We developed an ASP.NET application that runs fine on our development server and in our network computers. But in production, the application works when accessing it directly from the web server but not on the clients (code behind is not executing).
Any hints?
TY
Framework is 3.5
the application works when accessing it directly from the web server but not on the clients (code behind is not executing).
This sounds like a security permissions issue.
Check to see where the website is installed. C:\inetpub\wwwroot has the proper execute permissions by default. For security reasons, many corporations like to set a policy that websites have to be installed elsewhere [1]. When setting up websites outside of the default folder, add "read & execute", "read" and "list folder contents" permissions to IIS_WPG, IWAM_server_name, IUSR_server_name and ASPNET accounts. Sometimes NETWORK SERVICE needs to be added to the collection.
When you run logged in locally, the application is running with the logged in user's credentials. When hitting the website remotely, the application is trying to run with the account shown in the Authentications dialog (in IIS manager, right click the web site/application, then properties, then directory security tab, then click "edit" on the "authentication and access control" bit). Usually, "enable anonymous access" is clicked and the "user name" is IUSR_server_name.
Notes:
1 - So that when some hacker uploads malevolent code to C:\inetpub\wwwroot, the code does nothing because the websites aren't there.
hmm, "static web site" + button click = no code behind + hyperlinks
check the hyperlink paths as [Wim Hollebrandse] mentioned UNC!!
Is the application correctly configured in the IIS manager?
The application has to be created and the .NET framework has to be enabled and set to the right version.
That doesn't make any sense. Please don't tell me your clients are browsing to your website over a UNC network path/share instead of over HTTP...
Another reason could be that the clients (assuming they're on a different subnet than the working ones) end up on a different box because of some DNS or NAT issues, whilst you assume they end up on the correct server. Try connecting to the IP address instead of the DNS hostname.
Here's a list of questions that may help narrow down where the problem is:
Have you checked using Fiddler or other network tools to ensure that a request is going to the server when a button is clicked on a client's machine?
Are you sure there isn't a firewall or JavaScript issue here? If the client is using NoScript, this could cause the problem, I think.
Is the same browser being used on the server and client's computers?
Is there anything fancy about the button on the page, e.g. is it an AJAX callback?
I've viewed a few of the other IIS reverse proxy with windows authentication posts on here and they don't seem to be what I'm trying to do. Hopefully someone will be able to help or spot what I'm not doing or doing wrong.
I've got a server which has a website running on port 80 which I need to present a number of other web applications on. I cannot create new hostnames so I created a virtual directory in the site which pointed to my web apps, however the root site is using .net2.0 app pool which must stay as .net2.0 whereas my ASP.NET MVC apps all need 4.0 app pools. As per the web.config inheritance problem this is not working and I cannot change the web.config in the root to ignore propagation to child web.configs - with me so far? ;-)
To cut a long story short I've now got a virtual directory in my port 80 site which is acting as a reverse proxy to another site on port 81 and this is working fine for anonymous connections. I've tested it with a simple HTML page and I can access it and the url re-writing is working on links in the HTML page, all good so far.
Now I need to enable windows authentication on the port 81 site, so I followed the instructions similar to what is in these links on MSDN site to configure SPN's for the domain account I'm using (DOMAIN\testaccount) and other IIS config's:-
link 1
link 2
The problem is that all I get now is the good old error message:-
Access is denied. Description: An error occurred while accessing the
resources required to serve this request. The server may not be
configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34280
I've tried creating a test aspx page which just outputs the server variables to the response but even this is not working.
I can't find anything else to try, initially I thought I'd have to get Kerberos sorted to pass the details from virtual directory to site on port 81 but the MSDN posts say this is not needed, just the SPN's.
Anyone any ideas?
This turned out to be something very simple and me being dumb for not checking! :-)
I spent days trying to figure out why this wasn't working, not sure why I didn't try earlier but I changed the application pool it was running under to use .net2.0 and then my test aspx page worked!?!
Turns out in IIS manager if you click on the root server node itself that under 'ISAPI and CGI restrictions' feature settings that the .net4.0 DLL's were set to 'Not Allowed' but the .net2.0 DLL's were 'Allowed'! I just enabled the .net4.0 changed the application pool back and then voila it works.
I'm running a web application developed on ASP.NET; C# and SQL Server 2008; on Local Host on a Network.
It is showing an error 500.19 for some Permissions...
Can anyone help me out to solve this and run my website on localhost without hosting it online.....Have a look, What's the error is...
It might be the issue of permissions for the directory/files for your application.
Make sure you have given the full permission to the users types that will be accessing the application.
For adding/editing permissions, you can navigate to the concerned folder and right click on it, select properties and then go to security tab wherein you can edit the permissions of existing users as well as add new users with specific permissions.
Also, if you have your application hosted on IIS, there is also an option for changing permissions which will again, open the folder for you and you will have to follow the same steps as mentioned above.
Hope this helps.
Such an issue occurs when some wrong or duplicate element is added in the web.config file.
Verify your web.config file.
Also confirm execute version of virtual directory (32 Bit / 64 Bit)
I have created a site on my local machine that works fine in debug mode, but when I put the site on the local IIS (7.5) of my machine I get
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Authentication Settings
I have windows impersonation and windows authentication enabled and everything else in that section is disabled
All the folder have full permissions
Can anyone tell me what's going on?
As a quick and dirty fix, grant the IIS_IUSRS group Read/Execute or Modify permissions to your web folder... BUT DON'T DO THIS ON AN INTERNET FACING SERVER, read on....
To fix this properly you should grant the Application Pool Identity for your site Read/Execute or Modify permissions to your application's web folder. To do this:
1. Open IIS Manager, navigate to your website or application folder where the site is deployed to.
2. Open Advanced Settings (it's on the right hand Actions pane).
3. Note down the Application Pool name then close this window.
4. Double click on the Authentication icon to open the authentication settings.
5. Disable Windows Authentication.
6. Right click on Anonymous Authentication and click Edit.
7. Choose the Application pool identity radio button then click OK.
8. Select the Application Pools node from IIS manager tree on left and select the Application Pool name you noted down in step 3.
9. Right click and select Advanced Settings.
10. Expand the Process Model settings and choose ApplicationPoolIdentity from the "Built-in account" drop down list then click OK.
11. Click OK again to save and dismiss the Application Pool advanced settings page.
12. Open an Administrator command line (right click on the CMD icon and select "Run As Administrator"). It'll be somewhere on your start menu, probably under Accessories.
13. Run the following command:
icacls <path_to_site> /grant "IIS APPPOOL\<app_pool_name>":(CI)(OI)(M)
For example:
icacls C:\inetpub\wwwroot\mysite\ /grant "IIS APPPOOL\DEFAULTAPPPOOL":(CI)(OI)(M)
If all is good icacls.exe will report:
processed file: c:\inetpub\wwwroot\mysite
Successfully processed 1 files; Failed processing 0 files
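An added example, not part of the answer above: a small Python audit of captured `icacls <path>` output that checks the two points the answer makes, that the application pool identity holds the grant and that broad groups such as IIS_IUSRS or Everyone do not hold write access. The sample output and the list of "broad" principals are constructed assumptions for illustration.

```python
import re

# Inheritance markers icacls prints before the rights group.
INHERIT = {"I", "OI", "CI", "IO", "NP"}
# Assumed list of principals wider than one site's worker process.
BROAD = {"everyone", "builtin\\users", "builtin\\iis_iusrs",
         "nt authority\\authenticated users"}
WRITE = {"F", "M", "W"}        # full control, modify, write
READ_EXEC = {"F", "M", "RX"}   # rights that include read & execute
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([A-Z,]+\))+)$")

def parse_icacls(output, path):
    """Return [(principal, rights)] for the allow ACEs in `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first ACE shares the path line
        m = ACE.match(line)
        if not m:
            continue                          # blank or summary line
        groups = re.findall(r"\(([A-Z,]+)\)", m.group("groups"))
        if "DENY" not in groups:              # deny ACEs grant nothing
            rights = {r for g in groups for r in g.split(",")} - INHERIT
            aces.append((m.group("who"), rights))
    return aces

def audit(output, path, app_pool):
    """List broad write grants and a missing grant for the app pool identity."""
    findings, pool_ok = [], False
    identity = ("IIS APPPOOL\\" + app_pool).lower()
    for who, rights in parse_icacls(output, path):
        if who.lower() == identity and rights & READ_EXEC:
            pool_ok = True
        if who.lower() in BROAD and rights & WRITE:
            findings.append("broad write: %s %s" % (who, sorted(rights)))
    if not pool_ok:
        findings.append("no read/execute grant for IIS APPPOOL\\" + app_pool)
    return findings

# Constructed sample output, not captured from a real server.
SAMPLE = r"""C:\inetpub\wwwroot\mysite BUILTIN\Administrators:(OI)(CI)(F)
                          BUILTIN\IIS_IUSRS:(OI)(CI)(M)
                          Everyone:(OI)(CI)(F)
                          BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
```

Calling `audit(SAMPLE, r"C:\inetpub\wwwroot\mysite", "DefaultAppPool")` reports the IIS_IUSRS and Everyone write grants and the missing app pool identity grant.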
In my case this had nothing to do with permissions. This is the "loopback check" protection. The problem was because I was connecting from the local machine that had the IIS.
Symptoms are: You connect and you get a browser prompt to insert credentials 3 times, then an HTTP 401.1 error.
Testing from a different computer works well.
Some sites will tell you to disable the "loopback check", but instead you have to add the FQDN domain you're connecting to to a whitelist, as described in this serverfault response:
https://serverfault.com/a/485011/415362
I also had the same issue. I simply removed the application, created a new folder and hosted it again. Problem solved.
Somewhat late in coming, but an alternative that I sometimes forget is time difference. In a domain environment, run "Net Time /SET" to synchronise with the AD Box.
Additional Reading:
For all of this to work and to ensure security, the domain controllers and clients must have the same time. Windows operating systems include the Time Service tool (W32Time service). Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time parameters. The default is five minutes. You can also turn off the Time Service tool and install a third-party time service. Of course, if you have problems authenticating, you should make sure that the time is correct for the domain controllers and the client that is experiencing the problem.
(Source: https://sourcedaddy.com/windows-7/server-authentication.html)
Heavier Reading:
.... In addition, IT professionals should understand how Windows Time Service works because Kerberos security is highly dependent on time services. ....
(Source: https://redmondmag.com/articles/2012/02/01/understanding-the-essentials-of-the-kerberos-protocol.aspx )
I finished my very first C# project in VS 2008 and it is working well now. But now I need to publish this project onto my new website. This project is a web application that interacts with my SQL Server 2008 Adventureworks database on this same computer (XP Professional OS). I am running IIS 6.0 Manager, but I am a newbie to both IIS 6.0 and VS 2008.
I began by right-clicking the application in VS and selecting "Publish", but I've just selected File System, cause choosing Local IIS forces me to enter Username and password.
The problem is that I can't open this website from IIS without it prompting me for username and password. I have modified machine.config file several times in the processModel section, by setting username="D610-M\ASPNET", password="AutoGenerate". But this makes me enter built-in password when I try to view it. And I don't know what built-in ASPNET password is. When I cancel this password popup, it returns:
HTTP 401.1 "You are not authorized to
view this page."
And I've reset the ASPNET password several times. First I tried setting it to a password I knew, then I ran the aspnet_regiis command to reinitialize it. I also tried substituting other usernames and passwords, but none of them have worked. I even tried entering "SYSTEM" for username and AutoGenerate password, but even this prompts me to enter password. I have added the ASPNET user Read/Write/List permissions to all relevant folders. And I tried to create a new website pointing to http://localhost/[AppName], but this forces me to enter password. So no getting around that password.
I have modified Properties for Default Website in IIS: Home Directory pointing to my application in VS 2008 folder and Application Protection = Low. On Directory Security tab, I set username to D610-M\IUSR_D610-M and I checked "Enable anonymous access." I unchecked the Allow IIS to control password.
And I have read a lot of MS URLs and other websites to see if I could answer these problems myself, but none of their helps worked either. This should be simple. I'm just trying to add my web application to my website. I know that my website works cause I installed a default website with basic HTML and it works.
What else can I try in order to add this web app to my website?
One important limitation to remember is that you are only allowed one website on IIS6 on XP.
If you have edited your machine.config you have introduced too many new variables into the equation to properly troubleshoot the problem (not that editing machine.config in itself is harmful, but it's an indication that there's a bit of shotgun approach to the problem).
You need to start out by wiping your slate clean and making sure that you have an otherwise working system. Browsing an HTML page does not prove much as running HTML and running ASP.NET are like apples and bicycles.
The best that I know of for doing this is uninstalling and reinstalling IIS and whatever .NET framework you are on. If you are on 3.5 you should do this for both two and three point five. If you can you need to put machine.config and every version of web.config (except the one in your web app itself) back to their defaults. There is nothing there you should need to edit to run an ordinary ASP.NET app.
Once you think you have a tabula rasa and can browse an html page, then change its extension to .aspx and see if you can still browse it.
My last suggestion for today is:
As a poster above said set your ACLs on the folder where your website is (typically c:\inetpub\wwwroot) so that the group "Everyone" has "Full Access". Don't leave it this way, even on your own machine, but it takes file permissions out of the equation. If you are still having problems let me know, but basically you need to start from a "known good" state if you ever hope to get this problem resolved.
I am not sure if this is it, but.... I have seen this error myself and it is usually caused by not having the ASP.NET version set to 2.0 in your Website properties under the ASP.NET tab. This setting is often defaulted to ASP.NET 1.1 which would cause this error to occur. Note that even though you are using Visual Studio 2008, the ASP.NET Version still needs to be 2.0 in IIS. I would double check this setting.
Usually, I recommend the initial build to be to a location in C:\ (example being C:\MyFirstApplication). You also need to make sure the "Network Service" has permissions to that folder. Placing the application in the projects (or whatever) folder in your personal documents list is asking for permissions and access issues. Try that and see if it works!
You need to set root level folder permissions on your web site. Navigate to the folder that holds your web site, right click, permissions, security tab. Make sure that you have asp.net, anonymous user, Internet Guest Account (computer\iuser_{something}) and network service in the allowed roles.
As an aside I suggest that you pre-compile your site before posting it to your web server. This is a security precaution and a performance booster. Getting into this habit will be a good thing for you in the long run. It keeps people from tweaking the code on the server. There is a good utility here to make this easier: http://www.west-wind.com/tools/aspnetcompiler.asp
I believe this is pretty much the same as the question posed by him earlier here
You do not have permission to view this directory or page using the credentials you supplied.
It looks like you are trying to access files over network by IIS, however to do that, in network share you will need to add IUSER_ , IWAM_ or ASPNET user permissions as well.
I had the same problem, but neither giving access to Network Service, nor to IUSR helped me. I was trying to deploy an ASP.Net 4.0 web application with Forms Authentication on IIS7 on Windows Server 2008. What solved the problem was providing read and script permissions to the handlers, which can be accomplished by opening Handler Mappings and then selecting "Edit Feature Permissions" from the right menu.
Probably because you don't have permission... If this is unexpected, provide some more information and we can help.