I'm getting the following exception using AWSSDK v 3.5.1.58:
The encrypted store is not available. This may be due to use of a non-Windows operating system or Windows Nano Server, or the current user account may not have its profile loaded.
This is due to the application unable to use crypt32.dll. Now this is strange since the file is in System32 running on Server 2019 and IIS 10. There's no real documentation around this. I'm using ADFS auth. FederatedAWSCredentials
This works fine on local dev, but not once deployed.
The file generating the error can be found here: https://github.com/aws/aws-sdk-net/blob/133eddb00a3fbd2ab395e01c3d84ac9fe1ff38b2/sdk/src/Core/Amazon.Util/Internal/SettingsManager.cs on line 213
So the issue was in IIS.
I was running the Application Pool as the user that needs to be authenticated, which is correct. But you also need to set the following:
Application Pool -> Advanced Settings -> Process Model -> Load User Profile = True
RDP to your server
and follow the steps in the image
Related
I'm in my way to use Always Encrypted on an existing .Net Framework 4.8 WebApi codebase. The solutions runs locally (for development) on IIS on ApplicationPoolIdentity (Windows 10).
I've set up a sql query which accesses a SQL Server database with an encrypted column.
I'm using VisualStudioCredential locally to access the key vault.
Running the same code from a simple console app works, but when running on IIS VisualStudioCredential cannot access the token provider file under C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json.
Indeed this file does not exists, it does exists in C:\Users\<my-username>\AppData\Local.IdentityService\AzureServiceAuth.
It tried running the pool under my own identity, but then it search the file C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json which does not exists.
Any suggestion on how to get it to work would be appreciated.
[Edit]
I have tried pretty much all the TokenCredential implementation available under Azure.Identity with no success. I think VisualStudioCredential is the way to go, but I'm open to other suggestions. Even an interactive prompt would be OK for me since it is for development purpose, but InteractiveBrowserCredential fails on the worker process.
The link posted by #LexLi in the comments explains the problem.
Azure.Identity.VisualStudioCredential cannot be used with ApplicationPoolIdentity on IIS. The pool must run under the developer's name.
I ended up configuring an application in azure AD for dev environments and using clientId/clientSecret.
I'm building an ASP.NET application that requires printing using PrintDocument method:
PrintDocument.Print()
Printing works properly in development env with IIS express. when publishing it to an intranet IIS server, printing fails, which I think is caused by permission issue for aspnet working process.
I tried to do the following with no success:
I created an application pool in integrated pipeline mode for an admin local user with load user profile option set to true
I moved the application to the new created application pool
I added <identity impersonate="true" username="username" password="*****"/> in web.config file
An error appeared stating that: An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode so I added <validation validateIntegratedModeConfiguration="false"/> to <system.webServer> section.
Any help please?
I think you might be misunderstanding some fundamental concepts here. When you use PrintDocument.Print() you are printing on the server. When you deploy your application in IIS this printing will happen on the server computer that is hosting your application. The reason why you thought your code was working in IIS Express is because you were hosting your application on the same computer as the client browser that was testing it. Also you were running your application under your account which had a printer configured.
You cannot print directly to the client computer from a web application. That would be a big security issue. The best you could do is provide some HTML document using a print media CSS type. Then if the user decides, he might print it in his browser.
If on the other hand you want to print on some printer that is attached to your web server, you will need to configure the Application Pool in IIS to run under an identity that has a printer configured in its profile.
Hopefully I am understanding your question correctly, but I just had some confusion myself with this. Our setup at my work is Windows Server 2008 R2 with IIS 7.
We have a print server as well installed on the same box (not sure if it matters as this is not my area of expert).
Basically, viewing the installed printers using, PrinterSettings.InstalledPrinters I was able to see all the printer names installed on the server.
I attach a debugger to the application process to debug and I can just use the debugger to see this, otherwise you will have to run a loop to print through these. If you run this locally, you will see only the printers installed on your machine. If they are network printers, then the full path will be shown. So determine the path/name the server will recognize the printer as and then set that to the printer name explicitly using the,
PrinterSettings.PrinterName property of the PrintDocument class. This worked for me. Also, my application pool identity is set to NetworkService.
I think the original poster has gotten a lot of flack for their question. If you want to generate .PDFs using GhostScript, for example, you install a printer driver and create a printer for it. You can suppress the Saveas() dialog in many languages by providing one ahead of time. This was feasible in earlier versions of IIS (that may have been less secure), but is harder to do in IIS 8.
I think this issue is caused by IIS inhibiting access to the local printer queue. This is either caused by not being in the NT AUTHORITY\INTERACTIVE group at runtime, or because IIS will put the user, (whomever is running the app pool) in two groups: IIS APPPOOL\, and BUILTIN\IIS_IUSRS.
You can validate all this by looking at the thread permissions using a tool like Sys Internal's Process Explorer.
I have faced same issue and I found the following solution and it worked for me.
1 - Go to printer and setting of system
2 - Select Printer
3 - Go to Printer Properties
4 - Security
5 - Click on Add "IIS AppPool\DefaultAppPool" as object name and click on check name (Default Pool will be your Pool Name)
6 - Give permission Manage This Printer and Manage Document permission.
7 - Restart IIS
I have an ASP.net web application (C#) hosted by IIS on my server that connects with an Access database. It's important that I can have the database open in Access and still use the website at the same time.
I get the "Could not use file; file already in use" error whenever I try this. I've done a ton of research on this topic but nothing really seems to work.
I have modify permissions added for IUSR, NETWORK SERVICE and IIS_IUSRS for the folder containing the database. None of this seems to work.
Oddly enough, I tried hosting the website from my local machine and the solution above solved the issue, but it does not work when hosting the website from my server.
My website also chokes up when trying to do an INSERT statement even when the database is closed. I get the error "operation must use an updateable query"
Any thoughts? Thanks.
In regards to:
but it does not work when hosting the website from my server
I am not sure about the rest of your configuration, but this may shed some light onto why you are getting different behaviors on different systems:
You should enable the same permissions (for the Database folder) for the Identity under which the Application Pool you have configured for your Application in IIS.
Open your Server's IIS Management Console
See what the Application Pool is for your App
right click on the Application node:
'manage Application' >> 'Advanced Settings' >> Application Pool
Open Application Pools View: Find the App Pool
right Click the App Pool >> Advanced Settings
Look for the Identity value
That is the Identity you should replicate the permissions for as you did on your local machine's folders
P.S.: It is usually recommended that you configure/create a dedicated App pool for each of your applications.
Hope this helps resolve your issue.
We are using ASP.NET Identity 3.
Our users are randomly getting signed out automatically. To reproduce this issue, I tried application restart, all users signed out, even those who had checked Remember me.
It only happens in Production, works fine on development environment.
Update:
We have only one server in production.
You will need to configure data protection in the production server. I assume that in your local machine the website runs as a local user so the registry hives can be created and read. While if you run it as a user without a local profile (default IIS app pool user option), it may not have the permission/s to create or read the keys required. You'll need to run this provisioning script in that case.
Have a good read about their guide on Publishing to IIS. That step is documented there.
The production machine might be using multiple servers. In that case, the server to which a user first connects might not be the same server to which that user later connects. In that case, if you are using session IDs, you must keep user sessions in sync across servers.
Long time reader, first time poster.
I'm developing a Windows Service in C# .Net 3.5 to perform Text to Speech operations.
I'm using System.Speech (Microsoft Speech API 3.x).
I deployed the service to a Win2008 x64 server and it's now throwing the following exception:
System.InvalidOperationException: No voice installed on the system or none available with the current security setting.
at System.Speech.Internal.Synthesis.VoiceSynthesis.Speak(Prompt prompt)
at System.Speech.Synthesis.SpeechSynthesizer.Speak(Prompt prompt)
at System.Speech.Synthesis.SpeechSynthesizer.Speak(String textToSpeak)
The service is running under a domain account. If I change the service to run under my own personal domain account (which has pretty high privileges), everything works perfectly (so a voice [Anna] is definitely installed). So I'm quite certain it's a security issue.
What permissions/modifications do I need to make to the other domain account to make this work?
And it needs to be this specific user because it's used for Windows auth for a MSSQL database.
Thanks in advance.
Simple fix: Grant read/write access to C:\windows\system32\config\systemprofile\appdata\roaming for the same user that the service is running under.
More Info: Tested on Windows 10 Framework 4.6.2: Microsoft Speech needs file read/write access to the "roaming" folder in order to create the ...\roaming\Microsoft\Speech folder to store files there.
If your service user is not a member of a group that has read/write access to the following registry keys, you may need to add these rights as well:
For the following, include WOW6432Node for 32 bit apps, leave it out for 64 bit apps
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SPEECH\Voices\Tokens(VOICE NAME)
Example: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SPEECH\Voices\Tokens\TTS_MS_EN-US_DAVID_11.0
and:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SPEECH\Voices\Tokens(VOICE NAME)\Attributes
Example:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SPEECH\Voices\Tokens\TTS_MS_EN-US_DAVID_11.0\Attributes
You may need to switch the owner of these registry keys away from TrustedInstaller to your user, or the administrators group , to make these changes
If your application runs under IIS, add the above rights for the application pool user.
In x64 OS, this is caused by AnyCPU build configuration. Switch to x86 build configuration and it should work.
i exited Visual Studio and reopened it after it saved, and the problem was solved.
Simply, run the app as "administrator". ;)