I am trying to modify an xml file from my aspx code. The file is in another directory from my project like in D:\folder\file.xml When publishing my code and running it I am receiving an error as not to be able to access this directory, access in denied. Which user account shall I add to this folder in security option to be able to modify it. I tried adding IIS user but it does not seem to work. Any other workaround this ?
Check which identity that's associated with the application pool, and grant that user access to the folder.
You didn't specify which version of IIS you're using, but here's a decent article on how application pools work
I solved the issue finally..
In my pc I am using Win Xp and had to grant ASP.NET machine account user appropriate rights on the file while on the server that i am finally publishing the code I am using Windows Web Server 2008 and the matching ASP.NET Machine Account was Network Service i granted the same rights here and now i can modify the file successfully.
I am using IIS 7.5 on this machine.
I think your approach Tchami has the same idea. So I am marking it as the answer :) Thank you
Related
I am trying to test my Web Service on an IIS instance on my local machine before I promote to a windows server 2008 environment. I get this when I attempt to browse to the service. I have created a custom application pool that this service will run under btw. So I am guessing that that application ID does not have permissions to access that folder etc... I get this little detail btw...
"This error occurs when there is a problem reading the configuration file for the Web server or Web application. In some cases, the event logs may contain more information about what caused this error."
I am thinking I need to give that application identity permissions, but I am unsure how to accomplish this.
Is there another way to get this done?
Not sure whether this is too late for you.
The IIS website is run by either USERS or IIS_IUSRS.
Try to do following:
From Windows Explorer
Right click on the folder pointed by the web
Go to security tab
Add computername\IIS_IUSRS or computername\USERS with Read permission.
1.Open IIS
2.On left side panel click on application pools
3.And go to its properties and change identity value from "ApplicationPoolIdentity" to "Local System".
I resolved the problem when i tried this.
I faced a similar issue on Windows 8.1. I fixed it by changing identity value from ApplicationPoolIdentity to Local System.
Check your sites Security -> Authentication feature. If anonymousAuthentication is enabled, click on the Edit link (in the Actions column) to see which identity is being used; if it is IUSR, make sure IUSR has FileSystem ACL privileges on the website's folder and files. If it set to 'ApplicationPoolIdentity' make sure group IIS_IUSRS has the same rights, because the 'ApplicationPoolIdentity' is dynamically added to the IIS_IUSRS group at runtime.
Modifying the application's identity setting from "ApplicationPoolIdentity" to "LocalSystem" on IIS(7) solved my issue. when adding permission to the IIS_IUSRS did not. I don't quite understand why though.
For me, I just transferred my files under c:\inetpub\wwwroot and the error is gone.
All I had to do was edit permissions for the virtual directory(application) in IIS 7.5 and add IUSR to the permissions. That fixed it.
If you chosen old version of .Net framework in application pool of IIS may sometimes cause this issue. So Try with higher .net framework version.
I'm running Windows 7 SP 1 and have just turned on IIS 7. Just trying to access the default page it creates I get a 503 error, and the application pool stops. I look in the event log and I find the error:
Windows cannot copy file \?\C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm to location \?\C:\Users\TEMP.IIS APPPOOL.000\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm. This error may be caused by network problems or insufficient security rights.
DETAIL - Access is denied.
I tried making the TEMP.IIS APPPOOOL.000 folder available to everyone. I tried making Users available to everyone. No luck, it still dies with the same error.
What is happening here, and how can it be fixed?
It sounds like you're having the same problem as details in this IIS.NET forums thread. You didn't mention if you have x64 Windows 7 or not. Suspect that your development machine is misconfigured somehow; sounds like the uninstallation and reinstallation of IIS7 would help/fix.
Suggested courses of action:
Open IIS and its Application Pools. Open "DefaultAppPool" and any other Application Pools in use.
Click Advanced Settings for each of these. Ensure the "Load User Profile" is set to 'False'
Also ensure that the "Set Application Pool Defaults" has the Load User Profile set to False."
I encountered the same problem in my development environment (Windows 8.1). Instead of disabling the load user profile as suggested by P.Campbell, I went ahead and changed the permission of the sqm file to allow modify accesses for IUSR, IIS_IUSRS and Network Service. In my case, the sqm file was not able to show me the file owner in which I taken over with my user account.
Basically, my problem was solved by giving the correct permission for both source and destination files/folders.
Found the answer here - http://forums.iis.net/p/1180636/1992024.aspx
Open IIS Manager
Find the App Pool that is causing the problem
Open Advanced Properties
Change 'Load User Profile' to false
Fixed!
After struggling with all these Application Pool issues in IIs, I found the problem and the solution. This may help you.
Each application pool on each website in Microsoft's Internet Information Server creates its own user account and folder under the "c:\Users" directory when the pool is created and first run. Its actually a virtual user account and should be named for the Application Pool assigned to your web application in IIs. In most development environments, its the default website or "DefaultAppPool". It uses this temporary user account to run the pool. Each website should have a named user pool account. This User folder is used by the pool and ASP.NET for caching and writing of file resources and other things used by IIs, ASP.NET, and this virtual account.
In some setups people are not seeing this folder but a "TEMP" folder (like you have) when the IIs web site is accessed and using the pool.
If you instead see a "TEMP" folder in the Users folder you have a broken application pool account in IIs and in the Registry. The pool is creating the TEMP folder as a backup for this virtual account, which might not have the right security setup. I had this exact scenario.
To fix it go to the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
See if you have a SID user account with the ".bak" extension for a DefaultAppPool user account. If so delete it and restart your PC. Test your website again, making sure its actually setup to use DefaulAppPool. It should now recreate the "DefaultAppPool" folder in Users, recreate the registry entry for DefaulAppPool user, and your error should go away.
You can delete the TEMP user folder at that point under the Users folder. (Keep in mind if your web app has been storing cached information critical to users of the website, some of that might have to be inserted into the new DefaultAppPool user folder. But for most of us, just delete it.)
I also found I had to add this kooky virtual application pool account to my local database so the worker process and app pool accnt could have the rights to grab data from SQL Server: Just go into SQL Server and under logins add "IIs AppPool\DefaultAppPool" and then assign it as a user to your databases.
(btw whomever dreamed up this virtual application pool account system is nuts....its way too complicated and convoluted to sort out)
After I did this, all my stack overflow errors went away in Visual Studio for my web application, all data connections fired perfectly, all write permission to the default User profile stored properly, and all the restarting and crashing of the Application Pool in IIs ended completely. :)
Preparing for the migration of asp-application with Windows 2000 (web1) on Windows 2003 (web2).
On the old server has a folder to share documents, use for imports and exports (\ \ web1 \ folder). I want to provide access to the same folder access asp-application with the new server.
Configuration IIS: anonymous access is allowed, including checking windows. Pool started under the Network Service.
But there is no access.
And there is an interesting fact: if handled locally with the new server as http://localhost, you have access (impersonation works), if handled as http://web2, then there is no access. Error:
Microsoft VBScript runtime error Error '800a0046 '
Permission denied
We some changed security settings, local IE 6 - earned through http://web2 too, but in other browsers (like Opera) does not work. On other machines does not work either.
Put utility procmon from SysInternal. It shows that in both cases is an appeal to the resource, in both cases is impersonation, all the same, but in one case, SUCCESS, and the other ACCESS DENIED.
The entire security system of this application is based on the rights of NTFS, so you can not disable impersonation.
I'm newby in classic asp. I can not understand this case.
Classic ASP does not run under Application Pool account, credentials provided in IIS Anonimous Authenctication tab used instead, usually it is IUSR_MACHINENAME.
Looks like the anonymous authentication fails and Windows authentication used, this is the reason it works locally and in IE which supports Windows authentication by default.
UPDATE: Check this article: How to troubleshoot Kerberos-related issues in IIS
UPDATE 2: Also this can help you diagnose what's going on on IIS side: Authentication and Access Control Diagnostics
I guess the simplest way to access share is to add read permission to Guests group.
you can change the user of the anonymous authentication to be the app pool user , i tested it and it works !
go to iis -> web site \ virtual directory -> authentication -> choose anonymous -> edit -> change user identity to application pool user
screenshot:
I'm creating a website in IIS 7.5 (with Windows 7) that needs to be able to create further websites. I've written code that uses Microsoft.Web.Administration to create the website programmatically, and this works fine when I run it as administrator.
Now I'm trying to use the same code in the context of my web application. It fails with the error
Error: Cannot read configuration file due to insufficient permissions
for the file redirection.config (which I understand is located in %WinDir%/System32/inetsrv/config).
I've tried creating a new apppool for this specific website, running under the IIS AppPool[AppPoolName] identity. I've then tried to grant that identity permission to edit the IIS config using
ManagementAuthorization.Grant(#"IIS AppPool\MyAppPool", "Default Web Site", false);
but I still get the same error.
What else should I try?
This probably isn't the wisest approach from a security viewpoint. If this site is hijacked then your attackers will be able to interfere with those files (to no good purpose) or even just delete them.
The way we approached this was to separate website creation tasks into a windows service running with the correct rights to perform these activities. In this service is a remoting end point (although these days you'd probably want to use WCF).
We then created a proxy assembly that is signed and registered in the GAC (it would also need to be marked with the APTCA attribute if you're running at less than Full Trust). This assembly passes on the relevant calls to the remoting endpoint in the windows service from the admin web app/service.
This allows us to run the admin site at least privilege and in partial trust mode. The scope of what can be done by way of site admin tasks is narrowed somewhat by whatever functionality is exposed in the windows service application.
This is a technique known as sandboxing.
I've found a way to do it, but I would very much like to hear expert opinion on whether this is a wise thing to do.
I granted Modify and Write permissions for the IIS AppPool\MyAppPool account to %WinDir%/System32/inetsrv/config and the three .config files inside it.
I want to create a web part which will contain a button, on click of that button I want to access the network folder and apply the business logic such as create a file/folder, delete a file/folder e.t.c.
I do have created such kind of web part but it's giving error like "Could not find a part of the path '\comp01\ibc'" while accessing the network folder. I am using a name space System.IO for file related activities. I found a weird behavior like this web part works fine on another wss server.
Is share point requires any kind of privileges to access the network folder?
I am using a windows authentication not forms based authentication.
Please help me in this regard.
Where are you trying to Create the Folder in the SharePoint Server or a Different Server?. Check if you are accessing the path using UNC \ format, make sure that the permission has been configured. Also there is a chance that impersonation is not configured to have rights to create the folder, check the App Pool User account permission. Finally you can try to run the code with elevated permission ( have this as last option)