I posted a question because I needed help.
Security Settings (secpol.msc) - Local Policy - User Rights Assignment - Change the system time
The default member of the above item is "Administrators, LOCAL SERVICE".
I deleted "LOCAL SERVICE" from the "Change the system time" item according to the work instruction, but it was restored again.
Is there a way to enable deletion or prevent "LOCAL SERVICE" from changing the system time?
thanks.
"NT AUTHORITY" or "NT SERVICE/LOCAL SERVICE" is a system builtin SID. Its capibility cannot be disabled by user but hard-coded in kernel. Try to add a new user to limit a "more danger service" or simply create virtual service account(https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10))
Related
Attempting to "Generate SAS and connection string" in Azure Shared access signature. The following message is present "Some routing options are disabled because the endpoints are not published." The button "Generate SAS and connection string" is inactive. Is the button inactive because the endpoints are not published? There is one endpoint (ITLLCGlobal (ITLLCGlobal/ITLLCGlobal), service endpoint NQUEUE). If this is the cause how do I publish the endpoint?
You can enable it by selecting one of the resource types. Services, Container, object
In Shared access signature, make sure you have selected an "Allowed resoure type"
Either service, container or object.
That is all it took for me. I needed to do anything under Firewalls and Virtual networks yet.
Gina
I also run into the issue. I solved it by selecting one or more 'Allowed Resource Type'
My role was set to "owner" but needed to be set to the "storage blob data owner". I thought that owner granted all access but it does not. Once I changed to the correct role the routing options became active and changed to the correct option automatically.
How do I create a new user that can login to my Azure VM as an administrator? My top google search result mentions Active Directory. This particular machine is not on a domain. I tried creating the user under computer management and I get an unknown error and there is nothing helpful in the Event Viewer.
I also tried adding a user from the Azure Portal under Access Control for my VM instance and see a message that reads "No Virtual Machines In This Subscription Can Be Assigned Access".
Creating a user under the computer management worked for me
I just done it by login to the VM where I want the another account:
NB: these instruction are for Win Server 2012 R2 based VMs
login to the VM by using an existing admin account
Hit start and type "create an account"
click on Add a user account
Enter username & password (password should met the complexity requirements)
Hit next and you will see a message stating the user has been created
if required, the account type can be changed to admin
Hit search and type Change Account Type
choose the account
select administrator or standard
hit change account type
and you are done :)
When I try to create a new Azure Redis Cache and choose a location I just get a "There are no locations available." message.1 Setting everything else first still results in the same error. Refreshing the page doesn't resolve the issue. The problem occurs in both IE and Chrome.
Thanks for reporting this. It seems to be a bug in the portal. I can reproduce it if I click "Location" immediately after the "New Redis Cache" blade opens. However, if I wait a few seconds before clicking "Location", it doesn't repro.
As a workaround, if you close and reopen the "Location" blade it should populate correctly.
We will also work on fixing this in the portal.
Finally, for any issues with Azure Redis Cache you can contact us via email at azurecache#microsoft.com.
After working with the Azure team via email we were able to narrow down the problem and find a workaround.
There are 3 problems at work here that result in my symptoms:
The various New blades in the portal will default you to a disabled subscription. I believe they currently default to the first subscription (oldest) which may not be an active subscription. This results in the default behavior upon choosing a blade to be that of no-subscription.
The New Redis Cache blade will only show locations if you have selected a valid (not disabled) subscription. This behavior differs from the other New blades (such as Create VM) which will show you locations even if you have a disabled subscription selected.
Changing the resource group will automatically change the subscription and lock it, but changing the subscription in this way will not trigger an update to the blade. This means that the locations don't get updated for the new subscription because the subscription-changed-event (made up name) was not fired. In my case, I was always changing the subscription by way of changing the resource group, so I was never able to set the location.
The workaround:
Simply change to an active subscription before choosing a resource group. This will cause the locations list to be updated, and you can then choose a resource group after.
I have three Windows Server 2012 R2 without any AD in a DMZ network. Two servers are front end web servers with ASP.NET and one have SQL Server and a network share that both front end servers use for shared data.
My problem is how do I configure the Application Pool identity and the Network Share so the ASP.NET application can read and write to the network share?
This is simple with an AD available when you can use domain accounts for the application pool identity but there is no AD available in this setup.
I will answer my own question since I succeeded to setup the server. This is what I did:
1) Create an account with the same username and password on all three servers. Make sure that does not expire or must be changed.
2) Create a Network Share and give the new account read/write rights. I also tested that I could connect from the front end servers using the new account to verify that no firewalls are in the way.
3) Included the user in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.
4) Run the following command to grant rights to the user
aspnet_regiis -ga <your_app_pool_user>
See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)
5) Restarted WAS and IIS to make sure the changes to the accounts group membership takes hold if tried to use the account.
C:> net stop was /y
C:> net start w3svc
6) Create an Application Pool and set the Identity.
This is the part where I got stuck with error messages when trying to set the identity.
From IIS Manager I got the following error dialog: "There was an error while performing this operation. Details: Value does not fall within the expected range."
Trying to set the App Pool identity from the command line I receive a similar error:
C:> appcmd set config /section:applicationPools
/[name='test-pool'].processModel.identityType:SpecificUser
/[name='test-pool'].processModel.userName:MyAccountName
/[name='test-pool'].processModel.password:P#ssw0rd
ERROR ( hresult:80070057, message:Failed to commit configuration changes.
The parameter is incorrect.
)
When I remove the last parameter, password, the command will succeed changing identity type and setting the username but I did never figure out why I could not set the password so I retorted to editing my applicationHost.config file directly. Unfortunately with the the password ending up in clear text.
<configuration>
...
<system.applicationHost>
<applicationPools>
...
<add name="test-pool" managedRuntimeVersion="v4.0">
<processModel identityType="SpecificUser"
userName="MyAccountName" password="P#ssw0rd" />
</add>
...
</applicationPools>
...
</system.applicationHost>
...
</configuration>
7) Finally I set my Web Application to use the application and it could access the Network Share without any issues.
I had the same problem but couldn't let the password in clear text so I dig a little further and found this article :
http://social.technet.microsoft.com/wiki/contents/articles/30344.custom-iis-app-pool-identity-value-does-not-fall-within-the-expected-range.aspx
The key step to diagnose is to look at the right events :
To figure out how to resolve this, I went into the event viewer. There was nothing in the Application log, so I headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right click the log, and choose Enable log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and voila!, now we have some more information on the error. In the results were two Errors (event ID 42 and 43).
I had the same event errors as in the article :
ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption
provider in
'\?\C:\windows\system32\inetsrv\config\applicationHost.config'.
Please check your configuration.
ID 43: Failed to encrypt attribute
'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.
Then I did the following :
restore an old version of the ConfigEncKey.key file (to c:\windows\System32\inetsrv\config )
replace the <configProtectedData><providers> section by an old one (in c:\windows\System32\inetsrv\config\applicationHost.config )
Then I can again set a custom identity to the application pool.
Had similar problem. Reinstalled the IIS Manager and got a new applicationHost.config
When I did the WinDiff on the new and old files I noticed that the SessionKey were different. Works now.
AesProvider and IISWASOnlyAesProvider
I’m trying to use web deploy to deploy my dacpac package, which comes to executing some sql scripts.
I have local windows account called .\DeploymentService, which is in local Administrators group, which I want to own the database and execute scripts.
For that - I configure delegation accordingly - In Management Service Delegation I set "Specific User" for dbDacFx rule = .\DeploymentService providing password
I create according serveradmin login in SQL Server. My WMSvc executed under LOCAL SERVICE account.
I use the following command line parameters for deployment:
msdeploy.exe
-verb:sync
-source:dbDacFx="C:\Main\Src\Community.DB\bin\Debug\Community.DB.dacpac"
-dest:dbDacFx="Data Source=.;Database=CommunityInt; Integrated Security=true",computername=”https://Community02:8172/msdeploy.axd?site=Default
Web Site”,username=.\DeploymentService,password=*************,authType=basic
-allowuntrusted
I execute it on my PC, where destination is different PC.
However this fails with error “Invalid Handle” or “Class name not found” depending on do I have “Local service” login with public role in my SQL Server created.
Expected behavior:
When I set user name in Management Service Delegation to specific account, I expect MSDeploy to be executed under the account I specified.
Actual behavior:
I traced using SQL profiler in target environment and I found out that WMSvc executes msdeploy under its process account (LOCAL SERVICE) instead of .\DeploymentService, and that’s why script execution fails. If in SQL server I have LOCAL SERVICE account mapped to serveradmin role, then it works fine. If I execute WMSvc under .\DeploymentService account, it also works fine.
So basically there is NO WAY TO USE "User Name" in Management Service Delegation - It just does not matter what you set up there - it gives no effect.
Does any one know how to make that work?
Keywords: WebDeploy, WMSvc, dbDacFx, Impersonation, Delegation
Hey guys I'm sorry to hear that you are running into this issue. I wanted to let you know that we have a bug in the dbDacFx provider/MSDeploy which is preventing SQL Auth to work when used with the dbDacFx provider in WMSvc scenarios.
We have not yet received enough feedback regarding this to warrant servicing MSDeploy in order to unblock this. If you are impacted by this the best thing to do is to create an entry at http://aspnet.uservoice.com and vote it up. If we get enough votes then we can consider shipping an update to unblock this. Sorry for the bad news.