I have an MVC Web application that generates Excel and PDF reports (using Crystal) using templates .xlt and .rpt, it generates the reports without a glitch when I place the templates in the web server itself but once I place the templates in a remote location then I get an Access Denied error which I found out through process monitor, screen shot below
When I manually browse the remote folder through explorer from the server its all OK and I can open the files I needed its just fires the access denied error when its the server reading the files. My web application is using the ApplicationPoolIdentity in Integrated Pipeline. Authentication is through impersonation and Windows Authentication. Whats even makes it confusing is that the User who runs the Excel templates is my self but I get the access denied, while user used in generating PDF is IIS Apppool.
Does anyone know how to resolve the access denied issue, I already tried putting all users full access on that folder but still it does not work.
ADDITIONAL INFO
I am using IIS 7.5, I also checked on the File Server where the share is, on the Event Logs the user registered is not me but with the following details
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x90eb7c7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: MYWEBSERVER
Source Network Address: 10.10.10.01
Source Port: 00000
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128
UPDATE
I need to use ApplicationPoolIdentity in this instance, so I am looking for a solution that can still use ApplicationPoolIdentity.
ANOTHER UPDATE
I tried #Davids suggestion below and now I get same error message
System.Runtime.InteropServices.COMException (0x800A03EC): Microsoft
Excel cannot access the file '\MyServer\Templates\MyTemplate.xlt'.
There are several possible reasons:
• The file name or path does not exist. • The file is being used by
another program. • The workbook you are trying to save has the same
name as a currently open workbook. at
Microsoft.Office.Interop.Excel.Workbooks.Open(String Filename, Object
UpdateLinks, Object ReadOnly, Object Format, Object Password, Object
WriteResPassword, Object IgnoreReadOnlyRecommended, Object Origin,
Object Delimiter, Object Editable, Object Notify, Object Converter,
Object AddToMru, Object Local, Object CorruptLoad) at
Ci.Infrastructure.Reporting.ReportProviderExcel.RunReport()
I believe your problem is because the application pool needs to be configured to run either as a domain account or network service account.
If you choose the latter you'll need to grant permissions to '<domainname>\<machinename>$' if you choose to run as a specific account then this is the user you will need to grant permissions to.
You've already granted everyone access, so it should just be a case of changing the app pool user, but once you have it working I recommend you restrict this to the specific account.
The following link will give you more information:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Related
I have an ASP.NET MVC 5 app hosted in IIS 10 on Windows 2016. Our sys admins have created a Managed Service Account (MSA) that is tied to this server and has read/write permissions to a folder on the network. I need to write PDFs to that folder from the web application using the MSA.
Currently, I'm simply trying to write a simple text file to the folder:
System.IO.File.WriteAllText(#"\\SomeUncPath\Reports\test.txt", "sample text");
The above produces this error, which is to be expected,
System.UnauthorizedAccessException: Access to the path '\SomeUncPath\Reports\test.txt' is denied.
I followed this video: https://www.youtube.com/watch?v=lBv81lwZgIo to no avail. It just caused the site to generate a 503 error.
Is it possible to write the files using C# impersonation, such as described in this article? But how do you impersonate an MSA, which has a password set by the system?
I tried the following code using the SimpleImpersonation:
var cred = new UserCredentials("myDomain", "someMsa$", "");
Impersonation.RunAsUser(cred, LogonType.Batch, () =>
{
System.IO.File.WriteAllText(#"\\SomeUncPath\Reports", "sample text");
}
);
The above throws this:
System.ArgumentException: Password cannot be empty or consist solely of whitespace characters. Parameter name: password
Update 1: The server is throwing the following error into the System log:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
And these two warnings:
Application pool SomePool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
and
The identity of application pool SomePool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
I tried this and rebooted the server but the issue persists.
Update 2: If I give the app pool my credentials, the app loads without any issues. It's only on the MSA that it fails with the above error/warnings. What could be wrong with the MSA?
Update 3: The issue was how I was adding the MSA to the app pool. I needed to include my domain in the username: myDomain\someMsa$. Once I had that in, it worked like a charm!
The issue had to do with missing the domain when setting the MSA as the app pool identity. When adding it, I needed to set it as myDomain\someMsa$ instead of simply someMsa$. What's strange is how IIS didn't give an error, perhaps because the MSA account was considered both a local and domain account.
Also, in our case, we didn't need the "Log on as a batch" permission for the MSA. It worked fine without it.
I've used Azure File storage to configure a shared storage space that my Build Server has access to - https://azure.microsoft.com/en-us/blog/azure-file-storage-now-generally-available/
I used the following command to attach the space:
net use Z: \\portalxyz.file.core.windows.net\drops /u:portalxyz abcdef==
This works on both my Azure VMs (Build server included, with agents on it) and my local machine - I can see the drive and read/write to it.
However when I attempt a build after setting the drop location (in the build definition) to this share \\portalxyz.file.core.windows.net\drops, I get the following:
Exception Message: The user name or password is incorrect.
Looking at the exception details in the Event Log on the server, I can see that a service user is being used. I've logged into the machine as that user and mapped the space using the above command, but the error persists.
What am I doing wrong?
You Build Server needs to have the storage account key to access the Azure file share,
There are two options to achieve this
1) Create a system/service account using your Azure storage account name and key and then run the build server with this account
2) Use CMDKey to persistent the credential under current user context (refer to this blog for details)
To Set up a drop folder on a file share for your on-premises build controllers
You must be a member of the Administrators group on the computer where the drop folder resides.
More info about how to set up a drop folder on a file share from MSDN.
I simply have a web api application on IIS server that simply writes to text file on C:\FileStorage\test.txt however when I call this webservice I get the internal 500 error, after expanding the error,I get the following error, how do I grant write access to this web service on IIS server?
"ExceptionMessage": "Access to the path 'C:\\FileStorage\\test.txt' is denied.",
"ExceptionType": "System.UnauthorizedAccessException",
"StackTrace": " at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)\r\n at
Grant permissions for that folder to the application pool. So you'd go to the C:\FileStorage folder in Windows and edit permissions, and add IIS APPPOOL\appPoolNameHere as a user, then give it full permissions.
Hope that helps.
EDIT
Step by Step Instructions...
-Open Windows Explorer
-Browse to your folder
-Right click the folder and go to Properties
-On the Security tab click Edit
-Click Add
-Under Locations, make sure it is pointing at your local machine, not a domain
-For the object name, enter below but replace MyAppPool with the name of your application pool...
IIS APPPOOL\MyAppPool
-Set the permissions to Full, or just add Write, or whatever you need.
or you can repalce APPPOOL to the name of your server or computer and with the IIS_ISURS.
example:
yourserver\IIS_IUSRS
See this Screen Shot
I am trying to access files from the shared folder(ftp location) in Asp.net application. It is working fine from visual studio. When i deploy same in IIS 7 , i am getting the following error
"Logon failure: the user has not been granted the requested logon type at this computer."
Stack Trace:
[IOException: Logon failure: the user has not been granted the
requested logon type at this computer. ]
System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
+9723522 System.IO.FileSystemEnumerableIterator1.CommonInit() +245 System.IO.FileSystemEnumerableIterator1..ctor(String path, String
originalUserPath, String searchPattern, SearchOption searchOption,
SearchResultHandler`1 resultHandler) +556
System.IO.DirectoryInfo.InternalGetFiles(String searchPattern,
SearchOption searchOption) +64 System.IO.DirectoryInfo.GetFiles()
+14
......
My application pool is running in NETWORKSERVICE mode
To which user in IIS i need to give the permission for accessing this folder? is it IUSER or NT AUTHORITY\NETWORK SERVICE ? How can i identify the current running user in IIS?
The reason the connection is refused it most likely a Group Policy which disallows access to that service by the user running the IIS service.
I would not want to give any of those system users permission to access a network resource. Other computers could potentially connect as well.
Instead - make your program authenticate with a guest account or another account which you create and give the appropriate permissions.
I would say that it would be a more secure approach.
You may be trying to log on interactively to a computer you can only access over a network, or vice versa.
Change your logon location. Try to log on either locally (interactively) or remotely (over the network), as appropriate. You may want to ask the person who administers computer security to change the security database so you can log on either locally or remotely.
To debug - look at Environment.UserName at the moment of exception. It will be either user that initiated request OR anonymous user.
To fix: if local files - granting permissions may be ok. If remote and using user's impersonated account - need to impersonate with another account that have permissions on remote machine as you can't use already impersonating account to access remote resource ("NTLM one hop").
Note: make sure you review security requirements when allowing access to files.
Hello any body helpme in this problem
iam created a c# application in windows xp system under administatar account.
when iam running this it is working well and accesing sqldatabase.
Now the problem is iam created one account uder groups as a guest account.
the account name is TRMS Accont and now iam login from this account and run the already created c# application under admin account.First it is logined to application
now it is showing this kind of error
Login failed for user 'LENOVO\TRMS Account.
when iam debugging the error is
Warning 1 Could not read state file "obj\Debug\ResolveAssemblyReference.cache". Access to the path 'D:\aug\TRMSFrontEnd\Transaction\obj\Debug\ResolveAssemblyReference.cache' is denied. Transaction
Warning 2 Could not read state file "obj\Debug\Transaction.csproj.GenerateResource.Cache". Access to the path 'D:\aug\TRMSFrontEnd\Transaction\obj\Debug\Transaction.csproj.GenerateResource.Cache' is denied. Transaction
Warning 3 Could not write state file "obj\Debug\Transaction.csproj.GenerateResource.Cache". Access to the path 'D:\aug\TRMSFrontEnd\Transaction\obj\Debug\Transaction.csproj.GenerateResource.Cache' is denied. Transaction
Error 4 Could not write lines to file "obj\Debug\Transaction.csproj.FileListAbsolute.txt". Access to the path 'D:\aug\TRMSFrontEnd\Transaction\obj\Debug\Transaction.csproj.FileListAbsolute.txt' is denied. Transaction
Those errors clearly show that you don't have sufficient privileges to access specific files .
Try to Run the program as Administrator . See Run As Administrator