
ASP.NET Weblogs

Brian Desmond's Blog

Inherits Network.Admin
Implements IOneManBand

September 2003 - Posts

  • My VeriSin Saga

    I've been attempting to do something seemingly very simple at the control panel for one of my domains, wpcp.org, over at netsol.com for several weeks now. Quite simply, I want to turn their BS web forwarding service off and flip my own DNS on in there. So, I enter my primary and secondary servers, “ns.cps.k12.il.us” and “ns1.illinois.net”, respectively. The site shoots back and tells me they're invalid.

    After I and several other people tried this for a couple of weeks, on 9/22 I phone Netsol and reach someone who, as expected, knows nothing about DNS or anything like that. So, we try resetting Internet Explorer on my end, and even reboot a machine (beats me why). I still get the error. She tries several times to enter my nameservers in various orders and capitalizations, and finds that she gets the same message too. So, this woman tells me she'll have to escalate my ticket to “engineering”, and they'll fix it within 3 - 5 days.

    Seven days (five business days) later, I'm in the same spot. So, I call up and reach a gentleman who offers to query his database for the status of my ticket. He can't keep his story straight based on what his database says. First he tells me that “engineering” will have to enter my nameservers manually. He quickly forgets this theory and tells me engineering has not opened the ticket since it was created on 9/22. I remind him that this was five business days ago. He then decides to “re-escalate” my ticket. After I explain the importance of getting this fixed, the customer service rep promises me that engineering will look at it in 24 - 48 hours. I'm a pessimist, so I'll post more around this time on Wednesday (giving “engineering” a full 48 hours). Note, I actually have a major project waiting on getting this fixed. I need my own MX records to do email.

    I figured that the usual batch of engineers who forgot to allow for us wacky people with stuff like “cps.k12.il.us” as our domain name in their regexes work for VeriSign. So, I just didn't enter ns.cps.k12.il.us, and just plopped in ns1.illinois.net. The site still won't take it. Moral of this story (aside from why VeriSign is VeriSin in my book) is: anyone who regexes email addresses or domain names or otherwise parses them, please don't forget about the governmental sorts with bureaucratically long domain names (e.g. payton.cps.k12.il.us).
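The moral above is worth turning into code. This is an added example (mine, not from the post, and not VeriSign's actual validation): a host name checker that enforces the RFC 952/1123 label rules (63-character labels, 253 characters total, letters, digits and interior hyphens, any number of labels) instead of a guess about how many dots a “normal” name has, next to a naive pattern of the kind that rejects ns.cps.k12.il.us. The naive regex is constructed for illustration; the name server names are the ones from the post.

```python
import re

# One label of a host name as RFC 952/1123 allow it: 1-63 characters, letters,
# digits and hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# A naive name-server pattern of the kind the post complains about (constructed
# for this example, not the registrar's real check): it accepts host.domain.tld
# plus at most one extra label, so anything deeper is rejected.
_NAIVE_RE = re.compile(r"^[A-Za-z0-9-]+\.(?:[A-Za-z0-9-]+\.)?[A-Za-z]{2,4}$")


def naive_is_hostname(name):
    """The too-strict check: rejects ns.cps.k12.il.us even though it is valid."""
    return _NAIVE_RE.match(name) is not None


def hostname_problem(name):
    """Return None if name is a syntactically valid host name, else the reason.

    Checks the label and length limits from the RFCs instead of counting dots,
    so bureaucratically long names like payton.cps.k12.il.us pass.
    """
    if name.endswith("."):          # absolute (FQDN) form is fine
        name = name[:-1]
    if not name:
        return "empty name"
    if len(name) > 253:
        return "name longer than 253 characters"
    labels = name.split(".")
    if len(labels) < 2:
        return "a name server needs at least two labels"
    for label in labels:
        if not label:
            return "empty label (consecutive dots)"
        if len(label) > 63:
            return "label '%s' longer than 63 characters" % label
        if not _LABEL_RE.match(label):
            return "label '%s' has a bad character or a leading/trailing hyphen" % label
    if labels[-1].isdigit():
        return "top-level label must not be all digits"
    return None


def is_hostname(name):
    return hostname_problem(name) is None


if __name__ == "__main__":
    for n in ["ns.cps.k12.il.us", "ns1.illinois.net", "payton.cps.k12.il.us",
              "-bad.example.com", "example..com", "192.168.0.1"]:
        print("%-24s naive=%-5s correct=%s"
              % (n, naive_is_hostname(n), hostname_problem(n) or "ok"))
```

Returning the reason rather than a bare boolean is deliberate: a form that says “label 'k12' has a bad character” can be argued with, while “invalid” sends you to a call centre for five business days.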

  • ASP Enterprise Manager

    Ashutosh Nilkanth: “The first is Web Data Administrator (from Microsoft) and the other one is ASP Enterprise Manager. Both are great for basic web-based database administration (i.e. creating tables, SPs, managing users etc.). As a side note, I don't think web-based administration tools for SQL Server have yet reached a level of maturity as with MySQL. I've used phpMyAdmin - a similar administration interface (for MySQL, written in PHP) on some occasions and it rocks! It's far ahead in terms of its feature set and what one can do with a browser-based database administration tool.”

    I've been working on ASP Enterprise Manager v2 in my spare time, but unfortunately, my spare time has been lacking significantly. If and when I finish it, the new version is really going to rock! If anyone wants to lend a hand and write some code, I'd welcome the help!

    Posted Sep 28 2003, 11:27 AM by bdesmond with no comments
  • Entire Office 2003 on MSDN

    In case you haven't noticed, the entire Office 2003 suite went active on MSDN today. This includes all of the apps (Frontpage, Onenote, etc).
    Posted Sep 26 2003, 05:30 PM by bdesmond with 1 comment(s)
  • IIS6 & "Service Unavailable" Errors

    As promised, a Google powered blog entry. One of my previous posts on configuring an ASP App to write to a UNC path had the words “application pool” and “service unavailable” in it quite a bit. The post didn't actually deal with this combination of keywords, but, here it goes:

    Each application pool has an identity (account) under which its worker process runs. By default, this identity is NT AUTHORITY\NETWORK SERVICE. This account is built in and entirely managed by the system: it already holds the rights it needs to launch a worker process, and its password is handled internally. The catch with Network Service is remote access. When it authenticates to another machine it presents the computer account (DOMAIN\MACHINENAME$), which only works if both machines are in the same domain and the remote resource grants rights to that computer account; on a standalone server it can't be authenticated remotely at all. So there are more or less two solutions: impersonate a specific user inside your application, or make the whole application pool run under a dedicated account.

    Let's say that Administrator Al sets up a new application pool to run under the account he just created called AlsWebpageServiceAccount. With this all complete, Al browses over to www.AlsHomepage.com. Lo and behold, Al's web page doesn't show up, but instead, a nice error: “Service Unavailable”. Let's take a look at what Al can do to correct this.

    Step one, as always, is to look at what's going on in Event Viewer (Start > Run > eventvwr.msc). There are a couple of entries that will be of interest to Al: Errors and Warnings in the System log from W3SVC, and Failure Audits in the Security log (you need logon failure auditing enabled for these to appear). Here's a sample of what I produced in my event logs:

    This is the generic IIS error that says something is wrong with your app pool settings (probably its identity):
    Event Type: Error
    Event Source: W3SVC
    Event Category: None
    Event ID: 1059
    Date:  9/20/2003
    Time:  11:48:27 AM
    User:  N/A
    Computer: BERYLLIUM
    Description:
    A failure was encountered while launching the process serving application pool 'BlogPostTest'. The application pool has been disabled.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Here's the tip-off that it's an identity issue:
    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 1057
    Date:  9/20/2003
    Time:  11:48:27 AM
    User:  N/A
    Computer: BERYLLIUM
    Description:
    The identity of application pool 'BlogPostTest' is invalid, so the World Wide Web Publishing Service can not create a worker process to serve the application pool.  Therefore, the application pool has been disabled.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Finally, the failure audit in the Security log:
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 534
    Date:  9/20/2003
    Time:  11:48:08 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: BERYLLIUM
    Description:
    Logon Failure:
      Reason: The user has not been granted the requested
       logon type at this machine
      User Name: AlsWebpageServiceAccount
      Domain:  GREENVIEW
      Logon Type: 4
      Logon Process: Advapi 
      Authentication Package: Negotiate
      Workstation Name: BERYLLIUM
      Caller User Name: BERYLLIUM$
      Caller Domain: GREENVIEW
      Caller Logon ID: (0x0,0x3E7)
      Caller Process ID: 640
      Transited Services: -
      Source Network Address: -
      Source Port: -

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    The security failure audit is really the most useful one here. Look at the reason, “The user has not been granted the requested logon type at this machine”, together with the logon type. Logon Type 4 is a batch logon (a service logon would be type 5; 2 is interactive and 3 is network), so W3SVC tried to log the account on as a batch job, and that is one of the rights membership in the local IIS_WPG group provides. Combine the reason and the logon type code, and Al knows that his web page service account doesn't have the right to log on as a batch job on this machine. This is certainly fixable. Here's how:

    Open the server's Local Security Policy (Start > Run > secpol.msc), expand Local Policies and browse to User Rights Assignment. Open the “Log on as a batch job” right; any account or group in this list can perform a type 4 logon. Click Add User or Group, and then type in or browse for the app pool's new service account. Better still, add the account to the local IIS_WPG group, which holds this right and the other rights a worker process identity needs, and leave the policy itself alone. Granting “Log on as a service” as well does no harm, but it is not the right this audit is complaining about. The change takes effect for new logons right away (if a domain GPO governs user rights it will overwrite a local edit, so make the change in the GPO and run gpupdate), so a reboot isn't needed. What Al does need to do is start the application pool again in IIS Manager, because W3SVC disabled it when the identity failed (that is what the 1059 event says), or restart the World Wide Web Publishing Service.

    After all this, Al's new website should, and most likely will, work. If there are still “Service Unavailable” errors, the next step is to read deeper into the warning messages from W3SVC; they more than likely contain the problem.
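To turn the three events above into a repeatable check, here is an added example (not part of the original post). It parses a logon failure audit like the 534 quoted above, maps the Logon Type to the user right that kind of logon requires, and checks a Local Security Policy export for whether the account or any of its groups holds that right. The event text is the one from the post; the [Privilege Rights] excerpt (the format `secedit /export /cfg policy.inf` writes), every SID, and Al's group memberships (what `whoami /groups` would list for the account) are constructed for the example. In the constructed policy Al's account already holds Log on as a service but not Log on as a batch job, which is exactly the mismatch a type 4 audit points at.

```python
import re

# Windows logon types as they appear in the "Logon Type" field of logon audits,
# with the user right (secedit name, Local Security Policy name) an account must
# hold for that kind of logon to succeed.
LOGON_TYPES = {
    2: ("Interactive", "SeInteractiveLogonRight", "Allow log on locally"),
    3: ("Network", "SeNetworkLogonRight", "Access this computer from the network"),
    4: ("Batch", "SeBatchLogonRight", "Log on as a batch job"),
    5: ("Service", "SeServiceLogonRight", "Log on as a service"),
}

# The failure audit quoted in the post above (Al's app pool identity).
EVENT_534 = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 534
Description:
Logon Failure:
  Reason: The user has not been granted the requested
   logon type at this machine
  User Name: AlsWebpageServiceAccount
  Domain:  GREENVIEW
  Logon Type: 4
  Logon Process: Advapi
  Authentication Package: Negotiate
  Workstation Name: BERYLLIUM
  Caller User Name: BERYLLIUM$
"""

# Constructed excerpt in the format "secedit /export /cfg policy.inf" writes;
# every SID is made up. Al's account (...-1105) appears under SeServiceLogonRight
# only; the local IIS_WPG group (...-1021) holds SeBatchLogonRight.
POLICY_INF = """\
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-111-222-333-1021
SeServiceLogonRight = *S-1-5-19,*S-1-5-20,*S-1-5-21-1000-2000-3000-1105
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
"""

IIS_WPG_SID = "S-1-5-21-111-222-333-1021"      # constructed: BERYLLIUM\IIS_WPG
AL_SID = "S-1-5-21-1000-2000-3000-1105"        # constructed: GREENVIEW\AlsWebpageServiceAccount
AL_TOKEN_SIDS = {AL_SID, "S-1-5-32-545", "S-1-5-11"}   # plus BUILTIN\Users, Authenticated Users


def parse_event(text):
    """Turn the 'Key: value' lines of an event description into a dict, folding
    indented continuation lines (the Reason wraps) into the preceding key."""
    fields, last = {}, None
    for raw in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$", raw)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last is not None and raw.strip():
            fields[last] = (fields[last] + " " + raw.strip()).strip()
    return fields


def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def holds_right(token_sids, rights, right_name):
    """True if the account itself or any group in its token is granted right_name."""
    return bool(token_sids & rights.get(right_name, set()))


def diagnose(event_text, inf_text, token_sids):
    """Map a 534 'logon type not granted' audit to the user right that is missing."""
    ev = parse_event(event_text)
    if ev.get("Event ID") != "534":
        return {"verdict": "not a 534 audit; event %s needs a different check" % ev.get("Event ID")}
    logon_type = int(ev["Logon Type"])
    kind, right, policy_name = LOGON_TYPES.get(logon_type, ("Unknown", None, None))
    held = right is not None and holds_right(token_sids, parse_privilege_rights(inf_text), right)
    return {
        "account": "%s\\%s" % (ev.get("Domain"), ev.get("User Name")),
        "logon_type": logon_type,
        "logon_kind": kind,
        "required_right": right,
        "policy_name": policy_name,
        "held": held,
        "verdict": ("holds %s already; check the password and IIS_WPG membership" % right) if held
                   else ("grant '%s' (%s) to the account or to a group it belongs to" % (policy_name, right)),
    }


if __name__ == "__main__":
    print(diagnose(EVENT_534, POLICY_INF, AL_TOKEN_SIDS)["verdict"])
    # Putting the account in IIS_WPG, which holds SeBatchLogonRight here, fixes it:
    print(diagnose(EVENT_534, POLICY_INF, AL_TOKEN_SIDS | {IIS_WPG_SID})["verdict"])
```

The point of resolving group SIDs rather than looking for the account's own SID is that the right is usually held through a group (IIS_WPG, or a domain group granted via GPO), so a check that only looks for the account name reports a false “missing”.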

    I hope this info is useful, feel free to leave comments/send mail regarding future break/fix posts.

  • New Content Source

    Well, I've got a new source of content: Interesting problems people Google for, click through to my blog, and don't find anything. It seems I have a couple of long posts with lots of tech keywords (my rant on ms blaster, and my introductory post).

    It looks like the first item will be a how to on pushing a [security] hotfix via group policy. Some application pool fun is next.

  • What would you buy?

    As the subject suggests, I'm looking for stuff to buy. Specifically, software and trinkets useful in an IT department supporting a mid-sized environment (1000 computers/1000 users, Mac & PC, laptop & desktop).

    Anything goes; I'm more on the IT end of the spectrum here, but, as I said, I'd love to hear of anything useful. Please leave comments with suggestions if you want.

  • Chicago area stuff?

    I read all these posts, etc about the users groups and this and that in various places. I've never heard a single mention of anything in the Chicago area - pretty big city, in my opinion. Are there any events going on around here?
  • File & Share Permissions

    Dave Burke ran into an issue I didn't mention in my previous post on IIS & remote resources: share permissions versus file permissions. Before I start, let's do some acronym vocabulary. There are more or less three things to know:

    ACL (pronounced A-C-L) - “access control list” - a list of permissions for an object
    DACL (pronounced dackle) - “discretionary access control list” - a list of permissions for an object set by the owner (or an admin) - we're dealing with this subset of ACLs
    ACE (pronounced as spelled) - “access control entry” - a single permission in an ACL

    A shared folder has two DACLs in play - the NTFS permissions on the folder and files themselves, and the share-level permissions on the share. The rule of thumb is that the most restrictive one wins: what you can do over the share is the intersection of the two, and a deny entry on either side beats an allow. So, a user with Full Control in the share-level ACL but only Read in the folder-level ACL will have solely read rights. It's always better to control this access in the folder/file level permissions; share permissions only apply over the network, so they do nothing for anyone who can get at the disk locally. Any user or group that will need to do anything above and beyond reading a file/folder will need Change on the share and Modify on the folder. Otherwise, Read permissions are fine. Full Control isn't necessary - it adds the ability to change permissions and take ownership, which an application account has no business doing.
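Here is an added example (mine, not from the post) that models the rule above: each share and NTFS permission level is reduced to the operations it grants, each DACL is evaluated against the account's token (the account plus its groups) with deny beating allow, and the effective access over the share is the intersection of the two. The share, both DACLs, and the account and group names are constructed for the example; execute rights and NTFS ACE inheritance ordering are deliberately left out of the model.

```python
# Operations each permission level grants, reduced to a few generic verbs so the
# two ACLs can be compared. Execute and the finer NTFS special permissions are
# left out to keep the model readable.
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change permissions"},
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change permissions"},
}


def evaluate_acl(aces, token, levels):
    """Apply a DACL (list of (principal, 'Allow'|'Deny', level) ACEs) to a token,
    the set of principals an account carries: itself plus every group it is in.
    A deny ACE matching any principal in the token beats any allow."""
    allowed, denied = set(), set()
    for principal, kind, level in aces:
        if principal not in token:
            continue
        (denied if kind == "Deny" else allowed).update(levels[level])
    return allowed - denied


def effective_access(share_aces, ntfs_aces, token):
    """What the account can do over the share: the intersection of both DACLs."""
    via_share = evaluate_acl(share_aces, token, SHARE_LEVELS)
    on_disk = evaluate_acl(ntfs_aces, token, NTFS_LEVELS)
    return {"share": via_share, "ntfs": on_disk, "effective": via_share & on_disk}


def blocking_layers(op, share_aces, ntfs_aces, token):
    """Which layer(s) stop `op`: the answer to 'why does my app get Access Denied?'"""
    acc = effective_access(share_aces, ntfs_aces, token)
    return [layer for layer in ("share", "ntfs") if op not in acc[layer]]


# Constructed example: a wide-open share for an ASP app's upload folder, with
# the NTFS DACL doing the real work. Names are made up.
SHARE_DACL = [("Everyone", "Allow", "Full Control")]
NTFS_DACL = [
    ("GREENVIEW\\IIS Service Accounts", "Allow", "Modify"),
    ("GREENVIEW\\Domain Users", "Allow", "Read"),
    ("GREENVIEW\\Contractors", "Deny", "Modify"),
]
APP_TOKEN = {"GREENVIEW\\AspAppSvc", "GREENVIEW\\IIS Service Accounts",
             "Everyone", "Authenticated Users"}
USER_TOKEN = {"GREENVIEW\\jdoe", "GREENVIEW\\Domain Users",
              "Everyone", "Authenticated Users"}
CONTRACTOR_TOKEN = {"GREENVIEW\\csmith", "GREENVIEW\\Domain Users", "GREENVIEW\\Contractors",
                    "GREENVIEW\\IIS Service Accounts", "Everyone", "Authenticated Users"}

if __name__ == "__main__":
    print(sorted(effective_access(SHARE_DACL, NTFS_DACL, APP_TOKEN)["effective"]))
    read_only_share = [("Everyone", "Allow", "Read")]
    print(blocking_layers("write", read_only_share, NTFS_DACL, APP_TOKEN))
```

The contractor case shows why a deny on a group is a blunt tool: csmith is in a group that is allowed Modify, but the deny on Contractors removes even the Read that Domain Users have, so the effective result is no access at all.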

  • Writing to a Remote Resource from an ASP App

    Dave Burke is trying to make his classic ASP app write to a UNC path under IIS6. You can do this! Here's the long and short of what you've got to do, why you've got to do it, and how:

    IIS 6 apps, by default, run under the Network Service account. It's a built-in account owned by NT AUTHORITY with a password the system manages, and it has only the limited set of local rights a worker process needs. It's a bit like IUSR_MachineName in that it's a low-privilege account meant for web work, but IUSR is the anonymous web user (with a password stored in the metabase) while Network Service is the identity of the worker process itself. The problem is that when Network Service authenticates to another machine it presents the computer account (DOMAIN\MACHINENAME$) rather than a user, so unless the remote server is in the same domain and has granted rights to that computer account, the remote resource says no. But there's a fix!

    If the servers are members of the domain, the best solution is to create a domain account for the application to run under. This account will need to be granted the Log on as a batch job and Log on as a service rights on the IIS server. I usually create a group on my domain for service accounts for specific purposes, e.g. IIS apps, and then grant the group the rights via a GPO on the proper server(s). The account should also be added to the IIS_WPG local group, which holds the rights a worker process needs. The new account should be given the proper permissions on the remote resource, of course - and nothing beyond what the app actually needs there.

    The next step is actually getting the ASP app to run under this account. The best solution is to create an application pool in IIS Manager and configure it to run under the new service account. This is pretty straightforward. Make sure the new app pool is selected on the application's property page as well. Setting up this new app pool creates a new w3wp process for the application (and anything else in the pool) which runs in the context of the new account.

    If there is no domain in place, the new account will need to be created locally on each machine with an identical username and password. Windows will automatically try the worker process's current credentials against the remote resource, and because the remote machine has a local account with the same name and password, NTLM authentication succeeds. This is the workgroup fallback; keep the two passwords in sync, or the app will start failing at the next password change.

    If there continues to be an issue, check the Application and System event logs, and if need be turn on security auditing (specifically logon failure auditing) on both the remote and local machines.

  • ASP.Net Logfile Analyzer

    Scott Galloway mentioned on my second post about AWStats how cool a C# analyzer would be. There is one - it isn't free, though. http://www.sitelog.com/ProductsList.aspx?CategoryID=15. The graphics look really nice, I must say. I'm content with installing Perl on a server and saving $90 for the stats myself.

    Posted Sep 09 2003, 05:45 PM by bdesmond with 3 comment(s)