I've setup a special user account for MSDeploy connections. The user is a member of the local Administrators group.
MSDeploy fails with ERROR_USER_UNAUTHORIZED when I use this account and yet it works fine with my own account, which is also an administrator, via a domain group.
In the IIS Management settings, this new website is not listed and so my account doesn't receive its rights via config, I believe its implicit via my admin rights. So why doesn't the dedicated account work?
What I'm learning, from day after day and $1000s worth of consultancy time, is that MSDeploy is another Microsoft over-complicated anti-pattern, we should stick to RoboCopy and not cave in to 'right way' BS.
Have you checked event log for MsDeploy? It could contain possible answer :).
I assume you are using Windows 2008 Server, not Windows 2012 Server?
Try specifying explicitly the authType=Basic token for the -dest parameter (or /A:Basic command line switch in case of .cmd deploy script). Though the documentation claims that WMSvc method uses by default basic authentication I've recently found this is not (always) true.
Related
I have created a Cloud project on VS 2012 with .net 4.5. This consists of two web roles, an API and an front end website.
I have followed the instructions here: http://msdn.microsoft.com/en-gb/library/windowsazure/gg443832.aspx in order to set up remote desktop, and deployed the service.
When I try to connect (I have double and triple checked the credentials), I get told that 'The credentials that were used to connect to did not work. Please enter new credentials.
My web roles are both operational, and I can visit them both in the browser.
I have tried waiting a while after deploying for changes to propagate, but this makes no difference. The only thing I can think of is that I have not done anything with certificates as of yet other than download the appropriate bits in order to deploy from visual studio. I can't find any documentation that says I need to though.
I have also tried out adding various domains to the username but nothing works.
Am I missing something, or is there a chance that there is a bug with azure at the moment?
EDIT: Have now tried deleting the cloud project from visual studio, deleting the cloud service in azure and redeploying with only a single web role. Still seeing the problem.
Just checking for completeness,
Did you use the button on the website for your first access?
http://blogs.msdn.com/b/avkashchauhan/archive/2011/04/03/how-to-login-into-windows-azure-virtual-machine-using-remote-desktop.aspx
On the other hand, this is the link that worked for us, it includes how to set up the cert needed too.
http://geekswithblogs.net/MagnusKarlsson/archive/2012/12/03/connect-to-running-web-role-from-remote-desktop-connection-and.aspx
I fixed this by removing the <Import moduleName="RemoteAccess" /> and <Import moduleName="RemoteForwarder" /> lines from the .csdef then removing all references to Microsoft.WindowsAzure.Plugins.RemoteAccess and Microsoft.WindowsAzure.Plugins.RemoteForwarder within the .cscfg files. I then was able to deploy and enable remote desktop access from the newer Azure portal.
After adding users to the Azure Active Directory Domain, (e.g. smith#mydomain.onmicorosft.com), I tried logging in as one of those users, but got "Your credentials did not work." After some trial and error, I found that I had to add the users (e.g. smith) as local users on the VMs. Once I did that, and assigned, passwords, the users could RDP in.
I've moved my codebase to a new directory and need to grant the IIS account read/write privileges on a few folders to allow access by the ASP.Net runtime. I believe NETWORKSERVICE is no longer used for this purpose (as mentioned in this earlier question:
ASP.Net which user account running Web Service on IIS 7?) but, try as I might I can't seem to be able to add the IISAppPool/IIS Worker Process the article links to.
I've found a MyDomain/IIS_WPG account but this isn't the one that is listed in Task Manager for the w3wp process. Can someone help?
UPDATE:
Even odder - the Application Pool for the website in question uses the LocalSystem identity which I thought would be able to access pretty much the entire machine. Is there something incorrect about my basic machine/Windows setup?
I've a feeling it's something to do with the permissions of the AppPool but as this app is hosted in Azure it's not possible to change that.
My code works in a console app and when the AppPool is set to run as a user (myself). It fails to run when the AppPool is set to run as ApplicationIdentity and when the service is hosted in Azure (I'll post the code if requested, but I don't think that's where the problem lies).
It doesn't matter whether I load the certificate from a store, from a file, or from a byte array. The results are the same.
I don't know what information will be helpful in diagnosing this but it appears that the chain/path doesn't load under the reduced privileges. Calling .Verify() returns true in the console app (and IIS running as my user) and false under ApplicationIdentity.
The certificate appears to load normally and contains a private key in both circumstances.
It turns out my problem was the same listed in this question. I needed to set my certificates up so that some of them were in the CA and Trust section so that the chain was built correctly.
I had all of the certificates installed but it would appear that the location of the certificate is important as well, and it was nothing to do with security or which user was logged on at all!
You can change almost anything in Azure. It is full IIS (if you are not upgrading from SDK 1.3 or earlier) by default. There are couple of options to try:
(This one is wrong! Noted by Steve Marx)Try jus trunning the application (in this case IIS AppPool) in Elevated mode. That will make AppPool running under "SYSTEM" account, instead of AppPoolIdentity. You can do that by adding a <runtime executionContext="elevated" /> element in your role definition in .CSDEF file.
You can enable remote desktop to all your roles. That will effectively create an account in your role instance and add it to the Administrators group. Then you can use a startup task and powershell script to change AppPool identity to use that account instead: A blog post by Wade Wegner on how to programatically change AppPool Identity.
Well, these all are ways to make your application pool runs in Elevated mode, but also show that you can do pretty much everything with IIS on your Windows Azure Instance. I suggest to use site runing in elevated mode only for testing purposes. First make your code run in restricted account on local IIS. Then see what you changed to make it wokrk locally and apply these changes on the Azure Web Role.
EDIT
Another thing to pay attention is that in order .Verify() to work, you must have the Root Certificate of the CA that issued the checked certificate, installed on the web role. This can be done via adding the Root CA Certificate as a "Service Certificate" from the management portal. Also, the CA that issued the checked certificated must be trusted.
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.
If yes, please give an example.
UPDATE:
I have a PowerShell script that iterates through all site collections within selected Web application and changes the siteCollection.Audit.AuditFlags property. It works fine on my development machine, but the siteCollection.Audit.Update() command fails with Access is denied error on the production server, even though I am trying to run it as a user who is a farm administrator.
Yes, it can.
[Microsoft.SharePoint.SPSecurity]::RunWithElevatedPrivileges({
$site = get-spsite "http://localhost/nonfarmadminsitecollection";
});
Be careful with that. Since you are impersonating the process account, you lose information about the user in the audit trails.
RunWithElevatedPrivs uses the application pool user on regular web apps, not farm admin. If the elevation happens on central administration, then it's a farm admin account. I assume you are doing this on regular webapps, so launch powershell as the app pool acount.
Run powershell as an administrator or as your webapp application pool user.