I have a MVC Web Application deployed to a 2003 Server running IIS 6. There is an inconsistent behavior that started this week when we created a new Domain service account with God rights to be used as the identity for the Application Pool and the Anonymous User for the Website with Integrated Authentication set. This Service account has also been added to the SQL users with full rights to the data.
The inconsistent behavior is that the Web Application will run fine, hitting the data, etc..., then out of the blue the Application Pool gets automatically disabled. I check the event logs on the server and sure enough I see two warnings and an error saying that the Identity is INVALID and that the pool was disabled.
I turn it back on and then try to browse to the Website again and BOOM! It does it again. We finally after three attempts lock the account out and have to unlock it. Then it spirals back to the same issue.
Any ideas? Because I'm at my wits end!
This problem might be solved because the question is old, but anyway.
Try manual login with username and password, then
reapply the identity on the application pool, answer yes to apply user rights if questioned, restart the application pool and check the eventlog for errors.
Make sure the useraccount has the appropriate user rights , there will be complaints in the eventlog otherwise. Also make sure allow login to on the user account has the server entered or allow any.
Thanks
Andreas
Related
I have a simple VB.net console application that displays the current user, waits for key input, and then exits. It uses the following call to display the information:
System.Security.Principal.WindowsIdentity.GetCurrent.Name.ToString()
If I create a remote app hosting this application, and create an azure user that has rights to run the remote app such as;
thisisa#test.onmicrosoft.com
When this user connects to the remote app the output of the line of code above would look something like;
YLSDAAYU0007\thisisa_000
Is there anyway of reading the user running the remoteapp at the time? in this case, I am looking to obtain thisisa#test.onmicrosoft.com ?
Catalin from the RemoteApp team here. You have stumbled across one of our implementation details here :)
Windows does not allow automatic login with Azure Active Directory (AAD) users: they only allow users that have Microsoft Accounts or domain accounts in case the collection is domain joined. We are working around this limitation by creating a local user on the VM and logging in with that user instead of the AAD user.
If you have any more questions about this, feel free to contact me: catalda @ microsoft com
I'm just in the process of trying to properly configure asp.net 4.5 on our IIS servers.
I have been able to navigate and launch an ASPX page that contains no data conenctions sucessfully so I know that the application pool authentication to the local directories is working as it should.
Now though I have a seperate SQL server that is connected to the domain and have a connection string stored in the code that connects the ASPX page to the server using a trusted connection. When running in visual studio debug mode, the connection works fine - but at that point I assume it is using my login credentials.
My question is, when a user calls the aspx page via the browser when hosted on the new IIS7 server, which account is used to call the SQL server when using a trusted connection? - Is it the end users or is it a local account from the IIS server?
When I call a page with data connections embedded I get the error: Login failed for user ADMIN\PCNAME$ ... which is an indication that this is the account that it is using. However this account doesn't exist on the domain that I'm aware of. - Or does it ?!
Thanks in advance,
It will use the account that ASP.NET is running under, as you've worked out. What you usually should do is create a Domain Account (with the right privileges) and run your ASP.NET AppPool under that account. Then a Trusted Connection will use that account for connecting to the database, and as long as you've given it access (which as a Domain Account you can do) it should all work.
Added:
After some back and forth on comments, lets go back to the start: set the new AppPool to run with the domain users account, and recycle the AppPoolo. What is it that says the password is wrong? If it's IIS trying to start the AppPool, then it is extremeny likely that the Password you gave the AppPool IS wrong, or else that the password is set to change on first logon.
If its not IIS, but opening a Database connection, are you sure that the database allows this Domain Account access to the database and the tables within it it will need? What roles have you assigned to this account? Also, what SQL statement is it trying to execute (if it's got far enough to try and execute a statement at all)?
I suggest you put any response in you original question - comments get to be a drag if there are too many of them.
I have written my own windows service which interacts with a SQL database and updates it. The service was running fine and seems to be functioning correctly, however of late it seems to go down at random times and cannot restart due to the error designated in the question. I have tried various searches to fix this, but unfortunately I have come up with nothing. The aim is to eventually having this service running on my companies server, but I can't adjust any server settings, I am but a user on the server, so I have restrictions to some settings.
Any quick fixes, would be helpful!
Open the Services Manager. ( Win + R, then type services.msc )
Then right click on the SQL Server process and click Properties
Then go to Log On, and select This account:
Then click Browse, and add your username in the box. (Notice it should contain the domain, in my case is AD\myusername), then Check Names and accept.
Finally type your password in the other two fields, and that's it, you should have permission to start your process now.
Cheers!!
One issue for us was the format of the account user name, we initially used
domain\username
and got the 1069-logon error, then ultimately I tried validating the user name in the properties | logon tab of the Service (in Control Panel / Service Manager), using the "Browse" and "Search" for the user name and it turned it suggested and validated ok with the reverse format
username#domain
This also worked and resolved the 1069 error, and let us script the startup using sc.exe.
Error 1069 is vague and can have different causes. I am sharing my experience here.
I encountered this error when trying to get a service to run under my account (I am trying to get my services to see the same LocalDB as interactive processes running on my account for development purposes). I use an MSA (Microsoft Account) with Windows’s PIN login normally, so I rarely enter my Windows password. To resolve the issue, I locked my screen, selected Password input instead of PIN input, and then entered my password. I assume this somehow reminded Windows what my password was and made my local account more legit.
Before doing this, you need to configure the user account in question to have the Logon as Service privilege. To do this, open the Group Policy Editor. Expand Computer / Windows Configuration / Security Configuration / Local Policies / User Permissions Assignment and then open Login as Service. From there, you can add your user in question.
also check for "Deny Logon service" policy.
user should not be added over there
We had this issue as well because the account was set so that the password expired. After we updated the account to not expire and set the password this error stopped.
The account could also be locked out. To unlock it, you only need to change that user's password (new and old password can be the same).
What also worked for me was re-entering the password in the services->LogOn window. Even when you think the account and password is correct, re-entering it will re-grant the account permission to log on as a service.
Something happened on my development workstation (Windows 8.1) in the last few weeks which require me to either run my App Pools with the "Load User Profile" setting at False or not run with the identity set to ApplicationPoolIdentity. If I were to create a new app pool, using ApplicationPoolIdentity as the identity and with loadUserProfile=true, the following happens when trying to load the application in a browser:
A number of errors in the Windows Event Log (both System and Application types):
Warning event 1509 - Windows cannot copy file \\?\C:\Users\Default\AppData\Local\Microsoft\VSCommon\12.0\SQM\sqmdata-7236-039-00000.sqm to location \\?\C:\Users\[Name of App Pool]\AppData\Local\Microsoft\VSCommon\12.0\SQM\sqmdata-7236-039-00000.sqm. This error may be caused by network problems or insufficient security rights.
Error event 1511 - Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Another 1509 warning
Error event 1500 - Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly. DETAIL - Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
5 x event 5022 warnings - The Windows Process Activation Service failed to create a worker process for the application pool '[App Pool Name]'. The data field contains the error number.
Finally an error 5002 - Application pool '[App Pool Name]' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
The App Pool is shut down, as the error 5002 said
"HTTP Error 503. The service is unavailable." is then seen in the browser. Any further requests are met with the same (which makes sense since the app pool is shut off).
I've seen a common "fix" for this here and here which basically say to turn off profile loading. Yes it makes the problem go away, but this doesn't get to the root cause. I know that it is possible to run with this configuration as a I have a Windows 2012 machine which supports the configuration just fine. In this case, hitting an app with a new app pool set to ApplicationPoolIdentity and loadUserProfile=true actually creates the new user profile (I can watch as the profiles folder is created in C:\Users) and the app runs merrily. What's worse is I know this configuration worked on the problem machine just a few weeks ago. I have a number of App Pools I created which have their own profiles and folder under the C:\Users folder. These app pools work just fine NOW with the ApplicationPoolIdentity and loadUserProfile=true settings. It's just that NEW app pools refuse to run and load a user profile.
Does anyone have any insight to what might be going on?
Edit: I read the bottom of this recent article. It's a bit contradictory in saying that the setting can be turned on, but also says:
Only the standard application pools (DefaultAppPool and Classic .NET AppPool) have user profiles on disk. No user profile is created if the Administrator creates a new application pool.
However, if you want, you can configure IIS application pools to load the user profile by setting the LoadUserProfile attribute to "true".
I'm very confused.
The SQM file listed in the event log warning was created by a Windows or Visual Studio update. When the user profile service or application pool runs and tries to create a new profile, it tries to copy the file to the profile. The SQM file requires administrator permissions to copy. The user profile service or application pool does not have sufficient permissions to copy the file, an error is generated, and the user profile is not created. Without a user profile, the application pool cannot run because it doesn't have an isolated secure place to store data.
Remove or delete the SQM file from the source directory, and the user profile will be created successfully when the app pool is initialized. You can also change the permissions on the SQM file, but I'm not sure what the appropriate permissions should be. The user profile service runs as "LocalSystem Account". See its documentation for permission info. It's unclear to me whether the application pool identity itself is being used to perform the copy operation, or the local system account.
If you remove the file from the source directory, you could also manually copy the file where it was trying to go as well.
After a very brief search about what SQM is, it seems like it is traditionally used as "service quality management". Usually it would contain information to send back to the program authors with metrics, logs, or somesuch. I don't know if this is the case with this file or not. So it doesn't seem like it's important to include it in the new profile.
I can't take 100% credit for this answer, as I was tipped off by a comment attached to an answer on some other question. I can't find the link to it in the 50 browser tabs open for troubleshooting this. That guy deserves a thank you, because I believe this is a much better solution than compromising the security of a server by pooling all the resources together like in IIS 6.
P.S. As noted in your comment, a bug report has been filed.
I have a WCF service which I install via cmd line, due to installment on many servers!
When installing application pool and configuring it, I set a custom account on the process model identity, which is just an account with local administrator rights!
But when I try to browse the service just to see the front service page I get a Service Unavailable message with http error 503, which is a server error which again comes from an event id 5021, which states that the identity for the service's application pool is invalid due to either incorrect username/password or the user may not have batch logon rights.
Ergo, the error has to do with the user identity! When I change Identity to NetworkService there is no problem. I cannot either manually set the Identity to the user...
My cmd line looks like:
c:\Windows\System32\inetsrv\appcmd add apppool /name:"calendarproviderservice" ^
/autostart:"true" ^
/managedRuntimeVersion:"v4.0" ^
/processModel.idleTimeout:"24:00:00" ^
/enable32BitAppOnWin64:"true" ^
/processmodel.identitytype:"SpecificUser" ^
/processModel.userName:"PlannerAdmin"
Anyone has a clue...?
Cheers, Finn.
It's been a while, but I finally solved my problem! Unfortunately I didn't sketch the hole scenario in the main question because I didn't think it mattedered in the context. But it did!
The scenario was that my server was a deployed server with a base configuration including IIS 7.5! And this is the problem!
When you try to set the application pool identity to a domain account, IIS has to keep a local copy of your username and password. This is stored in IIS applicationHost.config in encrypted format. In the encryption IIS uses the machine specific keys in iisConfiguration and iisWasKey containers. When this applicationHost.config is moved to a different server (in this case the deployed server on new hardware), IIS can no longer decrypt the password because of the new machine keys.
One can export configuration Keys, but I already deleted the base server I made an image of!
So the lesson learned here is: If you have to deploy many servers with IIS on, make a base image WITHOUT IIS, and script the IIS on the server after deployment!!!
Cheers, Finn.
PS. Dominik, sorry that I wasn't that clear on the intro question!
Have you assigned the user to the local IIS_USRS group?