Access denied to write a file with my C # WCF webService - c#

I hosted a WCF web Service on my server Windows 2008 R2.
Everything works perfectly on my localhost project Visual Studio 2012.
However, once deployed on my server. My application throws an exception when my WCF trying to save an XML file in the C:\.
I immediately think it came from a permissions problem. I've tried adding rights in writings on the user IUSR but it changed nothing. I even tried to apply all the rights to the user "Everyone". But without success!
An idea ? thanks
Here's screenshots of on the configuration of my project:
Code that throws the exception:
XmlTextWriter myXmlTextWriter = new XmlTextWriter("c:/world.xml", null);

Why are you saving to the root drive folder? What happens when you try and save to for example C:\Stuff?
If this isn't running as something like Network Service I would hazard a guess it's because of something like UAC which will prevent you from writing to certain places considered restricted.

Related

ASP.NET website deploys but only I can see

I have a prototype .net web site that is on Windows 10, created using C#. I am using IIS on the same machine to deploy from Visual Studio 2017. It uses SQL Server for back-end data. The site only runs on intranet.
It deploys ok, I can see all the pages, from all three of my machines. But others cannot see anything. They get a run-time error, that does not say anything specific.
My machine was re-imaged and hence the need to redo this.
I looked at IIS log and it does not have any info. What else I can look into?
In web.config, turn off custom error mode to see detailed error message on the client:
How to set web.config file to show full error message
If it works locally and not remotely, it's likely a permissions error (accessing a resource that the client doesn't have access to), or maybe a pathing issue (you are referring somewhere to something by disk or UNC instead of URL, or to a domain that only makes sense to you, like localhost).

Cant write to log file in IIS 7.5

I have a web service in .Net 4.0. I'm deploying said web service to two IIS servers each running IIS 7.5 Both servers are setup to us the Network Service account. The code is deployed to a physical disk on the servers. It attempts to write to a log file also on a local physical disk. The Network System user has full control permissions on the local directory. When the service starts, first thing it does is write an entry to the log file. This works fine on server A, but not on server B.
Can anyone give me a suggestion on where I might look for something that is actively denying file IO on IIS server?
The specific error message is Exception Details: System.IO.FileNotFoundException: Could not find file 'D:\Data\Logs\CDelivery.log'. I can assure you the file is in fact present, and this works just fine on server A.
P.S. I also tried this solution, but the IE Enhanced Security Configuration is already set to "OFF" for both Admins and Users IIS 7.5 App Pool write permissions denied
Found the problem. My code to writetolog is in a static class and I was accessing resources before locking them properly. Since the writetolog function is my generic error handler (among other things) the unhandled exception within it was causing w3pw.exe (and kernalbase.dll) to blow up.
Had to do a good bit of digging to find it because "Can't find file x" was not actually the problem at all. Terrible error message.

Cannot programmatically access network path through VPN

I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(#"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username “C:\ProgramFiles\Path\to\your\visualstudio”
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being ran. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can "wrapped" in a context the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation

Access to a Sharepoint Remote Folder from C#

I have developed an ASP.NET MVC 3 which must access to a SharePoint Remote Folder.
To do that, during the development, before to run the Visual Studio Development Server, I try to access to the remote folder. Then, I must introduce the credentials of the user who has permission to see the remote resource. After this, using the following code:
string path = #"\\tests.sharepoint.es\folder1";
DirectoryInfo di = new DirectoryInfo(path);
DirectoryInfo[] dis = di.GetDirectories();
The access to the folder is successful. However, this fails when I executed my web application from the IIS, getting the next error:
Access to the path '\tests.sharepoint.es\folder1\' is denied.
Even if I set for the Application Pool the same user that runs the Visual Studio Development Server, it continues failing.
I have identified that the users who runs the World Wide Web Publish Service (W3SVC) is SYSTEM (an account who obviously doesn't have permission to access to the folder) but I can't change this and I am not sure if this causes the problem.
Also, I have read some posts about using SPSecurity.RunWithElevatedPrivileges but I can't use it because my IIS server doesn't have Sharepoint installed (it is in another machine) and therefore, I can't use Microsoft.Sharepoint.dll as far as I know.
UPDATE: When I try to access to the resource using my windows explorer, I have read that OS uses WebDav instead of NetBios. Can IIS use this protocol to access to the resource?
If you really need to access remote resource with Windows permissions from Windows web server (or any other server that impersonates remote client) than you must run such code under account directly signed in on the server box. This is caused by "NTLM one hop" policy - user's credentials can be used only on machine user directly signed in to or machine user directly communicates to (and not on third one that this second machine tries to connect to).
Safest approach is to run process under account that have access to remote resource and run code in that process. You can run IIS process under such account, but you may need to revert impersonation back to process if running code during requests.
You can also directly impersonate particular user but you'll need to have plain text login information. This is most likely against security policy for most companies.
Note: you very well may end up building anonymization proxy - be very careful to understand what it means to access remote resource under account different from actual user's account.
Fortunately, I have found how to resolve the access problem.
I have used the solution described in this post.
My code seems like this:
PinvokeWindowsNetworking.connectToRemote(#"\\tests.sharepoint.es\folder1", "domain\user", "password");
//manage files and folders of my remote resource
//...
PinvokeWindowsNetworking.disconnectRemote(#"\\tests.sharepoint.es\folder1");

Reading Files On Network From IIS7.5

I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetwrokService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS servers machine account.

Categories