IISExpress AppPool identity verification - identity

I needed to run IISExpress under a specific identity. After going through this post, "how to run iisexpress app pool under a different identity", I changed the processModel's username and password attributes in my \Documents\IISExpress\config\applicationhost.config file.
I would like to verify the change in my web application. Is there a way to verify?
Ultimately, what I'm after is that my security works properly using the PrincipalPermission attribute. I believe the Name property on this attribute matches the user under which IISExpress and my application are running.
Thanks in advance for your help.

IISExpress runs with current user identity and changing ProcessModel username/password won't help. Only way to run with particular identity is to launch iisexpress.exe with 'runas'.

I'm probably way too late to help, but have you tried changing your project to run with Local IIS instead of IIS Express?
Here's the way I do it (you could start in Visual Studio, but I find this more straightforward):
Launch IIS Manager with admin privilege (important that you have rights to muck with localhost)
Add a new Application Pool running with the Identity you need for your database (probably your windows account)
Create a new application on iis
point it to your project folder
assign it to the app pool you just created
In Visual Studio open your project's properties (select the project in solution explorer hit Alt-Enter or use context menu). In the Web Section, select Local IIS instead of IIS Express. No need to create virtual directory (you already did).
Now your app can open the database. As an added bonus, your project is always available to run. No need to start it from Visual Studio.
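To check which account a running IIS Express or IIS worker process actually uses, whichever of the two setups above is chosen, the process owner can be read from Windows. This is an added example, not part of the original posts; the function name `Get-WebWorkerIdentity` is hypothetical.

```powershell
# Added example: list the account each IIS Express / IIS worker process runs as.
# Run from an elevated prompt so processes owned by other accounts are visible.
function Get-WebWorkerIdentity {
    Get-CimInstance Win32_Process -Filter "Name='iisexpress.exe' OR Name='w3wp.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            # w3wp.exe is started with -ap "<app pool name>" on its command line.
            $pool = if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Process = $_.Name
                Id      = $_.ProcessId
                AppPool = $pool
                RunsAs  = if ($owner.ReturnValue -eq 0) {
                              "$($owner.Domain)\$($owner.User)"
                          } else {
                              '(owner not readable)'
                          }
            }
        }
}

# Flag processes that run as the interactive user, which is what the first
# answer says to expect from iisexpress.exe unless it was started with runas.
$me = "$env:USERDOMAIN\$env:USERNAME"
Get-WebWorkerIdentity |
    Select-Object *, @{ Name = 'IsCurrentUser'; Expression = { $_.RunsAs -eq $me } }
```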

Related

Can't access SSRS folders on a local server following installation

Edit: I also have the same problem as an admin on a domain.
I just installed SSRS locally on a machine for and I cannot access the reports I deployed. Everything was installed as admin
when going to the web portal I get this message
Could not load folder contents
You are not allowed to view this folder. Contact your administrator to obtain the necessary permissions.
and when trying to access the web service via the config manager I get this one:
The permissions granted to user <username> are insufficient for performing this operation. (rsAccessDenied)
Additionally in the web portal I got no "manage" folder and only "my subscriptions" under the settings button .
Everything is running locally and as admin, the OS is windows 11 and the SSRS is version 15.0.1102.1002 and running in native mode.
I've looked all over the place and found out something about certificates, but almost everything in google is about access problems via remote server.
adding the URL to the trusted sites didn't help
It certainly looks like you don't have permission. Are you administrator? When you were installing did you set up some users to be administrators?
Find which account is administrator and then add yourself from the SSRS site. Is there another account you can run or Run as administrator?
Another way is to install again.
If you decide to install again, pay attention to the page with the users.

Hosting basic html site on iis

I have a basic web site (just html, js and css files) that I want to host on IIS on my local machine for testing purposes. The site runs fine when I run it directly as a file on my computer. I added a website on IIS, using the directory these files are located in, but when I try to launch it, I get an error page that says:
An error occurred loading a configuration file: Failed to start monitoring changes to '[my site path]' because access is denied.
It then says that the source file is a web.config. I know that ASP.NET sites use a web.config, but I don't even have one, and I just want to run a basic site using html, css, and javascript.
Any ideas on what the fix might be? I made sure I have an application pool for the site.
You likely put it into your user profile -- ie c:\users\skitterm\ -- which won't let the process running IIS read the folder. You are better off using IIS' built in directory structure in c:\inetpub and adding a folder for your site.
As you can tell this is a server misconfiguration. It would help to know the version of your IIS.
You can follow the steps on Microsoft's official knowledgebase to resolve the issue:
http://support.microsoft.com/kb/316721
http://support.microsoft.com/kb/317955 (for IIS v6.0, try Method 3)
I worked in IIS about a year ago and such errors are caused by misconfigured Security settings in IIS.
Sounds like you need to set up the proper access rights for the folder to the account specified by the application pool identity.
First make sure that your folder is not anywhere under your \users\, \program files\, or any other place that already has restricted access. Put it under a folder on the root (\inetpub is a good place).
Then, add the appropriate permissions (usually read only) for the folder to allow the user account specified by the app pool identity to access it. If the app pool identity is set to ApplicationPoolIdentity, adding the IIS_IUSRS local group should do it. Otherwise, use the account that is specified.
This should fix the problem.
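The permission step described in the answer above can be scripted as follows. This is an added example, not part of the original answers; it assumes the WebAdministration module is available and uses a hypothetical site name, `TestSite`.

```powershell
# Added example: make the site folder readable by the app pool's account.
# Run elevated. 'TestSite' is a hypothetical site name.
Import-Module WebAdministration

$siteName = 'TestSite'
$site = Get-Item "IIS:\Sites\$siteName"
$path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"

# Per the answer above: IIS_IUSRS for ApplicationPoolIdentity,
# otherwise the account the pool is configured with.
$grantee = switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { 'BUILTIN\IIS_IUSRS' }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}
$sidType    = [System.Security.Principal.SecurityIdentifier]
$granteeSid = (New-Object System.Security.Principal.NTAccount($grantee)).Translate($sidType)

# Compare by SID so that name formatting (.\user, DOMAIN\user) does not matter.
$want = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$acl  = Get-Acl -Path $path
$existing = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $granteeSid.Value -and
    ($_.FileSystemRights -band $want) -eq $want
}

if ($existing) {
    "$grantee already has read access to $path"
} else {
    # Read-only, inherited by subfolders and files, as the answer recommends.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $granteeSid, $want, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    "Granted read-only access on $path to $grantee"
}
```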

SSRS reporting service UAC error, already tried everything

Been trying to get SSRS reporting service set up for a while now, and been stuck on the issue with UAC.
After setting up the Reporting Service Configuration Manager settings, with service account using my PC's login account, Database using ReportServer$SQLEXPRESS, etc. when launching the server # 127.0.0.1/Reports it directs me to 127.0.0.1/Reports/Pages/Folder.aspx and then after login with my PC's login this is what I get on my browser -
"User 'OCTETHP\Support' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed."
And I have done my research online, I turned off UAC, I am on the administrator account, and I also tried to run the browser with right click to run as administrator option on both Chrome and IE. Still does not solve this problem. Could anyone help me out with this??
I am currently running on windows 8.1. Thanks so much!
It is likely the problem is with the account the reporting server is running under (OCTETHP\Support). You may need to add this user to the web user group (IIS_WPG depending on your OS version). If that doesn't work, you can set the user to be a local administrator and work the permissions back from there.
If you want to run the reporting services from another account you'd want to follow these steps:
Open IIS Manager
Under websites locate the SSRS website (/Reports in your case)
In basic properties check the App Pool the site is running under
Go to the App Pools section of IIS and open the advanced properties
Setup the user that the App Pool runs under
You'll need to make sure the user is assigned to the web user group, and has permissions to access the folder that the website points to.

How to enable Windows Authentication for DNN

Sorry, my question might be a duplicate, but I didn't find any correct solution. So I'm posting this question again...
First I have deployed a DNN website with SQL Server authentication. Site was working fine.
Later we reinstalled SQL Server 2008. So I'm trying to give Windows authentication to connect the site.
In the web.config connection string: I have removed the username and password and gave Integrated security="true".
In IIS: Site -> Authentication -> Windows Authentication -> enabled, and all others disabled.
Once I browse, the site is redirecting to the DNN install wizard.
Need Help.
In SQL Server did you configure the Windows account that the application pool (in IIS) is using to have DBOwner access to the database?
Also make sure to change BOTH connection strings in the database.
Depending on what version of IIS you are on, that account might differ. Older versions likely would use "Network Service" while newer versions might also use "Network Service" or an application pool specific account like "iis apppool\dnndev"
You'll also want to make sure that you aren't trying to assign a DOMAIN account to the database, unless of course that is what IIS is configured to use (as opposed to a local account)

User rights needed for IIS 7.5 application pool user (domain user, not the AppPoolIdentity)

We have an active directory domain (let's call it foodomain) and a domain user account (foodomain\fooAppPoolUser) used for the IIS application pool identity.
We want to run the app pool under this user account and not under Network Service or the new AppPoolIdentity as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.
Somewhere I read that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed).
I hope I was clear enough what the question is and hope somebody has an answer.
It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.
Here's what I believe you should do to enable an account to work as an ApplicationPool identity:
Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
If security policy is using windows defaults that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start but not necessarily all required):
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication - (Often not available by default on locked-down environments)
Log on as a batch job - (Often not available by default on locked-down environments)
Log on as a service - (I'm not sure this is needed)
Replace a process level token
If you're using windows auth and Kerberos (provider=Negotiate) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you.
Fun reading:
Default permissions and user rights for IIS 7.0, 7.5, 8.0. This is the best reference, see the user rights at the bottom.
User Rights (on Windows Server 2008, but still interesting and helpful as it's a long article you can CTRL+F to find IIS-related comments)
User Rights Assignment on Server 2008 R2+. You have to drill into each right to see what it mentions about IIS.
How To: Create a Service Account for an ASP.NET 2.0 Application - pity there's no more recent version of this article.
SPN Checklist for Kerberos on IIS7/7.5
How to use SPNs - applies to IIS6 or to 7/8 if Kernel-mode authentication is turned off.
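On a locked-down server, the user rights listed in the answer above can be checked against the effective local security policy. This is an added example, not part of the original answer; the account name is the one from the question, and the group list is an assumption about which groups apply to that account.

```powershell
# Added example: which of the user rights listed above reach the account,
# directly or through a group, according to local security policy. Run elevated.
$account = 'foodomain\fooAppPoolUser'                        # name used in the question
$groups  = 'BUILTIN\IIS_IUSRS', 'BUILTIN\Users', 'Everyone'  # assumption: groups that apply
$rights = [ordered]@{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
    SeAuditPrivilege              = 'Generate security audit details'
    SeImpersonatePrivilege        = 'Impersonate a client after authentication'
    SeBatchLogonRight             = 'Log on as a batch job'
    SeServiceLogonRight           = 'Log on as a service'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}
function ConvertTo-Sid([string]$Name) {
    (New-Object System.Security.Principal.NTAccount($Name)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
# SID -> display name for the account and every group counted as applying to it.
$principals = @{}
foreach ($name in @($account) + $groups) { $principals[(ConvertTo-Sid $name)] = $name }

# secedit writes lines such as: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-568
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$assigned = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
        $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
            $entry = $_.Trim()
            # Entries are "*<SID>" or, for some accounts, a plain name.
            if ($entry.StartsWith('*')) { $entry.Substring(1) }
            else { try { ConvertTo-Sid $entry } catch { $entry } }
        })
    }
}
Remove-Item $inf

foreach ($constant in $rights.Keys) {
    $via = @()
    if ($assigned.ContainsKey($constant)) {
        $via = @($assigned[$constant] | Where-Object { $principals.ContainsKey($_) } |
                 ForEach-Object { $principals[$_] })
    }
    [pscustomobject]@{
        Right      = $rights[$constant]
        Constant   = $constant
        GrantedVia = if ($via.Count) { $via -join ', ' } else { '(not granted)' }
    }
}
```

A right shown as "(not granted)" may still reach the account through a group that is not in `$groups`, so extend that list to match the account's real memberships.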
The reason why your application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights - Your application worked after removing the administrator rights because the application was compiled. If you update your application and it requires recompilation, the app pool account will need trusts again.
First I got errors (unfortunately I can't remember which ones), then
I added fooAppPoolUser to the local admin group (Administrators, I
know, was only to test), then it worked. Now I removed the user again,
restarted IIS and it still works.
I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the down-sides; each app pool has its very own ApplicationPoolIdentity account created with it.
More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.