|
IIS Management and ASP.Net Impersonation
I am attempting to write a web application that will allow various users
(under very tight security) to control IIS. I am using Microsoft.Web.Administration.dll to do this. If I try the following: ServerManager iisManager = new ServerManager(); iisManager.Sites.Add("NewSite", "http", "*:8080:", "d:\\MySite"); iisManager.CommitChanges(); I get the error: Filename: redirection.config Error: Cannot read configuration file due to insufficient permissions Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.UnauthorizedAccessException: Filename: redirection.config Error: Cannot read configuration file due to insufficient permissions ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user. To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access. What account should I set ASP.Net to impersonate to be able to have the required permissions for this operation? Regards Mick Walker |
Re: IIS Management and ASP.Net Impersonation
Hi,
I am going to assuing you are using IIS 7.0 redirection.config is used when enabling IIS 7.0's "shared configuration" feature. This allows you to store IIS 7.0 configuration on a remote file share, rather than locally in the default location. By default, only users in the local Administrators group have permission to alter this file. Additionally, the LocalSystem account (which is what the Windows Activation Service and IIS Admin Service run as) must have permission to read this file in order to read it's contents. So you can either: a) impersonate a user in the Administrators group b) grant an additional user Read permissions to this file, and impersonate this second user (this would obviuosly be the more secure way of doing things) Cheers Ken "Mick Walker" <materialised@privacy.net> wrote in message news:5o6gigFld69dU1@mid.individual.net... >I am attempting to write a web application that will allow various users >(under very tight security) to control IIS. > > I am using Microsoft.Web.Administration.dll to do this. > > If I try the following: > > ServerManager iisManager = new ServerManager(); > iisManager.Sites.Add("NewSite", "http", "*:8080:", "d:\\MySite"); > iisManager.CommitChanges(); > > I get the error: > > Filename: redirection.config > Error: Cannot read configuration file due to insufficient permissions > > > Description: An unhandled exception occurred during the execution of the > current web request. Please review the stack trace for more information > about the error and where it originated in the code. > > Exception Details: System.UnauthorizedAccessException: Filename: > redirection.config > Error: Cannot read configuration file due to insufficient permissions > > > > ASP.NET is not authorized to access the requested resource. Consider > granting access rights to the resource to the ASP.NET request identity. > ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 > or Network Service on IIS 6) that is used if the application is not > impersonating. If the application is impersonating via <identity > impersonate="true"/>, the identity will be the anonymous user (typically > IUSR_MACHINENAME) or the authenticated request user. > > To grant ASP.NET access to a file, right-click the file in Explorer, > choose "Properties" and select the Security tab. Click "Add" to add the > appropriate user or group. Highlight the ASP.NET account, and check the > boxes for the desired access. > > > What account should I set ASP.Net to impersonate to be able to have the > required permissions for this operation? > > Regards > Mick Walker |
Re: IIS Management and ASP.Net Impersonation
Ken Schaefer wrote:
> Hi, > > I am going to assuing you are using IIS 7.0 > > redirection.config is used when enabling IIS 7.0's "shared > configuration" feature. This allows you to store IIS 7.0 configuration > on a remote file share, rather than locally in the default location. > > By default, only users in the local Administrators group have permission > to alter this file. Additionally, the LocalSystem account (which is what > the Windows Activation Service and IIS Admin Service run as) must have > permission to read this file in order to read it's contents. > > So you can either: > a) impersonate a user in the Administrators group > b) grant an additional user Read permissions to this file, and > impersonate this second user (this would obviuosly be the more secure > way of doing things) > > Cheers > Ken Thanks for that reply Ken. Obviously security needs to be at its tightest even though the system will only be used locally. I am just wondering would it be possible to store multiple servers redirections.config files in a network share? And manage them from a single instance of IIS? Or would it be better to simply create an Instance of the Hosting Provisioning tool on each seperate server and redirect based on the server selected by the user? For a better idea of what I am doing here, see: http://groups.google.co.uk/group/mic...c7d13accc6c1b1 |
Re: IIS Management and ASP.Net Impersonation
Hi,
You could just buy one of the existing solutions out there (like Helm). The redirection.config file is always local. It stores the location of where the server's applicationHost.config (and other config files are) if those files aren't stored in the default directory. Cheers Ken "Mick Walker" <materialised@privacy.net> wrote in message news:5o897vFli5ufU1@mid.individual.net... > Ken Schaefer wrote: >> Hi, >> >> I am going to assuing you are using IIS 7.0 >> >> redirection.config is used when enabling IIS 7.0's "shared configuration" >> feature. This allows you to store IIS 7.0 configuration on a remote file >> share, rather than locally in the default location. >> >> By default, only users in the local Administrators group have permission >> to alter this file. Additionally, the LocalSystem account (which is what >> the Windows Activation Service and IIS Admin Service run as) must have >> permission to read this file in order to read it's contents. >> >> So you can either: >> a) impersonate a user in the Administrators group >> b) grant an additional user Read permissions to this file, and >> impersonate this second user (this would obviuosly be the more secure way >> of doing things) >> >> Cheers >> Ken > Thanks for that reply Ken. > > Obviously security needs to be at its tightest even though the system will > only be used locally. > I am just wondering would it be possible to store multiple servers > redirections.config files in a network share? And manage them from a > single instance of IIS? > Or would it be better to simply create an Instance of the Hosting > Provisioning tool on each seperate server and redirect based on the server > selected by the user? > > For a better idea of what I am doing here, see: > http://groups.google.co.uk/group/mic...c7d13accc6c1b1 |
Re: IIS Management and ASP.Net Impersonation
Ken Schaefer wrote:
> Hi, > > You could just buy one of the existing solutions out there (like Helm). > > The redirection.config file is always local. It stores the location of > where the server's applicationHost.config (and other config files are) > if those files aren't stored in the default directory. > > Cheers > Ken > > Normally would agree with you, however we looked at various options, Helm, Plesk etc. And all of these would require substantial internal development to intergrate with other existing systems such as Active Directory and our in house billing system, as it is not just a cause of billing for hosting, but more full Media management (broadband, dial up, Telephone, TV - and it gets more complex due to the fact we serve the whole of Ireland (North and South) so we have the issue that the North uses GBP and the South uses Euros). Were also partnering with the Microsoft RDP team on this, so we are recieving investment of time and resources in return for becoming a windows 2008 case study. At the moment all updates to IIS are done manually. So were just trying to create a tool which can automate the process and 'talk' to our billing system (and log actions as this is something which isnt done!). |
[QUOTE=Ken Schaefer;3109285]Hi,
I am going to assuing you are using IIS 7.0 redirection.config is used when enabling IIS 7.0's "shared configuration" feature. This allows you to store IIS 7.0 configuration on a remote file share, rather than locally in the default location. By default, only users in the local Administrators group have permission to alter this file. Additionally, the LocalSystem account (which is what the Windows Activation Service and IIS Admin Service run as) must have permission to read this file in order to read it's contents. So you can either: a) impersonate a user in the Administrators group b) grant an additional user Read permissions to this file, and impersonate this second user (this would obviuosly be the more secure way of doing things) Cheers Ken Hi Ken, I am a noob. Just started learning asp. I got the same error about having not enough permissions to edit redirection.config file. I understood what u said but please tell me how to do that exactly ie., grant read permissions to additional user. |
| All times are GMT. The time now is 01:05 AM. |
Powered by vBulletin®. Copyright ©2000 - 2013, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.