I need to monitor the status of an application in the applications pool of IIS 7 from another machine on the same domain. My monitoring application must be in C# and running as a Windows service.
On my server, I create a user with administration rights and I execute the command aspnet_regiis -ga machine\username which worked successfully.
My problem is when I try to access the application pool I still get COMExcepttion "Access denied".
What did I do wrong or which step did I miss?
I used code from http://patelshailesh.com/index.php/create-a-website-application-pool-programmatically-using-csharp as example.
int status = 0;
string ipAddress = "10.20.2.13";
string username = "username";
string password = "password";
try
{
DirectoryEntry de = new DirectoryEntry(string.Format("IIS://{0}/W3SVC/AppPools/MyAppPoolName", ipAddress), username, password);
//the exception is thrown here.
status = (int)de.InvokeGet("AppPoolState");
switch (status)
{
case 2:
//Running
break;
case 4:
//Stopped
break;
default:
break;
}
}
catch (Exception ex)
{
}
The code you found seems to be for IIS6. Perhaps you will be better off using the new and supported IIS7 management API. You could start by calling ServerManager.OpenRemote to get the ServerManager object.
You might need to mess around with the AuthenticationType, the default starting with 2.0 is Secure but you might need to set SSL. Also, I've seen Access Denied messages from accounts with the "user must change password on next logon" checked.
This works pretty well on Windows 7 and Windows server 2008 (unfortunately not on XP and 2003 Server). I had to add Management Service role in the IIS via the Server Manager in order to enable remote connection.
Here's an short example of how to get the State of an Application Pool.
public ObjectState State
{
get
{
ServerManager server = null;
ObjectState result = ObjectState.Unknown;
try
{
server = ServerManager.OpenRemote(address);
result = server.ApplicationPools[name].State;
}
finally
{
if (server != null)
server.Dispose();
}
return result;
}
}
Thanks to driis.
Related
I have a piece of code that should connect to the server. The code is as following:
var rdp = new MsRdpClient8NotSafeForScripting();
rdp.Server = "192.168.0.101"; //adress
rdp.Domain = "localdomain"; //domain
rdp.UserName = "test"; //login
rdp.AdvancedSettings8.ClearTextPassword = "123456";//password
try
{
rdp.Connect();
}
catch (Exception e)
{
Console.WriteLine(e);
}
Console.WriteLine(rdp.Connected);
if (rdp.Connected != 0)
{
rdp.Disconnect();
}
Console.ReadLine();
This is supposed to "connect" to my remote server via 3389 port so that I can be able to read a file from my desktop which is called: "min.txt"
So far I have tried specifying the login data of my server but I always just get output of "0" in the console's window, regardless of whether I specify correct or incorrect login data..
My questions here are:
Why is it connecting even with wrong login data (ip, user + password)
How can I, once I've been indeed successfully connected to the server, access the min.txt file on my remote server, which is located at desktop...
Can someone help me out?
Probably you can try specifying the password like below:
MSTSClib.IMsTscNonScriptable secured = (MSTSClib.IMsTscNonScriptable)rdp.GetOcx();
secured.ClearTextPassword = “123456”;
For reference: MSDN link is here
Once connected, you can access the file like a shared network file via UNC.
Example:
System.IO.FileStream stream = System.IO.File.OpenRead("\\servername\sharedname\path\somefile.txt");
Then need to ensure that permissions are in place to access the folder.
I am working on an C# utility that would help clients publishing SSRS reports on their sites. Here my code:
public void createFolder()
{
ReportingService2010 rs = new ReportingService2010();
rs.Credentials = System.Net.CredentialCache.DefaultCredentials;
// Create a custom property for the folder.
Property newProp = new Property();
newProp.Name = "Department";
newProp.Value = "Finance";
Property[] props = new Property[1];
props[0] = newProp;
string folderName = "Budget";
try
{
rs.CreateFolder(folderName, "/", props);
Console.WriteLine("Folder created: {0}", folderName);
}
catch (SoapException e)
{
Console.WriteLine(e.Detail.InnerXml);
}
}
I am getting the following error:
ErrorCode xmlns="http://www.microsoft.com/sql/reportingservices">rsAccessDenied</ErrorCode><HttpStatus xmlns="http://www.microsoft.com/sql/reportingservices">400</HttpStatus><Message xmlns="http://www.microsoft.com/sql/reportingservices">The permissions granted to user 'NT AUTHORITY\NETWORK SERVICE' are insufficient for performing this operation.</Message><HelpLink xmlns="http://www.microsoft.com/sql/reportingservices">https://go.microsoft.com/fwlink/?LinkId=20476&EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&EvtID=rsAccessDenied&ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&ProdVer=13.0.1601.5</HelpLink><ProductName xmlns="http://www.microsoft.com/sql/reportingservices">Microsoft SQL Server Reporting Services</ProductName><ProductVersion xmlns="http://www.microsoft.com/sql/reportingservices">13.0.1601.5</ProductVersion><ProductLocaleId xmlns="http://www.microsoft.com/sql/reportingservices">127</ProductLocaleId><OperatingSystem xmlns="http://www.microsoft.com/sql/reportingservices">OsIndependent</OperatingSystem><CountryLocaleId xmlns="http://www.microsoft.com/sql/reportingservices">1033</CountryLocaleId><MoreInformation xmlns="http://www.microsoft.com/sql/reportingservices"><Source>ReportingServicesLibrary</Source><Message msrs:ErrorCode="rsAccessDenied" msrs:HelpLink="https://go.microsoft.com/fwlink/?LinkId=20476&EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&EvtID=rsAccessDenied&ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&ProdVer=13.0.1601.5" xmlns:msrs="http://www.microsoft.com/sql/reportingservices">The permissions granted to user 'NT AUTHORITY\NETWORK SERVICE' are insufficient for performing this operation.</Message></MoreInformation><Warnings xmlns="http://www.microsoft.com/sql/reportingservices" />
Any idea?
Please note that a point of this exercise is not just get it work but knowing that it is going to run on a client side ideally without any tweaking on their part.
Thanks for help.
Your question is a little unclear. It sounds like you're not sure why you're getting a permissions error. The answer is that you need to create a new role. I assume (after your comment) that your question is how you can do that using C#.
You can use the CreateRole() method, which will only work with SSRS Native Mode. If SSRS is installed in SharePoint Integrated mode, there is no supported method other than using the UI.
This method throws an OperationNotSupportedSharePointMode exception
when invoked in SharePoint mode
I recently made a c# printer management tool that uses a WCF service which contains WMI Win32_Printer methods like AddPrinterConnection and SetDefaultPrinter.
Everything works fine if both the client and the WCF service run on the same machine. But if i try to move the WCF service on another machine, the methods stop working but nothing crashes.
The AddPrinterConnection for example returns 0 which means success but no printer is really added on the local machine. The default printer even if is set to default returns false, etc. The printers list is somehow accesible.
The WCF service behaves the same even if is hosted in IIS with an administrator identity for the application pool or hosted in ASP development server on the server.
But with the same identity on the local machine all is fine. The printer name and local machine address are sent as parameters to the WCF methods.
Is this a rights, delegation or impersonation issue? Is this a limitation of the WMI? Does anyone encountered this problem? I really need a solution for this. Thank you in advance.
EDIT: Here is some code representing the function called on the WCF service that adds a printer.
Note: On both local instalation (client and service local) and remote (client local, service remote) the function returns 0, which means "success" and no error but in the second case nothing is really added.
I tried all kind of impersonations too, and as i said the identity under which the WCF service runs is the same as the user that uses the client. I supose is a thing related to the user context, because it doesn't make much sense. I tried to find some information from Microsoft regarding this but with no luck.
public static string AddPhysicalPrinter(string sPrinterName, string address)
{
try
{
ConnectionOptions options = new ConnectionOptions();
options.Impersonation = ImpersonationLevel.Impersonate;
options.Authentication = AuthenticationLevel.PacketPrivacy;
options.EnablePrivileges = true;
options.Username = "username";
options.Password = "password";
oManagementScope = new ManagementScope(new ManagementPath("\\\\" + address + "\\root" + "\\cimv2"), options);
oManagementScope.Connect();
ManagementClass oPrinterClass = new ManagementClass (new ManagementPath("Win32_Printer"), null);
ManagementBaseObject oInputParameters = oPrinterClass.GetMethodParameters("AddPrinterConnection");
oInputParameters.SetPropertyValue("Name", sPrinterName);
ManagementBaseObject x = oPrinterClass.InvokeMethod("AddPrinterConnection", oInputParameters, null);
foreach(PropertyData p in x.Properties)
{
switch ((UInt32)p.Value)
{
case 0:
return "has been added successfuly";//success
case 5:
return "access denied";//access denied
case 1801:
return "invalid printer name";//invalid printer name
case 1930:
return "incompatible printer driver";//incompatible printer driver
default:
return "unknown error";
}
}
return "unknown error";
}
catch (Exception ex)
{
return "exception caught";
}
}
After some research i found out that it is not possible to do that from a third machine. It must be done with a local logon.
I am having issues getting the groups from Active Directory via System.DirectoryServices
Originally I started my application on a computer that was registered on the domain, but as it was a live domain I did not want to do any writes to AD what so ever, so I set up a machine with Windows XP as the host operating system, and installed windows server 2003 on a VM.
I've added another Ethernet port in the machine and set up a switch, the 1 Ethernet port is dedicated to the VM and the other port is used for the host.
After configuring the IP addresses to get them communicating I transferred my application onto the host machine and fired it up, but I was getting an DirectoryServicesCOMException.
With the message that the user name and password was invalid :( just to check that it was not active directory I created a 3rd virtual machine and installed Windows XP, which i added to the domain with the credentials tested in the APP, works a treat.
So I thought it must be because the machine where the application is running is not part of the domain.
Heres the block of code that was causing the issue:
public CredentialValidation(String Domain, String Username, String Password, Boolean Secure)
{
//Validate the Domain!
try
{
PrincipalContext Context = new PrincipalContext(ContextType.Domain, Domain); //Throws Exception
_IsValidDomain = true;
//Test the user login
_IsValidLogin = Context.ValidateCredentials(Username, Password);
//Check the Group Admin is within this user
//******HERE
var Results = UserPrincipal.FindByIdentity(Context, Username).GetGroups(Context);
foreach(Principal Result in Results)
{
if (Result.SamAccountName == "Domain Admins")
{
_IsAdminGroup = true;
break;
}
}
Results.Dispose();
Context.Dispose();
}
catch (PrincipalServerDownException)
{
_IsValidDomain = false;
}
}
The information in the login dialogue is being entered like so:
Domain: test.internal
Username: testaccount
Password: Password01
Hope someone can shed some light in this error.
Update:
After checking the Security Logs on the server i can see that my log in attempts was successful, but this is down to:
_IsValidLogin = Context.ValidateCredentials(Username, Password);
The line after where im checking the groups is causing the error, so the main issue is that the lines of code below are not working correctly from a machine thats not joined to the network:
var Results = UserPrincipal.FindByIdentity(Context, Username).GetGroups(Context);
According to your code snippet, you're failing when you attempt to create the PrincipalContext, before calling ValidateCredentials. At that point the thread running your code is still working under either a local identity (if you're in a web process) or the identity you signed onto your machine with (for a windows process). Either of these won't exist on the test.internal domain.
You might want to try the overload of PrincipalContext that includes the username and password in the constructor. See http://msdn.microsoft.com/en-us/library/bb341016.aspx
I used to do quite a bit of user management via C# .NET. I just dug up some methods you can try.
The following two methods will get a DirectoryEntry object for a given SAM account name. It takes a DirectoryEntry that is the root of the OU you want to start searching for the account at.
The other will give you a list of distinguished names of the groups the user is a member of. You can then use those DN's to search AD and get a DirectoryEntry object.
public List<string> GetMemberOf(DirectoryEntry de)
{
List<string> memberof = new List<string>();
foreach (object oMember in de.Properties["memberOf"])
{
memberof.Add(oMember.ToString());
}
return memberof;
}
public DirectoryEntry GetObjectBySAM(string sam, DirectoryEntry root)
{
using (DirectorySearcher searcher = new DirectorySearcher(root, string.Format("(sAMAccountName={0})", sam)))
{
SearchResult sr = searcher.FindOne();
if (!(sr == null)) return sr.GetDirectoryEntry();
else
return null;
}
}
I need to change Logon user for a Windows service programmatically. And I am using the following code to do that:
string objPath = string.Format("Win32_Service.Name='{0}'", ServiceName);
using (ManagementObject service = new ManagementObject(new ManagementPath(objPath)))
{
object[] wmiParams = new object[11];
if (PredefinedAccount)
{
wmiParams[6] = "LocalSystem";
wmiParams[7] = "";
}
else
{
wmiParams[6] = ServiceUsername; // provided by user
wmiParams[7] = ServicePassword; // provided by user
}
object invokeResult = service.InvokeMethod("Change", wmiParams);
// handle invokeResult - no error up to this point
}
This code works in 90% of situations, but in some situations service cannot be started due to logon failure. There is usually no error on InvokeMetod but when we try to start the service we get the following error:
System.InvalidOperationException: Cannot start service X on computer
'.'. --> System.ComponentModel.Win32Exception: The service did not
start due to a logon failure.
The workaround solution is simple, we just need to enter the same credentials via Windows interface and problem is solved.
So my question is, has anybody experienced the similar problem with ManagementObject because it seems that in some situation it does not relate Username and password to windows service?
It's because the account has no "Log On as service" privilege. You need to use LsaAddAccountRights to add such privilege to the account.
Do you notice any patterns amongst those failures? Same machine? Same OS? Same user? Does the user have "logon as service" or "logon interactively" rights? Personally, I am not familiar with this method of specifying the user for a service. I would have thought you would have to restart the service, but I guess not if it works 90% of the time.