IIS Management and ASP.Net Impersonation

Discussion in 'ASP .Net' started by Mick Walker, Oct 23, 2007.

  1. Mick Walker

    Mick Walker Guest

    I am attempting to write a web application that will allow various users
    (under very tight security) to control IIS.

    I am using Microsoft.Web.Administration.dll to do this.

    If I try the following:

    ServerManager iisManager = new ServerManager();
    iisManager.Sites.Add("NewSite", "http", "*:8080:", "d:\\MySite");
    iisManager.CommitChanges();

    I get the error:

    Filename: redirection.config
    Error: Cannot read configuration file due to insufficient permissions


    Description: An unhandled exception occurred during the execution of the
    current web request. Please review the stack trace for more information
    about the error and where it originated in the code.

    Exception Details: System.UnauthorizedAccessException: Filename:
    redirection.config
    Error: Cannot read configuration file due to insufficient permissions



    ASP.NET is not authorized to access the requested resource. Consider
    granting access rights to the resource to the ASP.NET request identity.
    ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5
    or Network Service on IIS 6) that is used if the application is not
    impersonating. If the application is impersonating via <identity
    impersonate="true"/>, the identity will be the anonymous user (typically
    IUSR_MACHINENAME) or the authenticated request user.

    To grant ASP.NET access to a file, right-click the file in Explorer,
    choose "Properties" and select the Security tab. Click "Add" to add the
    appropriate user or group. Highlight the ASP.NET account, and check the
    boxes for the desired access.


    What account should I set ASP.Net to impersonate to be able to have the
    required permissions for this operation?

    Regards
    Mick Walker
     
    Mick Walker, Oct 23, 2007
    #1

  2. Mick Walker

    Ken Schaefer Guest

    Hi,

    I am going to assume you are using IIS 7.0.

    redirection.config is used when enabling IIS 7.0's "shared configuration"
    feature. This allows you to store IIS 7.0 configuration on a remote file
    share, rather than locally in the default location.

    By default, only users in the local Administrators group have permission to
    alter this file. Additionally, the LocalSystem account (which is what the
    Windows Activation Service and IIS Admin Service run as) must have
    permission to read this file in order to read its contents.

    So you can either:
    a) impersonate a user in the Administrators group
    b) grant an additional user Read permissions to this file, and impersonate
    this second user (this would obviously be the more secure way of doing
    things)

    Cheers
    Ken

     
    Ken Schaefer, Oct 24, 2007
    #2
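
Option (b) from the reply above, as an added PowerShell example that is not part of the original thread: it grants one dedicated account Read on redirection.config and lists the resulting ACL so over-broad entries stand out. The account name is a hypothetical placeholder, the path assumes the default IIS 7.0 configuration directory, and the script covers only the file named in the error message.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the IIS host.
# 'CONTOSO\svc-iisprovision' is a hypothetical dedicated account that the web
# application would impersonate; replace it with your own.
param(
    [string]$Account = 'CONTOSO\svc-iisprovision'
)

# Assumed default location of the IIS 7.0 configuration files.
$path = Join-Path $env:windir 'System32\inetsrv\config\redirection.config'
if (-not (Test-Path -Path $path)) {
    throw "redirection.config not found at $path"
}

$read = [int][System.Security.AccessControl.FileSystemRights]::Read
$acl  = Get-Acl -Path $path

# Only add the entry if the account has no explicit Allow/Read ACE yet,
# so repeated runs do not pile up duplicate rules.
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $read) -eq $read
}
if (-not $existing) {
    # Read only: no Write, Modify or FullControl for the impersonated account.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Broad principals that should not appear on this file (reviewer's choice of list).
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Re-read the ACL from disk and report every entry, flagging the broad ones.
(Get-Acl -Path $path).Access | ForEach-Object {
    New-Object PSObject -Property @{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
        TooBroad  = ($broad -contains $_.IdentityReference.Value)
    }
} | Format-Table Identity, Type, Rights, Inherited, TooBroad -AutoSize
```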

  3. Mick Walker

    Mick Walker Guest

    Ken Schaefer wrote:
    > Hi,
    >
    > I am going to assume you are using IIS 7.0.
    >
    > redirection.config is used when enabling IIS 7.0's "shared
    > configuration" feature. This allows you to store IIS 7.0 configuration
    > on a remote file share, rather than locally in the default location.
    >
    > By default, only users in the local Administrators group have permission
    > to alter this file. Additionally, the LocalSystem account (which is what
    > the Windows Activation Service and IIS Admin Service run as) must have
    > permission to read this file in order to read its contents.
    >
    > So you can either:
    > a) impersonate a user in the Administrators group
    > b) grant an additional user Read permissions to this file, and
    > impersonate this second user (this would obviously be the more secure
    > way of doing things)
    >
    > Cheers
    > Ken

    Thanks for that reply Ken.

    Obviously security needs to be at its tightest even though the system
    will only be used locally.
    I am just wondering, would it be possible to store multiple servers'
    redirections.config files in a network share? And manage them from a
    single instance of IIS?
    Or would it be better to simply create an instance of the Hosting
    Provisioning tool on each separate server and redirect based on the
    server selected by the user?

    For a better idea of what I am doing here, see:
    http://groups.google.co.uk/group/mi...=en&lnk=st&q=mick walker IIS#74c7d13accc6c1b1
     
    Mick Walker, Oct 24, 2007
    #3
  4. Mick Walker

    Ken Schaefer Guest

    Hi,

    You could just buy one of the existing solutions out there (like Helm).

    The redirection.config file is always local. It stores the location of where
    the server's applicationHost.config (and other config files are) if those
    files aren't stored in the default directory.

    Cheers
    Ken


     
    Ken Schaefer, Oct 24, 2007
    #4
  5. Mick Walker

    Mick Walker Guest

    Ken Schaefer wrote:
    > Hi,
    >
    > You could just buy one of the existing solutions out there (like Helm).
    >
    > The redirection.config file is always local. It stores the location of
    > where the server's applicationHost.config (and other config files are)
    > if those files aren't stored in the default directory.
    >
    > Cheers
    > Ken
    >
    >

    Normally I would agree with you; however, we looked at various options,
    Helm, Plesk etc. And all of these would require substantial internal
    development to integrate with other existing systems such as Active
    Directory and our in-house billing system, as it is not just a case of
    billing for hosting, but more full media management (broadband, dial-up,
    telephone, TV - and it gets more complex due to the fact we serve the
    whole of Ireland (North and South), so we have the issue that the North
    uses GBP and the South uses Euros).
    We're also partnering with the Microsoft RDP team on this, so we are
    receiving investment of time and resources in return for becoming a
    Windows 2008 case study.
    At the moment all updates to IIS are done manually. So we're just trying
    to create a tool which can automate the process and 'talk' to our
    billing system (and log actions, as this is something which isn't done!).
     
    Mick Walker, Oct 24, 2007
    #5