Using Windows Authentication with IISExpress

[Origin]: https://www.danesparza.net/2014/09/using-windows-authentication-with-iisexpress/

I do a lot of development with websites in Visual Studio 2013 nowadays. I’ve discovered that in order to use IISExpress with Windows Authentication, I had to jump through some hoops. You may find yourself banging your head on the wall trying to get IISExpress to work with Windows auth – so here are a few tips for you.

Update your web.config

Make sure your web.config file both enables windows authentication and also denies anonymous authentication. HttpContext.Current.User.Identity.Name will be blank if the app falls through to anonymous authentication. Your config should look something like this:

<authentication mode="Windows" />
<authorization>
    <deny users="?"/>
</authorization>

Error 401.2 Unauthorized

Sometimes, you might get the 401.2 Unauthorized: Logon failed due to server configuration error. If you do, verify that you have permission to view this directory or page based on the credentials you supplied. Also make sure you have the authentication methods enabled on the Web server.

Updating applicationhost.config

You also might find you have to update the IISExpress applicationhost.config file (don’t worry – I didn’t know it either). This is essentially the file version of the IIS configuration tool, where you can configure the web server itself. Finding the applicationhost.config file can be tricky. It might be in:

%userprofile%\documents\iisexpress\config\applicationhost.config

or

%userprofile%\my documents\iisexpress\config\applicationhost.config

Once you find it, update the following lines (paying special attention to enabled=true):

<windowsAuthentication enabled="true">
    <providers>
        <add value="Negotiate" />
        <add value="NTLM" />
    </providers>
</windowsAuthentication>

IIS AppPoolIdentity and file system write access permissions

[Origin]: https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions

Here’s an issue with IIS 7.5 and ASP.NET that I’ve been researching and getting nowhere with. Any help would be greatly appreciated.

My question is: using ASP.NET in IIS 7.5, how does IIS and/or the operating system allow the web application to write to a folder like C:\dump when running under full trust? How is it that I don’t have to explicitly add write access for the application pool user (in this case ApplicationPoolIdentity)?

This much I know:

  • In IIS 7.5, the default Identity for an Application Pool is ApplicationPoolIdentity.
  • ApplicationPoolIdentity represents a Windows user account called “IIS APPPOOL\AppPoolName”, which is created when the Application Pool is created, where AppPoolName is the name of the Application Pool.
  • The “IIS APPPOOL\AppPoolName” user is by default a member of the IIS_IUSRS group.
  • If you are running under Full Trust, your web application can write to many areas of the file system (excluding folders like C:\Users, C:\Windows, etc.). For example, your application will have access to write to some folders, like C:\dump.
  • By default, the IIS_IUSRS group is not given read or write access to C:\dump (at least not access that is visible through the “Security” tab in Windows Explorer).
  • If you deny write access to IIS_IUSRS, you will get a SecurityException when trying to write to the folder (as expected).

So, taking all of that into account, how is write access granted to the “IIS APPPOOL\AppPoolName” user? The w3wp.exe process runs as this user, so what allows this user to write to a folder it doesn’t seem to have explicit access to?

Please note that I understand this was probably done for the sake of convenience, since it would be a pain to grant a user access to every folder it needs to write to if you are running under Full Trust. If you want to limit this access, you can always run the application under Medium Trust. I am interested in finding out about the way the operating system and/or IIS allows these writes to take place, even though there appears to be no explicit file system access granted.

The ApplicationPoolIdentity is assigned membership of the Users group as well as the IIS_IUSRS group. On first glance this may look somewhat worrying, however the Users group has somewhat limited NTFS rights.

For example, if you try and create a folder in the C:\Windows folder then you’ll find that you can’t. The ApplicationPoolIdentity still needs to be able to read files from the windows system folders (otherwise how else would the worker process be able to dynamically load essential DLLs).

With regard to your observations about being able to write to your c:\dump folder: if you take a look at the permissions in the Advanced Security Settings, you’ll see a Special permission being inherited from c:\.

That’s the reason your site’s ApplicationPoolIdentity can read and write to that folder. That right is being inherited from the c:\ drive.

In a shared environment where you possibly have several hundred sites, each with their own application pool and Application Pool Identity, you would store the site folders in a folder or volume that has had the Users group removed and the permissions set such that only Administrators and the SYSTEM account have access (with inheritance).

You would then individually assign the requisite permissions each IIS AppPool\[name] requires on its site root folder.

You should also ensure that any folders you create where you store potentially sensitive files or data have the Users group removed. You should also make sure that any applications that you install don’t store sensitive data in their c:\program files\[app name] folders and that they use the user profile folders instead.

So yes, on first glance it looks like the ApplicationPoolIdentity has more rights than it should, but it actually has no more rights than its group membership dictates.

An ApplicationPoolIdentity’s group membership can be examined using the SysInternals Process Explorer tool. Find the worker process that is running with the Application Pool Identity you’re interested in (you will have to add the User Name column to the list of columns to display).

For example, I have a pool here named 900300 which has an Application Pool Identity of IIS APPPOOL\900300. Right-clicking on the process, choosing Properties and selecting the Security tab shows the groups it belongs to.

As we can see IIS APPPOOL\900300 is a member of the Users group.

  1. Right click on the folder.
  2. Click Properties.
  3. Click the Security tab.
  4. Click the “Edit…” button.
  5. Click the “Add…” button.
  6. Click the “Locations…” button. Go to the very top of the tree structure, select your computer name, then click OK.
  7. Now type “iis apppool\your_apppool_name” and click the “Check Names” button. If the apppool exists, you will see your apppool name in the textbox, underlined. Click OK.
  8. Check/uncheck whatever access you need to grant to the account.
  9. Click Apply and then OK.
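A scripted version of the advice in the first answer above (store the site under a folder where the Users group has been removed, then grant each IIS AppPool\[name] only what it needs). This is an added example, not code from either answer; the folder path and pool name are placeholders, and the script needs an elevated prompt.

```powershell
# Added example (not from the original answers): take the Users group out of a site root
# and grant the pool identity only the rights it needs. Placeholders: $SiteRoot, $AppPoolName.
param(
    [string]$SiteRoot    = 'D:\Sites\example-site',   # placeholder path
    [string]$AppPoolName = 'example-site'             # placeholder pool name
)
$poolIdentity = "IIS AppPool\$AppPoolName"

# 1. Explicit rights first, so nothing becomes unreachable once inheritance is cut:
#    Administrators and SYSTEM get full control, propagated to subfolders (CI) and files (OI).
icacls $SiteRoot /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
icacls $SiteRoot /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# 2. The worker process only needs to read and execute the site content ...
icacls $SiteRoot /grant "${poolIdentity}:(OI)(CI)RX" | Out-Null

# 3. ... and modify rights only where the application really writes (App_Data here).
$dataDir = Join-Path $SiteRoot 'App_Data'
if (-not (Test-Path $dataDir)) { New-Item -ItemType Directory -Path $dataDir | Out-Null }
icacls $dataDir /grant "${poolIdentity}:(OI)(CI)M" | Out-Null

# 4. Now cut inheritance and drop the inherited entries (/inheritance:r). This is what removes
#    the BUILTIN\Users entry inherited from the drive root; /inheritance:d would copy the
#    inherited entries, Users included, which is exactly what the answer warns about.
icacls $SiteRoot /inheritance:r | Out-Null

# 5. Verify: Users must no longer appear anywhere in the resulting ACL.
$acl = icacls $SiteRoot
if ($acl -match 'BUILTIN\\Users') {
    Write-Warning "BUILTIN\Users still has rights on $SiteRoot"
} else {
    Write-Host "OK: $SiteRoot is limited to Administrators, SYSTEM and $poolIdentity"
}
```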

IIS – can’t access page by ip address instead of localhost

[Origin]: https://stackoverflow.com/questions/14029629/iis-cant-access-page-by-ip-address-instead-of-localhost

I’m trying to publish a ClickOnce application and test it locally. I want to provide an installation link, so I need to update the location with an IP address, otherwise I won’t be able to install it (because localhost is translated into the computer name and it’s not accessible). The problem is that on my IIS I can access my page only by using localhost in the address.

http://localhost:9995/publish/Publish.htm <-- working
http://192.168.1.104:9995/publish/Publish.htm <-- not working (my IP address)
http://my_pc_name:9995/publish/Publish.htm <-- not working
http://127.0.0.1:9995/publish/Publish.htm <-- even that is not working

I’m using Windows 7 and Visual Studio 2012 with IIS Express 8.0, but I tried the same on Visual Studio 2010 and it’s ASP.NET server and still failed. I have my firewall turned off.

Do you have any ideas what can be wrong?

Visual Studio 2015, Windows Authentication, and IIS Express

[Origin]: http://provenstyle.com/blog/2015/10/02/Visual-Studio-2015-Windows-Authentication-And-IIS-Express/

I finally upgraded my Visual Studio to 2015 and the transition has been pretty smooth! However, today I had an issue that took me a little while to solve. An ASP.NET MVC web app that uses Windows Authentication had been working great, but suddenly gave me the following error:

Access is denied.

Description: An error occurred while accessing the resources required to serve this request. 
The server may not be configured for access to the requested URL. 

Error message 401.2.: Unauthorized: Logon failed due to server configuration.  
Verify that you have permission to view this directory or page based on the credentials 
you supplied and the authentication methods enabled on the Web server.  Contact the Web 
server's administrator for additional assistance.

I learned several things troubleshooting this. The first is that the IIS Express configuration has moved from C:\Users\YourUserName\Documents\IISExpress\config\applicationhost.config, out of the My Documents IISExpress folder and into the new .vs/configuration folder.

The second thing I was reminded of is that there is another place to edit properties for your project. I almost never press f4 on my project. I right click and go down to properties, but that is a very different set of properties than you get when you press f4.

The solution to my authorization issue was to go into the f4 project properties and set the following:

Anonymous Authentication – Disabled

Windows Authentication – Enabled

Apparently these properties update the IIS applicationHost.config directly. It adds the following to the config.

<location path="Project.Name.Here">
    <system.webServer>
        <security>
            <authentication>
                <windowsAuthentication enabled="true" />
                <anonymousAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</location>

It is irritating that you can’t save these somewhere in the .csproj file instead, but not a big deal once you know it is there.
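A check for the settings that this post and the earlier one (Using Windows Authentication with IISExpress) edit by hand: the per-site or global authentication switches in applicationhost.config, and the mode="Windows" plus deny users="?" entries in web.config. This is an added example, not code from either post; the site name and both file paths are placeholders.

```powershell
# Added example (not from either post): verify the Windows Authentication settings both posts
# describe. Placeholders: $SiteName, $HostConfig (.vs\config for VS2015, Documents\IISExpress\config
# for VS2013) and $WebConfig.
param(
    [string]$SiteName   = 'Project.Name.Here',
    [string]$HostConfig = 'C:\path\to\solution\.vs\config\applicationhost.config',
    [string]$WebConfig  = 'C:\path\to\project\web.config'
)
$problems = @()

# applicationhost.config: prefer the per-site <location> override (what the F4 properties write),
# otherwise fall back to the global <authentication> section the 2014 post edits.
[xml]$hostCfg = Get-Content -Path $HostConfig
$auth = $hostCfg.SelectSingleNode("//location[@path='$SiteName']/system.webServer/security/authentication")
if (-not $auth) { $auth = $hostCfg.SelectSingleNode('/configuration/system.webServer/security/authentication') }
if (-not $auth) { throw "no <authentication> section found in $HostConfig" }
$win  = $auth.SelectSingleNode('windowsAuthentication')
$anon = $auth.SelectSingleNode('anonymousAuthentication')
if (-not $win -or $win.GetAttribute('enabled') -ne 'true') {
    $problems += 'applicationhost.config: windowsAuthentication is not enabled="true"'
} else {
    # A per-site override usually omits <providers> and inherits them; only judge a list that is there.
    $providers = @($win.SelectNodes('providers/add') | ForEach-Object { $_.GetAttribute('value') })
    if ($win.SelectSingleNode('providers') -and -not ($providers -contains 'Negotiate' -or $providers -contains 'NTLM')) {
        $problems += 'applicationhost.config: neither Negotiate nor NTLM is listed under <providers>'
    }
}
if ($anon -and $anon.GetAttribute('enabled') -eq 'true') {
    $problems += 'applicationhost.config: anonymousAuthentication is still enabled (the 401.2 case)'
}

# web.config: mode="Windows" and <deny users="?"/>, or Identity.Name comes back blank.
[xml]$webCfg = Get-Content -Path $WebConfig
$mode = $webCfg.SelectSingleNode('/configuration/system.web/authentication')
if (-not $mode -or $mode.GetAttribute('mode') -ne 'Windows') {
    $problems += 'web.config: <authentication mode="Windows" /> is missing'
}
if (-not $webCfg.SelectSingleNode("/configuration/system.web/authorization/deny[@users='?']")) {
    $problems += 'web.config: <deny users="?" /> is missing, so anonymous requests fall through'
}

if ($problems.Count -eq 0) { Write-Host "OK: $SiteName is configured for Windows Authentication" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```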

‘The format of the specified network name is invalid’ – IIS Error 0x800704BE

[Origin]: http://www.therealtimeweb.com/index.cfm/2011/10/24/iis-error-0x800704BE

Oh don’t you just love cryptic error messages that could mean one hundred and one things? Yeah, me too.

So in the interest of some poor soul (maybe it’s you 😉) searching on this topic in the year 2142, I decided to point out what resolved this issue for me.

Background: I am running Windows Server 2008 R2 with IIS inside a Hyper-V instance. The VM was configured with a static IP and each IIS site was configured to bind to that IP, and that IP alone.
I transferred the VM to Amazon EC2 (using the ec2-import-instance API) since I wanted to move away from having to maintain my own physical hardware. Long story short, once transferred I was unable to start any of the IIS sites, they all failed with the error ‘The format of the specified network name is invalid – Error 0x800704BE’.

I knew that this error was likely related to IP bindings of some kind (EC2 usually expects you to use DHCP for IP address assignment since even an elastic IP can change) so I tried binding a few IIS sites to ‘all’ IPs. Still the sites would not start, but throw the above error.

I dug deeper and used the netsh utility (Windows command line) to show the network configuration for the machine, and in particular which IPs the HTTP service listens on:

netsh http show iplisten

This listed just one (the previous static) IP of my VM – this was now wrong. So I removed the binding with

netsh http delete iplisten ipaddress=11.22.33.44 (where 11.22.33.44 is the actual IP that needs removing)

Next set the service up to listen to all IPs:

netsh http add iplisten ipaddress=0.0.0.0

I then restarted IIS using

iisreset

and bingo, the sites started to work.

Hope this helps someone.
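Added example, not part of the original post: a script that compares the HTTP.sys listen list with the addresses the machine actually has, so a stale entry like the one above is found before sites fail to start. It assumes Windows Server 2008 R2 or later and an elevated PowerShell prompt, and only reports the fix (the post's own commands) rather than applying it.

```powershell
# Added example (not from the original post): spot HTTP.sys listen entries that point at an
# address this machine no longer has, the state left behind by the VM move described above.

# IPv4 entries in the HTTP.sys listen list ("netsh http show iplisten")
$listen = netsh http show iplisten |
    Select-String -Pattern '\b\d{1,3}(\.\d{1,3}){3}\b' |
    ForEach-Object { $_.Matches[0].Value }

# IPv4 addresses actually assigned to an enabled adapter (WMI, so it also works on 2008 R2)
$local = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

if (-not $listen) {
    # An empty listen list means HTTP.sys listens on every address, the same effect as 0.0.0.0.
    Write-Host 'Listen list is empty: HTTP.sys listens on all addresses.'
    return
}

$stale = @($listen | Where-Object { $_ -ne '0.0.0.0' -and $local -notcontains $_ })
if ($stale.Count -eq 0) {
    Write-Host "All listen entries match a local address: $($listen -join ', ')"
} else {
    foreach ($ip in $stale) {
        Write-Warning "HTTP.sys is bound to $ip, which no adapter has; sites bound to it fail with 0x800704BE."
        Write-Host "  netsh http delete iplisten ipaddress=$ip"
    }
    Write-Host '  netsh http add iplisten ipaddress=0.0.0.0'
    Write-Host '  iisreset'
}
```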

IIS does not list a website that matches the launch url

[Origin]: https://stackoverflow.com/questions/10716956/iis-does-not-list-a-website-that-matches-the-launch-url

I need to debug the website I’m developing (ASP.NET MVC3, Razor, .NET 4, VS2010 SP1 (as administrator)) in IIS7 (Vista Home) and I am getting the error:

IIS does not list a website that matches the launch url.

To test if it has something to do with the settings of the app, I created from scratch an empty new ASP.NET MVC3 website, set it for IIS, created the virtual directory, launched with F5 and it worked fine!

I again did create a second website project with the exact same settings (just to be sure) and this also launched as expected.

This leads me to think that I have some configuration problem!? But what? In the past I used IIS very rarely, so my knowledge is somewhat limited in this direction.

Any hints?


I hate answering my own questions: in my question I stated that I was running VS under the administrator account. This was not true!!!

So the solution (for me) was to run VS2010 as administrator (Start->In Vista menu right click-> Run as administrator)…so simple.

As a side effect: VS2010 let me also create Virtual Directories without any problems (prior to that I got error messages stating that I have to manually adjust these).


How to remove error about glyphicons-halflings-regular.woff2 not found

[Origin]: https://stackoverflow.com/questions/32300578/how-to-remove-error-about-glyphicons-halflings-regular-woff2-not-found

This problem happens because IIS does not know about woff and woff2 file mime types.

Solution 1:

Add these lines to your web.config:

<system.webServer>
  <!-- other system.webServer settings (such as <modules>) go here -->
  <staticContent>
    <!-- remove first, so an existing server-level mapping does not cause a duplicate-key error -->
    <remove fileExtension=".woff" />
    <mimeMap fileExtension=".woff" mimeType="application/x-font-woff" />
    <remove fileExtension=".woff2" />
    <mimeMap fileExtension=".woff2" mimeType="application/font-woff2" />
  </staticContent>
</system.webServer>

Solution 2:

On IIS project page:

Step 1: Go to your project’s IIS home page and double click on the MIME Types button.

Step 2: Click on the Add button in the Actions menu.

Step 3: A window appears in the middle of the screen; in this window you need to add the two entries from solution 1.
