September 2003 - Posts
I've been attempting to do something seemingly very simple at the control panel for one of my domains, wpcp.org, over at netsol.com for several weeks now. Quite simply, I want to turn off their BS web forwarding service and flip my own DNS on in there. So, I enter my primary and secondary servers, “ns.cps.k12.il.us” and “ns1.illinois.net” respectively. The site shoots back and tells me they're invalid.
After I and several other people had tried this for a couple of weeks, on 9/22 I phone Netsol and reach someone who, as expected, knows nothing about DNS or anything like that. So, we try resetting Internet Explorer on my end, and even reboot a machine (beats me why). I still get the error. She tries several times to enter my nameservers in various orders and capitalizations, and finds that she gets the same message too. So, this woman tells me she'll have to escalate my ticket to “engineering”, and they'll fix it within 3 - 5 days.
7 days later (5 business days), I'm in the same spot. So, I call up and reach a gentleman who offers to query his database for the status of my ticket. He can't keep his story straight based on what his database says. First he tells me that “engineering” will have to enter my nameservers manually. He quickly forgets this theory and tells me engineering has not opened the ticket since it was created on 9/22. I remind him that this was five business days ago. He then decides to “re-escalate” my ticket. After I explain the importance of getting this fixed, the customer service rep promises me that engineering will look at it in 24 - 48 hours. I'm a pessimist, so I'll post more around this time on Wednesday (giving “engineering” a full 48 hours). Note: I actually have a major project waiting on this getting fixed. I need my own MX records to do email.
I figured that the usual bunch of engineers who forget to allow for us wacky people with domain names like “cps.k12.il.us” in their regexes work for VeriSin. So, I just didn't enter ns.cps.k12.il.us and only plopped in ns1.illinois.net. The site still won't take it. The moral of this story (aside from why VeriSign is VeriSin in my book) is: anyone who writes regexes for e-mail addresses or domain names, or otherwise parses them, please don't forget about the governmental sorts with bureaucratically long domain names (e.g. payton.cps.k12.il.us).
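The moral above is easy to get wrong, so here is an added example (mine, not the post's and not Network Solutions' code) showing, in Python, a hypothetical naive host-name pattern of the kind the post suspects next to a validator that follows the RFC 1123 host-name rules (labels of 1-63 letters, digits or hyphens, no hyphen at either end, any number of labels, 253 characters in total). The naive pattern is constructed for illustration only; the sample names in the usage note are the ones from the post.

```python
import re
from typing import Optional

# Hypothetical naive pattern of the sort the post suspects: two or three
# labels only, alphabetic middle label, 2-3 letter TLD. Constructed for
# illustration; this is not Network Solutions' code.
NAIVE_HOSTNAME = re.compile(r"^[a-z0-9]+(?:\.[a-z]+)?\.[a-z]{2,3}$", re.IGNORECASE)

# RFC 1123 host-name label: 1-63 letters, digits or hyphens, and no hyphen
# at either end. Any number of labels is allowed, up to 253 characters total.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def naive_is_hostname(name: str) -> bool:
    """What a label-count-limited regex accepts (rejects ns.cps.k12.il.us)."""
    return NAIVE_HOSTNAME.match(name) is not None


def hostname_problem(name: str) -> Optional[str]:
    """None if name is a valid fully-qualified RFC 1123 host name,
    otherwise a short reason suitable for an error message."""
    name = name.strip()
    if name.endswith("."):          # a trailing dot (absolute name) is fine
        name = name[:-1]
    if not name:
        return "empty name"
    if len(name) > 253:
        return "longer than 253 characters"
    labels = name.split(".")
    if len(labels) < 2:
        return "not fully qualified"
    for label in labels:
        if not label:
            return "empty label"
        if len(label) > 63:
            return f"label {label!r} is longer than 63 characters"
        if not LABEL_RE.match(label):
            return f"label {label!r} has an invalid character or a leading/trailing hyphen"
    return None


def is_hostname(name: str) -> bool:
    """RFC 1123 validation with no limit on the number of labels."""
    return hostname_problem(name) is None
```

With the post's names, `naive_is_hostname("ns1.illinois.net")` is true but `naive_is_hostname("ns.cps.k12.il.us")` is false, while `is_hostname` accepts both (and `payton.cps.k12.il.us`) and still rejects `-bad.example`, `a..b` and a 64-character label. Returning the reason rather than a bare boolean is what lets a control panel tell the user which label it objected to instead of a flat “invalid”.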
Ashutosh Nilkanth: “The first is Web Data Administrator (from Microsoft) and the other one is ASP Enterprise Manager. Both are great for basic web-based database administration (i.e. creating tables, SPs, managing users etc.). As a side note, I don't think web-based administration tools for SQL Server have yet reached a level of maturity as with MySQL. I've used phpMyAdmin - a similar administration interface (for MySQL, written in PHP) on some occasions and it rocks! It's far ahead in terms of its feature set and what one can do with a browser-based database administration tool.”
I've been working on ASP Enterprise Manager v2 in my spare time, but unfortunately, my spare time has been lacking significantly. If and when I finish it, the new version is really going to rock! If anyone wants to lend a hand and write some code, I'd welcome the help!
In case you haven't noticed, the entire Office 2003 suite went active on MSDN today. This includes all of the apps (Frontpage, Onenote, etc).
As promised, a Google-powered blog entry. One of my previous posts, on configuring an ASP app to write to a UNC path, had the words “application pool” and “service unavailable” in it quite a bit. That post didn't actually deal with this combination of keywords, so here it goes:
Each application pool has an identity (account) under which its worker process runs. By default, this identity is NT AUTHORITY\NETWORK SERVICE. This account is built in and entirely managed by the system: it already holds the rights it needs to start a worker process, and there is no password to maintain. The big problem with the Network Service identity is that it is close to useless for accessing remote resources. On a domain member it authenticates to other machines as the computer account (DOMAIN\MACHINE$), which you rarely want to grant file permissions to because every service on that box running as Network Service or Local System would share the access; on a workgroup machine it has no credential to present at all. So, there are more or less two solutions to such an issue: impersonate a user in your application, or run the whole application pool under a dedicated account.
Let's say that Administrator Al sets up a new application pool to run under the account he just created, AlsWebpageServiceAccount. With this all complete, Al browses over to www.AlsHomepage.com. Lo and behold, Al's web page doesn't show up; instead he gets a nice “Service Unavailable” error. Let's take a look at what Al can do to correct this.
Step one, as always, is to go and take a look at what's going on in the event viewer (start>run>eventvwr.msc). There are a couple of entries that will be of interest to Al: Errors and Warnings from W3SVC in the System log, and Failure Audits in the Security log (you need auditing of logon failures turned on for these to appear). Here's a sample of what I produced in my event logs:
This is the generic IIS error that says something is wrong with your app pool settings (probably its identity):
Event Type: Error
Event Source: W3SVC
Event Category: None
Event ID: 1059
Date: 9/20/2003
Time: 11:48:27 AM
User: N/A
Computer: BERYLLIUM
Description:
A failure was encountered while launching the process serving application pool 'BlogPostTest'. The application pool has been disabled.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Here's the tip-off that it's an identity issue:
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 1057
Date: 9/20/2003
Time: 11:48:27 AM
User: N/A
Computer: BERYLLIUM
Description:
The identity of application pool 'BlogPostTest' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool. Therefore, the application pool has been disabled.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Finally, the failure audit in the Security log:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 9/20/2003
Time: 11:48:08 AM
User: NT AUTHORITY\SYSTEM
Computer: BERYLLIUM
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: AlsWebpageServiceAccount
Domain: GREENVIEW
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: BERYLLIUM
Caller User Name: BERYLLIUM$
Caller Domain: GREENVIEW
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 640
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The security failure audit is really the most useful one here. Take a look at the reason, “The user has not been granted the requested logon type at this machine”, and at the logon type. Logon Type 4 is a batch logon (type 5 would be a service logon and type 3 a network logon), and the caller is the W3SVC process running as SYSTEM (BERYLLIUM$), which is how it starts a worker process under a custom identity. Combine the reason and the logon type code, and Al now knows that his web page service account does not hold the “Log on as a batch job” right on this server. This is certainly fixable. Here's how:
Open the server's local security policy (start>run>secpol.msc), expand Local Policies and browse to User Rights Assignment. Open the right that matches the failed logon type: “Log on as a batch job” for a type 4 failure (“Log on as a service” is the type 5 equivalent; custom IIS 6 app pool identities are normally given both, plus membership in the local IIS_WPG group). Any account or group in this list will be able to log on that way, so click Add User or Group and type in or browse for the app pool's new service account; where you can, grant the right to a group that holds your service accounts rather than to individual accounts. Al does not need to reboot: a change to a user right takes effect the next time that account logs on, so starting the disabled application pool again in IIS Manager is enough. One caveat for domain members: if a domain GPO defines the same right, it overwrites the local list at the next policy refresh, so put the right in the GPO instead of the local policy.
After all this, Al's new website should and most likely will work. If “Service Unavailable” persists, check that the password in the pool's identity settings is right (a bad password produces a different audit reason), then read deeper into the warning messages from W3SVC; they more than likely name the problem. Remember that W3SVC disables the pool each time the worker process fails to start, so start the pool again after every change.
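To make the log triage above repeatable, here is an added example (mine, not from the post) in Python that parses an Event Viewer text dump, picks out “logon type not granted” failure audits, and maps the numeric logon type to the user right that has to be granted. The sample event is the post's failure audit copied inline (trailing fields omitted); the field names and the logon-type table are Windows' own, and the 4625/0xC000015B note covers how the same failure appears on Vista and later.

```python
import re
from typing import Dict, List, Optional

# Security-log logon types (Windows facts, not assumptions):
# type 4 is a batch logon, type 5 a service logon.
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch",
                    5: "Service", 10: "RemoteInteractive"}

# User right whose absence makes the logon fail with
# "The user has not been granted the requested logon type at this machine".
RIGHT_FOR_LOGON_TYPE = {
    2: "Allow log on locally",
    3: "Access this computer from the network",
    4: "Log on as a batch job",
    5: "Log on as a service",
    10: "Allow log on through Terminal Services",
}

NOT_GRANTED = "has not been granted the requested logon type"

# Sample input: the failure audit from the post, copied inline.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Date: 9/20/2003
Time: 11:48:08 AM
User: NT AUTHORITY\\SYSTEM
Computer: BERYLLIUM
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: AlsWebpageServiceAccount
Domain: GREENVIEW
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: BERYLLIUM
Caller User Name: BERYLLIUM$
Caller Domain: GREENVIEW
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def split_events(text: str) -> List[str]:
    """Split an Event Viewer text dump into one string per event."""
    events: List[str] = []
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            events.append(line)
        elif events:
            events[-1] += "\n" + line
    return events


def parse_event(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines into a dict. A line without a 'Key:' prefix
    (the wrapped second half of Reason) is joined onto the previous field."""
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            fields[last_key] = m.group(2).strip()
        elif last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line).strip()
    return fields


def diagnose(fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """For a 'logon type not granted' audit (event 534 on Windows 2000/2003,
    event 4625 with sub-status 0xC000015B on later versions), name the account
    and the user right that has to be granted; None for any other event."""
    if NOT_GRANTED not in fields.get("Reason", ""):
        return None
    try:
        logon_type = int(fields.get("Logon Type", ""))
    except ValueError:
        return None
    account = fields.get("User Name", "?")
    if fields.get("Domain"):
        account = f"{fields['Domain']}\\{account}"
    return {
        "account": account,
        "logon_type": str(logon_type),
        "logon_type_name": LOGON_TYPE_NAMES.get(logon_type, "Unknown"),
        "missing_right": RIGHT_FOR_LOGON_TYPE.get(logon_type, "(no single right for this type)"),
        "caller": f"{fields.get('Caller Domain', '')}\\{fields.get('Caller User Name', '')}",
    }


def diagnose_log(text: str) -> List[Dict[str, str]]:
    """Run diagnose() over every event in a dump and keep only the hits."""
    hits = (diagnose(parse_event(e)) for e in split_events(text))
    return [h for h in hits if h]
```

Run over the sample, `diagnose_log` returns one hit naming `GREENVIEW\AlsWebpageServiceAccount`, logon type 4 (Batch), missing right “Log on as a batch job”, requested by `GREENVIEW\BERYLLIUM$`. The point of keying on the Reason text plus the numeric type, rather than on event ID alone, is that a bad password or a disabled account produces a different reason and needs a different fix.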
I hope this info is useful, feel free to leave comments/send mail regarding future break/fix posts.
Well, I've got a new source of content: interesting problems people Google for, click through to my blog, and don't find anything on. It seems I have a couple of long posts with lots of tech keywords (my rant on MS Blaster, and my introductory post).
It looks like the first item will be a how-to on pushing a [security] hotfix via group policy. Some application pool fun is next.
As the subject suggests, I'm looking for stuff to buy. Specifically, software and trinkets useful in an IT department supporting a mid-sized environment (1000 computers/1000 users, Mac & PC, laptop & desktop).
Anything goes, I'm more on the IT end of the spectrum here, but, as I said, I'd love to hear of anything useful. Please leave comments with suggestions if you want.
I read all these posts, etc about the users groups and this and that in various places. I've never heard a single mention of anything in the Chicago area - pretty big city, in my opinion. Are there any events going on around here?
Dave Burke ran into an issue I didn't mention in my previous post on IIS & remote resources: share permissions versus file permissions. Before I start, let's do some acronym vocabulary. There are more or less three things to know:
ACL (pronounced A - C - L) - “access control list” - a list of permissions for an object
DACL (pronounced “dackle”) - “discretionary access control list” - a list of permissions for an object set by the owner (or an admin) - we're dealing with this subset of ACLs
ACE (pronounced as spelled) - “access control entry” - one permission in an ACL
There are two DACLs in play on a shared folder: the NTFS permissions on the folder and files, and the share-level permissions. The rule of thumb is that the most restrictive one wins; more precisely, the access you get through the share is the intersection of what both DACLs allow, and a Deny at either level beats an Allow. So a user with Full Control in the share-level ACL but only Read in the folder-level ACL will have solely Read rights. (Share permissions only apply when the folder is reached over the network; a process on the file server itself that opens the folder by local path sees only the NTFS permissions.) It's always better to control this access in the folder/file level permissions and leave the share fairly open. Any user or group that will need to do anything beyond reading a file/folder will need Change permission (Modify, in NTFS terms); otherwise Read is fine. Full Control isn't necessary, and granting it lets the account rewrite the permissions themselves.
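As an added example (mine, not the post's) of the “most restrictive wins” rule: a small Python model that evaluates a share DACL and an NTFS DACL for a token and intersects the results. The account and domain names come from the post; the group name IISServiceAccounts and the ACLs are constructed for illustration, and the model ignores ACE ordering and inheritance, which real NTFS evaluation does not.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set

# Rights bundles roughly matching the share permission levels (Read, Change,
# Full Control) and the NTFS basic permissions they correspond to.
READ: FrozenSet[str] = frozenset({"read", "list", "execute"})
CHANGE: FrozenSet[str] = READ | {"write", "append", "delete"}
FULL: FrozenSet[str] = CHANGE | {"change permissions", "take ownership"}


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, which rights, allow or deny."""
    trustee: str
    rights: FrozenSet[str]
    allow: bool = True


def evaluate_dacl(dacl: Iterable[ACE], principals: Set[str]) -> FrozenSet[str]:
    """Rights one DACL grants to a token holding the given identities.
    Simplified model: every matching Deny ACE removes its rights regardless
    of ACE order (real NTFS evaluation is order- and inheritance-sensitive)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in dacl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_rights(share_dacl: Iterable[ACE], ntfs_dacl: Iterable[ACE],
                     user: str, groups: Iterable[str] = ()) -> FrozenSet[str]:
    """Access through a share is the intersection of what the share grants
    and what the NTFS DACL grants: the most restrictive level wins."""
    principals = {user, "Everyone", *groups}   # every token carries Everyone
    return evaluate_dacl(share_dacl, principals) & evaluate_dacl(ntfs_dacl, principals)


def can_write(share_dacl: Iterable[ACE], ntfs_dacl: Iterable[ACE],
              user: str, groups: Iterable[str] = ()) -> bool:
    """True when the account can create or modify files through the share."""
    return {"write", "append"} <= effective_rights(share_dacl, ntfs_dacl, user, groups)


# Constructed scenario. GREENVIEW and the service account are from the post;
# the IISServiceAccounts group and the ACLs below are assumed for illustration.
SERVICE_ACCOUNT = "GREENVIEW\\AlsWebpageServiceAccount"
SERVICE_GROUP = "GREENVIEW\\IISServiceAccounts"

SHARE_FULL_TO_EVERYONE = [ACE("Everyone", FULL)]
SHARE_READ_ONLY = [ACE("Everyone", READ)]
NTFS_READ_ONLY = [ACE(SERVICE_GROUP, READ)]
NTFS_CHANGE = [ACE(SERVICE_GROUP, CHANGE)]
NTFS_CHANGE_NO_DELETE = [ACE(SERVICE_GROUP, CHANGE),
                         ACE(SERVICE_ACCOUNT, frozenset({"delete"}), allow=False)]
```

The post's own case falls out directly: Full Control on the share plus Read on the folder gives the service account exactly `READ`, so `can_write` is false until the NTFS ACE is raised to Change; opening the share while leaving NTFS at Read changes nothing, and tightening the share to Read while NTFS says Change also yields Read. The explicit Deny on `delete` shows why Deny entries are worth checking when an account has the right group membership and still cannot do something.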
Dave Burke is trying to make his classic ASP app write to a UNC path under IIS 6. You can do this! Here's the long and short of what you've got to do, why you've got to do it, and how:
IIS 6 apps, by default, run under the Network Service account, a built-in account managed by the system: no password to maintain, and far fewer privileges than Local System. It's a bit like IUSR_MachineName in that you never log on with it yourself, but it's the worker process identity, not the anonymous web user. The problem is that Network Service is not useful for authenticating to another machine: on a domain member it presents the computer account (DOMAIN\MACHINE$), which you rarely want to grant file permissions to because every service on that box running as Network Service or Local System would share the access, and on a workgroup machine it has nothing to present at all. But, there's a fix!
If the servers are members of the domain, the best solution is to create a domain account for the application to run under. This account needs the “Log on as a batch job” and “Log on as a service” rights on the IIS server. I usually create a group on my domain for service accounts with a specific purpose, e.g. IIS apps, and then grant the group the rights via a GPO on the proper server(s). The account should also be added to the local IIS_WPG group on the IIS server. The new account should be given the proper permissions on the remote resource, of course: Change (Modify) on the target folder is enough for writing, so don't hand it Full Control.
The next step is actually getting the ASP app to run under this account. The best solution is to create an application pool in IIS Manager and, on the Identity tab of the pool's properties, configure it to run under the new service account. This is pretty straightforward. Make sure the new pool is selected on the application's property page as well. Setting up this new app pool will create a new w3wp.exe process for the application (and anything else in the pool) which runs in the context of the new account.
If there is no domain in place, the account will need to be created locally on each machine with an identical user name and password. Windows will automatically try its current credentials against the remote resource, so the matching local account gets you in. The passwords then have to be kept identical on every machine, which is one more reason to prefer a domain account.
If there continues to be an issue, check the Application and System event logs, and if need be turn on security auditing (specifically logon failure auditing) on both the remote and the local machine; the failure audits land in the Security log.
Scott Galloway mentioned on my second post about AWStats how cool a C# analyzer would be. There is one - it isn't free, though. http://www.sitelog.com/ProductsList.aspx?CategoryID=15. The graphics look really nice, I must say. I'm content with installing Perl on a server and saving $90 for the stats myself.