I'm trying to get a website in my IIS 7.5 (Win 7 Pro machine) to run via a UNC path to the code for one of the default website and an underlying App. This is the first time I've ever tried to set up a site/app in IIS 7.5 based off a UNC path: a folder on another server in the same domain.
I've tried various things to try to get this resolved. The app pool is running under ApplicationPoolIdentity on my Win 7 Pro PC where I have this site set up.
The runtime error I get when trying to run the app in the browser via http://localhost/TheAppName is:
Module: IIS Web Core
Notification: Unknown
Handler: Not Yet Determined
Error Code: 0x800700005
Config Error: Cannot read configuration file due to insufficient permissions
Config File: \\?\UNC\theServerName\www\TheAppName
Requested URL: http://localhost:80/TheAppName
Physical Path: (nothing showing up here)
Logon Method: Not yet determined
Logon User: Not yet determined
I put in fake names for the server and app name above for privacy for this post.
So it's having trouble reading the web.config found in that UNC path for this site.
I tried to add a local user on the target server and then then gave that user permissions to the web.config and then used that user RemoteServerName\LocalUserICreated as the app pool's Identity on my machine but it had no effect.
No clue what to do here and how to go about it.
I assume the UNC path is to a different server?
If so are both servers in the same domain? If so then IIS needs to run the website under a user account that has permissions to read the files.
If not you need to create identical user accounts (same username, same password) on the web server and the file storage server and then change IIS to run the website under this user account.
Hope this helps/works.
When you create a web application or virtual directory from a UNC path, you need to provide the credentials to IIS for the connection.
In the Add Application dialog, below the Physical path section is the "Connect as..." button - you can then choose either "Application user (pass-through authentication)" or "Specific user".
Which ever you choose, they have to be credentials that will be recognised by the remote server - "Pass-through" will try and use the current desktop (or browser) credentials to authenticate the user which (if you're connecting via a VPN as per your comments) almost certainly won't be valid. In this case you should use "Specific user" and provide (ideally) a domain user with suitable permissions to run the site.
When we've needed to do this in the past, we'd create an account on the domain that the local AppPools would run under, and then this could be used in these situations as well.
If you've already created the application, the dialog can be reached using the "Basic Settings..." action link.
I took me a few hours to finally solve the same issue for myself. Turned out I used the wrong slashes in my physical path. It should be \ these, not // these.
Zhaph and Alan both identify the work-around suggested by Microsoft. Here's the rest of the information from Microsoft's page on your problem:
Cause
IIS 6.0 uses the hosting worker-process identity to connect to a remote directory. Then, IIS 6.0 authenticates the user against the remote directory. However, IIS 7.0 introduces delegation scenarios. In IIS 7.0, you can delegate Web-site settings and application-level settings to a Web.config file.
For pass-through authentication, the Web.config file is stored in a UNC directory. Therefore, the default-process identity in IIS 7.0 must examine the Web.config file first to determine whether any security-related settings must be applied before the authentication process starts. The default-process identity in IIS 7.0 does not have sufficient permissions to open the Web.config file. Therefore, the Web request is rejected.
If there is no Web.config file in the UNC directory, IIS 7.0 uses the rules that are defined for the parent directory. For the Web content to be served in this scenario, the worker-process identity must have access to the whole content directory. Otherwise, the Web request is rejected.
Resolution
To resolve this behavior and to make sure that pass-through authentication works correctly, follow these steps:
Make sure that all the user accounts that access the UNC directory have at least the Read permission for the UNC directory.
Note This behavior is the same as the behavior in IIS 6.0.
Make sure that the IIS worker-process identity is running under a domain account or under a workgroup account that also exists on the UNC file server. If it is necessary, create an account on the UNC file server that has the same user name and the same password as the IIS worker-process identity.
Notes
This behavior differs from the behavior in IIS 6.0.
By default, the DefaultAppPool application pool runs under the Network Service account. This account is local to the computer, and this account does not exist on another computer. Therefore, make sure that you configure the DefaultAppPool application pool to use an account that is a domain user. Then, you can use the same account on the UNC file server. Alternatively, you can create a workgroup account on the UNC file server and on the computer that is running IIS 7.0.
If there is a Web.config file in the UNC directory, edit the discretionary access control list (DACL) for the Web.config file so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the Web.config file so that the DACL contains the account that you created in step 2.
If there is no Web.config file in the UNC directory, edit the DACL for the UNC directory so that the DACL contains the account that you verified in step 2. Alternatively, edit the DACL for the UNC directory so that the DACL contains the account that you created in step 2.
Note This behavior differs from the behavior in IIS 6.0.
Related
I have an AspNet App (Blazor) running on IIS server.
I would like to create a txt file on the server, but it doesn't work.
I changed the AppPool identity to a domain user accound and the directories in E: have full permissions for this account.
It works in VisualStudio IIS Express, but not in IIS.
Anyone here who can help me? A permission problem`?
C# Code for creating txt file:
File.WriteAllText(#"E:\Publish\Export\Test.txt", "Hello World");
If you want to save to a specific path, use MapPath (or Server.MapPath) to get the physical path corresponding to the application. Because by default the web server (IIS or local development server) will save to its working directory.
Also you need to make sure the account running IIS has read/write permissions to the directory you need to write to. If you're looking for user accounts, go to "Advanced Settings" under Application Pools and check what's set for "Identity".
I have a website and it sits on the IIS Server and I have a folder on another server the file server. I have set the Virtual directory to the folder on the fileserver. This application both servers are on the same domain, but in the future I will have serves that are not on the same domain.
I have tried to set up local users on both machines and set up the app pool to use the local accounts and I get
System.UnauthorizedAccessException: Access to the path is denied.
and
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
I have set the virtual to connect as the local user and get the same error.
I have setup a domain user and then set the app pool to use the domain user and set to use pass through and when I test the settings in Directory Browsing it says everything is good but I get the same error from the webpage.
I have setup a domain user and then set the app pool to use the domain user and set to the connect as to the user and when I test the settings in Directory Browsing it says everything is good but I get the same error from the webpage.
I have set the apppool to use my login and it works with pass through permissions.
Is there something I am missing.
You need to set the folder permissions in your separate folder to give access to the "computer$" account of the server where your application is hosted.
See here: https://www.iis.net/learn/manage/configuring-security/application-pool-identities
application pool identities also use the machine account to access
network resources.
So in the server where you have your data files you should set the folder permissions to allow access to the machine name where your website is hosted.
I had this same challenge when deploying a web app using IIS on a Windows 2012 Server.
The issue was the App Pool Account did not have Full rights to the Website Root.
All I had to do was to go to the directory where the Website Root resides and then right-clicked on it. Next, I selected Security and then gave the IIS-Users group full access to the directory.
For me IIS-Users group contains all Users/App Pool Accounts that are created in IIS.
That's all.
I hope this helps
I have created a domain user specifically for the the virtual directory and it appears to work, but is this best practice?
I am running IIS 7 on Windows Server 2008 R2 with PHP 5.4. One of my PHP scripts is trying to access a file on a protected network share using a UNC path. How can I change the IIS service account to an account that has permission to access the share? This is really easy to do on Apache HTTP server (you just change it), but it's not clear how to do with IIS. What can I do?
Update:
I was able to get things working using the "Connect As" option in the "Basic Settings" of my website and then specifying an account that has access to the network share. It appears that my problem is related to this question:
https://serverfault.com/questions/366234/iis-identities-application-pool-vs-connect-as-in-basic-settings
For IIS 7 running on Windows Server 2008 R2 ... In the IIS Manager, select the Application Pool under which your Web Site is running.
Click "Advanced Settings". There will be an entry for Identity (it is under the Process Model section). Click it, provide credentials for your account that has permission to access the share.
UPDATE
You should make sure that if you are using an Active Directory Domain Account, you provided that correctly under Identity for the running App Pool. For example, MYDOMAIN\myAccount.
After making this change, you will need to do the following:
Stop the Web Site.
Recycle your Application Pool.
Start the Web Site.
UPDATE II
From the comment discussion on this answer, #HydroPowerDeveloper was able to get the PHP script to be able to access the network share via UNC path using WebSite -> Basic Settings -> "Connect As" and setting the credentials there.
In the past, I have always used the approach of setting Identity via Application Pool and that has allowed my code to access Network shares via UNC path.
However, all of the sites/applications I have deployed on IIS are .NET based WCF or ASPX sites.
I would speculate (but am not 100% certain on this, would need research/testing to confirm) that the Identity specified in the Application Pool is used by executing .NET code, whereas the "Connect As" is used by the PHP script.
Generally the Application Pool is set using the least amount of privileges as possible.
http://msdn.microsoft.com/en-us/library/ff647402.aspx
The easiest route is to allow access to the current IIS account.
In Explorer, navigate to the shared directory.
Right Click -> Properties -> Security
If you don't see the expected IIS user in the list (Group or user names), edit and add the user as required.
I used "NETWORK SERVICE" -> Check names.
The detailed instructions are on that site.
In this way, the system is still restricted, we're ONLY allowing access to specific directories, we don't need to create any new users, we don't need to recycle the application pool and we don't need to perform any nifty impersonation code.
To resurrect an old question...
I've just been setting up a Win 2016 server that uses some Perl to access a UNC share. I set the Application Pool to an account that I verified had the correct permissions on that share. I then set up my site to 'Connect as...' (under 'Basic Settings') the same user. I still couldn't get access working.
Much head scratching later, I realised that my 'Virtual Directory', cgi-bin, was running under the original 'pass through' account. I then set up the virtual directory to 'Connect as...' the same account as the site and the application pool and, bingo, it all works fine.
So, remember to update any Virtual Directories as well as the site and App Pool...
We are running ColdFusion 9 on IIS 7.5.
Our intranet website uses Windows Authentication with the Negotiate provider.
We have set up an Active Directory user group (Web Developers) and assigned the permissions to the web source directory.
Everything works fine for one particular user group.
We created a new group (General Staff) and assigned the permissions to the source directory.
After restarting all of the services involved we end up with 401.3 errors which are Authenticated but Access is denied errors.
The error happens with html as well as cfm files.
To verify access, I browsed the unc path in windows explorer. All worked well.
Are there permissions other than the actual source directory that need to be set to get past the access is denied errors?
Does ColdFusion run even if the request is an html file?
Assigning read permissions on the ColdFusion9\runtime\lib\wsconfig directory to the group in question allows the requests to proceed.
I am trying to use a textreader to retrieve data from a text file on a local machine. I have an upload routine to get the file for the reader to open.
When I run the application locally, it works fine. When I publish my application to my server, I am getting a Could not find a part of the path error. I assume this error has to do with permission in that the server cannot read from the local file system, but I don't know the proper way to remedy this.
do I set up the application to impersonate the user? I know I can't possibly set up each local users machine to allow the iusr account to access it.
Thanks for any thoughts.
UPDATE ****
I ensured that network service is they user for the app pool. I also ensured that the networkService has access to the local folder that the application resides in. I am running IIS7, and when I test the site, I am getting the error -
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again
I have tried suggestions from various posts, including adding domain\servername$ to the folder to allow access, but nothing seems to work.
Any thoughts?
Assuming this is IIS 6.5 or higher, the application pool user must have the necessary permission. By default, this is Network Service, which likely does not.
I solved this issue by first saving the file to the server, and then accessing the server's local file -
savedFileName = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, Path.GetFileName(file.FileName));
file.SaveAs(savedFileName);
The following blog helped me out - http://www.hanselman.com/blog/default.aspx?date=2008-06-28