I have to recycle IIS (version 7.5) application pool programatically using c#. When I try to get ApplicationPoolCollection using "ServerManager" class UnauthorizedAccessException raised.
I guess I have to use impersonation. But I don't know to use impersonation. And is there anyway to use impersonation with attribute instead of web.config?
To perform any administrative operations in IIS such as recycling application pools, starting and stopping sites, creating websites and so on, you need to run as administrator.
If you want to programmatically impersonate a user then you need to use the WindowsIdentity.Impersonate method.
There's a reasonably good snippet of sample code there to get you started.
Of course all the usual caveats apply here when it comes to storing credentials for highly privileged users in your web.config file (or hard coded).
Also if you're trying to debug code that accesses IIS programmatically using the managed ServerManager API then make sure you start Visual Studio by doing "Run As Administrator". You need to do this even if your own Windows account is a member of the Administrators group.
Related
I am trying to test my Web Service on an IIS instance on my local machine before I promote to a windows server 2008 environment. I get this when I attempt to browse to the service. I have created a custom application pool that this service will run under btw. So I am guessing that that application ID does not have permissions to access that folder etc... I get this little detail btw...
"This error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error."
I am thinking I need to give that application identity permissions, but I am unsure how to accomplish this.
Is there another way to get this done?
Not sure whether this is too late for you.
The IIS website is run by either USERS or IIS_IUSRS.
Try to do following:
From Windows Explorer
Right click on the folder pointed by the web
Go to security tab
Add computername\IIS_IUSRS or computername\USERS with Read permission.
1.Open IIS
2.On left side panel click on application pools
3.And go to its properties and change identity value from "ApplicationPoolIdentity" to "Local System".
I resolved the problem when i tried this.
I faced a similar issue on Windows 8.1. I fixed it by changing identity value from ApplicationPoolIdentity to Local System.
Check your sites Security -> Authentication feature. If anonymousAuthentication is enabled, click on the Edit link (in the Actions column) to see which identity is being used; if it is IUSR, make sure IUSR has FileSystem ACL privileges on the website's folder and files. If it set to 'ApplicationPoolIdentity' make sure group IIS_IUSRS has the same rights, because the 'ApplicationPoolIdentity' is dynamically added to the IIS_IUSRS group at runtime.
Modifying the application's identity setting from "ApplicationPoolIdentity" to "LocalSystem" on IIS(7) solved my issue. when adding permission to the IIS_IUSRS did not. I don't quite understand why though.
For me, I just transferred my files under c:\inetpub\wwwroot and the error is gone.
All I had to do was edit permissions for the virtual directory(application) in IIS 7.5 and add IUSR to the permissions. That fixed it.
If you chosen old version of .Net framework in application pool of IIS may sometimes cause this issue. So Try with higher .net framework version.
I've moved my codebase to a new directory and need to grant the IIS account read/write privileges on a few folders to allow access by the ASP.Net runtime. I believe NETWORKSERVICE is no longer used for this purpose (as mentioned in this earlier question:
ASP.Net which user account running Web Service on IIS 7?) but, try as I might I can't seem to be able to add the IISAppPool/IIS Worker Process the article links to.
I've found a MyDomain/IIS_WPG account but this isn't the one that is listed in Task Manager for the w3wp process. Can someone help?
UPDATE:
Even odder - the Application Pool for the website in question uses the LocalSystem identity which I thought would be able to access pretty much the entire machine. Is there something incorrect about my basic machine/Windows setup?
Using Coldfusion 8/9, how would I go about managing IIS7. For example:
I am building a website generator, when someone fills out a form, a website will be generated. A step in this process will be to create an IIS site with specific host headers/ip bindings. Another step may be to allow the user to upload a SSL certificate. That may not be possible, I am not sure. But I do know that there should be a way to interact with IIS7.
Fortunately ColdFusion 8 and 9 can instantiate .NET components, this means you can access the .NET managed-code IIS administration API's:
Using Microsoft .NET Assemblies
IIS7 ships with two .NET managed-code management API's:
Microsoft.Web.Administration
Microsoft.Web.Management
These reside in: c:\windows\system32\inetsrv.
Using this functionality you should be able to consume these API's via ColdFusion to create websites and manage IIS functionality.
If there are problems calling these API's directly (i.e. some item of data doesn't marshal back to ColdFusion properly) you could always wrap calls to these API's with your own .NET code.
For more information about creating and managing websites using the API's above refer to the following links:
IIS 7 Configuration Reference
Powerful Administration Tools
How to Use Microsoft.Web.Administration
Managed-Code API Reference (IIS 7)
It should also be noted that the Windows account the site runs under should be a member of the Administrators group to manage IIS via these API's.
If this was a public facing site then I'd split the application in two. Your public facing ColdFusion (running under a low privileged account) site collects information about the site to be created. Post this data as a task into a queue (can be as simple as a database) of some sort to be read by either a scheduled task or a Windows service (running as a highly privileged user) which picks these tasks off of the queue periodically (say once every 15 or 30 seconds).
This is known as 'sandboxing' and means that if your ColdFusion site is hijacked then it's not running under elevated rights and can't do much damage. All the highly privileged tasks are sandboxed in a process that isn't surfaced via the web.
For CF7, I guess you can invoke powershell script with cfexecute?
http://learn.iis.net/page.aspx/433/powershell-snap-in-creating-web-sites-web-applications-virtual-directories-and-application-pools/
How about: http://iisweb.riaforge.org/ and http://iisvdir.riaforge.org/ ??
I do not think that it is a beneficial way to do this. It just won't work.
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.
I'm trying to confirm my findings on permissions.
In order for the SharePoint object model to be accessed from a console application or for that matter a WinForm application, the user running the application must have db_admin permission to the content database for the web application in question.
In order to use Microsoft.SharePoint.Administration (like calling SPFarm.Local.Solutions.Add) inside an ASP.NET application the following must be true:
The call must be wrapped with RunWithElevatedPrivileges like the following:
SPSecurity.RunWithElevatedPrivileges(delegate() { code to run } );
The user accessing the ASP.NET page must be part of the Farm Adminstrators Group (the page is running under _layouts)
The user in the identity of the App Pool for the web application in question must also be in the Farm Adminstrators Group
Does this information look correct?
Yes but within the web service code you call the functional code using RunWithElevated Privileges this bypasses the identity you are running the web service as and instead uses the SPFarmAdmin user to execute the code.
Alternatively host the web service in an app pool which uses the same domain account as your central admin site, and allow anonymous access to the web service. This would be safe for internal use only and would mean that the web service always had elevated permissions.
Edit: Contrary to Michael's comment I have assumed that this app is not going to be run from within the SP farm.
I would not recommend this approach at all as it is an unupported method of using the SharePoint OM.
You are much better off writing a web service that sits on the SP farm and uses the OM, and then access the web service mehods to perform your required functionality.
You could also look at the out of the box sharepoint web services.
RunWithElevatedPrivileges will not work in your scenario I dont think as it requires a base indetity to fall back on which in the case of code executing on the SP farm is the SP App Pool identity which is usually a farm admin account.
I am happy to be corrected on all of this, but certainly in my environment it would not be wise to invest in a non-standard and unsupported approach to a problem.
Yes the web service will need proper access rights, but this is easier to control with a web service running locally.
However if as you say the apps are always running on the server then using RunWithElevatedPrivileges will solve any permissions issues as you are in effect running that code as an SPFarmAdmin (as long as the app pool identity is configured correctly).
Note: you could use this approach with either bespoke web services or client apps such as console applications or windows forms.
Apologies hobbyman, I never saw you reply.
If you use RunWithElevatedPermissions then it doesn't matter which user the web service runs as, because you are effectivley impersonating a farm admin account.
You could additionally do your own impersonation within the web service and impersonate any user you wish.
Essentially if the web service is running within a given application pool then the web service will run under the indentity which the app pool runs as. Does this clarify things?