Error hosting WCF on WAS - asp.net

I am getting this error while hosting my WCF application on windows service. The service is hosted on a server and i want to access it over internet. So i gave it networkservice permission.
Service cannot be started. System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:8085/lupload/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). ---> System.Net.HttpListenerException: Access is denied
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.HttpChannelListener.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(Tim...
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

NetworkService is actually a limited account, you need to go for LocalSystem which is the equivalent of an Administrator account. That'll solve your problem.

Related

Can't get simple Azure AD ASP.NET authenticated web app to work

I have used the Visual Studio template for an ASP.NET Webforms app with Azure AD authentication to create a simple web app. It works 100% fine locally. I can sign in, sign out, all good. Whenever I deploy to either AWS or Azure however, the behavior changes. The sign in still comes up fine, no issues at all, but after signing in, instead of taking me to the site, the browser just thinks for ages before dumping me to this error in the browser:
Server Error in '/' Application.
Runtime Error Description: An application error occurred on the
server. The current custom error settings for this application prevent
the details of the application error from being viewed remotely (for
security reasons). It could, however, be viewed by browsers running on
the local server machine.
Details: To enable the details of this specific error message to be
viewable on remote machines, please create a tag within
a "web.config" configuration file located in the root directory of the
current web application. This tag should then have its
"mode" attribute set to "Off".
I have tried adding the web.config setting and redeploying and it makes zero difference. Because I'm using App service on Azure for instance, I can't run the site on the actual web server as I don't have access to it. I tried looking at diagnostic log streaming, and got the below? Please help? Anyone? I have no idea why this isn't working. Interestingly, although I have asked that the site be http and it runs locally as http, once uploaded the url becomes https. Not sure if that' related.
From streaming logs (Azure)
HTTP Error 500.0 - Internal Server Error The page cannot
be displayed because an internal server error has occurred.
Most likely
causes: IIS received the request; however, an internal
error occurred during the processing of the request. The root cause of
this error depends on which module handles the request and what was
happening in the worker process when this error occurred.
IIS was not able to access the web.config file for the Web site
or application. This can occur if the NTFS permissions are set
incorrectly. IIS was not able to process configuration for
the Web site or application. The authenticated user does not
have permission to use this DLL. The request is mapped to a
managed handler but the .NET Extensibility Feature is not
installed. Things you can try:
Ensure that the NTFS permissions for the web.config file are
correct and allow access to the Web server's machine account.
Check the event logs to see if any additional information was
logged. Verify the permissions for the DLL.
Install the .NET Extensibility feature if the request is mapped
to a managed handler. Create a tracing rule to track failed
requests for this HTTP status code. For more information about
creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module __DynamicModule_Microsoft.Owin.Host.SystemWeb.OwinHttpModule,
Microsoft.Owin.Host.SystemWeb, Version=3.0.1.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35_79846f5c-7e22-4a97-8a1c-24bc400cf7db
Notification EndRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x00000000
Requested
URL https://SimpleADApp:80/
Physical
Path D:\home\site\wwwroot Logon Method Not yet
determined Logon User Not
yet determined
More Information: This error means that there was
a problem while processing the request. The request was received by
the Web server, but during processing a fatal error occurred, causing
the 500 error. View
more information ยป Microsoft Knowledge Base
Articles:

Cant add bindings to IIS programmatically - redirection.config permissions (with a video!)

Here is a video summary of my problem http://screencast.com/t/v6th4BuRLhV
I am trying to add bindings programmatically to IIS with this code:
public void AddBindings(string sitename, string hostname)
{
ServerManager serverMgr = new ServerManager();
Site mySite = serverMgr.Sites[sitename];
mySite.Bindings.Add("*:80:" + hostname, "http");
mySite.ServerAutoStart = true;
serverMgr.CommitChanges();
}
And I get this error:
Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
I have addressed the permissions on redirection.config (both IUSR and IIS_IUSRS have permissions)
As well as the errors on web.config as suggested here http://www.codeproject.com/Questions/348972/Error-Cannot-read-configuration-file-due-to-insuff
But it still doesn't work.
ANSWER
Websites don't run under the IIS group. Whoever owns the app pool is the user and this is the user that needs permission. Or put that user in the IIS_IUSRS group.
Figure out what account your application pool is running as. Then you need to give that account access to the entire %SystemRoot%\System32\inetsrv\config folder. It wasn't enough for me to give access to just %SystemRoot%\System32\inetsrv\config\redirection.config
in my case "run as administrator" solved the problem

WebDeploy - Not able to log on the user '.\WDeployConfigWriter'

I have problem with MsDeploy to publish my website to remote IIS from Visual Studio.
I encountered the following error:
Microsoft.Web.Delegation.DeploymentAuthorizationException: Not able to
log on the user '.\WDeployConfigWriter'. --->
System.Runtime.InteropServices.COMException: The user name or password
is incorrect. (Exception from HRESULT: 0x8007052E) --- End of inner
exception stack trace --- at
Microsoft.Web.Deployment.LogonUserHandle.LogonUser(String userName,
String domain, String password)
I tried to change WDeployConfigWriter's password in Local Users and Groups (lusrmgr.msc).
Then, I open Management Service Delegation.
I try to set credentials in edit rule for WDeployConfigWriter page and it's always fail with message "The spesified password is invalid. Type a new password".
I am working in Windows Server 2012.
Any help would be appreciate.
Thanks!
I had this too but with a slightly different detail
Not able to log on the user '.\WDeployConfigWriter'.
Logon failure: the specified account password has expired.
Full credit to this blog, the problem is that the Web Deploy installer creates users with expiring passwords that are used to elevate permissions during deployment. The fix is to:
Use server manager on the accounts WDeployAdmin and WDeployConfigWriter to
reset the password
check password never expires
uncheck user must change password next logon
Use IIS -> Management Service Delegation to reset the passwords for the rules where those accounts have been configured to elevate to a specific user
Fixed!
The easiest fix to this problem is:
Computer Management ->Local Users And Groups -> Users
Right click -> properties on WDeployAdmin
Uncheck "User must changed password at next logon
Check "Password never expires"
Do the same for WDeployConfigWriter
Done!
Similar to #fiat solution, but you don't really need to change the password.
Here are simple CMD commands:
WMIC USERACCOUNT WHERE "Name='WDeployConfigWriter'" SET PasswordExpires=FALSE
WMIC USERACCOUNT WHERE "Name='WDeployAdmin'" SET PasswordExpires=FALSE
It will set deploy users passwords to never expire
The WDeploy* users are not intended to be used directly as part of your deployment process. Instead, they are used to implicitly elevate permissions in order to perform specific tasks (modifying IIS for WDeployConfigWriter, and GAC installations among others for WDeployAdmin).
I'd recommend creating a non-admin user specifically for your website. You can find the instructions for doing so at Installing and Configuring Web Deploy on iis.net. If you continue to have problems with the WDeployConfigWriter user, you're probably best off uninstalling Web Deploy and starting again.
In my case, I got this error because either WDeployConfigWriter nor WDeployAdmin had been created during the installation of WebDeploy (3.6 / 4.) even if the installation ran through successfully.
Found out, that the servers rule for password complexity was more restricting that the generated one with the script in C:\Program Files\IIS\Microsoft Web Deploy V3\Scripts\AddDelegationRules.ps1 didn't meet the requirements.
So I edited GenerateStrongPassword() in the PowerShell file and run it.
The users then have been created successfully.
There is some cases where setting "Password never expires" not is enough. Reinstalling webdeploy will fix the issue.
The other way to fix this is to set new passwords for the users WDeployAdmin and WDeployConfigWriter.
User management
The next step is to set the new passwords in IIS > Management Service Delegation for those users.
Management Service Delegation
I had the same problem trying to changes the passwords in Management Service Delegation and it did not fix the problem. It turns out that I had to change the WDeployConfigWriter to a different user(ie Admin) change it back and then the password changes only took effect
I had the same problem with Visual Studio 2017 with a different error message. The solution is also uncheck (WDeployConfigWriter) "User must changed password at next logon"
Publish failed
Publish has encountered an error.
Publish failed due to build errors. Check the error list for more details.
A diagnostic log has been written to the following location:
"C:\User\MyUser\AppData\Local\Temp\tmpXXXX.tmp"
The content of the log file
06.04.2018 19:56:13
System.AggregateException: One or more errors occurred. ---> System.Exception: Publish failed due to build errors. Check the error list for more details.
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
at Microsoft.VisualStudio.Web.Publish.PublishService.VsWebProjectPublish.<>c__DisplayClass40_0.<PublishAsync>b__2()
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.VisualStudio.ApplicationCapabilities.Publish.ViewModel.ProfileSelectorViewModel.<RunPublishTaskAsync>d__108.MoveNext()
---> (Inner Exception #0) System.Exception: Publish failed due to build errors. Check the error list for more details.<---
===================

Security issue accessing microsoft interop dll sending email

We have a simple piece of code here that recently stopped working and I have tried many 'things' to try and resolve the error.
The code
Application outLook = new Application(); :)
The error
Retrieving the COM class factory for component with CLSID
{0006F03A-0000-0000-C000-000000000046} failed due to the following
error: 80070005. Description: An unhandled exception occurred during
the execution of the current web request. Please review the stack
trace for more information about the error and where it originated in
the code.
Exception Details: System.UnauthorizedAccessException: Retrieving the
COM class factory for component with CLSID
{0006F03A-0000-0000-C000-000000000046} failed due to the following
error: 80070005.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
Now whilst the error is quite obvious I cannot resolve it.
The application is a .net 2.0 web application and the server is windows 2008 r2 standard using IIS 7.0
Thanks
Using Client appliactions on a server is always going to be problematic - there are other ways to access mailboxes.
That said, this might help:
http://technoblogy.net/retrieving-the-com-class-factory-for-component-with-clsid-00024500-0000-0000-c000-000000000046-failed-due-to-the-following-error-80040154/

WMI access denied error when query remote computer from ASP.NET

I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.
The problem is that I get "Access is denied" error, despite the fact I can successfully execute the my WMI request from PowerShell console on the same host under the same user to the remote server in question.
// this doesn't work
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01";
scope.Connect(); // <-- here comes exception
# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01
Dumping HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggest that impersonation works as expected.
Ideas? Could the issue be some kind of .NET or IIS security?
You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this the remote target server will see the request coming in as Anonymous User... which if its properly secured will be denied access.
Note its a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have problem. Talk to your domain admin.

Resources