I have recently deployed a fubu mvc application to windows azure. Everything works except when the pipeline tries to find the view to render. This all works correctly on my local machine.
So I am wondering: does the process on the Azure box have rights to read/scan files on disk?
Any suggestions to fix it are welcome though.
EDIT:
As part of the deployment there is a stage that azure goes through called "Preparing files for eployment". I checked on the log and my view was not in there
So I changed copy to output as true and it worked
It depends a bit on where you are trying to read and how you have configured your roles. By default, the code will run as a very low privilege user that only has R/W to the code directory (and any LocalResource(s) defined by the user). However, you can run your code as SYSTEM, in which case you can R/W anywhere (you might still have to take ownership, but you are all powerful as SYSTEM).
If your views are defined as part of your package and uploaded, the code should have permission to view it. I am curious as why you think this is a permission issue right now. Do you see an error that indicates that, or are you guessing it? If I had to guess, my first thought would be your views didn't get packaged correctly and are not on the VM. You can confirm they are there either by RDP or by cracking open the package and snooping around.
Related
An automated Windows update this morning left my Windows Server 2012 R2 Classic Virtual Machine on Azure in a semi-crashed state. The VM is a web server, and all the files and applications in it are still accessible via the browser. In other words, IIS and a number of other services are still running. Unfortunately, however, the VM is not accessible via Remote Desktop and is unresponsive to commands from the Azure management interface on the portal.azure.com website.
This type of error is quite common and can be found reported on many other websites. The error has been happening to Windows users (not just Windows Server) for many years already, and none of the solutions online will work for Azure users, because they involve restarting from a CD, pressing shift-f8 during boot, issuing DOS commands, restoring from backup, or unchecking certain properties in VMWare or other software.
Does anybody have a real solution for this problem on Microsoft Azure?
After struggling with this for weeks, I think I was able to fix this with the help of Microsoft support! I decide to post the solution here in case it can help someone in the future. Here are the three things that you need to do to fix this:
1-Restore the VM from a backup prior to the crash. The VM with the "Undoing Changes" crash is pretty much toast at this point. Now, proceed to steps 2 and 3 to ensure that the next batch of Windows Updates won't crash it again!
2-On your new VM, ensure that the Environment Variables for TEMP and TMP both point to C:\Windows\TEMP. In my case, they were both pointing to a temporary folder in the logged in user's profile.
3-Ensure that C:\Windows\TEMP is always empty. I achieved this by setting up a scheduled task that runs a simple BAT file that deletes all files and folders inside of the C:\Windows\TEMP once a day. I spoke with a Microsoft representative who said that even though you may have plenty of hard drive space in your C:\ drive, the Windows TEMP folder is really not supposed to get much bigger than 500MB. When it gets very large you may have some issues with Windows Updates (mine was just under 500MB when the updates were failing).
I would recommend contacting Azure support as something may have to be done by an engineer to fix the issue and unfortunately classic VMs don't have the redeploy feature.
I've added only InboundPort 3389 RPD, and works well now.
I've setup a UNC share for IIS shared config using a specific AD service account and set to FULL CONTROL. I've also exported the config from one IIS server and set-up an additional IIS server to point to the share. When I open the applicationhost.config for example on the UNC share and remove an application pool, I can see the entry also remove in both IIS servers.
So I know:
1) I can export to the share with the specific service account
2) Both IIS servers can read the config when I edit manually
3) However when I remove an app pool from one of the IIS servers through the manager I get the above error.
I've tried using the process monitor utility to see what account is being used to write to the config and it seems it is my own AD user account rather than the shared service account. I know IIS Manager has my username e.g. ROOT\MYNAME logged on, but I wouldn't have thought it would use this to write changes to the shared config. Surely it would use the service account?
Does anyone know how to prevent this error? Why does the shared config and tied service account not come into play when making changes on one of the servers?
So, IMHO, this error is a red herring. I was publishing to a server and got a message saying I was out of space. So, I logged in, realized there was a bit of cruft in extra apps published in IIS, we didn't need. I right clicked and tried to remove one. I got the same error as you.
Having done some manual changes to applicationHost, I thought it "might be me" but it seemed very odd that editing this file would cause such a thing. However, I had recently learned that windows does some funky 32 vs 64bit machinations with this file (google it).
Deciding I had better things to do, I asked our IT to add space to the VM and guess what? I am no able to remove these apps. My guess is that I was at the end of the line on space and the backend management of these special files was not completing and throwing this not-so-helpful exception.
I'm not a 100% about this. For full disclosure, I will add that updates had been applied recently, but I'm pretty confident that this is a possible solution.
I have been looking at an issue for a week straight and have been unable to figure it out and I am desperate for the fix.
On a client site, we have two environments: UAT and PROD. UAT works perfect (Please keep this in mind). We are now trying to deploy the solution to PROD but certain parts of the solution are not working.
We have developed an asp.net application that we provide to clients to allow them to invoke SSIS packages (there are a couple of drop downs that they first select then click a button named "invoke").
When the user clicks the Invoke button, a batch file named InvokeSSIS.bat is called that assembles a command line call to dtexec with the appropriate parameters.
I'm having a problem with a particular package that is responsible for calling an executable which generates a spreadsheet that i will be importing into my system.
The executable is on an mapped H:\ drive.
I have modified the InvokeSSIS.bat batch file to capture the command the batch file is generating. If I execute this command from the command line, it works perfectly. From the webapp Invoker, it executes the package but the tasks responsible for calling the executable doesn't execute as the entire package takes only 1 second to complete (whereas it should take about a minute.)
The executable DOES have a GUI, but it is NOT interactive. This is because when you call the GUI with specific parameters, it automatically runs in batch mode and executes a macro used to generate the desired spreadsheet.
I know this is ok because it works on the UAT server AND it works from the command line!
I have checked the permissions on the executable (bu right-clicking the executable and clicking properties.) I have granted Full Control on the executable to the same user specified as the identity tab of the application pool i am using.
Can someone please help me? As I said I am dying over here!
Please let me know if you have any ideas or what other info you need.
Environment (both UAT and PROD)
OS: Windows Server 2003
IIS 6
asp.net 2.0
SQL Server 2008
Thanks!
Steve
You can't use a mapped drive with IIS.
You must use the \\servername syntax to reach files on other systems.
I agree with user544284 that this is at least in part a mapping issue. I'll ignore for a minute the complete insanity of having a web application call a batch file to start an executable that's on a remote network drive through a drive letter mapping.
Most likely the UAT box has something set up that maps that drive letter for you which Prod is missing.
The only other possibility is a security violation is occurring. Running .exe's from a network drive is generally frowned on. Do the two environments have the exact same version of windows? Are they configured the same with regards to UAC? Any differences here are going to be important.
Which brings up an interesting thought. I wonder if someone logged in to the UAT server using the same account credentials the app pool is using and added the ip address of the machine where the exe lives to the list of "Local Intranet" sites... Or, if they installed SSIS on the UAT server itself.
Just because YOU can log in to the server and run it on the command line means nothing. You have to find out if the drive letter is mapped at all for the user that the web app is running under and whether that user has the required security bits and whether the local OS will allow it regardless.
Okay, I can't ignore it: hairbrained is the nicest adjective I can come up with for this "architecture". Do yourself a favor and go back to the drawing board on this one. It has the word "brittle" written all over it, as you have already found. Instead of building out a batch file to call dtexec, just do it directly either by something like this or this.
I am having a huge problem with the eventlog on my server. Right let me first of all explain the setup.
I have a domain setup with 2 computers
One computer is running IIS the other is a workstation. The IIS is running Win2k3 the workstation Win XP.
The IIS computer is hosting a website which uses Windows Impersonation and tries to log an entry to the eventlog for a custom log file called MyApp and a custom event source MySource
I have a domain user called MyUser who is just a member of Domain Users.
Single Sign On is working 100% because I can write out the logged in user to the page fine.
When I visit the IIS page from the workstation I get one of the following messages (sometimes I get the first sometimes the second)
1) The handle is invalid
2) Cannot open log for source 'MySource'. You may not have write access.
So to try and fix this I have tried all of the following:
Granted the Everyone user FullControl to C:\windows\system32\config\MyApp.evt file
Granted the everyone user FullControl to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
In the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp\CustomSD I appended the following string (A;;0x0002;;;AU), (the reason for this can be read here http://fgheysels.blogspot.com/2008/01/cannot-open-log-for-source-0-on-windows.html)
I am now totally out of ideas of how to fix this. Has anyone else come across this and have you tried anything else.
The error, as you seem to have found already, relates to writing to event sources or creating them. I would suggest you try the following.
You did not indicate if the event source exists in the registry or weather the .evt files ware created by the system or if you put them on the machine, so it is hard to determine at which point you are stuck.
You also did not mention if this works on some developer's machine, in which case you can compare the registries and even create the keys manually if you have to.
Have a look under ...\Eventlog if a key for your log has been created (MyApp?).
Have a look in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\MyApp.
There should be a key called Sources. Does your source appear in here?
If these entries do not exist the error is that your user does not have permissions to create the custom log and source.
In the error message it should indicate a ThreadIdentity parameter, which should indicate which user account it is attempting to use to do this. You can also open the permissions to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog and query the "Effective Permissions" for this particular user to ensure it effectively really has full control.
Try granting full control to the entire directory C:\windows\system32\config\ and not just the .evt file as the system needs to create some additional files here as well.
Lastly you can try and enable anonymous access to the website and run it as the machine/Domain administrator user once so all the keys get created before setting it back to the way you like it. You could also try enabling impersonation in the web.config file to ensure that it is not running without a windows identity. These ones you should all be able to undo once the correct keys and files have been created.
Let us know what you find after this and we can take it further.
Well after many hrs of trying to solve this I appear to have a solution which works.
First of all I had to allow the Authenticated Users group write access to the event log. I advice you backup your registry before continuing.
Run regedit
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Open the subkey which matches the EventLog you are writing to (so I will pick Application)
On the right you will see the registry strings, locate one called CustomSD
Right click and modify it.
Append to the end (A;;0x2;;;AU) (I will explain this later)
Save the changes (I don't know if you need to reboot or not)
So that will mean Authenticated Users can write to the Application event log. I needed to apply one more change.
Open the Domain GPO or local computer GPO
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights > Assignments > Manage auditing and security log
Go to its Properties window
Select Define these policy settings
Add the Administrator group
Add the Authenticated Users group
Save and do a gpupdate /force for the affected computer.
That is the only way I could get it to allow my website users to write to the event log.
I mentioned in part 1 step 6 I would explain the string we added. Please see this page for more details http://support.microsoft.com/kb/323076
Okay, so I'm running a small test webserver on my private network. I've got a machine running Windows 2000 Pro, and I'm trying to run an ASP.NET app through IIS.
I wrote it so that the webpage would use the registry to store certain settings (connection strings, potentially volatile locations of other web services, paths in the local filesystem where certain information is stored etc...) Of course, it worked fine when testing with VStudio.NET 2005, because the user running the app has elevated privileges. However, running it on IIS I get a "Access to the registry key 'HKEY_LOCAL_MACHINE\Software' is denied.", which suggests the IIS user doesn't have read access to that part of the registry (I only do reads through the website itself, never writes).
I was like "okay, simple enough, I'll just go give that user rights to that part of the registry through regedit." The problem is, I don't see an option anywhere in regedit to change security settings... at all. Which got me thinking... I don't think I've ever actually had to change security settings for registry hives/keys before, and I don't think I know how to do it.
Half an hour of searching the web later, I haven't found any usable information on this subject. What I'm wondering is... how DO you change security rights to portions of the registry? I'm stumped, and it seems my ability to find the answer on Google is failing me utterly... and since I just signed up here, I figured I'd see if anyone here knew. =)
If your having touble with RegEdit in Windows 2000 you can try the following:
Copy the Windows XP RegEdt32.exe to the Windows 2000 Machine
Using a Windows XP Machine, connect to the Windows 2000 registry remotely: File > Connect Network Registry
You can set permissions at the folder level for which you want to grant user permissions read/write access.
In your case, right click on the "Software" folder and select "Permissions".
You'll probably know the rest from there.
EDIT: If you still run into issues, you may want to modify your web.config file and use impersonation to have your web application run as a certain user account. Then you can put a tighter reign on the controls.
RegEdt32.exe will allow you to set permissions to registry keys.
Simply right click on a Key (Folder) and click Permissions, then you can edit the permissions as you would an file system folder.
I did so, assuming that a Security setting would be available. I didn't see any "Security" option when I right-clicked on the Key. =( I triple-checked just to make sure... and I just tried it on my XP machine, and it does indeed have the "Permissions" section... but the Windows 2000 machine doesn't. (how's that for wierd?)
In my searching, I found:
http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_21563044.html
Which notes that RegEdit for Windows 2000 doesn't have the Security/Permissions settings... but it proposes no solution to the problem. (Whoever asked the question was using Windows XP so he was okay... but in my case, it's 2000)
Is there any way to make it happen specifically in 2000?
EDIT: Ahhhh... if worse come to worse, I suppose I can do the impersonation as mentioned below... though if I can't set security settings for the registry in 2000, I'm left with making that user have Administrative access (I assume?) to actually get those rights, which sadly defeats the purpose. =(
Oh, let me try that! I didn't realize you could remotely connect to another registry.
(EDIT: I was wrong, it did work... it just took several minutes to respond to my request to change permissions remotely)
The remote connection idea did it! You're good! Thanks so much for your help! I never realized you could remote connect with RegEdit... you learn something new every day, they say! =) Thanks again for your assistance! =)
On another note though, about copying the XP version of RegEdit to Windows 2000... is that safe? I figured they would be coded in such a way as to be incompatible... but I could be assuming too much. =)
Just use RegEdt32.exe instead of Regedit.exe.
Go to the desired key or folder, then open the security menu and click on 'permissions'.