Integrating ASP app – Users and more users, more permissions and 401s

Posted on by

When you integrate a site onto its final server – things with windows get hairy. Here are some notes to get out of trouble

  • seeing a 401 for anonymous user? Are your permissions for IUSR set to read, write, execute (ref)? This is for anonymous user. For a dynamic user, then you have to add permissions for NetworkService (see small note in this reference) (6.1 – or see this article for 7.5). For this, I had an account called (built in account: ApplicationPoolIdentity – this not correct – I will keep digging)
    • you might also require the group IIS_IUSRS to have read, write, execute. It depends on your version of IIS (see this link – this is succinct)
    • ensure BOTH the user accessing the page and the AppPoolIdentity user BOTH have NTFS permissions set to the directory and subsequent web pages (reference)
    • Do NOT set Everyone to Full – but it is a good test to see if the above will work.
  • I used the Login security stuff that came with the default forms. Now the server I was going to already had SQLSERVER pre-installed (VS2012 Express)
  • The aspx debug version worked great – no issues … untilI published that part to the server (everything else worked)
    • First, FTP will not copy over your App_Data folder stuff. It is in the fine print when you set up your publishing scheme. Copy those over using a manual method (ironically FTP)
    • The default website did NOT have a DefaultConnection String so I added it
      • <add name=”DefaultConnection” providerName=”System.Data.SqlClient” connectionString=”Data Source=1KX8JZ;Initial Catalog=aspnet4;AttachDBFilename=|DataDirectory|\aspnet.mdf; User Id=usernameaccount; password=xxxxxx” />
      • HOWEVER you will see it has a username and password that I then have to add into SQL Server – again a pain and more fiddling but it works (I can’t find the web article that led mere here – sorry – it is on Stack Overflow). This guy did get it to work
      • Then I added this user ‘usernameaccount’ to the SQL Database (using Management Studio) – note that I could NOT have a database pre-created called aspnet4. Why? Because it uses the file in the connection string under the App_Data directory called aspnet.mdf and fakes it in SQL Server as aspnet3
      • this username ‘usernameaccount’ had to have the following roles added for the master database
        • server roles: dbcreator
        • database role membership for master: db_securityadmin
        • database roles for the aspnet4? leave this alone – it configures itself
      • THEN I had to have full access to the App_Data directory for the user NT SERVICE\MSSQLSERVER so that SQL could marry the real dB with the virtualized one (aspnet4).
        • you can find this user by running services.msc (Start->Control Panel->Administrator Tools->Services->SQL Server (XXXX)->Properties->Logon Tab
      • What a pain! This took me only 5 hours to figure out, hack and clean things up (broke a few things again- learned more – wrote it here). I hope it helps someone.
        • db_securityadmin

        Because everything in release vs. test was different, I had to use the Web.release.config transform file to put custom connection strings for the release server. I had to change my publish to “Release” under properties.

      Once I require a password reset – one needs to configure an email server and few other options. This is all summed up nice in this article. http://www.codeproject.com/Articles/15693/Password-Recovery is also good but incomplete (needs some work) All I did was add an smtp server and added the       passwordFormat=”Hashed” attribute in Web.config to the <membership><providers> xml node.

  • Other Links
  • http://www.itnota.com/setup-user-access-and-roles-sql-server/
  • rolling out own WSAT: http://aspnet.4guysfromrolla.com/articles/052307-1.aspx