Using EFS with IIS. How to ensure recovery - windows-server-2012

Hi, I'm working on a system where the user can store important information on a website.
Using WS2012 and IIS8.
I'm using EFS to encrypt the data in normal files.
It needs to be secure from the Admin on the server (at least make it difficult to get the information).
The files need to be en/decrypted in-flight.
It's actually working fine. Just by setting the folder as EFS, the files saved by IIS are encrypted and the Admin can't get the content.
So far so good.
Problem: But if the IIS is reinstalled, or the server needs to be rebuilt/reinstalled, then the files are not available to the "new" IIS, as the certificate is different.
Normally I can log in as a user and back up the EFS certificate, but how do I do this with IIS?
The idea is to have only one Admin (super trusted) export the certificate and keep it safe, so all the "normal" admins can't get to it.
So after a rebuild of the server the certificate can be reinstalled and the new IIS can access the files again.
I have looked at several ways to get the certificate, but all explanations / examples use a locally logged-in user, and not a "service" user like the IIS uses.
There could be 2 ways:
One is, when creating the site, a certificate would be installed for the IIS to use. This way export is not necessary, and all sites use the same certificate. But how?
Second way is to export the certificate the IIS uses, but how?
Hopefully this is a simple task, I just can't find it.
Regards
Jesper
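An added example, not from Jesper's question or any answer on this page: instead of trying to export the app pool identity's own EFS certificate, register an EFS Data Recovery Agent (DRA) whose private key the one trusted admin keeps offline; a DRA can decrypt files encrypted by any account on the machine, including the IIS AppPool virtual account. The folder D:\SecureData and the file names are placeholders; the DRA registration step is the standard Local Security Policy / GPO setting, done here by hand.

```powershell
# 1. On the trusted admin's workstation (not the web server): generate the DRA
#    certificate (.cer) and private key (.pfx). cipher prompts for a password that
#    protects the .pfx. Keep IISRecovery.pfx offline; only IISRecovery.cer is copied
#    to the web server.
cipher.exe /r:C:\DRA\IISRecovery

# 2. On the web server (elevated): register IISRecovery.cer as the Data Recovery Agent.
#    GUI: secpol.msc > Public Key Policies > Encrypting File System >
#    Add Data Recovery Agent (or the same setting in a domain GPO). Then refresh policy.
gpupdate.exe /force

# 3. Files IIS writes after the policy is in place carry the recovery field
#    automatically. Existing files only get it when they are re-encrypted by an
#    account that can already open them; the site rewriting them is the simplest way
#    (assumption: the app pool identity cannot log on interactively to run cipher /u).
#    /u /n lists every encrypted file on local drives without changing anything.
cipher.exe /u /n

# 4. Verify: each file should now list the recovery certificate's thumbprint
#    under "Recovery Certificates".
cipher.exe /c D:\SecureData\*

# 5. After a rebuild: the trusted admin imports the DRA key into their own store,
#    decrypts the data, and lets the new app pool re-encrypt it on first write.
$pfxPassword = Read-Host -AsSecureString 'Password protecting IISRecovery.pfx'
Import-PfxCertificate -FilePath C:\DRA\IISRecovery.pfx `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null
cipher.exe /d /s:D:\SecureData     # recursive decrypt as the DRA
# Afterwards remove the DRA private key from this machine again:
Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -like '*IISRecovery*' | Remove-Item
```

Because the DRA private key never lives on the web server, the "normal" admins cannot use it; they would have to obtain the offline .pfx and its password.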

Related

IIS Manager hangs when enabling shared configuration

When I go to enable Shared Configuration in IIS 10 on Server 2022 and point it to my configuration folder and enter the encryption key the interface just hangs. There are no entries in event viewer to give any indication what happened. I have to kill off the IIS Mgr process. The server I used to "export" the config is also IIS 10 but on server 2019, in case that matters.
As a test I tried exporting the config on the Server 2022 host and pointing Shared Configuration to that and it worked fine. So there must be something about the config export from the other server it doesn't like. I've ensured that all the same IIS features are installed on both servers. Same SSL certificates are available and the same wwwroot is available.
Any ideas what might be going on? Thanks.
OK I figured this out and wanted to report back in case anyone else has this issue down the road. Through more troubleshooting I traced the issue down to the configEncKeyAes.key file that's generated when you export your IIS config using the tool in the IIS Shared Configuration window.
I found that if I exported the config on the destination server and just used the key file generated and retained the configuration files from the source server the Shared Configuration would finally apply without freezing. All sites came over as expected. The only issue is any credentials saved in the config (e.g. custom AppPool credentials) could not be decrypted and had to be reset. This made sense since I was using a different key file than the one generated with the original export on the source server.
This led me to the site below that talked about the need to export the IIS WAS and Configuration Keys from the source server and import them on any other IIS nodes at play. Doing so immediately fixed the issue and the shared configuration applied without issue and the embedded credentials I had on a couple sites carried over as well.
https://byronpate.com/2014/08/troubleshooting-iis-shared-configuration/
I've read several articles about deploying Shared Configuration and none of them mention this seemingly necessary step. But I'm finding that documentation and support around this feature leaves much to be desired.
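An added example, not from the answer above or from byronpate.com: the two RSA key containers IIS uses to encrypt credentials in applicationHost.config, iisWasKey and iisConfigurationKey, exported with aspnet_regiis on the source server and imported on each additional node, so a shared configuration decrypts the same way everywhere. Paths under C:\keys are placeholders; the list of accounts granted access to the containers is an assumption to adjust to your service accounts. Run elevated.

```powershell
$regiis = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

# --- Source server: export both containers WITH private keys (-pri). ---
# The XML files unlock every credential stored in the shared config, so treat them
# as secrets: copy over an authenticated channel and delete them when done.
& $regiis -px "iisWasKey"           "C:\keys\iisWasKey.xml"           -pri
& $regiis -px "iisConfigurationKey" "C:\keys\iisConfigurationKey.xml" -pri

# --- Each additional node joining the shared configuration. ---
# A fresh IIS install already has its own (different) containers; remove them first
# (-pz), otherwise the import does not replace the existing key.
& $regiis -pz "iisWasKey"
& $regiis -pz "iisConfigurationKey"
& $regiis -pi "iisWasKey"           "C:\keys\iisWasKey.xml"
& $regiis -pi "iisConfigurationKey" "C:\keys\iisConfigurationKey.xml"

# Grant the accounts that read the config access to the containers (-pa).
# Assumption: WAS/IIS services and worker processes run as these identities.
foreach ($acct in 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\NETWORK SERVICE', 'IIS_IUSRS') {
    & $regiis -pa "iisWasKey"           $acct
    & $regiis -pa "iisConfigurationKey" $acct
}

# Do not leave exported private keys on disk on either server.
Remove-Item C:\keys\*.xml -Force
iisreset.exe
```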

IIS 8.5 Windows Server 2012 ASP Classic/Active-X COM DLL issues writing to UNC shared folder

I have spent 12 hours on this, tried everything that I have read about, but I cannot get the website on a new server farm we have to write to a shared folder.
I have set the application pools, even temporarily (just to try it out), to admin accounts and even set the folder to be available for "Everyone".
We have a network specialist who cannot figure it out either; in his favour, he does not understand IIS very well and keeps away from it, but at the end of the day it's just a user account and permissions as far as I can see, and I have set up the exact same website on a previous W2012 server and IIS 8.5, 7.5 and 6 without major issues (albeit registering 32-bit DLLs in a 64-bit environment), but all that has gone well and no issue (except for reading and writing to a shared folder).
So breaking it down to its simplest form, I used a simple FSO script to write a text file in the shared folder; this clearly came back with "Permission denied line X".
Running the script through cscript as a VBS file, it works; running it through IIS, no chance.
I'm not going to give up, but running as the top admin login (I had the network guy use HIS identity in the application pool) it's not happening.
32-bit has been enabled, yes; folder permissions set, yes.
I'm at my wits' end with the thing. Anything to suggest, I would be happy to listen and try.
Thanks all.
Update: I can write to the same MACHINE as IIS, any folder, as long as I set the appropriate permissions. The difference with this shared folder (I am working on a server farm, I forgot to mention that) is: when you do the security, Locations, "IIS AppPool\poolidentity" to add the user, it works on the same server; when I try to add that user on the shared folder on the networked server, that user does not appear. Does this give any clues?
OK, for me, after all the right things that I had done, it was something I had not tried.
Select the site in IIS, so you see all the icons for ASP, Authentication, Authorization Rules, CGI etc. Select Authentication and Open Feature.
You will see Anonymous Authentication (Enabled), ASP.NET Impersonation (Disabled), Basic Authentication (Disabled) and so on.
Select Anonymous Authentication, right click, Edit. By default it was set to "Specific user" IUSR; for me that did not work, so I clicked on Application Pool Identity and boom, now it's working.
Hope that helps someone else.

HTTPS server for Windows and Node.js

Asking here because I have scoured the web and haven't found a tutorial that is simple enough for me to understand. I am trying to create a local web server with https so that I can access the camera stream from my phone. For my web server I am using Node.js on a Windows machine. I am accessing my web server from my phone using my computer's local IP address. I don't have a domain name. I'm not trying to make a fully fledged website, just a demo for a hackathon.
I have tried LetsEncrypt but during the setup for win-acme, it asks for stuff like what kind of certificate I want to create and what is the web root, and I'm not sure what to put there (localhost? my ip address?). When I try to follow the instructions on this SO question, I tried the command
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
but I don't know where the .key and .crt files went. Can anybody provide a simple and easy to understand tutorial on what to do? This is my second time running into this problem and it seems like nobody around me knows how to solve it either.
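An added example, not from the question or any answer here: New-SelfSignedCertificate never writes .key/.crt files, it stores the certificate and private key in the Windows certificate store, so the missing step is exporting a .pfx from the store that Node's https module can load directly. The LAN address 192.168.1.20 is a placeholder; the certificate name is an assumption.

```powershell
# Run in an elevated PowerShell on the Windows machine hosting Node.js.
$ip = '192.168.1.20'   # placeholder: the PC's LAN address the phone will browse to

# A short-lived self-signed certificate. The IP address must appear in the
# Subject Alternative Name (OID 2.5.29.17) or browsers will reject the name;
# -DnsName alone cannot add an IP entry, so the SAN is written as a text extension.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$ip" `
    -TextExtension @("2.5.29.17={text}DNS=localhost&IPAddress=$ip") `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddDays(30) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Private key + certificate for the server, password protected.
$pfxPassword = Read-Host -AsSecureString 'Password to protect server.pfx'
Export-PfxCertificate -Cert $cert -FilePath .\server.pfx -Password $pfxPassword | Out-Null

# Public certificate only: copy this to the phone and install it as a trusted
# certificate so the browser accepts the demo server.
Export-Certificate -Cert $cert -FilePath .\server.cer | Out-Null

# Node.js side, for reference (constructed snippet, kept as a comment here):
#   const https = require('https'), fs = require('fs');
#   https.createServer({ pfx: fs.readFileSync('server.pfx'),
#                        passphrase: '<the password above>' }, app).listen(443);
```

Remember to allow the chosen port through Windows Firewall, and delete server.pfx and the store entry after the hackathon since the private key is exportable.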

iis 10 Static Website: Deleting default site and creating completely new site (how to access new site)

This post needs help from experienced iis administrators, but must be explained in details for EXTREME newbies.
What I am doing:
I have two computers, both running Windows 10. One is a desktop and one is a laptop.
iis is enabled on both computers. Each computer can access the iis web server from the other and pull up a page from the other - using the ip address.
There is no DNS or host files being used (this is by ip address only), nor do I want to use any sort of naming.
Both computers are running an identical website, and the website files are in a different directory than the default. The structure is like this:
C:\inetpub\ROOT\myWebsite\myIndex.html
web.config
Changes I've made - now a few problems.
On both computers I have deleted the DefaultAppPool and the default website that comes installed with iis. This has not stopped the website from completely working, so adding that back seems unlikely to fix my problem.
I have deleted my application pool and website from iis (never deleting the actual files from the file system) several times, and added it several times. Each time I do this, my site comes back, but with the same problem I am having.
I have deleted all of the default documents, and the only default document listed in iis is myIndex.html.
myIndex.html initially displays a graphic image (using the standard tag), and this image comes up. Sort of. See explanation below.
The problem I am having
Before I started this project, I had iis working on the desktop with the default site and app pool and simply added some of my own files with really simple text content and some pics. I had replaced the default iis splash image with my own image, and all that worked with no problem.
the image that comes up is a link to another page that has a list of links to other stuff in my website. It all works no problem there.
Now, with the setup I have now, on the desktop I was originally using (in the paragraph above) if I pull up my website locally, myIndex.html loads in the browser and my image comes up, and everything works fine.
The same is true on the laptop, when I access the site locally.
However, if I attempt to access the desktop site (using its ip address) from the laptop, it pulls up the old splash image from the default site I deleted. (I left those files there even though I deleted the site from within iis.) All those files are in the default location C:\inetpub\wwwroot.
If I move those files to another directory, thus leaving C:\inetpub\wwwroot completely empty, then when I access the site on the desktop (via the ip address) from the laptop, my new site comes up without a problem.
While it seems I may have solved my problem by moving the file from the previous project, doing that does not teach me how iis is actually working, and why files from a website that no longer exists in iis are still being accessed from remote computers.
So, please teach me something about the internal workings of iis, and how it chooses to access the different application pools and websites.
Again, please word your answers for complete newbies, because I know a little but not enough to get real technical.
I have been reading posts on stackexchange.com and other sites; links to microsoft docs etc. That's not helping as those docs are expecting too much prerequisite knowledge, and speaking in terms that are not really explaining things in a way I can understand.
You have described several different problems. I will try to address each of them (contrary to S/O recommendations).
First, when you make changes, and they don't seem to show up, it is usually because of caching. IIS always wants to cache files/configs. So does your web browser. So, to force an accurate test, you need to dump your browser cache and cycle IIS (to make sure it drops its cache and loads new files and configs). Start there.
Second, IIS is designed for settings inheritance. Which means, each app and each folder will inherit settings and permissions from the parent, unless you override them. Overriding them can be done by files and/or IIS configs (application vs folder). The IIS configs are the stronger of the two.
Also, the IIS config for "default files" might have come into play for your test. If you didn't set up MyIndex.html as the top-most default file, then IIS would look for other files first. In fact, if you don't have MyIndex.html in the list of default files, IIS would have to depend on your app to choose that as a default page (MVC routing, etc).

IIS Shared config - applicationHost.config Error: Cannot write configuration file due to insufficient permissions

I've set up a UNC share for IIS shared config using a specific AD service account and set it to FULL CONTROL. I've also exported the config from one IIS server and set up an additional IIS server to point to the share. When I open the applicationhost.config on the UNC share, for example, and remove an application pool, I can see the entry also removed in both IIS servers.
So I know:
1) I can export to the share with the specific service account
2) Both IIS servers can read the config when I edit manually
3) However when I remove an app pool from one of the IIS servers through the manager I get the above error.
I've tried using the process monitor utility to see what account is being used to write to the config and it seems it is my own AD user account rather than the shared service account. I know IIS Manager has my username e.g. ROOT\MYNAME logged on, but I wouldn't have thought it would use this to write changes to the shared config. Surely it would use the service account?
Does anyone know how to prevent this error? Why does the shared config and tied service account not come into play when making changes on one of the servers?
So, IMHO, this error is a red herring. I was publishing to a server and got a message saying I was out of space. So, I logged in, realized there was a bit of cruft in extra apps published in IIS, we didn't need. I right clicked and tried to remove one. I got the same error as you.
Having done some manual changes to applicationHost, I thought it "might be me" but it seemed very odd that editing this file would cause such a thing. However, I had recently learned that windows does some funky 32 vs 64bit machinations with this file (google it).
Deciding I had better things to do, I asked our IT to add space to the VM and guess what? I am now able to remove these apps. My guess is that I was at the end of the line on space and the backend management of these special files was not completing and throwing this not-so-helpful exception.
I'm not 100% sure about this. For full disclosure, I will add that updates had been applied recently, but I'm pretty confident that this is a possible solution.