J
John Naegle
Hello,
I am getting the following event in the application event log when
trying to view a ASP.NET web application. This only happens on 2 of the
8 machines where I've deployed the application. My application is
running as the ASPNET user (<processModel ... userName="machine"
password="AutoGenerate" .. />) and using impersonation (<authentication
mode="Windows" /> <identity impersonate="true" />).
--------------------------------------------------------------------
Source: ASP.NET 1.1.4322.0
Category: None
Type: Error
Event ID: 1084
User: N/A
aspnet_wp.exe could not be started. The error code for the failure is
80004005. This error can be caused when the worker process account has
insufficient rights to read the .NET Framework files. Please ensure that
the .NET Framework is correctly installed and that the ACLs on the
installation directory allow access to the configured account.
--------------------------------------------------------------------
The first time I try to view the page the above event is preceded by:
--------------------------------------------------------------------
Source: Userenv
Category: None
Type: Error
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot log you on because the profile cannot be loaded. Contact
your
network administrator.
DETAIL - Access is denied.
--------------------------------------------------------------------
The error the client gets is:
--------------------------------------------------------------------
The web application you are attempting to access on this web server is
currently unavailable. Please hit the "Refresh" button in your web
browser to retry your request.
Administrator Note: An error message detailing the cause of this
specific request failure can be found in the application event log of
the web server. Please review this log entry to discover what caused
this error to occur.
--------------------------------------------------------------------
I've verified that the ASPNET user is in the USER group, is not locked
out, and has the following permissions (the impersonated user is in the
Administrators group). This is a superset of the permissions described
in "Aspnet_wp.exe could not be started" error message when you view an
ASP.NET page (http://support.microsoft.com/default.aspx?kbid=811320)
..NET Framework root folder
(C:\WINNT\Microsoft.NET\Framework\v1.1.4322\): Read, list
Temporary ASP.NET files
(C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files):
Full control
C:\WINNT\System32: read
AppRoot (c:\Inetpub\wwwroot\<folder>): Read
Website Root (c:\Inetpub\wwwroot): Read
C:\WINNT\Assembly: Read
Access the computer from the network: true
Deny local logon: true
Logon as batch: true
Logon as service: true
Impersonate a client after authentication: true
Verified the IIS settings between machines that work and machines that
do not work (application is installed via a windows installer)
I've also tried to following:
1) aspnet_regiis -ua, aspnet_regiis -i
2) aspnet_regiis -ua, delete ASPNET user, aspnet_regiis -i
Adding the ASPNET user to the administrator account or changing the
process model user name to System causes the application to work, but
neither of these are options in our production environment. So what am
I missing? What security bit(s) should I look at?
Thanks,
John Naegle
I am getting the following event in the application event log when
trying to view a ASP.NET web application. This only happens on 2 of the
8 machines where I've deployed the application. My application is
running as the ASPNET user (<processModel ... userName="machine"
password="AutoGenerate" .. />) and using impersonation (<authentication
mode="Windows" /> <identity impersonate="true" />).
--------------------------------------------------------------------
Source: ASP.NET 1.1.4322.0
Category: None
Type: Error
Event ID: 1084
User: N/A
aspnet_wp.exe could not be started. The error code for the failure is
80004005. This error can be caused when the worker process account has
insufficient rights to read the .NET Framework files. Please ensure that
the .NET Framework is correctly installed and that the ACLs on the
installation directory allow access to the configured account.
--------------------------------------------------------------------
The first time I try to view the page the above event is preceded by:
--------------------------------------------------------------------
Source: Userenv
Category: None
Type: Error
Event ID: 1000
User: NT AUTHORITY\SYSTEM
Description:
Windows cannot log you on because the profile cannot be loaded. Contact
your
network administrator.
DETAIL - Access is denied.
--------------------------------------------------------------------
The error the client gets is:
--------------------------------------------------------------------
The web application you are attempting to access on this web server is
currently unavailable. Please hit the "Refresh" button in your web
browser to retry your request.
Administrator Note: An error message detailing the cause of this
specific request failure can be found in the application event log of
the web server. Please review this log entry to discover what caused
this error to occur.
--------------------------------------------------------------------
I've verified that the ASPNET user is in the USER group, is not locked
out, and has the following permissions (the impersonated user is in the
Administrators group). This is a superset of the permissions described
in "Aspnet_wp.exe could not be started" error message when you view an
ASP.NET page (http://support.microsoft.com/default.aspx?kbid=811320)
..NET Framework root folder
(C:\WINNT\Microsoft.NET\Framework\v1.1.4322\): Read, list
Temporary ASP.NET files
(C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files):
Full control
C:\WINNT\System32: read
AppRoot (c:\Inetpub\wwwroot\<folder>): Read
Website Root (c:\Inetpub\wwwroot): Read
C:\WINNT\Assembly: Read
Access the computer from the network: true
Deny local logon: true
Logon as batch: true
Logon as service: true
Impersonate a client after authentication: true
Verified the IIS settings between machines that work and machines that
do not work (application is installed via a windows installer)
I've also tried to following:
1) aspnet_regiis -ua, aspnet_regiis -i
2) aspnet_regiis -ua, delete ASPNET user, aspnet_regiis -i
Adding the ASPNET user to the administrator account or changing the
process model user name to System causes the application to work, but
neither of these are options in our production environment. So what am
I missing? What security bit(s) should I look at?
Thanks,
John Naegle