IIS Management and ASP.Net Impersonation

Discussion in 'ASP .Net' started by Mick Walker, Oct 23, 2007.

  1. Mick Walker

    Mick Walker Guest

    I am attempting to write a web application that will allow various users
    (under very tight security) to control IIS.

    I am using Microsoft.Web.Administration.dll to do this.

    If I try the following:

    ServerManager iisManager = new ServerManager();
    iisManager.Sites.Add("NewSite", "http", "*:8080:", "d:\\MySite");

    I get the error:

    Filename: redirection.config
    Error: Cannot read configuration file due to insufficient permissions

    Description: An unhandled exception occurred during the execution of the
    current web request. Please review the stack trace for more information
    about the error and where it originated in the code.

    Exception Details: System.UnauthorizedAccessException: Filename:
    Error: Cannot read configuration file due to insufficient permissions

    ASP.NET is not authorized to access the requested resource. Consider
    granting access rights to the resource to the ASP.NET request identity.
    ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5
    or Network Service on IIS 6) that is used if the application is not
    impersonating. If the application is impersonating via <identity
    impersonate="true"/>, the identity will be the anonymous user (typically
    IUSR_MACHINENAME) or the authenticated request user.

    To grant ASP.NET access to a file, right-click the file in Explorer,
    choose "Properties" and select the Security tab. Click "Add" to add the
    appropriate user or group. Highlight the ASP.NET account, and check the
    boxes for the desired access.

    What account should I set ASP.Net to impersonate to be able to have the
    required permissions for this operation?

    Mick Walker
    Mick Walker, Oct 23, 2007
    1. Advertisements

  2. Mick Walker

    Ken Schaefer Guest


    I am going to assuing you are using IIS 7.0

    redirection.config is used when enabling IIS 7.0's "shared configuration"
    feature. This allows you to store IIS 7.0 configuration on a remote file
    share, rather than locally in the default location.

    By default, only users in the local Administrators group have permission to
    alter this file. Additionally, the LocalSystem account (which is what the
    Windows Activation Service and IIS Admin Service run as) must have
    permission to read this file in order to read it's contents.

    So you can either:
    a) impersonate a user in the Administrators group
    b) grant an additional user Read permissions to this file, and impersonate
    this second user (this would obviuosly be the more secure way of doing

    Ken Schaefer, Oct 24, 2007
    1. Advertisements

  3. Mick Walker

    Mick Walker Guest

    Thanks for that reply Ken.

    Obviously security needs to be at its tightest even though the system
    will only be used locally.
    I am just wondering would it be possible to store multiple servers
    redirections.config files in a network share? And manage them from a
    single instance of IIS?
    Or would it be better to simply create an Instance of the Hosting
    Provisioning tool on each seperate server and redirect based on the
    server selected by the user?

    For a better idea of what I am doing here, see:
    Mick Walker, Oct 24, 2007
  4. Mick Walker

    Ken Schaefer Guest


    You could just buy one of the existing solutions out there (like Helm).

    The redirection.config file is always local. It stores the location of where
    the server's applicationHost.config (and other config files are) if those
    files aren't stored in the default directory.

    Ken Schaefer, Oct 24, 2007
  5. Mick Walker

    Mick Walker Guest

    Normally would agree with you, however we looked at various options,
    Helm, Plesk etc. And all of these would require substantial internal
    development to intergrate with other existing systems such as Active
    Directory and our in house billing system, as it is not just a cause of
    billing for hosting, but more full Media management (broadband, dial up,
    Telephone, TV - and it gets more complex due to the fact we serve the
    whole of Ireland (North and South) so we have the issue that the North
    uses GBP and the South uses Euros).
    Were also partnering with the Microsoft RDP team on this, so we are
    recieving investment of time and resources in return for becoming a
    windows 2008 case study.
    At the moment all updates to IIS are done manually. So were just trying
    to create a tool which can automate the process and 'talk' to our
    billing system (and log actions as this is something which isnt done!).
    Mick Walker, Oct 24, 2007
  6. Mick Walker

    Kamal Reddy

    Jan 2, 2012
    Likes Received:
    Kamal Reddy, Jan 2, 2012
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.