I am having problem with PCSP hanging.
PCSP is called from within a WCF service running in IIS on Windows 2008 r2.
The service is running under an app pool that is running as a domain user
the host key has been cached for that user
A client will call the service across the local network
The service will get this message and transfer the file accross to the
external site
However, this will only work if the user that the app pool/service is running as is logged into Remote Desktop
As soon as the Remote Desktop session is ended and another call is made from the client the call to PCSP will just hang.
The command and arguments that are made to PSCP are below. Followed by the code that is used to call the command
pscp.exe -pw APassword -P 22 -sftp -q -batch "\\AServer\AFolder\AFile.csv" auser#service:/adirectory
System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.StartInfo.FileName = executablePath;
proc.StartInfo.RedirectStandardError = true;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.LoadUserProfile = true;
proc.StartInfo.Arguments = arguments;
proc.Start();
proc.WaitForExit(60 * 60 * 5);
I suspect it has something to do with the getting of the host key from the registry but for the life of me cant work out what that may be. Any help with this would be greatly appreciated
After 2 days banging my head on a brick wall I found the answer.
Under the app pool settings go to Advanced Settings and there under ProcessModel is a setting to "Load User Profile" Set this to true!
Related
I have a requirement to automate one of my application which is accessible only through Remote desktop connection.
I normally connect to the application using following steps
1) Navigate to remote desktop connection and enter Ip address
2) Enter Server User id ,password
3) Then open application using browser.
Please help with the steps.
You can break your problems in 2steps :
1. Login to the box via java code (or any other preferable language, you are comfortable).
Remote Desktop Connection
JAVA
// creating credentials
Process p = Runtime.getRuntime().exec("cmdkey /generic:"+ip+" /user:"+userName+" /pass:"+password );
p.destroy();
Runtime.getRuntime().exec("mstsc /v: "+ip+" /f /console");
Thread.sleep(2*60*1000); // min sec millisec
// deleting credentials
Process p1 = Runtime.getRuntime().exec("cmdkey /delete:"+ip);
p1.destroy();
Once you able to login to the box, it is as simple as launching the browser, opening the application and running your scripts(these scripts should be present on your remote desktop where you want to run your scripts). This is pretty straight forward.
HI I was trying to login remotely in the computer hosted by amazon services. It's ubuntu 64 bit machine.
In the beginning I was able to login into the computer with both client , remote desktop connection (RDP) keeping the default port (-1) and for the command line I am using putty session to access the computer. But after we made some changes and create new images of computer state. But When I try to login again it gives me the error xrdp_mm_process_login_response: login failed.
So I was wondering is that related with the port number ? or some image creation issue.
I will look forward to hear from you.
Thanks
Yash
I have run into the same issue. The solution to me is just to create new user for xrdp. While user "ubuntu" worked on original instance. After launching a new instance using a snapshot of the original instance, "ubuntu" login didn't work anymore. Then, after creating a new user, I could login with the new user onto xrdp.
I have a page to create new users in our active directory using VB.NET
I’m using the following code
Dim rootEntry As New DirectoryEntry
With rootEntry
.Path = "LDAP://" & strServer & "/" & strLDAP
.AuthenticationType = AuthenticationTypes.Secure
.Username = strServerUsername
.Password = strServerPassword
End With
Dim newUser As DirectoryEntry = rootEntry.Children.Add("CN=" & strCN, "user")
With newUser
.CommitChanges()
.Properties("userPrincipalName").Value = TextPN.Text
.Properties("sAMAccountName").Value = TextAlias.Text
.Properties("givenname").Value = TextGivenname.Text
.Properties("sn").Value = TextSurname.Text
……
.CommitChanges()
.Invoke("setPassword", New Object() {strDefaultPassword})
.CommitChanges()
.Properties("userAccountControl").Value = &H0001
.CommitChanges()
End With
This code worked fine in the past.
Now we’ve migrated our webserver to Windows Server 2008 R2 and IIS 7.5, and suddenly the code is not working anymore. (.net framework is 2.0 and cannot be changed)
The user is still created in our active directory, but the account is automatically disabled and the password is not set.
Investigating this issue shows that an exception is thrown at the line
.Invoke("setPassword", New Object() {strDefaultPassword})
Exception
The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
The user account which is used to connect to the AD is still the same and had domain admin rights.
Since nothing has changed to the code, I think there must be another reason why this is not working anymore? Firewall settings, IIS configuration,..?
Any ideas??
I know there is a similar case here Trying to create a new Active Directory user, Invoke("SetPassword",pwd) throws "The RPC server is unavailable"
, but this doesn’t help me out.
Check TCP/UDP 445 port is opened on your firewall.
To connect to an AD server from outside a domain, you need the following ports to be opened :
. TCP/UDP 389 (LDAP)
. TCP 3268 (GC)
. TCP/UDP 445 (SMB over IP)
DirectoryEntry.Invoke() requires AuthenticationType.Secure. What this means is that it needs to be able to authenticate the request via Kerberos or NTLM.
It attempts to use LDAPS (TCP 636) first, then falls back to CiFS (TCP445) if/when it times out or fails because of a missing or invalid certificate. If neither of these ports are open, it will fail with an "RPC Server unavailable" exception.
I am using Windows Server 2008 R2 and IIS 7.5.7600
So I have installed the SMTP service and it is running. I have tested that it works using the following powershell script:
$emailFrom = "user#yourdomain.com"
$emailTo = "user#yourdomain.com"
$subject = "your subject"
$body = "your body"
$smtpServer = "your smtp server"
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($emailFrom, $emailTo, $subject, $body)
The email gets sent using "localhost" as the server.
However, after configuring the WCF services' web.config:
<system.net>
<mailSettings>
<smtp deliveryMethod="Network" from="user#yourdomain.com">
<network
host="localhost"
port="25"
/>
</smtp>
</mailSettings>
</system.net>
I receive a generic meaningless error when my code calls:
var mail = new MailMessage();
mail.To.Add("user#yourdomain.com");
mail.Subject = "[Smtp Client] TEST";
mail.Body = "TEST";
mail.IsBodyHtml = false;
var smtpMail = new SmtpClient();
smtpMail.Send(mail);
I get:
Failure sending mail.
at System.Net.Mail.SmtpClient.Send(MailMessage message)
I am at a loss as to what else to check? Yes I have installed the application server role on the server. Yes the WCF service is working properly, all of my other code runs as expected, only sending of the email is failing. It seems as though there is some disconnect between IIS and the local SMTP relay but I have not been able to find anything discussing this particular problem (only people who can't get the smtp up and running or can't sort out their configs).
Thank you for your time and attention.
So the answer turned out to be permissions with the Metabase. I had found this mentioned before but the sources I had previously encountered only said to give read permissions to the LM\SMTPSVC path and had no mention of the LM\SMTPSVC\1 (I thought the permissions would cascade down to sub folders/paths). For a more detailed explanation see below :
Taken from HERE.
In 2008/IIS7+ the ApplicationPoolIdentity accounts are hidden accounts that have dynamically assigned SID's (created and assigned when the ApplicationPool is started). But the accounts live as (hidden) users under the IIS_IUSRS group on the local machine (this makes giving them permissions to the AppPools pretty easy, since you can use the normal GUI interface for perms or use scripts while specifying the local user group). To fix the issue with ASP sites running under IIS7.5 not being able to send email:
Give Read/Write permissions for the IIS_IUSRS group to the Mailroot folder (permissions will inherit down to Pickup/etc folders).
Now use a Metabase Permissions modifier (Metabase Explorer works, so does METAACL.VBS from 2003), Open LM\SMTPSVC and SMTPSVC\1 and add IIS_IUSRS with read permissions to those branches of the metabase.
cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC %computername%\IIS_IUSRS R
cscript metaacl.vbs IIS://LOCALHOST/SMTPSVC/1 %computername%\IIS_IUSRS R
Those permissions will allow any of the ApplicationPoolIdentity users to create and send email using the local SMTP service. This can be tested with SMTP service on the local machine stopped, which will force the .EML files to show up in the mailroot\pickup folder. The reason sending email works for NetworkService and LocalService and not the ApplicationPoolIdentity is that the Metabase, by default, has read permissions for SYSTEM and NetworkService. This is an yet another example of why running AppPools as ApplicationPoolIdentity provides more security than running as NetworkService: the applications must be given explicit privileges to any registry entry, folder hierarchy, file, etc that it must read or write.
I'm trying to make a post, from an asp classic server side page, using the user credentials...
I'm using msxml2.ServerXMLHTTP to programatically make the post
I've tried with several configurations in the IIS 5.1 site, but there's no way I can make IIS run with a specified account...
I made a little asp page that runs whoami to verify what account the iis process i using...
with IIS 5.1, using integrated security the process uses:
my_machine\IWAM_my_machine
I disable integrated security, and leave a domain account as anonymous access, and I get the same (¿?)
to test the user I do the following
private function whoami()
dim shell, cmd
set shell = createObject("wscript.shell")
set cmd = shell.exec( server.mapPath( "whoami.exe" ) )
whoami = cmd.stdOut.readAll()
set shell = nothing: set cmd = nothing
end function
is it because I'm issuing a shell command?
I'd like to make http post calls, to another site that works with integrated security...
So I need some way to pass the credentials, or at least to run with a specified account, and then configure the remote site to thrust that account...
I thought that just setting the site to work with integrated security would be enough...
How can I achieve such a thing?
ps: with IIS6,happens the same
but if I change the pool canfiguration I get the following info from whoami
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
if I set a domain account, I get a "service unavailable" message...
edit: found this
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/275269ee-1b9f-4869-8d72-c9006b5bd659.mspx?mfr=true
it says what I supossed, "If an authenticated user makes a request, the thread token is based on the authenticated account of the user", but somehow I doesn't seem to work like that... what could I possibly be missing?
edit:
well the whoami thing is obviously fooling me, I tried with the following function
private function whoami_db( serverName, dbName )
dim conn, data
set conn = server.createObject("adodb.connection")
conn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
"Initial Catalog=" & dbName & ";Data Source=" & serverName
set data = conn.execute( "select suser_sname() as user_name" )
whoami_db = data("user_name")
data.close: conn.close
set data = nothing: set conn = nothing
end function
and everything seemed to be working fine...
but how can I make msxml2.ServerXMLHTTP work with the user credentials???
You are correct whoami.exe was confusing you. Launching a separate process caused the new process to run as the user of the current process. On XP that would be the COM+ application host (DLLHOST) and would normally run as IWAM_<machine>. On IIS6 it would the w3wp.exe work process and typically runs as NT AUTHORITY\Network Service.
However a thread processing a HTTP request will impersonate a different security token. With integrated security as you have discovered this would the security token of the user making the request, as your SSPI experiment bears out. With anonymous access the anonymous user configured on the site/application is used, this is typically <MACHINE>\IUSR_<machine>.
As to your specific problem with ServerXMLHTTP this goes back to the underlying component WinHTTP. This by default will only send the current users credentials if the server being accessed is the proxy bypass list. Even then it possible to the ServerXMLHTTP configures it to never send the user credentials, I've not test that scenario myself.
Unfortunately ServerXMLHTTP provides very limited access to the configuration details on WinHTTP. However if this is a show stopper then you could always use the WinHTTP component directly yourself:-
Dim oWinHTTP
Dim oDOM
Const AutoLogonPolicy_Always = 0
Set oWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
oWinHTTP.SetAutoLogonPolicy AutoLogonPolicy_Always
oWinHTTP.Open "GET", "http://remoteserver.org/getsomexml.xxx", False
oWinHTTP.Send
If oWinHTTP.Status = 200 Then
Set oDOM = CreateObject("MSXML2.DOMDocument.3.0")
oDOM.async = false
oDOM.Load oWinHTTP.ResponseStream
End If
Set oWinHTTP = Nothing
That should work for http, for https it gets real messy.