(IIS/Win2000Pro) Granting Registry read rights to IIS user? - security

Okay, so I'm running a small test webserver on my private network. I've got a machine running Windows 2000 Pro, and I'm trying to run an ASP.NET app through IIS.
I wrote it so that the webpage would use the registry to store certain settings (connection strings, potentially volatile locations of other web services, paths in the local filesystem where certain information is stored etc...) Of course, it worked fine when testing with VStudio.NET 2005, because the user running the app has elevated privileges. However, running it on IIS I get a "Access to the registry key 'HKEY_LOCAL_MACHINE\Software' is denied.", which suggests the IIS user doesn't have read access to that part of the registry (I only do reads through the website itself, never writes).
I was like "okay, simple enough, I'll just go give that user rights to that part of the registry through regedit." The problem is, I don't see an option anywhere in regedit to change security settings... at all. Which got me thinking... I don't think I've ever actually had to change security settings for registry hives/keys before, and I don't think I know how to do it.
Half an hour of searching the web later, I haven't found any usable information on this subject. What I'm wondering is... how DO you change security rights to portions of the registry? I'm stumped, and it seems my ability to find the answer on Google is failing me utterly... and since I just signed up here, I figured I'd see if anyone here knew. =)

If you're having trouble with RegEdit in Windows 2000, you can try the following:
Copy the Windows XP RegEdt32.exe to the Windows 2000 Machine
Using a Windows XP Machine, connect to the Windows 2000 registry remotely: File > Connect Network Registry

You can set permissions at the folder level for which you want to grant user permissions read/write access.
In your case, right click on the "Software" folder and select "Permissions".
You'll probably know the rest from there.
EDIT: If you still run into issues, you may want to modify your web.config file and use impersonation to have your web application run as a certain user account. Then you can put a tighter rein on the controls.

RegEdt32.exe will allow you to set permissions to registry keys.
Simply right click on a Key (Folder) and click Permissions, then you can edit the permissions as you would a file system folder.

I did so, assuming that a Security setting would be available. I didn't see any "Security" option when I right-clicked on the Key. =( I triple-checked just to make sure... and I just tried it on my XP machine, and it does indeed have the "Permissions" section... but the Windows 2000 machine doesn't. (how's that for weird?)
In my searching, I found:
http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_21563044.html
Which notes that RegEdit for Windows 2000 doesn't have the Security/Permissions settings... but it proposes no solution to the problem. (Whoever asked the question was using Windows XP so he was okay... but in my case, it's 2000)
Is there any way to make it happen specifically in 2000?
EDIT: Ahhhh... if worst comes to worst, I suppose I can do the impersonation as mentioned below... though if I can't set security settings for the registry in 2000, I'm left with making that user have Administrative access (I assume?) to actually get those rights, which sadly defeats the purpose. =(

Oh, let me try that! I didn't realize you could remotely connect to another registry.
(EDIT: I was wrong, it did work... it just took several minutes to respond to my request to change permissions remotely)
The remote connection idea did it! You're good! Thanks so much for your help! I never realized you could remote connect with RegEdit... you learn something new every day, they say! =) Thanks again for your assistance! =)
On another note though, about copying the XP version of RegEdit to Windows 2000... is that safe? I figured they would be coded in such a way as to be incompatible... but I could be assuming too much. =)

Just use RegEdt32.exe instead of Regedit.exe.
Go to the desired key or folder, then open the security menu and click on 'permissions'.
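The thread sets the ACL by hand in RegEdt32. The script below is an added example (not code from the thread) that does the same thing from PowerShell on XP/2003 or later, where the cmdlets exist; Windows 2000 has no PowerShell, so there the remote RegEdt32 route above remains the way. It grants the web account ReadKey, and only on the application's own subkey rather than all of HKLM\SOFTWARE, then reads the ACL back so the grant can be checked. The key path HKLM:\SOFTWARE\MyWebApp and the account name WEBSRV\IUSR_WEBSRV are placeholders.

```powershell
# Added example: grant one IIS account read-only access to an application-specific
# registry key and verify the resulting ACL. Run from an elevated PowerShell prompt.
# Placeholders: HKLM:\SOFTWARE\MyWebApp (the app's key), WEBSRV\IUSR_WEBSRV (the account).

function Grant-RegistryReadAccess {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,   # e.g. HKLM:\SOFTWARE\MyWebApp
        [Parameter(Mandatory)] [string] $Account    # e.g. WEBSRV\IUSR_WEBSRV, or "IIS AppPool\MyPool" on IIS 7.5+
    )

    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key '$KeyPath' does not exist; create it as an administrator first."
    }

    $acl = Get-Acl -Path $KeyPath

    # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions. That covers
    # OpenSubKey()/GetValue() and nothing that would let the web process change settings.
    # ContainerInherit makes subkeys created later under the app key readable too.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')

    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-RegistryAccessFor {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $Account    # qualified name, as Windows stores it (DOMAIN\user)
    )
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Usage with the placeholders: scope the grant to the app's own key, not HKLM:\SOFTWARE.
Grant-RegistryReadAccess -KeyPath 'HKLM:\SOFTWARE\MyWebApp' -Account 'WEBSRV\IUSR_WEBSRV'
Get-RegistryAccessFor    -KeyPath 'HKLM:\SOFTWARE\MyWebApp' -Account 'WEBSRV\IUSR_WEBSRV'
```

One check before touching the ACL: the error in the question names HKEY_LOCAL_MACHINE\Software itself, so make sure the application opens the key read-only (OpenSubKey with the default, non-writable overload, and no CreateSubKey). A key opened for writing needs KEY_WRITE, which a ReadKey grant deliberately does not give, and the site only reads its settings.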

Related

Crypto SystemKeys folder growing out of control

Help! The folder C:\ProgramData\Microsoft\Crypto\SystemKeys is growing out of control. It is doing this on some of our servers and some desktops. We are a medium to small business and use Active Directory (not Azure AD). I've heard that this folder is used by IIS, SQL Server, Remote Desktop Licence Server (maybe other things too?). My guess is it has something to do with Remote Desktop as I've not seen this problem with any computer that hasn't been using Remote Desktop. I've heard that some of the keys in this folder are important so you can't just delete it. Anyone have any idea what to do to get it to stop, what causes it, or how to clean it up?
Here are my file properties:
Thank you for any help.
I found an answer to this question. Turns out in my case it was because of an application writing to this directory. Contacted them and they are implementing a fix in the next release (October 2021). In the meantime, I've deleted the extra keys in the folder. So far no issues.

IIS 8.5 Windows Server 2012 ASP Classic/Active-X COM DLL issues writing to UNC shared folder

I have spent 12 hours on this, tried everything that I have read about, but I cannot get the website on a new server farm we have to write to a shared folder.
I have set the application pools, even temporarily (just to try it out) to admin accounts and even set the folder to be available for "everyone".
We have a network specialist who cannot figure it out either; in his favour, he does not understand IIS very well and keeps away from it, but at the end of the day, it's just a user account and permissions as far as I can see, and I have set up the exact same website on a previous W2012 server and IIS 8.5, 7.5 and 6 without major issues (albeit registering 32bit DLLs in a 64bit environment), but all that has gone well and no issue (except for reading and writing to a shared folder).
SO breaking it down to its simplest form, I used a simple FSO script to write a text file in the shared folder, this clearly came back with "Permission denied line X".
Running the script through cscript as a VBS file, it works; running it through IIS, no chance.
I'm not going to give up, but running as the top admin login (I had the network guy use HIS identity in the application pool) it's not happening.
32bit has been enabled, yes, folder permissions set, yes.
I'm at my wits' end with the thing. Anything to suggest, I would be happy to listen and try.
Thanks all.
Update: I can write to the same MACHINE as IIS, any folder, as long as I set the appropriate permissions. The difference with this shared folder (I am working on a server farm, I forgot to mention that) is: when you do the security, and use Locations with "IIS AppPool\poolidentity" to add the user, it works on the same server, but when I try to add that user on the shared folder on the networked server, that user does not appear. Does this give any clues?
Ok - for me, after all the right things that I had done, was something I had not tried.
Select the site in IIS, so you see all the icons for ASP, Authentication, Authorization Rules, CGI etc. Select Authentication and Open Feature.
You will see Anonymous Authentication (Enabled), ASP.NET Impersonation (Disabled), Basic Authentication (Disabled) and so on.
Select Anonymous Authentication, right click, Edit. By default it was set to "Specific User" IUSR; for me, that did not work, so I clicked on Application Pool Identity and boom, now it's working.
Hope that helps someone else.
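Two facts explain both observations in this post. With Anonymous Authentication set to "Specific user: IUSR", a Classic ASP request runs as IUSR no matter which account the application pool uses, so changing the pool identity alone cannot fix a UNC write; switching anonymous to "Application pool identity" is what made the pool's account matter. And "IIS AppPool\<pool>" is a virtual account that exists only on the web server, which is why the file server's Locations dialog cannot find it; when the pool identity reaches the network from a domain-joined server, the file server sees the web server's computer account. The script below is an added example (not from the thread) that shows the first part of that and grants the share to the identity the file server actually sees. The pool name MyPool, the web server WEBSRV in domain CORP and the path \\FILESRV\appdata are placeholders.

```powershell
# Added example: test whether an account name resolves on the machine you run it on,
# then grant Modify on the remote folder to the web server's computer account.
# Placeholders: IIS AppPool\MyPool, CORP\WEBSRV$, \\FILESRV\appdata.

function Test-AccountResolves {
    param([Parameter(Mandatory)] [string] $Account)
    try {
        $nt  = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Account
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $Account; Resolves = $true;  Sid = $sid.Value }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        [pscustomobject]@{ Account = $Account; Resolves = $false; Sid = $null }
    }
}

# On WEBSRV this yields an S-1-5-82-... virtual-account SID; on FILESRV it reports
# Resolves = $false, because the virtual account lives only on the machine running the pool.
Test-AccountResolves -Account 'IIS AppPool\MyPool'

function Grant-FolderModifyToPrincipal {
    param(
        [Parameter(Mandatory)] [string] $FolderPath,   # e.g. \\FILESRV\appdata (UNC or local path on FILESRV)
        [Parameter(Mandatory)] [string] $Principal     # e.g. CORP\WEBSRV$ (the web server's computer account)
    )
    # Modify rather than Full Control: the site only needs to create and write files here.
    # ContainerInherit + ObjectInherit apply the rule to files and subfolders created later.
    $acl  = Get-Acl -Path $FolderPath
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Principal, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

# Run as an administrator of FILESRV. The share permissions (not only NTFS) must also
# allow Change for the same principal, or the NTFS grant is never reached.
Grant-FolderModifyToPrincipal -FolderPath '\\FILESRV\appdata' -Principal 'CORP\WEBSRV$'
```

If the pool has to run as a named domain account instead (the post tried that too), grant that account rather than the computer account, and keep Anonymous Authentication on "Application pool identity" so the Classic ASP request actually runs under it.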

Does process have permission to view files on azure?

I have recently deployed a fubu mvc application to windows azure. Everything works except when the pipeline tries to find the view to render. This all works correctly on my local machine.
So I am wondering: does the process on the Azure box have rights to read/scan files on disk?
Any suggestions to fix it are welcome though.
EDIT:
As part of the deployment there is a stage that Azure goes through called "Preparing files for deployment". I checked the log and my view was not in there.
So I changed copy to output as true and it worked
It depends a bit on where you are trying to read and how you have configured your roles. By default, the code will run as a very low privilege user that only has R/W to the code directory (and any LocalResource(s) defined by the user). However, you can run your code as SYSTEM, in which case you can R/W anywhere (you might still have to take ownership, but you are all powerful as SYSTEM).
If your views are defined as part of your package and uploaded, the code should have permission to view it. I am curious as to why you think this is a permission issue right now. Do you see an error that indicates that, or are you guessing it? If I had to guess, my first thought would be your views didn't get packaged correctly and are not on the VM. You can confirm they are there either by RDP or by cracking open the package and snooping around.

Oracle error when executing sqlplus: "SP2-1503: Unable to initialize Oracle call interface"

I'm struggling with the following error when starting up sqlplus as my regular user - say "scott".
$ sqlplus
SP2-1503: Unable to initialize Oracle call interface
SP2-0152: ORACLE may not be functioning properly
Environment is:
Oracle 11.2.0.2
OpenSuse Linux 11.1 (64bit)
Misc other detail:
Oracle installed and running on localhost
No tnsnames issues as can run sqlplus as oracle admin user
Database up and listener started (11.2.0.2 install).
user scott in database admin group (/etc/group)
user scott references correct 11.2.0.2 installation
This is most bizarre as I can happily run sqlplus as the oracle user (say "oraadmin") and user scott is registered in the oracle admin group. Additionally, I had no such problems with my previous Oracle install (10.2.0.7). My ~scott's $ORACLE_HOME references the 11.2.0.2 installation.
Comparing my 11.2.0.2 and 10.2.0.7 environments, I've noticed several libraries (including $ORACLE_HOME/lib/libsqlplus.so) have group read-only permissions (744) so have chmod'ded these.
Other than that, my $ORACLE_HOME/lib, $ORACLE_HOME/bin, $ORACLE_HOME/oracore and $ORACLE_HOME/rdbms all seem reasonable with sensible permissions.
N.B: There's a plethora of stuff on-line but, as is often the case, there's a lot of case-specific issues and mainly around different versions of Windows. Focusing mainly on comparing my envs. Besides, as far as I can tell, this question doesn't yet exist on SO so could be useful to start collating answers by environment. I'll report back any sensible findings.
If it is Windows 7, You can right click on SQL Plus or whatever software you using, I use Crystal Reports.
so to you would have to right click and Run as Administrator.
it fixed for me.
Fixed my particular issue...
User scott's $PATH still contained the ora11.1.0.7 bin. So, on starting sqlplus, I was running the ora11.1.0.7 sqlplus client against the 11.2.0.2 server. Think there may be more to it than that (i.e. I'd probably expect that client to work with that server) but that is the hub of the problem.
In my defence, my .bashrc sets the $PATH correctly, so I'm not yet sure what preempts it with the 11.1.0.7 version. Guess the sensible rule of thumb is to add my $ORACLE_HOME/bin to the front of the $PATH to ensure mine is found first, despite what else is set by whatever other environment config, as in
export PATH=$ORACLE_HOME/bin:$PATH
Yours, a little embarrassed but hopefully will be of help again to someone.
Some of the more useful sites...
Various Windows environments:
https://forums.oracle.com/forums/thread.jspa?threadID=338426
https://www.administrator.de/Zugriff_auf_OracleDB_(10i)_per_sql_plus_von_WTS_2003_(Servicepack_2).html
http://www.orafaq.com/forum/t/100549/2/
Linux environments:
http://databaseoracle.blogspot.com/2006/11/permitting-user-on-unix-linux-to-use.html
In Windows I found the solution:
Assign the "Create global objects" user right to the non-Administrator account.
Go to Administrative Tools, and then click Local Security Policy.
Expand Local Policies, and then click User Rights Assignment.
In the right pane, double-click Create global objects.
In the Local Security Policy Setting dialog box, click Add.
In the Select Users or Group dialog box, click the user account that you want to add, click Add, and then click OK.
Click OK.

DCOM: CoCreateInstanceEx returns E_ACCESSDENIED

I'm working on a DCOM application with the server and client on two machines, both of which are running WinXP with Service Pack 2. On both machines, I'm logged in with the same username and password.
When the client on one machine calls CoCreateInstanceEx, asking the other machine to start up the server application, it returns E_ACCESSDENIED.
I tried going into the server app's component properties in dcomcnfg and giving full permissions to everyone for everything, but that didn't help.
What do I need to do to allow this call to succeed?
Update: When the server app is running on a Windows 2000 box, I do not get this error; CoCreateInstanceEx returns S_OK.
Right, so if your Authentication level is set to Default. What is the authentication level set to in the Default Settings? Just out of interest. (although the fact that it works to a 2000 box probably makes that redundant)
EDIT:
Also: I seem to remember doing a lot of rebooting when I used to play/work with DCOM, so maybe a quick reboot of both machines when you're happy with the dcomcnfg settings wouldn't go amiss either.
If the PCs aren't both members of the same domain, you need to also give launch & access permissions to "ANONYMOUS LOGON". "Everyone" does not include this.
Three things to check:
1) Go back to dcomcnfg and try making sure that not just the access security but also the "launch permissions" section contains the appropriate security users or groups.
2) Ensure that the Authentication Level is set to something else other than "None"
3) Also check that the location on disk that the component is located is actually accessible to the account configured in the security permissions you set.
EDIT:
One more: Are you calling CoInitializeSecurity() first too? That rings a bell!
EDIT2:
Based on your update: Try dropping the firewalls completely on both XP machines and see if that makes a difference. You may need to let DCOM through explicitly.
What is the flavor of your Windows 2000 box, btw? Professional, Server, Adv Server...
Also, is there a difference between domain membership between the two (one on a domain, the other not, different domains, etc...?)
One more thing - DCOM errors will appear in the System event log at times - especially for object creation - did you check there for clues?
I had the exact same problem.
The problem happens in machines that have XP SP2+ OS or newer.
I solved it using the following steps:
Verify that both client and server computers are on the same domain.
You need to use the same user in both computers, or, if you want to use different users in client and server, you need to make sure that both client and server users have privileges on both computers (in particular, make sure that they are members of the Distributed COM Users group).
Open the Component Services MMC (run dcomcnfg).
Go to My Computer->Properties->Default Properties and make sure that Default Impersonation Level is "Identify".
Go to COM Security tab, in both in Access permissions and Launch and activation permissions go to Edit Limits, and add Local and Remote access permissions to the client and server users of your COM application
Make sure that you have a firewall exception in port 135 for your application...
I hope this helps you!
