i can deploy an app using Azure service extension in visual studio code which also creates web.config file and the app works fine, but when i try to upload the ZIP file using ZIPdeployUI and manually add the web.config the app throws an error "You do not have permission to view this directory or page". The difference is using Visual studio code the files are uploaded straight into /wwwroot folder and with ZipdeployUI it creates another folder that was zipped on local system.
You do not have permission to view this directory or page.
That is basically a hint that Azure encounter an error while running your web app. Since it's in production, it does not show any useful error messages. For testing/debugging purposes you can turn on the Azure detailed messaging, and turn it back off when it's ready for production. To do so, you have to follow these two steps,
Log in to Azure > App Services (left side menu) > Your Web App > App Service logs (search box is at the top if you can't find it), then turn on Detailed Error Messages or turn on all of the logging options, up to you.
Now add the following in your Web Config file,
In your Web Config file add <customErrors mode="Off" /> BEFORE system.web closing tag, </system.web>. Similarly, add <httpErrors errorMode="Detailed"></httpErrors> BEFORE </system.webServer>. Finally, upload the Web Config to Azure and cross your fingers.
If you follow the steps correctly, that will show the error messages in detail which takes you to figure out the issue.
Few Error Cases-Resolutions were:
You do not... this directory... this error comes when you have restricted IP on IIS Config. Check your web.config file and add your IP address in security section like:
<security>
<ipSecurity allowUnlisted="false">
<clear />
<add ipAddress="192.168.250.70" allowed="true" />
</ipSecurity >
</security>
Remove it if you do not want to restrict any IP address.
Check the zip is unpacked in the path Site>wwwroot>, else try restarting your function or web app.
You might need to tweak this depending on how your application structure looks like after the build like site\wwwroot\dist\, but if you have the app name in the folder structure, you might need to: site\wwwroot\dist\<app-name>\
Sometimes azure active directory authentication was created by Function App / Authentication automatically like (MS Graph - User.Read, Azure Service Management -user_impersonation). If yes, removing those will work to access the directory.
Related
We've recently switched to using Azure package deployment for our sites (https://github.com/Azure/app-service-announcements/issues/84) - and it's great! It's a great feature which has radically simplified our deployments. However we have a second site which will not run when packaged (but does run when not packaged).
We followed the standard procedure for setting a site to run from a package;
created the folder /data/SitePackages from ftp,
drop the package in there along with the packagename.txt file
set the App config setting WEBSITE_RUN_FROM_PACKAGE=1
However we receive "You do not have permission to view this directory or page." on the homepage, and any other subsequent page we receive "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.". It's as though the site isn't loading the package at all? Azure Log stream show's "HTTP Error 401.3 - Unauthorized" on the home page and a standard 404 for anything else.
From the Azure portal, if i click console and ls to see a directory listing of the files it thinks it's running all I see is a single file;
FAILED TO DOWNLOAD ZIP FILE.txt
Turns out this was the azure portal not loading the package. Looking at our TeamCity setup, the step which generates the "packagename.txt" file has a typo, so the zip file Azure was trying to load did not exist.
Background
I have an Azure 'App Service' resource and a linked 'Application Insights' resource. They're linked via the App Service's Settings -> Applications settings -> Application settings (key-value table) where I have the following settings:
APPINSIGHTS_INSTRUMENTATIONKEY = <my application insights instrumentation key>
APPINSIGHTS_JAVASCRIPT_ENABLED = true
My application is a static file application at the root / (site\wwwroot) but also has 2 Asp.NET applications at 2 different virtual directories:
/app1 (site\app1)
/app2 (site\app2)
Problem
The overview page shows data for something called 'Metrics' with requests, data, etc. (first image) however when I attempt to access Application Insights, no data appears (second image).
Attemps
I've tried to follow these two guides for activating app insight for static page applications:
http://apmtips.com/blog/2014/12/02/tracking-static-content-with-application-insights-httpmodule/
http://blog.tylerdoerksen.ca/posts/2018/03/AppInsights-Static-Content
However I get an error due to the misisng DLLs in the root Bin folder.
I tried variations of:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"> <!-- With and without 'runAllManagedModulesForAllRequests'. -->
<add name="ApplicationInsightsWebTracking"
type="Microsoft.ApplicationInsights.Extensibility.Web.RequestTracking.WebRequestTrackingModule, Microsoft.ApplicationInsights.Extensibility.Web"
preCondition="managedHandler" /> <!-- With and without 'preCondition="managedHandler"'. -->
<!-- And -->
<add name="ApplicationInsightsWebTracking"
type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web"
preCondition="managedHandler"/> <!-- With and without 'preCondition="managedHandler"'. -->
</modules>
</system.webServer>
According to the second article, these missing DLLs should be automatically loaded by Azure once it knows that it's connected to AppInsight.
If you are using Azure Web Apps. Add the Applications Insights Extension to the Web App. This will add the proper DLLs to the Bin directory of your site.
I tried to follow the instructions under 'Monitor a live Azure web app' but the documentation seems incomplete.
Questions
Why is data showing in the overview of the App Service but not AppInsight?
Is it possible to view website telemetry in AppInsight for my static file application at root /?
1.Why is data showing in the overview of the App Service but not AppInsight?
It should be a configure issue. You can configure it as below:
step 1:
In visual studio, right click your project name, and in the context menu, select "Configure Application Insights".
step 2:
In the following screen, click "Get started".
step 3:
In the following screen, configure your own settings(for Resource, you can create a new or use an existing one).
Then click "Register", and wait for it completes.
step 4:
If some error occurs, just fix it by tips on the screen. like below:
When you have done the above steps, you should see data in App insight(it may take a few minutes for data to display).
2.Is it possible to view website telemetry in AppInsight for my static file application at root /?
Yes, you can view website telemetry in AppInsight for static file application at root /.
step 1:
In the Web.config, find the <system.webServer> node, and then in the <modules> node, add runAllManagedModulesForAllRequests="true", like below:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="TelemetryCorrelationHttpModule" />
<add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" preCondition="integratedMode,managedHandler" />
<remove name="ApplicationInsightsWebTracking" />
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
</modules>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
step 2:
Publish web site to azure.
step 3:
Launch the website to the static file, here I used test4.html for example.
step 4:
Go to azure portal -> your application sights -> Overview section, select a chart like "Server requests"(if no data, please wait for a while).
step 5:
You can see such request "GET /test4.html".
I was recently having a problem with a site and the stack trace was implying that the connectionstring was null. This is after i moved (i.e. cut the node out of the xml file, pasted it into portal) the connstr from web.config to azure portal, so the connstr wasn't referenced the web config at all
In a video blog, Scott Hanselman talked about the portal settings overriding the web.config ones, but there was never any detail on what whether the key had to be present in the deployed web config for the azure portal value to be applied
This raises a query in my mind - if a setting isn't in the web.config at all (i.e. there is no xml node saying <add key="blah" value="debugblah" />), will the setting in the portal work?
if a setting isn't in the web.config at all (i.e. there is no xml node saying <add key="blah" value="debugblah" />), will the setting in the portal work?
The short answer is Yes. To simple test it, you could using following code.
public ActionResult Index()
{
string appSetting1 = ConfigurationManager.AppSettings["setting1"];
string connectionString1 = ConfigurationManager.ConnectionStrings["connectionString1"]?.ConnectionString;
return Content(string.Format("appSetting1:{0},connectionString1:{1}", appSetting1, connectionString1));
}
After added parameters in Azure portal, we could get the app setting and connection string from ConfigurationManager.
Here is the result from index page.
appSetting1:setting1Value,connectionString1:connectionString1Value
There is an exception when we use connection string for Entity Framework. A connection string for EF will contain a providerName attribute which can't be set in Azure portal. So if we need a connection string setting with providerName, we need to configure the connection string in config file.
<add name="DataContext" connectionString="dummy" providerName="System.Data.EntityClient" />
is it a xdt:Transform=“SetAttributes”, a xdt:Transform=“Insert” or hybrid?
It is a hybrid
or, possibly
Portal does a remove, followed by an insert
Which means:
If the setting is only configured in portal.azure.com then your app will see the value set in portal.azure.com
If the setting is only configured in the web.config file in the wwwroot folder, then your app will see the value set in the web.config file
If the setting is configured in both portal.azure.com AND the web.config file, then the app will see the value set in portal.azure.com
So don't worry if you upload your debug/dev configs to a live site, if the portal settings contain the live settings details :)
Thanks to Amor for the method used to verify this
Yes, it will work.
The setting does not have to be present in the web.config file. If it is present in the Web App's Connection Strings or Application Settings (set in the portal or via AzureRM), then it will be visible to the application.
I have a project which I plan to open-source at some point. Currently I keep all of my API keys in a class which is not checked in - I have just linked the project to Azure but the API key class not being present causes the deployment to fail.
How can I hide secret API keys in a public project and still have it deploy to Azure?
I have read quite a few posts (this one for instance) but cannot find a solution that allows me to do what I want - does anyone know what I should do here? Is it possible?
For an Azure Web App, you can specify config values on the Configure tab in the portal (under "app settings"). These will override values specified in your Web.config file.
This means you can leave these settings out of your public repository.
For developing locally, you can put the settings in a separate XML file. To do this, update the appSettings in your Web.config like this:
<appSettings file="mysettings.xml" />
Then create mysettings.xml and put your actual settings in a new <appSettings> element there.
You can then add mysettings.xml to your .gitignore file so it won't be checked in to your public repository.
Azure doesn't mind that your mysettings.xml file doesn't exist, and will pick up the settings you specify in the portal instead.
I have three Windows Server 2012 R2 without any AD in a DMZ network. Two servers are front end web servers with ASP.NET and one have SQL Server and a network share that both front end servers use for shared data.
My problem is how do I configure the Application Pool identity and the Network Share so the ASP.NET application can read and write to the network share?
This is simple with an AD available when you can use domain accounts for the application pool identity but there is no AD available in this setup.
I will answer my own question since I succeeded to setup the server. This is what I did:
1) Create an account with the same username and password on all three servers. Make sure that does not expire or must be changed.
2) Create a Network Share and give the new account read/write rights. I also tested that I could connect from the front end servers using the new account to verify that no firewalls are in the way.
3) Included the user in the IIS_IUSRS group that indirectly gives it Logon as Batch Job rights.
4) Run the following command to grant rights to the user
aspnet_regiis -ga <your_app_pool_user>
See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)
5) Restarted WAS and IIS to make sure the changes to the accounts group membership takes hold if tried to use the account.
C:> net stop was /y
C:> net start w3svc
6) Create an Application Pool and set the Identity.
This is the part where I got stuck with error messages when trying to set the identity.
From IIS Manager I got the following error dialog: "There was an error while performing this operation. Details: Value does not fall within the expected range."
Trying to set the App Pool identity from the command line I receive a similar error:
C:> appcmd set config /section:applicationPools
/[name='test-pool'].processModel.identityType:SpecificUser
/[name='test-pool'].processModel.userName:MyAccountName
/[name='test-pool'].processModel.password:P#ssw0rd
ERROR ( hresult:80070057, message:Failed to commit configuration changes.
The parameter is incorrect.
)
When I remove the last parameter, password, the command will succeed changing identity type and setting the username but I did never figure out why I could not set the password so I retorted to editing my applicationHost.config file directly. Unfortunately with the the password ending up in clear text.
<configuration>
...
<system.applicationHost>
<applicationPools>
...
<add name="test-pool" managedRuntimeVersion="v4.0">
<processModel identityType="SpecificUser"
userName="MyAccountName" password="P#ssw0rd" />
</add>
...
</applicationPools>
...
</system.applicationHost>
...
</configuration>
7) Finally I set my Web Application to use the application and it could access the Network Share without any issues.
I had the same problem but couldn't let the password in clear text so I dig a little further and found this article :
http://social.technet.microsoft.com/wiki/contents/articles/30344.custom-iis-app-pool-identity-value-does-not-fall-within-the-expected-range.aspx
The key step to diagnose is to look at the right events :
To figure out how to resolve this, I went into the event viewer. There was nothing in the Application log, so I headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right click the log, and choose Enable log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and voila!, now we have some more information on the error. In the results were two Errors (event ID 42 and 43).
I had the same event errors as in the article :
ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption
provider in
'\?\C:\windows\system32\inetsrv\config\applicationHost.config'.
Please check your configuration.
ID 43: Failed to encrypt attribute
'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.
Then I did the following :
restore an old version of the ConfigEncKey.key file (to c:\windows\System32\inetsrv\config )
replace the <configProtectedData><providers> section by an old one (in c:\windows\System32\inetsrv\config\applicationHost.config )
Then I can again set a custom identity to the application pool.
Had similar problem. Reinstalled the IIS Manager and got a new applicationHost.config
When I did the WinDiff on the new and old files I noticed that the SessionKey were different. Works now.
AesProvider and IISWASOnlyAesProvider