I'm having an issue deploying a WCF service to IIS on Windows Server 2016.
The service needs a private key, which location is configured as follows:
<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="..." />
I'm getting the famous error "Keyset does not exist", so I googled and doubled checked permissions etc.
The certificate is correctly placed in LocalMachine/Personal/Certificates. Primary Key export is allowed.
I granted primary key permissions to the APPPOOL identity and IIS_IUSRS.
I evenn tried granting full access to "Everyone".
I also tried running the application pool under my administrator account.
No luck.
I tried creating a small C# console application that reads the certificate, the primary key, and exports the primary key.
That works.
So I'm out of options now.
Any suggestions that might solve this?
The application is running as a application of a parent site, but with it's own dedicated app pool. Granting private key permissions to the parent site's app pool, fixes the issue. It doesn't make any sense to me, but at least it works now...
Related
The goal here is to: Assist client in configuring his Key Vault so that he would be able to enable TDE encryption and access it over the government portal url
Customer Verbatim:
"I am running into an issue when trying to enable TDE for SQL Server 2016. I have attached a few files with show the problem. Basically the problem is when SQL tries to connect to the Azure Key Vault it is using the public suffix (azure.net) instead of the the govcloud suffix (usgovcloudapi.net).
How do I force it to use the correct URL?"
https://vant4gekeyvault.vault.usgovcloudapi.net/
I think the issue is this is a gov tenant and he's stuck using the commercial URL but we were unable to force the correct URL. I sent him instructions on how to
Set-AzureRmEnvironment for AzureKeyVaultServiceEndpointResourceId as *.vault.usgovcloudapi.net, should be https://vault.usgovcloudapi.net.
but that didn't seem to work. I may be way off on this assumption too, as I'm not really that great in KV. Any Ideas or a known fix?
Here is his error message:
---SQL
Msg 33049, Level 16, State 2, Line 17
Key with name 'SqlTDEKey' does not exist in the provider or access is denied. Provider error code: 2058. (Provider Error - No explanation is available, consult EKM Provider for details)
---EVENT LOG
The description for Event ID 2 from source SQL Server Connector for Microsoft Azure Key Vault cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Vault Name: EKM Operation
Operation: SqlCryptGetKeyInfoByName
Key Name: N/A
Message: Error when accessing registry:5
Read the message again, the account doesn't have permission to modify the registry. It's an issue introduced in the feb release of the connector. I ran into a similar issue, the provider tries to create a registry key but doesn't have permissions to do so, therefore it fails. Try the following steps taken from this blogpost [1]
Open regedit
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
Create a new Key called “SQL Server Cryptographic Provider” (without quotes)
Right click the key, from the context menu select ‘permissions.
Give Full Control permissions to this key to the Windows service account that runs SQL Server
[1] https://www.visualstudiogeeks.com/devops/SqlServerKeyVaultConnectorProviderError2058RegistryConsultEKMProvider
we have an existing production environment MFP7.1. We have decided to use authentication and session independence.
Now the problem is a handful of devices are now getting “Access Denied” I understand this is because the server does not recognize the device, but the server has not changed, what other instance would cause this problem.
These are people that already have the app deployed on their phones..
FWLSE0376E: JWS signed ClientId signature does not match the client ID [project sonepar] Seems to be the error on server.
The immediate resolution from a user perspective is to delete the app and reinstall it.
#tik27 You mention you "update the server with Session Independence and added adapter authentication code.", and this is enough to (in the lack of better terms) trigger an invalidation of the authentication session token between the server and the application.
Specifically, it also happened to a project I worked on when I went from unprotected adapters to protected ones, and the only solution I found was to reinstall the app.
BLUF
Our application is attempting to write a file to a UNC folder using an ASP.NET web service running under .NET 4.5, IIS 7.5, and Windows Server 2008 R2. However, any attempt to write the file to the desired location results in an access denied exception.
The task seems simple however me and my team have been troubleshooting this for a while now and we are stumped as to what may be causing the error. Below are the details of our setup and what we have tried and found so far. Names have been changed to protect the innocent.
Environment Setup
The web server, mywebserver, has a website named My.Site.Com with a corresponding application pool named My.Site.Com. The application pool is configured as shown below.
.NET Framework Version : v4.0
Enable 32-bit Applications : False
Managed Pipeline Mode : Integrated
Name : My.Site.Com
Identity : ApplicationPoolIdentity
Load User Profile : False
The UNC path we are attempting to write to is \myotherserver\mydirectories\output where mydirectories is the actual share. On this share a domain group named mygroup-www has been granted full permissions to the share and all subfolders. The machine account (i.e., mywebserver) is a member of this mygroup-www group.
NOTE: For the moment, this UNC path actually lives on the same
machine, mywebserver. However, this will eventually be moved to a machine other
than mywebserver in our test environment and in the production environment
when that it is ready. Currently, I only have the one test environment to troubleshoot with.
The error can be replicated by executing the following code.
[WebMethod]
[ScriptMethod(UseHttpGet = false, ResponseFormat = ResponseFormat.Json)]
public string ExportReport(int reportId)
{
try
{
string output = ConfigHelper.OutputPath + "test.html"; // UNC path
string url = ConfigHelper.VirtualPath + "test.html";
string[] lines = { "Hello", "World!" };
File.WriteAllLines(output, lines); // Access Denied!
return url;
}
catch (System.Exception ex)
{
Logger.ErrorException("Error exporting report", ex);
throw;
}
}
Troubleshooting
Failed Attempts
We tried various combinations of group/user permissions on the folders (listed below). When running these tests we also ran Process Monitor. For each configuration we saw the same result. The w3wp.exe process attempted to create the file in the desired location but reported a result of ACCESS DENIED. The user of each configuration was IIS APPPOOL\My.Site.Com as expected.
Granting mydomain\mymachine$ full permissions to \myotherserver\mydirectories
Granting mydomain\mymachine$ full permissions to \myotherserver\mydirectories\output
NOTE: I have also tried modifying the code so that it would read a
simple file from \myotherserver\mydirectories\output. When
attempting to read the file, the process fails with an ACCESS DENIED
message as it did when writing the file.
Successful Attempts
We also tried several configurations that worked.
Grant the local IIS APPPOOL\My.Site.Com permissions
The first configuration to work was to grant the IIS APPPOOL\My.Site.Com full permissions to \myotherserver\mydirectories The file was successfully written however the process's user was quite unexpectedly a domain account that was set up for a web application on the same machine in another website. This remains very confusing but worked as the 'other' account also has write permissions to the share.
This won't work in production as we cannot use local accounts to grant access to networked resources but is an interesting data point nonetheless.
Change the App Pool Identity to Domain User
The second configuration that worked was to change the My.Site.Com application pool's identify to domain account that had full permissions to \myotherserver\mydirectories. This was a 'vanilla' domain account that was manually created by us. We did not capture what the user of the process was but that may be another useful data point.
This option may be possible, however it breaks away from best practices with IIS 7.5 and may not be allowed in our production environment due to fairly stringent IT policies.
Run the Site On My Development Machine
The third test was to run the site locally on my development machine, mydevmachine. My local IIS configuration is identical to mywebserver with the exception that I am running Windows 7 instead of Windows Server 2008. I granted full permissions for mydomain\mydevmachine to the \myotherserver\mydirectories and ran the application. The file was successfully written. According to Process Monitor the user for the process was correctly set to IIS APPPOOL\My.Site.Com.
Conclusion
We would like to enable write access as designed using the machine account of mywebserver. We have read ApplicationPoolIdentity user cannot modify files in shared folder in Windows Server 2008 and Permissions for Shared Folder for IIS 7 Application Pool Identity Across Domain and Application Pool Identities.
According to this information we should be able use the machine account to grant read and write access to networked resources such as the UNC path. In fact, I can do this in the desired manner when running the web site from my development machine.
There are a couple thoughts that come to mind. Perhaps there is something wrong with the machine account of the test web server. Or perhaps that 'other' software is interfering with the process somehow.
Any thoughts as to what may be causing this issue? What else should we do to troubleshoot?
Reboot your 'mywebserver'.
Marvel at the now mysteriously functional ApplicationPoolIdentity.
Install MS HotFix KB2545850 and learn the details about this bug in KB2672809 which also shows the steps to reproduce and demonstrate this apparently random problem. Direct download link here.
Speculate why Microsoft has not managed to release a normal windows update for this in the 3 years since that hotfix was published. While people still continue running into it and pulling their hair out because of this obscure problem.
Learn about the other folks who have shared and enjoyed this gift from MS that still continues to keep on giving:
IIS application using application pool identity loses primary token?
DirectoryServicesCOMException 80072020 From IIS 7.5 Site Running Under ApplicationPoolIdentity
ApplicationPoolIdentity cannot access network resources
ApplicationPoolIdentity IIS 7.5 to SQL Server 2008 R2 not working
Windows Authentication Failed when using application pool identity
IIS 7.5 stops using machine account to connect to network resource when using AppPoolIdentity
Your Windows 7 dev machine probably worked fine because it reboots more often than the server. Congrats on your very well written and thorough bug report. I rarely see that here.
I had similar problem accessing a network share using AppPoolIdentity in an ASP.NET application (access denied).
Using NetworkService account or other domain account worked but these were not the best solution.
I performed almost all the tests you did but finally found something that worked.
I figured out that the Network Service account was not used when accessing the shares, just like you did (i expected domain\machine$ account)
This worked for us:
On your IIS web site, go to Authentication and change the Anonymous Authentication item to "Application Pool Identity". It's by default set to "IUSR". This solved our problem.
Also maybe activating ASP.NET impersonation (still in Authentication menu) may help.
Thibault
I have faced same issue, I resolved by creating one domain account for each environemt (QA, STAGE, PRODUCTION). In Application pool identity I have set custom account and I used domain user for respective account. Now It gives me the ability to write and read the files from UNC Path.
I have a MVC Web Application deployed to a 2003 Server running IIS 6. There is an inconsistent behavior that started this week when we created a new Domain service account with God rights to be used as the identity for the Application Pool and the Anonymous User for the Website with Integrated Authentication set. This Service account has also been added to the SQL users with full rights to the data.
The inconsistent behavior is that the Web Application will run fine, hitting the data, etc..., then out of the blue the Application Pool gets automatically disabled. I check the event logs on the server and sure enough I see two warnings and an error saying that the Identity is INVALID and that the pool was disabled.
I turn it back on and then try to browse to the Website again and BOOM! It does it again. We finally after three attempts lock the account out and have to unlock it. Then it spirals back to the same issue.
Any ideas? Because I'm at my wits end!
This problem might be solved because the question is old, but anyway.
Try manual login with username and password, then
reapply the identity on the application pool, answer yes to apply user rights if questioned, restart the application pool and check the eventlog for errors.
Make sure the useraccount has the appropriate user rights , there will be complaints in the eventlog otherwise. Also make sure allow login to on the user account has the server entered or allow any.
Thanks
Andreas
I have a WCF service which I install via cmd line, due to installment on many servers!
When installing application pool and configuring it, I set a custom account on the process model identity, which is just an account with local administrator rights!
But when I try to browse the service just to see the front service page I get a Service Unavailable message with http error 503, which is a server error which again comes from an event id 5021, which states that the identity for the service's application pool is invalid due to either incorrect username/password or the user may not have batch logon rights.
Ergo, the error has to do with the user identity! When I change Identity to NetworkService there is no problem. I cannot either manually set the Identity to the user...
My cmd line looks like:
c:\Windows\System32\inetsrv\appcmd add apppool /name:"calendarproviderservice" ^
/autostart:"true" ^
/managedRuntimeVersion:"v4.0" ^
/processModel.idleTimeout:"24:00:00" ^
/enable32BitAppOnWin64:"true" ^
/processmodel.identitytype:"SpecificUser" ^
/processModel.userName:"PlannerAdmin"
Anyone has a clue...?
Cheers, Finn.
It's been a while, but I finally solved my problem! Unfortunately I didn't sketch the hole scenario in the main question because I didn't think it mattedered in the context. But it did!
The scenario was that my server was a deployed server with a base configuration including IIS 7.5! And this is the problem!
When you try to set the application pool identity to a domain account, IIS has to keep a local copy of your username and password. This is stored in IIS applicationHost.config in encrypted format. In the encryption IIS uses the machine specific keys in iisConfiguration and iisWasKey containers. When this applicationHost.config is moved to a different server (in this case the deployed server on new hardware), IIS can no longer decrypt the password because of the new machine keys.
One can export configuration Keys, but I already deleted the base server I made an image of!
So the lesson learned here is: If you have to deploy many servers with IIS on, make a base image WITHOUT IIS, and script the IIS on the server after deployment!!!
Cheers, Finn.
PS. Dominik, sorry that I wasn't that clear on the intro question!
Have you assigned the user to the local IIS_USRS group?