Permissions required to create/modify tasks in Windows Task Scheduler - asp.net

I need to create and modify tasks in Windows Task Scheduler on Windows Server 2003 from an ASP.NET web application. The Network Service that the web app runs under is unable to make the changes. It errors with an System.UnauthorizedAccessException exception.
It works fine running from Visual Studio on my desktop.
What permissions do I need to grant an account so that the tasks can be modified from ASP.NET?

The account needs to have read/write permissions to the "Tasks" directory. Here's the path:
%SystemRoot%\system32\Tasks\

Jose's answer solved my problem partially. However, there was an additional problem where Windows Server 2003 didn't like me specifying Local System as the account that the task would run under. It seemed to not like me passing in a null password which is how you specify Local System. I worked around the problem by making a local account on the server for tasks to run under and specifying this new account.
Specifying Local System didn't cause any problem on Windows XP.
Additional info

CACLS TASKS /E /G builtin\administrators:F
According to: https://social.technet.microsoft.com/Forums/lync/en-US/67734412-bb17-42d5-80ff-0edf3147c169/cannot-create-scheduled-task-access-denied

Related

Connecting to a COM interface in an aspx code-behind running on IIS?

I've created a Windows service (an exe based on the Visual Studio ATL wizard) which exposes a COM interface. No problems running as an in-proc server or a Windows service. I need a Windows service since I need some processes to be available outside of IIS access.
I've been creating some web pages (aspx/C#) calling my service and everything has worked fine testing within the Visual Studio .NET Development Server. Now, I'm trying to push the web pages to IIS 7 (running on windows 7) for further testing. But, when the pages are running under IIS the calls to my COM interface all fail with the error
"Retrieving the COM class factory for component failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))."
I've verified the service is:
registered with Windows under HKCR\Clsid\ (note, I registered running "myservice.exe /RegServer" since regsvr32.exe only works with dll's)
myservice.exe has read and execute rights for the IIS_IUSRS user
is a 64bit exe (so should load in the default IIS app-pool space)
Works great in .NET Developement Server debugger (but not IIS)
Any ideas why this would not work? Something to do with the COM interfaces contained in an exe vs dll?
Any possibilites of IIS calling a COM interface exposed in a Windows service?
I believe you need to grant access to your site's app pool process to use your COM object, under DCOM Config.
Go to the Component Services
> Computers > My Computer > DCOM Config branch
Locate the AppID or Name of your service in the list. Right-Click on it and select properties.
Open the Security tab
Pick Launch and Activation Permissions and select Customize.
Grant the app pool process (probably ASPNET, but check the IIS app pool properties for your site) the following: Local Launch and Local Activation.
Please let us know if this solves your problem.
Incidentally:
> is a 64bit exe (so should load in the default IIS app-pool space)
That's not quite true. The app pool is an ISS-controlled process. Your service runs on its own separate process no matter what. So your service has nothing to do with IIS app pools.
It looks very much like a security/permissions problem - so first make sure that whatever user the IIS worker is running under has sufficient rights and in particular check that your ASPNET group has permission to use COM (I think it doesn't by default).
EDIT - after posting that, I did find another post that might help - take a look here too
Thanks Guys. I really appreciate your responses. Your information pointed me in the right direction. The problem was indeed a security\permissions issue. To compound the problem, whenever I rebuilt my service, the rights I set for IIS_IUSRS was purged from the exe so some of the failures I was seeing was due to simple rights on the service.exe. So if you start seeing intermitent errors access your COM object during development then check the rights on your exe after re-builds! I hope that helps others.
For completion, here's how I resolved the issue:
changed the 'identity' of my services application pool to 'LocalSystem' (since my COM was in a Windows service running under the system account - most people will not require this level) (IIS Manager | Application Pools | right-click on your app pool | Advanced Settings | Identity

ASP.NET error log

Every time the ASP.NET application in question throws an error the Global.asax writes to an error file: logs\error.log. The ASP.NET applications works using Windows authentication.
I am able to write to the log file when debugging using Visual Studio, however it does not work when the application is deployed in the live environment. How do I find out what user account I need to give access to: logs/error.log?
The application is deployed on a Windows 2003 Server with IIS6. Microsoft.NET 3.5.
You would have to give the required permissions to the network service account. This link might be able to help you out.
Windows Server 2003 defaults to the "Network Service" account.
This can be verified by opening IIS (expand the computer if needed), expand the "Application Pools" folder, right click on the pool used by your web app, and go to the Identity tab.
FYI: Windows Server 2008 uses the IIS_IUSER instead of Network Services.
I hope that logs folder is a virtual directory setup outside the web site directory.
Otherwise every time you deploy the entire solution you will overwrite the logs folder and its content.
Microsoft has a tool for monitoring file access that can be useful for troubleshooting permission issues.
Process Monitor - http://technet.microsoft.com/en-us/sysinternals/bb896645
You will also want to check if your application is using windows authentication & identity impersonation since that can change the identity the application is executing with when enabled.

Remote Debugging on IIS - Access Denied Nightmare!

We have two Win2k3 servers here, one is a domain controller and the other our webserver.
I'm running an ASP.NET MVC web app setup as a website in IIS on the webserver.
I've copied across the x86 remote debugging tools to the webserver, logged in to an admin account and ran msvsmon. I added the user I'm logged into my workstation as to the permissions list.
Opened up the web app project in VS2008 and went to Attach to Process, here are my settings:
Transport: Default
Qualifier: OURDOMAIN\AdminUsername#OURWEBSERVER
Attach To: Managed Code
Selected: w3wp.exe
Upon clicking Attach, the windows flicker for a few seconds and then I get:
Unable to attach to the process. Access is denied.
I've tried right-clicking msvsmon and using Run As to run it under the same account as I'm logged into my machine, but still no difference.
However, if I change the Attach To field to Auto: Native Code, it attaches fine, but I can't debug any of my managed .NET code.
This has me baffled - any ideas?
Anthony
Have you seen this article?
http://support.microsoft.com/default.aspx?scid=kb;en-us;833977&Product=vsnet
It's not clear from your question, but remote debugging requires that the user you are logged into on the remote machine exist on your local machine as well. You basically have to create a local account on your dev machine (yes, that sounds backwards). I'm not sure it respects domain accounts.
Is the code sitting precompiled on the server or in individual uncompiled .cs files?
I've tried right-clicking msvsmon and
using Run As to run it under the same
account as I'm logged into my machine,
but still no difference.
Did you add that account as an administrator in the server? I would try that, and instead of doing Run As, I would effectively log in with that account.
When running server and client in different domains, the plot thickens slightly. In those cases, the trick I use is to create a local account with the same name and same password on both machines. Login with the same account (it is not really the same account) in both machines and launch the remote debugger on the server and VS on the client. If any of the machines in this scenario is running Windows XP, you have to change the Local Security Policy, "Network access: Sharing and security model for local accounts", under "Security Options", to "Classic - local users authenticate themselves".
I have yet to see this work across domains. As with #paul-mrozowski, I've been able to do it on the same domain so long as the user running the debugger server matches your local user AND your able to properly auth against the machine. That last bit can be hampered by firewall configurations.

Access denied when creating a virtual directory via Web Deployment Project

I’m trying to use a (VS 2008) Web Deployment project in a TFS solution to deploy the web site to the (TFS 2008) build server to run web based unit tests.
For some reason, that I can't yet figure out, it is failing to create the virtual directory:
Using "CreateVirtualDirectory" task from assembly "C:\Program Files\MSBuild\Microsoft\WebDeployment\v9.0\Microsoft.WebDeployment.Tasks.dll".
Task "CreateVirtualDirectory"
Initializing IIS Web Server...
C:\Program Files\MSBuild\Microsoft\WebDeployment\v9.0\Microsoft.WebDeployment.targets(667,5): error : Access is denied.
C:\Program Files\MSBuild\Microsoft\WebDeployment\v9.0\Microsoft.WebDeployment.targets(667,5): error :
Failed to create virtual directory 'abc'.
Done executing task "CreateVirtualDirectory" -- FAILED.
The TFSService user certainly is in the Administrators group on the TFS Build machine (which is running Windows Server 2008). I don’t know what else could be wrong. I’ve checked the event log an there’s no clues there. I am able to manually create the virtual directory on that machine through the IIS console with no problem.
Any ideas what could be the problem or suggestions for how to diagnose this further?
it has got to be permissions...did you try putting the TFSService in the same Groups you are in?
Is the TFS account running under the same privileges as the account that you use to connect to IIS? Do as Craig suggested and move the TFS account into the groups that you participate in.
You're sure that the build is running under the TFSService id and not under another id set up just for builds, and which may not be in the administrator's group? I haven't done more than just play with automated builds since I do mostly solo development, but I recall setting up a separate build id when I was looking at this.
I have seen this occur when the IIS server wasn't running on the default port. I'd recommend checking IIS to see if it's running on port 80 as a step to diagnose your issue further.
I eventually managed to get deployment working by calling the _CopyWebApplication build target of the web application from my TFS build script (after manually creating the IIS virtual directory).
I had to add an additional target though to get linked files in the project to be copied also as the built in _CopyWebApplication target doesn't include those.

NAntContrib/NAnt mkiisdir fails on IIS 7.0 / windows 2008

I'm trying to use NAnt/NAntContrib build script to build a web application on Windows 2008 (IIS 7.0).
In the build file, there is mkiisdir task, which fails with:
[mkiisdir] The webservice at 'localhost' does not exist or is not reachable.
All the documents/posts I found so far (non for w2k8, only Vista) say to install IIS 6 Compatibility services (all of them, including scripting tools, etc.) So I did, but it still throws this error.
Any idea what else need to be changes, so NAnt be able to create/delete virtual directories on IIS 7.0?
EDIT: New data - when I log in as local administrator to this server, the nant task succeeds, but it fails when I log in as a domain admin. I have added the domain admins group in the local Administrators group, but it still fails. Any idea what other permissions I need to check/change in order to make my domain admin user to be able to execute this task? I can create manually virtual folders without any problems.
In order to get iis nantcontrib tasks to work you need to install IIS6 Management Compatibility Tools. Here is the blog describing how to do it in Vista:
http://thoughtworker.in/2008/01/15/nant-the-webservice-at-localhost-does-not-exist-or-is-not-reachable/
Here is a screenshot of how to do it in Windows Server 2008:
alt text http://img407.imageshack.us/img407/699/iis6tools.png
To answer my own question - I have isolated the part of the code in NantContrib which was causing the problem, and made a sample application to test.
I have posted this as a separate question here, and there is the solution as well.
Cheers

Resources