Is it necessary to restart IIS in order to ensure that changes to azman.xml are picked up, or will IIS figure out that the permissions in azman.xml have been changed?
You don't say how you're using AzMan. Are you using it as a Role Management Provider?
At any rate, you (almost) never have to fully restart IIS; just recycle the app pool.
But to answer your question (assuming you did mean Authorization Store Role Provider), IIS (actually, the provider) should check for changes according to your setting for the CacheRefreshInterval property. The default is 60 minutes.
Related
I'm trying to make a service to more easily configure configuration values on Azure applications. Right now, if I want to change a setting that it the same over 7 different environments, I have to change it in 7 different .cscfg files.
My thought is I can create a webservice, that the application will query for its configuration values. The webservice will look in a storage place, like Azure Tables, and return the correct configuration values.
I've been able to integrate this into a deployment script pretty easily (package the app, get the settings, change the cscfg file, deploy). The problem with that is every time you want to change a setting, you have to redeploy.
Finally the question - Is there a way I can retrieve the configuration settings after the application starts, on role start? It would of course need a base set of settings for the app to start. Retrieving the settings from the web service on application start would be good. Any way that I don't have to redeploy the application and that it will retrieve them automatically will work.
Thanks in advance!
Just use the .cscfg for the minimum set (common to all environment) of configurable settings. The use your web services for rest of the configurations. And don't modify your .cscfg. Just have a settings provider that retrieves settings from web service (via polling or message signalling - pub/sub model). And have a reinitialize settings procedure in place for this settings provider and all the services/components that rely on configurable settings.
I've created an IIS administration tool designed to create new applications, assign them to a new AppPool, and add required folder ACLs for the identity associated with that AppPool. According to this article, Whenever a new Application Pool is created, the IIS management process creates a security identifier (SID) that represents the name of the Application Pool itself.
But that doesn't appear to be the case on my Windows 8 Pro machine (IIS8). The SID is only being created once an application associated with the AppPool starts. This is making the task of setting folder ACLs quite difficult, the application needs to start before the AppPool identity is created, but the application won't work unless the ACLs are set... chicken and the egg.
What's going on here? Is there a bug on my Win8 machine? Is this Win8 / IIS8 behaviour in general? I'm having no issues on Server 2008 R2 (IIS 7.5), where it does create the AppPool identity SID as soon as the AppPool is created in IIS.
I'm aware there is an indeterminate delay between the time the AppPool is created and the SID is created. This is generally less than a second. In this instance, the delay appears indefinite (several minutes later, the SID still does not exist).
It would seem that the SID is only created once the process is running. I have a related problem where the registry hive under HKEY_USERS completely disappears after a reboot. Tests indicate that the registry hive returns fully intact as soon as my web service starts (i.e. on first request) with the same SID and contents fully restored, so I guess that once you have obtained the SID for the first time you can use it for the same purposes even if it doesn't yet exist after a restart. Getting the security system to believe you havn't made a mistake with naming may still be an issue though.
I've a feeling it's something to do with the permissions of the AppPool but as this app is hosted in Azure it's not possible to change that.
My code works in a console app and when the AppPool is set to run as a user (myself). It fails to run when the AppPool is set to run as ApplicationIdentity and when the service is hosted in Azure (I'll post the code if requested, but I don't think that's where the problem lies).
It doesn't matter whether I load the certificate from a store, from a file, or from a byte array. The results are the same.
I don't know what information will be helpful in diagnosing this but it appears that the chain/path doesn't load under the reduced privileges. Calling .Verify() returns true in the console app (and IIS running as my user) and false under ApplicationIdentity.
The certificate appears to load normally and contains a private key in both circumstances.
It turns out my problem was the same listed in this question. I needed to set my certificates up so that some of them were in the CA and Trust section so that the chain was built correctly.
I had all of the certificates installed but it would appear that the location of the certificate is important as well, and it was nothing to do with security or which user was logged on at all!
You can change almost anything in Azure. It is full IIS (if you are not upgrading from SDK 1.3 or earlier) by default. There are couple of options to try:
(This one is wrong! Noted by Steve Marx)Try jus trunning the application (in this case IIS AppPool) in Elevated mode. That will make AppPool running under "SYSTEM" account, instead of AppPoolIdentity. You can do that by adding a <runtime executionContext="elevated" /> element in your role definition in .CSDEF file.
You can enable remote desktop to all your roles. That will effectively create an account in your role instance and add it to the Administrators group. Then you can use a startup task and powershell script to change AppPool identity to use that account instead: A blog post by Wade Wegner on how to programatically change AppPool Identity.
Well, these all are ways to make your application pool runs in Elevated mode, but also show that you can do pretty much everything with IIS on your Windows Azure Instance. I suggest to use site runing in elevated mode only for testing purposes. First make your code run in restricted account on local IIS. Then see what you changed to make it wokrk locally and apply these changes on the Azure Web Role.
EDIT
Another thing to pay attention is that in order .Verify() to work, you must have the Root Certificate of the CA that issued the checked certificate, installed on the web role. This can be done via adding the Root CA Certificate as a "Service Certificate" from the management portal. Also, the CA that issued the checked certificated must be trusted.
I have to recycle IIS (version 7.5) application pool programatically using c#. When I try to get ApplicationPoolCollection using "ServerManager" class UnauthorizedAccessException raised.
I guess I have to use impersonation. But I don't know to use impersonation. And is there anyway to use impersonation with attribute instead of web.config?
To perform any administrative operations in IIS such as recycling application pools, starting and stopping sites, creating websites and so on, you need to run as administrator.
If you want to programmatically impersonate a user then you need to use the WindowsIdentity.Impersonate method.
There's a reasonably good snippet of sample code there to get you started.
Of course all the usual caveats apply here when it comes to storing credentials for highly privileged users in your web.config file (or hard coded).
Also if you're trying to debug code that accesses IIS programmatically using the managed ServerManager API then make sure you start Visual Studio by doing "Run As Administrator". You need to do this even if your own Windows account is a member of the Administrators group.
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.