I have IIS7.5 with two websites, and I have an Access database on a server on our network.
The first website has anonymous auth on, using a specific network account (lets say 'jim.smith').
The second website has windows auth on.
I've written some ASP to use a DSN-Less connection to the Access database, and I'm using the same code in both websites.
When logged on to a computer with the same network account as is in use with the first website anonymous setting ('jim.smith') - when viewing in a browser, the first website has access to the database, the second website does not.
The error message is: 80004005 The Microsoft Jet database engine cannot open the file '...'. It is already opened exclusively by another user, or you need permission to view its data.
It is definitely not opened by another user.
So the first website is being accessed by network user 'jim.smith' via the anonymous setting.
The second website is being accessed by network user 'jim.smith' via windows auth.
Why would access to the database work from website one, and not website two..?
Does anyone know how to make windows auth work the same as the anonymous setting so I have access to the database from website two..?
Cheers!
Steve
Edit: Everyone has full rights to the folder where the database sits.
Seems to me that you need to enable impersonation so that the incoming user is used to acces the database. Otherwise the user of the application pool is used and this usually doesn't even have right on the server itself ( Application Pool Identity)
When using 'Integrated Pipeline' on IIS on the server, and if your application does not rely on impersonating the requesting user in the 'BeginRequest' and 'AuthenticateRequest' stages (the only stages where impersonation is not possible in Integrated mode), but still requires Impersonation in other areas of the application, ignore this error (500 - Internal Server Error) by adding the following to your application’s web.config
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
See:
http://allen-conway-dotnet.blogspot.com/2010/11/how-to-use-impersonation-in-aspnet.html
Related
I have a Microsoft Access application (accdb) hosted on a server that all users remote into. I'm using the code from Microsoft to list users. The problem is that the LOGIN_NAME for all the users is Admin Pic of list of users all named Admin.
Is there a setting on the server I can change that uses the Login ID of each user instead of Admin?
That code refers to the workgroup security of the JET engine, which was abandoned in Access 2010 and still is.
You will have to obtain the logon name of the session. The extremely simple method in VBA is:
Username = Environ("username")
You can also use an API call for this.
You should know also that an Access application must be split into 2 files (front & back) for simultaneous multi user deployment. Each user must be assigned their own unique front file. All front files link to the single back file that holds the tables. No one directly uses the back file.
If you have sufficient privileges to open an Administrative Command Prompt on the remote server, I suggest the OpenFiles command. You could also look at the SysInternals PsFile command. Both should tell you the real usernames of all users attached to an Access database file.
I'm new to Federation Services and I'm trying to understand how ADFS works as a whole and I've started to get down into the details. I followed along with creating an app using OIDC to authenticate a user, however, within the tutorial, they specified using a "Server Application" when setting up an Application Group. This ended up not working for me so I tried setting up a "Native Application" application group for kicks and was able to successfully login.
The thing that threw me off is, I ended up hosting ADFS on a server outside of the domain in which I had my application running, so I'm confused as to how that is "native" in terms of ADFS.
I went looking for this answer within microsoft's documentation but I didn't find the information very clear.
Native Application:
"Sometimes called a public client, this is intended to be a client app that runs on a pc or device and with which the user interacts."
Server Application:
"A web application that runs on a server and is generally accessible to users via a browser. Because it is capable of maintaining its own client 'secret' or credential, it is sometimes called a confidential client."
This may seem simple to some, but I'm trying to really get a grip on what would be used when. To me it sounds like a native application is used when you're running the application natively on a pc in which the user is also using the same pc, and the server application is run remotely in which the user would not be using the same machine. Is it really that simple or am I misunderstanding?
A native application (in Microsoft speak) is something that is not browser based e.g. mobile. The code runs client side. It may use JavaScript in which case the secret key is publicly accessible. (The secret key is one of the OAuth parameters). You use ADAL / MSAL to access it.
A server application runs server side e.g a web API. The secret key is not publicly accessible. You use OWIN to access it.
These terms have no relevance to where ADFS is actually installed. Native applications typically are not domain joined.
I got a multisite network, and got subsites on it, unfortunately the main domain has expired, and I cannot access my WP admin. I don't worry about the main site but I need to have the subsite.
I am able to access the main site using the IP but not its WP admin. I tried following this but it didn't help. I saw a way via accessing database (this method) but I couldn't access database as its hosted in Digital Ocean, it's pretty hard without a control panel.
want a way to access main sites WP admin
access my subsite via URL (it has a separate domain which is being masked)
If your domain has expired, ordinary DNS will not work. This means that domain-based hosting on the web server will no longer operate as well.
However, you can easily trick your local machine into thinking the domain still exists. This will work on Linux and OS X. You'll need to know the IP address of your web server - if you do not have this, you'll have this in the welcome emails you've received from your web host, or perhaps by logging onto your customer control panel.
Edit your /etc/hosts/ file. In a blank link at the end, add this:
yourdomain.tld 1.2.3.4
where 1.2.3.4 is your IPv4 address. The gap between the two can be any number of spaces or tabs.
Once this file is saved, you should be able to ping it thus, in a console or terminal utility:
ping yourdomain.tld
and it will show you what IP address you have assigned it to.
You can then access it normally. Bear in mind, though, that only you have the DNS information, so it will not work on any other machine. It will however allow you to access your WordPress control panel.
Been trying to get SSRS reporting service set up for a while now, and been stuck on the issue with UAC.
After setting up the Reporting Service Configuration Manager settings, with service account using my PC's login account, Database using ReportServer$SQLEXPRESS, etc. when launching the server # 127.0.0.1/Reports it directs me to 127.0.0.1/Reports/Pages/Folder.aspx and then after login with my PC's login this is what I get on my browser -
"User 'OCTETHP\Support' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed."
And I have done my researches online, I turned off UAC, I am on the administrator account, and I also tried to run the browser with right click to run as administrator option on both chrome and IE. Still does not solve this problem. Could anyone help me out with this??
I am currently running on windows 8.1. Thanks so much!
It is likely the problem is with the account the reporting server is running under (OCTETHP\Support). You may need to add this user to the web user group (IIS_WPG depending on your OS version). If that doesn't work, you can set the user to be a local administrator and work the permissions back from there.
If you want to run the reporting services from another account you'd want to follow these steps:
Open IIS Manager
Under websites locate the SSRS website (/Reports in your case)
In basic properties check the App Pool the site is running under
Go to the App Pools section of IIS and open the advanced properties
Setup the user that the App Pool runs under
You'll need to make sure the user is assigned to the web user group, and has permissions to access the folder that the website points to.
We have an active directory domain (let's call it foodomain) and a domain user account (foodomain\fooAppPoolUser) used for the IIS application pool identity.
We want to run the app pool under this user account and not under Network Service or the new AppPoolIdentity as we have to access SQL server and have multiple applications on IIS (with own app pools) accessing different databases.
The problem is that I can't find a clear HOW-TO explaining, which user rights have to be set for this user account and how IIS has to be setup so that this will work.
First I got errors (unfortunately I can't remember which ones), then I added fooAppPoolUser to the local admin group (Administrators, I know, was only to test), then it worked. Now I removed the user again, restarted IIS and it still works.
So I'm confused a bit and would like to know, how the configuration/setup has to be to have it working.
Somwhere I read, that the account needs to have the "Impersonate a client after authentication" user right. That's the reason I added the account to the Admin group (the user rights assignment is blocked via group policy, but this can for sure be changed if really needed.
I hope I was clear enough what the question is and hope somebody has an answer.
It's frustrating that this information is so hard to find, since some security admins seem to enjoy the cruel and unusual punishment of changing default policy settings to thwart installing apps within IIS.
Here's what I believe you should do to enable an account to work as an ApplicationPool identity:
Run aspnet_regiis -ga DOMAIN\USER to add permissions to access the IIS Metabase. (Exactly what that means, who knows?) aspnet_regiis reference
Add the user to the IIS_IUSRS group. This may be done automatically depending on the IIS configuration setting processmodel.manualGroupMembership but easiest to add it yourself.
If security policy is using windows defaults that's about it. If the security policy is locked down you may need to enable specific user rights for the account. The ones you have by default for ApplicationPoolIdentities (which seems a good place to start but not necessarily all required):
Access this computer from the network
Adjust memory quotas for a process
Allow log on locally
Bypass traverse checking
Generate security audit details
Impersonate a client after authentication - (Often not available by default on locked-down environments)
Log on as a batch job - (Often not available by default on locked-down environments)
Log on as a service - (I'm not sure this is needed)
Replace a process level token
If you're using windows auth and Kerberos (provider=Negotiate) then depending on the URL and if kernel-mode auth is on you might need to set up an SPN. I suggest switching to NTLM if possible. Otherwise, see articles below about SPNs and find a friendly domain admin to add them for you.
Fun reading:
Default permissions and user rights for IIS 7.0, 7.5, 8.0. This is the best reference, see the user rights at the bottom.
User Rights (on Windows Server 2008, but still interesting and helpful as it's a long article you can CTRL+F to find IIS-related comments)
User Rights Assignment on Server 2008 R2+. You have to drill into each right to see what it mentions about IIS.
How To: Create a Service Account for an ASP.NET 2.0 Application - pity there's no more recent version of this article.
SPN Checklist for Kerberos on IIS7/7.5
How to use SPNs - applies to IIS6 or to 7/8 if Kernel-mode authentication is turned off.
The reason why you application worked AFTER removing Administrator rights is that your application was compiled to the Framework temp folder using the administrator rights - Your application worked after removing the administrator rights because the application was compiled. If you update your application and it requires recompilation, the app pool account will need trusts again.
First I got errors (unfortunately I can't remember which ones), then
I added fooAppPoolUser to the local admin group (Administrators, I
know, was only to test), then it worked. Now I removed the user again,
restarted IIS and it still works.
I found the following link answered a similar question I had: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
Basically, ApplicationPoolIdentity is a virtual user account that still behaves like NETWORK SERVICE, but without some of the down-sides; each app pool has it's very own ApplicationPoolIdenity account created with it.
More detailed information can also be found that is also specific to IIS 7.5 Application Pool Identities.