I have inherited an IIS server running Windows Server 2012 and a bit of a novice with Microsoft server product.
One of the users is trying to execute CMD/Bat files to launch DNX web application through IIS. From what I understand, for IIS to run the script the user assigned to the application pool needs to be granted permissions to run bat/cmd files. These permissions need to be set to the user some how.
Having looked at the standard tools installed on the windows system (Computer Management > Local Users / Group) I have been unable to find any option to grant permissions.
I'm just wondering how secure this solution is? And how to grant the permissions to the user?
Things work a bit differently with ASP.NET Core 1/dnx. IIS only supposed to act as a reverse proxy - i.e. the ASP.NET Core application runs in a separate process and is using Kestrel web server as a host and IIS only forwards requests to the appliaction. Take a look at this article which explains how to publish ASP.NET Core 1 /dnx app to IIS.
Related
I am starting to write an open source application which is intended to be deployed on premises with MS SQL Server as backend. Now I was wondering how to go about deploying the application and the SQL Server backend.
For MSSQL there is a pretty clear installation path but I was wondering how I could create an easy installer for the web application. The idea is to copy the website to some location, start it and then call a special installation controller where the user could specify a database user with elevated privileges (such as the 'sa' user). The website should then create some database users, views and tables on that database and perform the initial setup. Additionally, it should also modify the configuration of the website to use the correct database user.
Of course, other ideas are welcome as well. How do you handle the deployment of a website for a small company which doesn't have dedicated IT staff.
Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool - let us call it MyAppPool. If I goto advanced settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open task manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows User IIS AppPool\MyAppPool and given it necessary permissions to read from db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. Its beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local
access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. Question is why is ApplicationPoolIdentity not using IIS AppPool\MyAppPool identity when db is hosted on same machine??
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using
Integrated Security=true in the connection string. If the database is
local, then we see that IIS APPPOOL\OurAppPoolName is used to connect
to the database; if the database is remote, then the machine account
OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program
running as NetworkService to access the database - not just your web
applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> security -> logins which contains users who can log onto the machine. I had not added the apppool to this list. I had only added the apppool to machine -> databases -> my database -> security -> users
We have a web services which runs on a windows server and we have images hosted on a Linux server (NAS Box). What we need to do is allow a VB.NET web service to write to the Linux server.
I understand that you have to grant the application pool access rights to the machine but I cant see any way to do this.
We are simply writing a byte array. At the moment we have granted everyone full rights but we still get the exception:
System.UnauthorizedAccessException: Access to the path '\****Some
Directory****' is denied.
Thanks for the help.
To deploy via web deploy to IIS7 from Tfs Build - does the user tfs build is running under need to be administrator on the destination server?
I am working with MVC 4 .net app.
Requiring administrator access is the default, but MSDeploy supports non-administrator deployments as long as you're only deploying files, ACLs and database changes. If you need you deploy IIS settings, you'll still need administrator access.
There are instructions on configuring non-admin deployments on iis.net
I have an ASP.NET application which needs to connect to Analysis Services database.
All components are on the same machine:
Web application
IIS
Visual Studio 2008
SQL Server 2008
My domain account (DOMAINNAME\MyWindowsUsername) is an administrator on the SQL Server and also in "Administrators" group on the local machine.
Web application uses Windows Authentication and identity impersonate="true".
My IIS Windows Authentication settings (I have also tried other combinations but no success...):
Extended Protection: Off
Enable Kernel-mode authentication: true
Enables Providers: NTLM
When I use web application on ASP.NET Development Server (deployed from Visual Studio) then everything works ok. My domain account and corresponding database roles are recognized correctly, and security is working as defined in database roles.
But, when I deploy the same web application (without any changes in code) to IIS I get error (in browser):
An error was encountered in the transport layer.
The peer prematurely closed the connection.
In SQL Profiler (for IIS case when connection fails) I get only these two events:
Audit Login MyWindowsUsername DOMAINNAME
Audit Logout MyWindowsUsername DOMAINNAME
It seems Analysis Services recognizes the impersonated account, but still the connection breaks.
I have noticed that ASP.NET Development Server runs under DOMAINNAME\MyWindowsUsername while IIS under LocalSystem (the default setting). I tried to play with the accounts, adding various system/network account as Analyis Services administrators (just to understand the logic behind this), but also with no success (always the same error).
You must use delegation to pass on the user credential from the web browser to SSAS,
http://msdn.microsoft.com/en-us/library/ff647404.aspx
ASP.NET Development Server simply runs under your log on account, which prevents you from noticing this issue earlier.