I hosted a StreamInsight server to windows service. The windows service run with LocalSystem.
In OnNext() method, I have code access to server
using (
var server =
Server.Connect(
new EndpointAddress(#StreamInsightConfiguration.Default.StreamInsightServiceHostURL))
)
{
var application = server.Applications[StreamInsightConfiguration.Default.StreamInsightApplicationName];
return application;
}
At line server.Applications[StreamInsightConfiguration.Default.StreamInsightApplicationName]; I received a message Access is denied.
I also add NT\SYSTEM to StreamInsightUsers$Default group.
How to fix this problem ?
If a user is logged in while the account is being added to the group, the user must log off and then log on again in order for the group membership to become effective. Users that are not members of this group will receive "access denied" errors when attempting to connect to the server’s Web service endpoint in the Event Flow Debugger and other client programs.
Courtesy:- https://msdn.microsoft.com/en-us/library/ee378749(v=sql.111).aspx
Related
I have an ASP.NET MVC 5 app hosted in IIS 10 on Windows 2016. Our sys admins have created a Managed Service Account (MSA) that is tied to this server and has read/write permissions to a folder on the network. I need to write PDFs to that folder from the web application using the MSA.
Currently, I'm simply trying to write a simple text file to the folder:
System.IO.File.WriteAllText(#"\\SomeUncPath\Reports\test.txt", "sample text");
The above produces this error, which is to be expected,
System.UnauthorizedAccessException: Access to the path '\SomeUncPath\Reports\test.txt' is denied.
I followed this video: https://www.youtube.com/watch?v=lBv81lwZgIo to no avail. It just caused the site to generate a 503 error.
Is it possible to write the files using C# impersonation, such as described in this article? But how do you impersonate an MSA, which has a password set by the system?
I tried the following code using the SimpleImpersonation:
var cred = new UserCredentials("myDomain", "someMsa$", "");
Impersonation.RunAsUser(cred, LogonType.Batch, () =>
{
System.IO.File.WriteAllText(#"\\SomeUncPath\Reports", "sample text");
}
);
The above throws this:
System.ArgumentException: Password cannot be empty or consist solely of whitespace characters. Parameter name: password
Update 1: The server is throwing the following error into the System log:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
And these two warnings:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
and
The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
I tried this and rebooted the server but the issue persists.
Update 2: If I give the app pool my credentials, the app loads without any issues. It's only on the MSA that it fails with the above error/warnings. What could be wrong with the MSA?
Update 3: The issue was how I was adding the MSA to the app pool. I needed to include my domain in the username: myDomain\someMsa$. Once I had that in, it worked like a charm!
The issue had to do with missing the domain when setting the MSA as the app pool identity. When adding it, I needed to set it as myDomain\someMsa$ instead of simply someMsa$. What's strange is how IIS didn't give an error, perhaps because the MSA account was considered both a local and domain account.
Also, in our case, we didn't need the "Log on as a batch" permission for the MSA. It worked fine without it.
I have an interactive windows service which run on a Local System account and with Interact with desktop checkbox checked(this is mandatory for my project as my service needs to invoke .exe with UI ). I am getting an exception as Access denied while writing to network drive. I am passing the UNC path from config file. i tried giving full control access to anonymous user on the folder which i want to access but its still not working. i cannot run my windows service under Network service account or under any other account as suggested in some other posts because i want it interact with desktop check box checked. is there any way to achieve this?
Edit: UNC path of network drive: //server/ABC/pqr
my service should create .txt file in pqr folder. should have access to delete it afterwords too.
i have tried creating anonymous user for pqr folder and giving it full control but still i am getting access denied exception. as i mentioned before i cannot run it under any other account other than local system account because it will automatically disable interact with desktop option in the properties of that service. is there any way to make it run under Network Service Account and still keep it interactive(interact with desktop option checked in the properties of service)?
Try using the following nugget package named SimpleImpersonation
This way you could wrap the code you use to access your remote file location like this:
using (Impersonation.LogonUser(domain, username, password, logonType))
{
// do whatever you want as this user.
}
It worked for me. I used it to turn on and turn off a windows service remotely. Like this:
await Task.Factory.StartNew(() =>
{
using (
Impersonation.LogonUser(serviceInfo.Domain, serviceInfo.User, serviceInfo.Pswd,
Environment.MachineName.Equals(serviceInfo.ComputerName,
StringComparison.InvariantCultureIgnoreCase)
? LogonType.Network
: LogonType.Interactive))
{
var service = new ServiceController(serviceInfo.ServiceName, serviceInfo.ComputerName);
if (service.Status == ServiceControllerStatus.Stopped)
{
service.Start();
service.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(60));
}
else
{
service.Stop();
service.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(60));
}
}
});
(the snippet was taken from the project site)
The goal is to have a web user interface with the option to create new site collections with new Content Database.
With the admin user I can manually in the CA create new Content Databases. I can also create a new site collection in this content database.
The idea was to create an event receiver (C#). If the user adds data to a table, the mentioned actions are to be executed.
Experiments:
a) Console application - works!
using (SPSite site = new SPSite("http://sp2013")) {
using (SPWeb spWeb = site.OpenWeb()) {
SPWebApplication elevatedWebApp = spWeb.Site.WebApplication;
elevatedWebApp.ContentDatabases.Add("sp2013", "WSS_Content_80_" + DateTime.Now.ToString("yyyymmddhhMMss"), null, null, 10, 15, 0);
}
}
b) Event Receiver - Only create site collections works, creation of content databases does not work! Error: Access Denied.
c) Web Service - Does not work! Error: Access Denied.
So, why do I get the error Access Denied when I can create site collections, but only content databases creation not go?
Finally I executed PS Script - but this also doesn´t work.
# AUTHOR: Paul Kotlyar
# CONTACT: unclepaul84#gmail.com
# DESCRIPTION: sets an option on content web service that allows updating of SP Administration objects such as SPJobDefinition from content web applications
function Set-RemoteAdministratorAccessDenied-False()
{
# load sharepoint api libs
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") > $null
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Administration") > $null
# get content web service
$contentService = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
# turn off remote administration security
$contentService.RemoteAdministratorAccessDenied = $false
# update the web service
$contentService.Update()
}
Maybe somebody knows a solution?
I asked the same question in Stackexchange.
This is a permissions problem, but not for clients account. The client user is irrelevant. The problem is that for content database creation your code need farm administrator privileges. However, running code with elevated privileges is insufficient, because when you execute code in this way, SharePoint impersonate with application pool user of correspondent web application.
If the app pool user for "http://sp2013" do not have farm admin privileges, you cannot create content database with an event receiver (maybe for this reason you have an Access Denied error for your event receiver and your webservice code). The problem is giving farm admin privileges to an app pool or service user it's a very bad idea.
I recommend to you implement this solution as timer job. You can create a SharePoint farm solution, and make a timer job, because normally timer jobs are executed with a farm admin account. In this way, you could create a content database.
I developed a window service app which runs on the SP server that copy files from the Safe to the SP.
The service is running under a app user which is administrator on the SP server and is site collection administrator on the site it is trying to access.
When I run the service I am receiving an “SQL database login failed. Additional error information from SQL Server is included below. Login failed for user “
I can access the site through the browser with the specified user.
I am not getting this error when I ran the service under my user (I am administrator on the server and site collection administrator on the site)
The error occurred on the following line:
Using(SPsite site = new SPSite(<the url to the site>)
{
}
I added The user as administrator to the DB server and the problem was solved.
I have created a C# web service using visual studio to stop the windows service 'Simple Mail Transfer Protocol (SMTP)' called SMTPSVC.
The following is the web method to do it:
[WebMethod]
public string StopService()
{
String status = "";
try
{
ServiceController scAlerter = new ServiceController("SMTPSVC");
Console.WriteLine(scAlerter.DisplayName);
Console.WriteLine(scAlerter.CanStop);
scAlerter.Stop();
Console.WriteLine("Service stopped");
status = "STOPPED";
}
catch (Exception e)
{
Console.WriteLine("Exception caught here" + e.ToString());
status = "Exception" + e.ToString();
}
return status;
}
I published this web service in my IIS 5.1 server. When I invoked the service it is throwing the following 'Access Denied' exception
<?xml version="1.0" encoding="utf-8" ?>
<string xmlns="http://y-square.org/">
ExceptionSystem.InvalidOperationException: Cannot open SMTPSVC service on
computer '.'. ---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace --- at
System.ServiceProcess.ServiceController.GetServiceHandle(Int32 desiredAccess)
at System.ServiceProcess.ServiceController.Stop() at Service.RestartService()
in c:\Inetpub\wwwroot\RestartService\App_Code\Service.cs:line 38
</string>
By default the service is using the user account IUSER_system-name and I have added this user account into system Administrators group and also added ASPNET user account in Administrator group.
I was able to stop/start this windows service from C# standalone program successfully.
Can you kindly let me know what is the problem? Any permission settings or IIS user access rights shall I need to change in order to run this?
Also let me know which user account this C# service would use to stop the Windows Service?
Your help is much appreciated.
Thanks in advance,
Yogi
The IUSER_machinename (IUSER for short, in the following) account is, for good reasons, a relatively limited account, with little more privilege than a guest account. It isn't allowed to start and stop Windows services, or even to interrogate them (to get their status etc).
When run in the context of a stand-alone exe, the logic above is successful because the underlying account is [probably] you who is likely a member of the Administrators group, or a rather powerful account at any rate.
The easy, but unrecommended way out of this situation, is to give the IUSER account more privileges. Just to try add this account to the Administrators group, bam!, it will work (but will also introduce some potentially dangerous security hole).
A better approach is to make the explicit list of the particular Windows services that will be allowed to managed by way of IIS, and to set their individual service security descriptor to so that the IUSER account (or another account/group created for the occasion) be allowed to start and/or stop them as desired.
The difficulty in implementing this approach is that, to my knowledge, there's no GUI or intuitive admin tool to inspect and alter the services' security descriptor: you need to use sd and "learn" the SDDL language. Here are a few pointers to do so
MSDN Best practices and guidance for writers of service discretionary access control lists
sc sdshow command
sc sdset command