I have two identical pieces of C# code that connects remotely to another server: one from console and the other from web application:
var mgr = ServerManager.OpenRemote(myServer)
The console one works fine. The other however fails with the following exception:
System.UnAuthorizedAccessException with this com-message: {"Retrieving the COM class factory for remote component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from machine failed due to the following error: 80070005 ."}
I have disabled the firewall on both servers and rebooted them.
Is there a way or a tool that will help me see how each connection played out like: what logins and access that both servers sent and received?
My attempt is not trapped in the IIS logs and event viewer.
I have tried to make fiddler listens, but it also didn't find anything.
The reason you're getting that exception is because the application pool identity doesn't have the enough rights. To use the Microsoft.Web.Administration managed API you need to be an administrator.
Also when you're using ServerManager.OpenRemote(), the account that your site runs under (be it the application pool identity or other account) would need to be a valid domain account with sufficient privileges.
Incidentally, the CLSID "2B72133B-3F5B-4602-8952-803546CE3344" is the class ID for the Microsoft.ApplicationHost.WritableAdminManager COM component that underpins the ServerManager managed API.
I would suggest that you use Process Monitor from SysInternals to watch what the web process is doing. The trick is going to be filtering the fire hose of info !!
Btw, I suspect it is an Application Pool Identity or DCOM permission problem.
Related
I am trying to run DotNetNuke application on the IIS of developer machine.
When the application starts it fails to connect to SQL server.
This error pops on event log:
source: SQLLocalDB 14.0
Windows API call WaitForMultipleObjects
returned error code: 575. Windows system error message is:
{Application Error} The application was unable to start correctly
(0x%lx). Click OK to close the application. Reported at line: 3714.
At the instance folder i found this or error.log file:
2020-04-08 18:43:59.07 spid52 Starting up database 'dnn_platform'.
2020-04-08 18:43:59.10 spid52 Parallel redo is started for database 'dnn_platform' with worker pool size [1].
2020-04-08 18:43:59.11 spid52 Parallel redo is shutdown for database 'dnn_platform' with worker pool size [1].
The application pool is set to load user profile.
The localDb instance folder has access to anyone write there.
I can't figure what is wrong.
My machine is a windows 10.
In order to access localDb service the user profile must be fully load.
Unfortunally, to fully enable user profile load on IIS it is needed to edit the applicationhost.config at C:\Windows\System32\inetsrv\config.
To do so :
create a new application pool by adding this too applicationhost.config
setProfileEnvironment can't be set by IIS Management console so that why you have to edit this file
On the IIS Management Console change the localDbCompatiblePool pool identity to make use of a local or network user
Still on IIS Management Console change your Web application or Site settings to use the localDbCompatiblePool application pool.
It maybe be possible to use an user created by Application Pool identity with some more tweaking but i was unable to find out.
Full details on this issue can be found here.
Our team has an ASP.NET Core Web Application which integrates Multisafepay payment provider (MSP). We use the .NET wrapper of MSP to communicate with the API of the payment provider. In some cases when we asking for the payment URL where the user can pay for his order we got an error code 9999 (unknown error). Mostly this happens after we restart our Web App in Azure or when it comes back from idle time.
I checked out the code of the MSP wrapper. It has some Trace.WriteLine statement in its code right where the error 9999 occurs. Is there any way to log the content of the trace in Azure?
I've tried almost everything. Modyfing the web.config, and adding trace listneres to it, turning on the Application Loggin and Log Stream in Azure, etc. but nothing worked.
I am getting error while publishing the 2013 workflow via designer. Also, under sharepoint designer if I try to delete any workflow then the page just refreshes and the workflow does not get deleted.
I checked the services.msc and found that the workflow backend service was stopped. (this happened as the password of the user under which this serivce was running had changed).
So, the network admin changed the service user to LOCAL SYSTEM and started the service.
Now, the workflow backend service is started. We have also ran the iisreset.
However, I am still getting the same error:-
System.IO.InvalidDataException: A response was returned that did not come from the Workflow Manager. Status code = 503: Service Unavailable
Service Unavailable
HTTP Error 503. The service is unavailable.
Client ActivityId : ee94689c-4e08-b055-fe9c-268d7a94
Please find attached snapshot.
Is the error as a result of the change in service user? Can you tell me what priviledges should the account running the workflow backend service must have?
UPDATE 1
We have tried to set the account to farm admin and also tried to set it to site admin. Now, for a new web application, I can delete workflows. However, for existing site, I am not able to delete the existing workflows.. Also, I am not able to publish workflows (present under new and previous sites) and the error is same as described earlier.
Open IIS and make sure identify of the WorkflowMgmtPool is correct, you can re-type the identify. Then make this pool is started.
Check and reenter credentials for:-
Open Services.msc, find Service Bus Message Broker service and Windows Fabric Host Service. Make sure they are running. If not, firstly, start Windows Fabric Host Service, then start Service Bus Message Broker service. If Service Bus Message Broker service is started, stop and re-start it.
Reference- this forum link
This error occur because you have not registered the workflow correctly. Re-register the workflow and it will get solved. Also make sure you have activated the App management Service in your site features.
http://designerworkflow.blogspot.in/
Workflow Manager CU2 to get to 1.0 Refresh in Web Platform installer worked first time for me!
http://support.microsoft.com/kb/2902007/en-us
I had this same issue.
I was able to resolve it by going to IIS on my application server, editing the identity on the Workflow Management Application Pool, saving it and restarting it. I also restarted the server.
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.
I'm trying to confirm my findings on permissions.
In order for the SharePoint object model to be accessed from a console application or for that matter a WinForm application, the user running the application must have db_admin permission to the content database for the web application in question.
In order to use Microsoft.SharePoint.Administration (like calling SPFarm.Local.Solutions.Add) inside an ASP.NET application the following must be true:
The call must be wrapped with RunWithElevatedPrivileges like the following:
SPSecurity.RunWithElevatedPrivileges(delegate() { code to run } );
The user accessing the ASP.NET page must be part of the Farm Adminstrators Group (the page is running under _layouts)
The user in the identity of the App Pool for the web application in question must also be in the Farm Adminstrators Group
Does this information look correct?
Yes but within the web service code you call the functional code using RunWithElevated Privileges this bypasses the identity you are running the web service as and instead uses the SPFarmAdmin user to execute the code.
Alternatively host the web service in an app pool which uses the same domain account as your central admin site, and allow anonymous access to the web service. This would be safe for internal use only and would mean that the web service always had elevated permissions.
Edit: Contrary to Michael's comment I have assumed that this app is not going to be run from within the SP farm.
I would not recommend this approach at all as it is an unupported method of using the SharePoint OM.
You are much better off writing a web service that sits on the SP farm and uses the OM, and then access the web service mehods to perform your required functionality.
You could also look at the out of the box sharepoint web services.
RunWithElevatedPrivileges will not work in your scenario I dont think as it requires a base indetity to fall back on which in the case of code executing on the SP farm is the SP App Pool identity which is usually a farm admin account.
I am happy to be corrected on all of this, but certainly in my environment it would not be wise to invest in a non-standard and unsupported approach to a problem.
Yes the web service will need proper access rights, but this is easier to control with a web service running locally.
However if as you say the apps are always running on the server then using RunWithElevatedPrivileges will solve any permissions issues as you are in effect running that code as an SPFarmAdmin (as long as the app pool identity is configured correctly).
Note: you could use this approach with either bespoke web services or client apps such as console applications or windows forms.
Apologies hobbyman, I never saw you reply.
If you use RunWithElevatedPermissions then it doesn't matter which user the web service runs as, because you are effectivley impersonating a farm admin account.
You could additionally do your own impersonation within the web service and impersonate any user you wish.
Essentially if the web service is running within a given application pool then the web service will run under the indentity which the app pool runs as. Does this clarify things?