Error: Writing IIS logs to SQL Server database via ODBC

I am trying to get the IIS logs into the database. I followed the steps given on this website: http://blog.datacenterfromhell.net/2013/08/how-to-write-iis-logs-to-database-using.html
It doesn't seem to work; I got an error in the Windows event log:
EventID: 1016
Error: The World Wide Web Publishing Service (WWW Service) did not configure logging for site 1. The data field contains the error number.
Environment:
OS - Windows 7
DB - SQL Server 2008 R2 Express edition
Please help if you have encountered the same error previously.
Thanks, Naveen
Steps added:
Step 1: Create DB
Create an empty database on any Microsoft SQL Server. Make sure that the identity used for the Application Pool which is serving the Web Site has write access to this database.
Step 2: Create a table using logtemp.sql script
In C:\Windows\System32\inetsrv\ you will find a script called logtemp.sql, use it to create a table in the database you just created.
Step 3: Create a System DSN on the web server that points to the DB
Create a System DSN on the web server that points to the DB created in step 1.
I would recommend using the identity of the IIS Application Pool to configure the ODBC connection, since this account will later also write the log data to the database. Let's call our DSN IISLoggingDSN.
In this post I explained how to create a System DSN.
Step 4: List ODBCLogging settings
Open an elevated cmd and change directory to C:\Windows\System32\inetsrv
To get a list of all ODBCLogging settings configured so far, run this command.
C:\Windows\System32\inetsrv> appcmd list config -section:ODBCLogging
This should be empty.
Step 5: Set the ODBCLogging settings
To set up an ODBCLogging connection, issue the following command:
appcmd set config -section:ODBCLogging -datasource:IISLoggingDSN -tableName:InternetLog -username:DOMAIN\IISLogsUser -password:P#SSwoRD$
Let me explain the switches:
-section: SectionName we want to configure
-datasource: the name of the DSN we configured in step 3.
-tableName: name of the table in the database
-username: Active Directory domain account that has permissions to write to the database
-password: password of this user, it will be stored encrypted in the config file
Step 6: Enable ODBCLogging for one web site
To enable the logging for a web site, run this command.
C:\Windows\System32\inetsrv> appcmd set sites "Default Web Site" -logFile.logFormat:Custom -logFile.customLogPluginClsid:{FF16065B-DE82-11CF-BC0A-00AA006111E0}
IMPORTANT: The customLogPluginClsid attribute must be set to "{FF16065B-DE82-11CF-BC0A-00AA006111E0}"
I took this ID from the Microsoft documentation. It specifies that the custom format is ODBCLogging.
Let me declutter these switches as well:
-sites: the site that will write to the logs, I tested with "Default Web Site"
-logFile.logFormat: by setting Custom we specify that a custom log format will be used
-logFile.customLogPluginClsid:{FF16065B-DE82-11CF-BC0A-00AA006111E0}: see above

Naveen, did you meet all prerequisites?
The IIS Web Site which should write its log to a database must be served by an Application Pool that is using an AD Domain account identity to run.
The same AD Domain account must have RW access to the DB that will be target for the IIS logs.
ODBC AND Custom Logging must be installed on the IIS server
I wrote this blog post some months ago. You may also reach out to me via the comments of the blog.
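The following script is an added example and is not code from the question, the answer or the linked blog. It automates steps 4 to 6 and the prerequisite checks from the reply above, then decodes the "data field" of a fresh Event ID 1016 so the failure reason is readable. Assumed names: DSN IISLoggingDSN, table InternetLog (the one logtemp.sql creates), site "Default Web Site" and log account DOMAIN\IISLogsUser. It must run in an elevated PowerShell on the IIS host; Get-WindowsOptionalFeature and Get-OdbcDsn exist from Windows 8 / Server 2012 onwards, so on Windows 7 drop those two checks and verify the features and the System DSN by hand.

```powershell
# Added example (not from the original post or blog): script steps 4-6 plus the
# prerequisite checks, and decode any new Event ID 1016 the WWW Service raises.
# Assumptions: DSN/table/site/account names below are placeholders from the thread.
#Requires -RunAsAdministrator

$Dsn       = 'IISLoggingDSN'
$Table     = 'InternetLog'                               # created by logtemp.sql
$Site      = 'Default Web Site'
$LogUser   = 'DOMAIN\IISLogsUser'
$OdbcClsid = '{FF16065B-DE82-11CF-BC0A-00AA006111E0}'   # ODBC logging plugin CLSID from the docs
$appcmd    = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'

# 1. Both role features must be installed, or the WWW Service cannot load the plugin (Event ID 1016).
foreach ($feature in 'IIS-ODBCLogging', 'IIS-CustomLogging') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    if ($state -ne 'Enabled') {
        throw "$feature is $state; enable it first: dism /online /enable-feature /featurename:$feature"
    }
}

# 2. The DSN must be a *System* DSN matching the worker-process bitness; a User DSN is invisible to w3wp.
if (-not (Get-OdbcDsn -Name $Dsn -DsnType System -ErrorAction SilentlyContinue)) {
    throw "System DSN '$Dsn' not found; create it with %SystemRoot%\System32\odbcad32.exe (64-bit)."
}

# 3. Store the ODBC logging settings. appcmd encrypts the password attribute when it commits.
$secure = Read-Host -AsSecureString "Password for $LogUser"
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
& $appcmd set config -section:system.webServer/odbcLogging "-dataSource:$Dsn" "-tableName:$Table" `
    "-userName:$LogUser" "-password:$plain"
$plain = $null

# 4. Point the site at the custom (ODBC) log plugin and show the resulting section.
& $appcmd set site "$Site" /logFile.logFormat:Custom "/logFile.customLogPluginClsid:$OdbcClsid"
& $appcmd list config -section:system.webServer/odbcLogging

# 5. Re-initialise logging and decode any new 1016 event: its data field is a raw Win32 error code
#    (assumed here to be a little-endian DWORD in the event's binary data).
Restart-Service W3SVC
Start-Sleep -Seconds 5
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1016; StartTime = (Get-Date).AddMinutes(-1) } `
    -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $hex = ([xml]$e.ToXml()).Event.EventData.Binary
    if ($hex -and $hex.Length -ge 8) {
        $bytes = for ($i = 0; $i -lt 8; $i += 2) { [Convert]::ToByte($hex.Substring($i, 2), 16) }
        $code  = [BitConverter]::ToInt32([byte[]]$bytes, 0)
        $text  = (New-Object ComponentModel.Win32Exception($code)).Message
        Write-Warning ("Site logging failed: Win32 error {0} - {1}" -f $code, $text)
    }
}
if (-not $events) { "No new 1016 events; request the site once and check $Table for rows." }
```

Two practical notes: the worker process does the ODBC writes, so the DSN bitness has to match the application pool (a 64-bit pool needs the DSN from the 64-bit odbcad32.exe in System32, not the one in SysWOW64), and the password is read with Read-Host rather than typed on the command line so that characters like `#` and `$` in it are not mangled by the shell and do not end up in the command history.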

Related

UWP - Enable Private Network in ADAL Authentication

We are creating a UWP app using Xamarin Forms, and ADAL has been used for login. Authentication has been happening successfully when we are connected to the VPN. But when we try to run the same app in the client network, where we don't require a VPN, the app is not showing ADAL IWA (Integrated Windows Authentication); instead, we are getting the error message "We can't connect to the service you need right now. Check your network connection or try this again later." I have attached an image for reference. On investigating further, we found an article about the same issue with the solution in the Microsoft forum (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-uwp-considerations). The solution is to enable the Private Network in the Registry Editor for Authhost.exe under HKEY_LOCAL_MACHINE. By running the command below, we were able to bypass the issue. But we don't want to edit the registry on each end-user machine or device. So we tried editing the registry programmatically inside the app, but we got a security exception.
Enabling Private Network through the command prompt:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe\EnablePrivateNetwork = 00000001
Error while trying to edit the registry programmatically:
System.Security.SecurityException: 'Requested registry access is not allowed.'
Reference for editing the registry programmatically:
https://codingvision.net/c-edit-registry-keys-or-values
So we need to understand what the best way to address this issue is.
I don't want to alter the registry using the command prompt or the Registry Editor app.
Is it possible to enable Private Network via AD group policy or Windows OS settings?
Any other possible way to enable Private Network?
Note:
The same code works fine in the Android environment. The problem is only with Windows.
• There is no existing group policy that changes this registry option for the private network in ADAL authentication. But you can surely change this registry setting through group policy, as it is the only solution to enable the private network for ADAL authentication. To do this, please follow the steps below in group policy:
a) Login to the Group policy server/domain controller and open the group policy management GUI, then select the default domain group policy and edit it.
b) Then go to ‘Computer Configuration --> Preferences-> Windows settings --> Registry --> New --> Registry Wizard’. The registry wizard opens and allows you to connect to the remote computer and select the appropriate registry key, i.e., ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe\EnablePrivateNetwork = 00000001’
c) Select the correct client system that has the above registry entry present and then select the key. Also, please note that the registry browser only allows you to select keys from the hives 'HKEY_LOCAL_MACHINE' and 'HKEY_USERS'. If the remote system cannot be reached from the registry browser, please ensure that the system is turned on, that access is not blocked by a firewall and that the Remote Registry service is running.
d) Once done, the above registry entry is imported into the Group Policy console along with the desired path for that registry key. The GPO should then be deployed and, in this way, the registry key will be pushed and updated on all the client systems in that domain.
• If you do not want to deploy it to the whole domain, create a new Group Policy Object and link it to the appropriate OU when deploying this registry key.
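As an added example (not part of the answer above), the same deployment done from the GroupPolicy module instead of the Group Policy Preferences wizard: it creates a dedicated GPO, writes the EnablePrivateNetwork value into its policy registry, links the GPO to one OU rather than the default domain policy, and includes a client-side function to confirm the value landed. The GPO name and the OU distinguished name are placeholders; the RSAT GroupPolicy module must be present on the admin host.

```powershell
# Added example, not code from the original answer. Assumptions: the GPO name and
# the OU path are placeholders; run on a domain-joined admin host with RSAT.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$GpoName  = 'UWP-ADAL-PrivateNetwork'                       # assumption
$TargetOu = 'OU=Workstations,DC=corp,DC=example'            # assumption
$Key      = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe'
$Value    = 'EnablePrivateNetwork'

# Create the GPO once; keep it separate from the Default Domain Policy so it can be scoped and rolled back.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Let ADAL authhost.exe reach the private network for IWA'
}

# Policy registry entry: only this one DWORD is set. The IFEO key is also where debugger
# hijacks live, so a GPO that touches anything else under it deserves a second look.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Value -Type DWord -Value 1 | Out-Null

# Link to the OU holding the affected machines (computer-side policy, so machines must be in scope).
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Run on a client after "gpupdate /target:computer /force" to confirm the value is applied.
function Test-AuthHostPrivateNetwork {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe'
    $v = (Get-ItemProperty -Path $path -Name EnablePrivateNetwork -ErrorAction SilentlyContinue).EnablePrivateNetwork
    return ($v -eq 1)
}
Test-AuthHostPrivateNetwork
```

Writing the value as a policy entry (Registry.pol) rather than a preference means it is re-applied on every refresh and cannot be undone by a local user, which is what an app that needs it on every workstation wants.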

Azure DevOps Manage IIS task deploy fails due to insufficent permissions yet account is in local admin group

After a successful build using a hosted VS2017 agent, I'm trying to deploy on-prem using a locally hosted agent which was set up using a domain account which should have sufficient permissions, as it is in the local admin group. As I was digging around on this issue elsewhere, one user reinstalled their agent using NT AUTHORITY\SYSTEM and it worked.
I don't really need to create or stop/start the website, just deploy the recent build artifact.
What permissions should I check or should I use another task?
2019-04-06T21:03:10.3898646Z ERROR ( message:Configuration error
2019-04-06T21:03:10.3899791Z Filename: redirection.config
2019-04-06T21:03:10.3900293Z Line Number: 0
2019-04-06T21:03:10.3900852Z Description: Cannot read configuration file due to insufficient permissions
2019-04-06T21:03:10.3901333Z . )
2019-04-06T21:03:10.8135484Z ##[error]Process 'appcmd.exe' exited with code '5'.
The agent runs under a user account. The error means that this user doesn't have permission to read/modify the redirection.config file that is necessary to manage IIS.
You have multiple options to solve this.
Change the user the agent is running under, for example to NT AUTHORITY\SYSTEM.
Give the user your agent is running under permissions on the folder C:\Windows\System32\inetsrv\config. If you want to create app pools or websites etc., modify permissions are of course needed.
When we install the Azure agent as a service (in Windows, search for 'Services' and look for something like 'Azure Pipelines Agent...'), by default it logs on as 'Network Service'. Change it to 'Local System' and the pipeline should be able to run IIS-related tasks/commands.
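Before choosing between the two fixes above, it helps to see which account the agent service really uses and what the config folder's ACL says about it. The script below is an added example, not code from either answer: it lists the agent services with their logon accounts, shows the ACEs on redirection.config, and grants read/execute (not full control, and not LOCAL SYSTEM) to the account that actually runs the service. It assumes the installer's default service naming, `vstsagent.<org>.<pool>.<agent>`; change the filter if your services are named differently.

```powershell
# Added example, not from the original answers. Assumption: agent services are
# named "vstsagent*" (the self-hosted agent installer's default).
#Requires -RunAsAdministrator

$ConfigDir = Join-Path $env:SystemRoot 'System32\inetsrv\config'

function Get-AgentService {
    # StartName is the logon account the service actually uses, whoever ran config.cmd.
    Get-CimInstance Win32_Service -Filter "Name LIKE 'vstsagent%'" |
        Select-Object Name, StartName, State
}

function Get-RedirectionConfigAces {
    # Direct ACEs only; an Administrators ACE helps the agent only if StartName is in that group.
    (Get-Acl -Path (Join-Path $ConfigDir 'redirection.config')).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

function Grant-IisConfigRead([string]$Account, [switch]$AllowModify) {
    # RX is enough for appcmd to read redirection/applicationHost config during a deploy;
    # Modify is needed only when the pipeline creates sites or app pools.
    $rights = if ($AllowModify) { 'M' } else { 'RX' }
    icacls.exe $ConfigDir /grant "${Account}:(OI)(CI)$rights" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

$services = Get-AgentService
$services | Format-Table -AutoSize
Get-RedirectionConfigAces | Format-Table -AutoSize

foreach ($svc in $services) {
    if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\SYSTEM') { continue }   # already has access
    Grant-IisConfigRead -Account $svc.StartName
    "Granted read/execute on $ConfigDir to $($svc.StartName) for $($svc.Name)."
}
# To run the service as the intended deployment account instead, re-run config.cmd or:
#   sc.exe config "<service name>" obj= "DOMAIN\svc-deploy" password= "<pw>"
```

One caveat worth keeping in mind: this folder holds applicationHost.config with its encrypted app pool and virtual directory credentials and the ConfigEncKey.key file beside it, so granting even read access to the shared NETWORK SERVICE identity widens who can get at that material. A dedicated deployment service account with read/execute here is the tighter option; switching the whole service to Local System is the blunt one.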

Deploy module works fine, but deploy individual menu item gives error

While deploying a menu item I receive an error:
Server was unable to process request. ---> Setup encountered an error during deployment of the Role Center and Enterprise Portal framework.
But deploying the whole module works fine.
Importing a page also gives an error, as follows:
Server was unable to process request. ---> startIndex cannot be larger than length of string.
Parameter name: startIndex
I have Full Control permission on SharePoint for that particular URL.
Check your event log. I found that I was getting an error regarding write permissions to the root site:
"You need write permission to the root web site at ...."
Check which account is on the app pool in IIS Manager. You can open the site using that account and add your account.

How do you setup an IIS Web App so it can access a network share without an AD?

I have three Windows Server 2012 R2 machines without any AD in a DMZ network. Two servers are front-end web servers with ASP.NET and one has SQL Server and a network share that both front-end servers use for shared data.
My problem is how to configure the Application Pool identity and the network share so the ASP.NET application can read and write to the network share.
This is simple when an AD is available, since you can use domain accounts for the application pool identity, but there is no AD available in this setup.
I will answer my own question since I succeeded to setup the server. This is what I did:
1) Create an account with the same username and password on all three servers. Make sure that the password does not expire and does not have to be changed.
2) Create a network share and give the new account read/write rights. I also tested that I could connect from the front-end servers using the new account, to verify that no firewalls are in the way.
3) Include the user in the IIS_IUSRS group, which indirectly gives it "Log on as a batch job" rights.
4) Run the following command to grant rights to the user
aspnet_regiis -ga <your_app_pool_user>
See more: How To: Create a Service Account for an ASP.NET 2.0 Application (MSDN)
5) Restart WAS and IIS to make sure the changes to the account's group membership take hold before the account is used.
C:> net stop was /y
C:> net start w3svc
6) Create an Application Pool and set the Identity.
This is the part where I got stuck with error messages when trying to set the identity.
From IIS Manager I got the following error dialog: "There was an error while performing this operation. Details: Value does not fall within the expected range."
Trying to set the App Pool identity from the command line I receive a similar error:
C:> appcmd set config /section:applicationPools /[name='test-pool'].processModel.identityType:SpecificUser /[name='test-pool'].processModel.userName:MyAccountName /[name='test-pool'].processModel.password:P#ssw0rd
ERROR ( hresult:80070057, message:Failed to commit configuration changes.
The parameter is incorrect.
)
When I remove the last parameter, password, the command succeeds in changing the identity type and setting the username, but I never figured out why I could not set the password, so I resorted to editing my applicationHost.config file directly. Unfortunately the password ends up in clear text.
<configuration>
...
<system.applicationHost>
<applicationPools>
...
<add name="test-pool" managedRuntimeVersion="v4.0">
<processModel identityType="SpecificUser"
userName="MyAccountName" password="P#ssw0rd" />
</add>
...
</applicationPools>
...
</system.applicationHost>
...
</configuration>
7) Finally I set my web application to use the application pool and it could access the network share without any issues.
I had the same problem but couldn't leave the password in clear text, so I dug a little further and found this article:
http://social.technet.microsoft.com/wiki/contents/articles/30344.custom-iis-app-pool-identity-value-does-not-fall-within-the-expected-range.aspx
The key step in diagnosing it is to look at the right events:
To figure out how to resolve this, I went into the event viewer. There was nothing in the Application log, so I headed down to Applications and Services Logs => Microsoft => Windows => IIS-Configuration. The logs in here are disabled by default, so they have to be enabled. (To do so, right click the log, and choose Enable log.) Once enabled, re-run the attempt to set the identity, and refresh the view (Actions pane or F5), and voila!, now we have some more information on the error. In the results were two Errors (event ID 42 and 43).
I had the same event errors as in the article :
ID 42: Failed to initialize the 'IISWASOnlyAesProvider' encryption provider in '\\?\C:\windows\system32\inetsrv\config\applicationHost.config'. Please check your configuration.
ID 43: Failed to encrypt attribute 'Microsoft.ApplicationHost.AesProtectedConfigurationProvider'.
Then I did the following:
restored an old version of the ConfigEncKey.key file (to c:\windows\System32\inetsrv\config)
replaced the <configProtectedData><providers> section with an old one (in c:\windows\System32\inetsrv\config\applicationHost.config)
Then I could again set a custom identity on the application pool.
Had a similar problem. Reinstalled IIS Manager and got a new applicationHost.config.
When I did a WinDiff on the new and old files I noticed that the SessionKeys were different. Works now.
AesProvider and IISWASOnlyAesProvider
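The script below is an added example and not code from any of the answers. It covers both the self-answer and the follow-up: it sets a SpecificUser identity on the pool through the WebAdministration module (IIS encrypts the password attribute on commit, so nothing is written to applicationHost.config in clear text), checks that the stored attribute really is in the `[enc:IISWASOnlyAesProvider:...:enc]` form, and, if the commit fails with the "Value does not fall within the expected range" error, enables the IIS-Configuration operational log and pulls the event 42/43 entries that point at the broken encryption provider. Pool name "test-pool" and account "MyAccountName" are the thread's placeholders.

```powershell
# Added example, not from the original answers. Assumptions: pool "test-pool" and
# the local account "MyAccountName" are the placeholders used in the thread.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Pool = 'test-pool'
$User = 'MyAccountName'
$ConfigFile = Join-Path $env:SystemRoot 'System32\inetsrv\config\applicationHost.config'

function Set-PoolIdentity {
    param([string]$Name, [string]$UserName, [securestring]$Password)
    # The provider converts the plain value to the encrypted attribute on commit,
    # the same path appcmd and IIS Manager take.
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))
    try {
        Set-ItemProperty "IIS:\AppPools\$Name" -Name processModel -Value @{
            identityType = 'SpecificUser'; userName = $UserName; password = $plain }
    } finally { $plain = $null }
}

function Test-PoolPasswordEncrypted([string]$Name) {
    # A healthy commit leaves password="[enc:IISWASOnlyAesProvider:<base64>:enc]" in the file.
    $pools = ([xml](Get-Content $ConfigFile)).configuration.'system.applicationHost'.applicationPools.add
    $node  = $pools | Where-Object { $_.name -eq $Name }
    return ($null -ne $node -and $node.processModel.password -like '[[]enc:IISWASOnlyAesProvider:*:enc]')
}

function Get-IisConfigEncryptionErrors {
    # This log is disabled by default; enable it, then read the provider failures (IDs 42 and 43).
    $log = 'Microsoft-IIS-Configuration/Operational'
    wevtutil.exe sl $log /e:true
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 42, 43 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

if (-not (Test-Path "IIS:\AppPools\$Pool")) { New-WebAppPool -Name $Pool | Out-Null }
try {
    Set-PoolIdentity -Name $Pool -UserName $User -Password (Read-Host -AsSecureString "Password for $User")
    if (Test-PoolPasswordEncrypted $Pool) { "Identity set on $Pool; password stored encrypted." }
    else { Write-Warning "Commit succeeded but the password attribute is not in the encrypted form; inspect $ConfigFile." }
} catch {
    Write-Warning "Setting the identity failed: $($_.Exception.Message)"
    Get-IisConfigEncryptionErrors | Format-List
}
```

If Get-IisConfigEncryptionErrors returns events 42/43, the provider configuration in `<configProtectedData>` no longer matches the key material on disk, which is the condition both later answers fixed by restoring the old key file and provider section or by regenerating applicationHost.config. Either way, avoid hand-editing a plain-text password into the file: it stays readable to anyone who can read the config folder, and the encrypted form is what every supported path produces.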

Web Deploy Impersonation (Management Service Delegation) does not work

I’m trying to use web deploy to deploy my dacpac package, which comes to executing some sql scripts.
I have a local Windows account called .\DeploymentService, which is in the local Administrators group, and which I want to own the database and execute the scripts.
For that I configure delegation accordingly: in Management Service Delegation I set "Specific User" for the dbDacFx rule to .\DeploymentService, providing the password.
I create a corresponding serveradmin login in SQL Server. My WMSvc runs under the LOCAL SERVICE account.
I use the following command line parameters for deployment:
msdeploy.exe
-verb:sync
-source:dbDacFx="C:\Main\Src\Community.DB\bin\Debug\Community.DB.dacpac"
-dest:dbDacFx="Data Source=.;Database=CommunityInt; Integrated Security=true",computername="https://Community02:8172/msdeploy.axd?site=Default Web Site",username=.\DeploymentService,password=*************,authType=basic
-allowuntrusted
I execute it on my PC, and the destination is a different PC.
However, this fails with the error "Invalid Handle" or "Class name not found", depending on whether I have a "Local service" login with the public role created in my SQL Server.
Expected behavior:
When I set the user name in Management Service Delegation to a specific account, I expect MSDeploy to be executed under the account I specified.
Actual behavior:
I traced using SQL Profiler in the target environment and found out that WMSvc executes msdeploy under its process account (LOCAL SERVICE) instead of .\DeploymentService, and that's why script execution fails. If in SQL Server I have the LOCAL SERVICE account mapped to the serveradmin role, then it works fine. If I run WMSvc under the .\DeploymentService account, it also works fine.
So basically there is NO WAY TO USE "User Name" in Management Service Delegation. It just does not matter what you set up there; it has no effect.
Does any one know how to make that work?
Keywords: WebDeploy, WMSvc, dbDacFx, Impersonation, Delegation
Hey guys, I'm sorry to hear that you are running into this issue. I wanted to let you know that we have a bug in the dbDacFx provider/MSDeploy which is preventing SQL Auth from working when used with the dbDacFx provider in WMSvc scenarios.
We have not yet received enough feedback regarding this to warrant servicing MSDeploy in order to unblock this. If you are impacted by this, the best thing to do is to create an entry at http://aspnet.uservoice.com and vote it up. If we get enough votes then we can consider shipping an update to unblock this. Sorry for the bad news.