I am running a intranet website on IIS. Now my task is to access a folder with a normal href="" outside of the wwwroot folder. I think this isn't possible, so I tried to symlink the folder. I successfully created a symlink to the folder. But now I get the error message: "401 not authorized: Access denied due to invalid notifying informations".
Any ideas?
All help is highly appreciated!
Thanks guys!
First of all don't use symlinks, just add a virtual directory to your site that points to the external folder.
Once you've done that you then need to ensure that the user the site is running under, usually the "Application Pool Identity" has the correct permissions to access your external folder. One of my previous answers explains how to do this:
How to apply Application Pool Identity permissions
Related
After a successful build using a hosted VS2017 agent, I'm trying to deploy on-prem using an local hosted agent which was setup using a domain account which should have sufficient permissions as it is in the local admin group. As I was digging around on this issue elsewhere, one user re-installed their agent using NTATHORITY\SYSTEM and it worked.
I d'ont really need to create or stop\start the website, just deploy the recent build artifact.
What permissions should I check or should I use another task?
019-04-06T21:03:10.3898646Z ERROR ( message:Configuration error
2019-04-06T21:03:10.3899503Z
2019-04-06T21:03:10.3899791Z Filename: redirection.config
2019-04-06T21:03:10.3900026Z 2019-04-06T21:03:10.3900293Z Line
Number: 0 2019-04-06T21:03:10.3900530Z 2019-04-06T21:03:10.3900852Z
Description: Cannot read configuration file due to insufficient
permissions 2019-04-06T21:03:10.3901076Z 2019-04-06T21:03:10.3901333Z
. ) 2019-04-06T21:03:10.8135484Z ##[error]Process 'appcmd.exe' exited
with code '5'.
An agent is running under a user. The error means that your user doesn't have permissions to read/modify the redirection.config file that is necessary to manage IIS.
You have multiple options to solve this.
Change the user were the agent is running under. In example: NTATHORITY\SYSTEM
Give permissions to the user were your agent is running under to the folder C:\Windows\System32\inetsrv\config. If you want to create app pools or websites etc, modify permissions are of course needed.
When we install Azure agent as a service(In Windows, search for 'Services' and look for something like Azure Pipelines Agent..), by default it is logged on as 'Network Service'. Change it to 'Local System' and the pipeline should be able to run IIS related tasks/commands.
As the title suggests I am receiving an error "Cannot read configuration file" when attempting to read a JPG file from an Azure File share mounted on a VM (from within Azure network) through a virtual directory from within IIS 7.5
This points to a permission problem - I created a local user on the web server matching the username and set the password to the Access Key of the storage service on Azure (the same credentials to access/mount the file storage share).
I set this on the app pool the vdir runs under aswell as the virtual directory properties "Physical Path Credentials" - both still return the following error:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Information:
Module
IIS Web Core
Notification
BeginRequest
Handler
Not yet determined
Error Code
0x80070003
Config Error
Cannot read configuration file
Config File
\?\X:\web.config
Requested URL
http://localhost:80/myvdir/1.jpg
Physical Path
X:\1.jpg
Logon Method
Not yet determined
Logon User
Not yet determined
Config Source:
-1:
0:
So either the credentials i'm using do not match the UNC credentials or IIS does not support this.
Anyone have any ideas?
UPDATE - 2016-15-18
Solved
Thanks to Simon W and Forester123
The issue was due to the following missing steps:
When adding the local user I failed to add this user to the IIS_IUSRS group
Using the drive letter at the start of the physical path for the application. You must use the UNC path \myaccount.file.core.windows.net\sharename you cannot use a drive letter e.g. X:\
This URL (provided by Simon W) was invaluable http://blogs.iis.net/davidso/azurefile
Trying to use a mapped drive is likely your issue. Take a look at how this is achieved using a UNC instead: http://blogs.iis.net/davidso/azurefile
You need to specify the UNC path of your file share as the Physical Path property:
\\<your_storage_account>.file.core.windows.net\<your_share>
Using mapped drive will just give the error you encountered. Mapped drive is only for the local user session. See below test:
I'm trying to import a site into a new VM. This vm only has the demo corporate site.
I get an error when click Import Site or Object. The event log has two entries.
Both have the following statement: Message: Access to the path 'C:\inetpub\wwwroot\Kentico9\CMS\App_Data\Persistent\import_315c65f4-dc91-4175-a4e5-fdad1601727d_settings.dat' is denied.
I check permissions in to the Kentio9 VM and they match my DEV which doesn't have this issue. I didn't set up DEV, but i can't see why my new QA VM, which seems to have the same folder permissions doesn't work.
We have a service level account for connecting to the DB, all through the application pool. Could there be something on the account settings?
What kind of Identity is the Application pool are you using for this site? What about if you set it to ApplicationPoolIdentity and then grant permissions to IIS_IUSRS for your Kentico root folder?
Additionally you can try checking the disk permissions problems documentation page.
I'm interested in load balancing 2+ Windows VMs in Azure. My primary requirement, though, is that an 'uploads' folder would need to be consistent between each VM. Files in this folder are FTPed by our admin users, and they would then need to select these files in a C# MVC Web app. As you may connect through FTP to one VM, but a Web connection might be to another, the uploads have to be centralised.
It looked as if the new Azure Files, currently in Preview, would help, in that they let me set up a shared drive that each of the VMs could access. My thought was that FileZilla Server would allow FTPing up to this shared 'drive', and the Web app would access it to show the contents.
I've signed up to the Azure Files Preview, and set up the share, persistently mapping it to Drive Z for the sake of experimentation. I've also created a new user and made sure they too have persistent mapping to this same drive as Z.
But I can't seem to do anything with this outside of the Remote Desktop. FileZilla, despite having its Service set to log on using this new account, won't show the contents of this drive, or write anything to it. Likewise my Web App isn't able to access the file contents, despite switching Passthrough Authentication to this new account for the virtual folder.
Does anyone know any way of accessing this drive either through the network path or drive letter? Is this just not possible with Azure Files as they are? Are there any other solutions to sharing some blobs across VMs, but treating it as a local drive or network share?
[UPDATE]
This might help. Having set up the share, and used cmdkey and net use while in a cmd prompt runas a specially created user (as suggested in http://blogs.msdn.com/b/windowsazurestorage/archive/2014/05/27/persisting-connections-to-microsoft-azure-files.aspx), if I point a virtual folder in IIS to this share, using the specific account created, and Test Connection, I get:
Test: Authentication (green tick; "The specified user credentials are valid")
Test: Authorization (red cross; "The path does not exist or environment variables in the path could not be expanded to verify whether it exists.")
While still in a runas cmd prompt, I can access the share, so it's not a specific permissions issue. It just seems to be that IIS cannot use that user to access the share, for some reason. The limitation of Azure Files is that I cannot specifically grant any kinds of permissions on the folder within that share.
What worked for me is the following:
Create a new account
Set the IIS App Pool Identity to a this specific user
Set the IIS App Pool Load User Profile property to true
start a cmd promt as this user (runas)
do cmdkey and net use (with /persistent:true switch), as you described
create IIS Virtual Diretory with physical path set to UNC share path (not the mapped drive)
A little PowerShell snippet for point 5:
$share = "your-storage-account.file.core.windows.net\yoursharename"
$usr = "your-storage-account"
$key = "your-storage-key"
#store credentials for the network share - must be done for the user that will run the app pool
cmdkey /add:subclub.file.core.windows.net\images /user:$usr /pass:$key
net use z: "\\$share" /user:$usr $key /persistent:yes
The answers here proved helpful.
Setup
Create a new user {appuser}
Open a command windows as the user
runas /user:{appuser} cmd.exe
In the new {appuser} cmd window use
cmdkey /add:{storage-account}.file.core.windows.net
/user:{storage-account} /pass:{account-key}
Set the IIS Application pool to use {appuser}
4b. Set LoadUserProfile to true
Notice no need for the net use. Don't need the mapped drive.
Code
Now here's the key piece. From your app you must write to the UNC path.
\{storage-account}.file.core.windows.net\
ex.
File.WriteAllText("\\\\{storage-account}.file.core.windows.net\\share\test.txt", "contents goes here");
I just down loaded Azure SDK and created my firest WCF Service Role clicked on F5 but it goes to 127.0.0.1:81 and says
403 Access denied - forbidden ....
thanks for your advice.
As pointed out by Julien, please type the complete address. Otherwise IIS thinks you’re requesting the directory to list files, which by default is not allowed.
Try 127.0.0.1:81/Service1.svc ;)
Change Service1 by the name of your project