I want to create symlinks with a web application which is running in IIS 7.5. However during the creation the following error message appears:
A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)
System.Runtime.InteropServices.COMException (0x80070522): A required privilege is not held by the client. (Exception from HRESULT: 0x80070522) at
System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtrerrorInfo) at Uploader.SaveToDisk()
I have modified the "Local Policies / User Rights Assignment / Create symbolic links" to Everyone with secpol.msc but this modification didn't solve the problem.
Does anyone have encountered the same problem before or has any advice where to look for?
I solved this issue by changing the user used by IIS for Anonymous Authentication from IUSR to a user in the Administrators group.
To change this go to IIS / Authentication / Anonymous Authentication / Edit
I did this on my development machine. This is probably not the way to do it on a production server.
Related
I am hosting a site on IIS 10.0 on my local network with anonymous authentication as the only enabled option. Previously, only the computer hosting the site could login and every other computer on the network was blocked entirely.
Then, I disabled the firewall on the necessary port, but that lead to other devices on the network being prompted for credentials.
Then, I went to inetpub\wwwroot and it wasn't shared, so I shared read permissions with IIS_IUSRS and under the security tab it now has "read & execute," "List folder contents," and "read" checked.
Now other devices are still prompted for credentials AND the very computer that hosts it is denied access. Not even prompted for credentials, just given the IIS error page for 401.3.
Every resource I've found says the security tab is all I need. What am I missing? I can't just continue developing without this, as I'm developing with PHP and so I need an actual server running this.
Anonymous Auth works on IIS is by assigning a user to the incoming request. This is configured under the authentications options. If you check the applicationHost.config, you would see something like this:
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" />
</authentication>
This is the UI.
There is another factor that comes into play, which is the Application Pool Identity. To check whether this is a permissions issue. Change the application Pool identity to Local System.
If the above works, then it is definitely a permissions issue.
To investigate this you can run procmon.exe. Add a filter on RESULT for ACCESS DENIED and then proceed further.
There is a blogpost which talks about troubleshooting 401.3 errors using Procmon. Here is the link: https://blogs.msdn.microsoft.com/webtopics/2009/06/25/troubleshooting-http-401-3-errors-with-process-monitor/
I get the following error:
Microsoft VBScript runtime error '800a0046' Permission denied
When running a classic asp application.
The error is here: (in the CreateTextFile line)
Dim myFSO
set myFSO = Server.CreateObject("Scripting.FileSystemObject")
myFSO.CreateTextFile(fName)
I know I can get around this problem by giving "Full control" to the "Everyone" user. This is a publicly accessible folder on our server, so I worry that this is a security risk?
I would prefer to be able to give full permission to someone like "IIS_IUSRS", but this doesn't work. It's as if it's a different user being used for this.
Is this a security risk? Anyone know what I should be doing?
You should either find the anonymous user of your specific website and give write access to that specific user or set the application pool identity of the website to Local System so that the website would have permission.
To find your IUSR also known as the anonymous user in IIS7, open your website in IIS in Features View and go to Authentication and edit Anonymous Authentication.
I am hosting my web application on windows server 2008 with IIS 7.5,
I have 2 web applications:
1. the first one is the core sso (Single Sign-on) service with a login page.
2. another web application is hosted on the same web server which use the first app for sso.
I am using the WIF RTM to implementation the sso,
usually, it is running good without any problem, the user can login throw the sso and redirect back the start page.
but when I login throw the sso first, then restart the IIS, if I come back to the second application and refresh the page, I got the following error:
Server Error in '/' Application.
Key not valid for use in specified state.
Description: An unhandled
exception occurred during the
execution of the current web request.
Please review the stack trace for more
information about the error and where
it originated in the code.
Exception Details:
System.Security.Cryptography.CryptographicException:
Key not valid for use in specified
state.
Source Error: An unhandled exception
was generated during the execution of
the current web request. Information
regarding the origin and location of
the exception can be identified using
the exception stack trace below.
Stack Trace:
[CryptographicException: Key not valid
for use in specified state. ]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[]
encryptedData, Byte[] optionalEntropy,
DataProtectionScope scope) +425
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +59
[InvalidOperationException: ID1073: A
CryptographicException occurred when
attempting to decrypt the cookie using
the ProtectedData API (see inner
exception for details). If you are
using IIS 7.5, this could be due to
the loadUserProfile setting on the
Application Pool being set to false. ]
Microsoft.IdentityModel.Web.ProtectedDataCookieTransform.Decode(Byte[]
encoded) +151
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[]
cookie, Boolean outbound) +109
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader
reader, SecurityTokenResolver
tokenResolver) +634
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[]
token, SecurityTokenResolver
tokenResolver) +105
Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[]
sessionCookie) +239
Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken&
sessionToken) +59
Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object
sender, EventArgs eventArgs) +52
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+68 System.Web.HttpApplication.ExecuteStep(IExecutionStep
step, Boolean& completedSynchronously)
+75
________________________________________ Version Information: Microsoft .NET
Framework Version:2.0.50727.4927;
ASP.NET Version:2.0.50727.4927
the user session are stored by using SQLServer session mode, I am using a special database for this.
I have tried a lot and I cannot re-procedure this problem on my local computer (Windows7).
did anyone have similar experience? can you tell me how to solve this problem?
I finally solve this problem by change the application pool user to a local user.
the problem is probably caused by the sso is hosted on a 64bit OS, this problem does not exist if I host the sso on a 32bit computer (even I use a domain user for the application pool).
Now I use ApplicationPoolIdentity or NetWork Service, the exception disappeared after I restart IIS.
Thanks all you guys and I am so glad to share my solution with you.
There seems to be some kind of security issue when you have several apps sharing the same domain on Win Server 2008 with IIS 7.5
If you have urls http://ourdomain.com/app1 and http://ourdomain.com/app2 you can sign in on one app with WIF but when you access the other app you get this error. This is because the Cookie is for the domain but if it´s created by app1 then app2 can't access it.
So the solution is to either do as Aaron and use a specific user that has access rights or as we did, separate the apps on two different domains ie http://app1domain.com/ and http://app2domain.com/.
This could well be because your application pool user has no persistent user profile. To rectify this you can just run something as that user:
runas /user:<domain>\<user> cmd
And this will create the profile. Subsequently the data should be decryptable after restarting IIS.
A developer posts their code from a staging site (which requires authentication) to the live public site (which should not) and suddenly the live site is requiring authentication (which is not good).
They don't have permissions to change any settings on the server(s) and there is no call from the code on the live site to anything on the staging site, that I can locate. (No forgotten calls to an image on the staging site or anything)
Can the group think of some file that might have been removed/changed that could cause this to happen? I checked this question as well - [HTTP Authentication in ASP Classic via IIS] - but none of those methods are being used.
App is Classic ASP, IIS6.0 server.
Security Settings - Anonymous Access permitted on the live site. Account for anonymous internet users allowed read access to the directory where the site is located - user is unable to change directory or site permissions on the server.
Thanks!
Did the files retain their security permissions from the folder they were copied from? Reset the permissions on the files.
Are you using a four-part URL to get to the site (http://www.somesite.com/)? That will default to the Internet zone and not intranet, prompting for authentication.
User will get challenged when Anonymous Access is turned off in IIS. What are the security settings? Without that information, we will not be able to help much.
My Sharepoint 2007 web part executes code to start a K2 workflow process. The workflow server resides on another server.
When my code executes, I get the following error:
"24408 K2:NT AUTHORITY\ANONYMOUS LOGON from 172.172.172.172:1721 does not have rights to Start Process MyProject\MyProcessName"
I'm sure this is a general IIS delegation problem (not K2 specific), but I'm not sure how to go about solving it. Why does Sharepoint try to connect to the other server as AnonymousLogon when it should be impersonating the current domain user?
Notes:
- My Sharepoint AppPool identity is a domain user (not Network Service).
- ASP.NET impersonation is enabled.
What you are trying to do is called delegation and not impersonation. Impersonation is only on the local server. There are many thing that have to be right for delegation to work.
A place to start would be Kerberos authentication and troubleshooting delegation issues
David Wang blog is a very useful resource on thous issues.
You should also head over to K2 Underground, there is a plethora of information about how to get Kerberos delegation working with their product. The install guide that comes with K2 also has step by step instructions on how to install K2 & configure it to work with Kerberos.