I'm moving a PHP app from IIS7 to IIS8.5 on Win2012 R2. The app runs in its own application pool (MyPortal) and needs write permission on a sub-folder to create PDFs. So I assign Modify or Full Control permissions to IIS AppPool\MyPortal on the local machine, however the app is still unable to write to the folder. The only way I have found to allow it to do so is by giving Modify access to the local USERS group, which I'd rather not do (although I have no choice ATM).
The php-cgi.exe process is running under the MyPortal identity, but somehow isn't picking up the permissions I have assigned to the MyPortal user on the folder. The PHP process is doing a simple fopen command $file = fopen($tmp_filename,"w");.
I saw this similar post https://serverfault.com/questions/570033/iis-iusrs-and-defaultapppool-permissions-do-not-work which suggested it may be a permissions caching issue, solved by a reboot, but that's not worked in this instance.
Any suggestions as to what's wrong?
You've got it #Jan Reinlink. Anonymous Authentication needed setting to 'Application identity pool'. I had assumed that because the PHP process was running as MyPortal it was using the same permissions.
Related
BC users need to retrieve files from a non-cloud file store. There is a simple webservice on the storage computer that can provide contents of the files. WS gets a user name. Users exists as users on the computer/LAN, where the files are stored, so the webservice is able to check whether the user has read permission on the file or not.
WS cannot get a user password, so I cannot make any impersonation, but the webservice runs in context with privileges able to read all these documents and can check permissions by user name.
I found a solution, how to check file permissions by user name. Solution works well in development environment (IIS Express in Visual Studio) but fails on IIS (production environment). The problem seems to be the initialization of the WindowsIdentity object, where proces on IIS fails with the message: "A specified logon session does not exist. It may already have been terminated."
Constructor of WindowsIdentity object probably calls some AD service and some restriction in IIS it rejects.
Do you have any suggestions on what to set up in IIS or what to do to make permission checking work?
I just created an Azure VM using the Windows 8.1 image in the Marketplace. During the creation process I provided a username and password.
After the VM has been created I press connect and try and login via MSTSC - using the credentials that I just entered (with a slash to remove the domain).
But I keep getting 'Your credentials did not work'. What have I done wrong? This procedure has worked for me in the past.
Furthermore, when I review the users of the VM through the portal, I only see 'Subscription admins' containing my Microsoft ID. I can't login using my Microsoft ID either.
First of all, I don't know why someone downvoted this question. It was legitimate, it also happened to me and I reached this post while trying to find a solution.
Currently I found it. I created a Windows 8.1 VM in Azure and, after providing a username and password, I was getting the 'Your credentials did not work' message when giving them.
I tried some variants and I finally got sucessfull by adding the machine name as the domain (as the user I created is local, it makes sense).
e.g. if your machine is xpto.cloudapps.net, try logging using "xpto\username" as your username.
It worked with me.
After installing Domain in the server, you need to login with domain name.
like
domainname\user
That will resolve the issue
Recently i realized that i need more than basic information for my facebook application.
I need the user's birthday as well.
In my App permissions configuration i added "user_birthday" and by checking the example given by facebook the permission was added successfully.
(goes without saying that i clicked "Save changes")
when im trying to log in to my application the "user_birthday" does not appear.
(after waiting several minutes and another 24H)
any ideas what else do i need to configure in facebook?
when im trying to log in to my application the "user_birthday" does not appear.
Are you triggering the login from within your app’s code yourself?
In my App permissions configuration i added "user_birthday"
These settings are for Authenticated Referrals only. Unless your login is triggered by those, these settings will have no effect.
If you are triggering login yourself, you have to request the permission via the scope parameter.
I think what you're missing out the fact that the
permission scope
is by default not set on facebook's development plattform. It's usually done though the login link.
If you want every user to be prompted for certain permissions you need to enable "authenticated referrals" as described here.
All SDK's allow a scope parameter for the login link. You can add the scope manually to every link using a scope parameter, like so:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK
&scope=user_about_me,user_birthday
On this page, it talks about Windows NT, 2000, XP and 2003. Fortunately, I have a Windows 7 machine.
The very first line says:
In User Manager for Domains, create a local user for the ColdFusion
service to log in as.
I don't see a "User Manager for Domains", so do they mean just "Add a new user"?
If it DOES mean that, can I use my own user account as the ColdFusion user, or should I specifically create a new account just for ColdFusion?
If you are creating a domain account it has to be created ON the domain - using user manager for domains connected to your domain controllers. If that's what you need then a sys admin has to help.
If you are doing a "local" user on a windows 7 I always end up hunting around for the right view of user manager before I get it right :) Here are the steps that I use:
Search from start and open the "user accounts" cpl.
Click on "Manage User Accounts"
Click on the "advanced" tab
Click on the "advanced" buttton.
This takes me to the mmc-like view of users that I'm accustomed to where I can add a user, change membership, set passwords etc.
Hope this helps :)
You can use your own username or you can create one for CF to run as. Creating a user to run CF as probably more closely replicates your production environment ( an assumption ) so if production for example writes to a UNC path the coldfusion user must have acces. You could
Mimic this locally.
You can use either an account local to the OS where ColdFusion is running, or a domain account if the OS is joined to a domain. In your case, you can just create a local user on your Windows 7 OS and run the ColdFusion Application Service as that user. The user account will need access to ColdFusion's installation folder, as well as read access to the webroot.
The whole idea is to run the ColdFusion service as a user with the minimum privileges necessary to handle requests and prevent access to other resources in the event of a data breach or remote code execution (e.g. someone exploits an upload form and manages to get their own CF code to run on your server; it's not pretty but can be somewhat restricted by running the CF service under a user account with restricted access).
As someone else mentioned, if CF needs access to other network resources, the user account will need to be granted access to those resources as well (either by using a domain account or having a local account with the same username and password on the remote system).
Just did this on Windows 2008 R2 with CF 10. The trick was to change the ownership of the c:\windows and c:\windows\system32 directories as outlined here.
change ownership from trustedInstaller
I have a basic requirement - to run my application smoothly on Windows by creating firewall rules when prompted, that has windows firewall turned-ON.
When I log in to my system as an user with Admin privileges when I run my application the first time, the firewall comes up with a prompt, I inform it to allow my app and create a rule, nice.
However when I turn-on my PC, log in as a non-Admin user, and I run my application, the firewall shows up with a prompt as expected; however when I click on the same options as I did from the Admin user, the firewall prompt keeps popping up continuously even though I clicked on Allow /ok every time the prompt appears. The prompt only goes away when I click on "Cancel / Block" the application from running, which is obviously not what I want to do.
So here comes the million $ question, What and How should I change my application code to run smoothly by creating the firewall rule successfully the first time I click on the firewall prompt to allow my application; exactly the same way it is working when I run my application as an user with Admin privileges.
I have done my bit of searching online and have come to understand that Non-admin users cannot modify firewall rules (cannot even create them???). BTW I have tested this scenario on Windows XP, Vista 7 both x86 and x64 with same results.
If someone has encountered and / or solved similar issues please share your knowledge. If I am missing something, please make me understand what I am missing.
Thanks
I don't think what you are trying is possible in a non-admin account. What you may try is to gain admin privilege by using the windows runas feature by creating a new process, so that the user is prompted for the username and password of the Admin Account, which would give your program the required access to create firewall rules for your program.
You may also take a look into CreateProcessAsUser or LogOnUSer . Basically in order to succeed in what you are trying to do, you need a token that represents the Administrator account or an account which has admin privileges.