I'm building an ASP.NET application that requires printing using PrintDocument method:
PrintDocument.Print()
Printing works properly in development env with IIS express. when publishing it to an intranet IIS server, printing fails, which I think is caused by permission issue for aspnet working process.
I tried to do the following with no success:
I created an application pool in integrated pipeline mode for an admin local user with load user profile option set to true
I moved the application to the new created application pool
I added <identity impersonate="true" username="username" password="*****"/> in web.config file
An error appeared stating that: An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode so I added <validation validateIntegratedModeConfiguration="false"/> to <system.webServer> section.
Any help please?
I think you might be misunderstanding some fundamental concepts here. When you use PrintDocument.Print() you are printing on the server. When you deploy your application in IIS this printing will happen on the server computer that is hosting your application. The reason why you thought your code was working in IIS Express is because you were hosting your application on the same computer as the client browser that was testing it. Also you were running your application under your account which had a printer configured.
You cannot print directly to the client computer from a web application. That would be a big security issue. The best you could do is provide some HTML document using a print media CSS type. Then if the user decides, he might print it in his browser.
If on the other hand you want to print on some printer that is attached to your web server, you will need to configure the Application Pool in IIS to run under an identity that has a printer configured in its profile.
Hopefully I am understanding your question correctly, but I just had some confusion myself with this. Our setup at my work is Windows Server 2008 R2 with IIS 7.
We have a print server as well installed on the same box (not sure if it matters as this is not my area of expert).
Basically, viewing the installed printers using, PrinterSettings.InstalledPrinters I was able to see all the printer names installed on the server.
I attach a debugger to the application process to debug and I can just use the debugger to see this, otherwise you will have to run a loop to print through these. If you run this locally, you will see only the printers installed on your machine. If they are network printers, then the full path will be shown. So determine the path/name the server will recognize the printer as and then set that to the printer name explicitly using the,
PrinterSettings.PrinterName property of the PrintDocument class. This worked for me. Also, my application pool identity is set to NetworkService.
I think the original poster has gotten a lot of flack for their question. If you want to generate .PDFs using GhostScript, for example, you install a printer driver and create a printer for it. You can suppress the Saveas() dialog in many languages by providing one ahead of time. This was feasible in earlier versions of IIS (that may have been less secure), but is harder to do in IIS 8.
I think this issue is caused by IIS inhibiting access to the local printer queue. This is either caused by not being in the NT AUTHORITY\INTERACTIVE group at runtime, or because IIS will put the user, (whomever is running the app pool) in two groups: IIS APPPOOL\, and BUILTIN\IIS_IUSRS.
You can validate all this by looking at the thread permissions using a tool like Sys Internal's Process Explorer.
I have faced same issue and I found the following solution and it worked for me.
1 - Go to printer and setting of system
2 - Select Printer
3 - Go to Printer Properties
4 - Security
5 - Click on Add "IIS AppPool\DefaultAppPool" as object name and click on check name (Default Pool will be your Pool Name)
6 - Give permission Manage This Printer and Manage Document permission.
7 - Restart IIS
Related
Question edited to show some new screenshots of my attempt to give DefaultAppPool access to the database...(the rest of the question is the same, and unchanged):
The rest of the question, unchanged:
Database access was not a problem with the built-in IIS Express, because my program was running under the user logged into windows. I am new to Web Development.
With Windows Home, you are not allowed to use Windows Authentication--the option is not even present when you go to add\remove feature, and consensus is that you have to upgrade your OS for this to be available.
Hence, the program runs under the app pool account.
So I tried to go into SQL Server and give IIS APPPool\DefaultAppPool account access, but it would not let me.
So I went ahead and turned on impersonation, so that it will run under IUSR account, and I gave that account access to the database, as per screenshots.
But the program still crashes and reports that, "Login Failed..."
How do I run the program in IIS and not IIS Express?
As far as I know, there is no need to use impersonation to access the sql server. The reason why you get account not found error is you use the wrong application pool name.
If you type in the {yourcomputername}\DefaultAppPool, it is not regarded as the application pool identity.
You should use IIS AppPool\DefaultAppPool instead of the {yourcomputername}\DefaultAppPool.
Details, you could refer to below image:
I have a prototype .net web site that is on Windows 10, created using C#. I am using IIS on the same machine to deploy from Visual Studio 2017. It uses SQL Server for back-end data. The site only runs on intranet.
It deploys ok, I can see all the pages, from all three of my machines. But others cannot see anything. They get a run-time error, that does not say anything specific.
My machine was re-imaged and hence the need to redo this.
I looked at IIS log and it does not have any info. What else I can look into?
In web.config, turn off custom error mode to see detailed error message on the client:
How to set web.config file to show full error message
If it works locally and not remotely, it's likely a permissions error (accessing a resource that the client doesn't have access to), or maybe a pathing issue (you are referring somewhere to something by disk or UNC instead of URL, or to a domain that only makes sense to you, like localhost).
I have an ASP.net web application (C#) hosted by IIS on my server that connects with an Access database. It's important that I can have the database open in Access and still use the website at the same time.
I get the "Could not use file; file already in use" error whenever I try this. I've done a ton of research on this topic but nothing really seems to work.
I have modify permissions added for IUSR, NETWORK SERVICE and IIS_IUSRS for the folder containing the database. None of this seems to work.
Oddly enough, I tried hosting the website from my local machine and the solution above solved the issue, but it does not work when hosting the website from my server.
My website also chokes up when trying to do an INSERT statement even when the database is closed. I get the error "operation must use an updateable query"
Any thoughts? Thanks.
In regards to:
but it does not work when hosting the website from my server
I am not sure about the rest of your configuration, but this may shed some light onto why you are getting different behaviors on different systems:
You should enable the same permissions (for the Database folder) for the Identity under which the Application Pool you have configured for your Application in IIS.
Open your Server's IIS Management Console
See what the Application Pool is for your App
right click on the Application node:
'manage Application' >> 'Advanced Settings' >> Application Pool
Open Application Pools View: Find the App Pool
right Click the App Pool >> Advanced Settings
Look for the Identity value
That is the Identity you should replicate the permissions for as you did on your local machine's folders
P.S.: It is usually recommended that you configure/create a dedicated App pool for each of your applications.
Hope this helps resolve your issue.
I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(#"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username “C:\ProgramFiles\Path\to\your\visualstudio”
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being ran. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can "wrapped" in a context the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation
I am trying to get my silverlight application running with elevated privileges in browser. However, no matter what I do, it doesnt get elevated.
I have tried to add registry key AllowElevatedTrustAppsInBrowser (as DWORD with value 1), and signed the XAP file using VS 2012. I also came across a blog that mentioned the clientaccesspolicy.xml file, but I was not able to allow elevated privileges with this either. I put the xml file inside the web project hosting the html file that displays the XAP.
Has anyone actually managed to get this to run?
I also tried following this: http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2011/04/27/silverlight-5-beta-rough-notes-trusted-apps-in-the-browser.aspx but im unsure about where to run the commands he runs on windows.
There is a good summary on how to enable in-browser elevated trust by Mister Goodcat here, where he also provides some troubleshooting tips:
One thing to keep in mind is that even if your application runs as trusted in-browser app, it is still subject to the security restrictions the browser itself imposes. That means that its possibilities may be much more restricted than if they ran out of browser, for example by Internet Explorer's Protected Mode. In addition, the Silverlight runtime itself restricts use of certain features for in-browser trusted apps, for example you cannot use the Window class and/or create additional windows when you're running in the browser.
If none of the above applies to you and you still run into problems, one thing to do is check whether your certificate(s) have been installed correctly. There's a snap-in for the management console for this. Here is an article that describes how to get there (note that you should add a snap-in for your user account, not the computer account as in this description).
You can also check whether your registry key is actually and successfully queried, for example by using a tool like Process Monitor from the Sysinternals Suite. Watch for operations of type "ReqQueryValue" of your browser executable that access the key we created above, and make sure the Result is "SUCCESS".