500.19 on IIS 7, Cant log on locally - asp.net

I don't know where sholud I ask this...
I've seen this issue and I think the answer should me close to that, but seems that I can't still do this.
The funny thing is the same (I think) was done by me in another server w/ IIS 7 a year ago or so, without further trouble. It could be also that I don't remember so much of it.
I have an Apache server running on port 80 (That can't be changed)
This is what I've done:
Integrated AppPool was an issue on the other server I've placed so I've tried to change the
Default AppPool to a Classic .Net
The WebApp Pool to a Classic .Net
The User is also mandatory on the Webservice so I'm placing a Service Account that impersonates for any anonymous (or not) user that might access so I have
The ServiceAccount as Administrator of wwwroot and subfolders
The ServiceAccount as Impersonated by default in the Default Web Site
The ServiceAccount as Impersonated in every Web App I need
Shared r/w the folder with the ServiceAccount
Also
I've tested the access and both Authorization & Authentication works
marvelous.
I've restarted the app, the site and the IIS multiple times without
success.
Checked the Event Log without finding anything useful.
Modified applicationHost.config getting into more troubles than solutions.
This is what I get when I try to see the App Settings at IIS7
--------------------------- Application Settings ---------------------------
There was an error while performing this
operation.
Details:
Filename:
\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Line number: 165
Error: Can not log on locally to %SystemDrive%\inetpub\wwwroot as user
MyDOMAIN\MyUser with virtual directory password
--------------------------- OK ---------------------------
This is what I see when I go to my page (an asmx)
HTTP Error 500.19 - Internal Server Error The requested page cannot be
accessed because the related configuration data for the page is
invalid.
Detailed Error Information Module IIS Web Core Notification
Unknown Handler Not yet determined
Error Code 0x80070569
Config Error Can not log on locally to C:\inetpub\wwwroot as user
MyDOMAIN\MyUser with virtual directory password
Config File Unavailable (Config Isolation)
Requested URL
http://localhost:8080/myApp/MyWebService.asmx
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
#Edit: 0x80070569 Drove me to see that The service account weren't logging on as a Service (as it should), nor as a Batch process.
It was a Security Setting that should be touched, a group policy object has to be set to the account (in the Example MyDOMAIN\MyUser). And that's an access that only the area of IT Security can grant.
Even when this was changed the problem remained still.

The accepted answer didn't work for me.
But when I followed the below steps, my issue was resolved:
Go to your IIS manager.
Click on Sites
Right click on Default websites, Go to Manage Website and then click on
Advanced Settings
Set your physical path credential to Specific user with credentials
Restart IIS
Note: You may also need to reenter the credentials in the application pool, if the system password has been changed recently.

It actually was a secpol.msc Policy What was blocking the web access. The ServiceAccount wasn't a Service one.
As in the edit that I posted IT Security gave me the privileges to set it a*s a Service Account*, but that alone just wouldn't do the trick.
In the Advanced Settings of the webSite
Physical Path Credentials Logon Type, Batch logonMethod was selected.
And the service account still wasn't with the privileges to run as a Batch Process.
And that was it.
Not only the service account, but also The Run as a Batch Job was necessary.

Sometimes it causes by changing administrator password or changing user access.
After that application pool cannot access to local user.
One of the most stupid solution for this problem is remove website and application pool then make another website.
This solution helped me.

Check the Password of your Application pool and application. Try clicking on the Test Settings to check the connection is proper

The accepted answer didn't work for me.
But when I followed the below steps, my issue was resolved:
1. Go to your IIS manager.
2. Click on Sites
3. Right-click on Default Web Sites and select 'Basic Settings'
4. Select Classic .NET AppPool from the Application Pool drop down
5. Save and Exit
Everything went normal.

None of the other answers solved the issue for me.
In the end, I had a re-create my site and app pool, which is far from ideal, but was the only solution that worked.
IIS must have been caching an old value that I couldn't find/clear.

Related

I can't seem to access a web application externally

I am getting a "Server Unavailable" error message when I try to access a web application externally, but I can access it fine internally. It's got a message for administrators telling me to check the event log, but there's nothing there. Another thing, this is a work server, so I'm not exactly sure if they're using another firewall, but the Windows Firewall is disabled and the McAfee security installation does not have a firewall. Any thoughts on what could be causing this. If you need to see any code or need more information, let me know.The server is running Windows 2003 server OS.
I would be willing to bet the correct ports are not forwarded.
What kind of web app is it? You have to find out which port that app uses and forward it on the router.
Server Application Unavailable in IIS for ASP.NET application
Problem :Server Application Unavailable
The web application you are attempting to access on this web server is currently unavailable. Please hit the "Refresh" button in your web browser to retry your request.
Administrator Note: An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur.
Solution 1:
Open the command promt and direct to the folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727
and run the command to install ASP.NET in your IIS
aspnet_regiis.exe -i
Solution 2:
To work around this problem, verify that the ASPNET account has the correct user rights as follows:
a) %windir%\Microsoft.NET\Framework\Version\Temporary ASP.NET Files: Full Control
%windir%\Temp: Full Control
b) Application folder: Read
c) %installroot% hierarchy (for example, %windir%\Microsoft.Net\Framework\Version): Read
d) %windir%\Assembly: Read
e) Web site root (for example, %root%\Inetpub\Wwwroot) or the path that the default Web site points to: Read
f) %windir%\System32: Read(Typically, the ASPNET account has already been granted user rights as a member of the Users group.)
Now Close all the applications and reset IIS in command promt 'iisreset'
problem solved :) cheers

IIS application pool identity not allowing the server to start

This question:
IIS application pool access to remote directory on network ask how to allow iis to have the ability to access a file on a network drive. The answer is to set up a user with the appropriate rights and set the application pool identity to that user. We've done that and when we restart the app pool we get a 503 error on our web app.
It appears that the app isn't actually starting.
Here are more details which may help you analyze the problem:
This is Windows Server 2008 R2, iis 7
Our username is abc123\_svc_OSAT (Domain name isn't actually abd123 but I need to obscure it rather than risk publishing internal company information)
As abc123\_svc_OSAT I can map a drive to \\FPIAPPS01\Logs which is a directory on a network server so we know that this user has network access.
In iis we click on our app pool, select Advanced Settings, select Identity, Select the .. button, select "Custom Account" and set it to the user abc123\_svc_OSAT and use the proper password. We then stop and start that application pool.
When looking at the app in a browser we get a 503 error. Checking the logs at C:\inetpub\logs\LogFiles\W3SVC1 we don't see any error. However, the application appears not to have actually started.
Does abc123_svc_OSAT need a specific permission which we may be
missing?
Is there any other place with a log file which we should
look to get a better idea of what is causing the problem?
Thank you.
Does abc123_svc_OSAT have access to directory that hosts your ASPX files? The log files you are looking at are only for logging access to your website. You will want to check the event viewer to see the actual IIS error.
We ended up making the user an administrator and that worked. That's probably too broad for sufficient security rights. We'll keep looking. But it does show that the issue was somehow related to user roles rather than a password issue.

IIS7 IUSR account permissions not working with forms authentication and file upload

I am trying to deploy an asp.net 4 app to a new microsoft server 2008 R2
I have set up the application as I have done dozens of times before and set the folder permissions appropriately.
I have tried setting the application pool name directly to have write permissions
I have tried setting IUSR, IIS_IUSRS, NETWORK SERVICE and Users.
I have confirmed that windows authentication is disabled and anonymous is enabled as well as forms authentication is enabled. Logging in works fine i can access all pages normally except if i try to write to the folder. Then a password is required box pops up which looks like windows authentication (even though its disabled)
Every post here states and in my past experience says if I set the folder permissions for the defaultidentity application pool it should work, but for some reason this server wont let me do it!
Any help would be most appreciated.
Welp this turns out to be a really weird one. For some reason when SQL reporting services is installed it reserves the folder name "Reports" in any IIS Web application folder regardless of whether your actually using Reporting services. Its not created by default or anything, but if you happen to create folder titled "Reports" dont expect to access anything from it. After many hours of frustration it turns out it's a random reservation which doesn't throw any error just somehow overrides your authentication protocol to use windows authentication for their reserved folder.
Thanks Microsoft!

IIS7 Accessing Network Share

I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...

IIS - Required permissions cannot be acquired. Enabled "Full Trust" and Load User Profile on App Pool is "True"

Setup
There is an IIS 6 application running in a .NET 2.0 App Pool on Server-A. IIS 7 Server-B needs to host that same code-base under a different URL. I created a virtual directory under Server-B's website to the network path of the application on Server-A. I've enabled this virtual directory on Server-B as an application running in its own .NET 2.0 App Pool in Classic Mode. Both app pools run as the same domain account that has access to that folder.
Issue
When accessing the site from Server-A it works fine. Accessing it from Server-B however generates the infamous "Required permissions cannot be acquired." error.
I have been trying to find a solution to this problem for two days. The two most common solutions have been to check the CLR Trust level on the Server-B box or to set the Load User Profile property on the App Pool to "True". Since I have full administrative rights I set the Trust level to Full and set the profile sitting to "True". Strongly naming all the assemblies the application and throwing them in the GAC is not where I want to go.
I'm sure I'm just missing some configuration somewhere. Any ideas? Thanks.
We have had a similar problem once.
In our case the user that was the identity of the app pool have never logged on to the server. Therefore, there was no local user profile, therefore there was a problem when the system tried to use the profile.
As a test try and set the identity of the app pool to the admin account you use to log in with.
Manually verify that user can access that share. Try logging into windows as that user and then accessing that share (or fake it with something like a "runas /User:{Domain\UserName} net use {\server\share}").
Also try loading ShareMonitor wherever the files actually live. It should tell you what user account is trying to access a given share. It might not be the account you think it is. I cannot recall if it was this program or not, but I have used something very similar in the past to figure out a really odd permission problem.
That should determine if it is a file access problem. If it isn't, then all I can say is to make sure you have ASP.NET enabled (on windows server it is a separate option).
Also check out the file permissions on your "Temporary ASP.NET Files" directory. I've had to explicitly add users write access to that before to get things working.
in my case my IIS App Pool had LoadUserProfile=false, so it was not loading the profile of the app pool's Identify (a domain account). This caused this unable to acquire permissions even though my Webroot files/folders (including /bin) had correct permissions. Setting LoadUserProfile=true fixed the issue for my setup.
I would set that application pools identity attribute (in advanced settings) as administrator. That way, you application will work on the server, just like it works on the local setup.

Resources