Cannot create App-pool SpecificUser Identity inside Windows Containers - iis

I am trying out Windows Containers based on the microsoft/dotnet35 image on Windows Server 2016 TP5 for my Web App. I need to set up the App-pool Identity to a specific user, but I am getting an error when running the command below inside a Windows Container.
C:\>%windir%\system32\inetsrv\appcmd set apppool /apppool.name:spark /processModel.identityType:SpecificUser /processModel.username:Domain\username /processModel.password:test
APPPOOL object "spark" changed ERROR ( hresult:80090016,
message:Failed to commit configuration changes. Keyset does not exist
)
I cannot connect to my database without setting this up as I am using Windows Authentication.
Please help.
Regards

After searching around I finally found the issue. The error was gone after I ran the command below:
%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries
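As an added example that is not part of the question or the answer above: the same identity change made from PowerShell with the WebAdministration module, prompting for the password instead of passing it after /processModel.password:, where it lands in the shell history and is visible in a process listing while appcmd runs. The pool name "spark" comes from the question; that the WebAdministration module is available in the container image is an assumption.

```powershell
# Added example, not from the question or answer above. Assumes the
# WebAdministration module is present (IIS management scripts and tools).
Import-Module WebAdministration

$poolName = 'spark'   # pool name from the question

# Prompt for the account rather than typing the password on the command line.
$cred = Get-Credential -Message "Account that app pool '$poolName' should run as (DOMAIN\user)"

# processModel.identityType: 0 LocalSystem, 1 LocalService, 2 NetworkService,
# 3 SpecificUser, 4 ApplicationPoolIdentity.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Read the setting back. IIS stores the password encrypted in
# applicationHost.config with the AesProvider key container; when that key
# container is missing the commit fails with "Keyset does not exist"
# (0x80090016), which is what the iissetup.exe step in the answer repairs.
$pm = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
"{0}: identityType={1} userName={2}" -f $poolName, $pm.identityType, $pm.userName
```

The password still ends up encrypted on disk in applicationHost.config. Where the container is domain-joined through a credential spec, a group managed service account (userName "DOMAIN\account$" with no password) avoids storing a domain password in the image or its configuration at all.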

Related

IIS - AddDataProtection PersistKeysToFileSystem not creating

I'm developing an ASP.NET Core application to run on a web farm, and I'm using "AddDataProtection" for key encryption at rest, like the documentation recommends, but when I deploy my application and run directly from IIS with the AppPool identity, the key is never created and I get errors in the DpapiNG Windows logs.
My code is the following:
services.AddDataProtection(opt => opt.ApplicationDiscriminator = ApplicationConfig.dataProtectionApplicationDiscriminator)
.PersistKeysToFileSystem(new DirectoryInfo(encKeyPath))
.ProtectKeysWithDpapiNG(string.Format("CERTIFICATE=HashId:{0}", ApplicationConfig.dataProtectionCertThumbprint),
flags: DpapiNGProtectionDescriptorFlags.None);
Debugging from Visual Studio, everything runs fine, but I'm running VS under administrator rights, so permission is not an issue here.
I've tried adding permissions for the AppPool user to the private key itself directly from MMC, but it did not work, and I even gave permission on the full path to the location where the keys should be created, as stated here https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview (check first comment), but that also did not work.
I was only able to make it work by setting the AppPool to run with the identity of an Administrator, but clearly this is a no go, I just wanted to make sure this was a permission issue somewhere.
Is anybody facing the same issue that is able to help?
Regards,
André
Most likely your issue is you are trying to store your keys somewhere in a folder path that you are cobbling together (or even by using the default path that AddDataProtection provides) that uses an environment path such as %LOCALAPPDATA%. Example: "%LOCALAPPDATA%\ASP.NET\DataProtection-Keys".
Usually, by default IIS DOES NOT set up your app pool accounts with environment path variables such as %LOCALAPPDATA%. The value ends up being blank and your app then tries to write keys to the wrong folder (such as \ASP.NET\DataProtection-Keys instead of %LOCALAPPDATA%\ASP.NET\DataProtection-Keys).
Fix: Within %WINDIR%\System32\inetsrv\config\applicationHost.config set setProfileEnvironment=true. I think you have to restart IIS as well.
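An added example, not part of the answer above, of applying that fix with the WebAdministration module instead of editing applicationHost.config by hand, and then checking that the account the pool runs as can actually write the key ring directory (the permission problem the question describes). The pool name and the key directory are assumptions; loadUserProfile and setProfileEnvironment are the real attribute names on the pool's processModel element.

```powershell
# Added example, not from the answer above. Pool name and key path are assumed.
Import-Module WebAdministration

$poolName = 'MyWebFarmApp'            # assumed pool name
$keyPath  = 'D:\DataProtectionKeys'    # assumed directory given to PersistKeysToFileSystem

$ah = 'MACHINE/WEBROOT/APPHOST'
$pm = "system.applicationHost/applicationPools/add[@name='$poolName']/processModel"

# loadUserProfile loads the pool account's profile; setProfileEnvironment then
# fills the worker process environment (LOCALAPPDATA, APPDATA, TEMP) from that
# profile instead of leaving those variables blank.
Set-WebConfigurationProperty -PSPath $ah -Filter $pm -Name loadUserProfile -Value $true
Set-WebConfigurationProperty -PSPath $ah -Filter $pm -Name setProfileEnvironment -Value $true

$cfg = Get-WebConfiguration -PSPath $ah -Filter $pm
"{0}: identityType={1} loadUserProfile={2} setProfileEnvironment={3}" -f `
    $poolName, $cfg.identityType, $cfg.loadUserProfile, $cfg.setProfileEnvironment

# The account that has to write new key files into the key ring directory.
$account = switch ("$($cfg.identityType)") {
    'SpecificUser'            { $cfg.userName }
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    default                   { $null }   # NetworkService/LocalService: check by hand
}
if (-not $account) { "Pool runs as $($cfg.identityType); check the ACL on $keyPath manually"; return }

if (-not (Test-Path $keyPath)) { New-Item -ItemType Directory -Path $keyPath | Out-Null }

$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$hasWrite = (Get-Acl $keyPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $account -and
    ($_.FileSystemRights -band $modify) -eq $modify
}
if ($hasWrite) {
    "$account already has Modify on $keyPath"
} else {
    # Modify on the folder, inherited by files (OI) and subfolders (CI); no more than that.
    icacls $keyPath /grant "${account}:(OI)(CI)M" | Out-Null
    "Granted Modify on $keyPath to $account"
}
```

Run it elevated on the web server and restart the pool afterwards (the answer says IIS may need a restart for the profile settings to take effect). The ACL check only looks for a direct entry for the pool account; if access is granted through a group the script will grant a second, redundant entry rather than miss it.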

Keyset does not exist / Identity invalid

Note: I've found several similar questions on here, but the ones that were resolved did not work for me. So I thought I'd open a new question.
I rebooted our server 2012 box, which hosts our new .net applications. After doing so, I started receiving a 503 error. Upon investigation, it seemed like an identity problem.
Before going much further, I should state that this account has worked for several months now. I've rebooted before, and everything started fine.
So I'm getting the (quite common) 5059, 5057, and 5021 errors in the log. They boil down to this:
The identity of application pool SVFileUpload is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
I thought I would just ensure the password and account were correct, so I go to the application pool, select identity-> custom and ensure it's set up right. I get an error:
There was an error while performing this operation. Details: Keyset does not exist (Exception from HRESULT: 0x80090016)
This was strange to me, so I tried setting the app pool to a built in account, and it worked fine. I get this error anytime I try to set to a custom account. Also, no app pools that are using custom accounts will run.
I googled a bit, unsure which error was the one I needed to track. I have tried:
registering the account on the command line via the aspnet_ tool
Making sure the user was in the IIS_IUSRS group
changing the permissions on C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys file(s)
adding a completely new user and trying to set an app pool to that users account
There were a couple of other random things I tried from googling, but I don't remember them.
This error doesn't make sense to me, and it seems random. I need help figuring out 1) why I can't set an app pool to a custom account and 2) why the identity isn't working for my applications anymore
-Edit
I recently removed and re-added the user account I've been working with. I think that solves that problem. The problem remaining is I can't update the application pool because of the "keyset does not exist" error.
I found a couple of links that led me to a solution.
In c:\windows\system32\inetsrv\config\applicationHost.config I removed all the configProtectedData entries.
Then I removed everything in %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys
I ran iissetup.exe /install SharedLibraries from the inetsrv directory, which resulted in a "Failed = 0x80070005"
I then was able to set up my application pools as if nothing happened.
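The steps in the answer above delete the machine key store, which also affects anything else on the box that keeps keys there. As an added example that is not part of the answer, this PowerShell collects the evidence first: the WAS events the question names, which pools run as a custom account and whether they are stopped, the configProtectedData providers in applicationHost.config and how many key files the machine key store still holds. Paths are the IIS defaults; the event IDs come from the question.

```powershell
# Added example, not from the answer above. Read-only; run elevated.
Import-Module WebAdministration

# 1. The identity-related WAS events from the question (System log, last 24 h).
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WAS'
    Id           = 5021, 5057, 5059
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue
"{0} WAS identity event(s) in the last 24 h" -f @($events).Count
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 2. Pools running as a custom account, with their current state.
Get-ChildItem IIS:\AppPools |
    Where-Object { "$($_.processModel.identityType)" -eq 'SpecificUser' } |
    Select-Object Name, State, @{ n = 'User'; e = { $_.processModel.userName } } |
    Format-Table -AutoSize

# 3. The providers that encrypt those passwords (the configProtectedData
#    entries the answer removes) and the key store they depend on.
$appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$xml = Get-Content -Path $appHost
$xml.configuration.configProtectedData.providers.add |
    Select-Object name, keyContainerName, useMachineContainer | Format-Table -AutoSize

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFiles = @(Get-ChildItem -Path $machineKeys -Force -File -ErrorAction SilentlyContinue)
"{0} key file(s) in {1}" -f $keyFiles.Count, $machineKeys
```

If the provider list shows a keyContainerName but the key store is empty or unreadable, the "Keyset does not exist" error is explained and the repair steps above apply; if the key store looks intact, the other answers on this page (remote IIS Manager sessions, missing local administrator membership) are the more likely cause and no deletion is needed.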
See also https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Keyset-does-not-exist-exception-from-HRESULT-0x8009000D-or-or/ba-p/342955 for a more detailed explanation
I ran the iisreset command and my problem was solved
I had the same error message because my user was not a member of the "Local Administrators" group.
I was able to connect to the server because I was a member of the "Remote Desktop Users" group.
I was able to open IIS Management and to change settings, but when I clicked on the "OK" or "Save" button - I got the "Keyset does not exist" - error message.
So my advice - check if you are an administrator.
I tried to change the Identity of Application Pool on a remote server and it failed with the above error.
I RDP into the remote machine and then tried to update the Identity using local IIS Manager and it worked.
For anyone on Windows server 2008 stumbling into this error:
this may occur when you are managing the IIS instance from another server using the remote management feature ('connect to another computer').
I resolved by managing the IIS instance from the server itself.
https://support.microsoft.com/en-hk/help/977754/-keyset-does-not-exist-error-message-when-you-try-to-change-the-identi
Since I am working on a fresh server I was able to uninstall the IIS Windows Feature and then re-add it.
I was able to change the App Pool Identity after that with no issues.
delete the RSA folder found here: C:\Users\username\AppData\Roaming\Microsoft\Crypto\RSA
MAKE A BACKUP JUST TO BE SURE. WORKED FOR ME

What is this vague error with 'redirection.config' while building a Web Deploy package?

I'm trying to build a Web Deploy package via msbuild on a new machine and it's not working. It builds fine on other machines, but here I get the following vague error:
...\Microsoft.Web.Publishing.targets(2767,5): error : Filename: redirection.config
...\Microsoft.Web.Publishing.targets(2767,5): error : Error: Cannot read configuration file
...\Microsoft.Web.Publishing.targets(2767,5): error :
...\Microsoft.Web.Publishing.targets(2767,5): error : Unknown error (0x80005000)
I'm not sure what 'redirection.config' is, and the line reference to the .targets file doesn't help at all.
How can I fix this?
redirection.config is a file that lives in the IIS configuration directory, typically %SystemRoot%\System32\inetsrv\config. Here are two possibilities:
The account building your project doesn't have access to the IIS config dir. This might happen if you have an automated build identity with special permissions, or if you need to start Visual Studio as an administrator.
You don't have IIS installed at all on the new machine. Check to be sure the IIS config directory, and redirection.config in particular, even exist. If not, you'll need to install IIS.
If you receive this error when deploying with Release Management (via IISConfig.exe) be sure that the deployment agent service account is in the local Administrators group. You may need to restart the deployment agent service.
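An added example, not part of the answer above, that checks the two possibilities it lists from the account that runs the build: whether IIS is installed at all (the config directory and redirection.config exist) and whether that account can read the file, reporting along the way whether the session is an elevated administrator.

```powershell
# Added example, not from the answer above. Run it as the build account.
$configDir = Join-Path $env:SystemRoot 'System32\inetsrv\config'
$redir     = Join-Path $configDir 'redirection.config'

$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([System.Security.Principal.WindowsPrincipal]$me).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0}; elevated administrator: {1}" -f $me.Name, $isAdmin

# Possibility 2 from the answer: IIS is not installed on this machine.
if (-not (Test-Path $redir)) {
    "{0} not found: IIS is not installed on this machine" -f $redir
    return
}

# Possibility 1: the build account cannot read the IIS config directory.
try {
    [xml]$x = Get-Content -Path $redir -ErrorAction Stop
    $enabled = $x.configuration.configurationRedirection.enabled
    "redirection.config is readable; shared configuration enabled: {0}" -f $(if ($enabled) { $enabled } else { 'false' })
} catch {
    if ($_.Exception -is [System.UnauthorizedAccessException]) {
        "Access denied reading {0}: {1} needs read access to {2} (the answer suggests local Administrators membership or an elevated Visual Studio)" -f $redir, $me.Name, $configDir
    } else {
        throw
    }
}
```

redirection.config normally contains only an empty configurationRedirection element unless IIS shared configuration is in use, so "enabled: false" is the expected output on a working machine; the point of the read is that it fails with access denied exactly when msbuild would.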
Similar Issue resolved below - Might help
Insufficient Permissions Problems with MSDeploy and TFS Build 2010
For me, simply running visual studio as admin gave it the elevated permissions it needed to operate against this folder.
May work for others.
I got this error when I tried to use a relative path for the contentPath setting. I fixed it by setting the contentPath to the full path of the folder. Without the full path, the contentPath provider thinks it is a site path or application path and looks for it in the IIS configuration.
This error just appeared to me when my C# project was referencing the Microsoft.Web.Administration, Version=7.9.0.0 assembly. It looks like this assembly only works with IIS Express. For IIS, we must use Microsoft.Web.Administration, Version=7.0.0.0.
After hours of testing and troubleshooting, this problem turned out to be an issue with the user's profile.
This was found by logging in as myself and I didn't receive the same issue.
To fix this issue:
Log into the machine as an administrator and delete the contents of the corrupt profile from C:\Users (or rename the folder to username.OLD)
Open up the registry and navigate here – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Find the corrupt profile and rename this to .OLD or remove it.
You can read more about it at this article.
As this is high in search engines when looking for this error, I'll post my solution.
I used Azure Pipelines to release the app to IIS and had this error. My issue was that I mistakenly used Build Agent job instead of Deployment Group job when configuring the release pipeline.
On server 2012 this error can be caused by UAC which needs to be disabled via the registry.
This article explains why...
https://social.technet.microsoft.com/wiki/contents/articles/13953.windows-server-2012-deactivating-uac.aspx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
change DWORD "EnableLUA" from 1 to 0

msdeploy mvc to Windows7 getting ERROR_DESTINATION_NOT_REACHABLE and 404

I'm trying to do msdeploy of a MVC app to a windows7 box, running on command-line. And kept getting this error:
Error Code: ERROR_DESTINATION_NOT_REACHABLE
More Information: Could not connect to the destination computer ("192.168.xxx.xxx"
). On the destination computer, make sure that Web Deploy is installed and that
the required process ("The Web Management Service") is started.
Error: The remote server returned an error: (404) Not Found.
Error count: 1.
I've verified both Wmsvc (it seems this is being used) and MsDepSvc are running, and the firewall is disabled. In the browser, when I visit https://192.168.xxx.xxx:8172/msdeploy.axd, I get a Server Error 404, which seems a bit further than where the command line stopped.
Most of the instructions on setting up IIS7 and Web Deploy I could find online are for MS servers. Both my local machine and the Windows 7 machine have the same version of MsDeploy installed.
I had exactly the same issue with a VM on Azure, and the solution was to enable first the IIS Management Service and then install Web Deploy (I used Web Platform Installer). Seems that the installation order matters. You can find a blog entry I wrote about this here http://davidjrh.intelequia.com/2012/10/configurando-web-platform-installer-y.html
For non-server operating systems (i.e. Windows 7) the Web Deploy publish via Web Management Service is not supported. Instead you will have to use the Remote Agent Service, this is an admin only publishing service. You can find more info at http://technet.microsoft.com/en-us/library/dd569059(v=WS.10).aspx.
I had the same issue using MSDeploy to deploy my web application to a remote IIS 7.5 web server running Windows 7. I just figured out how to fix the problem today after reading Sayed's post, so I wanna post my solution here for anyone who runs into this problem like me. Try this:
Enable IIS Management Service (in control panel >> add or remove features >> add or remove windows features)
Install Web Deploy (http://www.iis.net/downloads/microsoft/web-deploy)
Open cmd with administrative privileges and type "net start msdepsvc" to start the "Web Deploy Agent Service".
Check this link in your browser: http://serveraddress/MsDeployAgentService/, if it prompts for username and password, MsDeployAgentService is running on server, go to the next step.
In VS, type in http://serveraddress/MsDeployAgentService/ in Service URL while creating publish, instead of https://serveraddress:8172/MsDeploy.axd, and click test connection. It should be ok now.
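An added example, not part of the answer above, that checks the same things from the publishing machine before changing the Service URL in Visual Studio: whether the two services are running on the target, whether the two listener ports are open, and what the Remote Agent Service URL answers. The server name is an assumption; the service names WMSVC and MsDepSvc and the URLs are the ones the thread uses. It is written for Windows PowerShell 5.1 (Get-Service -ComputerName).

```powershell
# Added example, not from the answer above. Target name is assumed.
$server = 'serveraddress'

function Test-TcpPort([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000) {
    # Plain TCP connect with a timeout; no certificate handling needed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-HttpStatus([string]$Url) {
    # Returns the HTTP status code, or the failure text. 401 from the agent URL
    # means MsDepSvc is up and demanding Windows credentials (step 4 above);
    # 404 means nothing is listening on that path.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return $_.Exception.Message
    }
}

"Services on $server (needs admin rights on the target):"
Get-Service -ComputerName $server -Name WMSVC, MsDepSvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status | Format-Table -AutoSize

"Port 8172 (Web Management Service) open: {0}" -f (Test-TcpPort $server 8172)
"Port 80   (Remote Agent Service)    open: {0}" -f (Test-TcpPort $server 80)
"Agent URL http://$server/MsDeployAgentService/ answers: {0}" -f (Get-HttpStatus "http://$server/MsDeployAgentService/")
```

The Remote Agent Service listens on plain HTTP and accepts administrators only, so the deployment credentials it authenticates are local-administrator credentials crossing the network; keep that endpoint reachable only from the build or publishing hosts, and prefer the Web Management Service on 8172 (TLS, delegated non-admin users) wherever the target operating system supports it.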
After checking the Management Service and Web Deploy 3.0 were correctly installed, I found that (from VS2012 at least) the Service URL seems to matter here too, attempting to publish to any of the following did not work for me:
FQDN (localmachine.domain.local)
Domain IP Address (172.22.xxx.xxx)
Loop-back IP (127.0.0.1)
Whereas the following DID work:
localhost
NetBIOS name (localmachine)

CruiseControl.Net switch from console to service

I have set up a CruiseControl.NET build server. When running it in console mode it works fine, but when trying to run it as a Windows service it doesn't work. The log file shows the following message:
ThoughtWorks.CruiseControl.Core.CruiseControlException:
Source control operation failed: No VSS database (srcsafe.ini) found.
Use the SSDIR environment variable or run netsetup.
The ssdir is set in ccnet.config, so what am I missing here?
Not sure if it's applicable but when I had problems switching between the Console version and the Service version it was down to access rights for the user I was starting the service as.
Perhaps the service does not have access rights to the srcsafe.ini file and your account does (assuming that's what you're using to run the console).
Apologies if I'm way off the mark, just trying to help!
I ran into similar issues when setting up our CI environment at work. If you can get log-in permissions for the service account you are using, you can log in as that account and run CC.NET via the console and debug your issues.
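Both answers point at the service account's rights rather than ccnet.config. As an added example that is not part of either answer, this PowerShell finds the account the CruiseControl.NET service runs as and compares it against the ACL on the srcsafe.ini that SSDIR points at. The service name and the SSDIR value are assumptions.

```powershell
# Added example, not from the answers above. Service name and SSDIR are assumed.
$serviceName = 'CCService'         # assumed CruiseControl.NET service name
$ssdir       = '\\vssserver\vss'   # assumed SSDIR value from ccnet.config

$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { "Service '$serviceName' not found"; return }
"{0} runs as {1}" -f $svc.Name, $svc.StartName

# A service running as LocalSystem or NetworkService reaches a UNC share as the
# computer account, so that is the identity a remote file ACL has to list.
$machine = "$env:USERDOMAIN\$($env:COMPUTERNAME)`$"
$isUnc   = $ssdir -like '\\*'
$account = switch ($svc.StartName) {
    'LocalSystem'                 { if ($isUnc) { $machine } else { 'NT AUTHORITY\SYSTEM' } }
    'NT AUTHORITY\NetworkService' { if ($isUnc) { $machine } else { 'NT AUTHORITY\NETWORK SERVICE' } }
    default                       { $svc.StartName }   # a named account such as DOMAIN\ccnetsvc
}

# Test-Path and Get-Acl run under *your* token here, which is why they succeed
# from the console; the ACL comparison is the part that transfers to the service.
$ini = Join-Path $ssdir 'srcsafe.ini'
if (-not (Test-Path $ini)) { "$ini not found: SSDIR is wrong or the share is unreachable"; return }

$read = [System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl $ini
$direct = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $account -and
    ($_.FileSystemRights -band $read) -eq $read
}
if ($direct) {
    "$account has a direct Read ACE on $ini"
} else {
    # Access may still be granted through a group, so list the Allow entries
    # for comparison with the account's group membership rather than assuming failure.
    "$account has no direct ACE on $ini; Allow entries are:"
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
}
```

For a VSS share the service account needs write access as well (VSS keeps lock and temp files in the database directory), so a Read-only ACE explains a different error than the one in the question; the comparison above is only the first check. The approach in the second answer, logging on as the service account and running the console, remains the definitive test because it exercises the real token, group membership included.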
