We have to access a network UNC share which is say allowing access to USER1. Our exe is running with LOCAL SYSTEM account. In the exe, we do Impersonation with "USER1" credentials so that exe can access UNC share. But after doing the impersonation, we are still getting error "Access denied" while accessing that UNC share.
After the impersonation, we are enabling following privileges on the Impersonated thread:
SE_BACKUP_NAME
SE_CHANGE_NOTIFY_NAME
SE_CREATE_GLOBAL_NAME
SE_DEBUG_NAME
SE_IMPERSONATE_NAME
SE_RESTORE_NAME
SE_SECURITY_NAME
SE_TAKE_OWNERSHIP_NAME
SE_TCB_NAME
Do we need to enable any other privileges or we are missing something else?
Thanks
-- Nitin
If you're on an Active Directory domain you need to configure for delegation.
Given the following:
Server A hosting the EXE
Server B hosting the UNC share
Both servers on a domain managed by Active Directory
You must configure AD so that server A has the right to "delegate" for users on the domain or, to be more secure, for server B only.
For more help, check out serverfault.com.
Related
What permissions are necessary for a user to use web deploy to IIS running on a different server?
When I try to deploy from VS 2010 using that users credentials, I get the below error.
Error 36 Web deployment task failed.(Remote agent (URL https://server:8172/msdeploy.axd?site=site.name.com) could not be contacted. Make sure the remote agent service is installed and started on the target computer.)
Make sure the site name, user name, and password are correct. If the issue is not resolved, please contact your local or server administrator.
Error details:
Remote agent (URL https://server:8172/msdeploy.axd?site=site.name.com) could not be contacted. Make sure the remote agent service is installed and started on the target computer.
An unsupported response was received. The response header 'MSDeploy.Response' was '' but 'v1' was expected.
The remote server returned an error: (401) Unauthorized. C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v10.0\Web\Microsoft.Web.Publishing.targets
I am able to use web deploy when I use my domain account (e.g. domain\user) with the following publish arguments.
My domain account is an administrator on the destination server, but granting the service account full admin privileges is not an option.
The user must have the following permissions.
Read/Write permissions on the site folder directory
WDeployConfigWriter and WDeployAdmin must be configured to have their password never expire and user cannot change password like the below screenshot
The account that runs the build should be enabled under IIS Manager Users
The account that the build runs under must have permissions to the site under IIS Manager Permissions
Configure Management Service
Configure Management Service Delegation like the below
Useful reference
Web Deploy 3.0 infuriating 401 error on publish
The user that the account runs under should be a Power User and must have full control permissions to the folder that the destination iis site is running from.
I have a Classic ASP page that configures a port exclusion on the server's windows firewall using the HNetCfg.FwMgr object. On my IIS 6, Win 03 server, I had to add Set/CreateKey/Delete access to the IUSR_machine account to the HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ registry entry.
When I run on my new Windows Server 2008, IIS 7, I get a Permission Denied. If I change the Anonymous user to Admin, or even a newly created user that is a member of the Users group, I don't get the permission denied, and the updates occur.
I noticed that the location in the registry where the firewall entries are stored has changed. But even if I give IUSR Full Control of my HKLM, it still gets a Permission Denied when attempting to add the port exclusion. It can read the list of port exclusions fine, so I am assuming that access to the HNetCfg.FwMgr is working fine.
Anyone have any ideas how to get IUSR to be able to add an exclusion using that object (HNetCfg.FwMgr)? Rewriting using the new fw policy 2 in not an option at this time.
You need to run your application pool as an administrative user. If you are worried about security, then run it as a virtual directory that has the admin permissions. You can use xmlhttp from a script not in that virtual directory (one under the control of I_user) to call the script in the (Firewall) virtual directory which has admin sercurity permissions. This way, the url (virtual directory) of your firwall script is not public.
We have developed a ASP.Net application. My apppool is running under Network Service Identify.Throug code we need to install a certificate. As my app pool is running with Network Service Privilages, it is throwing cryptographic exception "Access Denied".
I've tried the following option:
Given Full permissions to Network Service for the following path:
"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"
installed and the below tool to give permission to network service.
WinHttpCertCfg.exe
Not able to give permissions to Certificate Root. This tool is only helpful to give permission to access a specific certificate.
Please help me on resolving this issue.
According to article found at msdn
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384088(v=vs.85).aspx
It says:
Note The user must have sufficient privileges to use this tool, which requires the user to be an administrator and the same user who installed the client certificate, if installed.
So check if network service is member of local administrators group.
whole story
ASP.net permissions to root certificate store
download WCF sample projects from the link below and compile FindPrivatekey project. ( tips: Add reference system.security otherwise you will catch a undefine X509Certificate2UI function error )
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21459
I have this load balanced asp.net application which needs to upload files to a shared location. The web app is not impersonated, which means it will cross the machine boundry using network service credentials. Now my question is, to which account do I need to assign permissions on the folder where the files are being uploaded? How can I say the network service of these web servers need write permissions?
If your server is part of AD domain, then you can add the Server itself from the security permission dialog to have read/write permission (in fileshare server). Remember to select "Computers" when searching Active Directory. Depending on your setup, might have to search from the root of your Active Directory or select "Entire Directory". You will have to add all of your servers that are part of load-balanced ring to have permission in fileshare server's directory.
If your server is not within an AD domain, then your local server's network service will not have any security context to write on another server; which means only generic permission will work (e.g. giving write permission to "Everyone").
Otherwise you will have to use UNC authentication. An example is posted here.
I used Plesk to open a new domain and under the "Web hosting setup for domain" I checked the "Shell access to server with FTP user's credentials" - "bin/bash".
I can log in to the account using SFTP (port 22) but when I try to upload files I get "Permission Denied". How is that possible if I enabled it through Plesk?
Joel
Have you checked permissions on the folder you're uploading to?