How can we force an IIS app pool to go into Unknown state? Is there a way to do this through the inetmgr GUI or through power shell ? I want to test a script that I'm writing, based off the Unknown state of my IIS app pool
As far as I know, if you log into the IIS server machine with non-admin account, then go to inetsrv folder and run "appcmd.exe list apppool" in command prompt ,you will get unkown state like below:
And before that you may need to add this non-admin user access permission to the config folder.
By the way, are you trying to test Powershell session? using "Get-IISapppool" in powershell with non-admin account will also get an empty state showing.
Related
Background info: Automatically run data connections in XLSM
I have a batch script which logs a start and end time, and runs a VBS scripts, which in turn opens up a excel file, runs a couple of data connections and closes the file again.
This works just fine when I run the batch script. However when I run it through the task scheduler the data connections are not run on the excel file. It seems like it might be related to some sort of security issue, but I cant figure out what the issue is exactly.
In the eventviewer of the server I was setting this up I found this little message:
The machine-default permission settings do not grant Local Activation
permission for the COM Server application with CLSID
{00024500-0000-0000-C000-000000000046} and APPID Unavailable to the
user DOMAIN\USER SID
(S-1-5-21-3431573511-3352521975-2604885492-32293) from address
LocalHost (Using LRPC) running in the application container
Unavailable SID (Unavailable). This security permission can be
modified using the Component Services administrative tool.
But I have no idea what this means.
I ran into the same issue when trying saving an Excel file via a Powershell script. I wasn't able to adjust the security settings for CLSID “000C101C-0000-0000-C000-000000000046”, which should resolve this, so I ran the task under the SYSTEM account, which already had the necessary permissions. This resolved the issue.
This error is being logged into the System event logs in Event Viewer due to inadequate permission for the farm admin account on the DCOM component 000C101C-0000-0000-C000-000000000046. In order to change the permission settings, perform the following steps:
Open Component Service by clicking Start → Administrative Tools → Component Services.
Navigate and expand the node Component Services → Computers → My Computer → DCOM Config.
Right-click the sub node “000C101C-0000-0000-C000-000000000046” and select “Properties”.
On the Properties dialog box, select Security tab. In most cases you will notice that the settings are grayed out. This is because the logged in user doesn't have enough permissions on this component to change the settings. In order to provide this permissions, perform the steps described in next section “Change Component Service Owner and Permission”. You may need to restart the server after doing this.
Once you set up the permission mentioned in previous step, in the Launch and Activation Permissions section in Security tab, select Customize option and click Edit.
In the popup window, add the farm admin user account and check Local Launch and Local Activation permissions.
Restart IIS and SP Timer. If possible, restart the server itself.
Reference: http://sajiviswam.wordpress.com/2011/04/15/the-machine-default-permission-settings-do-not-grant-local-activation-permission-for-the-com-server-application-with-clsid-000c101c-0000-0000-c000-000000000046-sharepoint-2010/
Ive been trying to use Visual Studio Online's new build definitions with linux. I set up an Azure VM running CentOS 7.1 installed Nodejs (v0.10.36) and npm (v3.3.9) the prerequisites for the vNext build agent.
when running the vsoagent.js file to set up the agent and filling in the fields, i am able to connect to my VSO account successfully but the build agent doesnt start.
following is the console output i get:
Console output
Im getting a bad request (400) error, why is this occuring and how do i fix it?
You need to set some permissions before you can add and run a new agent. First, you need to enable alternate credentials for your account. Log in to VSO using your account and open your profile settings.
Then, go to the “Credentials” tab and enable your alternate credentials there.
After that, go back to the “Agent pools” administration page, go to Roles tab, there are two security groups there. You’ll need to add your account to both.
•Agent Pool Administrators: allows adding agent to pool
•Agent Pool Service Accounts: allows the agent to listen to the build queue
When you create the server, you'll need to login using the credentials you provided when creating the virtual machine. More steps of creating a Build.vNext agent on Linux, please check http://realalm.com/2015/06/26/creating-a-build-vnext-agent-on-linux/
From the screenshot you provided, you got bad request with the URL.
And the server URL you need to provide should be something like: https://servername.visualstudio.com
I'm trying to connect to default web site on localhost – but IIS asks me for credentials (I know I can use an Administrator account, but I'm trying to log on when IIS is not run as an Administrator). I tried putting in the administrator user name and password for windows, but it doesn't accept them.
I'm using windows 7 home premium.
What should I enter?
ok - so anonymous is enabled. The next thing to check is that the identity the website is running under has access to the website folder. Each site in IIS runs in an application pool, and each pool runs under a user account. So first find out what app pool you're running under. On the right hand side click on Advanced Properties and check the name of you application pool. Then close that window and double click on application pools above your website on the left. Click on the app pool your site is running under, and then click advanced properties on the right. In the dialog box that launches, under process model check the value of Identity. Then go check the permissions on your website folder and make sure that identity has a minimum of read and execute rights on the folder.
Added another answer as the text above exceeds the comment limit
If you're trying to set your identity for a site to run under then you either need to run it as the local system account or you need to create a new user account on the machine and use those credentials.
I'm running Windows 7 SP 1 and have just turned on IIS 7. Just trying to access the default page it creates I get a 503 error, and the application pool stops. I look in the event log and I find the error:
Windows cannot copy file \?\C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm to location \?\C:\Users\TEMP.IIS APPPOOL.000\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm. This error may be caused by network problems or insufficient security rights.
DETAIL - Access is denied.
I tried making the TEMP.IIS APPPOOOL.000 folder available to everyone. I tried making Users available to everyone. No luck, it still dies with the same error.
What is happening here, and how can it be fixed?
It sounds like you're having the same problem as details in this IIS.NET forums thread. You didn't mention if you have x64 Windows 7 or not. Suspect that your development machine is misconfigured somehow; sounds like the uninstallation and reinstallation of IIS7 would help/fix.
Suggested courses of action:
Open IIS and its Application Pools. Open "DefaultAppPool" and any other Application Pools in use.
Click Advanced Settings for each of these. Ensure the "Load User Profile" is set to 'False'
Also ensure that the "Set Application Pool Defaults" has the Load User Profile set to False."
I encountered the same problem in my development environment (Windows 8.1). Instead of disabling the load user profile as suggested by P.Campbell, I went ahead and changed the permission of the sqm file to allow modify accesses for IUSR, IIS_IUSRS and Network Service. In my case, the sqm file was not able to show me the file owner in which I taken over with my user account.
Basically, my problem was solved by giving the correct permission for both source and destination files/folders.
Found the answer here - http://forums.iis.net/p/1180636/1992024.aspx
Open IIS Manager
Find the App Pool that is causing the problem
Open Advanced Properties
Change 'Load User Profile' to false
Fixed!
After struggling with all these Application Pool issues in IIs, I found the problem and the solution. This may help you.
Each application pool on each website in Microsoft's Internet Information Server creates its own user account and folder under the "c:\Users" directory when the pool is created and first run. Its actually a virtual user account and should be named for the Application Pool assigned to your web application in IIs. In most development environments, its the default website or "DefaultAppPool". It uses this temporary user account to run the pool. Each website should have a named user pool account. This User folder is used by the pool and ASP.NET for caching and writing of file resources and other things used by IIs, ASP.NET, and this virtual account.
In some setups people are not seeing this folder but a "TEMP" folder (like you have) when the IIs web site is accessed and using the pool.
If you instead see a "TEMP" folder in the Users folder you have a broken application pool account in IIs and in the Registry. The pool is creating the TEMP folder as a backup for this virtual account, which might not have the right security setup. I had this exact scenario.
To fix it go to the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
See if you have a SID user account with the ".bak" extension for a DefaultAppPool user account. If so delete it and restart your PC. Test your website again, making sure its actually setup to use DefaulAppPool. It should now recreate the "DefaultAppPool" folder in Users, recreate the registry entry for DefaulAppPool user, and your error should go away.
You can delete the TEMP user folder at that point under the Users folder. (Keep in mind if your web app has been storing cached information critical to users of the website, some of that might have to be inserted into the new DefaultAppPool user folder. But for most of us, just delete it.)
I also found I had to add this kooky virtual application pool account to my local database so the worker process and app pool accnt could have the rights to grab data from SQL Server: Just go into SQL Server and under logins add "IIs AppPool\DefaultAppPool" and then assign it as a user to your databases.
(btw whomever dreamed up this virtual application pool account system is nuts....its way too complicated and convoluted to sort out)
After I did this, all my stack overflow errors went away in Visual Studio for my web application, all data connections fired perfectly, all write permission to the default User profile stored properly, and all the restarting and crashing of the Application Pool in IIs ended completely. :)
I'm going to reset IIS through a batch file. Using iisreset utility, as the batch file will be used by others who may log in the domain without the administrator account of the target server. How can I make the batch script running with proper permission? Thanks in advance!
And I also don't want to prompt the user to type in username/password as the batch file will be called by other programs.
Problem 1: Resetting remotely from batch. I prefer sc.exe
Example
sc \\webserver stop w3svc
sc \\webserver start w3svc
SC is not as heavy as IISRESET. Actually, I prefer to use WMI to recycle application pools, but that is tricky to do through batch
Problem 2: Allow users who are not Administrators on the target server to reset IIS.
You are either going to have to grant these users (or their group) permissions to control the services or store credentials somewhere. To grant the minimum permissions, see this KB -- a lot of work.
If you don't grant those executing the batch permission to restart services, see Rusell's answer -- create a WCF service.
You could create a windows service (using .net WCF for example) that executes this command. Then the service can run using credentials with administrator access.
Your other programs can call this service remotely.
"iisreset computername" will reset the IIS server if they have admin rights on computername. While I'm not sure how to change the user account in a batch file, this could be a security issue as batch files (as I'm sure you are aware) are stored in plain text.
PS. This would probably be better on ServerFault