I have installed and configured BizTalk and followed the Warehouse tutorial. I am now trying to use the BAM portal as BizTalk seems to be processing my documents, but they are just disappearing into the ether rather than arriving at either of my destination end points.
The error I am getting is "HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers."
I have tried all of the authentication methods, given "Everyone" read/write/execute privilege on the portal directory (this is just a stand alone vm on my pc!) but I can't get past this problem. I am not an IIS expert, so this is probably a simple fix, but I am darned if I can see what it is.
Windows Server 2016, SQL Server 2016, IIS Version 10.0.14393, BizTalk Server Version 3.12.774.0 (BizTalk 2016)
EDIT
I enabled Anonymous Authentication and disabled ASP.NET Impersonation. This changed the error to "Access is denied". This would tend to indicate that the application is happy with Anonymous Authentication, but something is wrong with the permissions on the actual folder. I have again checked, including the two sub-sites and everyone has all permissions on all the folders (I know this is overkill, but I am just trying to get this working).
This was a very simple fix in the end. Windows Authentication was not available as an option, so I installed this and now I can get to the page.
Related
I got a new computer and I'm trying to publish my website through web deploy in Visual Studio from the new computer but it keeps saying failed due to unauthorized user. I'm using the same visual studio account, the same password. Everything else is identical to what it looks like in the old computer.
Is there something on the azure website that I need to update to allow a new computer to publish? Is the password different from the username/password I login to get into azure portal? There seem to be a lot more **** in my old computer's password input than what's required. I just assumed that it at some point did that for security purposes.
This is the error I get when going to Settings in the publishing window in Visual Studio and when I click Validate Connection:
Connect to the remote computer ("website name" using the Web
Management Service, but could not authorize. Make sure that you are
using the correct user name and password, that the site you are
connecting to exists, and the credentials represent a user who has
permissions to access the site. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.
The remote server returned an error: (401) Unauthorized.
Is there something on the azure website that I need to update to allow a new computer to publish?
No.
Is the password different from the username/password I login to get into azure portal?
Its not different. Its the same.
I have noticed that sometimes, even with everything being correct from our side, VS web deploy to Azure simply may not work. It could a simple connection issue from VS to Azure, in terms of authentication and no fault of yours.
I don't know why VS is giving authentication error, but as an alternative, you could, deploy your site locally to a folder in Visual Studio. Then, deploy the site manually to your site via FTP.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-deploy
In the long run, you will come to trust FTP deploy than VS deploy which is simply too much of a hassle.
I'm having a pretty strange issue with Azure tools for VS 2013 (version 2.6). Whenever I try to sign in to my Azure subscription (e.g. from Server explorer or creating a new web role project) I get the following error:
Server Explorer
An error occurred during the sign in process: User 'foo#gmail.com' returned by service does not match user 'bar#outlook.com' in the request
OK
My subscription owned by 'bar#outlook.com' and I can perfectly fine sign in either to management portal in a browser (IE, Spartan and Chrome) - as well as in the Power Shell. Tried everything - cleaning up browser caches/cookies, resetting IE settings, playing with different IE security settings - nothign works.
Any help is appreciated - this issue drives me crazy.
P.S. I'm on Windows 10...
I had the same problem. Imported the certificate manually and everything worked ok: https://social.technet.microsoft.com/Forums/en-US/9cdafeb4-f459-436d-b2b8-9bc5c01f0df1/azure-tools-for-vs-cant-sign-in-to-subscription?forum=windowsazuredevelopment
I had this issue, to resolve it I:
Added 'foo#gmail.com' as an alias in my 'bar#outlook.com' Microsoft account, via account.live.com
Made the 'foo#gmail.com' email address the primary alias for my Microsoft account
I could then log in successfully in to Azure by pressing the Connect to Microsoft Azure button in the toolbar of the Server Explorer in Visual Studio 2013 and see all of my websites under the App Service node.
(When I'd used the certificate method described in the other post and Microsoft documentation I'd been able to see all my sql databases etc. but not the websites.)
Once I'd done all that I then switched my primary alias back to 'bar#outlook.com' and server explorer carried on working.
NB: If you're experimenting with this beware that there is a limit on how many times you can switch your primary.. as I have just discovered.. and now my primary is stuck on the wrong email address for a week.
NB2: If your connecting in order to be able to remote debug the website, then this can still be done by going to Visual Studio>Main Menu>Debug>Attach To Process, and then enter the URL of the site (without the http bit, e.g. mysite.azurewebsites.net) as the Qualifier and then attach to the w3wp.exe process.
I am having the exact same issue. It seems that the Azure sign-in in Visual Studio is redirecting to our organizational Single Sign-On instead of the Microsoft one. I have managed to work around this problem by using a Microsoft account that is not tied to my organization:
Create new Microsoft account or use an existing account not associated with your organization
In https://manage.windowsazure.com select Subscriptions/Manage Administrators
Choose Add+ and add the new Microsoft account as administrator to your subscription
Log on to Azure using the new account from Visual Studio
/Morten
I changed my Microsoft account's email address and had this problem. Adding an alias did not help.
The problem is to do with the Azure Active Directory Library for DotNet. For whatever dumb reason, they throw an exception when Azure returns an ID different than the one requested (if the server isn't crying about it, why make up an error and make the client deal with it?).
Since Azures's support was no help, I had to build a custom copy of the ADAL with that moronic exception removed and an assembly version matching the one used in VS2013 (2.11). Also importantly, disable strong name verification for the custom assembly.
Preparing for the migration of asp-application with Windows 2000 (web1) on Windows 2003 (web2).
On the old server has a folder to share documents, use for imports and exports (\ \ web1 \ folder). I want to provide access to the same folder access asp-application with the new server.
Configuration IIS: anonymous access is allowed, including checking windows. Pool started under the Network Service.
But there is no access.
And there is an interesting fact: if handled locally with the new server as http://localhost, you have access (impersonation works), if handled as http://web2, then there is no access. Error:
Microsoft VBScript runtime error Error '800a0046 '
Permission denied
We some changed security settings, local IE 6 - earned through http://web2 too, but in other browsers (like Opera) does not work. On other machines does not work either.
Put utility procmon from SysInternal. It shows that in both cases is an appeal to the resource, in both cases is impersonation, all the same, but in one case, SUCCESS, and the other ACCESS DENIED.
The entire security system of this application is based on the rights of NTFS, so you can not disable impersonation.
I'm newby in classic asp. I can not understand this case.
Classic ASP does not run under Application Pool account, credentials provided in IIS Anonimous Authenctication tab used instead, usually it is IUSR_MACHINENAME.
Looks like the anonymous authentication fails and Windows authentication used, this is the reason it works locally and in IE which supports Windows authentication by default.
UPDATE: Check this article: How to troubleshoot Kerberos-related issues in IIS
UPDATE 2: Also this can help you diagnose what's going on on IIS side: Authentication and Access Control Diagnostics
I guess the simplest way to access share is to add read permission to Guests group.
you can change the user of the anonymous authentication to be the app pool user , i tested it and it works !
go to iis -> web site \ virtual directory -> authentication -> choose anonymous -> edit -> change user identity to application pool user
screenshot:
I am trying to modify an xml file from my aspx code. The file is in another directory from my project like in D:\folder\file.xml When publishing my code and running it I am receiving an error as not to be able to access this directory, access in denied. Which user account shall I add to this folder in security option to be able to modify it. I tried adding IIS user but it does not seem to work. Any other workaround this ?
Check which identity that's associated with the application pool, and grant that user access to the folder.
You didn't specify which version of IIS you're using, but here's a decent article on how application pools work
I solved the issue finally..
In my pc I am using Win Xp and had to grant ASP.NET machine account user appropriate rights on the file while on the server that i am finally publishing the code I am using Windows Web Server 2008 and the matching ASP.NET Machine Account was Network Service i granted the same rights here and now i can modify the file successfully.
I am using IIS 7.5 on this machine.
I think your approach Tchami has the same idea. So I am marking it as the answer :) Thank you
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.