Run .exe from PHP in IIS Server? - c#

I am trying to run an .exe of an application, which I have done in C #, from PHP on an IIS server and it doesn't work. I tried with exec, with shell_exec and with system.
I copy my current script:

When I monitor system() run in IIS. I also notice that IIS is running php application with IIS application pool identity. Have you ever tried to grant application pool identity(IIS Apppool\apppool name) read permission to access the application PrueDBF.ex?
I think MS process monitor would help you check read/write status. It would probably help you find the root cause.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

Related

ASP.net: Could not use <database file>; file already in use

I have an ASP.net web application (C#) hosted by IIS on my server that connects with an Access database. It's important that I can have the database open in Access and still use the website at the same time.
I get the "Could not use file; file already in use" error whenever I try this. I've done a ton of research on this topic but nothing really seems to work.
I have modify permissions added for IUSR, NETWORK SERVICE and IIS_IUSRS for the folder containing the database. None of this seems to work.
Oddly enough, I tried hosting the website from my local machine and the solution above solved the issue, but it does not work when hosting the website from my server.
My website also chokes up when trying to do an INSERT statement even when the database is closed. I get the error "operation must use an updateable query"
Any thoughts? Thanks.
In regards to:
but it does not work when hosting the website from my server
I am not sure about the rest of your configuration, but this may shed some light onto why you are getting different behaviors on different systems:
You should enable the same permissions (for the Database folder) for the Identity under which the Application Pool you have configured for your Application in IIS.
Open your Server's IIS Management Console
See what the Application Pool is for your App
right click on the Application node:
'manage Application' >> 'Advanced Settings' >> Application Pool
Open Application Pools View: Find the App Pool
right Click the App Pool >> Advanced Settings
Look for the Identity value
That is the Identity you should replicate the permissions for as you did on your local machine's folders
P.S.: It is usually recommended that you configure/create a dedicated App pool for each of your applications.
Hope this helps resolve your issue.

Cannot programmatically access network path through VPN

I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(#"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username “C:\ProgramFiles\Path\to\your\visualstudio”
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being ran. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can "wrapped" in a context the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation

Powershell Permissions not working remotely

Have the same issue as here:
Run PowerShell script from ASP.NET
I am trying to run powershell scripts on the server through an asp.net webpage. It works on the local server but does not work remotely. Remotely it returns nothing as if the script worked.
I tried modifying the permissions with icacls.exe
icalc.exe c:\test.ps1 /grant "IIS AppPool\DefaultAppPool:(OI)(CI)F"
This had no effect. When I read what the permissions are:
icalcs c:\test.ps1
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
I always get the same return even after I try and modify it. Where is IIS AppPool\DefaultAppPool?
Update
I have been using a script that just opens notepad for testing. When I run this locally notepad pops up. Remotely nothing seems to happen, but then I noticed in task manager there were tons of instances of notepad running. So it would seem that it is working but not how I expected. The end function I am trying accomplish is to add minimal remote capabilities. I also play movies off of my webserver and it would be nice to be able to remote some functions through my existing web interface. So the scripts would have to run on the current user. I suppose this may be better suited using WCF or another type of architecture, but it would be nice just to use my web interface for everything.
Make sure that PowerShell script execution has been updated on the remote server to allow script execution. If the web server runs as 32-bit then fire up an x86 PowerShell console on the machine in elevated (admin) mode and execute:
Set-ExecutionPolicy RemoteSigned
If the web page runs as 64-bit then do the same using a 64-bit elevated PowerShell console.

Remote PowerShell sessions from C# under ApplicationPoolIdentity

Using a Library I found from Microsoft, I have been attempting (with C#) to provision email accounts for my users with Live#Edu and the library uses remote PowerShell sessions to do this. I have wrapped the PowerShell calls with a using() { } block that impersonates a local administrator account. When I run the code on my own development machine it works great and provisions the account on Live#Edu, yet when I run the same code on the production server I get an Access is Denied error from PowerShell.
What I just noticed is if I change the IIS Application Pool user on the server to my own domain account everything works fine on the production server, but leaving it as ApplicationPoolIdentity does not work. So it appears that even though in my code I impersonate a local administrator, those credentials are not being passed on to the PowerShell session. Oddly enough, when the scripts run on my own machine, also under ApplicationPoolIdentity, there is no problem and that leads me to believe that the script is actually running under my own account on my machine (and I am a local administrator).
I did have the code spit out the value of $env:username and it gave me the machine name and I was expecting it to give me the actual username it runs under since that is what I get when I type that command directly into a PowerShell window.
When logged in to the remote server interactively using the credentials that I have been impersonating in code, I can manually type all of the PowerShell cmdlts into a PowerShell window and they work fine.
I don't want to have my IIS Application Pool always running under an administrator account as that sees foolish so is there a way of running the PowerShell script as an administrator that goes further than the current impersonation that I am doing?
UPDATE:
There was an odd thing that happened that sees to work as a solution for me. After deploying my code to the server I created added a local administrator account. I then went to the IIS Application Pool and changed the owner from ApplicationPoolIdentity to the admin account I just created. After that the page would work fine to run the PowerShell script. I already knew this from before, but didn't want to have IIS using an admin account. I then proceeded to set the Application Pool back to ApplicationPoolIdentity and removed the Local Admin account and the page still works!? I restarted IIS, and the Web Server itself, and everything works. All I can think is that moving the Application Pool over to an Admin account changed some attribute in the App pool permanently. I have now put a modified question on ServerFault.
Turns out the issue had to do with the Load User Profile option in the IIS App Pool for my app being set to False on the server (False is the default for Windows Server 2008). After reading up on this property I am not entirely sure why this matters for my scenario, but that was the one setting different in IIS on my local machine from what the Web Server had. Now all the PowerShell calls work flawlessly on the server.

Reading Files On Network From IIS7.5

I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetwrokService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS servers machine account.

Categories