I'm trying to use adsutil in an installation script of a web app I am installing on IIS 6.0 to set access control. There is a command that works as follows:
    adsutil.vbs set w3svc/1/root/Authflags 4
This is the command for the default web site, as its Identifier is 1. However, new web apps are given a generated Identifier. In my case, the app I installed was given the Identifier of 2082238887, so my command should look like this:
    adsutil.vbs set w3svc/2082238887/root/Authflags 4
However, I only know this value now from previously installing the app. How would I get this ID during a fresh installation? Every example I have seen for adsutil assumes you are working with the default web site, and therefore an ID of 1.
I need my install script to install the app, get its Identifier, and then use it to set permissions via adsutil.
This script lets you provide the site name as a parameter and iterates over the web sites until it matches the site name you provide. I included the code to update the authflags. This can be run via cscript.exe.
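    Dim SiteObj
    Dim Site
    Dim SiteName
    Dim SiteId
    Dim SiteLocation
    ' Site name (the ServerComment shown in IIS Manager) passed on the command line
    SiteName = WScript.Arguments(0)
    Set SiteObj = GetObject("IIS://localhost/W3SVC")
    ' Walk every child of W3SVC; web sites have the key type "IIsWebServer"
    For Each Site In SiteObj
        If Site.KeyType = "IIsWebServer" Then
            If Site.ServerComment = SiteName Then
                ' Site.Name is the numeric Identifier used in the metabase path
                SiteId = Site.Name
                SiteLocation = "IIS://LocalHost/w3svc/" & SiteId
                SiteLocation = SiteLocation & "/root"
                Dim SiteObj1
                Set SiteObj1 = GetObject(SiteLocation)
                ' Same value as in the adsutil command from the question
                SiteObj1.AuthFlags = 4
                SiteObj1.SetInfo
            End If
        End If
    Next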
Please help. I have my code in Visual Basic. Error: permission denied at GetObject("IIS://loclahost/w3svc/4/ROOT")
    Set wServer = GetObject("IIS://loclahost/w3svc/4")
    Set wRoot = GetObject("IIS://loclahost/w3svc/4/ROOT") 'Get the root web
    Set wNew = wRoot.Create("IIsWebVirtualDir", strWebName) 'Create a new web off the root
    ''Create New App
    wNew.AppCreate True
I suggest you post more detailed information about your requirement.
Do you run this code in your web application which is hosted on IIS?
It seems that your application pool doesn't have enough permission to get the IIS web site information.
I suggest you try to modify the application pool identity permission to local system, if you want to create or modify the IIS settings.
For details, you could refer to the steps below:
1. In IIS Manager, select Application Pools.
2. From the list of application pools, right-click your application pool and select Advanced Settings.
3. In the Process Model section, change the identity property from ApplicationPoolIdentity to LocalSystem, and click OK.
I have written a VB.NET application and created a setup file to install the same on the target machine. An ODBC connection is used to connect to SQL Server instance through a DSN.
My development computer used Integrated Security whereas the target computer uses SQL Authentication which requires me to hard code the credentials in the connection string while building the setup file.
I have previously looked for solutions, but they require one to define the credentials every time the application is run. I have seen an application that requests the credentials the first time it is run or if the connection is unsuccessful, but unfortunately could not retrieve the source code for the same.
Any guidance on similar lines would be helpful.
Add application settings of string type with user scope for the user name and password, let's say username & userpass. Let the user save these values the first time they run your app. Then just incorporate My.Settings.username and My.Settings.userpass into your connection string.
To save the settings:
    My.Settings.username = txt_user.text
    My.Settings.Save()
This way the user can change the username & password if required without you having to update your code.
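User-scoped settings are written to the per-user user.config file as plain text, so a password saved this way is readable by anything that can read that file. As an added example (not part of the original answer), the same My.Settings approach with the password protected by Windows DPAPI before it is saved; CredentialStore, its functions and the txt_pass control are assumed names.

```vbnet
Imports System
Imports System.Data.Odbc
Imports System.Security.Cryptography   ' ProtectedData: add a reference to System.Security.dll
Imports System.Text

' CredentialStore and its member names are hypothetical, not from the original answer.
Public Module CredentialStore

    ' Encrypts the password with DPAPI under the current Windows user's key and
    ' returns Base64 text that fits a String setting such as My.Settings.userpass.
    Public Function Protect(plainText As String) As String
        Dim cipher As Byte() = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plainText), Nothing, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(cipher)
    End Function

    ' Returns Nothing when the stored value is empty, is not Base64, or cannot be
    ' decrypted (for example a plaintext value saved earlier, or a value protected
    ' under another Windows account), so the caller can prompt for credentials again.
    Public Function TryUnprotect(stored As String) As String
        If String.IsNullOrEmpty(stored) Then Return Nothing
        Try
            Dim plain As Byte() = ProtectedData.Unprotect(
                Convert.FromBase64String(stored), Nothing, DataProtectionScope.CurrentUser)
            Return Encoding.UTF8.GetString(plain)
        Catch ex As Exception When TypeOf ex Is FormatException OrElse
                                   TypeOf ex Is CryptographicException
            Return Nothing
        End Try
    End Function

    ' Builds the ODBC connection string with a builder rather than concatenation,
    ' so the builder handles a ';' inside the user name or password.
    Public Function BuildConnectionString(dsn As String, user As String,
                                          storedPassword As String) As String
        Dim password As String = TryUnprotect(storedPassword)
        If password Is Nothing Then Return Nothing   ' caller should prompt and save again
        Dim builder As New OdbcConnectionStringBuilder()
        builder.Dsn = dsn
        builder("Uid") = user
        builder("Pwd") = password
        Return builder.ConnectionString
    End Function

End Module

' Saving (txt_pass is an assumed password TextBox):
'     My.Settings.userpass = CredentialStore.Protect(txt_pass.Text)
'     My.Settings.Save()
```

A Nothing result from BuildConnectionString covers the "first run" case from the question: show the credential prompt, save the protected value, and try again.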
I've got an Application under my Default Web Site in IIS 7 and whenever I try to access another document on the same domain (but different machines), File.Exists returns False, even though the document does exist and I can access it just fine from the machine hosting the site. The AD portion of the setup appears to be working fine, I'm just not able to access documents on different machines in the domain. Here's my IIS setup:
Application Pool: .NET 4.0, Integrated Pipeline, and using the ApplicationPoolIdentity Identity. I've tried using NetworkService but that didn't seem to make a difference.
Authentication: My Application has only ASP.NET Impersonation and Windows Authentication enabled. The bin folder is the same.
If there's anything else relevant to IIS set up, please let me know and I'll get it added.
I've also tried granting my machine full permissions on the folder that has the document (which is on another machine in the same domain) which I'm trying to access. That didn't seem to make a difference either.
Has anyone come across this before or know of anything else I can try or know of any IIS settings I can check? If there's anything else relevant that I can include in my setup, please let me know!
UPDATE:
Is it possible to find out what identity is being used or who is being impersonated when System.IO.File.Exists() is called, or more specifically find out who that method impersonates as? I've tried checking Thread.CurrentPrincipal.Identity.Name right before calling File.Exists() and it correctly returns my domain user.
So it appears that isn't the user being impersonated when File.Exists() executes. What's more is that if, in IIS, I change the ASP.NET Impersonation (in Authentication settings) to use my specific domain user, everything works fine! But when I change it back to use the "Authenticated User", it doesn't?
I can also confirm that calling Principal.WindowsIdentity.GetCurrent.Name() right before File.Exists() also returns the correct domain user.
UPDATE 2:
I've also tried setting the Application Pool Identity to my specific domain user, which doesn't seem to make a difference either. At this point, I'm not sure what other account it could be impersonating as when checking if the file exists?
UPDATE 3:
I've tried using Process Monitor on the machine which has the documents I'm trying to access, but when I filter it down to the file type I'm looking for (or expecting to see), nothing shows up when I re-run my tests. I can only assume doing a File.Exists() on a file you don't have access to, doesn't register to the Process Monitor? Are there any other ways for me to find out which impersonated user/service is trying (unable) to access these documents?
UPDATE 4:
Using the examples found by #john below, I've tried to programmatically impersonate the logged in user before checking if the file exists:
    Dim wID As WindowsIdentity = HttpContext.Current.User.Identity
    Dim ctx As WindowsImpersonationContext = Nothing
    ctx = wID.Impersonate()
    If System.IO.File.Exists(sFile) Then
    Else
        'Still gets here?
    End If
However, File.Exists() still returns false even when impersonating.
UPDATE 5 (SOLUTION):
I needed this:
    Using ctx As System.Security.Principal.WindowsImpersonationContext = System.Security.Principal.WindowsIdentity.Impersonate(IntPtr.Zero)
        'My code here
    End Using
In IIS, select your website, then go to Authentication and select Windows Authentication.
Select Advanced Settings -> make sure kernel mode is enabled.
Select Provider, check if Negotiate is the first item in the mapping.
When you test, only use IE and run from your intranet.
You can also impersonate a specific user: go to ASP.NET Impersonation and specify the user who has access to the remote directory.
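As an added example (not code from the question or the answers), a diagnostic for the situation described in this thread: it reports which Windows identity the thread is using and opens the file to surface the real exception, first under the impersonated token and then after reverting to the process identity as in UPDATE 5. ImpersonationProbe and Probe are assumed names.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Principal
Imports System.Text

' ImpersonationProbe is a hypothetical helper, not part of the original thread.
Public Module ImpersonationProbe

    ' Describes the token the calling thread is using right now.
    Private Function DescribeIdentity() As String
        Using id As WindowsIdentity = WindowsIdentity.GetCurrent()
            Return String.Format("{0} (auth={1}, level={2})",
                                 id.Name, id.AuthenticationType, id.ImpersonationLevel)
        End Using
    End Function

    ' File.Exists returns False for "access denied" as well as for "not found",
    ' so open the file to see the actual error.
    Private Function TryOpen(path As String) As String
        Try
            Using fs As New FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read)
                Return "opened"
            End Using
        Catch ex As Exception
            Return ex.GetType().Name & ": " & ex.Message
        End Try
    End Function

    Public Function Probe(path As String) As String
        Dim report As New StringBuilder()
        report.AppendLine("Impersonated: " & DescribeIdentity() & " -> " & TryOpen(path))
        ' Impersonate(IntPtr.Zero) reverts the thread to the process identity, so the
        ' remote share and NTFS ACLs are then checked against the application pool
        ' account, not against the authenticated user.
        Using ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
            report.AppendLine("Process:      " & DescribeIdentity() & " -> " & TryOpen(path))
        End Using
        Return report.ToString()
    End Function

End Module
```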
I'm trying to make a post, from an asp classic server side page, using the user credentials...
I'm using msxml2.ServerXMLHTTP to programmatically make the post
I've tried with several configurations in the IIS 5.1 site, but there's no way I can make IIS run with a specified account...
I made a little asp page that runs whoami to verify what account the iis process is using...
with IIS 5.1, using integrated security the process uses:
my_machine\IWAM_my_machine
I disable integrated security, and leave a domain account as anonymous access, and I get the same (¿?)
to test the user I do the following
    private function whoami()
        dim shell, cmd
        set shell = createObject("wscript.shell")
        set cmd = shell.exec( server.mapPath( "whoami.exe" ) )
        whoami = cmd.stdOut.readAll()
        set shell = nothing: set cmd = nothing
    end function
is it because I'm issuing a shell command?
I'd like to make http post calls, to another site that works with integrated security...
So I need some way to pass the credentials, or at least to run with a specified account, and then configure the remote site to trust that account...
I thought that just setting the site to work with integrated security would be enough...
How can I achieve such a thing?
ps: with IIS6, the same happens
but if I change the pool configuration I get the following info from whoami
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\SYSTEM
if I set a domain account, I get a "service unavailable" message...
edit: found this
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/275269ee-1b9f-4869-8d72-c9006b5bd659.mspx?mfr=true
it says what I supposed, "If an authenticated user makes a request, the thread token is based on the authenticated account of the user", but somehow it doesn't seem to work like that... what could I possibly be missing?
edit:
well the whoami thing is obviously fooling me, I tried with the following function
    private function whoami_db( serverName, dbName )
        dim conn, data
        set conn = server.createObject("adodb.connection")
        conn.open "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
            "Initial Catalog=" & dbName & ";Data Source=" & serverName
        set data = conn.execute( "select suser_sname() as user_name" )
        whoami_db = data("user_name")
        data.close: conn.close
        set data = nothing: set conn = nothing
    end function
and everything seemed to be working fine...
but how can I make msxml2.ServerXMLHTTP work with the user credentials???
You are correct, whoami.exe was confusing you. Launching a separate process caused the new process to run as the user of the current process. On XP that would be the COM+ application host (DLLHOST) and would normally run as IWAM_<machine>. On IIS6 it would be the w3wp.exe worker process, which typically runs as NT AUTHORITY\Network Service.
However, a thread processing an HTTP request will impersonate a different security token. With integrated security, as you have discovered, this would be the security token of the user making the request, as your SSPI experiment bears out. With anonymous access the anonymous user configured on the site/application is used; this is typically <MACHINE>\IUSR_<machine>.
As to your specific problem with ServerXMLHTTP, this goes back to the underlying component WinHTTP. This by default will only send the current user's credentials if the server being accessed is in the proxy bypass list. Even then it is possible that ServerXMLHTTP configures it to never send the user credentials; I've not tested that scenario myself.
Unfortunately ServerXMLHTTP provides very limited access to the configuration details on WinHTTP. However, if this is a show stopper then you could always use the WinHTTP component directly yourself:
    Dim oWinHTTP
    Dim oDOM
    Const AutoLogonPolicy_Always = 0
    Set oWinHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    oWinHTTP.SetAutoLogonPolicy AutoLogonPolicy_Always
    oWinHTTP.Open "GET", "http://remoteserver.org/getsomexml.xxx", False
    oWinHTTP.Send
    If oWinHTTP.Status = 200 Then
        Set oDOM = CreateObject("MSXML2.DOMDocument.3.0")
        oDOM.async = false
        oDOM.Load oWinHTTP.ResponseStream
    End If
    Set oWinHTTP = Nothing
That should work for http, for https it gets real messy.
I am trying to save an image file in a custom module I am building for a DNN site.
However when I run the code I get an UnauthorizedAccessException.
    if (upLoadAddImg.HasFile)
    {
        String imageLocation = ConfigurationManager.AppSettings["ImageFolderPath"];
        // Upload file
        upLoadAddImg.SaveAs(Server.MapPath(imageLocation));
    }
I am running on localhost using the internal Visual Studio server. The folder path is all right and I have made sure Network Service has full permissions.
Am I missing something obvious or does DNN have some special permission setting I am missing?
If you are using the dev server in VS, its identity is not Network Service by default. Most likely the directory you are saving to locally is not allowed for the aspnet user - if you run this on a web site it should work, at least code wise.
To test it you can do one of two things: make the portal directory open to everyone, or set up a local site not run on the dev server.