I need to get my dev machine to read a certificate from the local machine store
to do this I need to run winhttpcertcfg.exe and specify the account I want to elevate
What would this account be for IIS express?
(For IIS it would be the IWAM_MachineName)
thanks a lot
IIS Express runs as your user account. When installed, you should find an IISExpress folder in your My Documents folder.
Related
I have an IIS box on windows server 2012 and I want to mirror image the same settings, application pools, web sites and other configurations in another server that is also windows server 2012.
How Can I do that?
Is there any possibility to automate this process as I have to do this process very repetitively?
To Backup and Restore IIS configuration to Another Server you could try below steps:
1)if you configured the certificate with old iis site you need to Backup (export) of IIS certificates.
2)open the command prompt as administrator and create IIS configuration backup on the first server by using below command:
cd c:\Windows\system32\inetsrv
appcmd add backup srviis1-backup-2019
srviis1-backup-2019 this is a backup folder name.
After the command has been executed, a folder with your backup name appears in c:\Windows\system32\inetsrv\backup. Here is its contents for my simple website:
administration.config
applicationHost.config
MBSchema.xml
MetaBase.xml
redirection.config
3)Copy the backup folder to the same directory c:\windows\system32\backup on another server.
To display the list of all available backups, run the following command:
appcmd list backup
4)Recover IIS configuration from this backup:
appcmd restore backup srviis1-backup-2019
The list of restrictions and important issues:
The same IIS version has to be used on both servers
If any application pool is run not from the integrated accounts, they
have to be available on another server as well
Before recovery, you should export and migrate all current
certificates to the new server
I found a really genuine and effective way of migrating IIS(complete web application with all settings). It does not depend on IIS version also.
There is an API web deploy api that we can use to do this. We can do this using command line arguments or an IIS extension is also available for the same that will ease your IIS migration.
It can migrate
IIS Websites
Application Pools
Server certificates
Settings of application pools
Settings of websites
Authentication modes
MIME types
Directory Browsing
Output caching
Web binaries
And other related stuff and iis settings can be migrated using web deploy.
Go through https://www.microsoft.com/en-us/download/details.aspx?id=39277
and download web deploy for your IIS.
In IIS, I have a web service which runs under an application pool which has the identity of a user that has access to a drive on a remote machine. In this way, when the web service runs and it tries access the remote machine to read a file, we do not get any invalid authorization errors.
I have now written my first Node.js app but I am not sure how to allow access to a file stream from the app to the remote machine. I have the unc path name to the remote machine's file I want to read but I am not sure if I have to pass in the credentials of the user to access the file or I have to run the Node.js app under certain credentials.
Any clues?
I know there is node for IIS, but is there another way of doing this without IIS.
Update:
Just ran my app under my user account and this account is configured to allow access to a remote machine and I have access to the remote machine without changing my code (in other words just using the Unc path directly). However, how can I do this using another user's credentials (i.e. impersonation in Node.js?)
Node does not handle impersonation like .NET applications do, since NodeJS is not Windows specific, so it does not know about the windows way of handling rights and elevation.
But that is not a problem. I have used the following technique on large financial networks.
As you pointed out yourself, the best solution is to have a dedicated user account for your nodeJS application with sufficient rights to access the UNC, but with no other rights. Then when you run the application, run it as this user.
Let me suggest that your setup a service to run the nodejs application and in the service specify the user account. This makes it much easier and safer. If you application is ever hacked, the hacker will not be able to escape the restrictions of the account.
Everything I've found via search on this talks about Read/Write for local drives only (typically C) and what I am having trouble with is getting the same Read/Write access for an application pool to a non-local drive, specifically a share on the file server.
We've set the Application pool to run the anonymous user under a domain account that we have explicitly verified has full control of the file share and yet the web app that use the application pool is unable to access this non-local share. It can however access a local copy of the shared folder if we copy the folder from the file server to the local drive.
This is a third party app and we'eve followed all the instructions from the vendor and so far this is unresolved. Their support is looking at this but I don't believe they have any idea on what's wrong. This same web app works fine with the same file server share when the web app is running under IIS6 on another sever so its something with IIS7.5. I figure its got to be something particular to IIS7.5 that is not in IIS6 that is the key.
Ideas?
FYI - The application pool is already set to classic mode.
I think that you will have to see the permission that you have. In iss7.5 you have the aplication pool running with an account, It can be a ApplicationpoolIdnetity, or a real one. if you want to access the share the application pool identity has to have rights to do so, or you can impersonate a user and then use the permission that user has to copy to the shared folder, i prefere to use the impersonate, only when is necessary i do the impersonate and do whatever i most do.
I use windows xp and IIS 5 for web development. For database connection the credentials are set up as Integrated Security. It works fine our our DEV server (IIS 6) where they have configured the App Pool to run under the context of a domain account which has dbo access on the database. I myself also have dbo access in the database.
But when I run from my localhost the database connection failed (under Integrated Security=true) saying user '' has no previleged. So its passing a blank string as user instead of my logged in domain accountj ("domainname\myname"). How do I configure my localhost IIS so that it passed my logged in domain account as a user to the sql server? Basically I'm trying to silumate the apppool on IIS-5in my local machine.
I tried changing the "Log on as" on World wide web services & IIS Admin on my local machine services console, restarted it and did an IISRESET. Nothing seems to fix the problem.
Also I tried putting my domain user name (domainname\username) and password in the connection string by removing integreated security=true. Still that also not works
I am an administrator on my local machine. I tried different things like making aspnet user an administrator,log as as service etc etc with no luck
Please advice me how to configure IIS5 to run under a different account. thanks in advance
You need to set the user for anonymous login to be the domain account. I forget what tab it is on but it is there somewhere.
I think this link will point you in the correct direction
http://support.microsoft.com/kb/310344
Use IIS Express -- it is IIS7 for XP.
IIS5 is running on SERVER1.
One of the virtual directories in IIS, myfiles, is pointing to "A shared location on another computer", //SERVER2/myfilesshare
When I try to access the page:
http://SERVER1/myfiles
... I get the error:
You are not authorized to view this page
HTTP 401.1 - Unauthorized: Logon Failed
Internet Information Services
I have triple-checked the "Connect As..." settings in IIS. The credentials I'm using to access the share are correct-- they work when connect to the share in Windows Explorer, but not through the IIS virtual directory.
I've tried granting full permission to Everyone on the folder in SERVER2, but no luck.
Any thoughts?
This was how I solved my problem, might help you.
By default, IIS uses local user called IUSR for virtual directories when using anonymous authentication. It does not use application identity, which should be obvious, if you use procmon.
How can you force it to use application identity?
Easy, under IIS manager:
1) go to Authentication
2) Edit "Anonymous authentication"
3) Select "Application pool identity"
4) Restart IIS & it should work.
The same accomplished with PS: Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/AnonymousAuthentication -name username -value ""
This link contains the pros/cons: http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-either.aspx
Permission issues can be tricky. Try running filemon on the 'other computer' It can be downloaded over here: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
(it's not a big application just a tiny lightweight tool)
After you've started filemon, stop the monitor process (I believe it's turned on by default when you start the application), clear the logged data, create a filter for the folder you have trouble getting access to. Start the monitor process. Request your webpage. Stop the monitor process and look for "access denied" messages in filemon. When found, filemon will also mention the name of the actual user which is trying to get access. This might help you to get to a solution.
Btw when using Windows Server 2008 you will need processmon instead: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Imagine a scenario where for whatever reason you want to have your IIS Server access a Share on a File server and they are not on the same domain.
If you can follow and get this to work for you (I have done it Win2008-R1 32-bit File Server and Win2008-R2 64-bit with IIS 7), then you should be in good shape for any scenario.
Same name local account on both servers with same password
On IIS, use aspnet_regiis -ga MyAccount to give local account access to IIS guts
Now use that as the Application Pool Identity of the Website
Using Local Security Policy (Admin Tools) enable trust for delegation for local account
Restart IIS server
On File Server, use Local Security Policy to enable access from network for local account
Create Share granting desired permissions to local account (also Security tab permissions as needed)
Open up File & Print Sharing ports on both (as restrictive as possible) to point where it works for you when you are using Windows Explorer between the two
Back to IIS, create Virtual Directory using UNC path to Shared folder from File Server
Just use Pass-through authentication (which would use your local account)
You can tell Anonymous Authentication setting of the Virtual Directory to use Application Pool Identity as well
Use something that will test/verify. The key really is trust for delegation using a Service Account (domain or otherwise), and having IIS use the account you want it to use instead of Local Server or Network Service.
This took me all day to figure out. Various threads in StackOverflow and other Internet sources helped point me to various resources me but didn't find my exact answer anywhere. Hopefully next person stuck with this problem will get a speed boost on the path to resolving with my description of what worked for me.
try enabling windows authentication on the virtual directory security tab (in IIS).