Right, this is driving me insane. This works fine locally with Excel 2013, but when the website is published to a remote server with Excel 2010 it fails. From what I can see the DCOM configuration is the same locally as remote.
After fighting with Excel 2010 and DCOM permissions for over an hour now the best I have got is this exception: System.Runtime.InteropServices.COMException (0x80070BBC): Office has detected a problem with this file. To help protect your computer this file cannot be opened.
This is the result of a web application trying to open a *.xls file from a location it has just uploaded to. The application pool is running under ApplicationPoolIdentity and I have set the permissions for this specific app pool under mmc -32 on Launch and Activation Permissions so there's no problem running Excel. What I think I'm facing here is protected mode issues as the file is definitely not corrupt.
I've gone into Excel and Trust Centre settings and have added the location where the *.xls file is uploaded to (and subsequently opened) as a trusted location. If I open the file on the hosting server (under my domain account) I don't get the protected view block on the file - however, the Identity on the DCOM configuration is set to the launching user. So, what does this mean from the following (or something I haven't listed):
I need to add this location as trusted at a group policy level because the account launching the actual application doesn't have this configuration in its profile?
I need to create an actual account on the server and use this account as the Identity for running the application?
... ?
Just to clarify I've already been down the DCOM Security config route and RIDICULOUS issues with C:\Windows\System32\config\systemprofile\Desktop and C:\Windows\SysWOW64\config\systemprofile\Desktop. The configuration is:
.NET 4.5 (classic pipeline) app pool running under ApplicationPoolIdentity
DCOM Config > Security > Launch and Activation Permissions all set for this specific identity (Access Permissions and Configuration Permissions all set to Use Default)
File is uploaded correctly and appears in destination, opening on the server itself (under my domain account) respects the Trusted Location and doesn't give protected mode warning
Process to parse fails with the above exception.
Here is a screenshot of the Interop assembly I'm using if this is pertinent.
Ok... for anyone stumbling on this issue I have bitten the bullet and had to do the following:
Create a local account (AutomatedOffice in my instance) and set DCOM config to run Excel under this account
Log in as above account and change Excel settings to add folder in application root to trusted location and disable protected mode messages
Allow "Network Service" to invoke DCOM processes locally (through server DCOM config and not CLSID config)
Add NTFS permissions for this account on C:\Windows[System32|SYSWOW64]\config\systemprofile\Desktop paths
What was weird, after creating the account I was getting the following exception Retrieving the COM class factory for component with CLSID {00024500-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. which was resolved by adding HOST\Users and HOST\NetworkServices group to DCOM security (local only!!!) settings.
You need to add in trust center, security locations the folder where your website is published, for examplo if your website reads a file from c:\temporal\ you must put on excel, security locations that folder name
Related
I have previously deployed an MVC application to Azure.
Under Publish -> Settings -> Databases, I include connection strings.
I have been using the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;User ID=username;Password=password;Encrypt=True;TrustServerCertificate=False
The problem with specifying a user is that stored procedures run as the user specified.
This results in CreatedBy/ModifiedBy values set to this same user, instead of the user that created/modified the record.
I previously tried the following: Data Source=tcp:servername.database.windows.net,1433;Initial Catalog=dbname;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Authentication="Active Directory Integrated"
However, I receive the error "The format of the specified domain name is invalid." after the application is deployed. Even though I test the connection with Active Directory Integrated in the Destination Connection String window, and it works.
As given in this MS Doc, if you’re using the AD Integrated type of Authentication in the Azure, then either you should have domain-joined device for accessing the Web Application linked with SQL Database or make the device as federations with ADFS.
So, if you are accessing the Azure Applications from other machines, use the AD-password type authentication mode and its connection string format is given in the same MS Document and this Doc2 for more relevant information on configuring the AD Integrated / Password Type of Authentication mode on Azure Data sources and applications.
AD Password Type Authentication Format:
Server=demo.database.windows.net; Authentication=Active Directory Password; Encrypt=True; Database=sample_db; User Id=your_username#domain.com; Password=<Your__Password>
C# ASP.NET MVC web application - I followed all the steps from https://blogs.iis.net/davidso/azurefile in order to be able to access my Azure location by unc.
My newly created local user is in the IISUSER Group and has the same username and pwd (storage key).
I then created an application in my website using a new APP Pool (integrated) w/said local user.
I ran the caspol command as well.
The issue I run into is when trying to do a file.SaveAs, I get an error
Incorrect username or password
Server.MapPath({application}) returns the correct unc path but doing a Directory.Exists won't locate the path.
When viewing the "connect as" with specified user in IIS I get no issues, additionally I can access the unc path directly from my local machine with same creds.
I tried going to the app pool of the application and set the user directly but no change there. Are there changes I need to make on the Website configuration that the application sits in? Prior to converting this to an application I initially had it configured as a virtual directory and got the same error.
Set the load user profile to "True" in the application pool:
try to set the azure user in iis anonymous authentication by clicking on the edit:
On our TFS build server, we're getting the following error most builds (so not ALL builds, sometimes the build runs perfectly!)
"The identity of application pool application_pool_name is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number."
Since it runs some builds, we know the identity is in fact not invalid and that it's not a code problem. Does anybody know if there are any other cases where you can get this specific error? We've had this problem for several months now...
EDIT: We've also found out it started after MS updates KB4015547 and KB4015550, but uninstalling them didn't help. Re-entering the user or using another user didn't work either.
The identity of all application pools should be set to the
correspondingservice account that you specified when you installed
Team Foundation Server (TFSService).
Change the identity and then try to stop and restart the application pool. For this, open Internet Information Services (IIS) Manager, expand the local computer and open Application Pools. Open the navigation menu and choose Stop or Start.
Restart the application pool so that Windows Process Activation Service (WAS) can determine the correct state of the protocol.
If above is still not working, you could also try reset the IIS entirely. More ways you could take a look at this thread: An application pool is not configured correctly
I have created the IIS site and pointed it at the deployment folder. I have enabled stdout logging and this is the error:
info: Microsoft.Extensions.DependencyInjection.DataProtectionServices[0]
User profile is available. Using 'C:\Users\No Managed Code\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
fail: Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler[1]
An exception occurred in the database while iterating the results of a query.
System.Data.SqlClient.SqlException: Cannot open database "KeyStoneDb" requested by the login. The login failed.
Login failed for user 'IIS APPPOOL\No Managed Code'.
So, I added the login to SQL with all the necessary rights. Retested in DEV - fine, but when running IIS I still get the issue. The Application Pool being used is 'No Managed Code'.
Why cant the app not connect to the database?
IIS AppPool accounts are virtual accounts, therefore, they don't actually exist as a normal user on the system.
You can not give access to networked resources using that identity. Shared\network resources like file shares and databases that need to communicate with these accounts need to have the 'domain\machinename$' with appropriate permissions.
Give 'domain\machinename$' appropriate permissions on your DB. That should do it.
I developed an application in Delphi 2010 that reads XML data from a transactional queue. It works fine if the queue is local or remote and I don't have to set permissions in both cases.
Now I have to convert that application into a Windows Service. I copied and pasted the same application into the service code, but when I try to read the queue I get the "Access denied" error. I'm doing the tests on my local machine.
Some people say that it's a matter of permissions. I found here in Stack Overflow some posts to the same problem but I didn't find the solution.
Any ideas? I'm using Windows 7 as well.
If you are running the application locally, you are running it under your Windows logon credentials. Services by default are launched under a different user account which may not have the same rights as your account does.
Bring up the service manager (start->services.msc), find your service in the list, right click it and select Properties. Then select the Log On tab and change it to a specific account name/password. (Use your account name / password.) You'll then be executing the code using the same credentials so your Access Denied error should go away.