New local/ domain user needs to be created using a Web based application.
I have used System.DirectoryServices and System.DirectoryServices.AccountManagement namespaces to attain it.
So if I run the application using Visual Studio (2012) everything goes smooth (User is getting added to the active directory!).
But if I host the website in IIS and try to do the same operation, it throws an error message saying Access is Denied.
I did a research and found out the reason also - It is happening because the APPLICATION POOL Identity is set to an user who has only USER Privileges.
But due to security reasons user with ADMINISTRATIVE Privilege cannot be given as the Application Pool Identity in the application.
So, is there any alternative way to by-pass this Application Pool Identity and allow the user to create local/ domain user successfully.
Waiting for valuable reply/ suggestions.
Related
Its on win server 2012 R2 and researching says its IUSR_MACHINENAME which doesn't even come up when I try to add that to the folder's security list.
The error i'm getting is Access to the path denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
About the access error you mentioned, you can try this:
Make specific folders being accessed read/write for users who need it,
this can be done by a unique user or a group of users within an
organization. ex: right click and security tab, give IIS_IUSRS setting
read and write permissions on the folder. Or another way is that set
.Net Framework V4 in "Application Pool" to "Integrated" instead of
"Classic".
You can refer to this thread for the similar issue: ASP.NET is not authorized to access the requested resource when accessing temp folder
I have created a batch job and created the iorganisationservice object by just adding the service reference.
This works when I run it on visual studio while debugging, but when I copy the exe on the server and run it gives error:
The caller was not authenticated by the service.::Inner Exception::The request for security token could not be satisfied because authentication failed.
At line: contactEntityCollection = client.RetrieveMultiple(fetchExp);
Please help.
Whatever security context the exe is running under on the server will need to be a valid user in CRM. If it's a windows service set the account to a user other than LocalSystem in the services MMC tool. If it's running as a web application set the Application Pool to the dedicated account. If it's a scheduled task set it in the configuration of the task.
You can also specify an instance of the ClientCredential class providing username and password but I'd highly recommend you avoid this route as you'll be responsible for securing the password within your application.
I've managed to setup two virtual machines in my local windows 7 laptop. Both of them are Windows server 2008 R2. One acts as Active Directory Domain controller and also as Active Directory Federation Services, and one other as the web app server. This second one is where I've set up my claims aware asp.net mvc web application and I also plan to setup ThinkTecture Identity Server later as my way to authenticate against custom username and password outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include :
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
configure relying party trust identifier from federation metadata generated from FedUtil.exe in second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one that's always troubled me is that every time I access my apps, it successfully prompts login dialog box. Once I enter My AD account and password, it always gives me the following error message : "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work?? Any suggestion and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see an list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?
I created a brand new WCF web application with .NET 4.5.1
I have set in IIS the Authentication to Anonymous Authentication (enabled). All the other options are disabled. The web site in IIS is set to its own application pool which run under my credential. I am the administrator of the machine. The application pool is set to use version 4.
The url is
http://localhost:8885/Service1.svc
The port is good.
If I use the Process Monitoring I see this output for w3wp.exe:
Full Size here
Why do I get a 401 error, if I have the read-write access (the app pool is running my account)?
Server Error in '/' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\Users\Patrick\Documents\Visual Studio 2013\Projects\MyServiceA\MyServiceA\Service1.svc'.
To make it works, you have to create a website in IIS and inside Visual Studio, in the property of the project, you add a virtual directory.
After, if you go into IIS, you will see an application added to your website.
From here you can access your WCF services
http://localhost:8885/MyServiceA/Service1.svc
In my code I'm running under elevated privileges, to access other Web applications. But I get a security error when the web application user can't access the database (when ever I try to access a SPWeb object).
Is there a way to make sure (in code) that a user has access to the Content database of a web application before trying to access sites in a site collection on that web application?
No, you can't make sure of this in code. If you're having your web app pools running as different accounts then you need to impersonate the other web app pool accounts.