azure file share access via web application - asp.net-mvc

C# ASP.NET MVC web application - I followed all the steps from https://blogs.iis.net/davidso/azurefile in order to be able to access my Azure location by UNC.
My newly created local user is in the IISUSER group and has the same username and password (storage key).
I then created an application in my website using a new app pool (integrated) with said local user.
I ran the caspol command as well.
The issue I run into is when trying to do a file.SaveAs, I get an error:
"Incorrect username or password"
Server.MapPath({application}) returns the correct UNC path, but doing a Directory.Exists won't locate the path.
When viewing the "connect as" with the specified user in IIS I get no issues; additionally, I can access the UNC path directly from my local machine with the same creds.
I tried going to the app pool of the application and setting the user directly, but no change there. Are there changes I need to make on the website configuration that the application sits in? Prior to converting this to an application I initially had it configured as a virtual directory and got the same error.

Set "Load User Profile" to "True" in the application pool.
Try to set the Azure user in IIS anonymous authentication by clicking on "Edit".
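A diagnostic the poster could drop into the application to see which identity the worker actually runs as, whether a user profile was loaded for it, and whether the mapped UNC path is reachable for reading and writing. This is an added example, not code from the question or the linked blog; the controller name, the admin-only restriction and the probe-file approach are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

// Hypothetical diagnostic controller (not from the question). It reports the
// worker identity, whether a profile was loaded (no profile means no stored
// credentials for the share) and whether the mapped UNC root can be used.
public class ShareCheckController : Controller
{
    [Authorize(Roles = "Administrators")] // keep this endpoint admin-only
    public ActionResult Index()
    {
        var report = new StringBuilder();
        report.AppendLine("Worker identity: " + WindowsIdentity.GetCurrent().Name);
        // USERPROFILE is only set for the pool user when "Load User Profile" is true.
        report.AppendLine("USERPROFILE: " +
            (Environment.GetEnvironmentVariable("USERPROFILE") ?? "<not set>"));

        // "~/" maps to the application's physical path, the UNC share in the question.
        string root = Server.MapPath("~/");
        report.AppendLine("Mapped root: " + root);
        // Directory.Exists never throws; it returns false when the share cannot be opened.
        report.AppendLine("Directory.Exists: " + Directory.Exists(root));
        try
        {
            // SaveAs needs write access, so write and delete a throwaway probe file.
            string probe = Path.Combine(root, "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
            System.IO.File.WriteAllText(probe, "probe"); // qualified: Controller.File() exists
            System.IO.File.Delete(probe);
            report.AppendLine("Write test: ok");
        }
        catch (Exception ex) when (ex is UnauthorizedAccessException || ex is IOException)
        {
            // A credential failure on the share typically surfaces here as an
            // IOException carrying Win32 error 1326 ("The user name or password is incorrect").
            report.AppendLine("Access failed: " + ex.GetType().Name + " - " + ex.Message);
        }
        return Content(report.ToString(), "text/plain");
    }
}
```

If the identity shown is the app pool's virtual account rather than the local user configured for the share, the pool identity or the "connect as" setting is not being applied to this application.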

Related

Publish Azure App With Database Connection String Using Active Directory Integrated Not Working

I have previously deployed an MVC application to Azure.
Under Publish -> Settings -> Databases, I include connection strings.
I have been using the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;User ID=username;Password=password;Encrypt=True;TrustServerCertificate=False
The problem with specifying a user is that stored procedures run as the user specified.
This results in CreatedBy/ModifiedBy values set to this same user, instead of the user that created/modified the record.
I previously tried the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Integrated"
However, I receive the error "The format of the specified domain name is invalid." after the application is deployed, even though I test the connection with Active Directory Integrated in the Destination Connection String window and it works.
As given in this MS Doc, if you're using the AD Integrated type of authentication in Azure, then either you should have a domain-joined device for accessing the web application linked with the SQL Database, or make the device federated with ADFS.
So, if you are accessing the Azure applications from other machines, use the AD Password type of authentication mode. Its connection string format is given in the same MS Document, and see this Doc2 for more relevant information on configuring the AD Integrated / Password type of authentication mode on Azure data sources and applications.
AD Password type authentication format:
Server=demo.database.windows.net; Authentication=Active Directory Password; Encrypt=True; Database=sample_db; User Id=your_username#domain.com; Password=<Your__Password>

ASP.NET web app loads as local user instead of Azure AD login

I'm trying to migrate from local NTLM authentication to Azure AD login for an on-premise app. I have set up the connected service, but every time the SignIn method is called:
The request is already authenticated and it's using my local PC name, so the O365 login is never triggered. Debugging doesn't help as the User info and Request don't seem to exist outside of the AccountController. Does anyone know what is going on and how I can get it to load up the login instead?
If anyone else finds this, check and triple-check your web config and project files for any lingering Windows authentication variables. Failing that, try creating a new project with authentication and then copy the content of the old project across bit by bit. It turned out for me to be something dodgy in the project, but even using a comparison tool afterwards showed no discernible differences.
The only thing I can think of is that the Authentication with Azure Active Directory connected service made changes that broke something, but using the auth option during project creation did it properly.

Deployment to Server fails with local Administrator

When trying to deploy my Release to a server using a local Admin account on the server, I get the message:
7-05-09T08:12:50.6866361Z 2017/05/09 10:12:50 ERROR 5 (0x00000005) Getting File System Type of Destination \\server\C$\temp\
2017-05-09T08:12:50.6866361Z Access is denied.
during the robocopy to the remote server.
When trying to use my domain account (also Administrator) it works without any problems.
What am I missing?
Make sure that the UNC path \\server\C$\temp\ can be reached by the local account you used as the build service account.
I suggest that you use a domain user to access the domain resources. Or you could share that folder \\server\C$\temp\ to Everyone and give it Read and Write permission.
If you insist on using a local account, as a workaround:
Local accounts on each member server where the shared folders are stored will have to be created to directly map to the same username/password combinations the users are using on each local machine. For example, on client 1, local user named A, password xxxx; on the server which stores the shares, you need to create a local user named A with the same password xxxx.

Aspnet core deployment to IIS - HTTP Error 502.3

I have created the IIS site and pointed it at the deployment folder. I have enabled stdout logging and this is the error:
info: Microsoft.Extensions.DependencyInjection.DataProtectionServices[0]
User profile is available. Using 'C:\Users\No Managed Code\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
fail: Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler[1]
An exception occurred in the database while iterating the results of a query.
System.Data.SqlClient.SqlException: Cannot open database "KeyStoneDb" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\No Managed Code'.
So, I added the login to SQL with all the necessary rights. Retested in DEV - fine, but when running under IIS I still get the issue. The application pool being used is 'No Managed Code'.
Why can't the app connect to the database?
IIS AppPool accounts are virtual accounts; therefore, they don't actually exist as a normal user on the system.
You cannot give access to networked resources using that identity. Shared/network resources like file shares and databases that need to communicate with these accounts need to have 'domain\machinename$' with appropriate permissions.
Give 'domain\machinename$' appropriate permissions on your DB. That should do it.

Excel 2010 interop issues

Right, this is driving me insane. This works fine locally with Excel 2013, but when the website is published to a remote server with Excel 2010 it fails. From what I can see, the DCOM configuration is the same locally as remote.
After fighting with Excel 2010 and DCOM permissions for over an hour now, the best I have got is this exception: System.Runtime.InteropServices.COMException (0x80070BBC): Office has detected a problem with this file. To help protect your computer this file cannot be opened.
This is the result of a web application trying to open a *.xls file from a location it has just uploaded to. The application pool is running under ApplicationPoolIdentity, and I have set the permissions for this specific app pool under mmc -32 on Launch and Activation Permissions, so there's no problem running Excel. What I think I'm facing here is protected mode issues, as the file is definitely not corrupt.
I've gone into Excel and Trust Centre settings and have added the location where the *.xls file is uploaded to (and subsequently opened) as a trusted location. If I open the file on the hosting server (under my domain account) I don't get the protected view block on the file; however, the Identity on the DCOM configuration is set to the launching user. So, what does this mean from the following (or something I haven't listed):
I need to add this location as trusted at a group policy level because the account launching the actual application doesn't have this configuration in its profile?
I need to create an actual account on the server and use this account as the Identity for running the application?
... ?
Just to clarify, I've already been down the DCOM Security config route and the RIDICULOUS issues with C:\Windows\System32\config\systemprofile\Desktop and C:\Windows\SysWOW64\config\systemprofile\Desktop. The configuration is:
.NET 4.5 (classic pipeline) app pool running under ApplicationPoolIdentity
DCOM Config > Security > Launch and Activation Permissions all set for this specific identity (Access Permissions and Configuration Permissions all set to Use Default)
File is uploaded correctly and appears in the destination; opening it on the server itself (under my domain account) respects the Trusted Location and doesn't give a protected mode warning
Process to parse fails with the above exception.
Here is a screenshot of the Interop assembly I'm using, if this is pertinent.
Ok... for anyone stumbling on this issue, I have bitten the bullet and had to do the following:
Create a local account (AutomatedOffice in my instance) and set DCOM config to run Excel under this account
Log in as the above account and change Excel settings to add the folder in the application root to trusted locations and disable protected mode messages
Allow "Network Service" to invoke DCOM processes locally (through server DCOM config and not CLSID config)
Add NTFS permissions for this account on the C:\Windows\[System32|SysWOW64]\config\systemprofile\Desktop paths
What was weird: after creating the account I was getting the following exception, "Retrieving the COM class factory for component with CLSID {00024500-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied.", which was resolved by adding the HOST\Users and HOST\NetworkServices groups to the DCOM security (local only!!!) settings.
You need to add, in Trust Center security locations, the folder where your website is published. For example, if your website reads a file from c:\temporal\, you must put that folder name in Excel's security locations.