I am developing an intranet ASP.NET web application that's configured to use Integrated Windows Authentication. My web app needs to check user entitlements using LDAP to get user memberships, etc.
The issue I noticed today is that, when I run my web app using IIS, sometimes the LDAP calls fail with strange errors, such as "Unable to contact the server..." ... or "...that domain doesn't exist..." (something along those lines, anyway). However, if I run my web app using Cassini, I don't get those errors.
If IIS is the issue, why would it fail some times and other times not? What does Cassini do different that IIS is not doing?
I'm using IIS 5.1 / Windows XP / Visual Studio 2008
Why is this happening, and how can I fix it?
Probably something to do with the fact that when you're running Cassini, it's your domain account that's querying the LDAP. It is strange that it would work in IIS sometimes though, and not others. Is the server registered on the network? What system account is IIS running under?
#James Johnson: I figured it out thanks to your comment, which got me thinking about my domain account... Finally, I found this post which points out that in order to connect to LDAP one needs to set Impersonation=True in web.config. It was working intermittently this morning, I think, because I was using Firefox instead of IE, which required me to enter my domain username and password.
The other strange thing was that my app worked fine in our development and stage environments even though my web.config is the same for all of them. I suppose the guys in the hosting group have this set at the machine.config level.
Related
My ASP-Webpages application needs to write self-generated files to a local folder under its root directory. Everything runs like a charm on- and from my development environment, even to any other given network locations.
The problem is that I can’t get the production environment to do the same. Just no files get created, anywhere. Nor are any exceptions thrown on missing permissions etc. Nada.
I believe I’ve read and tried out just about everything anyone had written on the Internet over the past seven years and I feel like I’m chasing my own behind trying to solve this problem. Should it be really that difficult?
At the risk of getting marked as duplicate I see no other option than to post my question here..
Basically, here is what I have this far:
The production application runs on Windows Server 2008 R2, IIS version 7.5. It has a dedicated Application Pool, with its identity set to ApplicationPoolIdentity (.NET Framework v4 / Integrated pipeline).
Application Basic Settings
Verified AppPool membership of IIS_IUSRS.
Verified Group Membership
User Authentication is set to Windows Authentication.
User Authentication
Should Anonymous Authentication be set to ‘Enabled’ to get the ApplicationPoolIdentity be used? I’ve tried setting it on, but it conflicts with the Windows Authentication, which is an essential part of our application and cannot be switched off.
If so, then how?
Both the Application Pool and the IIS_IUSRS have been granted Read & Write permissions on the folder.
I’ve tried setting Full control, but that didn’t help either.
Folder Security Settings
Here is the (stripped down) code that writes the files to the desired location:
Stripped-down Code
Other (silly) things I’ve tried are:
Playing around with absolute and relative path directions in my code.
Enabling Anonymous Authentication, resulting in a conflict with the necessary Windows Authentication.
Set Application Pool ProcessModel identity to Network Service.
Recycle Application Pool.
Load User Profile ‘On’ for the Application Pool.
Setting IE Enhanced Security Configuration ‘Off’ for users.
Restarting server machine.
Using different browsers.
Give 'everyone' full folder permissions, just to try the effects, nothing..
Set AuthenticatedUserOverride to UseWorkerProcessUser via IIS Configuration Editor. This causes that my application doesn't recognise Current.User.Identity.Name anymore, so it blocks further site access.
What I need is to keep Windows Authentication, but also be able to have the application anonymously write files to a given location.
Can anybody please hint me in the right direction or just tell me what I’ve overlooked?
Thanks!
I am developing on my local machine (Windows 7), and using IIS 7. I usually create a new website by right clicking on sites -> Add New Site. Then do the usual stuff by pointing to the physical files, and I'd stop all other websites which I didnt need. I could then run the site on port 80 without any binding conflicts.
I then recently started doing some ASP.NET development. When I published from my VS 2010 to local host I could run the website, and it all worked great. I then stopped the site (asp.net) but I couldnt start any of the other sites (not even the default). I am not sure why.
I started to read about App Pools and someone said to remove all the application pools. So I removed all my application pools (except the default app pool), and I also removed all the websites (as they had a red x next to them).
I now cannot start the default site as the restart, start and stop are greyed out. I cannot find out any way to reset the IIS server. One error I have received is;
the object identifier does not represent a valid object iis7
I dont know really know what this means, and when I search for this error it seems that many people have come across this error but in different contexts.
Is there any way to reset IIS so I can build simple websites again? Do I need to uninstall IIS and reInstall?
Uninstall IIS and reinstall would probably be the easiest and fastest way to accomplish this.
Other than that check the event logs see if you can find any clues there.
You'll want to ensure there is a one-to-one relationship between the number of sites & the app pools that host them. If they are 32-bit apps hosted on a 64-bit server, you'll need to enable this property (set it to True) on the app pool you want to use for your site. You'll want to run:
C:\inetpub\AdminScripts>cscript adsutil SET W3SVC/AppPools/Enable32bitapponWin64 1
The .NET Framework obviously needs to be installed, but then the separate step of running the ASP installation command needs to be done (C:\Windows\Microsoft.NET\Framework\v2.0.xxxx\aspnet_regiis.exe -i). If it already is, re-install them - it could be malfunctioning/corrupt.
After all that, I noticed IIS 7 puts on this generic app pool identity account to run the app pool with. I created a service account, gave this account Admin rights just to see if the site would run, and added it onto the app pool as the "Custom account". I no longer get the HTTP 503 error. The account should have the "Log on as a service" and "Log on as a batch job" rights. If it will be using impersonation and going out to a SQL database, the "Impersonate client after authentication" and "Allow log on locally" rights are also needed (hence why I like just giving it admin privileges to see if it works, first).
My web service needs to open some files located on a remote computer.
From Windows I can do the authentication so I can see those files using the File Explorer.
If I try to open the files from my Web Service while it's running using Visual Studio (ASP.NET Development Server) it also works.
However, if I do everything from IIS it doesn't.
In order to find out where is the problem what I did was to run a network sniffer and I found out that when using IIS, the system will try to use the account 'ASPNET' to login into those remote computers which will obviously fail.
However this doesn't happen if I run from the IDE (Using the ASP.NET Development Server)
I found out that if I use Impersonation for accessing this it will work, the problem is I need to have the same account names on the computer running IIS so I would rather not to do that.
Why is it working from the ASP.NET Development Server and not from IIS? Is there a way to give full access to the ASPNET account?
Thanks and hopefully somebody will be able to help with this. I don't know what else to try...
Any request on IIS is served by the ASPNET user. So the user ASPNET is working. I think you are using XP. On Win2K3 etc, the user is Network Service
But the Cassini (Visual Studio Dev server) runs under the current logged in user.
So the difference is. You need to use impersonation for your need.
I am currently using Visual Studio 2008 on XP Pro SP3.
Developing against http://localhost/ everything including debugging works fine.
I need a second website on my machine. IIS 5.1 only allows one website at a time so I used the JetStat XP Pro IIS Admin tool to create a second website. This runs by stopping the Default website and starting the other.
I have added the new website name into the Hosts file and mapped to 127.0.0.1.
Websites can be accessed via this address http://NewHostname/VirtualDirectoryName
Projects can be started without debugging (Web Applications & Websites).
However, when I try to debug I get an error: "Unable to start debugging on the web server. An authentication error occurred while communicating with the web server."
Integrated Authentication is enabled in IIS.
I have seen a lot of documentation with many fixes for "unable to start debugging on the web server" errors but they all seem like huge overkill for my problem, after all, debugging works fine provided I'm not doing it on this different hostname. They talk about doing things that I would do if debugging did not work at all even with http://localhost/.
Is there a place where I can just add this new hostname so that VS debugging is allowed? Do I need to change permissions somewhere? I feel like there should be a really simple solution that I'm just overlooking.
Here's a description of the problem: http://blogs.msdn.com/webdevtools/archive/2008/08/13/debugging-a-website-with-a-host-header.aspx
And here's the recommended registry workaround: http://support.microsoft.com/kb/896861
Do yourself a favour and download IIS Admin .NET.
This handy little tool allows you to switch between your websites at a snip - each one will become localhost when activated, and crucially, get you out of this debug debacle.
http://www.codeplex.com/iisadmin
You do have to add the hostname to a value within the registry.. but I can't remember where.
Since you can only have one website running at a time, why don't you just have them all running as 'localhost'? This way you don't have to change any annoying registry settings but you still have your applications running in individual IIS Websites.
I've recently had my PC upgraded to Vista, which means it includes IIS7. The problem is that the ASP.NET website we're working on doesn't work anymore. I get an error because the application is trying to connect to the SQL Server with NT AUTHORITY/ANONYMOUS LOGON instead of my domain user, and anonymous isn't authorized. I've tried several things, but no solution yet:
- install and enable the 'IIS Metabase and IIS 6 configuration compatibility'
- enable Windows Authentication for this website
- created a different Application Pool with managed pipeline mode set to Classic
- enabled IIS6 WMI compatibility and IIS6 management console (getting desperate here)
In our web.config there's and in our machine.config there's . I've tried putting impersonate to false and entering my domain user and password in the machine.config (it used to be like this) but that didn't help either.
Are there things I'm missing? Has anyone else had a similar problem?
How does your application authenticate with SQL Server? Does it use SQL or Windows Auth? I hope you are trying to use Windows Auth. In that case, your IIS worker process should be running under that Windows user account. If not, it should at the least impersonate a Windows user account that has necessary access rights to SQL Server. If you have impersonation enabled and if you are using the right Windows user account and if SQL Server authenticates using Windows auth and if you are still unable to access SQL Server, you may be running into the classic double hop issue. In other words, you are trying to authenticate to IIS once and you are using the same crdentials to authenticate to the SQL Server over a network next(which is your second hop) and Windows does not allow that for security reasons.
I believe I have found a/the solution. At least it's working now. This is what I did:
The website is now running in a seperate application pool with Managed Pipeline mode set to classic, Load userprofile set to False and Identity set to custom and using a domain user (and password) that has access to the database.
Under 'authorization' of the website itself, I have Anonymous set to enabled and ASP.NET impersonate set to disabled.
in the web.config of the site is also set.
Credit where it's due, this site helped me.
I'm sorry to say I can't look into the issue any further. Indeed, it probably is something with the way we connected to SQL Server (Win Auth) because we've changed it now. Now we connect with username and password in the connection string and it's solved.
So I can't really say if you provided the answer, msvcyc, but I did vote on your solution. Thanks for the time and trouble.
Well, I recommend you migrate to Integrated mode if there is not too many troubles to enjoy the innovation it brings. :)
http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx