IIS Management and ASP.Net Impersonation

[Mick Walker]

I am attempting to write a web application that will allow various users
(under very tight security) to control IIS.

I am using Microsoft.Web.Administration.dll to do this.

If I try the following:

ServerManager iisManager = new ServerManager();
iisManager.Sites.Add("NewSite", "http", "*:8080:", "d:\\MySite");
iisManager.CommitChanges();

I get the error:

Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions


Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Filename:
redirection.config
Error: Cannot read configuration file due to insufficient permissions



ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request identity.
ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5
or Network Service on IIS 6) that is used if the application is not
impersonating. If the application is impersonating via <identity
impersonate="true"/>, the identity will be the anonymous user (typically
IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add the
appropriate user or group. Highlight the ASP.NET account, and check the
boxes for the desired access.


What account should I set ASP.Net to impersonate to be able to have the
required permissions for this operation?

Regards
Mick Walker

 

[Ken Schaefer]

Hi,

I am going to assuing you are using IIS 7.0

redirection.config is used when enabling IIS 7.0's "shared configuration"
feature. This allows you to store IIS 7.0 configuration on a remote file
share, rather than locally in the default location.

By default, only users in the local Administrators group have permission to
alter this file. Additionally, the LocalSystem account (which is what the
Windows Activation Service and IIS Admin Service run as) must have
permission to read this file in order to read it's contents.

So you can either:
a) impersonate a user in the Administrators group
b) grant an additional user Read permissions to this file, and impersonate
this second user (this would obviuosly be the more secure way of doing
things)

Cheers
Ken

 

[Mick Walker]

Hi,

I am going to assuing you are using IIS 7.0

redirection.config is used when enabling IIS 7.0's "shared
configuration" feature. This allows you to store IIS 7.0 configuration
on a remote file share, rather than locally in the default location.

By default, only users in the local Administrators group have permission
to alter this file. Additionally, the LocalSystem account (which is what
the Windows Activation Service and IIS Admin Service run as) must have
permission to read this file in order to read it's contents.

So you can either:
a) impersonate a user in the Administrators group
b) grant an additional user Read permissions to this file, and
impersonate this second user (this would obviuosly be the more secure
way of doing things)

Cheers
Ken

Thanks for that reply Ken.

Obviously security needs to be at its tightest even though the system
will only be used locally.
I am just wondering would it be possible to store multiple servers
redirections.config files in a network share? And manage them from a
single instance of IIS?
Or would it be better to simply create an Instance of the Hosting
Provisioning tool on each seperate server and redirect based on the
server selected by the user?

For a better idea of what I am doing here, see:
http://groups.google.co.uk/group/mi...=en&lnk=st&q=mick+walker+IIS#74c7d13accc6c1b1

 

[Ken Schaefer]

Hi,

You could just buy one of the existing solutions out there (like Helm).

The redirection.config file is always local. It stores the location of where
the server's applicationHost.config (and other config files are) if those
files aren't stored in the default directory.

Cheers
Ken

 

[Mick Walker]

Hi,

You could just buy one of the existing solutions out there (like Helm).

The redirection.config file is always local. It stores the location of
where the server's applicationHost.config (and other config files are)
if those files aren't stored in the default directory.

Cheers
Ken

Normally would agree with you, however we looked at various options,
Helm, Plesk etc. And all of these would require substantial internal
development to intergrate with other existing systems such as Active
Directory and our in house billing system, as it is not just a cause of
billing for hosting, but more full Media management (broadband, dial up,
Telephone, TV - and it gets more complex due to the fact we serve the
whole of Ireland (North and South) so we have the issue that the North
uses GBP and the South uses Euros).
Were also partnering with the Microsoft RDP team on this, so we are
recieving investment of time and resources in return for becoming a
windows 2008 case study.
At the moment all updates to IIS are done manually. So were just trying
to create a tool which can automate the process and 'talk' to our
billing system (and log actions as this is something which isnt done!).

 

[Kamal Reddy]

Hi,

I am going to assuing you are using IIS 7.0

redirection.config is used when enabling IIS 7.0's "shared configuration"
feature. This allows you to store IIS 7.0 configuration on a remote file
share, rather than locally in the default location.

By default, only users in the local Administrators group have permission to
alter this file. Additionally, the LocalSystem account (which is what the
Windows Activation Service and IIS Admin Service run as) must have
permission to read this file in order to read it's contents.

So you can either:
a) impersonate a user in the Administrators group
b) grant an additional user Read permissions to this file, and impersonate
this second user (this would obviuosly be the more secure way of doing
things)

Cheers
Ken

Hi Ken,

I am a noob. Just started learning asp. I got the same error about having not enough permissions to edit redirection.config file. I understood what u said but please tell me how to do that exactly ie., grant read permissions to additional user.