I have an application developed using ASP.NET Web API deployed to a site in IIS. Recently the application began crashing during initialization due to an exception saying that it could not access a particular folder (where it writes logs to). The app pool being used by the site uses a domain account and I verified that that account has full permissions on the folder, just as it always has. What wound up fixing the problem for me was to specify the username and password of a user who has access to the folder in the site's Physical Path Credentials field. Previously this had been set to "Application user (pass-through authentication)".
What could have changed in the application or IIS configuration to suddenly require this field to be set?
It turns out that this came down to a permissions issue. Write permissions on the folder for IIS_IUSRS got changed from Allow to Deny. After switching that back to Allow, I can remove the Physical Path Credentials setting.
Related
I am using asp.net mvc4 application. where I have custom code which upload the files in specific folder of my application. this code has option to delete files(uploaded on that) folder.
I don’t have that code so I want to change permission of that folder so that it will not allow to delete files from that location via web application.windows its self send error for permission.
I have deny delete permission for the networksservices but not working.
now this is working for already images available in this folder. But now problem is when I am uploading new images it is allowing to delete a image means security permission hasn't applied to new images. why?
How/Which user should I assigned permission deny of delete?
It seems that the user account under which your web site is running isn't networkservices.
If your application is hosted in IIS, you need to find the Application Pool for your web site and then check the user account used by this application pool. So check the properties of your web site on IIS, see the application pool name and then go to the Application Pools node in IIS console tree, find the application name and check its properties to find the related user.
I'm trying to delete a user profile folder suing C# and ASP.net, when i do this through windows UI i get a UAC prompt which is fine.
I wish to this programmatically using ASP.net & C# .
The objective is for admin users to launch a webform and do this remotely on workstation but i'm currently getting permission errors.
(im running visual studio as admin in my debugging environment to delete local users)
{"Access to the path 'C:\Users\nzsp2013admin\AppData\Local\Microsoft\Windows\Application ..... is denied."}
code:
var dir = new DirectoryInfo("C:\Users\nzsp2013admin");
dir.Attributes = dir.Attributes & ~FileAttributes.ReadOnly;
dir.Delete(true); // true => recursive delete
This has to do with the permissions which are configured in IIS.
Every ASP.NET application that you run in IIS will be run using an identity that can be managed in the Application Pools section in IIS Manager.
By default, each Application Pool that is created (including the default one) will have permissions within a limited scope.
If I'm honest, the phrase Application Pool makes things sound more complicated than what they actually are. An application pool is just an identity exactly like the one that you use to sign on to your PC, and in your case an identity with normal user permissions is attempting to perform an action that requires a set of higher permissions.
To resolve this, open up IIS.
Click on Application Pools
Select the Application Pool that your web application is running under
Click on Advanced Settings
Click on identity and select Custom identity
Enter the credentials of an account that has administrative privileges.
However, I do have to warn you that you could be opening yourself up to a wide range of security concerns and that there are alternatives such as adding explicit permissions to specific directories that include the identity which the ASP.NET application is running from.
I used this approach and it works very well. With this approach you dont use an account with high level privileges all the time just when required and not for the application execution.
Try to use a domain account and add privileges to the folder or lacation you required. And share the folder so you can use an unc path.
Accessing a Shared File (UNC) From a Remote, Non-Trusted Domain With Credentials
You could use code impersonation:
http://csharptuning.blogspot.com/2007/06/impersonation-in-c.html
http://www.codeproject.com/Articles/14358/User-Impersonation-in-NET
regardless, whomever you use as the impersonation must be able to read/write to the location. We use this method in applications for delete/create folder across network but in theory, you should be able to wrap this around any piece of code, check to see if the user is an admin, and if so use the impersonated user to delete the folder, or however you prefer to do it.
Also, I noticed you mention that you are wanting to do it remotely, but your examples have the local path.
You may also find this useful: Deleting Windows user accounts remotely WCF and C#
We have a customer with multiple servers. Let's say the important ones are ServerX - their current production web server, ServerY - their share server, and ServerZ - their new web server they are trying to move to. Today, the .net application on ServerX uses an IIS7 virtual directory to point to a share folder on ServerY. I set up ServerZ's IIS virtual directory as exactly as I could to look the same (same Physical Path, Credentials, Logon type). But the Fileupload.SaveAs(...) method keeps failing with the message "System.UnauthorizedAccessException: Access to the path '\[ServerY][Share]\file.png' is denied."
I have checked permissions. Both ServerX and ServerZ's apppool identity is network service. The share was set up with full access to "Everyone." I even specified Network Service and the Credentials account to have access. The folder is not read only and, again, the site running on ServerX operates saves fine.
To add to my confusion, the application on ServerZ can read and open files from the virtual directory. It only has issue when I try to save a new one. And when logged into ServerZ with the Credentials used for the Virtual Directory, I can create/save files.
I should specify two more things:
I had to do some work to get ServerZ on Active Directory. Maybe I missed something in that step that would only affect the application?
Both ServerY and ServerZ are Server 2012 instances. ServerX is Server 2008.
Let me know if you have any other questions or suggestions. Thank you
I am using a Tree View Directory browser in my application. I am using
DirectoryInfo.GetDirectories()
DirectoryInfo.Getfiles()
My requirement is that I need to browse the server folders from client with this. I am able to access shared drives also from the same machine. I hosted the site in IIS6 in a virtual directory. When I try to access the shared drive from the client I dont find it. Do we have to do something in IIS? I tried giving IdentityImpersonate="true" but still getting same problem.
This is a double hop problem. The IIS server would have to do delegation to move your credentials across 2 hops, (your machine to IIS - IIS to file share). Configuring delegation is a tricky process, but I haven't tried in a while, maybe the diagnostics have improved. Normally you follow the delegation instructions and still get access denied.
The easier solution is to use explicit credentials to go from IIS to the file share. The down side to this is that you have to specify username and password of a windows account somewhere in your web.config or source code.
I have created a sample ASP.NET website and hosted it in IIS 6.0 . It is working fine , if the identity of the defalut app pool is "local system". But when i changed the identity with some other configurable user id then it is showing as "Service Unavailable".
The following message is found in the event viewver.
"The identity of application pool 'DefaultAppPool' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled."
Either the credentials provided for the user is not valid, or the user does not have the needed permissions.
I believe there is a security group on the machine called IIS_WPG that is created when Asp.net is installed, add the user to this group, it should give them the needed permissions.
Message is self-explanatory. The selected user id isn't valid - probably due to insufficient privaledges to run the service.
The user identity you use needs to have fairly significant rights to operate. At a minimum the user needs to have read/execute permission on the root directory of the folder. This user should also have read/write/execute permission on the Temporary Asp.Net Files folder located within the %SystemRoot%/Microsoft.Net/Framework/ folder.
FYI,
In a development environment you can use the default app pool to create your web applications.
In production environment you want to use lusrmgr.msc (Server 2008/R2/7 Ultimate and Pro) to create new users (and their credentials) on the machine and assign the users to the right group (IIS_IUSRS).
Also once you have created the user, you will want to give it access to your data source back-end (if sql is running on the same machine and using windows authentication to access SQL).
Check Application Pools which assign Site on IIS, probably it is stopped.