401 - Unauthorized IIS 7.5 on UNC application website - iis

I'm running win server 2008 R2 with IIS 7.5
I have an application under a website that only has anonymous authentication enabled.
The application points to a shared UNC drive.
I've created a IUSRDomain Domain account and both servers are on the same domain.
The application pool Identity is using the IUSRDomain account.
the UNC Share and File permission both give full control to the IUSRDomain account.
However when i try to make any changes to the IIS application settings, i get an error message that says:
There was an error while performing
this operation.
Filename: \?\UNC\\share\webapp\web.config Error:
Cannot write configuration file due to
insufficient permissions
And when i try to browse an html test page i get:
401 - Unauthorized: Access is denied
due to invalid credentials. You do not
have permission to view this directory
or page using the credentials that you
supplied.
IIS log file says:
/webapp/test.html - 80 -
xxx.xxx.xxx.xxx
Mozilla/5.0+(Windows;+U;+Windows+NT+6.1;+en-US)+AppleWebKit/534.7+(KHTML,+like+Gecko)+Chrome/7.0.517.44+Safari/534.7 401 3 1326 22
Edit: Also i have other applications under the same website that are configured the same way and work fine.

You need to be sure that the account that is used to connect to the UNC path has write access to the web.config file on the network share.
IIS7 configuration saves/updates information to the web.config file, thus the error message.
Also, if your application needs to run in full trust, you will want to use CASPOL to modify the trust permissions to allow your app to run in full trust. (.NET 2.0)

Related

File Table (SQL Server 2016) FILESTREAM permissions lost in IIS

I am trying to store images in a FileTable that is accessible from a website.
According to my understanding, the FileTable needs "SELECT" granted to the account running ApplicationPool that the website runs in.
Example of what I have:
IIS (6.2)
Application pool user : Domain\Bob.
SQL Server login Domain\Bob
Database has Domain\Bob in db_owner group. I explicitly granted Domain\Bob select on the file table also.
DB.dbo.FileStream_FileTable is \\DEV\FileStream_FileTable\
IIS has SiteA
SiteA has virtual directory Image targeting \\127.0.0.1\DEV\FileStream_FileTable\
If I look at the IIS authentication, IIS errors saying insufficient permission to access web.config - but there is no web.config.
On the server, running Internet Explorer, referencing an image as \\127.0.0.1\DEV\FileStream_FileTable\<...>\Image1.jpg it resolves to the jpg.
On the server, running Internet Explorer, referencing an image as HTTP://127.0.0.1/SiteA/Image/Image1.jpg, IE errors (same error as the authentication error)...
Config Error
Cannot read configuration file due to insufficient permissions
Config File
\?\UNC\127.0.0.1\dev\ItemImage\web.config
There IS no config file.
I have tried specifying the Windows user (Domain\Bob) context when accessing the virtual folder "Images" targetting \127.0.0.1\DEV\Filestream_FileTable
and also not specifying the windows credential...
I do not understand why the Image is visible using the UNC path in Internet Explorer (it must authenticate my context as having select on the filestream_filetable table) but not when using the context specifying a Windows context of a user who also has select on the table, in IIS.
NOTE: As an experiment, I modified the user, in IIS, used to access the share to Administrator. Then the IIS site resolved the image.
(Virtual directory targetting the \\servername\sql_instance_filestream_handle\directory\tablename)
The Windows User Domain\Bob has full rights on database - database owner.
There is another user's question, Access to SQL Server FileTable from IIS, that has servername in file share being a potential issue if the IIS and SQL server is on the same host, which I have taken into consideration.
I have added Domain\Bob to IIS_ISURS group...
What is Domain\Bob not a member of that grants access?
I can't very well make all my IIS shares accessing with Administrator accounts!
In some case, IIS will try to create web.config if the UNC path just return access denied error. If IIS failed to create web.config, It will also fail to access web.config with 500.19.
So please ensure your Application pool identity is set to a domain account who have read/write permission to access the folder.
Then please try to set Anonymous authentication->edit..->Application pool identity.
The Windows user Domain\Bob was not a login in the DEV sql instance.
Creating a sql login solved it. blush
Database level had the user, yes, but the SQL server didn't have a login.
facepalm

IIS giving 503 error while using ApplicationPoolIdentity

We are recently observing a very weird issue in IIS. This is the new Windows 2012 R2. We have installed all the component of IIS and trying to host default website on port 80.
Whenever we are trying to access the default web page of IIS, I am seeing "HTTP Error 503. The service is unavailable" error. While troubleshooting more, have observed that IIS Application pool is getting stopped and in the event logs we are seeing following error.
"The identity of application pool DefaultAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives it first request"
DefaulAppPool identity is ApplicationPoolIdentity.
As of now tried with following options but no luck. Note that same configuration is working on another server and I am unable to find out any difference on both the servers. IIS version is 8.5
Logon batch rights provided to IIS AppPool\DefaultAppPool as well as for IIS_IUSRS
Executed aspnet_regiis -ga "IIS AppPool\DefaultAppPool" for .NET folders
Full rights of WebSite root directory to IIS AppPool\DefaultAppPool
Reinstallation of IIS
Load User Profile : False / True with ApplicationPoolIdentity
Force update of Group policy post changin logon batch through gpupdate /force
Full Control to
a) HKLM\SOFTWARE\Microsoft\SystemCertificates\
b) HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\
c) HKLM\System\CurrentControlSet\services\eventlog\Security\
d) access to C:\Windows\SysWOW64\config\systemprofile\AppData\
Do anyone have any idea in this?

Move teamlab from a server to another and got a security error

I have teamlab running very well on a godaddy virtual dedicated server and I am now moving to Azure VM server, I copied all teamlab files to this new server and ran the teamlab service, but when I open the website I get this error:
Security Exception
Description: The application attempted to perform an operation not
allowed by the security policy. To grant this application the
required permission please contact your system administrator or change
the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Invalid username
or password.
I compared all IIS config on both servers and they are both the same now, what should I check else to run this?
Note old server IIS7.5 new server IIS8

Accessing a file on the server from my asp.net web application

In my asp.net web application I am trying to retrieve images from a shared network folder. When I put this website live in IIS, I am getting an error that "Access to the path is denied" when I try to access the network folder. What is considered the user that IIS uses, and how would I grant permissions to the network folder?
Thank you.
The issue is because your application pool identity or the user that IIS is using to run the worker process does not have permissions on the network path.
You may want to grant this user permission on the network path. However, if you are using IIS AppPoolIdentity that is not possible as they are built-in account per machine. As is the same with any buit-in account.
I would advice you to use a network account and give that account appropriate permissions on both IIS and the network share.
You may have to add this user to the IUSR group.

Creating a virtual directory to a non-local (remote) folder in IIS 6

I have a shared folder on a server that contains some files I want to be able to serve through IIS on a separate server.
I created a virtual directory pointing to the the shared folder in IIS, and have it use windows authentication.
The shared folder has "Everyone" set to have read permissions. When I try to open a file through localhost on the iis server, everything loads correctly, however when I substitute localhost with the actual name of my iis server it brings up an error
You do not have permission to view this directory or page due to the access
control list (ACL) that is configured for this resource on the Web server.
I opened up process monitor and saw I was getting Access Denied when the Network Service account (the account my app pool is set to run as) was being denied read permissions to the virtual directory. I implicitly added network service to the security permissions with read and write permissions and I still get the same error.
Any ideas what I could be doing wrong?

Resources