Is there a way to set up a user group that has permissions to administrate IIS services (use the IIS plugin in MMC) without being an 'Administrator' on the box?
Unfortunately, if it's IIS6, then you need to be local admin. If it's IIS7 then things are significantly more granular. If you're planning to move to IIS7 (or currently use it) then there's a good blog post here that takes you through it.
I run into this block many times to figure out a way to share cpanel access with another user without having to give them my cpanel admin username/password. Is there a way to create additional cpanel users? In this case it's godaddy.com, but I am wondering in general as well.
That way I do not have to share my own access.
Thanks.
As far as I know there is no other way (at least at this moment). This is a cpanel feature that would be available in WHM version 64.x
You can read more details here:
https://features.cpanel.net/topic/multiple-cpanel-logins-cpanel-subusers
For every account in a cpanel environment it creates just a single user to access the cpanel administration portal, you can allocate multiple users for it.
However, with FTP you can grant access to the data if needed by creating multiple FTP user accounts.
As you said, you are using shared hosting, and in shared hosting you cannot create another cpanel username/password.
But, my friend, you can do one thing (that is, allow some limited access): you can create FTP accounts, as many as your hosting provider allows.
Your user can add/update/delete files in the particular assigned directory.
Thanks
Hope this will help you!
I'm trying to simply run a local website which has some basic HTML files using IIS.
Through the IIS Manager I have created a new website and have set the physical path to the directory with the HTML files.
However when I input the physical path I get the following warning:
The server is configured to use pass-through authentication with a
built-in account to access the specified physical path. However, IIS
Manager cannot verify whether the built-in account has access. Make
sure that the application pool identity has Read access to the
physical path. If this server is joined to a domain, and the
application pool identity is NetworkService or LocalSystem, verify
that <domain>\<computer_name>$ has Read access to the physical path.
Then test these settings again.
Now, when I navigate to the site through localhost I get the following Unauthorized error:
You do not have permission to view this directory or page because of
the access control list (ACL) configuration or encryption settings for
this resource on the Web server.
What's going on here? When I right click my folder I seem to have given access to everyone. I haven't made any specific IIS changes so what could be the issue here?
EDIT:
MAN I cannot believe this. My case is so simple (I just wanna display some HTML files on localhost) which should require ZERO configuration at all. Yet IIS fails to meet the demand.
EDIT: I think everyone should have permission to my folder. Here's a picture of the permissions screen for the folder:
Working with a set of server protocols is different than adding files to a share. In this case, you're going to want to open IIS and navigate to the website you added it as.
There, you'll see a variety of icons, some under the heading of ASP.NET, some under IIS. The first heading you'll see under IIS is Authentication. That's the one you want. If this is strictly internal/for learning, go ahead and enable Anonymous Authentication. It's not safe, but it'll get you in the right place to start googling around.
I have a GWT webapp running on tomcat 7 on RedHat. All clients reside within intranet and use IE7 from XP machines to access the webapp.
The new requirement is to set up a per-user log. If a user claims he did something wrong because of the webapp, the admin should be able to check the webapp responses for that request. Another requirement (a very nice-to-have feature) is to avoid the login/password screen and use the domain username instead.
I think I can ask my admin to set up Integrated Windows Authentication for Tomcat: http://www.tomcatexpert.com/blog/2011/06/22/windows-authentication-apache-tomcat. Once IWA is implemented on Tomcat, I expect I will be able to access the username with HttpServletRequest.getRemoteUser() from my webapp.
Am I right in my assumption?
Is there a simpler way than that?
The integration of a Java container such as Tomcat with a Windows Domain through IWA, SPNEGO, Kerberos etc. can be a very complicated task and the Tomcat instructions that you point to may or may not work the first time and may also require changes to the way your Windows environment is configured.
Once that integration is working, your web application will need to specify auth constraints in web.xml to protect part or whole of the webapp. Although it may not prompt for user id if the Windows authentication set up is working seamlessly, it is necessary for the configuration to be there before getRemoteUser will return anything inside your application.
I've got a little server plugging along, with IIS and some other stuff. Is it possible to allow a second user access to the IIS Manager, with the ability to create and edit sites, but keep the two accounts' sites separate?
I'm not worried about security between the two accounts, just separating the two accounts' sites for neatness and so that one user doesn't accidentally change something tied to the other account. At the moment I have two users who are part of the administrators group, and if I open IIS Manager with either one they both show all the sites.
A similar question has already been asked: how to create hidden web site on IIS
Can you please expand the answer of that thread?
Update 1
Connecting to sites remotely would allow the other sites to appear hidden as you would only see the connecting site. See: How to use Internet Information Services (IIS) 7 Manager to connect remotely to your website.
Update 0
As for hiding sites and other features, check out: What is administration.config for IIS?
One little known feature of IIS7 is that its UI is entirely extensible! This means that anyone can write a C# assembly and get it displayed through the IIS Manager UI. The possibilities here are endless, anything from someone writing a new certificate management system, a website provisioning system, etc.
I haven't found documentation stating that the actual sites can be hidden but it sounds like it should be possible.
An Overview of Feature Delegation in IIS 7.0 may also provide the ability to hide sites.
Other links:
How do I hide 'non-delegated' features in IIS 7?
Based on your description, Microsoft's documentation on Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) might prove helpful. For instance:
Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7)
Note: For IIS Manager users to connect to sites and applications for which you grant permission, you must configure the management service to accept connections from users who have IIS Manager credentials. For more information about how to configure the management service, see Configuring the Management Service in IIS 7.
Configuring Permissions for IIS Manager Users and Windows Users (IIS 7) - Emphasis added.
Use the IIS Manager Permissions feature to allow users to connect to sites and applications in IIS Manager. Remove a user account when you no longer want the user to configure delegated features in a site or an application.
Permitted users can configure delegated features in any sites or applications for which you grant them permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.
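The permission grant described in the documentation quoted above can also be scripted. The following is an added example, not part of the original answer or of Microsoft's documentation; the group name `WebOperators` and the site name are hypothetical placeholders, and it assumes IIS 7 or later with the Management Service role service installed.

```powershell
# Added example, not from the quoted documentation. Run elevated on the IIS
# server. The group and site names below are hypothetical placeholders.
$Principal = "$env:COMPUTERNAME\WebOperators"   # local Windows group, NOT in Administrators
$IsGroup   = $true                              # $true for a group, $false for a single user
$Site      = 'Default Web Site'                 # the only site this group may connect to

# Load the management API that backs the "IIS Manager Permissions" feature.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"

# Allow the principal to connect to this one site. Other sites stay invisible
# to its members when they use "Connect to a Site" in IIS Manager.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($Principal, $Site, $IsGroup) |
    Out-Null

# Non-administrators reach the site through the Management Service (WMSvc),
# so it has to be running and accepting connections.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' `
    -Name EnableRemoteManagement -Value 1
Set-Service -Name WMSvc -StartupType Automatic
Restart-Service -Name WMSvc

# WMSvc listens on TCP 8172 by default: limit who can reach that port with the
# firewall or the IP restrictions in the Management Service feature.
# What the group may change inside the site is set by Feature Delegation.
```

Because a Windows group is used here, the Management Service can stay on Windows credentials only; accepting IIS Manager credentials, as the note above describes, is needed only for users created with the IIS Manager Users feature.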
IIS5 is running on SERVER1.
One of the virtual directories in IIS, myfiles, is pointing to "A shared location on another computer", //SERVER2/myfilesshare
When I try to access the page:
http://SERVER1/myfiles
... I get the error:
You are not authorized to view this page
HTTP 401.1 - Unauthorized: Logon Failed
Internet Information Services
I have triple-checked the "Connect As..." settings in IIS. The credentials I'm using to access the share are correct -- they work when I connect to the share in Windows Explorer, but not through the IIS virtual directory.
I've tried granting full permission to Everyone on the folder in SERVER2, but no luck.
Any thoughts?
This was how I solved my problem, might help you.
By default, IIS uses local user called IUSR for virtual directories when using anonymous authentication. It does not use application identity, which should be obvious, if you use procmon.
How can you force it to use application identity?
Easy, under IIS manager:
1) go to Authentication
2) Edit "Anonymous authentication"
3) Select "Application pool identity"
4) Restart IIS & it should work.
The same accomplished with PS: Set-WebConfigurationProperty -filter /system.WebServer/security/authentication/AnonymousAuthentication -name username -value ""
This link contains the pros/cons: http://blogs.technet.com/b/tristank/archive/2011/12/22/iusr-vs-application-pool-identity-why-use-either.aspx
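To check which account IIS uses for anonymous requests to a site, and which entries on the physical path's ACL include Read (the two things behind both the ACL error and the IUSR answer above), the following added PowerShell example can be run. It is not part of the original answers; the site name is an assumed placeholder, and it needs an elevated session on IIS 7 or later.

```powershell
# Added example (not from the original answers). Run in an elevated PowerShell
# session on IIS 7 or later. $SiteName is an assumed placeholder.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$site = Get-Item "IIS:\Sites\$SiteName"
$path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$pool = $site.applicationPool

# Account configured for Anonymous Authentication on this site.
$filter = 'system.webServer/security/authentication/anonymousAuthentication'
$attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $filter -Name userName
$anonUser = if ($attr -is [string]) { $attr } else { $attr.Value }

# Account the worker process runs as.
$pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel
$poolAccount = switch ("$($pm.identityType)") {
    'ApplicationPoolIdentity' { "IIS AppPool\$pool" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    default                   { $pm.userName }   # SpecificUser
}

# An empty userName means anonymous requests use the application pool identity.
$effective = if ([string]::IsNullOrEmpty($anonUser)) { $poolAccount } else { $anonUser }
"Physical path        : $path"
"App pool account     : $poolAccount"
"Anonymous requests as: $effective"

# ACEs on the physical path that include Read. Access can also arrive through
# a group the account belongs to, so read the whole table, not just one row.
$read = [System.Security.AccessControl.FileSystemRights]::Read
(Get-Acl -Path $path).Access |
    Where-Object { ($_.FileSystemRights -band $read) -eq $read } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# If no Allow entry covers the account, this prints (does not run) a grant of
# read-only access for that one account, rather than opening the folder to Everyone.
"icacls `"$path`" /grant `"${effective}:(OI)(CI)RX`""
```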
Permission issues can be tricky. Try running filemon on the 'other computer'. It can be downloaded over here: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
(it's not a big application just a tiny lightweight tool)
After you've started filemon, stop the monitor process (I believe it's turned on by default when you start the application), clear the logged data, create a filter for the folder you have trouble getting access to. Start the monitor process. Request your webpage. Stop the monitor process and look for "access denied" messages in filemon. When found, filemon will also mention the name of the actual user which is trying to get access. This might help you to get to a solution.
Btw when using Windows Server 2008 you will need processmon instead: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Imagine a scenario where for whatever reason you want to have your IIS Server access a Share on a File server and they are not on the same domain.
If you can follow and get this to work for you (I have done it Win2008-R1 32-bit File Server and Win2008-R2 64-bit with IIS 7), then you should be in good shape for any scenario.
Same name local account on both servers with same password
On IIS, use aspnet_regiis -ga MyAccount to give local account access to IIS guts
Now use that as the Application Pool Identity of the Website
Using Local Security Policy (Admin Tools) enable trust for delegation for local account
Restart IIS server
On File Server, use Local Security Policy to enable access from network for local account
Create Share granting desired permissions to local account (also Security tab permissions as needed)
Open up File & Print Sharing ports on both (as restrictive as possible) to point where it works for you when you are using Windows Explorer between the two
Back to IIS, create Virtual Directory using UNC path to Shared folder from File Server
Just use Pass-through authentication (which would use your local account)
You can tell Anonymous Authentication setting of the Virtual Directory to use Application Pool Identity as well
Use something that will test/verify. The key really is trust for delegation using a Service Account (domain or otherwise), and having IIS use the account you want it to use instead of Local Server or Network Service.
This took me all day to figure out. Various threads in StackOverflow and other Internet sources helped point me to various resources, but I didn't find my exact answer anywhere. Hopefully the next person stuck with this problem will get a speed boost on the path to resolving it with my description of what worked for me.
Try enabling Windows authentication on the virtual directory security tab (in IIS).