I have a .NET/C# application that, when launched on a test server running VMware / Windows Server 2008, receives a USERPROFILE environment variable pointing to C:\windows\system32\config\systemprofile, but other applications seemingly built in a similar fashion inherit the correct value of C:\Users\{username}.
A slight twist - the application receives the correct value when run locally on my development machine. So I'm thinking this is a profile/registry issue with some combination of setting in my app.
The issue is manifested when you attempt to open an OpenFileDialog or similar. You get the exception "Location is not available: C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable..."
Any ideas?
UPDATE: The application is WPF running web services against IIS via WCF. Locally in development I am using IISExpress. I've found that after touching the WCF services in the client, the application inherits the APPDATA and USERPROFILE of the IIS AppPool the services are running under. If I adjust the AppPool values to use my user account instead of ApplicationPoolDefault and set LoadUserProfile = true - things work. Obviously this is a bad thing. As an alternative, I cache off the environment variables when the WPF app runs, and after it initially connects to WCF, I reset the variables. This appears to get around the issue but I'd like to solve it a better way but I have no idea what is influencing this behavior in WCF and my IIS Services.
It might have to deal with what account the web app is running under in IIS. You can change it from the default "Network Service" account to an actual user account.
Related
I have two applications: one is WebAPI REST Service written on .NET 4.5, and another one is its client application written on .NET Core 2. There's a windows authentication enabled on the service side. Client one makes simple GET call using HttpClient with HttpClientHandler loaded with credentials from configuration, it is some service account. Very basic stuff that can easily be googled in tons of examples, there's nothing fancy there at all.
When this call is performed from my local dev laptop to DEV server then everything works as expected: user provided in the client's configuration gets authenticated successfully on the service and is able to perform whatever operations he is allowed to perform.
It also works fine if I perform this call from the browser (Chrome) - it asks me for credentials and then returns result that perfectly correlates with whatever credentials I put there. It works this way with both remote and local services.
However, if I run the service locally on my laptop (local IIS Server, not an Express one) and call is performed using localhost address then I observe strange behavior: windows authentication seems to work as well, but the user that service authenticates is not the one from client's configuration. Instead, it is my AD account with which I have logged on interactively in windows (btw, it's win 10 ent x64).
Of course, I've verified five times every single config setting and runtime value in my applications, all settings on local and dev server's IIS, on web application and IIS Server level and app pools used for apps. Everything I see looks good - except it behaves differently when on localhost. Also, I googled every question that I could imagine but still can't seem to find an explanation to this behavior.
So, why does HttpClient use my account on localhost instead of the explicitly provided credentials? What am I missing here?
I'm trying to use a network path (create directory, write and read files) from a Web Service in ASP.NET.
Everything works fine from my office where the network path is in the same LAN of my laptop, but when I try to connect to the network path through a VPN, the creation of a directory fails with "Access to path is denied" error.
The strange thing is that from Windows Explorer I can perfectly access such path, given my VPN credentials, that I stored in Windows Credentials Wallet.
I also tried to set my IIS App Pool Identity to 'Network Service' but no luck.
Can you help me please?
Thank you very much
EDIT:
When I try to execute a statement like
Directory.CreateDirectory(@"\\my\network\path");
from a simple console application project in my Visual Studio 2010 it works perfectly and the directory is created.
The problem is when I hit such a statement inside the business logic of my web service that is running under local IIS (and which I'm connected to via "Attach Process..." debug tool in VS2010)
I may not have all the details of what you're asking straight, but if you're running this service via Visual Studio and VPN, take a look at this great article, at CodeBetter.
runas /netonly /user:domain\username "C:\ProgramFiles\Path\to\your\visualstudio"
I don't have the computer I have this on in front of me, but I recall that I created a batch file and ran it to start VS and Sql Server Management Studio, and it works like a charm.
If I've misunderstood the issue, sorry for the noise.
Sounds like when you are running locally, your local domain account is the context under which everything is being run. When running the console app, it is still running under your user context since you initiated the application. When running in IIS, you are correct in that the app-pool account is being used, and the networkservice account has some pretty low privileges.
Instead of using a highly privileged account (such as yours), would impersonation solve your issue? Any work that needs to be done over the VPN can be "wrapped" in a context with the appropriate permissions. Here is another SO article on using impersonation, which I have implemented for related things:
How do you do Impersonation in .NET?
See Matt Johnson's answer where he creates a custom Impersonation class. Use that in a using block, then do your network stuff. It uses the advapi32.dll with p/invoke to do this kind of user account voodoo. He put together a NuGet package as well which may save you some time:
https://www.nuget.org/packages/SimpleImpersonation
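The impersonation approach from the answer above, as an added C# example that is not part of the original answers or of the SimpleImpersonation package: it calls LogonUser with the new-credentials logon type, which applies the supplied account to outbound network access only, the same behaviour as runas /netonly. It assumes .NET Framework 4.6 or later (for WindowsIdentity.RunImpersonated); the NetOnlyImpersonation class and the environment variable names are hypothetical.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example; class and variable names are hypothetical.
static class NetOnlyImpersonation
{
    // Credentials apply to outbound network connections only; local access
    // keeps the caller's (app pool) identity, like "runas /netonly".
    const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    // The only provider that supports the new-credentials logon type.
    const int LOGON32_PROVIDER_WINNT50 = 3;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    public static void Run(string domain, string user, string password, Action work)
    {
        SafeAccessTokenHandle token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NEW_CREDENTIALS,
                       LOGON32_PROVIDER_WINNT50, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            // The identity reverts when the delegate returns, even if it throws.
            WindowsIdentity.RunImpersonated(token, work);
        }
    }

    static void Main()
    {
        // Assumed: a dedicated low-privilege share account whose credentials
        // are supplied from outside the source code (hypothetical variable names).
        string domain = Environment.GetEnvironmentVariable("SHARE_DOMAIN");
        string user = Environment.GetEnvironmentVariable("SHARE_USER");
        string password = Environment.GetEnvironmentVariable("SHARE_PASSWORD");

        Run(domain, user, password,
            () => Directory.CreateDirectory(@"\\my\network\path"));
    }
}
```

With this logon type LogonUser does not validate the password, so a wrong credential surfaces as an access error on the first network call rather than at logon.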
I'm making an application in C# with VS 2012 that checks a database every 15 seconds and performs some actions when it finds data. Right now I've created a Console Application so I can debug it easily, but during release this application needs to run in an IIS server.
How can I do that? I've read this question but it looks like some sort of workaround because to run it I need to perform these steps. Right now I'm reading the docs about Windows Service Application, Is this the right way?
EDIT Sorry but I've never used Windows server before, so as people pointed out IIS is only a web server, the thing I need to do is run my application in a Windows Server environment
IIS is a web-server and accordingly it should be used for hosting web applications.
Develop a windows service which does the job of checking the database in intervals and invoke a web service (which you can host in IIS)
If your application is performing some data query and manipulation on the server then I would recommend the approach to host it in a windows service.
Some advantages to this are:
The service will start and run independently of a user logging into the server.
You can configure the service to recover should it experience an exception (ideally not!).
The service will start automatically (if configured) when the server restarts.
You can configure which user group (or user) the service should run under so you have a more granular approach to security.
As it's running as a separate process, you can monitor its memory and processor utilisation.
Debugging is slightly more cumbersome but not difficult, one approach I've used is to install the service locally, start it and then attach to it via the debugger. This question describes another approach I've also used.
WCF Service
I am developing a WCF Service and it needs to communicate with a COM application running on the system.
I have tested the service with the ASP.NET development server and it works fine. Now when I run it from IIS, the service can't communicate with the COM application.
The issue is that IIS runs in a different user account, 'Application pool', than the one the user is logged in with. The COM file runs on the user account the user is logged in with. So that is the reason they have issues communicating. Or at least that's what I think.
What I did was create a new application pool in IIS, and in the advanced settings I changed the process model identity to Local System, but it did not work....
I need ideas on how to make the COM and the service run in the same account.
Any idea will be much appreciated.
IIS not only runs under a separate account, but also runs under a separate login session that is completely separated from the interactive user's session. The COM object must be possible to invoke without a user even being logged on if you are to use it from IIS.
I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetworkService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \\Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected, which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS server's machine account.