Configuring Web Deploy IIS User premissions - iis

I successfully configured IIS for Web Deploy and added a IIS Manager User.
The problem is when i try to publish, i get back error
Error 1 Web deployment task failed. (Unable to perform the operation
("Delete Directory") for the specified directory ("2_0_50727"). This
can occur if the server administrator has not authorized this
operation for the user credentials you are using. Learn more at:
http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_INSUFFICIENT_ACCESS_TO_SITE_FOLDER.) C:\Program
Files
(x86)\MSBuild\Microsoft\VisualStudio\v12.0\Web\Microsoft.Web.Publishing.targets 4270 5 WebAPI
Which shortly means, there are no premissions for user to handle root folder content. I couldn't figure out, who is the user, to give the permissions to.
The linked Microsoft page is telling, in most of the case, it's "Local Service", well it already has full control permissions. So i tried more "IUSR", "DefaultAppPool" - still not right ones. The temporary solution is to give permissions to "Everyone" and then it works... but who's the right user??

Did you add a rule (contentPath, createApp, dirPath, filePath, iisApp, runCommand) for your IIS Manager user in Manager Service Delegation?
And also I granted access to the site folder for LOCAL SERVICE because Web Management Service runs under this account and for NETWORK SERVICE because of Web Deployment Agent Service.

Right click the web site in IIS Manager and choose Deploy -> Configure Web Deploy Publishing. Choose your IIS-user and Setup, in order to give correct rights for publishing to that site.

Related

IIS write permissions to web root

I created IIS website with following setting (ApplicationPool account is named Fitko)
When I run website and submit form with image, application throw an error
UnauthorizedAccessException: Access to the path
'C:\IISWorkspace\Fitko\upload\instructors' is denied.
System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
I gave full permissions to Fitko folder to these accounts
IUSR
Users
Administrators
network service
IIS AppPool\Fitko
yet still the UnauthorizedAccessException exception still throwing.
How can I give access permissions to IIS to write to the folder ?
I solve the issue by enabling windows authentication (I had Anonymous Authentication before, but probably it can be enabled together)
the setting is in
Web Project > Properties > Debug > Web Server Settings
and the flag seems to takes control even when the publish configuration is set to release.
In my opinion, the issue typically indicates a permission error of the specific folder.
What is your Application pool identity? try to right-click the folder and grant Everyone Account full access to the folder.
Besides, under certain cases, this might relate to our website framework technology.
https://github.com/stryker-mutator/stryker-net/issues/272
Feel free to let me know if the problem still exists.
In internet service manager right click on the default website, click on edit permission, click on the security tab the click on edit
Add built-in ISUR account to the website and give the appropriate access
and or add built in IIS_IUSERS account and do the same if the above does not work.

You do not have permission to view this directory or page

I have created a new MVC application with windows authentication and without doing any changes to application, I have deployed to Azure App Service.
When I browse the URL I am getting the message as "You do not have permission to view this directory or page.".
When I check the "DetailedErrors" folder, it was "IIS Detailed Error - 401.0 - Unauthorized".
I have referred many post with this issue. But none of the solution mentioned in the post solved my issue.
Please let me know what configuration I am missing.
Thanks
Windows authentication is not supported in App Service.
In order for IWA to work, the server would need to be AD joined.
You do not have that level of access in App Service.
https://devblogs.microsoft.com/premier-developer/moving-legacy-asp-net-apps-with-windows-authentication-to-azure-app-service-part-1/
You will have to migrate to e.g. Azure AD authentication or host the app on a platform that supports IWA.

Azure - customErrors="off" in web.config is not displaying detailed errors in Azure app (cloud service)

I have an app deployed to Azure and it uses ADFS (Active Directory Federated Services) for authentication.
When the user tries to navigate to the app on Azure, it redirects the user to the ADFS authentication page. User enters their credentials and clicks OK, and ADFS redirects the user to the landing page of my app.
Everything is working fine up to this point. I'm getting a generic server error on the app once the user hits the landing page. PROBLEM: I need to see the detailed errors. I try setting <customErrors="off" />, repackage my app and redeploy, but that doesn't give me detailed errors:
Here's what I've tried: I've tried packaging my app in Debug mode (after Release mode didn't work), I've edited both web.config's (in the root of the solution, as well as in the Views folder, just to cover all bases). Nothing worked.
What am I doing wrong?
A couple of things to try:
Are you SURE the customerErrors attribute is set correctly? The
Identity and Access tooling in Visual Studio seems to like to reset
that back to "Off" (every time you update via the tool).
Are you able to connect to the role instance via Remote Desktop? If
so, you could inspect the web.config settings for the site?
Browsing to the site from the server might also provide a more
friendly error message.
When you RDP into the cloud service, you can look at the Event
Viewer to see the detailed error messages.
I fixed this error by ftp'ing into my azure website and deleting the wwwroot folder and then publishing my website via visual studio.

IIS 7 and 503 error for file copy access denied problem

I'm running Windows 7 SP 1 and have just turned on IIS 7. Just trying to access the default page it creates I get a 503 error, and the application pool stops. I look in the event log and I find the error:
Windows cannot copy file \?\C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm to location \?\C:\Users\TEMP.IIS APPPOOL.000\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm. This error may be caused by network problems or insufficient security rights.
DETAIL - Access is denied.
I tried making the TEMP.IIS APPPOOOL.000 folder available to everyone. I tried making Users available to everyone. No luck, it still dies with the same error.
What is happening here, and how can it be fixed?
It sounds like you're having the same problem as details in this IIS.NET forums thread. You didn't mention if you have x64 Windows 7 or not. Suspect that your development machine is misconfigured somehow; sounds like the uninstallation and reinstallation of IIS7 would help/fix.
Suggested courses of action:
Open IIS and its Application Pools. Open "DefaultAppPool" and any other Application Pools in use.
Click Advanced Settings for each of these. Ensure the "Load User Profile" is set to 'False'
Also ensure that the "Set Application Pool Defaults" has the Load User Profile set to False."
I encountered the same problem in my development environment (Windows 8.1). Instead of disabling the load user profile as suggested by P.Campbell, I went ahead and changed the permission of the sqm file to allow modify accesses for IUSR, IIS_IUSRS and Network Service. In my case, the sqm file was not able to show me the file owner in which I taken over with my user account.
Basically, my problem was solved by giving the correct permission for both source and destination files/folders.
Found the answer here - http://forums.iis.net/p/1180636/1992024.aspx
Open IIS Manager
Find the App Pool that is causing the problem
Open Advanced Properties
Change 'Load User Profile' to false
Fixed!
After struggling with all these Application Pool issues in IIs, I found the problem and the solution. This may help you.
Each application pool on each website in Microsoft's Internet Information Server creates its own user account and folder under the "c:\Users" directory when the pool is created and first run. Its actually a virtual user account and should be named for the Application Pool assigned to your web application in IIs. In most development environments, its the default website or "DefaultAppPool". It uses this temporary user account to run the pool. Each website should have a named user pool account. This User folder is used by the pool and ASP.NET for caching and writing of file resources and other things used by IIs, ASP.NET, and this virtual account.
In some setups people are not seeing this folder but a "TEMP" folder (like you have) when the IIs web site is accessed and using the pool.
If you instead see a "TEMP" folder in the Users folder you have a broken application pool account in IIs and in the Registry. The pool is creating the TEMP folder as a backup for this virtual account, which might not have the right security setup. I had this exact scenario.
To fix it go to the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
See if you have a SID user account with the ".bak" extension for a DefaultAppPool user account. If so delete it and restart your PC. Test your website again, making sure its actually setup to use DefaulAppPool. It should now recreate the "DefaultAppPool" folder in Users, recreate the registry entry for DefaulAppPool user, and your error should go away.
You can delete the TEMP user folder at that point under the Users folder. (Keep in mind if your web app has been storing cached information critical to users of the website, some of that might have to be inserted into the new DefaultAppPool user folder. But for most of us, just delete it.)
I also found I had to add this kooky virtual application pool account to my local database so the worker process and app pool accnt could have the rights to grab data from SQL Server: Just go into SQL Server and under logins add "IIs AppPool\DefaultAppPool" and then assign it as a user to your databases.
(btw whomever dreamed up this virtual application pool account system is nuts....its way too complicated and convoluted to sort out)
After I did this, all my stack overflow errors went away in Visual Studio for my web application, all data connections fired perfectly, all write permission to the default User profile stored properly, and all the restarting and crashing of the Application Pool in IIs ended completely. :)

modify content of xml file from published code

I am trying to modify an xml file from my aspx code. The file is in another directory from my project like in D:\folder\file.xml When publishing my code and running it I am receiving an error as not to be able to access this directory, access in denied. Which user account shall I add to this folder in security option to be able to modify it. I tried adding IIS user but it does not seem to work. Any other workaround this ?
Check which identity that's associated with the application pool, and grant that user access to the folder.
You didn't specify which version of IIS you're using, but here's a decent article on how application pools work
I solved the issue finally..
In my pc I am using Win Xp and had to grant ASP.NET machine account user appropriate rights on the file while on the server that i am finally publishing the code I am using Windows Web Server 2008 and the matching ASP.NET Machine Account was Network Service i granted the same rights here and now i can modify the file successfully.
I am using IIS 7.5 on this machine.
I think your approach Tchami has the same idea. So I am marking it as the answer :) Thank you

Resources