I am developing an asp.net c# web-application to sign PDF files on the server side. I am using a USB Token to sign the PDF file. When i developed on the development box, I can able to sign the document. But when the same code is hosted on IIS , I cannot able to sign the document. I am not getting any exception too. The error provided is An Internal error occurred.
I got stuck on this stage. Please help me on this issue.
Its look like permission related issue, you could try to use the different application pool account like network service or custom account which user has full access control permission or try to give IIS_IUSRS and IUSR permissions to the USB.
you can capture some data using process monitor.
to set application pool identity in iis please follow the below steps:
1)open iis manager.
2)select the application pool and click on the advanced setting from the action pane.
3)click on the identity.
4)in application pool identity windows click the custom account radio button and set username and password or select built-in account like network service from the drop-down.
to set application pool permission use IIS AppPool\apppool name.
I've got an MVC site that i've published to a remote server running IIS, but I've got a problem with the site where I can upload documents to a folder (on that server, within the site header folder) via the site, but I get an "Access is denied" error whenever I try to read that same document.
At first I thought it may have been a simple permissions problem, but I checked the security on the folder and it's showing full control to domain users on it, and when I run the project locally through Visual Studio I can open it up without any problems.
I assumed it may be something to do with the context of the site running under IIS, but I don't know if the changes need to be made in IIS or on the folder permissions themselves.
Can someone help?
EDIT
I'm opening the file using Process.Start like:
System.Diagnostics.Process.Start("FilePath");
EDIT 2
I've edited the app pool that the site is running on and set it to allow the process to interact with the desktop, but this has not worked. I have also tried setting the App Pool to load the user profile based on suggestions I found elsewhere but that has not worked either. The only other suggestion i've found is to set the App Pool identity to "Local System", but people have said this is a security risk so I don't want to do this unless necessary.
I use this simple line of code inside my HttpHandler:
Directory.CreateDirectory(#"\\srv-001\dev\folderToCreate\");
I receive an UnauthoridezAccessException telling me that the access to the path is denied.
From here, I create a little Dos application in C# doing the same thing and I was able to create the folder. So, I thought that it might be that IIS is running on a different user than myself. I went to IIS and changed the Application pool to a Custom user, myself. But, unfortunately, I got the same exception.
I have try to create a Share folder on my computer and I can create directory. Also, when debugging I can see that System.Threading.Thread.CurrentPrincipal.Identity have its AuthenticationType to "", IsAuthenticated to false and name to "".
So, with all those tests I can conclude that the HttpHandler that receive the file cannot create a directory because of some security access.
How can I grand access to my HttpHandler to be able to create a directory (and files) to a network folder?
actually, i thought of one other thing to check. not only is there the app pool identity, but there is also an identity associated with anonymous authentication. if you are on iis 7/7.5, you should be able to see the authentication icon for the web application and doubleclick that. selecting anonymous authentication and then clicking edit will reveal a dialog that gives you the option of specifying a user or the app pool user. i bet if you choose app pool user, that will fix it.
if you are on iis 6, i don't recall as clearly, but i'll give it a shot. don't have iis 6 in front of me to verify, but i remember there being an anonymous access button you can click that would bring up a dialog where you could specify the user. don't think you had the option there of using the app pool identity and had to specify the account explicitly.
I am running Windows 7, and am not usually a developer in this setting, and have recently built a WCF Rest Service in C#, that I'm now trying to deploy to IIS just on my local machine. After much wrangling, I setup up the application, but when I navigate to the application, I get an error message:
Compilation Error
Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.
Compiler Error Message: CS0016: Could not write to output file 'c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\scom_sibyll\8c0b945e\9329016\App_global.asax.eagmqgcd.dll' -- 'Access is denied. '
I have hunted the web to the best of my ability, and have changed the permissions on the Temporary ASP.NET Files fodler to allow the Network Service account full rights, and done the same with the Temp folder. It copies a number of files before failing, so it has write permissions presumably, so I checked the permissions to read from my source folder, and that is working as well. I additionally noted it's crapping out when it tries to to cache the DLL file, and tried turning off my Antivirus protection, as well as turning off UAC, just to see if I could figure out what is blocking this from occurring. I'm fresh out of ideas now. Anybody have any suggestions?
For those looking here as I did, if the accepted answer doesn't resolve the issue you might try following this article: http://lordzoltan.blogspot.com/2011/02/aspnet-2-and-4-default-application-pool.html
In summary, it seems that the same error is sometimes displayed when the app pool user doesn't have access to the %TMP%/%TEMP% folder.
You'll need to grant IIS_IUSRS read and modify access over the temp folder of the user the app pool is running as.
This could either be the temp folder in the app pool user's profile, e.g. c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp, or the system temp folder at c:\windows\temp.
Setting this up this resolved the issue for me.
Sounds like the account that the WCF service is running under does not have access to write to the "Temporary ASP.NET Files" directory.
You could also try re-running regiis.
%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -i
ASP.NET IIS Registration Tool (Aspnet_regiis.exe)
On Windows 8/Server 2012 there is no support for aspnet_regiis any more.
I tried reinstall using windows features: fail.
I tried reinstalling IIS: fail.
I tried reinstall through WebPI: fail.
I solved the issue by setting the ACL's on the Windows Temp Directory.
Here is a powershell that does the job:
$dir = "C:\Windows\Temp"
$acl = get-acl -path $dir
$new = "IIS_IUSRS","Modify","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $new
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $dir
There're 3 step to do:
1 - check if "Application Pool Identity" is NetworkService
2 - NETWORK_SERVICE account needs full control on:
. C:\Windows\Temp
. C:\Windows\Microsoft.NET\Framework[related framework]\Temporary ASP.NET Files\
3 - restart the IIS
Error Solved
You could also try re-running regiis.
"%windir%\Microsoft.NET\Framework[related framework]\aspnet_regiis -i"
This KB resolved it for me, it appears that the temp file path was nonexistent in the OS environmental variables.
http://support.microsoft.com/kb/825791
I granted read and write access to C:\Windows\Temp for the IIS_WPG group. This worked for me. I'm on Server 2003 R2 and IIS 6 and the group name is different. I fount it from http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/ where it says:
•The IUSR built-in account replaces the IUSR_MachineName account.
•The IIS_IUSRS built-in group replaces the IIS_WPG group.
Thanks to Dommer for suggesting the windows temp folder and to zcrar70 for the nice summery and a link with detailed description.
For me the solution was a combination of the fixes described here. I had to give to the NETWORK_SERVICE account full control on
C:\Windows\Temp
and
C:\Windows\Microsoft.NET\Framework[related framework]\Temporary ASP.NET Files\
and also change the Application Pool Identity to NetworkService.
Also do not forget to restart the IIS after you give full control to NETWORK_SERVICE on the Temp folders
I was getting the same error while developing a web api using asp.net core 2.0 and it got resolved after restarting the machine.
Some times the Temp files might be locked by other process in the workstation. As a first step please reboot the workstation and check the application.
On Windows 8 absolutely nothing worked for me. One day app pools suddenly decided they no longer want to work under the NetworkService account.
I solved the problem by changing the app pool to work under my own user account. Not a great solution I know, but it worked.
This error happens when I use a bat file to delete temporary files. It probably deletes the directory itself and the given permissions are gone. So you have to restore them somehow.
The easiest way is to grant full control over following directories for Everyone:
C:\Windows\Temp
C:\Windows\Microsoft.NET\Framework[related framework]\Temporary ASP.NET Files\
I have permissions but I'm starting to get that error.
"restart machine" works for me
I started getting this error too recently in a corporate environment after the company implemented various security measures that took away admin rights from the users.
For developers, the company authorized the creation of accounts that could be used and we had to add these to the PC's admin group and then change the application pool's identity to use the account.
EXAMPLE (Windows 10)
Account created for developers: domain\developer
Someone with admin rights to the PC will have to do the following:
Go to Control Panel\User Accounts\Manage User Accounts
Click on the Advanced tab, and click on the Advanced user management button
In the lusrmgr page, click on the Groups folder in the left column to bring up groups in the center panel
Then secondary-click on the Administrators group and select "Add to Group..."
In the Administrators Properties panel, click the "Add..." button
A "Select Users, Computers, Service Accounts, or Groups" dialog opens. Add the account (domain\developer in this example)
Then click on the OK button (this button will be disabled if you don't have admin rights)
Now configure the App Pool:
Open IIS Manager, select Application Pools
Click on the application pool you want so it's highlighted, then click "Advanced Settings..." from the Actions panel on the right
Under the Process Model section, click on the Identity setting and the ellipses button
In the Application Pool Identity dialog, select "Custom account" and then click the Set button
Enter the account and the password
At this point I was able to close everything, restart IIS and then run my app. It could then access the temp folders it couldn't before.
In my case, when I change Load User Profile to True (App Pool -> Advance setting -> Load User Profile -> set to true) it works.
we developped an ASP.NET application that runs fine on our development server and in our network computers. But in production, the application works when accessing it directly from the web server but not on the clients (code behind is not executing).
Any hints?
TY
Framework is 3.5
the application works when accessing it directly from the web server but not on the clients (code behind is not executing).
This sounds like a security permissions issue.
Check to see where the website is installed. C:\inetpub\wwwroot has the proper execute permissions by default. For security reasons, many corporations like to set a policy that websites have to be installed elsewhere [1]. When setting up websites outside of the default folder, add "read & execute", "read" and "list folder contents" permissions to IIS_WPG, IWAM_server_name, IUSR_server_name and ASPNET accounts. Sometime NETWORK SERVICE needs to be added to the collection.
When you run logged in locally, the application is running with the logged in user's credentials. When hitting the website remotely, the application is trying to run with the account showned in the Authentications dialog (in IIS manager, right click the web site/application, then properties, then directory security tab, then click "edit" on the "authentication and access control" bit. Usually, "enable anonymous access" is clicked and the "user name" is IUSR_server_name.
Notes:
1 - So that when some hacker uploads malevolant code to C:\inetpub\wwwroot, the code does nothing because the websites aren't there.
hmm, "static web site" + button click = no code behind + hyperlinks
check the hyperlink paths as [Wim Hollebrandse] mentioned UNC!!
is the application correctly configured in the iis manager?
application has to be created and the .net framework has to be enabled and set to the right version.
That doesn't make any sense. Please don't tell me your clients are browsing to your website over a UNC network path/share instead of over HTTP...
Another reason could be that the clients (assuming they're on a different subnet than the working ones) end up on a different box because of some DNS or NAT issues, whilst you assume they end up on the correct server. Try connecting to the IP address instead of the DNS hostname.
Here's a list of questions that may help narrow down where the problem is:
Have you checked using Fiddler or other network tools to ensure that a request is going to the server when a button is clicked on a client's machine?
Are you sure there isn't a firewall or JavaScript issue here? If the client is using NoScript, this could cause the problem, I think.
Is the same browser being used on the server and client's computers?
Is there anything fancy about the button on the page,e.g. is an AJAX callback?