I'm using a WCF service that is running on an IIS 7.5 (W2k8 R2). I use this service for getting quota information about the space of a specified web site on the same IIS.
So I do have the WCF service acting as server and a local web app acting as client. The client now asks the server for the quota of a web site folder. To do so the server should use the FsrmQuotaManager. But when the service is referencing the quota manager I get an 0x80070005 (Access denied). The web service runs in it's own AppPool with the ApplicationPoolIdentity.
I always got DistributedCOM errors (10016) in the event log saying that The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{90DCAB7F-347C-4BFC-B543-540326305FBE} and APPID {FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}
to the user MYDOMAIN\someUsername SID (S-1-5-21-1477432904-898564541-3754644009-3102) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool. So I already managed to add permission for this user (or better the group that user is in) in the ComponentServices as I often read when searching the Internet. Now I don't get that error in the event viewer anymore but when I'm referencing the FsrmQuotaManager in the services code I'm still getting the exception.
Does anyone have a clue about that? I'm really stuck at this for quite some days and I'm running out of ideas. Using the Process Monitordoesn't help.
We finally solved it.
We had to impersonate around the creation of the FsrmQuotaManager object with a local administrator account. Using this we could also remove the the permission previously added in the ComponentServices.
Related
I need to access a web API to access a different computer which is in a local network. For that purpose I publish that API and hosted by IIS. my computer and the other computer (which is going to access the API) pinged without any error and also I already accessed this API through the other computer successfully. but unfortunately today on words I could not be able to access it.
this is the error that occurred:
I tried lot of things according to the following order, but it doesn't work out.
Added runAllManagedModulesForAllRequests="true" to my web.config(in web API publish folder).
Read,write,modify permissions to Network Service,IUSR,IIS_IUSRS.
Disable virus guard firewall.
This error will appear in the other computer (which I am using to access the API).
Please be noted: I able to access this API yesterday, But today onwards I could not be able to access it.
Is your API running in your local machine?
if not check your apppoolidentity.
did you changed LAN PasswordToday?
I wrote a C# WCF server and I am trying to get it up in IIS but everything I try to go to my endpoint I get this error:
I checked the Permissions on the site and I have Authenticated Users others:
so I am not sure what to do now...
I imagine that the root of the problem is that you are trying to create an application on the server that points to files on your own computer using a Remote Desktop Connection drive share. The \\?\UNC\tsclient\C\... path is a dead giveaway.
This is a definite no. You cannot run a web service this way. The tsclient path is specific to your individual connection and will not work from any other context. Any other user account - including the service account that the IIS instance is running from - will not be able to access those files.
To resolve this issue you need to copy the files from your machine to a location on the server and recreate the IIS application entry, referencing the location on the server. You might still need to monkey with the security on the server-local folder.
My setup
ServerA is running a web app on IIS 7 using a local IIS Application
Pool identity.
ServerB is running MSMQ, hosting a private queue
we'll call MyQueue
Using the Message Queueing snap-in on ServerB, I have configured MyQueue to grant Full Control to the ServerA's domain account (ServerA$) as well as the ANONYMOUS LOGON user
What I Want To Happen
I want the web app on ServerA to send a message to MyQueue on ServerB
What is Actually Happening
The message never shows up on ServerB and I get no error message. I have turned on negative source journaling and can see that I'm getting an "Access Denied" error in the dead letter queue.
If I grant Full Control to Everyone, then the message shows up, but I don't want to do this.
Why I Thought This Would Work
This article about IIS Application Pool Identities says that
Using the Network Service account in a domain environment has a great
benefit. Worker process running as Network Service access the network
as the machine account. Machine accounts are generated when a machine
is joined to a domain. They look like this:
domainname\machinename$,
For example:
mydomain\machine1$ The nice thing about this is that network resources
like file shares or SQL Server databases can be ACLed to allow this
machine account access.
WHAT ABOUT APPLICATION POOL IDENTITIES?
The good news is that application pool identities also use the machine
account to access network resources. No changes are required.
Based upon that information, I would assume that granting MY_DOMAIN\SERVERA$ permissions on MyQueue, then things should work. But they aren't.
Any idea what I'm doing wrong?
This question is ageing now, but I've managed to query MSMQ from an IIS application using an ApplicationPoolIdentity user:
Go to the application pool list in the IIS Management Console and note the application pool name for the desired application
Right-click on the MSMQ queue in Server Manager > Properties > Security
Click Add
Enter the object name IIS APPPOOL\{application pool name from step 1}. This should auto-complete to the name of the application pool
Grant the required permissions - generally this will be Peek Message and/or Receive Message
It's better to avoid granting permissions to Everyone.
Reference: https://serverfault.com/a/81246/24816
I have just stumbled upon this and have found resolution in my case, if I setup IIS to run as the network service account the remote queue will receive the message I end to it.
This has eaten up a lot of my time today, now I need to work out if running IIS as network service is actually ok and does not break anything else.
I've been going crazy over this one! I've googled this problem and read everything that pertains to this but no luck! I've developed a WCF Service and a test web site to test this service with. These two work together very well (on my machine) when I add the service reference to the test web site, but when I publish the WCF Service to a remote machine and try to add that service reference I get an error that states:
There was an error downloading '\SNMCDEVTEST\sslroot\EncompassService'.
Access to the path '\snmcdevtest\sslroot\EncompassService' is denied.
This is behind the SSL (versus wwwroot) part of the remote servers IIS. I have a self-signed certificate attached to the server and a new application pool attached to the WCF service. I've made sure that everyone has access to this folder, but I still keep on getting this error!
Thanks in advance for your help.
Steve
I have a WCF Service running on Windows Server 2008 R2 Enterprise. The IIS Version is 7.5. One of the methods in the service reads from a file on the network. It's failing when it tries to do this, but I can't log a proper error to find out why. My guess is that this is a permissions issue, but not being savvy with IIS, I don't know where to start.
The site running my service is using an App Pool with NetwrokService as the Identity. I have tried other built-in accounts, but I get the same problem. When looking at the running processes in Task Manager, I see w3wp.exe is running under the NetworkService account - which is how the App Pool is configured.
I'm trying to reach a share such as: \Machine1\SharedFiles\MyFile.txt. I can access this same share easily from file explorer so I know it's valid. Every other part of the service runs as expected which leads me to believe my IIS configuration is fine - other than possibly a permission setting that allows reading of files on other machines.
Anyone have any idea what I am doing wrong?
Thanks,
Start here:
http://learn.iis.net/page.aspx/624/application-pool-identities/
It is a permission issue. The share, and the files within it, need to grant access to the IIS servers machine account.