I have a stand-alone IIS7 Server that is not joined to a domain and that is running an simple ASP.Net application. This application has an ActiveReports report that has an image control where I set the path of the image during run time to a network share on another server. When I run the application locally in Visual Studio on a desktop that is joined to the same domain as the network share, I am able to get the images, but when I deploy the application to the stand-alone IIS server and run it locally on the IIS server I am not able to get the images. I added permissions on the network share for the username and password of the login for the IIS server and I am able to navigate using Windows Explorer to the network share from the IIS server now, but I can't get the permissions right on IIS.
What is the correct way to set the permissions so that the application can access the image files on the network share?
When IIS access network resources it uses the security context (account) associated with the IIS process. This is primarily controlled by the Application Pool unless you are doing any kind of impersonation at the code level.
In order to correct you issue you'll probably need to make sure the application pool is running using a security account that has access to the network resource. Here are some links that may help
http://technet.microsoft.com/en-us/library/cc771170(v=WS.10).aspx
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Also, don't forget, if you are using windows file services for your network share there are two levels of permissions, those that are set at a share level and those that are set at the file level if using NTFS. Here is some info:
http://technet.microsoft.com/en-us/library/cc754178.aspx
One idea: on the IIS7 server, create a Virtual Directory that points to the share. When creating a Virtual Directory, IIS will let you enter credentials needed to access a share.
Then, you'll need your image paths to reference the share.
Related
I have existing .NET code that queries Active Directory once downloaded and running the .exe on a domain connected computer.
Could my .exe now run as a DDL in the Blazor browser (client-module) against the local domain and avoiding the downloading & running the .exe?
I know the sandboxed environment prevents native file system access, but would it prevent LDAP queries running?
The standard answer is no.
Blazor-in-the-Browser is held to the same limitations as JavaScript.
It's not a technical problem but a security issue.
You can of course use Blazor-on-the-Server, as long as that server has access to your AD.
Your users (on an intranet with good connections) won't notice the difference.
I have a windows service that polls a folder continuously for new files.For local directories this works fine.But when it comes to UNC Paths on another system in the same network,the service cannot access the folder it seems.I have refereed to this post https://serverfault.com/a/881272 ; it states that i need to run the service as the currently logged in user.How im i supposed to do that?
The path i wish to monitor using the service is
\DESKTOP-PC\Users\me\myfolder
Please advice
UPDATE:
I have developed the service using topshelf.I want to poll a folder on another local machine in the same network.I go to network places,double click on the computername,it asks for credentials,i enter the username and password of the remote computer i get access to the files on the system for that user(in explorer).
Now when i set the service to run as the local machine user under this machine,it cannot access the remote UNC Path that is accessible using explorer.I have tried installing it as the remote machine user,but it fails.
myService.exe install -username:DESKTOP-REMOTE\myname -password:mypassword
Open the Control Panel > Administrative Tools > Services window on
your Windows server.
Stop your windows service.
Open the Properties > Log On dialog.
Change the service user account to the target user account.
Start your service.
If you are developing the service in Visual Studio, and want to emulate a different account you can also press shift + right mouse click on devenv.exe and click on "run as different user".
Also make sure you are specifying the full path to the folder and that the account you use has full rights to the folder.
If you try to run your service under the desktop-remote\myname account you probably will fail. The local machine only likes accounts belonging to itself.
What I would do is to turn it around. Make the remote computer share a folder for your machine to poll. That way the remote machine has control over which data it is publishing, just like an object has its properties to private or public. If you are ok with having anyone who knows the address \\desktop-remote\my-not-so-secret-folder\ being able to read it, set it so anyone can read. If you are more secretive, suffix the folder with $ like so: \\desktop-remote\my-secret-folder$. Now it is not visble but still reachable.
You can also create a special account that has access to said folder.
Then you let your service run any account (with network access) of your choosing on your local machine. Let it try to connect to the remote folder with the special account.
(I have learned, the hard way, that reading a shared folder is slightly different between machines without domain and machines in a domain; the anyone-can-read does not work. At least in WindowsXP it was that way. I have since then not have the need to share a folder.)
HTH
When you set the service to run as the local system account, it cannot access the remote UNC Path that is accessible using explorer with local machine account.
Simply because the explorer manages logged on user credentials, so, you have added UNC path credentials to the LOGGED user only.
When you change it to Local System Account, the user credentials to the share is not stored.
Try to create a local user without password expiration and then enable it access to the Share.
All you will need to do is to setup windows service with this new account registered.
I was facing this problem with my UNC storage in the Azure cloud.
What worked is setting up the credentials in the windows credentials manager:
windows credential manager
You can get the connection string from the Azure portal.
This resolved our problem.
You can have a look at Impersonation. Also, if the service is running as a localuser, then it would help to create the same user with similar password on the machine where the folder resides.
Have a look here (the OP in this post is experiencing the same issue and he/she has given the shared folder “Everyone access to full control”.
https://serverfault.com/questions/177139/windows-service-cant-access-network-share
Goal:
I periodically upload new .exe file to windows server 2003 via FTP and I want to run it manually by hitting Url of a web site on same server. Exe needs to be run under an Admin account, and not the NETWORK SERVICE account.
What I achieved so far:
I have been able to successfully run applications like notepad under the Admin account on the server via a web request by using any of these:
PsExec,
.net process.Start() with credentials supplied to process.StartInfo and even
by impersonating admin and then using process.Start without credentials (http://www.f4cio.com/programmatically-impersonate-in-csharp)
The problem:
The above methods run my exe but Task Manager, or a call to System.Security.Principal.WindowsIdentity.GetCurrent().Name shows me that it is running under NETWORK SERVICE.
I suspect that this file has added security constraints because it arrived from ftp link. Checking run-as-administrator in properties of file is not an option because file will be replaced periodically and all needs to be automated. Also manual server configuration should be minimal or ideally non-existent. Code-only single-web-page solution is ideal. Editing both that asp.net web page and exe is ok. (I tried something with exe self-restarting).
Not sure about this, but I suspect this has to do with you website running under the NETWORK SERVICE user. Whatever privileges your website-user has, the same are probably granted / passed on as you try to run your executable.
Is this server on an internal network or protected in some other way? (I should hope so!). If so, you might try changing App Pool that the website is running under to an admin account (in IIS, right click the App Pool running the site, select Advanced Settings, and look for the Identity setting). If I'm right, that will allow you to run your executable as an admin too.
Be aware however, that this may increase the security risk of your setup: Allowing your site to run under an admin account means easier access to your entire server if anyone is able to penetrate whatever security measures you have in place. Make sure access to this server is tightly limited, and preferably, that it in turn does not have access to other systems, since that would in turn make them vulnerable by extension.
I am facing a strange issue with my site in IIS 7. I have 10 sites with different sub-domains hosted on IIS 7. I am using .NET framework 3.5 and SQL Server 2008 R2. Three sites I have configured on DefaultAppPool while for others I have created separate application pool for each and configured them with their specific.
I allows user to upload video, after upload completes I used to hint it (a process to make bit rates of video equal for on-line streaming on android) using MP4BOX - a command line interpreter, with server side code.
What issue I am facing is while using DefaultAppPool the MP4BOX works fine but when I configured site to its specific appPool, MP4BOX stops working. I have go through the settings but haven't find any issue. Can anyone help me to overcome this issue.
Awaiting for your valuable response.
Resolved it myself by assigning read/writes permission to the application pool to the directory.
After lots of research I have found that it was happening due to read/write permission of this exe to the specific directory. MP4BOX need to have read/write permission to create video file in the IIS directory. So I have added application pool as a user to the specific directory to which mp4box was accessing for read write.
I have a production website that sits on two servers that used local label files to drive their page labels (request going round robin between the two).
Users need the ability to upload new labels files, but once uploaded on one I need it also updated on the second website - this needs to be immediate. I was trying to use a shared folder on one of the servers, but even if I give it everyone full access i get the error "Exception message: Unable to find label folder at \\MACHINENAME\LabelFiles" when reading from the other server, I've also tried giving full permissions to "IIS AppPool\DefaultAppPool", but get the same issue.
I'm using IIS 7.5 on Windows Server 2008 R2
Question-
Is there a way to share a folder between the two sites?
Is there a better alternative solution?
Thanks
Both the websites should have a virtual folder pointing to the same physical folder, where the users can upload files.
Make sure also that the Anonymous access is disabled
One approach is to map the folder as a drive on each of the production machines, it should then be as simple as refereing to that particular drive letter.
This can be done by navigating to the folder in windows explorer, then clicking Map Network Drive.
I cannot guarantee this will work, buut it might be worth a go.
The IIS AppPool\DefaultAppPool user is a special account that is only local to the machine where it is being used. You cannot access network file shares with that account. You will either need to use the 'Network Service' account or a domain account as the app pool user.
Also, since you are load balancing this site between two servers, you might want to consider using some type of SAN or NAS storage that is shared between the two servers. Otherwise, you will need to come up with some kind of process to synchronize the file share on both servers.