My web service needs to open some files located on a remote computer.
From Windows I can do the authentication so I can see those files using the File Explorer.
If I try to open the files from my Web Service while it's running using Visual Studio (ASP.NET Development Server) it also works.
However, if I do everything from IIS it doesn't.
In order to find out where is the problem what I did was to run a network sniffer and I found out that when using IIS, the system will try to use the account 'ASPNET' to login into those remote computers which will obviously fail.
However this doesn't happen if I run from the IDE (Using the ASP.NET Development Server)
I found out that if I use Impersonation for accessing this it will work, the problem is I need to have the same account names on the computer running IIS so I would rather not to do that.
Why is it working from the ASP.NET Development Server and not from IIS? Is there a way to give full access to the ASPNET account?
Thanks and hopefully somebody will be able to help with this. I don't know what else to try...
Any request on IIS is served by the ASPNET user. So the user ASPNET is working. I think you are using XP. On Win2K3 etc, the user is Network Service
But the Cassini (Visual Studio Dev server) runs under the current logged in user.
So the difference is. You need to use impersonation for your need.
Related
I need to run unit tests and test database connections using integrated security with SQL Server for a domain service account that will be the appPoolIdentity when we push to dev and production. I have been trying to find an answer to this for some time and can't seem to get a handle on it. It seems like it should be possible to impersonate this account given userid and password. Any help would be appreciated.
It's relatively simple. Rather than using the integrated IIS Express, you install the full IIS on your local computer, then you assign the app pool the identity of the service account you are going to use.
You do need to run Visual Studio as Administrator in this scenario to debug a different user.
Make sure that you setup the project to use IIS rather than IIS Express, and you should be good to go.
Every time the ASP.NET application in question throws an error the Global.asax writes to an error file: logs\error.log. The ASP.NET applications works using Windows authentication.
I am able to write to the log file when debugging using Visual Studio, however it does not work when the application is deployed in the live environment. How do I find out what user account I need to give access to: logs/error.log?
The application is deployed on a Windows 2003 Server with IIS6. Microsoft.NET 3.5.
You would have to give the required permissions to the network service account. This link might be able to help you out.
Windows Server 2003 defaults to the "Network Service" account.
This can be verified by opening IIS (expand the computer if needed), expand the "Application Pools" folder, right click on the pool used by your web app, and go to the Identity tab.
FYI: Windows Server 2008 uses the IIS_IUSER instead of Network Services.
I hope that logs folder is a virtual directory setup outside the web site directory.
Otherwise every time you deploy the entire solution you will overwrite the logs folder and its content.
Microsoft has a tool for monitoring file access that can be useful for troubleshooting permission issues.
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645
You will also want to check if your application is using windows authentication & identity impersonation since that can change the identity the application is executing with when enabled.
I am developing an intranet ASP.NET web application that's configured to use Integrated Windows Authentication. My web app needs to check user entitlements using LDAP to get user memberships, etc.
The issue I noticed today is that, when I run my web app using IIS, sometimes the LDAP calls fail with strange errors, such as "Unable to contact the server..." ... or "...that domain doesn't exist..." (something along those lines, anyway). However, if I run my web app using Cassini, I don't get those errors.
If IIS is the issue, why would it fail some times and other times not? What does Cassini do different that IIS is not doing?
I'm using IIS 5.1 / Windows XP / Visual Studio 2008
Why is this happening, and how can I fix it?
Probably something to do with the fact that when you're running Cassini, it's your domain account that's querying the LDAP. It is strange that it would work in IIS sometimes though, and not others. Is the server registered on the network? What system account is IIS running under?
#James Johnson: I figured it out thanks to your comment, which got me thinking about my domain account... Finally, I found this post which points out that in order to connect to LDAP one needs to set Impersonation=True in web.config. It was working intermittently this morning, I think, because I was using Firefox instead of IE, which required me to enter my domain username and password.
The other strange thing was that my app worked fine in our development and stage environments even though my web.config is the same for all of them. I suppose the guys in the hosting group have this set at the machine.config level.
App works fine in IIS on Windows 7 on my dev machine. Trying to debug on a client machine running XP and VS2008 and the app works ok running on Cassini, however when I select IIS I am getting a 403 forbidden error. Anonymous access is switched on in ISS. Can anyone help work out why it won't work in IIS?
try to add permission to this folder for Network Service user, may be help.
check that it isn't set to impersonate. Usually you just have to give permissions to Network Service (as mentioned by #loviji), but depending on your application and your computer configuration you may need to give permissions to the account that is configured for anonymous users in IIS.
I am developing a remote control application where a client (aspx page in a browser) can request a server to "launch a notepad" (for testing purpose, for real life, turning off a light bulb, etc). So I created a dll with a simple function for launching the notepad (on the server side) and dropped this dll in the root bin folder.
It worked fine when the aspx page is running under ASP.NET development server (launched from Visual Studio). But when I tested the same aspx page under a FireFox browser, it did not work (launch the notepad) even though it did call for the same function (I stepped through in debugger).
Is this a permission issue? How do I set this up in IIS manager, or even better in web.config?
Please help.
Yes, it sounds like a permission issue.
The application pool in IIS 7 that your site is running under is probably using the default identity, which is the most restrictive. You can change the identity in IIS Manager by right-clicking on the app pool (probably called DefaultAppPool) and selecting Advanced Settings. From there change the Identity value to Local Service or Network Service. If neither of those work, making it Local System should allow your page to work.
I assume the Visual Studio integrated web server runs under the context of the account you are logged in with on the machine, which likely has a lot more rights.
When you say:
it did not work (launch the notepad)
Did you mean it through an exception or you didn't see a notepad window open. If it was a permissions issue I would expect you that you would get an exception. Chris is right on when he says:
The application pool in IIS 7 that
your site is running under is probably
using the default identity, which is
the most restrictive.
and
I assume the Visual Studio integrated
web server runs under the context of
the account you are logged in with on
the machine, which likely has a lot
more rights.
and if this is a permissions issue he is right on. However, the user your running under (when not debugging in Visual Studio) most likely cannot access the desktop of the logged in user. Maybe you should try your test with an app that doesn't need to interact with the desktop.