I hosted a site called Paris on an IIS-server (Windows Server 2019), which have have 2 web applications
webParkingQueryApi
webParkingQueryApp
The file explorer path look like this:
Paris/ParkingQueryWebApi
Paris/ParkingQueryWebApp
Both application use the same AppPool, and both are .Net 4.6 Framework applications (one web API and one Web application).
AppPool: Name: Paris | Managed Pipeline: Integrated | .NET CLR version : 4.0 | Identity : {a service account in the AD}
Authentication Paris : anonymous. ParkingQueryWebApp : basic.
Problem: When I open webParkingQueryApp in browser all static files return "Internal Server Error".
Both applications work fine in my development server, but not in production.
I added permissions to the Service Account, DefaultAppPool, and Users so they can read, write and modify the Paris directory.
The Event Viewer throws an security warning when I refresh the site. It says : "A privileged service was called.", and it mentions Process Name: C:\Program Files\Google\Chrome\Application\chrome.exe. The security Id is my Windows account that I use to log into production.
EDIT
After I activated "Failed Request Tracing Rules" in IIS-manager and looked in the log files I found this error:
<RenderingInfo Culture="sv-SE">
<Opcode>MODULE_SET_RESPONSE_ERROR_STATUS</Opcode>
<Keywords>
<Keyword>RequestNotifications</Keyword>
</Keywords>
<freb:Description Data="Notification">AUTHENTICATE_REQUEST</freb:Description>
<freb:Description Data="ErrorCode">Either a required impersonation level was not provided, or the provided impersonation level is invalid.
(0x80070542)</freb:Description>
</RenderingInfo>
EDIT 2022-02-04
The static files return this information:
HTTP Error 500.0 | Module: IIS Web Core | Notification:
AuthenticateRequest | Handler: StaticFile | Error Code:0x80070542 |
Logon method: basic | Logon user: {my Windows account}.
Related
I have an application that calls a wcf service, the application uses windows authentication and anonymous access is disabled. I am still getting the error in accessing the service:
'The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'.' '
The odd part is that it is working fine in IE11 and chrome (v83), this issue is appearing on Windows 10 1809 version only.
Attaching screenshots from my IIS below.
Can anyone suggest what could be the possible issue?
try to set the below setting in iis:
open iis, Select Website
Select ‘Configuration Editor’
Select
‘system.webServer/security/authentication/windowsAuthentication’
useAppPoolCredential to True
Make sure both WCF and the .net application URL using the same protocol.
set the application pool user to the domain account.
at client configuration set below code:
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
you could refer below link for more detail:L
401 Client 'Negotiate', Server 'Negotiate,NTLM' When Calling WCF Server to Server
I'm trying to create a function that will allow a user to reset/recycle an application pool on demand in order to reload updated IIS site settings, however I'm running into a permissions issue anytime I try to use a ServerManager function.
ServerManager serverManager = new ServerManager();
ApplicationPool appPool = serverManager.ApplicationPools[site_list.SelectedValue];
if (appPool != null) {
if (appPool.State == ObjectState.Stopped) {
appPool.Start();
} else {
appPool.Recycle();
}
}
Any time I run the code, I get the following error:
Filename: redirection.config Error: Cannot read configuration file due
to insufficient permissions
Description: An unhandled exception occurred during the execution of
the current web request. Please review the stack trace for more
information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Filename:
redirection.config Error: Cannot read configuration file due to
insufficient permissions
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and
the configured application pool identity on IIS 7.5) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in File
Explorer, choose "Properties" and select the Security tab. Click "Add"
to add the appropriate user or group. Highlight the ASP.NET account,
and check the boxes for the desired access.
I've tried granting read permissions to the redirection.config file to any/all of the following users with no change:
ASPNET
NETWORK SERVICE
IUSR
IIS_IUSRS
Anyone happen to have any insight on how to recycle an AppPool through code?
I can get it work when I set application pool identity to LocalSystem and anonymous authentication->Edit->Use application pool identity.
I think if you don't want to use LocalSystem, then you have to grant special permission for C:\Windows\System32\inetsrv\config folder and your application root folder. It will also reduce the security of your computer.
Microsoft Process monitor could help you grant NTFS permission. You could add a filter for "process name=w3wp.exe" and "result=access denied".
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Good day!
I am working on moving files via Azure Data Factory from on-prem file store and/or ftp site to Azure Blob storage using Copy Data activity. When setting security access, I am using credential manager. However, when clicking 'Set credential' a string 'Preparing...' shows for a split moment, and then nothing happens and box is left blank. What is exactly credentials manager? Is is a separate application, which needs to be installed or Windows credentials manager available via Administrative tools? I used IE for this. In Chrome it tries to install ClickOnce app, which fails to install with this error log (googling it reveals nothing). Does anyone know the solution?
IDENTITIES
Deployment Identity : CredentialsManager.application, Version=1.1.6273.1, Culture=neutral, PublicKeyToken=c3bce3770c238a49, processorArchitecture=msil
APPLICATION SUMMARY
* Online only application.
* Trust url parameter is set.
ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of C:\Users\YToropov\Downloads\CredentialsManager.application resulted in exception. Following failure messages were detected:
+ Deployment and application do not have matching security zones.
COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.
WARNINGS
There were no warnings during this operation.
OPERATION PROGRESS STATUS
* [4/5/2017 5:50:08 AM] : Activation of C:\Users\YToropov\Downloads\CredentialsManager.application has started.
* [4/5/2017 5:50:08 AM] : Processing of deployment manifest has successfully completed.
* [4/5/2017 5:50:08 AM] : Installation of the application has started.
ERROR DETAILS
Following errors were detected during this operation.
* [4/5/2017 5:50:08 AM] System.Deployment.Application.InvalidDeploymentException (Zone)
- Deployment and application do not have matching security zones.
- Source: System.Deployment
- Stack trace:
at System.Deployment.Application.DownloadManager.DownloadApplicationManifest(AssemblyManifest deploymentManifest, String targetDir, Uri deploymentUri, IDownloadNotification notification, DownloadOptions options, Uri& appSourceUri, String& appManifestPath)
at System.Deployment.Application.ApplicationActivator.DownloadApplication(SubscriptionState subState, ActivationDescription actDesc, Int64 transactionId, TempDirectory& downloadTemp)
at System.Deployment.Application.ApplicationActivator.InstallApplication(SubscriptionState& subState, ActivationDescription actDesc)
at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
COMPONENT STORE TRANSACTION DETAILS
No transaction information is available.
You may need to clean this folder and try again by using IE11.
C:\Users{account}\AppData\Local\Apps\2.0
if it still not work, you may need to reset the internet options.
Instead of trying to use the credentials manager, can I suggest you create your data factory in Visual Studio. Then simply deploy it to Azure with different sets of configuration files.
Check out this blog post on how.
https://www.purplefrogsystems.com/paul/2017/01/using-azure-data-factory-configuration-files/
This way credentials do not need to be copied into any portal blades and can be handled using other tools. Plus source controlled.
The JSON strings will also be masked if viewed via the Author and Deploy blade.
Plus any changes can be dealt with locally and your on prem linked service in ADF just redeployed.
Hope this helps.
The credential manager is a .NET ClickOnce application running on your OnPrem machine. When using the credential manager to set the username/password, it directly talks to the Gateway so there is no username/password data transfer over the wire. If you use "by web browser" option, the encrypted username/password will be transferred over the wire with a post request and then gets pushed to Gateway. In both options credentials are encrypted, but the Credential Manages saves the roundtrip through public network.
The reason why you get this error is because Chrome by default does not support the .NET ClickOnce application. It should work if you are using IE or Edge.
For this to work on Chrome, you can add an extention to enable ClickOnce application support in Chrome, like the below one
https://chrome.google.com/webstore/detail/meta4-clickonce-launcher/jkncabbipkgbconhaajbapbhokpbgkdc?hl=en
Solution: Clear the oneClick cache and try to install the application again. Here is the way to clear oneClick cache
From command line run: rundll32 dfshim CleanOnlineAppCache
If it doesn’t work, delete the real folder:
Windows Vista/7/8/10
C:\users[username]\AppData\Local\Apps\2.0\
Windows XP/2003
C:\Documents and Settings\username\LocalSettings\Apps\2.0\
for more information, you can look at this. it may be helpful.
http://codeketchup.blogspot.sg/2013/06/how-to-fix-deployment-and-application.html
======================================================
security zone
i use Windows XP_SP_3 and IIS 5 (local host), build site with asp.net4 and use this code:
Application appClass = new Application();
Document wordDoc = appClass.Documents.Add(Server.MapPath("~") + #"Files\tmp.docx");
wordDoc.SaveAs(#"e:\hp\Files\" + TextBox1.Text + ".docx");
wordDoc.Close();
if run site with VS2010, its OK. but if run with IIS 5 (Local Host), show this error:
Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
I open Component Service > Computer > right click in My Computer > choose Properties > COM Sucrity > Launch and Activation... > Edit Default > Add > Advanced >
i not Find User IIS (IIS_IUSRS). so Choose ASP.NET and ok and Check Local Launch & Remote Launch & Local Activation & Remote Activation.
rest System and run site with iis5 again. but show error previous again!
Goto Control panel -> Administrative Tools -> Component
Services
Expand Tree by clicking on Component Services ->
Computers -> My Computer -> DCOM Config
Search CLSId
00020906-0000-0000-C000-000000000046 (which is for word application)
Note: If Search CLSId not finds then search by "Windows Word Application".
By selecting
00020906-0000-0000-C000-000000000046 this CLSId now right click on Properties
In the Propeties area, click on Security TAB.
Select Customize option from all (Launch and Activations
Permissions, Access Pemissions, Configuration Permissions).
Add new name as NETWORK SERVICE in all, and Allow all permissions for
this name.
Go to Identity TAB in the same properties area, select
option as a This user and then add username (which is
administrator of this machine) and password. Click on Apply, Ok.
Refresh Component Services and check your application is working
fine or not.
Start Internet Information Services (IIS).
Right-click your application's virtual directory, and then click Properties.
Click the Directory Security tab.
Under Anonymous access and authentication control, click Edit.
Make sure the Anonymous access check box is not selected and that Integrated Windows authentication is the only selected check box.
Configure ASP.NET to use Windows authentication with impersonation, use the following configuration
...
<authentication mode="Windows"/>
<identity impersonate="true"/>
...
I try to push/sync a IIS Site from a Win2003 Server to another.
This is my command:
msdeploy -verb:sync -source:metakey=lm/w3svc/68512112 -dest:metakey=lm/w3svc/68512112,computername=backup-09,username=Administrator,password=PASSWORD -whatif > msdeploysync.log
I also tried the following
msdeploy -verb:sync -source:metakey=lm/w3svc/68512112 -dest:metakey=lm/w3svc/68512112,computername=backup-09,username=BACKUP-09\Administrator,password=PASSWORD -whatif > msdeploysync.log
I also tried
msdeploy -verb:sync -source:metakey=lm/w3svc/68512112 -dest:metakey=lm/w3svc/68512112,computername=backup-09,username=Administrator#BACKUP-09,password=PASSWORD -whatif > msdeploysync.log
This is the error:
Fatal: Request to remote agent URL 'http://backup-09/MSDEPLOYAGENTSERVICE'
failed.
Fatal: The remote server returned an error: (401) Unauthorized.
Fatal count: 1
I did run msdeploy/cmd as an
administrator.
I did try to access
http://backup-09/MSDEPLOYAGENTSERVICE,
it asked for my permissions, I
entered the credentials above, it
worked (empty site displayed).
This is Beta 2 of MSDeploy
Can anyone help me?
I now even set up a domain controller for all the servers... still the same issues, whether I'm logged in as a domain controller, supply the local accounts, all variations trigger a 401
Note that there is a bug in Web Deploy 2.0 (even the refresh) that does not allow users within the admin group to authenticate. Only domain admins and the administrator account itself can authenticate to web deploy. See the ERROR_USER_NOT_ADMIN error code on the following page: http://learn.iis.net/page.aspx/1023/web-deploy-error-codes/
Msdeploy appears to use NTLM authentication by default, even if userName and password are present. To enable the correct processing of "userName" and "password", append the following to the relevant source: or dest: parameters: ",authType=basic"
I got this error because UAC was turned on (Windows Server 2008).
Need to turn off UAC for remote connections:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy=1
This key helped me on another server (Windows Server 2012):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server\WindowsAuthenticationEnabled=1
Michael12345 suggested it here: https://stackoverflow.com/a/15059759/991267
This is a really old question, but I may have found an answer.
I was getting the 401 Unauthorized error message, but still able to login using the account specified in the call to MSDeploy, as described in the question.
In my case, the problem was solved by giving the deploy account admin privileges on the machine being deployed too.
(I see that you were using an account called Administrator, so this might not be the case for you - but I had the same symptoms so wanted to post anyway).
I've just experienced a 401 and ERROR_USER_NOT_ADMIN. In my case, the problem was I was using a hostname set in my hosts file (also in the hosts file on the destination machine) for the computerName setting to the -dest: parameter. NTLM was trying to treat this host name as the domain part of the username (e.g. hostname\userName). Changing this to the IP address or or real machine name fixed the issue.
I did not have this type of error before but in Visual Studio 2015 Update 3 when create a new ASP.NET Core application the default publish profile does not work.
I did find a solution. For me adding the
<AuthType>NTLM</AuthType>
line in the .pubxml file fixed the issue.