IIS 7.5 - Access to the Path ... is Denied - iis-7.5

I am trying to access a static file on a Novell file server.
The drives are mapped on the IIS box. The application is using the the default application pool.
The path (not shown in Title above) is : \cms1\vol4\cms\008\docs\008\2011\Nov\0224294.pdf
If I enter the above path from the command line on the IIS box, it opens the PDF just fine. When accessed via IIS, I receive the error shown in the Title above.
I have researched numerous threads looking for an answer. Most of them suggest changing the properties of the application pool. I have modified it to use my User ID and Password, and confirmed this is the case by checking w3wp.exe, and it shows as running with my user ID. Any thoughts would be appreciated.
Thanks in advance!

Does your server have CIFS enabled? If it is just using NCP, then is Client32 installed on that machine so that NCP access will be enabled?
If you enable CIFS on the Netware or OES server then there is no need for Client32 on the IIS server. In either case, the service needs to try to connect to the share as a user with sufficient rights. I imagine the IIS_IUSRS account is not existing in the eDirectory tree.

Related

IIS on windows 10 application pool keeps stopping

I am having an issue with IIS resulting in the app pool stopping, so I am getting a 503 error
Event Viewer reports
Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
DETAIL - Access is denied.
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
I believe this may be because I followed instructions I found on google to clear down files from AppData amongst other place, last week when C: became full (bad move ). Sadly, there is no backup to reinstate the lost files. I expect I have removed an account or permissions somehow.
I have tried setting Load User Profile to False and also setting Identity to LocalSystem but not allowed these settings in the app pool
I was hoping to reinstall IIS but cannot find a solution for that. Does anyone please have advice?

IIS Application Using Shared Folder in VirtualBox VM

I've got a VirtualBox VM running Windows Server 2008 R2. The server is configured as a domain controller.
I've got source code on my web application on the host machine. I shared a folder to the guest VM that contains the source code. I configured an IIS application on the Guest machine and pointed it to the share (\VBOXSVR\code).
When I run the application, I get the following message:
Module: IIS Web Core
Notification: BeginRequest
Handler: Not yet determined
Error Code: 0x80070001
Config Error: Cannot read configuration file
Config File: \?\UNC\VBOXSVR\code\web.config
I've verified that the user account the app pool is running under can access the Share. Any ideas on how to fix this?
I had a very similar issue when setting up a vagrant box for Windows 2012 R2 with IIS for development purposes. From what I remember I was able to use the following as a workaround, but not something I would want to implement in a production environment:
Make C:\vagrant a network share and set the permissions to be
accessible by the user running IIS \\localhost\vagrant.
Set the webroot for site to be the network share \\localhost\vagrant
In theory the following may work for your situation:
Create a symlink to the network share, IE: mklink /j "\\VBOXSVR\code" C:\code\
Make C:\code a network share accessible by IIS, \\localhost\code
Make sure the user running IIS will have permissions to the network share
Set the webroot for the site in IIS to the network share, \\localhost\code
(Optional) I added an entry into the host file (C:\Windows\System32\drivers\etc\host) for localhost. This appeared to improve performance, but it should not be necessary.
Hopefully this will point you in the right direction.
There seems to be an issue with the way Virtualbox shares the folders between Host and Guest. As I discovered when doing this with a Vagrant setup, if you manually create a UNC share on the Host, connect to that share on the Guest and point IIS at it things go along smoothly.
Note that if you are using Application Pools you should ensure the user assigned to the pool can access the share.
If you want to see what a couple of Powershell scripts looks like to automate the process, take a look in the scripts dir of https://github.com/mefellows/vagrant-smb-plugin.
Alternatively, you could use the rsync synced-folder type which has the advantage of much better performance. You could create a local Windows VM with Packer (example templates).
After spending a couple of hours on this issue I finally managed to make it work. Configure your application pool identity to Guest user. If you do this everything will work as expected.
I have a setup in which the host os has the code and a virtualbox vm with IIS configured served that code from a shared folder (vbox shared folder). Everything works as expected.

IIS Shared config - applicationHost.config Error: Cannot write configuration file due to insufficient permissions

I've setup a UNC share for IIS shared config using a specific AD service account and set to FULL CONTROL. I've also exported the config from one IIS server and set-up an additional IIS server to point to the share. When I open the applicationhost.config for example on the UNC share and remove an application pool, I can see the entry also remove in both IIS servers.
So I know:
1) I can export to the share with the specific service account
2) Both IIS servers can read the config when I edit manually
3) However when I remove an app pool from one of the IIS servers through the manager I get the above error.
I've tried using the process monitor utility to see what account is being used to write to the config and it seems it is my own AD user account rather than the shared service account. I know IIS Manager has my username e.g. ROOT\MYNAME logged on, but I wouldn't have thought it would use this to write changes to the shared config. Surely it would use the service account?
Does anyone know how to prevent this error? Why does the shared config and tied service account not come into play when making changes on one of the servers?
So, IMHO, this error is a red herring. I was publishing to a server and got a message saying I was out of space. So, I logged in, realized there was a bit of cruft in extra apps published in IIS, we didn't need. I right clicked and tried to remove one. I got the same error as you.
Having done some manual changes to applicationHost, I thought it "might be me" but it seemed very odd that editing this file would cause such a thing. However, I had recently learned that windows does some funky 32 vs 64bit machinations with this file (google it).
Deciding I had better things to do, I asked our IT to add space to the VM and guess what? I am no able to remove these apps. My guess is that I was at the end of the line on space and the backend management of these special files was not completing and throwing this not-so-helpful exception.
I'm not a 100% about this. For full disclosure, I will add that updates had been applied recently, but I'm pretty confident that this is a possible solution.

IIS 7.5 HTTP 500.19 Internal Server Error Config invalid

I am using Windows 2008 R2 with IIS 7.5 and have mapped the source of my website to a network drive. When I do, the below error occurs. When pointing to the local c: drive the website works.
Error Summary
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Detailed Error Information
Module IIS Web Core
Notification Unknown
Handler Not yet determined
Error Code 0x80070003
Config Error Cannot read configuration file
Config File \\?\H:\ExcelAutomation\1.0\src\docs\web.config
Requested URL http://vmwws085381.msad.ms.com:80/index.html
Physical Path
Logon Method Not yet determined
Logon User Not yet determined
Config Source
-1:
0:
The solution for me was to open up IIS, click on my site, and under Advanced Settings change the physical path to the network share like \\server\share\.. instead of using the mapped drive.
Original source that helped me arrive to this solution is here: http://forums.iis.net/t/1157959.aspx
Another cause is not having the URL Rewrite Module installed if your web-app references this in the associated Web.config file – this is detailed in this Stack Overflow Question
The IIS server and the server with the shared folder must each have an account with the exact same username and password. Make sure this account has "Read & Execute", "List folder contents", and "Read" access to the shared folder.
Connect within IIS using UNC. (E.g., add a virtual directory to the site; enter an Alias; enter the physical path as \servername\foldername; click "Connect As..."; choose "Specific User"; click "Set..."; enter the user name and password referenced in step 1.) Current versions of IIS do not support mapped drives. Don't waste your time trying to make them work.
Also, make a big mental (or written) note for yourself and other administrators: If you ever change the password for that account, do it on both servers and within the IIS connection.
For someone who is getting this error on your local system, it can happen when you share code across multiple servers or copy an existing project to a new location and it's virtual directory path still refers to an older path.
This happened to me as I was sharing a project on a Google drive and was accessing it from 2 different systems. (I know, Should've used version control system)
Solution:
Right click on the project >> Web >> Create virtual directory
It will probably show a prompt. Select Yes and you are done.
The main reason behind this error is the physical path i.e web site folder cannot be under the users folder, desktop folder, or any related folder. If it's there, move it or place it on other drive and try again.

How to view Windows Event Log remotely with limited privileges

To debug some code, I would like to view the Windows event log of a remote machine (target is Windows2003). With mmc.exe I can add the event log for a remote machine, but only if I have sufficient permissions. For this remote machine, they do not want to give me permissions to log in remotely (or admin privileges for that matter). Is there a specific permission I can be given to view the event log and not much else?
On newer Windows versions (Windows 7, Windows Server 2008...) you can simply add the corresponding account to the built-in group Event Log Readers.
Source: Jane Lewis's Weblog on TechNet, Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
This source also describes an alternative if you need more fine-grained control.
(The OP asked for Windows 2003, where this method doesn't work, but as Windows Server 2003 is no longer supported, people might be interested in this method.)
For the security log, users need the privilege "Manage auditing and security log"
For the system and applciation logs you should be able to read them as just a guest unless they have set the RestrictGuestAZccess value under the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
One Option is to get a local ID that is on the remote local admin group.
Next, from your system, map to a drive on the remote server using the new remote local ID.
Create a new MMC from the Windows Run start menu - by typing in MMC /a
Add the EventView Snap-in
When it prompts you for local or remote server - put in the Host name of the server that you mapped to.
Tip: Windows uses established secure connection - if it can. Hence the map a drive trick work VERY well.
Please Note: I use this trick with WMI query(s) - hence the query never fails do to a timeout issue.
Joshua Flanagan outlined a process to delegate rights through modifying the security descriptor of the event logs.
Please add the domain user (without admin rights) to the "Event Log Readers" group on the target server. Then, from the source server, you can use the standard user credentials to access and read the event logs on the target.
If you could enable web access to the server then you could use an eventlog viewer page that I published a while ago. This would allow the administrators to run the website with just enough permissions to see the eventlog without granting you an account to login...

Resources