I know that the particular issue appears when you run Domino as a service that runs as local account or different user. However here I'm running it with user rights as a normal application. Then I start the agent from server console: tell amgr run etc.
I'm trying to enumerate available drives in two ways - as Filesystem roots using Java functionality and using Windows specific wmic. The relevant code is:
System.out.println("os:"+System.getProperty("os.name") + " user:" + System.getProperty("user.name"));
File[] roots = File.listRoots();
for (File root : roots) {
if (root.canWrite()) {
System.out.println("[rw] " + root.getPath());
} else {
System.out.println("[ro] " + root.getPath());
}
}
Process process = Runtime.getRuntime().exec(
new String[] { "wmic", "logicaldisk", "get",
"deviceid,volumename,volumeserialnumber" });
process.getOutputStream().close();
BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()));
String line = null;
while ((line = reader.readLine()) != null) {
System.out.println(line);
}
reader.close();
Running if from client (or simply from a standalone Java application) I get all drives:
os:Windows 7 user:normunds
[rw] C:\
[ro] D:\
[rw] N:\
[rw] W:\
DeviceID VolumeName VolumeSerialNumber
C: Acer 12857911
D:
N: video EE1C7944
W: DB_70 18389143
Where N: 'video' is a mapped share on network drive.
However when I'm running it on the server (same PC) I get only the local ones, not the remote smb drive:
19.11.2013 23:00:42 Agent Manager: Agent printing: os:Windows 7 user:normunds
19.11.2013 23:00:42 Agent Manager: Agent printing: [rw] C:\
19.11.2013 23:00:42 Agent Manager: Agent printing: [ro] D:\
19.11.2013 23:00:42 Agent Manager: Agent printing: [rw] W:\
19.11.2013 23:00:42 Agent Manager: Agent printing: DeviceID VolumeName VolumeSerialNumber
19.11.2013 23:00:42 Agent Manager: Agent printing: C: Acer 12857911
19.11.2013 23:00:42 Agent Manager: Agent printing: D:
19.11.2013 23:00:42 Agent Manager: Agent printing: W: DB_70 18389143
Notice the user name, the code is running under my name; at least that's what Java thinks. I cannot figure out what causes the problem.
I even tried to write another version of this by calling Windows API method from LotusScript code:
Declare Private Function GetLogicalDriveStrings Lib "kernel32" Alias "GetLogicalDriveStringsA" (Byval nBufferLength As Long, Byval lpBuffer As String) As Long
with the same result - from client it works and returns all drives, on the server it misses. I guess one more step would be to ask Windows API the user name. Update: just did it, it also returns "normunds".
Any ideas of how to approach this issue?
Edited: What I think is happening is that Domino runs servertasks as separate processes impersonating the user that the server has been started with. In this way it closes down access to remote resources that would have been available if it ran servertasks with delegation level (of impersonation).
Now can this situation be changed by modifying some security policies or registry? As far as I understand network access in this situation happens as NullSession (anonymous user), so I assume one solution would be to enable share access by anonymous on remote end and allow NullSession to access this share locally. Edited: does not seem to help either :-/
Other, pretty wild solution, would be to log in from the agent using LogonUser Windows API to log in the same user again but with full rights (not sure if this is feasible and even if it is, imo it means to store somewhere username/password :-) And yes, it would limit us to the LotusScript solution, unless we want to install JNI wrapper; all this should actually sit in XPage (the agent is just an example of the problem)
Third solution would be to use UNC pathes instead of mapped drives and access the path with appropriate username/password (or anonymously + allowing NullSession access), but this solution kind of beats my purpose to discover the mapped drives and do this or that depending on which ones are available.
the problem is due to the way a network drive is mapped on a Windows Server.
A background service cannot access a network drive by definition since the object is mapped at the moment of interactive logon.
Official Microsoft documentation:
http://support.microsoft.com/kb/180362
More information can be found here:
Map a network drive to be used by a service
I have developed several windows services in the past and this was a constraint to be kept under control.
I hope this helps in some way.
Cheers
Maurizio
Related
Long shot I guess, with the lack of real information that I am offering at this stage. I'll gladly offer up some more details on how to reproduce the issue - but wanted some fast feedback to see if there was a gotcha somewhere I was missing.
I've a simple ServiceStack hello world application, in which I'm playing with the Facebook Auth Provider:
Vanilla ServiceStack
Vanilla Facebook Auth Proivider
Vanilla User Session
Vanilla OrmLite User Repository
Vanilla OrmLite MySql Db Factory
When debugging on my local machine - on Windows 7 (and 8); everything works a treat. The service launches, the database tables are created and I can login via Facebook and records are inserted to the relevant tables.
When running the service on Ubuntu inside a Vagrant Box (running in Virtual Box as the provider for virtualization, hosted on nginx with mono-fastcgi) - the service launches correctly and I can see that the tables are created in the MySql database. When I hit /auth/facebook I am correctly forwarded to Facebook - but I hit an error when the callback to the service occurs.
This is the current output:
[Auth: 07/30/2013 13:02:47]: [REQUEST: {provider:facebook}] System.NullReferenceException: Object reference not set to an instance of an object at
ServiceStack.ServiceInterface.Auth.FacebookAuthProvider.Authenticate (ServiceStack.ServiceInterface.IServiceBase,ServiceStack.ServiceInterface.Auth.IAuthSession,ServiceStack.ServiceInterface.Auth.Auth) <0x0061e> at
ServiceStack.ServiceInterface.Auth.AuthService.Authenticate (ServiceStack.ServiceInterface.Auth.Auth,string,ServiceStack.ServiceInterface.Auth.IAuthSession,ServiceStack.ServiceInterface.Auth.IAuthProvider) <0x000a7> at
ServiceStack.ServiceInterface.Auth.AuthService.Post (ServiceStack.ServiceInterface.Auth.Auth) <0x00303> at
ServiceStack.ServiceInterface.Auth.AuthService.Get (ServiceStack.ServiceInterface.Auth.Auth) <0x00013> at (wrapper dynamic-method) object.lambda_method (System.Runtime.CompilerServices.Closure,object,object) <0x0004f> at
ServiceStack.ServiceHost.ServiceRunner`1<ServiceStack.ServiceInterface.Auth.Auth>.Execute (ServiceStack.ServiceHost.IRequestContext,object,ServiceStack.ServiceInterface.Auth.Auth) <0x00416>
It is clearly reaching the Service (which I'm accessing via localhost:8080 which maps through to the guest machine on port 80); as the error is wrapped nicely in ServiceStack output.
I don't suppose anyone has any clues?
Okay after an evening of investigation - I've found the root cause.
Line 51 of FacebookAuthProvider.cs calls off to Line 28 of WebRequestExtensions.cs - which in turn calls Line 227 of WebRequestExtensions.cs.
This method call fails at line 255-ish - essentially because Mono by default doesn't trust any SSL certificates by default: as explained here..
Instead of figuring out the correct configuration for Mono - I've taken the nasty route (for the time being at least); of using the following line in my AppHostBase.Configure implementation:
F#
System.Net.ServicePointManager.ServerCertificateValidationCallback <- new RemoteCertificateValidationCallback(fun _ _ _ _ -> true)
C#
System.Net.ServicePointManager.ServerCertificateValidationCallback += (a, b, c, d) => { return true; };
I am now up and running (like a fully-operational Death Star).
I am trying to execute this command from a web application on sourceServer:
var mgr = ServerManager.OpenRemote(destServer)
but I receive this error:
UnAuthorized access wth a detail error: "Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine failed due to the following error: 80070005"
I have full administrative rights on both servers.
I can issue that command from a console application no problem, but when I try it from the web application, I get the error!
I have tried enabling the remote management checkbox and started teh remote access auto connection manager and also tried updating the load user profile on the applicaiton pool from false to true.
I have searched so much to the point that all of my links are pink in color!
Any input is greatly appreciated.
I've decided to ditch the use of ServerManager.OpenRemote() and use the DirectoryEntry way:
DirectoryEntry root = new DirectoryEntry("IIS://server/W3SVC", username, password)
it is much simpler and straightforward.
I'm running into a problem with getting SSL to work in the Development Fabric. I'm running a clean install of Windows 8 Pro with Visual Studio 2012 Ultimate and the October 2012 Azure SDK for .NET. IIS8 is not installed, only IIS Express, which claims to support HTTPS so I'm hoping that's not the issue.
Running VS 12 as administrator, I've created a blank VS solution, added a new (.NET 4.5) cloud service with a new ASP.NET MVC 4 Internet web application project, and hit F5. Everything works fine. Then, when I add an SSL certificate to the web role and replace the HTTP endpoint (port 80) with an HTTPS endpoint (port 443, with the certificate), hitting F5 produces the following error message:
Windows Azure Tools for Microsoft Visual Studio
There was an error attaching the debugger to the role instance 'deployment18(32).WindowsAzureCloudService.Mvc4WebRole_IN_0' with Process Id: 4892'. Unable to attach. Access is denied.
Note, the last part ("Access is denied") comes in a few variations, a particularly pleasant one being "Catastrophic failure". :)
The only message in the VS Output window ('General' output) is:
Windows Azure Tools: Warning: Remapping private port 443 to 444 in role 'Mvc4WebRole' to avoid conflict during emulation.
The Compute Emulator UI is not much help; just before the instance disappears, this is the only console output that I get consistently (sometimes other messages appear, but sporadically every few runs; I'm not sure how to capture these):
[fabric] Role Instance: deployment18(33).WindowsAzureCloudService.Mvc4WebRole.0
[fabric] Role state Unknown
[fabric] Role state Suspended
[fabric] Role state Busy
[fabric] Role state Unhealthy
[fabric] Role state Stopped
The certificate was obtained from a CA and properly imported into the Local Machine/Personal/Certificates store as a .pfx with private key, extended properties, and marked as exportable, for what it's worth.
When I attempt to publish the service to Azure, I get one build (validation) warning about the database connection string (which I assume is irrelevant):
The connection string 'DefaultConnection' is using a local database '(LocalDb)\v11.0' in project 'Mvc4WebRole'. This connection string will not work when you run this application in Windows Azure. To access a different database, you should update the connection string in the web.config file.
Probably more important, the deployment actually fails with the following history in the Windows Azure Activity Log window:
9:00:25 AM - Warning: There are package validation warnings.
9:00:25 AM - Preparing deployment for WindowsAzureCloudService - 1/3/2013 8:59:55 AM with Subscription ID '<...>' using Service Management URL 'https://management.core.windows.net/'...
9:00:25 AM - Connecting...
9:00:26 AM - Object reference not set to an instance of an object.
9:00:26 AM - Deployment failed with a fatal error
Can someone help me troubleshoot this issue? I've rebooted a few times. ;)
Thanks in advance!
EDIT (Jan. 3, 4:44 PM): I have a few ideas that might help me make progress, but some are pretty drastic so any advice would be appreciated:
Is there a way to capture all the output from the Compute Emulator (Dev Fabric) to a log file so I can review it? (System.Diagnostic.Trace calls from my service won't help, since I don't even get as far as the RoleEntryPoint when using HTTPS!) I figured this out; see next edit.
That null pointer exception during the Azure deployment has me worried. Is it worthwhile to try reinstalling the Azure SDK, and if so, how should I go about doing a clean install of it?
Has anyone seen a problem of this sort disappear when switching to using full IIS for the emulator? (That seems unlikely since IIS vs. IIS Express should have no relevance to the Azure deployment.)
EDIT (Jan. 4, 10:15 AM): Bad news: I tried the suggestion to grant Read access to the certificates, but it didn't help in my case. Good news: I managed to capture one of those sporadic messages in the Compute Emulator UI before it shut down; it was a bit of info from some diagnostics. Not helpful in and of itself, but it revealed where the Development Fabric was storing its temporary files:
[Diagnostics] Information: C:\Users\Lars\AppData\Local\dftmp\Resources\0005155d-4592-40f4-812e-18793b26576c\directory\DiagnosticStore\Monitor
The GUID portion gets recreated for every deployment, and it is deleted when the deployment goes away (as it always does in my case). But in the parent directory ('dftmp'), there are a few helpful directories that I then monitored during a new deployment: DevFCLogs, DFAgentLogs, and IISConfiguratorLogs. I guess that answers the first question I had yesterday! :)
DFAgentLogs\DFAgent.log: (41KB) No useful information. A bunch of "Failure to read pipe" messages and failures to get the role/deployment instance ID, which I assume are just noise.
DevFCLogs\DevFabric--2013.01.04--<...>.log: (510 KB) No useful information. I skimmed the file and also searched for 'error', 'failure', 'not found', 'certificate', and 'Mvc4WebRole_IN_0'; none of those showed any hints of what was going on.
IISConfiguratorLogs\IISConfigurator.log: (6 KB) Now we're making progress!! :) Can someone tell me what this means? (In the meantime, I'm off ILSpy-hunting... fun fun...)
IISConfigurator Information: 0 : [00006356:00000005, 2013/01/04 16:07:08.915] Using IIS Express appdomain
(...)
IISConfigurator Information: 0 : [00006356:00000005, 2013/01/04 16:07:08.936] Adding binding 127.255.0.0:444: to site deployment18(40).WindowsAzureCloudService.Mvc4WebRole_IN_0_Web
IISConfigurator Information: 0 : [00006356:00000005, 2013/01/04 16:07:10.484] Caught exception
IISConfigurator Information: 0 : [00006356:00000005, 2013/01/04 16:07:10.487] Exception:System.Runtime.InteropServices.COMException (0x800401F3): Invalid class string (Exception from HRESULT: 0x800401F3 (CO_E_CLASSSTRING))
Server stack trace:
at Microsoft.Web.Administration.Interop.IAppHostProperty.get_Value()
at Microsoft.Web.Administration.ConfigurationElement.GetPropertyValue(IAppHostProperty property)
at Microsoft.Web.Administration.Binding.get_CertificateHash()
at Microsoft.Web.Administration.BindingCollection.Add(Binding binding)
at Microsoft.WindowsAzure.ServiceRuntime.IISConfigurator.WasManager.DeploySite(String roleId, WASite roleSite, String appPoolName, String sitePath, String iisLogsRootFolder, String failedRequestLogsRootFolder, List1 bindings, List1 protocols, FileManager fileManager, WAAppPool defaultAppPoolSettings, String roleGuid, String& appPoolSid, List`1 appPoolsAdded, String configPath)
EDIT (Jan. 4, 11 AM): ILSpy wasn't much help; the exception is being thrown at an interop point (we knew that already) while trying to get the hash of a certificate in order to set up the binding (we knew that too). Does anyone know what COM object would need to be registered in order to get a certificate hash for a binding in Microsoft.Web.Administration? Or how I could intercept the interop call to find out? Bonus points if you can tell me why this is happening in the first place. :)
I've had similar problem on two computers. On both cases installing IIS solved the problem.
It seems to be enough to just install the IIS (via add/remove Windows components). You don't need to start using it. The installation changes something and after that my IIS Express started working again with HTTPS from Visual Studio.
There is a discussion on similar issue on MSDN Social:
http://social.msdn.microsoft.com/Forums/nl-NL/windowsazuredevelopment/thread/ad362016-16f6-459a-8022-9307aa5f910e
And the issue has been also raised on Microsoft connect:
https://connect.microsoft.com/VisualStudio/feedback/details/758533
In my case the error in the log files was:
IISConfigurator Information: 0 : [00007644:00000007, 2013.01.17
00:39:18.523] Exception:System.Runtime.InteropServices.COMException
(0x800401F3): Invalid class string (Exception from HRESULT: 0x800401F3
(CO_E_CLASSSTRING))
I found the log files from C:\Users\\AppData\Local\dftmp\IISConfiguratorLogs directory.
When running locally with a private key cert for SSL, you'll need to give the user the emulator app is running under access to the private key. Open mmc.exe and add the Certificates >> Local Computer Snap-In to view your certificate. Right Click on the certificate, then All Tasks >> Manage Private Keys - then add IUSR and Network Service with at least read access.
For deployment to azure, you'll need to upload the certificate to the Cloud Service and make sure the certificate is valid for the domain.
Follow step 11 from http://www.microsoft.com/en-us/download/details.aspx?id=35448. From this SO post
My computer is connected to a domain, but when I go to create a public queue:
MessageQueue.Create(#".\testqueue");
I get this error:
A workgroup installation computer does
not support the operation.
Why might MSMQ think I'm on a workgroup computer?
I know this is late, and there is already an accepted answer, but I just had this issue and it was resolved by changing the format of the queue string.
When my queue name was this, I got the workgroup error:
".\QueueName"
When I changed it to a more formal version, there was no error and sending to the queue worked:
"FormatName:DIRECT=OS:ComputerName\private$\QueueName"
Just in case someone else comes across this post, now they have something else to try...
I got the same problem and solved it by changing it to #".\private$\QueueName"
Being part of a domain is a pre-cursor for installing MSMQ in AD-integrated mode.
It doesn't guarantee MSMQ IS installed in AD-integrated mode.
MSMQ will install in workgroup mode if:
AD integration was not selected as a setup option
AD integration was selected but failed to initialise; check event logs
Yes, the workgroup name is confusing in a domain member situation.
I was facing the same problem, take a look at solution below. I don't know the reason but creating queue in this manner works perfectly.
private MessageQueue messageQueue;
public const string DEFAULT_QUEUE_NAME = "newQueue";
public const string QUEUENAME_PREFIX = ".\\Private$\\";
public static string QueueName
{
get
{
string result = string.Format("{0}{1}", QUEUENAME_PREFIX, DEFAULT_QUEUE_NAME);
return result;
}
}
public void SendMessage()
{
string queuePath = QueueName;
MessageQueue messageQueue = MessageQueue.Create(queuePath);
messageQueue.Send("msg");
}
you can create queue for receiving message in the same manner.
Adding for documentation purpose... I was getting error "A workgroup installation computer does not support the operation" while trying to access transactional dead letter queue and it was due to not specifying the machine name. I was using period to denote computer name. e.g. "FORMATNAME:DIRECT=OS:.\SYSTEM$;DEADXACT". It does not work even with using complete format name. Problem solved after replacing the period with computer name. Below is the working code.
using (var queue = new MessageQueue($#"FORMATNAME:DIRECT=OS:{Environment.MachineName}\SYSTEM$;DEADXACT"))
{
queue.Purge();
}
It is possible that MSMQ installed in your machine as a guest user or another user so remove it from machine and install it with administrative permission.
On the server I was having trouble running MSMQ and getting different kinds of errors, including the error asked in the question.
A workgroup installation computer does not support the operation
What worked for me was not fiddling with Server Manager, but reinstalling MSMQ using Powershell.
Remove-WindowsFeature Msmq; Add-WindowsFeature MsMq
These two cmdlets can be run in a Powershell console running as Administrator. At least it fixed the error for me, but this will install the entire Msmq feature, including subfeatures.
i got this error while debugging a web site from visual studio (2015).
restarting the iisexpress solved this...
I am attempting to obtain a data feed from yahoo finance. I am doing this with the following code:
System.Net.WebRequest request = System.Net.WebRequest.Create(http://download.finance.yahoo.com/download/quotes.csv?format=sl&ext=.csv&symbols=^ftse,^ftmc,^ftas,^ftt1x,^dJA);
request.UseDefaultCredentials = true;
// set properties of the request
using (System.Net.WebResponse response = request.GetResponse())
{
using (System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream()))
{
return reader.ReadToEnd();
}
}
I have placed this code into a console application and, using Console.WriteLine on the output I receive the information I require. I have used the 'Run as..' command to execute this using a specific domain account.
When I use this code from within a Page load I receive the following error message "No connection could be made because the target machine actively refused it 76.13.114.90:80".
This seems to suggest that the call is reaching yahoo (is this true?) and that there is something missing.
This would suggest there is an identity difference in the calls between the console application and application pool.
Environment is: Windows Server 2003, IIS 6.0, .net 4.0
"Target machine actively refused it" indicates that the TCP connection itself is not succeeding. This could be due to the fact that the Proxy settings when run under IIS are not the same as those that apply when you run in the console.
You can fix this by setting a WebProxy on your request, that points to the proxy server being used in the environment.
Yes, an active refusal is indication that the target machine is receiving the request and the information in the headers is either incorrect or insufficient to process the request. It is entirely possible that if you had to run this call using a "run as" command in console that the application pool's identity user does not have the appropriate permission or username. You can attempt to change the identity user to this specific domain account to see if that alleviates the problem, but you may have to isolate this particular function into its own application pool in order to protect the rest of the website from having this specification.