Serve static files from network share as gmsa - iis

I am trying to serve static files from a file server running Windows Server 2016. I would like to use a group managed service account for the connection.
I have attempted configuring IIS on Windows Server 2012 to use the gmsa. The Test-ADServiceAccount cmdlet returns True for the gmsa I am attempting to use on the IIS host. I have gone under the basic settings option of the IIS site configuration and used the "connect as" button and set it to the gmsa account with no password. The prompt then says "Connect as 'gmsa-foo$'". However, when I attempt to press "ok", I get an error that the specified password is invalid.
Can I use a gmsa to allow access to the remotely hosted static files that I want to serve? Do I need to use a particular version of Windows Server to do so?

Make sure you added the gMSA account in the application pool identity.
It should be noted that this account may show unexpected behavior in IIS manager. For example, if you click on “Basic Settings” for an application that uses this account for its application pool, “Test Settings” may give you an error indicating “the user name or password is incorrect”. Usually, this can be ignored. Browsing any page in the application would be a better test – as long as you don’t receive a 503 response, the application pool username/password is fine.
You could get more information from the below document:
Windows Server 2012: Group Managed Service Accounts

Related

Issues in IIS Manager

I am using IIS Manager in window 10,
I need to host my ASP .NET web Form project in iis and access from other devices in same network.
i add new website and provide physical path.
the ip access from the computer but cannot able to access from other device in same network.
It Shows:
While Authentication file.
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.
As far as I know, this is IIS warning when you click test in the binding window.
By default, IIS will use identity to access the protected files.With psasthrough
authentication like impersonation, IIS will attempt to use the actual identity of the user when accessing protected resources.
If user doesn't auth, it will use application pool identity to access the resources.
In my opinion, it is just a warning not a error.

Configuring Integrated Security using IIS Application Pool Identity accounts for SQL Server 2008

I have the following configuration for a web site:
Two Web front-ends (e.g. machine names: WFE1 & WFE2) 1 SQ
One SQL Server Database cluster (e.g. machine name: DBCluster)
All machines are in the same domain (e.g. MyDomain) running Windows 2008 R2 Enterprise and SQL Server 2008 R2.
I am in the process of deploying a web application that uses the Application Pool Identity. I have named the pool MyWebApp, which translates to the name, [IIS APPPOOL\MyWebApp]. When I try adding this user to SQL Server I get an error:
Windows NT user or group 'IIS APPPOOL\MyWebApp' not found. Check the name again.
The script that I have used to create the account in SQL Server is:
CREATE LOGIN [IIS APPPOOL\MyWebApp]
FROM WINDOWS WITH DEFAULT_DATABASE=[MyDatabase], DEFAULT_LANGUAGE=[us_english]
GO
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
Can someone please shed some light on how this problem can be resolved? Is using a domain account my only option or can I still get the application pool accounts to work?
I imagine the problem is occuring because the IIS account is a local account which is not visible to the SQL Server box.
That's exactly the problem. The IIS AppPool account only exists on the web server. If you were able to add this account to SQL Server, you would be authorizing an IIS AppPool that is running on the same machine as SQL Server. (I suspect it might still fail.)
The most secure solution would probably be to do as you say - create an account on the domain, give that account appropriate permissions on the database, and run the AppPool using that account's credentials.
However, if you'd still like to do it, you need to authorize the computer that the AppPool is running on - ie, DOMAINNAME\ComputerName$ (note the $ at the end).
Take a look at this article for more information (specifically, the section titled Accessing the Network).
I think that's a bad idea, however, because it authorizes any program running as NetworkService to access the database - not just your web applications.

ERROR_USER_UNAUTHORIZED when deploy to IIS 7.5 when using IIS manager user

I'm trying to deploy from a teamcity server to my iis server but I get unauthorized when I use an IIS Manager user set up in IIS. If I use a Windows account it works just fine. Am I missing something?
I thought it was enough to create an IIS Manager User in ISS, or do I have to add that user to the domain or server I'm trying to deploy to?
In the Management Service Delegation I have added two rules, it could probably be combined into one. The first rule is for contentPath and iisApp and the second is for createApp. Both rules are run as an administrator user. I have added that all users (*) are allowed to execute the rule.
Is it something else I need to enable on the target server for it to work with IIS Manager Users?
I get the following message in my event viewer:
IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED
Only Windows Administrators are allowed to connect using a server connection.
Other users should use the 'Connect To Site or Application' task to be able to connect.
Process:WMSvc
Ok, I've been looking for an answer for some time and couldn't find it... but of course I figure it out myself as soon as I post the question here. The answer to my problem was that I have to add the IIS Manager User to the site which I want to deploy to. So if I selected the sites and then opened up the "IIS Manager Permissions" and added my user it all started working just as expected.

401.1 Error when accessing virtual directory pointing to network share

IIS5 is running on SERVER1.
One of the virtual directories in IIS, myfiles, is pointing to "A shared location on another computer", //SERVER2/myfilesshare
When I try to access the page:
http://SERVER1/myfiles
... I get the error:
You are not authorized to view this page
HTTP 401.1 - Unauthorized: Logon Failed
Internet Information Services
I have triple-checked the "Connect As..." settings in IIS. The credentials I'm using to access the share are correct-- they work when connect to the share in Windows Explorer, but not through the IIS virtual directory.
I've tried granting full permission to Everyone on the folder in SERVER2, but no luck.
Any thoughts?
This was how I solved my problem, might help you.
By default, IIS uses local user called IUSR for virtual directories when using anonymous authentication. It does not use application identity, which should be obvious, if you use procmon.
How can you force it to use application identity?
Easy, under IIS manager:
1) go to Authentication
2) Edit "Anonymous authentication"
3) Select "Application pool identity"
4) Restart IIS & it should work.
The same accomplished with PS: Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/AnonymousAuthentication -name username -value ""
This link contains the pros/cons: http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-either.aspx
Permission issues can be tricky. Try running filemon on the 'other computer' It can be downloaded over here: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
(it's not a big application just a tiny lightweight tool)
After you've started filemon, stop the monitor process (I believe it's turned on by default when you start the application), clear the logged data, create a filter for the folder you have trouble getting access to. Start the monitor process. Request your webpage. Stop the monitor process and look for "access denied" messages in filemon. When found, filemon will also mention the name of the actual user which is trying to get access. This might help you to get to a solution.
Btw when using Windows Server 2008 you will need processmon instead: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Imagine a scenario where for whatever reason you want to have your IIS Server access a Share on a File server and they are not on the same domain.
If you can follow and get this to work for you (I have done it Win2008-R1 32-bit File Server and Win2008-R2 64-bit with IIS 7), then you should be in good shape for any scenario.
Same name local account on both servers with same password
On IIS, use aspnet_regiis -ga MyAccount to give local account access to IIS guts
Now use that as the Application Pool Identity of the Website
Using Local Security Policy (Admin Tools) enable trust for delegation for local account
Restart IIS server
On File Server, use Local Security Policy to enable access from network for local account
Create Share granting desired permissions to local account (also Security tab permissions as needed)
Open up File & Print Sharing ports on both (as restrictive as possible) to point where it works for you when you are using Windows Explorer between the two
Back to IIS, create Virtual Directory using UNC path to Shared folder from File Server
Just use Pass-through authentication (which would use your local account)
You can tell Anonymous Authentication setting of the Virtual Directory to use Application Pool Identity as well
Use something that will test/verify. The key really is trust for delegation using a Service Account (domain or otherwise), and having IIS use the account you want it to use instead of Local Server or Network Service.
This took me all day to figure out. Various threads in StackOverflow and other Internet sources helped point me to various resources me but didn't find my exact answer anywhere. Hopefully next person stuck with this problem will get a speed boost on the path to resolving with my description of what worked for me.
try enabling windows authentication on the virtual directory security tab (in IIS).

Add user to SQL Server 2008 - permission denied

I have recently had some problems that I think might be helped by debugging my ASP.NET MVC application in IIS instead of with the default ASP.NET Development Server. However, when I try this the application can't access the database server (MS SQL Server 2008 Express) - it works fine on the Development Server though.
The error I get is
Cannot open database 'myDbName' requested by the login. The login failed.
Login failed for user 'NT INSTANCE/NETWORK SERVICE'.
I assume it worked before because the development server accessed the database through my user account, and not via the network service like IIS.
I tried adding the user NETWORK SERVICE to the database, but it turns out I don't have the user privileges to do so - it doesn't matter that my Windows account that I log on to the server with is admin, or that I run the program in an administrator context. I just can't add another user to the DB.
How do I solve this problem?
You could change the user that IIS runs under: it's a setting in the properties for the ApplicationPool that your web site's running under.
We do this all the time as it gives us better control over user access - that NT INSTANCE/NETWORK SERVICE account's a bit too magic for my liking...
NETWORK SERVICE is a special account. If your database server is on another machine from your IIS server, you need to add the account:
\$ as a user for the database. So if you're on a IIS Server called LISA on the SPRINGFIELD network, you would need to grant access to SPRINGFIELD\LISA$ to your database. Note the dollar sign which denotes your user as a machine account and not an actual person.
If your database server and your IIS server are one and the same, grant access to the account "NT AUTHORITY\NETWORK SERVICE". That's the whole name of the account. And that should work.
Are you running a non-english Operation System?
For some reasons, the account name of "NT Authority\Network Service" has been localized in other languages.
Sadly, a lot of programs have the account name hard coded to the english name, and won't find the Network Service when running on foreign versions of Windows.

Resources