I am developing an asp.net c# web-application to sign PDF files on the server side. I am using a USB Token to sign the PDF file. When i developed on the development box, I can able to sign the document. But when the same code is hosted on IIS , I cannot able to sign the document. I am not getting any exception too. The error provided is An Internal error occurred.
I got stuck on this stage. Please help me on this issue.
Its look like permission related issue, you could try to use the different application pool account like network service or custom account which user has full access control permission or try to give IIS_IUSRS and IUSR permissions to the USB.
you can capture some data using process monitor.
to set application pool identity in iis please follow the below steps:
1)open iis manager.
2)select the application pool and click on the advanced setting from the action pane.
3)click on the identity.
4)in application pool identity windows click the custom account radio button and set username and password or select built-in account like network service from the drop-down.
to set application pool permission use IIS AppPool\apppool name.
Related
I have an intranet web application developed using C# and .NET and it is hosted on our own internal webserver running IIS 8.5.
I have it set up the application pool to use the built in account ApplicationPoolIdentity and this works fine.
However I need the application to be able to browse a network drive so I have changed the application pool to use a custom account that has access to the network drive. I know it has access as I am using my login details here.
But when I browse to the website I get the following error
Service Unavailable
HTTP Error 503. The service is unavailable.
When I recycle the application pool with these new settings I get the following error:
There was an error while performing this operation Details The object
identifier does not represent a valid object. (Exception from HRESULT:
0x800710D8)
I have also tried using the server admin account but I get the same error messages.
Thanks
Edit
The following message is in the event log
The identity of application pool TestApplicationPool is invalid. The
user name or password that is specified for the identity may be
incorrect, or the user may not have batch logon rights. If the
identity is not corrected, the application pool will be disabled when
the application pool receives its first request. If batch logon
rights are causing the problem, the identity in the IIS configuration
store must be changed after rights have been granted before Windows
Process Activation Service (WAS) can retry the logon. If the identity
remains invalid after the first request for the application pool is
processed, the application pool will be disabled. The data field
contains the error number.
Try granting the user account permissions to access the required asp files and folders, from a command prompt
aspnet_regiis -ga "Domain\SomeAccount"
https://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.100).aspx
Also allow the account to logon as a service:
Start -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log on as a service
Also add the account to the IIS_WPG Group
In the Computer Management screen, under System Tools, expand Local Users and Groups, and then click Groups.
Right-click the IIS_WPG group, and then click Add to Group.
In the IIS_WPG Properties dialog box, click Add.
https://msdn.microsoft.com/en-us/library/aa544832(v=cs.70).aspx
The group is called IIS_IUSRS in newer versions of IIS.
You may also need the following:
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication
Log on as a batch job
Log on as a service
Replace a process level token
Don't forget to remove the custom account from the "Guests" group in Local Users and Groups
I have deployed an asp.net mvc web application on IIS 8 server inside an virtual machine (Windows server 2012 R2).
An azure file storage is mapped as network drive in this virtual machine Windows server 2012 R2.
Now my asp.net mvc web application needs to read the files and folders of this mapped drive by C# System.IO code. By default IIS is not allowed to access mapped drives.
That's why the web application is throwing System.IO exception
"Could not find the specified path Z:\"
. I also tried to pass "\\\\{storage-name}.file.core.windows.net\\{fileshare-name}
but still no success.
Can some one guide me with correct configurations and settings which I should do inside IIS and web application?
Finally, I succeeded to access the mapped network drive through IIS Server.
I performed following steps.
Create a new user account on VM.
The user name for this new account will be the Storage Account Name
The password for this user will be Storage account key which ends with "=="
After creating this new user account I changed the account type for this user to Administrator
Go to My Computer OR This PC
Attach the network drive with the help of Map network drive.. option.
Open IIS Manager window, go to Application Pools
Select the application pool which is being used by your web application (in my case it was DefaultAppPool and click on Advanced Settings... from right side pane.
Change the Identity for this application pool with newly created user account name and password.
Set Load User Profile to true.
Click OK to save changes.
Click on Recycle link from right side pane to refresh the selected application pool.
Now select your web application which is under Default We Site.
Click on Basic Settings... to open Edit Site dialog box.
Make sure that the Application Pool name is correct.
Click on Connect as... button and select Specific user radio button and then set the credentials with this newly created User name (Storage account name) and password (Storage account key).
That's it. Now you can simply write standard C# IO code to access the directory and files of mapped drive. Here is a sample example.
var allDirs = Directory.GetDirectories("\\\\<storageaccountname>.file.core.windows.net\\<storagefileshare>");
ViewBag.Items = allDirs;
Make sure that you access the files and folders by UNC path format only, just like I have done in above code.
I am trying to deploy an ASP.NET application on Windows Server 2012 (with IIS 8) but I'm getting an http error 503 when using the ApplicationPoolIdentity or a custom account, but not with NetworkService.
In order to narrow down the problem I set up a simple one page html application under the Default Web Site. This exhibits the same behaviour. I've given the custom account and the application pool identity full permissions on the application folder(s).
I've also checked the Windows event log and get this error: the worker process failed to initialize correctly the data is the error. 05000780. The application pool is stopped each time I try to browse the site (using applicationpoolidentity).
Have you made sure that the filesystem location has permissions for the user that you're trying to use?
NetworkService often has the correct permissions, but a new account most likely won't.
I changed the custom account to "Logon as a batch job" and all is now working.
The following post may look same but I was unable to correct the problem after attempting all the solutions provided as answers.
(Login failed for user 'DOMAIN\MACHINENAME$')
MY PROBLEM
I am deploying a asp.net web-app with forms authentication enabled on my IIS7 dev server in a Windows Network. My SQL Server is deployed on a remote box, in the same network, with necessary TCP ports opened for remote connections. All the domain users have been given access to necessary databases in SQL server.
Now when I try to run my web-app, following error comes up:
Login failed for user 'DOMAIN\MachineName$'.
I have already given adequate permissions to NT AUTHORITY\NETWORK SERVICE in my SQL server.
I don't want to give any permission to 'DOMAIN\MachineName$' in the SQL server as the developers keep changing the machine names for various test purposes.
The connecting string I am using is:
"Server=SQL-SERVER;Initial Catalog=MyDatabase;Integrated Security=SSPI;Persist Security Info=False"
SQL Provider is System.Data.SqlClient
Anonymous and Form authentication are enabled as my web-app contains login.aspx.
The point is that whenever you use NT AUTHORITY\NETWORK SERVICE as your application pool user, the system translates this in the network to DOMAIN\MachineName$.
What we do is to use the user name of the developer to connect to the machine by setting the username of the application pool to the developer's name.
I also encounter same problem in my intranet environment. The solution is simple yet hard to grab the idea. Usually, The IT Security In-charge will give you active directory service account to log in to your database. You can manage to log in with ssms but it fails in IIS because IIS choose to connect with domain/computername. So set custom account and fill in your domain/username and password.
In IIS Manager, select the application pool that your web app uses or
create a new one if you use the default one.
Click on “Advanced Settings” in the right Actions bar. Under Process Model, click on
the “Identity” value and select “Custom account”.
Click on the “Edit” and enter domain/user name and password for user account.
If you enter all information correctly, the pop-up will be closed successfully
without any error messages.
After that stop your Web Site.
Back again to your application pool and click on the “Recycle”.
Start your Web Site.
And that's it. you web application will successfully connect from IIS.
I'm trying to develop an intranet app/website that uses Windows authentication.
I'd like to test it with multiple users, for roles etc.
At the moment I'm only using my own domain account. Is there a way I could simulate different users for the site?
As a picture is worth a thousand words here it goes how to do it in IE based on 2GDev's comment copied here for clarity:
Go to Internet Options => Security => Local Intranet => Custom Level
and change the User Authentication to "Prompt for username and
password"
Click OK then Apply. Close the browser. Reopen it and point it to the website's URL you want to debug. You should happily see the login prompt where you can login with a different User account to simulate concurrency for example (this is what I'm doing right now here):
When you use Windows Authentication you can change your identity by running the browser as another user.
In windows, go to the browser exe (or a shortcut), right-click on the icon and select "Run as.." from the menu. This will prompt you to specify the username and password to run the account under.
Provided the identity you specify has access to the machine you are running on, the browser will then be running "as" identity specified. If you browse to a site using Windows Authentication, it will authenticate using the identity specified, instead of your own.
Use Impersonation...
From MSDN
Impersonation
An ASP.NET application can use impersonation to perform operations and
access resources with the security context of the authenticated client
or of a specific Windows account.
And in your web.config
<identity impersonate="true" username="TestUser" password="P#ssw0rd" />
How about to install and run the Virtual PC with some ready for download installed systems from MS ?
By running a virtual pc on your computer you can emulate connections to your pc and at the same time, its looks like a diferent computer, with diferent Ip.
In my case, there are db tables with users and their properties. In users table got login field (Domain/UserName). Also got custom Identity and Principal, which using this table to authenticate user in global.asax autherticate_request method.
To simulate different users in debug mode, there is special control rendered in master page (or layout page for mvc). It contain select box with all users, and apply button.
On server side after apply button click in session pushed emulated user login and sending refresh to response.
So in next authenticate event occured checking for emulated user login in session and if it exists then authenticate continues based on emulateded login.
Bad side: need sync service to always have actual user table based on current AD.