I have spent 12 hours on this, tried everything that I have read about, but I cannot get a new server farm we have,the website to write to a shared folder.
I have set the application pools, even temporarily (just to try it out) to admin accounts and even set the folder to be available for "everyone".
We have a network specialist who cannot figure it out either, in his favour he does not understand IIS very well and keeps away from it, but at the end of the day, its just a User account and permissions as far as I can see and I have set up the exact same website on a previous W2012 server and IIS 8.5, 7.5 and 6 without major issues (abeit registering 32bit DLLs in a 64bit environment) but all that has gone well and no issue (except for reading and writing to a shared folder).
SO breaking it down to its simplest form, I used a simple FSO script to write a text file in the shared folder, this clearly came back with "Permission denied line X".
Running the script through cscript as a VBS file, it works, running it through IIS. No chance.
Im not going to give up, but running as the top admin login (I had the network guy use HIS identity in the application pool) its not happening.
32bit has been enabled, yes, folder permissions set, yes.
Im at my wits end with the thing. Anything to suggest, I would be happy to listen and try.
Thanks all.
Update: I can write to the same MACHINE as IIS, any folder as long as I set the appropriate permissions. The difference between from this shared folder (I am working on a server farm, I forgot to mention that) is - when you do the security, locations "IIS AppPool\poolidentity" to add the user, it works on the same server, when I try to add that user on the shared folder on the networked server, that user does not appear - does this give any clues?
Ok - for me, after all the right things that I had done, was something I had not tried.
Select the site in IIS, so you sell all the icons for ASP, Authentication, Autohorization Rules, CGI etc.. - select the Authentication and Open Feature
You will see Anonymous Authentication (Enabled), ASP.NET Impersonation (Disabled), Basic Authentication (Disabled) and so on.
Select the Anonymous Authentication, right click Edit - by default it was set to "Specific User" IUSR - now for me, that did not work - so clicked on Application Pool Identity and boom, now its working.
Hope that helps someone else.
Related
I wrote a classic ASP script (.asp) for a customer a while back. it was running on IIS v6.1 Windows 2003. The customer contacted me and said they had a catastrophic server failure and restored from backup but my script isn't running now. I logged onto their server to check it out and IIS is serving the file (I am prompted to save when I browse to the script) but not executing the script.
Several people's hands were in the server before they called me, I think this is probably a simple config setting someone tried before they figured out how to enable the "ASP" web server roll feature. But for the life of me I can't figure out how they did it. this is obviously not the default behavior. If I was trying to get this behavior I would add the .asp extension to the MIME types, but I checked and it isn't there.
What could cause IIS to serve the source of the ASP script without executing it?
Based on your question I am assuming your restored server is also windows server 2003 ... in that case you will go to the file\folder and the permissions and select execute permission to enable a server side script processor to handle that request. Been almost a decade that I have touched a 2003 server so I can’t give you the exact steps ... but, you want to enable script permissions on that folder(I think, don’t remember if it’s granular enough to drill down to a file). Also, why on earth are they still running server 2003? Is that version even supported yet?
If it’s IIS 7, you want to make sure your app pool is in Classic ASP mode first off. Then go to site and then the handler mapping section, click edit and configure it that way.
When working on a project that uses IIS (not IIS Express) for local development, what permissions are actually required under window 8? I don't want to run as admin all the time...the first error message I get when running using the Local User Account (LUA) was about Metabase (probably a misnomer, as changing the permissions on that gave the same error message until the config files in inetsrv/config were also available). Now it builds, but then gives an error message "Unable to start debugging on web server. IIS does not list a web site that matches the launched URL".
The blog https://blogs.msdn.microsoft.com/jaredpar/2005/02/04/myth-creating-web-applications-with-visual-studio-requires-admin-privileges/ while old, at least hints that it should be possible to manually give myself (or a group that I create) the right permissions. Just need to figure out what those permissions are...
To run VS against IIS you need to run VS elevated (the process needs admin permissions).
From a non-admin account you could run VS "As Administrator", you will also need to do this with the tools necessary to configure IIS.
However I've never tried that, rather I run with a non-elevated admin account so any file changes from within an elevated VS are fully accessible to non-elevated processes.
Additional: note, VS really only needs the Debug Any Process privilege, but giving that one privilege gives the ability to gain all others (with some effort) going through the work to limit the VS process to just that one difference seems pointless.
I've setup a UNC share for IIS shared config using a specific AD service account and set to FULL CONTROL. I've also exported the config from one IIS server and set-up an additional IIS server to point to the share. When I open the applicationhost.config for example on the UNC share and remove an application pool, I can see the entry also remove in both IIS servers.
So I know:
1) I can export to the share with the specific service account
2) Both IIS servers can read the config when I edit manually
3) However when I remove an app pool from one of the IIS servers through the manager I get the above error.
I've tried using the process monitor utility to see what account is being used to write to the config and it seems it is my own AD user account rather than the shared service account. I know IIS Manager has my username e.g. ROOT\MYNAME logged on, but I wouldn't have thought it would use this to write changes to the shared config. Surely it would use the service account?
Does anyone know how to prevent this error? Why does the shared config and tied service account not come into play when making changes on one of the servers?
So, IMHO, this error is a red herring. I was publishing to a server and got a message saying I was out of space. So, I logged in, realized there was a bit of cruft in extra apps published in IIS, we didn't need. I right clicked and tried to remove one. I got the same error as you.
Having done some manual changes to applicationHost, I thought it "might be me" but it seemed very odd that editing this file would cause such a thing. However, I had recently learned that windows does some funky 32 vs 64bit machinations with this file (google it).
Deciding I had better things to do, I asked our IT to add space to the VM and guess what? I am no able to remove these apps. My guess is that I was at the end of the line on space and the backend management of these special files was not completing and throwing this not-so-helpful exception.
I'm not a 100% about this. For full disclosure, I will add that updates had been applied recently, but I'm pretty confident that this is a possible solution.
I have deployed a web site to a Win 2008 Web server with IIS7. The site works fine on a Win 2003 Standard server with IIS6. On the 2008 box, whenever I request a page (htm or aspx) from a folder named Reports, I get challenged with the Windows Authentication dialog box.
I have Anonymous Authentication and Forms Authentication enabled on the site. I applied Full Control permissions to the root of the site for both NETWORK SERVICE and IIS_IUSRS, but that hasn't make a difference.
Like a previous post already mentioned, here are the detailed steps to fix this:)
If there is a folder in the application named "Reports" and SQL Server Reporting Services are installedon the server, then Reporting Services Virtual Directory folder that is also named "Reports" will be in conflict with the application "Reports" folder.
To fix this open Reporting Services Configuration Manager (Start->All Programs->MS SQL Server->Configuraton Tools) and change the Virtual Directory under the "Report Manager URL" in the menu on the left.
Did you install MSSQL Reporting Services on your new machine? It'll use the Reports folder for the reporting toolkit (default setting) and under MSSQL 2008 you can't enable anonymous Access out of the box.
whats is the authentication mode in your web.config, verify that is not in Windows
<authentication mode="Windows" />
also be sure to disable integrated windows authentication in iis
You could try running FileMon from SysInternals to see if it is the file system that is sending back the "access denied".
Quote from another forum that solved this issue for me:
"SQL Server Reporting Services creates a folder called Reports by default if you install it on IIS. If you install SQL 2008 then Reporting Services doesn't need to use IIS and instead will try to reserve the URL with the HTTP.Sys service.
I believe this is the cause of the conflict you are seeing. What you could try is changing the URL that Reporting Services uses via the SQL Server Reporting Services Configuration Manager."
Well speaking on the same subject here, yesterday I was deploying my application on Windows Server 2008 running IIS7 w/MSSQL 2008 on there too. In my website's tree structure I had a folder named Reports that had a subfolder in it, and then the actual pages. It looked like this "Reports/SalaryReports/SalaryReport.aspx" The interesting thing was that when I clicked on a hyperlink to go to "Reports/SalaryReports/SalaryReport.aspx" I got a username/password prompt from my server. This did not happen on the VS development server when I ran the application on the development machine. So I was like hmm? I looked at the code-behind in SalaryReport.aspx and did not find anything unusual. So then I put a Default.aspx directly in the Reports folder (thinking maybe it was something wrong with the authentication going two nodes down from the root to get to SalaryReport.aspx) but the server still requested username/password even though there was no security settings applied to this new Default.aspx. So I figured it must be that the folder is named "Reports", so I renamed it to "Reports1" and bigno! Everything worked!....I will still look further in this issue today, but it seems that either an IIS 7 HttpModule (not one of mine) is trying to "reserve" the folder that is named "Reports" for itself or something else...I'll look into the SQL Server Reporting services as the above post mentioned...
Anyways, just wanted to share:)
I'm supposing you don't have a SQL Reporting Services running on the same server:
1 - Give rights to user "IUSR" and the user that's running your application pool.
2 - Overwrite child folder permissions and ownership.
2 - Check if there's a web.config file on that folder setting different access rules.
Okay, so I'm running a small test webserver on my private network. I've got a machine running Windows 2000 Pro, and I'm trying to run an ASP.NET app through IIS.
I wrote it so that the webpage would use the registry to store certain settings (connection strings, potentially volatile locations of other web services, paths in the local filesystem where certain information is stored etc...) Of course, it worked fine when testing with VStudio.NET 2005, because the user running the app has elevated privileges. However, running it on IIS I get a "Access to the registry key 'HKEY_LOCAL_MACHINE\Software' is denied.", which suggests the IIS user doesn't have read access to that part of the registry (I only do reads through the website itself, never writes).
I was like "okay, simple enough, I'll just go give that user rights to that part of the registry through regedit." The problem is, I don't see an option anywhere in regedit to change security settings... at all. Which got me thinking... I don't think I've ever actually had to change security settings for registry hives/keys before, and I don't think I know how to do it.
Half an hour of searching the web later, I haven't found any usable information on this subject. What I'm wondering is... how DO you change security rights to portions of the registry? I'm stumped, and it seems my ability to find the answer on Google is failing me utterly... and since I just signed up here, I figured I'd see if anyone here knew. =)
If your having touble with RegEdit in Windows 2000 you can try the following:
Copy the Windows XP RegEdt32.exe to the Windows 2000 Machine
Using a Windows XP Machine, connect to the Windows 2000 registry remotely: File > Connect Network Registry
You can set permissions at the folder level for which you want to grant user permissions read/write access.
In your case, right click on the "Software" folder and select "Permissions".
You'll probably know the rest from there.
EDIT: If you still run into issues, you may want to modify your web.config file and use impersonation to have your web application run as a certain user account. Then you can put a tighter reign on the controls.
RegEdt32.exe will allow you to set permissions to registry keys.
Simply right click on a Key (Folder) and click Permissions, then you can edit the permissions as you would an file system folder.
I did so, assuming that a Security setting would be available. I didn't see any "Security" option when I right-clicked on the Key. =( I triple-checked just to make sure... and I just tried it on my XP machine, and it does indeed have the "Permissions" section... but the Windows 2000 machine doesn't. (how's that for wierd?)
In my searching, I found:
http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_21563044.html
Which notes that RegEdit for Windows 2000 doesn't have the Security/Permissions settings... but it proposes no solution to the problem. (Whoever asked the question was using Windows XP so he was okay... but in my case, it's 2000)
Is there any way to make it happen specifically in 2000?
EDIT: Ahhhh... if worse come to worse, I suppose I can do the impersonation as mentioned below... though if I can't set security settings for the registry in 2000, I'm left with making that user have Administrative access (I assume?) to actually get those rights, which sadly defeats the purpose. =(
Oh, let me try that! I didn't realize you could remotely connect to another registry.
(EDIT: I was wrong, it did work... it just took several minutes to respond to my request to change permissions remotely)
The remote connection idea did it! You're good! Thanks so much for your help! I never realized you could remote connect with RegEdit... you learn something new every day, they say! =) Thanks again for your assistance! =)
On another note though, about copying the XP version of RegEdit to Windows 2000... is that safe? I figured they would be coded in such a way as to be incompatible... but I could be assuming too much. =)
Just use RegEdt32.exe instead of Regedit.exe.
Go to the desired key or folder, then open the security menu and click on 'permissions'.