO to point to window station you identified.
The reason this works when debugging in Visual Studio 2010 is because you're running VS under your login and your login has a visible desktop that iTunes can interact with.
If you launch from a process running under a service account then yes you'll see the executable in task manager but the iTunes won't have a visible desktop to interact with.
Related
CONTEXT
My client has an ASP.NET web application running in IIS 10 on Windows Server 2016. The web application needs to access files on network shares on different servers in a WORKGROUP environment. So, I created the same local user account on all servers, set the password to all the local user accounts to be the same, granted said user with full control permissions to the network shares, and reconfigured the IIS application pool to run under the identity of the aforementioned local user account. There is also a custom Windows service running under the same local user account for the same reason: to access files on remote network shares. All of this works fine. The web application and the Windows service can successfully access files from the network shares residing on servers other than the server on which IIS and the custom Windows service are both running.
ISSUE
However, there is a feature in the web application when an authorized user modifies a particular validation matrix record, it triggers a custom command sent to the aforementioned Windows service to cause the service to update its in-memory copy of the validation matrix. This worked fine when the IIS application pool was running under the built-in ApplicationPoolIdentity which apparently has permissions to interact with Windows services. But, the feature fails when the IIS application pool is running under the identity of the aforementioned local user account. The message in the exception is: Cannot open {SERVICE_NAME} service on computer '.'. Again, the Windows service and IIS are running on the same server. And recall that the Windows service is running under the same local user account as the IIS application pool identity.
QUESTION
How do I grant permissions to the local user account to allow said account the ability to issue the custom command to the Windows service from within the ASP.NET web application?
RESOLUTION ATTEMPTS
I've tried using subinacl.exe in an attempt to grant the necessary access but never got it to do anything other than to indicate Done 0, Modified 0, Failed 0, Syntax errors 0. I'm using version 4.2.1.1604 and executing it from an Administrative Command Prompt. The syntax I used was:
subinacl /service customServiceName /grant=localUserAccount
and the result is below
+service customServiceName
/grant=localUserAccount
Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 0
I also tried /grant=localUserAccount=U and /grant=localUserAccount=F but to no avail ... same results as shown above.
I admittedly am not familiar with subinacl.exe and I saw somewhere that someone indicated earlier versions of subinacl.exe are buggy and suggested using version 5.2.3790.1180 which I cannot find. Result: failed.
I have added the local user account to the Administrators group on the server where IIS and the Windows service are running. Result: failed. CORRECTION 02/13/2023: This succeeded but required a server reboot for it to take effect. To be clear, I do NOT want to permanently add this user to the Administrators group. This was simply a test. As far as the server reboot being required for this to take effect is concerned, I tried recycling the application pool in IIS, restarting the Windows service of interest, and restarting the World Wide Web Publishing Service but no joy. Only a server reboot caused the addition of the local user account to the Administrators group to take effect from the standpoint of said local user having permissions to send a custom command to the Windows service from within the web application. I absolutely am inclined to believe that there is a better way to achieve the desired end without adding the local user account to the Administrators group. Surely someone else before me has encountered this and solved it.
The local user account is already set up in the Local Security Policy with the ability to "Log on as a service".
I have reconfigured the IIS application pool identity to NETWORK SERVICE and granted NETWORK SERVICE full control permissions to the network shares (which are on a different server in a WORKGROUP environment, not a domain environment). In this configuration, the feature to update the Windows service works, but access to the network shares is denied ... likely because NETWORK SERVICE is a built-in local account [with no password?? not sure on this] and does not behave the same as a "regular" local user account.
So, I have a catch-22 that has me stumped. I would be grateful for any insight on this dilemma.
Cheers!
We recently had to change a domain admin password due to a security issue. As a result, on our prod web server, we're seeing a large number of Event ID 4625 errors showing up in our security log associated with an IIS App Pool. We're on Windows 2012 R2/IIS 8.5; ASP.NET 2.0 & 4.0 are installed on the system.
The interesting piece is that the App Pool in question never used the domain admin account as its Identity. It has always used the out of the box ApplicationPoolIdentity. I should also note that the server was logged off using that affected user well prior to the password change & a new account is now used to administer the server.
The server itself though was in fact built using the affected domain admin account. All roles/features were added while logged in as the aforementioned account. With this in mind, no services are running as the account, ie World Wide Web Publishing Service/IIS Admin service. They're running as Local System & always have.
No functionality has been compromised, everything is operating normally on the web server. The issue is that our tech services team is receiving constant notifications from their account monitoring software regarding the bad logon attempts & it is impeding their operations. Full disclosure... We haven't had an opportunity to reboot the server yet since its production, we will be doing that tonight.
The problem seems to be relegated to the root of the site, the \wwwroot folder. Segregating only the root app to its own app pool/turning off the pool is not an option since it services file system requests. We've tried explicitly setting the identity on the affected app pool to use Local Service as well as a regular domain user. The issue persists regardless:
So naturally, our hope is that the reboot takes care of it... Perhaps the old password is stuck in a kerberos cache, but it's just strange since this app pool never used the ID as its identity, that it continues to show up.
We had a virtual directory that was using the ID in order to reach out to a CIFS share on the network. Once we changed that, the error ceased.
I'm trying to access a sql server database from an ASP NET app configured to work with IIS.
I have several questions now,
1) Authentication in IIS: I need to know if my authentication settings for the site are ok:
I tried with Windows Authentication set to Disabled, but the problem continues.
2) Are the settings for the user NT AUTHORITY\Sericio de red well configured? ("Servicio de red" means Network Service)
3) When I added the login for network service, I only found "Servicio de red", I guess it's the equivalent for NetworkService, I'm I right?, My windows 7 ultimate is an spanish version, I just changed the windows interface by using a windows upgrade to make it appear in english. Is there a problem with it?, I guess it's right because the access to the database is being done through the IIS APPPOOL\Servicio de red user.
My DefaultAppPool identity is set to to AppPoolIdentity
If you want to see what I have tried, see this thread.
The whole project, along with a backup of the database I'm using can be found here, called MyServiceSolutionInIIS
What I'm trying is to build a WCF Data Service that offers information that comes from an entity data model generated from a sql server database. This service will be used by a WPF App as a client.
I'd like to avoid creating a user for it, I think it can be done with the App Pool
Okay so the way this works is, whatever application pool your endpoint is running under passes its credentials to the SQL Server. So, you have two options:
Run the default application pool under NetworkService, or;
Use SQL Authentication when connecting with your web service to the SQL Server.
Honestly, the latter is the most common, but in your situation you may be just fine by changing the default application pool to run under NetworkService.
This has nothing to do with the authentication you've chosen (well, mostly nothing.. you can control which credentials anonymous users run under). Every website runs in an app pool, and this app pool has an AppPoolIdentity.
I'm a little confused as to why it would be claiming it's IIS AppPool\NetworkService, since NetworkService should be NT AUTHORITY\NetworkService, or IIS AppPool\MyAspService or IIS AppPool\DefaultAppPool.
There is a lot more information on App Pool Identities here:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Note: There is a bug in IIS 7.5 (the version of IIS that comes with Windows 7 and Windows Server 2008 R2) that sometimes causes authentication problems with AppPoolIdentities if the users password changes (say, if you have mandatory password change policies). There is a hotfix here:
http://support.microsoft.com/kb/2545850/en-us
More info here:
IIS application using application pool identity loses primary token?
There so many scenarios in which this issue occurs.
First thing you need to clear if you are using windows authentication and you are not mentioning any username password in your connection string then:
What happens when you run your code through localhost: when you run your wcf test client from localhost, it will be able to communicate to database as local debug mode application is calling database by your account's service. So it has access to database because devenv.exe is running under your user account.
But when you deploy your web service in IIS. Now understand this service runs under IIS not under your account. So you need to assign access rights to IIS service to access the sql server for windows authentication. Here your web service would not be able to communicate to the SQL server because of access rights issue and Login Failed for user_______ (here your user will come)
So if you are using windows authentication to connect your database, you just have to change the IIS Application pool settings. You need to change IIS Application pool's identity to:
local System (for single windows user).
Network Service (for intranet users or domain users)
Below are the Steps for windows authentication WCF:
•Open IIS (windows+R (run) then type inetmgr, then click ok)
•double click your PC name under Connections
•Click Application Pools
•Select your app pool (DefaultAppPool)
•Then under actions on the right click Advanced Settings:
•Go to Process Model section and
•click on Identity.
•Now select LocalSystem (for single windows authentication user).
or select Network Service (for Intranet users)
Now open your sql server management studio: open run-> then type ssms then press ok in ssms, login using your windows authentication account. open security tab expand logins tab then you will be able to view your account.
Now open properties of your account go to userMapping then select the database you want to connect then check the role membership services you want to use for the selected database click ok. (For network services i.e. intranet users you need to configure above settings for NT AUTHORITY\SYSTEM user too)
add Trusted_Connection=True; property in your connection string. Save it & deploy the web service. Restart app pool.
you will be able to connect the database now.
I have an existing VS2010 ASP.NET webforms site that I am trying to get running on Azure as a POC for a client.
I migrated the site to a VS2012 project, added an Azure Cloud Service Project, and have deployed the site as well as the back end DB to a 3 month trial account.
I've added the IP address of my dev machine to the firewall rules for the Azure db, and I can run the project locally and connect to the Azure db without incident.
On the firewall rules for the website, I have Windows Azure Services set to yes under Allowed services. I have no other rules in place other than the one for my dev machine.
When trying to access the site from the site deployed to Azure, I get the following exception:
Cannot open server requested by the login. Client with IP address '137.135.65.13' is not allowed to access the server.
To enable access, use the SQL Azure Portal or run sp_set_firewall_rule
on the master database to create a firewall rule for this IP address
or address range. It may take up to five minutes for this change to
take effect.
Login failed for user .
This session has been assigned a tracing ID of . Provide this tracing ID to customer support when you need assistance.
The site works normally if I add a firewall rule for the azure server IP address, but doesn't this defeat the whole purpose of Azure? Shouldn't allowing Azure services handle this? Is there an additional config item necessary or am I missing something basic in the design? I'm not sure if this is related but the site was deployed by VS2012 as a cloud service instead of a website, is this the issue? I also added the db as a linked resource in the cloud service but that didn't seem to have any effect.
Adding the DB as a linked resource for the WebSite will fix the problem w/out having to muck about with firewall settings.
Go to your website in m.anage.windowsazure.com.
Go to the LINKED RESOURCES tab.
Press the LINK button on the bottom of the page
Select your DB from the modal dialog
This is a bug in Azure. Newer IP ranges aren't included in their boiler plate "Azure Services" configuration, or something like that.
Been happening for a long time (at least ~3 years), unfortunately.
Happens with Web Roles, Worker Roles, and VMs as well - NOT specific to Web Sites. We regularly hit this with our Web and Worker Roles in US East but never saw it once in US North.
Our work-around is to add the range: 10.0.0.0-10.255.255.255. Probably not the most secure work-around but fortunately, this has so far only hit our Dev environments and not any of our Production environments.
I am new to the WCF model, but I have created a service, that seems to work in VS2010
Now I would like to access this windows service from an asp.net application. The reason behind this is: I want to be able to call the service to connect via SSH to a server, and keep that connection open (as I did in a Windows Forms app)
Any ideas on how to go about doing this? I tried it with an IIS hosted service, but the connection is lost each time the request finishes.
At least in VS2010 with the tester, I can invoke my connect function, then invoke other functions to query data, then disconnect.
FYI, the local Windows Service and IIS are on the same box.
WCF services by default create a new instance for each request. There are other models, although I'm not sure they will manage as long running a process as you want. This article has some good info on managing sessions: http://msdn.microsoft.com/en-us/magazine/cc163590.aspx
Alternatively, why not use a technology like workflow foundation, that was designed to run / persist / re-awaken long-running processes? http://msdn.microsoft.com/en-us/library/ee342461.aspx