I have an ASP.NET application which I am testing on the ASP.NET Development server. The application is meant to download a file from an intranet sharepoint site. I am using WebClient.DownloadFile() for this purpose. But I am getting the following exception-
"The remote server returned an error: (401) Unauthorized."
The account with which I am logged into Windows while running the application has access to the resource which I want to download.
I tried ro run the application on IIS 7.5 as well, giving the application pool the required identity to download the file. But still got the same error.
Any idea what exactly is the problem and how to overcome it? Thanks in advance!
It's a problem with double hop delegation. Look at this: http://weblogs.asp.net/owscott/archive/2008/08/22/iis-windows-authentication-and-the-double-hop-issue.aspx
Assuming normal Windows (NTLM) authentication on SharePoint site.
Most likley you are hitting by design behavior "double hop delegation" sometimes called "one hop NTLM hell" - credentials passed from client (browser) to server (your ASP.Net application) can't be used outside of the box. As result your ASP.Net application autorizes as more or less anonymous user and can't authorize on SharePoint site.
Common way to solve it - have some sort of trusted account and run your site's code under that account. Than when accessing the site you run code under process' account (not impersonating the user). You'll need to review code to have reasonable security measures as bugs will allow anyone use your site to access SharePoint/other resources under that special account.
Problem got resolved by setting UseDefaultCredentials property of the WebClient to true
This is a Kerberos issue, as Kirill mentioned. Before you start setting SPNs and the like, please follow the advice on this link first.
I recently had a frustrating week of trying to get Kerberos to work on a locked down domain and at the end of it all I found all I had to do was set useAppPoolCredentials to true.
If that doesn't help, this link provided quite useful to me as well.
Good luck!
Related
I have an MVC web application that is supposed to allow users to download files that are stored as UNC paths in a database. These files can be in any number of locations on remote servers/shares.
E.g. Server 1 hosts the web application that is used to download a file stored on Server 2
I do not want to give permissions to these folders to the hosting service account, as the security should be dependent on what the user has access to. Therefore, I'm attempting to use Impersonation to retrieve the file.
When I debug on my local machine, everything works great. It impersonates my user and downloads the file.
When I deploy to my test server, I'm getting the following error:
Access to the path '\\Server2\SharedFolder\somefile.txt' is denied
I've tried various pieces from this Microsoft link, but am not having much luck.
Scenarios I've tried:
Just giving the permission to the service account of the AppPool works fine, but as I said, isn't ideal
Implementing the Impersonate a Specific User in Code from the above article, which works perfectly with a hard-coded user and password. This situation is also not ideal.
Implementing the Impersonate the Authenticating User in Code from the above article. This seems to be exactly what I need, but this is what generates the Access Denied error.
The Code that I want to work:
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext =
((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
//Code to read all bytes from the file path
impersonationContext.Undo();
I have logging, and System.Security.Principal.WindowsIdentity.GetCurrent().Name after the impersonation does return the intended user (my account instead of the service account), so it does appear to be working.
I thought maybe it was a double-hop thing, so I have also added SPNs for the server and the service account, making sure their Delegation in AD was set to allow for any service. That hasn't helped either.
This question seems to have the exact same problem as me, but there's no follow-up on what the final solution was. I did try the Process Monitor part, but it didn't help at all.
I'm at a loss to why Impersonation seems to be working, but I'm denied access to a file on a second server.
Update 1
I've played around more with my IIS settings and trying to get Kerberos properly set up. The only thing enabled in my IIS Authentication is "Windows Authentication".
When I spit out details after my Impersonate() call, I'm finding that ImpersonationLevel = Impersonation
Is that how it should be, or should that be returning Delegation ?
It would seem the issue was mostly due to my setup with Kerberos and SPNs. I undid all my settings and re-registered my service account, and the Impersonation ended up working properly.
The issue now is that it only seems to work with Internet Explorer. Chrome and MobileIron are doing something different that prevents the ImpersonationLevel of Delegation. That's a whole other question...
I've viewed a few of the other IIS reverse proxy with windows authentication posts on here and they don't seem to be what I'm trying to do. Hopefully someone will be able to help or spot what I'm not doing or doing wrong.
I've got a server which has a website running on port 80 which I need to present a number of other web applications on. I cannot create new hostnames so I created a virtual directory in the site which pointed to my web apps, however the root site is using .net2.0 app pool which must stay as .net2.0 whereas my ASP.NET MVC apps all need 4.0 app pools. As per the web.config inheritance problem this is not working and I cannot change the web.config in the root to ignore propagation to child web.configs - with me so far? ;-)
To cut a long story short I've now got a virtual directory in my port 80 site which is acting as a reverse proxy to another site on port 81 and this is working fine for anonymous connections. I've tested it with a simple HTML page and I can access it and the url re-writing is working on links in the HTML page, all good so far.
Now I need to enable windows authentication on the port 81 site, so I followed the instructions similar to what is in these links on MSDN site to configure SPN's for the domain account I'm using (DOMAIN\testaccount) and other IIS config's:-
link 1
link 2
The problem is that all I get now is the good old error message:-
Access is denied. Description: An error occurred while accessing the
resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
-------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.34280
I've tried creating a test aspx page which just outputs the server variables to the response but even this is not working.
I can't find anything else to try, initially I thought I'd have to get Kerberos sorted to pass the details from virtual directory to site on port 81 but the MSDN posts say this is not needed, just the SPN's.
Anyone any ideas?
This turned out to be something very simple and me being dumb for not checking! :-)
I spent days trying to figure out why this wasn't working, not sure why I didn't try earlier but I changed the application pool it was running under to use .net2.0 and then my test aspx page worked!?!
Turns out in IIS manager if you click on the root server node itself that under 'ISAPI and CGI restrictions' feature settings that the .net4.0 DLL's were set to 'Not Allowed' but the .net2.0 DLL's were 'Allowed'! I just enabled the .net4.0 changed the application pool back and then voila it works.
When I try to execute this code:
SPSite siteCollection = new SPSite(#"http://sp-devxxx:10000/");
It throws the following error:
The Web application at
http://sp-devxxx:10000 could not be
found. Verify that you have typed the
URL correctly. If the URL should be
serving existing content, the system
administrator may need to add a new
request URL mapping to the intended
application.
I can hit this site from my web browser, it is compiling in x64, my account has read/write access to the content db, the code is running on the server that the site is running on and there exists an access mapping for this site. Why would it be throwing this error?
OK, after hours of pain i finally found the problem....
I had to add myself to the WSS_ADMIN_WPG group on the server. Hope this helps someone.
Change Target Platform to x64 as Sharepoint 2010 runs only in 64 bit mode
The account that is the identity of the app pool in my environment was already a member of WSS_ADMIN_WPG. I installed my web service locally. Using the external domain name such as
SPSite siteCollection = new SPSite(#"http://mydomain:123");
failed, reporting the same error as the poster (even though it is reachable from a browser on the same machine). The following worked
SPSite siteCollection = new SPSite(#"http://localhost");
I have yet to figure out why.
In a console application using visual studio 2012 it was changing the Target framework to 3.5 for me....
In my case, I re-opened Visual Studio 2012 running as Administrator, and the problem is solved.
Add-SPShellAdmin -UserName domain\username did the trick for me. The documentation says that it adds user to the SharePoint_Shell_Access role in the farm configuration database only, and also ensures the user is added to the WSS_Admin_WPG local group on each server in the farm.
In case the user's account is already a member of WSS_ADMIN_WPG and still the issue persists, As mentioned by Tim.
Try the following steps:
Go to Project Properties
Build Tab
Change the Platform Target value to Any CPU from the drop down.
It resolved the problem for our console Application.
Have you disabled the loopback check?
http://sptwentyten.wordpress.com/2010/03/06/disable-the-loopback-check-via-powershell/
http://www.jeremytaylor.net/2010/05/24/sharepoint-disable-loopback-check-disableloopbackcheck-dword-in-registry/
Try Logging on as the Farm Admin account. Or, granting the required SQL Server Roles to the account you are using.
I have a Web API on the SharePoint server that we use as a medium to get data from our own database. This Web API was attempting to open the website, and I was receiving the same error. I had to make sure that the Application Pool identity being used had access to open the website.
I set the identity of the Web API application pool to SharePointServerFarm, which is the identity that my SharePoint web applications use.
In my case, I needed to add the user db_owner permission to the SharePoint_Config, SharePoint_AdminContent and WSS_Content databases, following the suggestions in this blog.
I know this is an old and answered thread, but none of the above worked for me, and here's what did for future reference:
I have a windows forms application creating an instance of a sharepoint 2013 site and gives the mentioned error when trying to initialize the SPSite, after some search I've found the following reference that suggests (among other possible resolutions) the issue could happen when running the code on a machine different than the one running the actual Site, and yes it worked flawlessly when I moved the app to the other machine.
I know this is not a radical solution, but at least you know the issue.
reference:
Common issue: new SPSite API call returns "The Web application at http://server:port/ could not be found."
Had the same issue while running my code as "exe" file. Problem solved by running cmd as administrator. Hope this help someone.
I know it's quite long time ago, but in my case, I had to do 2 things:
give access to config db, user is programmatically able to open SPSite-object
Add-SPShellAdmin -username [domain]\[username]
give access to content db, user is programmatically able to open SPWeb-object
Add-SPShellAdmin -username [domain]\[username] -database [content db guid]
You can get the Guid of content db by running following Get-SPContentDatabase -webapplication [web application url]
You can find here the original answer of Timo Pitkäranta: https://blog.stefan-gossner.com/2011/09/18/common-issue-new-spsite-api-call-returns-the-web-application-at-httpserverport-could-not-be-found/
I have an ASP.NET application that runs under Classic .NET AppPool.
I'm trying to render a report hosted in Reporting Services in another machine, with the correct address and everything. But I keep getting the following error, which I just can't solve:
Cannot create a connection to data source 'MYDATASOURCE'. (rsErrorOpeningConnection) ---> Microsoft.Reporting.WebForms.ReportServerException: Login failed for user 'NT AUTHORITY\IUSR'.
I won't post any code, I'm simply calling the .Render() method through Microsoft.Reporting.WebForms.
Could it be a configuration or some special permission I have to grant to my code?
Any Help?
When I created something similar we set up a service account for the app pool the asp.net application to run as/under. Then gave that service account permissions to run the reports we wanted to display. I had to work with our DBA and System Engineers to set up the service accounts and permissions on the reporting server. But once that was all done it worked out slick. I am not sure it was all necessary, but that is how we did.
I am not a very experienced web developer, so I hope my terminology is correct and makes sense.
cheers
in your report manager grant sufficient permissions to this : NT AUTHORITY\NETWORK SERVICE
Granting permission directly on the database to the user NT AUTHORITY\IUSR solved the problem. I'm not very sure about security issues doing this, but thats another question.
Thanks.
You do not have permission to view this directory or page using the credentials you supplied.
It looks like you are trying to access files over network by IIS, however to do that, in network share you will need to add IUSER_ , IWAM_ or ASPNET user permissions as well.
I had the same problem, but neither giving access to Network Service, nor to IUSR helped me. I was trying to deploy an ASP.Net 4.0 web application with Forms Authentication on IIS7 on Windows Server 2008. What solved the problem was providing read and script permissions to the handlers, which can be accomplished by opening Handler Mappings and then selecting "Edit Feature Permissions" from the right menu.
Probably because you don't have permission... If this is unexpected, provide some more information and we can help.