I'm trying to start a Windows service on Windows Server 2003
from an ASP.NET page:
the code of line 35 is:
32. Dim controller As New ServiceController
33. controller.MachineName = System.Environment.MachineName
34. controller.ServiceName = "WindowsServiceRealName"
35. controller.Start()
The error code is
System.InvalidOperationException: Cannot open WindowsServiceRealName service on computer 'DARWIN'. ---> System.ComponentModel.Win32Exception: Access is denied --- End of inner exception stack trace --- at System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess) at System.ServiceProcess.ServiceController.Start(String[] args) at System.ServiceProcess.ServiceController.Start() at AfconParking.Import.StartService() in E:\ProjectsNet\AfconParking\AfconParking\system\Import.aspx.vb:line 35
The account used for the identity of your ASP.NET application pool ("Network Service" by default) does not have the permissions required to start a service.
To fix this issue, you have a few options:
Re-architect your site to not require interactions between ASP.NET pages and the service control manager. I really can't think of a good reason to require this (the service can simply be started at boot time, and remain running: if the service crashes, you should fix the cause of that, and/or use the corrective actions provided by the SCM. If a service restart is needed to kick of some kind of processing, use an IPC mechanism, such as sockets or named pipes, to communicate between your web app and the service instead).
Create a service account with the appropriate permissions (basically, membership of the local Administrators group) as described in detail here. Do note that this has several security implications, none of them particularly good.
Its a permissions issue, try to run the application pool with an Identity that has permissions to perform service control operations.
Read this kb to find out how to grant user such a permissions:
http://support.microsoft.com/kb/325349
Services have Access Control Lists (like files etc.). By default most normal and restricted user accounts (including the default account used by ASP.NET workers) do not have permissions to control or see the status any services.
You can either set an ACL on the service that allows the IIS worker to control the service, or run the web application with an account that already has rights.
The latter option would probably give the web application a dangerous level of access (e.g. what would happen if a web user found a security vulnerability), but is a quick approach to confirming that it is a service access permission.
Setting an ACL is the better solution, but I don't think there is a UI to set the ACL (except in group policy) which makes things harder. You'll need to use the command line tools (e.g. SUBINACL.exe)
Related
I have two apps with distinct install directories and a shared SESSION table (in mysql).
I have multiple authenticators setup on the 'main' app and I can login just fine. When I navigate over to a second app (same domain, different port), Symfony is loading the user from the session and choking somewhere.
I've installed symfony security bundle (in both apps), but made the user and provider non-doctrine in the 2nd.
I am getting this series of exceptions:
Full authentication is required to access this resource.
Symfony\Component\HttpKernel\Exception\
HttpException
Symfony\Component\Security\Core\Exception\
InsufficientAuthenticationException
Full authentication is required to access this resource.
Symfony\Component\Security\Core\Exception\
AccessDeniedException
Access Denied.
https://symfony.com/doc/current/security/user_provider.html#understanding-how-users-are-refreshed-from-the-session
Suggests that as long as my User object in the second app is identical to the main app - I should be good - alternatively I could implement User::isEqualTo() - which I've done.
It's not even being called, so something way before this is halting my code...
Any thoughts? What have I misconfigured?
The Question:
How do I get my Web Application to use my connection string login and not the Application Pool Identity?
The Background:
I have started up a .net mvc project and currently use Arvixe for hosting. I made a simple page using a form to communicate with the SQL database. Here is the site.
Just type anything into the text boxes and hit the button. If the communication is successful, it should just return a message.
The error:
Cannot open database "jfphotography" requested by the login. The login failed.
Login failed for user 'SEAWEED\photosbyjoefor_web6'.
My database user is jfphoto_dbadmin. I have tried making it photosbyjoefor_web6, but with no luck. No where in my code do I use, or set anything to, photosbyjoefor_web6. I have tried using photosbyjoefor_web6 in my connection string.
My connection string is correct, and I have been chatting with support for a week now. We believe that the application is using the Application Pool identity, and, using basic services, I am not allowed/Arvixe will not make any custom Application Pool Identities (which makes sense for shared hosting). Unfortunately, I do not want to be paying 40 bucks a month for their private hosting to be able to edit the Application Pools.
My project is using a Code-First approach, data service layers, context layer, all the fun stuff. I have never encountered this type of error before, and I am unsure of how to approach it. I really do not want to re-build my project in a different manner, but if I have to so-be-it.
Connection string:
add name="PhotographyContext" connectionString="Data Source=seaweed.arvixe.com;Initial Catalog=jfphotography;Integrated Security=True;user id=jfphoto_dbadmin;password=**" providerName="System.Data.SqlClient"
I've been researching for days and I've gotten to the point where my WCF service creates an Access object via com/interop. I've ran the OpenCurrentDatabase call for the Access object without an error but Application.CurrentDB is still nothing/null. If the CurrentDB is nothing then I surely can't call Application.Run "myFunction" I realize WCF services aren't meant to be user interactive, but it's a long story why I'm trying to go this route. Basically I need to have a proof of concept ready sooner rather than later and the alternative (correct) route involves the complete re-writing of a large complex access VBA application. It's not a permissions issue, I have the IIS user names added to the security tab. What I really need is a way to set Environment.UserInteractive to true so my WCF service can create an instance of Access on my server machine, run the VBA functions, close out, return true. I'm using VS 2010 for the WCF, IIS 7 for my server, Access 2010 for the VBA application. Please help!
The answer is to have the WCF service write the access macro name to a database and have a desktop application on the server machine monitor the database. The desktop application loads access, performs the actions, and writes back to the database upon completion. The WCF service monitors the database waiting for an "operation complete" status and returns the result.
I have a website in IIS 6 (on Windows 2003 Server) that has an application pool that keeps crashing because of too many unhandled exceptions being thrown by some processes. These exceptions are related to a windows service that executes every five minutes. Every time the service runs i get the below warning in the system log (in event viewer):
A process serving application pool
'AppPool1' suffered a fatal
communication error with the World
Wide Web Publishing Service. The
process id was '4172'. The data field
contains the error number.
(to note: I also get two errors in the application log, one which displays the stack trace and the second which displays the EventType)
I am trying to recreate this exact scenario in another website (on the same server) so that I can attempt to catch the exception in a development environment and then apply the working code to the live environment. I have created a second service, a second application pool, etc. My problem is that I cannot cause the same warning above for the second application pool (i.e. AppPool2). I have the theory that my second service is somehow connected to my first application pool (AppPool1) but have been unable to prove or confirm this.
My question is, am I right? Is there some sort of "connection/relationship" between the windows service and the application pool (i.e. can i configure a service to access a certain application pool)? If so, how would I configure this? If not, then I am wondering if is it possible that a process from my second service is accessing my first application pool?
Thanks.
Application pools are isolated processes. Your Windows Service process should not affect an application pool process unless it shares a vital resource to that process(like a file...etc), thus causes it to crash.
It sounds like your Windows Service is calling a Web Service in your application or maybe the same resource on the server as your application?
I modified the ASP.NET login control to also allow specifying UserRole ('Employee' or 'Volunteer'). Users are authenticated via a call to a webservice written by our client, which accepts username/password/role and returns true or false.
If role is 'Employee' it represents an active directory user. The application should impersonate the user with the given username/password.
If role is 'Volunteer' the application should run under a set Windows account whose username/password are known in advance (i.e. hard-coded in web.config file).
The server runs on Windows Server 2003. I am confused by the myriad of configuration choices and trying to understand my options;
Is it possible to have multiple scenarios as described?
Should I specify the impersonation programmatically or can it be done through the config file? If so, is it required to use LogonUser or WindowsIdentity?
What config file setup should I use? (i.e. Forms authentication, impersonate=true, etc..)
Thank you in advance.
Because the decision about which identity to impersonate is based on run-time data, you'll likely have to deal with impersonation programmatically.
I use a combination of interop and WindowsIdentity to handle impersonation. The steps I follow are:
Log on using the interop LogonUserA(), which fills a handle to an IntPtr (token).
Duplicate the token with the interop DuplicateToken().
Create a new windows identity, a la: var identity = new WindowsIdentity(tokenDuplicate);.
Create an impersonation context via: var context = identity.Impersonate();
Close both tokens with the interop CloseHandle()
When finished impersonating, undo the impersonation context via: context.Undo();
I keep a disposable class around to handle the details. Steps 1-5 occur in a constructor, and step 6 occurs in the dispose routine. This helps ensure that I properly revert even in the face of an exception.
With this approach, since you are passing credentials via a service method, the web.config authentication scheme is not entirely forced. If, however, you are using integrated Windows auth, you could programmatically impersonate the current user from HttpContext.Current.User.Identity.Impersonate(), without passing credentials in a service method.
On an aside, and you may already know, PInvoke.net is a valuable resource for configuring signatures for interop methods.