I have written a web service that reads from a message queue.
This works fine under Cassini.
Now that I have deployed the service under IIS, I receive an error message when the service tries to access the queue:
The queue does not exist or you do not have sufficient permissions to perform the operation.
I have set the anonymous access user on the IIS virtual directory to be my own domain account, which is a member of the administrators group on the local machine. I have granted this same user full permissions on the queue, as well as NETWORK SERVICE and ASPNET.
I still get the same error message.
I have also tried disabling anonymous access on the virtual directory and connecting to the service using my own login details - to no avail.
Any help with this problem will be greatly appreciated!
I have also tried various combinations of:
and
With testUsr having full permissions on the queue. I have added permissions for the user and ASPNET on the MSMQ store folders on C:\
My understanding of the problem is that the process trying to execute the code is running as a different account under IIS than it does under Cassini.
The problem was that regardless of which user I impersonated - I always got the same error message - even when the user was a member of the local and domain administrator groups, and this user had full permissions on the queue. i.e. It is barely possible to assign more rights to a user.
It turns out, that using a FormatName for the queue, rather than a path name (myMachine\queueName) has solved the problem...
FormatName:DIRECT=OS:myMachine\myQueue
I am uncertain as to exactly why this is the case. Reading up has showed that when a path name is used, there is a necessity for an AD lookup, and although I think that the users that I have been testing with should have rights to do this, perhaps there is something missing.
However the immediate problem is solved and that's good enough for me.
Related
Ive created a app in asp.net using c# that needs to create folders on a number of network shares. Ive configured the app pool account to use a domain account and given that domain account the correct permissions to the network share folder. When i run my code im getting the following exception. Any ideas?
Exception: System.ComponentModel.Win32Exception
Message: Logon failure: unknown user name or bad password
You should create an account on the network that has the relevant access to that share and then set your application pool to use that identity.
This way, all requests from your application will appear to be that user.
Take care with this approach, however, as if anyone changes the password to that account, you will need to update it within your IIS
OK seems I've been a bit of a chump. Seems there was some code I wrote (cant remember doing it) that impersonated the account I had set for the custom app pool but with the old password. Simply commented out the code and it now works as expected. Note to self!!!!!! Must read stack trace more carefully in future.
Apologies for wasting your time
We've created a windows authenticated sub directory on our web server, however, intermittently when we go there (once logged in as an authenticated user - member of a authenticated group) we get the following error:
Module IIS Web Core
Notification BeginRequest
Handler Not yet determined
Error Code 0x80070005
Config Error Cannot read configuration file due to insufficient permissions
Config File \\?\C:\Inetpub\wwwroot\admin\web.config
Requested URL http://testsite.dev:80/admin
Physical Path C:\Inetpub\wwwroot\testsite\admin
Logon Method Not yet determined
Logon User Not yet determined
The odd thing is once we see this error, hit F5 or refresh and the error goes away, only to reappear a short time later. Very frustrating!!
I have done extensive searches online, but can find nothing. We may also create other sub dirs allowing the same "group" to have access, so this needs to work across all these subs without having to relog in.
We are using IIS7. I've found guides that state for IIS7 ( http://kenno.wordpress.com/2008/10/23/iis7-cannot-read-configuration-file-due-to-insufficient-permissions/ ) but when I do this it seems to then make the directory accessible to all which is clearly not required.
Following my own advice and knowing nothing about the problem, I give you an answer to be accepted or improved upon:
Set IIS_IUSRS to have read access on your windows authenticated directory.—user901820
Configure access in IIS Manager | Your Site | Authentication. Make sure you have disabled "Anonymous Auth" for that folder—this should close it for everyone. If you now enable another Auth method for that folder ... then user should only access it if he provides proper login details.—LazyOne
See Configuring Security at IIS.net.
My ASP.NET MVC 2 application runs under built-in local NETWORK SERVICE account. I want to set up access permissions for the folder which resides in another computer, but in the same domain. I located that folder right-clicked to open its properties form, clicked to Security tab and pressed Add button which displayed Add user form with correct domain name in the location field. I referred to the account with following syntax:
<domain name>\<server name>$
because I learned that NETWORK SERVICE account uses machine account when connected to other computers in the domain.
However, the system couldn't find the account, so refuses to add the account. Without the domain name it adds a user, but that user seems to be local user, not web server's NETWORK SERVICE account. What am I doing wrong?
By the way, the above syntax worked when I created login for the sql server which is different computer from the web server.
OK, I will answer my own question. The above syntax \$ was correct. Just make sure to select computers checkbox in the object type, when adding user permissions.
I have been in this same situation before. I don't think I got it to work with the Server/Network Service but this might be worth a try.
Figure out the account network service is using to access the network resource.
Configure windows auditing (on the server the folder is located) to log the failed security events of the folder.
or monitor the folder with something like filemon.exe
.. from here you can try and add the account to the security settings of the forlder. (IIRC I did'nt ever get this to work)
Alternatively you can ensure the action is performed under the context of a domain user. Either by:
Impersonating the user in code and performing the action (my preference)
Setting the impersonation settings in web.config to a named user
setting the application pool to run as a domain user.
I am trying to write to a file on a server (web05) from a classic asp site running on Windows 2008 serer on IIS7 (webadmin). This fails and web05 logs an anonymous logon attempt during the course of the save operation.
Webadmin's site is running on an app pool in classic mode with a domain user as the process account. The process account has rights to "Trust this user for delegation to any service (Kerberos only)". The same applies for the web05 and webadmin servers.
The site is using Windows Authentication and the idea is that when I log on the site with my domain user, the rights of my user should define what I am allowed to do in the context of the IIS site. If I turn on Basic Authentication, everything works fine.
I have also used setspn.exe to add an SPN for the URL. If I type setspn.exe -L webadmin, I get:
HTTP/webadmin.companyname.com
TERMSRV/webadmin
TERMSRV/webadmin.companypub.local
HOST/webadmin
HOST/webadmin.companypub.local
So from what I understand the SPNs are set up correctly.
If I run processmonitor on webadmin while the save operation is executed, it says that the process is indeed impersonating my domain user - but getting "Access denied" (and as I said before, web05 logs an anonymous logon attempt).
Any idea what causes this?
Kind regards,
Simon
It sounds to me like you're a little confused over impersonation. The process isn't impersonating the domain user account its simply running as that user. There is a difference.
When a request arrives into ASP it will then impersonate a user and the thread handling the request will be running under the security token of the impersonated user. Its quite possible to have the same process impersonating multiple different users in multiple threads. In most cases where the anonymous user access is enabled this user is the Guest level IUSR account. Its most likely that its under this user your code is attempting and failing to run.
However if anonymous is turned off for the resource being accessed or the IUSR account does not have access to the resource then the a 401 response is sent back, with some indication of what authentication protocols it will accept. The browser may then attempt to authenticate the connection using either the current users credentials or request some credentials from the user.
You don't specify exactly how you are attempting to save file. Its worth pointing out couple of things though.
ASP code exection which may subsequently result in an access denied will not use the above mechanism to try to resolve the user.
Once a connection is authenticated it often continues to be re-used for subsequent requests (which is counter-intuative to the knowledge the HTTP is a "connection-less" protocol).
I am trying to clean up my previous questions. This answer is not sufficient to answer the question above, but I concluded that it is better to provide some insight than none. If op disagrees, please take necessary action.
This is a way back - but I recall wanting to run kerberos authentication on this app. The problem turned out to be that I tried to do kerberos outside the firewall. The app would work fine within the domain and firewall of the server's home domain but failed whenever requests came from outside.
I did a lot of chatting with an Irish technician in Microsoft, and he taught me a little about the limitations when using Kerberos. The reason I wanted to use Kerberos was that I didn't like the thought of Basic Windows authentication being unencrypted.
Good luck with your Kerberos quest :-)
I ran into this same issue and it turned out to be a simple change to the application pool. If enable 32-bit applications is set to FALSE then I recieved a prompt to login to the machine. Setting this value to true fixed the issue.
I recently had to change my active directory account password.
Ever since then I am unable to deploy BizTalk projects or put my Receive Locations in the stop state (Sendports & orchestrations is fine).
I noticed that my Enterprise Single Sign-On Service isn't running, if I try to start the service it complains about a login failure.
The thing is, you would think that it used my account to start this service and that it can't login anymore because of some old password or something. However I run the service with another user, namely: BiztalkUser. This user is set on the service and u can also see him in the biztalk server configuration.
Anyone have any ideas what I have to do? Cuz I can't do much anymore now.
The procedures for changing service accounts and password is clearly documented by Microsoft http://msdn.microsoft.com/en-us/library/aa561505(BTS.10).aspx please follow the steps outlined under "Enterprise Single Sign-On Service on Master Secret Server" to correct your issue.
I agreed with the first paragraph of answer 1. That would be the first option I would look to correct the problem. The second option would be, restoring the master secret server.
See below;
Open a command prompt - Navigate to C:\Program Files\Common Files\Enterprise Single Sign-On\
Type in command - ssoconfig -restoresecret SSOXXXX.bak
(Where XXXX is a randomly generated name created with SSO was installed. This is the SSO back-up file)
Enter the password - (Again you entered/created/accepted this when configuring SSO in the BizTalk configuration.)
Additionally you should create a new backup file if you have changed the account the SSO service runs under.
To create a new back-up file - ssoconfig -backupsecret latestbackup.dat
If SSO is running under your account and it stopped working when you changed the password, you need to update your password on the service's credentials. You can do this in the serivces control panel. If you have other BizTalk items running under your account, you will need to update them as well... host instances, application pools, etc.
BizTalk User may not not have the necessary permission to run SSO. I'd suggest put the account back in that worked. Comb the error log for other messages to help you diagnose th eproblem. For furtherhelp, I'd suggest posting more specific details of your current problem here (ie. Error Messages, Log Files, etc.).