We have a web services which runs on a windows server and we have images hosted on a Linux server (NAS Box). What we need to do is allow a VB.NET web service to write to the Linux server.
I understand that you have to grant the application pool access rights to the machine, but I can't see any way to do this.
We are simply writing a byte array. At the moment we have granted everyone full rights but we still get the exception:
System.UnauthorizedAccessException: Access to the path '\****Some Directory****' is denied.
Thanks for the help.
I have inherited an IIS server running Windows Server 2012 and am a bit of a novice with Microsoft server products.
One of the users is trying to execute CMD/Bat files to launch a DNX web application through IIS. From what I understand, for IIS to run the script the user assigned to the application pool needs to be granted permissions to run bat/cmd files. These permissions need to be set for the user somehow.
Having looked at the standard tools installed on the windows system (Computer Management > Local Users / Group) I have been unable to find any option to grant permissions.
I'm just wondering how secure this solution is? And how to grant the permissions to the user?
Things work a bit differently with ASP.NET Core 1/dnx. IIS is only supposed to act as a reverse proxy, i.e. the ASP.NET Core application runs in a separate process using the Kestrel web server as a host, and IIS only forwards requests to the application. Take a look at this article which explains how to publish an ASP.NET Core 1/dnx app to IIS.
Here is what happened. I run a web application on Windows Server 2008 R2. The app pool it uses runs under the LocalSystem account. The application complained about "NT Authority\SYSTEM" not having access to my database, so I added that user to the database. It all worked fine until yesterday, when the application started complaining about "Development\MyMachineName$" not having access to my database. The app pool is still running under the "LocalSystem" account. I am confused why it has now changed the identity.
While playing around I ended up removing my username from SQL Server security. My SQL Server 2012 instance is running in Windows authentication mode. Now I can't connect to the SQL instance. To fix this, I found someone suggested using "psexec -i -s ssms" to launch Management Studio under the "NT Authority\System" account. When I tried this, Management Studio tries to log on with "Development\MyMachineName$" as well. I am now wondering what happened to the "NT Authority\SYSTEM" identity.
Thanks in advance for the upcoming help :)
EDIT:
My SQL Server instance is on the same machine as the web application, i.e. it's a dev machine where I have IIS and SQL Server running for development.
Lots of stuff going on here, so hopefully this will clarify things for you.
I run a web application on Windows Server 2008 R2. The app pool it uses runs under the LocalSystem account. The application complained about "NT Authority\SYSTEM" not having access to my database, so I added that user to the database.
If the database server is local to the IIS server, that's fine (though I would still use a domain account to run the app pool). If the database server is remote from the IIS server, then the "local system" pool will attempt to authenticate to a network resource, which will transition to using the computer account Domain\Computer$ (as would Network Service).
It all worked fine until yesterday, when the application started complaining about "Development\MyMachineName$" not having access to my database. The app pool is still running under the "LocalSystem" account.
I can't tell from your question if these are the same server or not, more clarification would be needed.
While playing around I ended up removing my username from SQL Server security. My SQL Server 2012 instance is running in Windows authentication mode. Now I can't connect to the SQL instance. To fix this, I found someone suggested using "psexec -i -s ssms" to launch Management Studio under the "NT Authority\System" account. When I tried this, Management Studio tries to log on with "Development\MyMachineName$" as well. I am now wondering what happened to the "NT Authority\SYSTEM" identity.
NT Authority\System is a special built-in identity and does not traverse network resources; if it needs to, it authenticates as the computer account Domain\Computer$. I don't know the whole setup from your text, but for the psexec approach to work it would have to start ssms on the database server, or it will continue to use the computer account. If you need access back, be a member of the server admins Windows group and start SQL Server up in single-user mode, connect with Windows authentication (locally) and add your login back in.
We'd need an infrastructure diagram to get more into it, but the basics are:
Built-in identities and accounts can't authenticate on a network unless they use the computer object.
Built-in identities and accounts are only good for the server they are on and local to.
Giving permissions to anyone who could access that computer (through the computer object) is grossly over-provisioning permissions.
If you are running an application, the identity is yours, so you could have been authenticating with your account the whole time while testing. While individual threads can have different identities, most applications inherit the identity that spawned the process, and in this case it is most likely yours.
I think I figured it out. The reason was that when the connection string uses the computer name, it forwards "MACHINE$" as the identity, but when it is using localhost, it forwards "SYSTEM" as the identity.
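A way to confirm which identity and which transport a given connection actually used, as an added example that is not part of any post above; it only reads SQL Server's own DMVs and error log and assumes nothing about machine or database names:

```sql
-- Added diagnostic (not from the posts above). Run in SSMS after the
-- application has made a request; compare login_name and net_transport
-- for the application's sessions against what the connection string targets.
SELECT
    s.session_id,
    s.login_name,            -- identity SQL Server authenticated, e.g.
                             -- NT AUTHORITY\SYSTEM, DOMAIN\MACHINE$ or IIS APPPOOL\MyAppPool
    s.nt_domain,
    s.nt_user_name,
    c.auth_scheme,           -- NTLM, KERBEROS, or SQL for SQL logins
    c.net_transport,         -- Shared memory / Named pipe = local, TCP = network path
    c.client_net_address,    -- '<local machine>' for shared-memory connections
    s.host_name,
    s.program_name
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;

-- The same for the session running this query (useful when testing psexec -s):
SELECT SUSER_SNAME()    AS login_name,
       ORIGINAL_LOGIN() AS original_login,
       (SELECT net_transport FROM sys.dm_exec_connections
         WHERE session_id = @@SPID) AS net_transport;

-- Failed logons are recorded in the SQL Server error log with the identity
-- the client presented; this reads the current log (0) of the SQL engine (1)
-- filtered to login failures.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
```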
Basic Problem:
I have a web application that accesses a SQL Server database on the same machine. The web app runs under its own app pool; let us call it MyAppPool. If I go to Advanced Settings in IIS Manager, I can see that MyAppPool runs under ApplicationPoolIdentity. When I make requests to the web app, I can open Task Manager and verify that the username of w3wp.exe is MyAppPool. In SQL Server, I have added a Windows user IIS AppPool\MyAppPool and given it the necessary permissions to read from the db. The problem is that I am getting a login failed for DOMAIN\MACHINE$ when a logon is attempted to SQL Server. It's beyond me. Why is the app not logging on as IIS AppPool\MyAppPool?
Details:
I know variants of this question have been asked elsewhere, but I am really stuck without a solution. I experimented with adding a <identity impersonate="true" /> to the web.config. If I do this, I get a login failed for NT AUTHORITY\IUSR. I have tried accessing the web app from the machine on which it is hosted and get the same login error. I am running IIS8, Windows Server 2012, and SQL Server 2012.
Closest question I could find is Why is my MVC app trying to log into my DB as my machine, and not as the App Pool identity?, and the solutions provided do not work. I cannot change Integrated Security to be false (I had this thing running in the past). Quoting https://stackoverflow.com/a/15145488/147530:
ApplicationPoolIdentity uses IIS AppPool\ApplicationPool for local access, but DOMAIN\MACHINE-NAME$ for remote access
sounds reasonable. The question is why ApplicationPoolIdentity is not using the IIS AppPool\MyAppPool identity when the db is hosted on the same machine?
Quoting another SO post, IIS application using application pool identity loses primary token?:
This application also connects to a SQL Server database using Integrated Security=true in the connection string. If the database is local, then we see that IIS APPPOOL\OurAppPoolName is used to connect to the database; if the database is remote, then the machine account OURDOMAIN\ourwebserver$ is used.
This is the behavior I want, but I am not getting it, and that is what I am asking in this question - I don't want to give permissions to DOMAIN\MACHINE-NAME$ to log onto SQL Server. Quoting https://stackoverflow.com/a/15445280/147530:
I think that's a bad idea, however, because it authorizes any program running as NetworkService to access the database - not just your web applications.
I tried one more thing, which was to enable Windows Authentication on IIS8 using this link http://www.iis.net/learn/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2#ModulesinIIS85 but this has also not solved the problem.
Fixed this problem. In SSMS, there is a path machine -> Security -> Logins which contains users who can log onto the machine. I had not added the app pool to this list. I had only added the app pool to machine -> Databases -> my database -> Security -> Users.
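The fix described above as a script, added here as an example and not taken from the post: it creates the server-level login, maps it to a database user with a read-only role, and then checks for Windows users that exist in the database without a matching login. MyAppPool and MyDatabase are placeholder names.

```sql
-- Added example (not from the post). Placeholders: MyAppPool, MyDatabase.
-- A database user alone is not enough: SQL Server first needs a server-level
-- login (SSMS: Security -> Logins) for the principal, otherwise the connection
-- is rejected before any database-level permission is consulted.
USE [master];
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\MyAppPool')
    CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS
        WITH DEFAULT_DATABASE = [MyDatabase];
GO
USE [MyDatabase];
GO
-- Map the login to a database user and grant only the role the app needs.
-- Prefer db_datareader/db_datawriter or explicit GRANTs over db_owner, and
-- grant to the app pool identity rather than to DOMAIN\MACHINE$, which would
-- admit every service on that host.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'IIS APPPOOL\MyAppPool')
    CREATE USER [IIS APPPOOL\MyAppPool] FOR LOGIN [IIS APPPOOL\MyAppPool];
GO
ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\MyAppPool];
GO
-- Audit: Windows users/groups in this database whose SID has no server login.
-- This is the state the post describes (user added under Databases -> ... ->
-- Security -> Users only) and such principals cannot log on at all.
SELECT dp.name AS db_user_without_login, dp.type_desc
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
    ON sp.sid = dp.sid
WHERE dp.type IN ('U', 'G')      -- WINDOWS_USER, WINDOWS_GROUP
  AND dp.sid IS NOT NULL
  AND sp.sid IS NULL;
GO
```

If the audit query returns the app pool user, re-running the first part of the script (or ALTER USER ... WITH LOGIN) repairs the mapping.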
After uninstalling an Oracle 10 client / security patch (don't know what triggered it) I'm having trouble with users accessing our SSRS test server.
First thing that happened was that the SQL service and SSRS service refused to start under NT AUTHORITY\SYSTEM. When I changed that to local service both started...
I (as a domain admin) can access our reports, but users (who are both browser / content manager on site settings & folder settings) get:
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access.
I'm almost at the point of restoring an image (I'd prefer not to, since I've changed a lot since the image was made, yeah I know.. my mistake...), hope someone has a clue / idea?
Kind regards,
Mike
Solved!
After granting the appropriate AD group read & execute rights on C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services the 401 disappeared!!
My users can connect to the report server and my .NET app can connect to the report service / asmx.
Don't know what triggered it or why it's necessary to grant access on the file system, but it's a quick relief compared to my alternatives..
Regards,
Mike
I have already created the program to restart a SQL database, but it only works if the client has the rights. This is going to be done on a local network from a client computer when they can't get a person that has the password on the phone. Any thoughts? I'm currently using the ServiceController to start and stop the database. When I don't have the rights I get an access denied error, or "This operation might require other privileges". Not sure if impersonation would work since I don't have the user id and password.
Set up a service on an account with enough rights to do the restart and write another application that will communicate with that service and tell it to do the restart.
You said in a comment "If we could get connected to the server we wouldn't need to run this program."
There is no solution without some rights on the SQL Server box, be it using a web page, WMI, a local service, whatever.