ASP.NET account problems

Here's the scenario:

We run our application in IIS6 on win2k3. We have application pools that run as specific users. These application pool users are granted rights on various databases.

When I try to run ANTS Profiler in IIS6 mode (no option to change the username/password), I get errors that [domain]\[machineName]$ does not have permissions on the database.

If I try to run in IIS5 mode and specify the username and password, ANTS throws an error that it can't log in as the specified user.

Has anyone run into this? Any suggestions?

Comments

  • Morning,

    You've hit a slight limitation with the way we profile IIS. If you're profiling IIS6 in native mode, we'll either be running the application pool as the user you're running ANTS as (v3.0), or as LOCAL SYSTEM (v3.1). If you're running in IIS5 mode, it'll try and impersonate the user that IIS was configured to use.

    The problem with not being able to log on as the specified user in IIS5 mode is probably caused by that user not having the "log on as a batch job" right. Granting that right should help.

    In IIS 6 native mode, something you could try if you have v3.1 is changing the account the ANTS Profiler Service runs under, to the account you want the application pool to run under. You'll almost certainly have to give that account administrative rights temporarily, and I make no promises that it'll work, but it might be worth a shot.

    Hope that helps,
    Robert
    Robert Chipperfield
    Red Gate
  • OK. I switched the user that the service runs as and I get this error:

    Unable to start profiler - exception details System.NullReferenceException: Object reference not set to an instance of an object.

    Server stack trace:
    at RedGate.Profiler.Engine.ProfileIISController._1(WebApplicationDefinition )
    at RedGate.Profiler.Engine.ProfileIISController.StartProfilingIIS(String currentUserName, String& url, WebApplicationDefinition appDef)
    at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)

    Exception rethrown at [0]:
    at RedGate.Profiler.Engine.ProfilingSession.StartProfiler()
    at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

    Exception rethrown at [1]:
    at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
    at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
    at System.Windows.Forms.MethodInvoker.EndInvoke(IAsyncResult result)
    at _5._4(IAsyncResult )
  • OK, that worked less well than I'd hoped :-( (it's not something I'd tried before - and by the looks of things not something I'll be trying again either!)

    I'd give the "log on as a batch job" idea a go with IIS 5 mode, and see if that's any more successful.

    Thanks,
    Robert
    Robert Chipperfield
    Red Gate
  • OK. That first one was my fault. I hadn't set the application to be profiled to the correct port. Switching the port got me a little further along, but now it's timing out waiting for IIS to start.

    Unable to start profiler - exception details RedGate.Profiler.Engine.IIS.PortTimeoutException: Timed out waiting for port 8013 on 192.168.1.63 to become available

    Server stack trace:
    at RedGate.Profiler.Engine.IISUtilities.WaitForPort(IPAddress address, Int32 port, Int32 timeout)
    at RedGate.Profiler.Engine.IISUtilities.WaitForPort(String hostname, Int32 port, Int32 timeout)
    at RedGate.Profiler.Engine.ProfileIISController.StartProfilingIIS(String currentUserName, String& url, WebApplicationDefinition appDef)
    at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.SyncProcessMessage(IMessage msg, Int32 methodPtr, Boolean fExecuteInContext)

    Exception rethrown at [0]:
    at RedGate.Profiler.Engine.ProfilingSession.StartProfiler()
    at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.PrivateProcessMessage(RuntimeMethodHandle md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]& outArgs)
    at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

    Exception rethrown at [1]:
    at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
    at System.Runtime.Remoting.Proxies.RemotingProxy.Invoke(Object NotUsed, MessageData& msgData)
    at System.Windows.Forms.MethodInvoker.EndInvoke(IAsyncResult result)
    at _5._4(IAsyncResult )
  • I'm guessing that's a permissions issue that time. Does the user you're running the service as have administrative privileges?

    You might want to check the Windows event log, though sometimes if you try and start an IIS 6 Worker Process without the right access, it just exits silently, which isn't the most helpful thing when it comes to diagnosing problems :-) (this is why we use a service running as LOCAL SYSTEM by default).

    Robert
    Robert Chipperfield
    Red Gate
  • OK.

    Adding the user to the Administrators group didn't help. I did notice a bunch of these messages in the System log whenever I tried to start profiling:

    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {61738644-F196-11D0-9953-00C04FD919C1}
    to the user OC\store-artistname SID (S-1-5-21-606747145-1972579041-682003330-6609). This security permission can be modified using the Component Services administrative tool.


    Does that help?
  • Hmm... I'm afraid not. It's not even the CLSID of the ANTS Profiler Core, which would've been what I'd assumed.

    I guess you could try granting it that permission, but it'd be a bit of a stab in the dark on my part, and it's feeling like we're twiddling too many bits of configuration at this point...

    Taking a step backwards, I assume that using SQL Server authentication rather than integrated windows authentication isn't an option for your web application?

    Robert
    Robert Chipperfield
    Red Gate
  • Hi guys,

    If you want to get an IIS app pool to run as a named user, which is what I think you want to do, the user needs 'act as part of the operating system' rights. Normally you'd be granted this by being a member of the Administrators group.

    In some web applications (I'm thinking of Sharepoint, which is a complete NIGHTMARE), you have to edit the application's web.config and set debug=true, otherwise you can't hook Profiler into it. If you have any trust configuration in Web.config, you may want to loosen those a bit. For instance, some web applications can't use any unmanaged code unless the trust level is medium or higher. I think the web app security may consider the profiler dll inside its process as a bit of unmanaged code.

    If you're using impersonation in the web app, that may cause additional complications and you may try setting identity impersonate with a hard-coded username and password or set impersonate=false and use one of the web application's users as the identity to run the application pool as (by setting the ANTS Profiler 3 service to run as this user).

    Sorry there is no straight answer for this one -- complicated web applications introduce these kinds of problems and you just have to play them by ear.
  • Hmmm... nothing there seemed to help.

    As an FYI, I'm also seeing this error in the application log:
    The worker process failed to initialize the http.sys communication or the w3svc communication layer and therefore could not be started. The data field contains the error number.

    just before the ANTS Profiler message that it timed out.

    I googled this and found an article about granting the "Bypass Traverse Checking" right, but the Everyone and Users groups do have this right.

    Any more thoughts?
  • Hi,

    You've pretty much hit the same wall we hit in ANTS Profiler which we worked around by starting the IIS worker process from a service running as localsystem. I'm told that the rights you have are sufficient to start an IIS app pool, but for some reason it doesn't work anyway.

    Is there any way you can let the application pool run as localsystem and turn on impersonation rather than using the app pool Windows identity to log into the SQL Server? Or can you configure the web application to use SQL authentication?
  • Alright!

    Setting the service back to run as SYSTEM and adding

    <identity impersonate="true"
              userName="domain\username"
              password="password" />

    to the system.web section of the web.config seems to be working now.

    Thanks for the help!
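The configuration the thread converges on, written out as an added example rather than the poster's actual web.config: the worker process runs as SYSTEM for the profiling session (as Robert's service does by default), and `<identity impersonate="true">` with explicit credentials makes the request thread run as the account that holds the database rights, so the SQL connection no longer arrives as [domain]\[machineName]$. The hardening point the thread does not spell out is that this puts a domain password in clear text in web.config; the comments show the protected-configuration step (`aspnet_regiis -pe`, available from ASP.NET 2.0 onwards) that encrypts that section in place. `DOMAIN\svc_account`, `PLACEHOLDER_PASSWORD`, `/MyApp` and `AppDb` are placeholder values, not from the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config, not the poster's file. Placeholder values throughout. -->
<configuration>
  <connectionStrings>
    <!-- Integrated auth: SQL Server sees whichever Windows token the request thread carries. -->
    <add name="AppDb"
         connectionString="Data Source=sqlhost;Initial Catalog=AppDb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!--
      Request-level impersonation with explicit credentials.

      Effect: regardless of the app pool identity (SYSTEM while ANTS Profiler
      is attached, the normal pool account otherwise), ASP.NET runs each
      request as DOMAIN\svc_account, so the DB sees the account that was
      actually granted rights.

      Risk: the password is stored in clear text. ASP.NET refuses to serve
      web.config over HTTP, but anyone with read access to the web root,
      backups or source control sees it.

      Mitigation: encrypt this section in place with protected configuration
      (run once on the server, as an administrator, from the .NET framework
      directory):

        aspnet_regiis -pe "system.web/identity" -app "/MyApp"

      After that the <identity> element is replaced by an <EncryptedData>
      block keyed to the machine's RSA container; ASP.NET decrypts it
      transparently at runtime. Reverse with:

        aspnet_regiis -pd "system.web/identity" -app "/MyApp"

      The account that runs the worker process needs read access to the
      RSA key container (aspnet_regiis -pa "NetFrameworkConfigurationKey"
      "DOMAIN\pool_account"); SYSTEM already has it.
    -->
    <identity impersonate="true"
              userName="DOMAIN\svc_account"
              password="PLACEHOLDER_PASSWORD" />

    <!-- Leave debug off outside the profiling session; it changes what gets
         compiled and served and is not something to carry into production. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

Running the pool as SYSTEM is the part to revert once profiling is done: with impersonation in place the database access is unaffected by the pool identity, so the pool can go back to its dedicated low-privilege account and the `<identity>` element alone carries the database rights. If the application has its own `<trust level="...">` setting, check it after attaching the profiler, as the earlier reply notes that restrictive trust levels can block the profiler's unmanaged component.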
  • Excellent! Well done, you had me stumped there :-)

    Cheers,
    Robert
    Robert Chipperfield
    Red Gate