Search Results

Search found 42 results on 2 pages for 'iusr'.

Page 1/2 | 1 2  | Next Page >

  • IUSR account and SCCM 2007 R3 agent

    - by steve schofield
    I recently started working with SCCM and rolling the agent out with machine having IIS 7.x installed.  I ran into issues where the SCCM agent wouldn't install.  The errors mostly were 0x80004005 and 1603, another key one I found was Return Value 3 in the SCCM setup log.  During the troubleshooting, I found a cool utility called WMI Diag  WMI diag is a VBS script that reads the local WMI store and helps diagnose issue.  Anyone working with SMS or SCCM should keep this handy tool around.  The good thing my particular case WMI was healthy.  The issue turned out I changed the Anonymous Authentication module from using the IUSR account to inherit Application Pool identity.  Once we temporarily switched back to IUSR, installed the agent, then switched the setting back to inherit application pool identity, the SCCM agent installed with no issues. I'm not sure why switching back to the IUSR account solved my issue, if I find out I'll update the post.  More information on IIS 7 builtin accounts http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7 Specify an application pool identity  http://technet.microsoft.com/en-us/library/cc771170(WS.10).aspx SCCM resources (Config Mgr Setup  / Deployment forums) http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/threads http://www.myitforum.com (the best independent SCCM community resource) Hope this helps. Steve SchofieldMicrosoft MVP - IIS

    Read the article

  • IUSR vs. Application Pool credentials

    - by jlew
    I have a IIS7/ASP.NET application running with the following configuration: Anonymous authentication (IUSR). Application Pool running as a domain account If IUSR is denied the "logon locally", then it appears that ASPX pages will still render their HTML, but static content such as images will not be delivered. I'm wondering what the technical reason is for this? If IUSR is "broken", why will a request to an ASPX page be passed down the pipeline and executed, but IIS will refuse to serve an image in the same directory?

    Read the article

  • Missing IUSR account on Windows Server 2008 R2 / IIS7.5

    - by Thomas Wright
    Ok, I'm stumped. I've been given the job of installing PHP5.4 on this machine. One of the manual installation steps is to configure the IUSR account to have specific permissions. The problem is, I see the IIS_IUSRS group, but no IUSR account. The only users listed are the Admin user, a Guest account, and a user for the security software. I'm not really the Windows server type, more of a *NIX guy - so this is getting a little frustrating. I've searched everywhere and haven't found a suitable answer, but I have learned a lot about IIS7.5 - so it hasn't been a total waste of time. I've tried several recommendations and found several similar problems, but nothing has worked so far. I've also just tried making the IUSR account myself, but to no avail. If anyone knows how to get this going, I will be ever so grateful.

    Read the article

  • Should I impersonate PHP via FastCGI?

    - by AKeller
    I am installing the latest version of PHP onto IIS 7.5 via FastCGI, and all of the instructions say that FastCGI should impersonate the calling client by setting fastcgi.impersonate = 1 If my website will have this configuration dedicated application pool application pool identity of ApplicationPoolIdentity anonymous authentication only (as IUSR) why do I want to impersonate? I come from an ASP.NET background, where the IUSR gets read-only permissions and the application pool identity gets any write permissions. Giving write access to the IUSR usually opens the door for WebDAV vulnerabilities. So I hesitate to let PHP run as the IUSR. I can't find many people asking this question (1 | 2) so I think I must be missing something. Can someone clarify this for me?

    Read the article

  • The risk of granting to IUSR* NTFS permissions on a folder on the server

    - by vtortola
    I have two web applications that must share a file in the server file system. Both apps are inside of "Inetpub\wwwroot". The file cannot be accessed freely from outside, so it is in a folder out of "Inetpub". I have granted full NTFS permissions to the user "IUSR_whatever" (is the user that runs IIS in anonymous requests) in that folder. The folder has only that file, and has no other use. It works so far :) But, what is the risk? what should I be afraid of? As I see it, as long the folder is out of the "InetPub" cannot be accessed, and as long the apps don't have any security flaw like "path traversal" or server side code injection, it should be safe enough.... But I'm always keen to be wrong :) What do you think? May the file or even the server itself get compromised because of this? Thanks.

    Read the article

  • Is there Powershell way to re-apply a restored password for the IIS IUSR account?

    - by Philippe Monnet
    On one of our IIS web servers the IUSR account suddenly expired or got corrupted, I recovered the password from the IIS metabase (using Cscript adsutil.vbs get w3svc\anonymoususerpass after switching IsSecureProperty = False). I then reset the password accordingly. Now I have to re-key that password on the Directory Security tab of all virtual directories (for the anonymous account) of all web sites on that server. Is there a way to automate this using Powershell? (I have searched so far in vain)

    Read the article

  • Windows, Apache and MSSQL Authentication

    - by user1114330
    I have a create database script written in perl. I remember it working just fine another machine. A couple years later using a Vista machine I am trying to use it again and it keeps failing. The main difference is that now I am using Apache instead of IIS. In the script the IUSR account is granted permissions as it needs to write to the database as a part of another program. IIS has been uninstalled on this machine but the IUSR account still exists. The NT AUTHORITY\IUSR is also seen in the logins drop down in MSSQL(2012). The machine is running Vista Home Edition. However when running the script I get errors that say that NT AUTHORITY\IUSR cannot be found. I tried also with COMPUTERNAME\IUSR just for the heck of it and of course it was not found. I also tried with IUSR alone and for some reason the user isn't being "found"? Any ideas?

    Read the article

  • Dokuwiki: Moving Just the data directory on other server

    - by amit
    I have installed dokuwiki on IIS7. As per my teams requirement we have to move just the Data directory to other server location. e.g - IIS7 installed Dokuwiki location: C:\inetpub\wwwroot\dokuwiki\conf - data location on the other server we want: U:\Archive\LP_Archive\SH_Systems\DEV01\dokuwiki So for doing that I followed pointers on dokuwiki install iis7 As per the above link, I tried adding IUSR to data folder permissions but its failing due to my insufficient privileges. And without that IUSR permission set on data folder I am getting an error as "The datadir ('pages') at is not found, isn't accessible or writable". Is there any other way to make it work? Is there any other account than IUSR I can use?

    Read the article

  • ASP.NET Writing to the Bin directory, access denied when anonymous user

    - by LeeW
    Hi all I have a program that creates a small file in the Bin directory for the purpose of tracking a license (that's the intention), all works fine when debugging but I've just realized that when I run it on a IIS server under the anonymous user account (IUSR) the file isn't created as IUSR only has read permission (I know this is correct but drat!). Can I write to another location under IUSR account or can I run my code under 'Local Service' account? Thanks

    Read the article

  • Which user does PHP/IIS6 use to read/write files?

    - by Stung
    Hi, I've installed PHP5 (FastCGI) on IIS6 and is just wondering which windows user PHP uses to access the file system? With ASP.NET for example, the ASPNET account is used to access the file system. But how about PHP? I've read some post that suggest it uses the anonymous (i.e. IUSR) account. But isn't it a security breach if I give write access to the IUSR account? Thanks!

    Read the article

  • IIS Strategies for Accessing Secured Network Resources

    - by ErikE
    Problem: A user connects to a service on a machine, such as an IIS web site or a SQL Server database. The site or the database need to gain access to network resources such as file shares (the most common) or a database on a different server. Permission is denied. This is because the user the service is running under doesn't have network permissions in the first place, or if it does, it doesn't have rights to access the remote resource. I keep running into this problem over and over again and am tired of not having a really solid way of handling it. Here are some workarounds I'm aware of: Run IIS as a custom-created domain user who is granted high permissions If permissions are granted one file share at a time, then every time I want to read from a new share, I would have to ask a network admin to add it for me. Eventually, with many web sites reading from many shares, it is going to get really complicated. If permissions are just opened up wide for the user to access any file shares in our domain, then this seems like an unnecessary security surface area to present. This also applies to all the sites running on IIS, rather than just the selected site or virtual directory that needs the access, a further surface area problem. Still use the IUSR account but give it network permissions and set up the same user name on the remote resource (not a domain user, a local user) This also has its problems. For example, there's a file share I am using that I have full rights to for sharing, but I can't log in to the machine. So I have to find the right admin and ask him to do it for me. Any time something has to change, it's another request to an admin. Allow IIS users to connect as anonymous, but set the account used for anonymous access to a high-privilege one This is even worse than giving the IIS IUSR full privileges, because it means my web site can't use any kind of security in the first place. Connect using Kerberos, then delegate This sounds good in principle but has all sorts of problems. First of all, if you're using virtual web sites where the domain name you connect to the site with is not the base machine name (as we do frequently), then you have to set up a Service Principal Name on the webserver using Microsoft's SetSPN utility. It's complicated and apparently prone to errors. Also, you have to ask your network/domain admin to change security policy for both the web server and the domain account so they are "trusted for delegation." If you don't get everything perfectly right, suddenly your intended Kerberos authentication is NTLM instead, and you can only impersonate rather than delegate, and thus no reaching out over the network as the user. Also, this method can be problematic because sometimes you need the web site or database to have permissions that the connecting user doesn't have. Create a service or COM+ application that fetches the resource for the web site Services and COM+ packages are run with their own set of credentials. Running as a high-privilege user is okay since they can do their own security and deny requests that are not legitimate, putting control in the hands of the application developer instead of the network admin. Problems: I am using a COM+ package that does exactly this on Windows Server 2000 to deliver highly sensitive images to a secured web application. I tried moving the web site to Windows Server 2003 and was suddenly denied permission to instantiate the COM+ object, very likely registry permissions. I trolled around quite a bit and did not solve the problem, partly because I was reluctant to give the IUSR account full registry permissions. That seems like the same bad practice as just running IIS as a high-privilege user. Note: This is actually really simple. In a programming language of your choice, you create a class with a function that returns an instance of the object you want (an ADODB.Connection, for example), and build a dll, which you register as a COM+ object. In your web server-side code, you create an instance of the class and use the function, and since it is running under a different security context, calls to network resources work. Map drive letters to shares This could theoretically work, but in my mind it's not really a good long-term strategy. Even though mappings can be created with specific credentials, and this can be done by others than a network admin, this also is going to mean that there are either way too many shared drives (small granularity) or too much permission is granted to entire file servers (large granularity). Also, I haven't figured out how to map a drive so that the IUSR gets the drives. Mapping a drive is for the current user, I don't know the IUSR account password to log in as it and create the mappings. Move the resources local to the web server/database There are times when I've done this, especially with Access databases. Does the database have to live out on the file share? Sometimes, it was just easiest to move the database to the web server or to the SQL database server (so the linked server to it would work). But I don't think this is a great all-around solution, either. And it won't work when the resource is a service rather than a file. Move the service to the final web server/database I suppose I could run a web server on my SQL Server database, so the web site can connect to it using impersonation and make me happy. But do we really want random extra web servers on our database servers just so this is possible? No. Virtual directories in IIS I know that virtual directories can help make remote resources look as though they are local, and this supports using custom credentials for each virtual directory. I haven't been able to come up with, yet, how this would solve the problem for system calls. Users could reach file shares directly, but this won't help, say, classic ASP code access resources. I could use a URL instead of a file path to read remote data files in a web page, but this isn't going to help me make a connection to an Access database, a SQL server database, or any other resource that uses a connection library rather than being able to just read all the bytes and work with them. I wish there was some kind of "service tunnel" that I could create. Think about how a VPN makes remote resources look like they are local. With a richer aliasing mechanism, perhaps code-based, why couldn't even database connections occur under a defined security context? Why not a special Windows component that lets you specify, per user, what resources are available and what alternate credentials are used for the connection? File shares, databases, web sites, you name it. I guess I'm almost talking about a specialized local proxy server. Anyway, so there's my list. I may update it if I think of more. Does anyone have any ideas for me? My current problem today is, yet again, I need a web site to connect to an Access database on a file share. Here we go again...

    Read the article

  • IIS Strategies for Accessing Secured Network Resources

    - by Emtucifor
    Problem: A user connects to a service on a machine, such as an IIS web site or a SQL Server database. The site or the database need to gain access to network resources such as file shares (the most common) or a database on a different server. Permission is denied. This is because the user the service is running as doesn't have network permissions in the first place, or if it does, it doesn't have rights to access the remote resource. I keep running into this problem over and over again and am tired of not having a really solid way of handling it. Here are some workarounds I'm aware of: Run IIS as a custom-created domain user who is granted high permissions If permissions are granted one file share at a time, then every time I want to read from a new share, I would have to ask a network admin to add it for me. Eventually, with many web sites reading from many shares, it is going to get really complicated. If permissions are just opened up wide for the user to access any file shares in our domain, then this seems like an unnecessary security surface area to present. This also applies to all the sites running on IIS, rather than just the selected site or virtual directory that needs the access, a further surface area problem. Still use the IUSR account but give it network permissions and set up the same user name on the remote resource (not a domain user, a local user) This also has its problems. For example, there's a file share I am using that I have full rights to for sharing, but I can't log in to the machine. So I have to find the right admin and ask him to do it for me. Any time something has to change, it's another request to an admin. Allow IIS users to connect as anonymous, but set the account used for anonymous access to a high-privilege one This is even worse than giving the IIS IUSR full privileges, because it means my web site can't use any kind of security in the first place. Connect using Kerberos, then delegate This sounds good in principle but has all sorts of problems. First of all, if you're using virtual web sites where the domain name you connect to the site with is not the base machine name (as we do frequently), then you have to set up a Service Principal Name on the webserver using Microsoft's SetSPN utility. It's complicated and apparently prone to errors. Also, you have to ask your network/domain admin to change security policy for the web server so it is "trusted for delegation." If you don't get everything perfectly right, suddenly your intended Kerberos authentication is NTLM instead, and you can only impersonate rather than delegate, and thus no reaching out over the network as the user. Also, this method can be problematic because sometimes you need the web site or database to have permissions that the connecting user doesn't have. Create a service or COM+ application that fetches the resource for the web site Services and COM+ packages are run with their own set of credentials. Running as a high-privilege user is okay since they can do their own security and deny requests that are not legitimate, putting control in the hands of the application developer instead of the network admin. Problems: I am using a COM+ package that does exactly this on Windows Server 2000 to deliver highly sensitive images to a secured web application. I tried moving the web site to Windows Server 2003 and was suddenly denied permission to instantiate the COM+ object, very likely registry permissions. I trolled around quite a bit and did not solve the problem, partly because I was reluctant to give the IUSR account full registry permissions. That seems like the same bad practice as just running IIS as a high-privilege user. Note: This is actually really simple. In a programming language of your choice, you create a class with a function that returns an instance of the object you want (an ADODB.Connection, for example), and build a dll, which you register as a COM+ object. In your web server-side code, you create an instance of the class and use the function, and since it is running under a different security context, calls to network resources work. Map drive letters to shares This could theoretically work, but in my mind it's not really a good long-term strategy. Even though mappings can be created with specific credentials, and this can be done by others than a network admin, this also is going to mean that there are either way too many shared drives (small granularity) or too much permission is granted to entire file servers (large granularity). Also, I haven't figured out how to map a drive so that the IUSR gets the drives. Mapping a drive is for the current user, I don't know the IUSR account password to log in as it and create the mappings. Move the resources local to the web server/database There are times when I've done this, especially with Access databases. Does the database have to live out on the file share? Sometimes, it was just easiest to move the database to the web server or to the SQL database server (so the linked server to it would work). But I don't think this is a great all-around solution, either. And it won't work when the resource is a service rather than a file. Move the service to the final web server/database I suppose I could run a web server on my SQL Server database, so the web site can connect to it using impersonation and make me happy. But do we really want random extra web servers on our database servers just so this is possible? No. Virtual directories in IIS I know that virtual directories can help make remote resources look as though they are local, and this supports using custom credentials for each virtual directory. I haven't been able to come up with, yet, how this would solve the problem for system calls. Users could reach file shares directly, but this won't help, say, classic ASP code access resources. I could use a URL instead of a file path to read remote data files in a web page, but this isn't going to help me make a connection to an Access database, a SQL server database, or any other resource that uses a connection library rather than being able to just read all the bytes and work with them. I wish there was some kind of "service tunnel" that I could create. Think about how a VPN makes remote resources look like they are local. With a richer aliasing mechanism, perhaps code-based, why couldn't even database connections occur under a defined security context? Why not a special Windows component that lets you specify, per user, what resources are available and what alternate credentials are used for the connection? File shares, databases, web sites, you name it. I guess I'm almost talking about a specialized local proxy server. Anyway, so there's my list. I may update it if I think of more. Does anyone have any ideas for me? My current problem today is, yet again, I need a web site to connect to an Access database on a file share. Here we go again...

    Read the article

  • IIS 401.3 - Unauthorized on only 1 server out of 3 set up for network load balancing

    - by Tony
    Over the weekend our Server Admin set up two virtual Windows 2008 machines with IIS installed and set them up under NLB. I came in and changed the application pool the website was running under to our domain account that has proper access to the database and the file share hosting our .NET web application Sitefinity, and changed it to .NET 4 Integrated. NLB and everything was running fine on both servers. He brought up the third server for our cluster on Tuesday and I performed the same actions.. The only difference was that I was given admin rights for the third server so I could set it up remotely instead of going to his office. He has full control over the share and NTFS perms on \\hostname\Sitefinity and I believe I only had read access. I pointed the web site to the same \\hostname\Sitefinity\sitename share that the others were on and the authentication/authorization test settings passed. I hit the site from http://localhost (like I did successfully from the other two before trying the cluster's IP address) and I received a HTTP Error 401.3 - Unauthorized. I've verified many times that the application pool is running under the same service account. I tried hitting just a simple test.htm.. works fine on both of the first two servers but I get the same 401.3 on the third. I copied my dev project to the local inetpub directory and re-pointed the website and that ran perfectly. I turned on Failed Request Tracing and it acts like it's still running the local IUSR account I guess (instead of my domain account)? Here is an excerpt of the File Cache Access Start and the error from the trace: FileName \\hostname\sitefinity\sitename\test.htm UserName IUSR DomainName NT AUTHORITY ---------- Successful false FileFromCache false FileAddedToCache false FileDirmoned true LastModCheckErrorIgnored true ErrorCode 2147942405 LastModifiedTime ErrorCode Access is denied. (0x80070005) ---------- ModuleName IIS Web Core Notification 2 HttpStatus 401 HttpReason Unauthorized HttpSubStatus 3 ErrorCode 2147942405 ConfigExceptionInfo Notification AUTHENTICATE_REQUEST ErrorCode Access is denied. (0x80070005) ---------- My personal AD account was then granted read/write perms to the share so I created a new application pool and set the site under it in case there was an issue with the application pool but no success. I created another under my own account and it still failed. It just seems like maybe it's not trying to access the files under the account my application pools are running under although that's the only way I've done things before. I set the Physicial Path Credentials in Advanced Settings on the site to the service account and it threw a 500 error of some sort so I assume that's not the answer (and I don't have to do it on the other servers). It's like somehow I'm trying to force impersonation on the IUSR account or something?

    Read the article

  • Understanding IUSR_<machine> account

    - by liho1eye
    Namely how is setting read/write permission for this account different from giving read/write access in the IIS (Windows 2003, so it should be IIS6 if I am not mistaken). Here is the issue: It looks like we had a security sweep and as a part of that IUSR account lost write access everywhere. A whole bunch of legacy ASP sites didn't like that at all... My very surfacish understanding is that it is enough to deny write access in the IIS console to protect a website from someone just dropping random files into it, and IUSR access only has effect on the application scripts running server side, and thus can be safely given write access back. edit: The applications in question obviously require write access to their own web folders, otherwise this wouldn't be an issue at all. Question is how to configure IIS/application to both satisfy security and make them work. My first instinct was to change account which is used to run the app pool. However that is already set to NETWORK_SERVICE, and that guy already has full access to folders in question.

    Read the article

  • How do I get ELMAH to work with SQL Server (permission problems)

    - by Gary McGill
    I've got ELMAH working on my (Cassini) development server, and was quite happy with it, but now that I'm trying to move everything to my production server (IIS7), the honeymoon looks like being over. I've got past the "gotcha" with IIS7, which frankly could have been better highlighted in the documentation, and if I just use the in-memory log then it works. However, I'm trying to get it to use the SQL Server log (as I do on my development system), and I'm getting an error along the lines of: The EXECUTE permission was denied on the object ELMAH_GetErrorsXml Well, fine. I know how to grant database permissions, but I'm really struggling to understand which user and which stored procs/tables I need to grant access to. The thing that's really confusing me is that I didn't have to do anything like this to get it to work on my development server. The only difference I can see is that on my development server it seems to connect as NT AUTHORITY\IUSR, whereas on my production server it seems to connect as NT AUTHORITY\NETWORK SERVICE. (It's just using a trusted connection so I've not explicitly configured it to do that - I presume it's to do with the web server). UPDATE: I've since established that because I'm using Cassini, it was actually logging in as me (an admin) and not IUSR, which explains why I didn't get any permission problems. On my development server, the IUSR account is a member of the public database role, and has access to the required database (again as "public"). There's no explicit granting of object-level permissions. [See update above - this is irrelevant]. On my production server, I've added NETWORK SERVICE in exactly the same way (public database role, explicit access to the database as "public"). Yet, I get this permission error. Why?!! [See update above - the only reason I don't get a permission error is because I'm running as an admin]. And, of course, if the fact that it works locally is just "luck", I will need to know which SPs/tables to grant access to. My guess would be all 3 SPs and not the table, but it would be good (again) to see some documentation that makes this explicit.

    Read the article

  • Cannot find "IIS APPPOOL\{application pool name}" user account in Windows Server 2008

    - by MacGyver
    Normally when setting up IIS 7, I'm used to allowing permissions to user IIS APPPOOL\{application pool name} on the root folder of my web application(s). I also give permissions to IUSR (or the IIS_IUSRS user group. (Note, in Windows Server 2008, I found that IUSR isn't in that group by default, so I added it). In Windows Server 2008, I cannot find user IIS APPPOOL\{application pool name} under Security under the Windows Folder Properties. I'm using Windows Authentication in ASP.NET. I'm receiving a 401.1 on the page in Internet Explorer 8 after getting the authentication prompt. Mozilla Firefox also gave me a Windows authentication prompt, and got me into the site fine. Same with Google Chrome. How can I solve this one? HTTP Error 401.1 - Unauthorized You do not have permission to view this directory or page using the credentials that you supplied. Specific page information: Module: WindowsAuthenticationModule Notification: AuthenticateRequest Handler: PageHandlerFactory-ISAPI-4.0_32bit Error Code: 0x8009030e Requested URL: http://.....aspx Physical Path: C:\.........aspx Logon Method: Not yet determined Logon User: Not yet determined

    Read the article

  • What does this error mean in my IIS7 Failed Request Tracing report?

    - by Pure.Krome
    Hi folks, when I attempt to goto any page in my web application (i'm migrating the code from an asp.net web site to web application, and now testing it) .. i keep getting some not authenticated error(s) . So, i've turned on FREB and this is what it says... I'm not sure what that means? Secondly, i've also made sure that my site (or at least the default document which has been setup to be default.aspx) has anonymous on and the rest off. Proof: - C:\Windows\System32\inetsrv>appcmd list config "My Web App/default.aspx" -section:anonymousAuthentication <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" userName="IUSR" /> </authentication> </security> </system.webServer> C:\Windows\System32\inetsrv>appcmd list config "My Web App" -section:anonymousAuthentication <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" userName="IUSR" /> </authentication> </security> </system.webServer> Can someone please help?

    Read the article

  • What does this error mean in my IIS7 Failed Request Tracing report?

    - by Pure.Krome
    when I attempt to goto any page in my web application (i'm migrating the code from an asp.net web site to web application, and now testing it) .. i keep getting some not authenticated error(s) . So, i've turned on FREB and this is what it says... I'm not sure what that means? Secondly, i've also made sure that my site (or at least the default document which has been setup to be default.aspx) has anonymous on and the rest off. Proof: - C:\Windows\System32\inetsrv>appcmd list config "My Web App/default.aspx" -section:anonymousAuthentication <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" userName="IUSR" /> </authentication> </security> </system.webServer> C:\Windows\System32\inetsrv>appcmd list config "My Web App" -section:anonymousAuthentication <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" userName="IUSR" /> </authentication> </security> </system.webServer> Can someone please help?

    Read the article

  • certificate issues running app in windows 7 ?

    - by Jurjen
    Hi, I'm having some problems with my App. I'm using 'org.mentalis.security' assembly to create a certificate object from a 'pfx' file, this is the line of code where the exception occurs : Certificate cert = Certificate.CreateFromPfxFile(publicKey, certificatePassword); this has always worked and still does in production, but for some reason it throws an exception when run in windows 7 (tried it on 2 machines). CertificateException : Unable to import the PFX file! [error code = -2146893792] I can't find much on this message via google, but when checking the EventViewer I get an 'Audit Failure' every time this exception occurs: Event ID = 5061 Source = Microsoft Windows Security Task Category = system Integrity Keywords = Audit Failure Cryptographic operation. Subject: Security ID: NT AUTHORITY\IUSR Account Name: IUSR Account Domain: NT AUTHORITY Logon ID: 0x3e3 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: Not Available. Key Name: VriendelijkeNaam Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x2 ` I'm not sure why this isn't working on win 7, I've never had problems when I was running on Vista with this. I am running VS2008 as administrator but I guess that maybe the ASP.NET user doesn't have sufficient rights or something. It's pretty strangs that the 'Algorithm name' is 'Not Available' can anyone help me with this... TIA, Jurjen de Groot

    Read the article

  • Server.CreateObject Fails when calling .Net object from ASP on 64-bit windows in IIS 32-bit mode

    - by DrFredEdison
    I have a server running Windows 2003 64-bit, that runs IIS in 32-bit mode. I have a COM object that was registered using the following command: C:\WINDOWS\microsoft.net\Framework\v2.0.50727>regasm D:\Path\To\MyDll.dll /tlb:MyTLB.tlb /codebase When I create the object via ASP I get: Server object error 'ASP 0177 : 8000ffff' Server.CreateObject Failed /includes/a_URLFilter.asp, line 19 8000ffff When I create the object in a vbs script and use the 32-bit version of cscript (in \Windows\syswow64) it works fine. I've checked permissions on the DLL, and the IUSR has Read/Execute. Even if I add the IUSR to the Administrators group, I get the same error. This is the log from ProcessMonitor filtering for the path of my dll (annotated with my actions): [Stop IIS] 1:56:30.0891918 PM w3wp.exe 4088 CloseFile D:\Path\To\MyDll.dll SUCCESS [Start IIS] [Refresh ASP page that uses DLL] 1:56:42.7825154 PM w3wp.exe 2196 QueryOpen D:\Path\To\MyDll.dll SUCCESS CreationTime: 8/19/2009 1:11:17 PM, LastAccessTime: 8/19/2009 1:30:26 PM, LastWriteTime: 8/18/2009 12:09:33 PM, ChangeTime: 8/19/2009 1:22:02 PM, AllocationSize: 20,480, EndOfFile: 20,480, FileAttributes: A 1:56:42.7825972 PM w3wp.exe 2196 QueryOpen D:\Path\To\MyDll.dll SUCCESS CreationTime: 8/19/2009 1:11:17 PM, LastAccessTime: 8/19/2009 1:30:26 PM, LastWriteTime: 8/18/2009 12:09:33 PM, ChangeTime: 8/19/2009 1:22:02 PM, AllocationSize: 20,480, EndOfFile: 20,480, FileAttributes: A 1:56:42.7826961 PM w3wp.exe 2196 CreateFile D:\Path\To\MyDll.dll SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: SERVER2\IUSR_SERVER2, OpenResult: Opened 1:56:42.7827194 PM w3wp.exe 2196 CreateFileMapping D:\Path\To\MyDll.dll SUCCESS SyncType: SyncTypeCreateSection, PageProtection: 1:56:42.7827546 PM w3wp.exe 2196 CreateFileMapping D:\Path\To\MyDll.dll SUCCESS SyncType: SyncTypeOther 1:56:42.7829130 PM w3wp.exe 2196 Load Image D:\Path\To\MyDll.dll SUCCESS Image Base: 0x6350000, Image Size: 0x8000 1:56:42.7830590 PM w3wp.exe 2196 Load Image D:\Path\To\MyDll.dll SUCCESS Image Base: 0x6360000, Image Size: 0x8000 1:56:42.7838855 PM w3wp.exe 2196 CreateFile D:\Webspace\SecurityDll\bin SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: SERVER2\IUSR_SERVER2, OpenResult: Opened 1:56:42.7839081 PM w3wp.exe 2196 QueryDirectory D:\Path\To\MyDll.INI NO SUCH FILE Filter: SecurityDll.INI 1:56:42.7839281 PM w3wp.exe 2196 CloseFile D:\Webspace\SecurityDll\bin SUCCESS [Refresh ASP page that uses DLL] [Refresh ASP page that uses DLL] [Refresh ASP page that uses DLL] This dll works fine on other servers, running 32-bit windows. I can't think of anything else that would make this work. Any suggestions? UPDATE The .dll is not in the GAC, it is compiled as 32-bit, and is Strongly signed.

    Read the article

  • Login failed for user 'DOMAIN\MACHINENAME$'

    - by sah302
    I know this is almost duplicate of : http://stackoverflow.com/questions/1269706/the-error-login-failed-for-user-nt-authority-iusr-in-asp-net-and-sql-server-2 and http://stackoverflow.com/questions/97594/login-failed-for-user-username-system-data-sqlclient-sqlexception-with-linq-i but some things don't add up compared to other appliations on my server and I am not sure why. Boxes being used: Web Box SQL Box SQL Test Box My Application: I've got aASP.NET Web Application, which references a class library that uses LINQ-to-SQL. Connection string set up properly in the class library. As per http://stackoverflow.com/questions/97594/login-failed-for-user-username-system-data-sqlclient-sqlexception-with-linq-i I also added this connection string to the Web Application. The connection string uses SQL credentials as so (in both web app and class library): <add name="Namespace.My.MySettings.ConnectionStringProduction" connectionString="Data Source=(SQL Test Box);Initial Catalog=(db name);Persist Security Info=True;User ID=ID;Password=Password" providerName="System.Data.SqlClient" /> This connection confirmed as working via adding it to server explorer. This is the connection string my .dbml file is using. The problem: I get the following error: System.Data.SqlClient.SqlException: Login failed for user 'DOMAIN\MACHINENAME$'. Now referencing this http://stackoverflow.com/questions/1269706/the-error-login-failed-for-user-nt-authority-iusr-in-asp-net-and-sql-server-2 it says that's really the local network service and using any other non-domain name will not work. But I am confused because I've checked both SQL Box and SQL Test Box SQL Management Studio and both have NT AUTHORITY/NETWORK SERVICE under Security - Logins, at the database level, that isn't listed under Security - Users, but at the database level Security - Users I have the user displayed in the connection string. At NTFS level on web server, the permissions have NETWORK SERVICE has full control. The reason why I am confused is because I have many other web applications on my Web Server, that reference databases on both SQL Box and SQL Test Box, and they all work. But I cannot find a difference between them and my current application, other than I am using a class library. Will that matter? Checking NTFS permissions, setup of Security Logins at the server and databases levels, connection string and method of connecting (SQL Server credentials), and IIS application pool and other folder options, are all the same. Why do these applications work without adding the machinename$ to the permissions of either of my SQL boxes? But that is what the one link is telling me to do to fix this problem.

    Read the article

  • IIS permissions in C#

    - by Paulo
    Hello, I'm developing a solution in C# and I need to set permissions to some folders in the file system and in the Registry for IIS. Is there a way to give permitions to the file system and to the registry for the IIS users, that work for all IIs versions? For instance, in IIS 5 the user acount is ASPNET (I think that it has the IUSR_MachineName to), IIS 6 IUSR_MachineName and IIS 7 is IUSR. Thanks in advance, Paulo

    Read the article

  • win2008 r2 IIS7.5 - setting up a custom user for an application pool, and trust issues

    - by Ken Egozi
    Scenario: blank win2008 r2 install the goal was to have a couple of sites running with isolated pool and dedicated users A new folder for a new website - c:\web\siteA\wwwroot, with the app (asp.net) deployed there in the /bin folder created a user named "appuser" and added it to the IIS_USERS group gave the website folder read and execute permissions for IIS_USERS and the appuser created the IIS site. set the app=pool identity to the appuser now I'm getting YSOD telling me that the trust-level is too low - SecurityException: That assembly does not allow partially trusted callers Added <trust level="Full" /> on the web-config, did not help changing the app-pool user to Administrator makes the site run Setting "anonymous user identity" to either IUSR or the app pool identity makes no difference any idea? is there a "step by step" howto guide for setting up users for isolated app pools on IIS7.5?

    Read the article

  • IIS 7.5 doesn't load static html pages

    - by Kizz
    There is an IIS 7.5 freshly installed on a dedicated server. ASP.NET 4.0 Web app copied to its folder, new website is created on its own IP on post 80, IIS_IUSR and IUSR accounts have read/execute rights on site's folder, the site is assigned to its own Integrated app pool with 4.0 .NET (I tried Classic pool with the same results). The problem: when I try to access this web site, browser only loads content generated by .NET resources such as aspx pages, .axd files, etc. Static images, static js, css and html files are in the page source but IIS doesn't serve them. Dev tools in all browsers complain that all those static resources have been sent by the server with wrong content type (plain text instead of image, styles, etc). What do I do wrong?

    Read the article

  • Bypass IIS Basic Authentication for localhost

    - by George
    I'd like to have a website authenticated with basic auth, but then also allow the website to access itself locally. That is, I want to allow unauthenticated access only from localhost. In IIS I have only basic authentication enabled (not worrying about SSL for now), and I have the correct file system permissions such that outside users can login successfully and view the website. I have tried setting IIS_IUSR as owner of the directory, and added IUSR with modify permissions, however I'm still getting a 401 error when the website tries to access itself. Anyone have any idea how to get this to work?

    Read the article

1 2  | Next Page >