server application unavailable

[casper]

Hi,

I created an asp.net 2.0 website with VWD and made it an application in IIS.
It was created on a ntfs disc (my documents...). The directory permissions
are set on 'anonymous allowed' using IUSR_MYSERVER, which has read/list
permissions to the apllication directory.


When i start it from the browser, i get this error:
Server Application Unavailable
The web application you are attempting to access on this web server is
currently unavailable. Please hit the "Refresh" button in your web browser
to retry your request.

Administrator Note: An error message detailing the cause of this specific
request failure can be found in the application event log of the web server.
Please review this log entry to discover what caused this error to occur.

The application event log tells this:

Failed to execute the request because the ASP.NET process identity does not
have read permissions to the global assembly cache. Error: 0x80070005 Access
is denied.

and this:

Failed to initialize the AppDomain:/LM/W3SVC/1/Root/testfromc

Exception: System.IO.FileLoadException

Message: Could not load file or assembly 'System.Web, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its
dependencies. Access is denied.

StackTrace: at System.Reflection.Assembly.nLoad(AssemblyName fileName,
String codeBase, Evidence assemblySecurity, Assembly locationHint,
StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean
forIntrospection)

Thanks for help

Casper

 

[Juan T. Llibre]

IUSR_MYSERVER is not the usual identity ASP.NET runs as.

If you're running on Windows XP, the account which needs permissions is
MACHINENAME\ASPNET...even if you're allowing anonymous access.

If you're running on Windows Server 2003, the account which needs permissions is
MACHINENAME\NETWORK SERVICE...even if you're allowing anonymous access.

Try granting access permissions to the appropiate account, as outlined above.

If you are still having problems after that, and you're impersonating some account,
save this code as "identity.aspx" and run it :

identity.aspx
========

<%@ Page Language="VB" %>
<%@ Import NameSpace = System.Security.Principal %>
<script runat="server">
Sub Page_Load()
Dim tmp As String = WindowsIdentity.GetCurrent.Name()
Label1.Text = tmp
End Sub
</script>
<html>
<head>
<title>WindowsIdentity.GetCurrent.Name()</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label1" Runat="server" Text="Label"></asp:Label>
</div>
</form>
</body>
</html>
======

That will tell you what the current account ASP.NET is running as.
Then, assign the appropiate permissions to that account.

 

[casper]

Hi, thanks for replying.

I'm running on windows 2000 sp4 and it's also the domain-controller. I ran
your identity.aspx and it tells me that the current account ASP.NET is
running as IWAM_myserver.
So i granted it the permissions and it works.

Strange, because i can read in directory security of IIS: username (for
anonymous access) is IUSR_myserver. And more, in my list of accounts, the
only new accounts i have after installing asp.net are three sqlserver2005
accounts, but no asp or netwoek service...

 

[Juan T. Llibre]

re:

I'm running on windows 2000 sp4 and it's also the domain-controller.
it tells me that the current account ASP.NET is
running as IWAM_myserver.

Running a web server on a domain controller is a very
unusual situation because it opens up security considerations.

You should, generally, avoid running a web server on a domain controller.

If you do, you should create a weaker account to run the webserver as.

Read : "How To: Create a Custom Account to Run ASP.NET 1.1"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht01.asp

The instructions are, basically, the same as for ASP.NET 2.0...

You might also want to read "How To Create a Service Account for an ASP.NET 2.0 Application"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000009.asp

Although the instructions are for Windows Server 2003, just disregard the
instructions regarding the Application Pools. The rest is the same for both OS's.

re:

So i granted it the permissions and it works.

Glad that you're running again !

However, you should either

1. not run the web server in your domain controller
2. if that's impossible, create a weaker account per the instructions above.

Good luck!

 

[casper]

Thanks

re:

Running a web server on a domain controller is a very
unusual situation because it opens up security considerations.

You should, generally, avoid running a web server on a domain controller.

If you do, you should create a weaker account to run the webserver as.

Read : "How To: Create a Custom Account to Run ASP.NET 1.1"
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht01.asp

The instructions are, basically, the same as for ASP.NET 2.0...

You might also want to read "How To Create a Service Account for an ASP.NET 2.0 Application"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000009.asp

Although the instructions are for Windows Server 2003, just disregard the
instructions regarding the Application Pools. The rest is the same for both OS's.

re:

Glad that you're running again !

However, you should either

1. not run the web server in your domain controller
2. if that's impossible, create a weaker account per the instructions above.

Good luck!