What permissions are required for Orchard CMS? - permissions

I used the web platform installer to install the Orchard CMS but when the setup web page comes up for the CMS, once I submit my details, the following error is shown on the orchard system for the first time:
Setup failed: Exception has been
thrown by the target of an invocation.
Exception has been thrown by the
target of an invocation. Access is
denied. (Exception from HRESULT:
0x80070005 (E_ACCESSDENIED))
I have checked my application pool and that user has full permissions to the app data folder which is where the local database is created (I think that is where it is falling over).
It creates a error log file at the same time but it is empty which is handy.
Anyone else had any issues with running the first time setup?
I have looked on there project site but troubleshooting documentation is very thin: http://www.orchardproject.net/docs/Installing-Orchard.ashx

Ok, here is a solution.
Although I managed to install Orchard using the existing SQL Server, I was still curious about this issue and not working with SQL Server Compact. Apparently it was some permission problem with folder where SQL CE should be put, well that was my thinking.
Then I found this answer here at SO Deploying SQL CE 4 to IIS 7 - Special Permissions Needed? and kaboom! that's it. There were no permissions on bin folder for IUSR, even though I added it for parent folder. Hm, whatever happened, now it's gone.

Might be unrealted but the very first thing you should check is whether the app pool is configured to use .NET 4.0.

Related

Classic ASP AspXml createobject fails after windows updates (20212R2 - IIS8)

Today our HTTP server had been updated with KB5001382, KB5001393 and KB5001403.
It's a windows server 2012R2 with IIS8 installed
But after those updates I started getting an error on one of my classic asp pages.
set xml0 = Server.CreateObject("AspXml.AspXml")
set xml = xml0.HttpGet(XML_File)
xml.FirstChild2() (error on this line)
Error message:
Microsoft VBScript runtime error '800a01a8'
Object required: 'xml'
I tested the XML_file and it loads fine local and on te server (browser).
My hosting provider says its something about case sensitivity but I can't imagine what they mean...
Please make sure IIS and permissions to registry/files/folders related to the DLL involved.
Searched the registry for the Object name. In this case "AspXml.AspXml"
For all registry entries, you should take ownership of the parent registry folders, so please give read access to IIS user account.
Make sure the files/folders had read/execute permission for the IIS user account(s).
Registered the DLL at the command line for good measure.
Rebooted because restarting IIS didn't seem to do it.

User/Role List could not be obtained pentaho

I am installing pentaho 8.1 CE on ubuntu 16.04
have made change of bd from HSQLDB to Mysql, tables have been created, jackrabbit, hibernate and hibernate.
When starting the server, not login, I imagine that the users are missing or not created. ??
the error that throws me in
catalina.out
ERROR [CompositeUserRoleListService] User / Role List could not be obtained.
java.lang.IllegalStateException: Target of Bean was never resolved: org.springframework.security.core.userdetails.UserDetailsService
atorg.pentaho.platform.engine.core.system.objfac.spring.BeanBuilder$1.invoke(BeanBuilder.java:159)
at com.sun.proxy.$Proxy84.loadUserByUsername(Unknown Source)
..
..
Database Jackrabbit no created tables..
any idea?
When changing the back-end database, there's a few things you need to make sure you check.
repository.xml
quartz.properties
hibernate-settings.xml
[your-database].hibernate.cfg.xml
context.xml (in WEB-INF)
You'll need to confirm the settings for the connection to the new database has been properly configured in all of these different config files. Some additional details on how to config these files for MySQL specifically can be found in the documentation here: https://help.pentaho.com/Documentation/8.1/Setup/Installation/Archive/MySQL_Repository
Past that, make sure that you delete the "repository" directory inside of /pentaho-solutions/system/jackrabbit as this is an index of the repository. If you change your database back-end, then this index needs to be rebuilt. The index is rebuilt automatically if the server sees that "repository" directory doesn't exist at startup.
I've found the same issue on Windows Server 2016 and MySQL8.0, with Pentaho 8.0.2.
Starting Pentaho server from the start-pentaho.bat command, everything was fine.
The problem arise when I was using Tomcat.
The solution was to be sure that Tomcat service was running with the LOCAL SYSTEM account.
If the Tomcat service runs with lower privileges, maybe it can't access to the pentaho-solutions directory and it cannot load the required java beans.
if everything as per the document is configured correctly, then You might be missing the connection change in applicationContext-spring-security-hibernate.properties, please check that.

Granting write permissions to a networked UNC folder for ASP.NET under IIS 7.5 and Windows Server 2008 R2

BLUF
Our application is attempting to write a file to a UNC folder using an ASP.NET web service running under .NET 4.5, IIS 7.5, and Windows Server 2008 R2. However, any attempt to write the file to the desired location results in an access denied exception.
The task seems simple however me and my team have been troubleshooting this for a while now and we are stumped as to what may be causing the error. Below are the details of our setup and what we have tried and found so far. Names have been changed to protect the innocent.
Environment Setup
The web server, mywebserver, has a website named My.Site.Com with a corresponding application pool named My.Site.Com. The application pool is configured as shown below.
.NET Framework Version : v4.0
Enable 32-bit Applications : False
Managed Pipeline Mode : Integrated
Name : My.Site.Com
Identity : ApplicationPoolIdentity
Load User Profile : False
The UNC path we are attempting to write to is \myotherserver\mydirectories\output where mydirectories is the actual share. On this share a domain group named mygroup-www has been granted full permissions to the share and all subfolders. The machine account (i.e., mywebserver) is a member of this mygroup-www group.
NOTE: For the moment, this UNC path actually lives on the same
machine, mywebserver. However, this will eventually be moved to a machine other
than mywebserver in our test environment and in the production environment
when that it is ready. Currently, I only have the one test environment to troubleshoot with.
The error can be replicated by executing the following code.
[WebMethod]
[ScriptMethod(UseHttpGet = false, ResponseFormat = ResponseFormat.Json)]
public string ExportReport(int reportId)
{
try
{
string output = ConfigHelper.OutputPath + "test.html"; // UNC path
string url = ConfigHelper.VirtualPath + "test.html";
string[] lines = { "Hello", "World!" };
File.WriteAllLines(output, lines); // Access Denied!
return url;
}
catch (System.Exception ex)
{
Logger.ErrorException("Error exporting report", ex);
throw;
}
}
Troubleshooting
Failed Attempts
We tried various combinations of group/user permissions on the folders (listed below). When running these tests we also ran Process Monitor. For each configuration we saw the same result. The w3wp.exe process attempted to create the file in the desired location but reported a result of ACCESS DENIED. The user of each configuration was IIS APPPOOL\My.Site.Com as expected.
Granting mydomain\mymachine$ full permissions to \myotherserver\mydirectories
Granting mydomain\mymachine$ full permissions to \myotherserver\mydirectories\output
NOTE: I have also tried modifying the code so that it would read a
simple file from \myotherserver\mydirectories\output. When
attempting to read the file, the process fails with an ACCESS DENIED
message as it did when writing the file.
Successful Attempts
We also tried several configurations that worked.
Grant the local IIS APPPOOL\My.Site.Com permissions
The first configuration to work was to grant the IIS APPPOOL\My.Site.Com full permissions to \myotherserver\mydirectories The file was successfully written however the process's user was quite unexpectedly a domain account that was set up for a web application on the same machine in another website. This remains very confusing but worked as the 'other' account also has write permissions to the share.
This won't work in production as we cannot use local accounts to grant access to networked resources but is an interesting data point nonetheless.
Change the App Pool Identity to Domain User
The second configuration that worked was to change the My.Site.Com application pool's identify to domain account that had full permissions to \myotherserver\mydirectories. This was a 'vanilla' domain account that was manually created by us. We did not capture what the user of the process was but that may be another useful data point.
This option may be possible, however it breaks away from best practices with IIS 7.5 and may not be allowed in our production environment due to fairly stringent IT policies.
Run the Site On My Development Machine
The third test was to run the site locally on my development machine, mydevmachine. My local IIS configuration is identical to mywebserver with the exception that I am running Windows 7 instead of Windows Server 2008. I granted full permissions for mydomain\mydevmachine to the \myotherserver\mydirectories and ran the application. The file was successfully written. According to Process Monitor the user for the process was correctly set to IIS APPPOOL\My.Site.Com.
Conclusion
We would like to enable write access as designed using the machine account of mywebserver. We have read ApplicationPoolIdentity user cannot modify files in shared folder in Windows Server 2008 and Permissions for Shared Folder for IIS 7 Application Pool Identity Across Domain and Application Pool Identities.
According to this information we should be able use the machine account to grant read and write access to networked resources such as the UNC path. In fact, I can do this in the desired manner when running the web site from my development machine.
There are a couple thoughts that come to mind. Perhaps there is something wrong with the machine account of the test web server. Or perhaps that 'other' software is interfering with the process somehow.
Any thoughts as to what may be causing this issue? What else should we do to troubleshoot?
Reboot your 'mywebserver'.
Marvel at the now mysteriously functional ApplicationPoolIdentity.
Install MS HotFix KB2545850 and learn the details about this bug in KB2672809 which also shows the steps to reproduce and demonstrate this apparently random problem. Direct download link here.
Speculate why Microsoft has not managed to release a normal windows update for this in the 3 years since that hotfix was published. While people still continue running into it and pulling their hair out because of this obscure problem.
Learn about the other folks who have shared and enjoyed this gift from MS that still continues to keep on giving:
IIS application using application pool identity loses primary token?
DirectoryServicesCOMException 80072020 From IIS 7.5 Site Running Under ApplicationPoolIdentity
ApplicationPoolIdentity cannot access network resources
ApplicationPoolIdentity IIS 7.5 to SQL Server 2008 R2 not working
Windows Authentication Failed when using application pool identity
IIS 7.5 stops using machine account to connect to network resource when using AppPoolIdentity
Your Windows 7 dev machine probably worked fine because it reboots more often than the server. Congrats on your very well written and thorough bug report. I rarely see that here.
I had similar problem accessing a network share using AppPoolIdentity in an ASP.NET application (access denied).
Using NetworkService account or other domain account worked but these were not the best solution.
I performed almost all the tests you did but finally found something that worked.
I figured out that the Network Service account was not used when accessing the shares, just like you did (i expected domain\machine$ account)
This worked for us:
On your IIS web site, go to Authentication and change the Anonymous Authentication item to "Application Pool Identity". It's by default set to "IUSR". This solved our problem.
Also maybe activating ASP.NET impersonation (still in Authentication menu) may help.
Thibault
I have faced same issue, I resolved by creating one domain account for each environemt (QA, STAGE, PRODUCTION). In Application pool identity I have set custom account and I used domain user for respective account. Now It gives me the ability to write and read the files from UNC Path.

Replicate Error in Azure Locally

I'm currently working on a project. The project has a web role and a worker role. Whenever a new instance of the project is deployed to windows azure, I would notice that the web role would start normally, however, the worker role would throw and error. It will stay "recycling". Then, it would say that there was a type initialization exception.
However, when I debug the project on my local machine I do not experience this error. Is there a way for me to replicate the project locally, or at least view the stack trace of the error?
If you are deploying from within Visual Studio, enable IntelliTrace during the publish wizard. Once the role is unhealthy, you can download the IntelliTrace logs and see the stack of the exception.
I am guessing that a DLL is not being copied with the deployment.

Server 2012 IIS site on different drive

I'm trying to get IIS 8 on a brand new Server 2012 up and running to run a .net 4.5 app and I can't get it to work across drives
Error: 500.19
Module
IIS Web Core
Notification
Unknown
Handler
Not yet determined
Error Code
0x80070005
Config Error
Cannot read configuration file due to insufficient permissions
Config File
\\?\D:\callsheet-test\web.config
The current site is just a single file index.html.
If I copy the folder to anywhere on c: like c:\callsheet-test\ or c:\inetpub\callsheet-test it works perfectly once I change the target location in IIS 8 (site > basic settings).
It doesn't matter if there is an web.config file as a complex mvc/webforms app gives the same error.
I have tried copying the file with permissions and even thought the permissions seem to match for all users. I am still getting this error.
I have deleted the partition and and recreated it as a mount point c:\mount and the same issue happens. Copy the files to c:\notamount and they work fine.
This server is running on a VMware server. Windows 2012 x64 Standard.
Based on further investigation of the problem (via link in my comment above), I've found a workaround via here: change the Group Policy value of "Audit Removable Storage" from "Not Configured" to "No Auditing" and reboot. Bizarre I know. This setting is in Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access.
Even though we're using VMWare and not Hyper-V this workaround still worked for me. Hopefully Microsoft can provide a answer.
I also had the same error and the solution was similar. I had installed Sql Server 2012 on Windows Server 2012 and it was at this time that I noticed IIS worker processes running from the system C: drive were unable to access configuration files on the E: drive. The site could only be loaded when on the C: drive, despite all the necessary NTFS permissions being granted through IIS_IUSRS, IUSR, Users and/or even the specific AppPool itself. This became evident when IIS couldn't access the E: drive even when running the AppPool (.NET 4.5) using an admin account other than the ApplicationPoolIdentity account (IIS APPPOOL.NET v4.5 in this context - verified in procexp.exe). Installing Sql Server 2012 was throwing errors during installation and required enabling auditing for object access among other settings.
Solution:
Run -> secpol.msc
Security Settings -> Local Policies -> Audit Policy
Change "Audit Object Access" policy to "No Auditing"
Hopefully, this background helps ease someone's headache. :-)