Feb 21, 2008

ASP.NET is not authorized to access the requested resource

I manage several IIS servers and from time to time I struggle with permissions and web apps. Some situations are more unique than others, but usually I run into problems when a webserver is running a .NET application and trying to reach across the network to capture some data from a network share on another server.

This is the error you might be familiar with:

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true">, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To get your webapp to work correctly you have to decide how secure you need the webapp.  If this application does not require security you’ll need to:

  1.  Create a domain user (remember the password…duh)
  2. Under IIS directory security click “Edit” for Authentication and access control.
  3. Check allow anonymous access and browse to the domain user, enter the password you gave the user
  4. Sometimes optional.  Create new application pool and set the identity to the domain user you created and browse to the webapp you’re working with in IIS and select properties and the virtual directory tab.  Set the app to run as the new application pool you created.  This will ensure IIS will use the user you created.
  5. Browse to the network resource on the other server and add the created user to the share and ntfs permissions of that file/folder you need to access (give appropriate permissions, if you don’t require write don’t give it!)
  6. Edit the web.config file for the app you’re working with and set <identity impersonate="false"/>

If you need to restrict the webapp to a select group of individuals, the steps are slightly different.

  1. Give the group/users appropriate ntfs permissions to the web app
  2. Under IIS browse to the application and select properties and Directory Security.  Uncheck anonymous access (this will capture the windows user authenticated that’s opening the web application).
  3.  Make sure the network share/folder/file has the required users/groups and appropriate permissions.
  4. Edit the web.config file for the app you’re working with and set <identity impersonate="true"/>
  5. While you’re in web.config you’re going to need to familiarize yourself with the following two tags to secure your applications:
       <allow roles="Active Directory group"/>
       <deny users="*"/>
     That will check the authenticated user for the correct group membership as assigned in Active Directory and the file permissions on your network resource, and will deny all users that aren’t members.

Side note….I’m not a programmer just a SysAdmin.  I’m sure there are all kinds of ways to get around this or perhaps even do it better.  The above is just what I’ve encountered while working with internal portal applications.  There are definitely not enough hours in the day to fully understand ASP.NET application and IIS security but I think that’s a pretty good stab at it.  Whenever I google for results I have a hard time remembering the differences between the Impersonate user so hopefully now I won’t forget!

Quick note… Use <identity impersonate="false"/> when you want to use IIS anonymous security and <identity impersonate="true"/> when you want to ensure your application is most secure!
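A small audit for the two setups above, added here as an example and not part of the original post: it parses a web.config, reports whether impersonation is on, and checks that the allow/deny rules sit in an order that actually restricts access. The `<authentication mode="Windows"/>` line, the group name `EXAMPLE\PortalUsers`, the sample configs and the finding codes are all assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the restricted setup; EXAMPLE\PortalUsers is a placeholder group.
RESTRICTED = r"""<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <authorization>
      <allow roles="EXAMPLE\PortalUsers"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>"""
# Constructed variants: deny placed first, deny missing, and the anonymous setup.
REVERSED = RESTRICTED.replace('<deny users="*"/>', "").replace("<allow", '<deny users="*"/><allow')
NO_DENY = RESTRICTED.replace('<deny users="*"/>', "")
ANONYMOUS = '<configuration><system.web><identity impersonate="false"/></system.web></configuration>'

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # tolerate an xmlns on <configuration>

def _child(parent, name):
    return next((e for e in parent if _local(e) == name), None)

def audit_web_config(xml_text):
    """Return (impersonate, findings) for the <system.web> section of a web.config."""
    sysweb = _child(ET.fromstring(xml_text), "system.web")
    if sysweb is None:
        return False, ["NO_SYSTEM_WEB"]
    identity = _child(sysweb, "identity")
    impersonate = identity is not None and identity.get("impersonate", "").lower() == "true"
    authz = _child(sysweb, "authorization")
    rules = [] if authz is None else [(_local(r), r.get("users", "")) for r in authz]
    # ASP.NET reads <authorization> rules top-down and stops at the first match.
    deny_all = next((i for i, (kind, users) in enumerate(rules)
                     if kind == "deny" and "*" in [u.strip() for u in users.split(",")]), None)
    last_allow = max((i for i, (kind, _) in enumerate(rules) if kind == "allow"), default=None)
    findings = []
    if not impersonate:
        # Without impersonation the code runs as the process identity, so the
        # share and NTFS permissions must name that account.
        findings.append("RUNS_AS_PROCESS_IDENTITY")
    elif deny_all is None:
        findings.append("NO_DENY_ALL")           # any authenticated user gets in
    if deny_all is not None and last_allow is not None and last_allow > deny_all:
        findings.append("ALLOW_AFTER_DENY_ALL")  # the allow rule is never reached
    return impersonate, findings
```

An empty findings list for the restricted setup means the group rule is followed by the catch-all deny; NTFS and share permissions are still checked separately by Windows.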

Written by Tom in: IIS, asp.net, security |
Feb 20, 2008

HowTo - use chmod

The Ubuntu website has a good tutorial on chmod.

https://help.ubuntu.com/community/FilePermissions

Written by Tom in: linux, security, ubuntu |
Aug 24, 2007

vmware esx and virtual center upgrades

I’m happy to report that upgrading vmware esx from 3.01 to 3.02 was a breeze. I was able to utilize maintenance mode and for the first time in my career do mid day operating system upgrades with zero affected production systems! I was also successful in upgrading Virtual Center from 2.0 to 2.02.

I utilized the patch update program I previously mentioned for the esx upgrades… flawless.

Written by Tom in: esx, patching, security, vi3, vmware |
Aug 20, 2007

HowTo - patch vmware esx…the easy way

During our VMware VI3 deployment I’ve been very impressed with Virtual Center. I was however very surprised to not find a patching or update mechanism that is so ancient. One must run commands from the console to query what patches are installed and maintain their own local patch repository if they have more than one esx server and require speedy patching. Crazy! Us windows admins have been point and clicking updates since Win2k!

VMTS came to my rescue... A patch program for ESX that utilizes Virtual Center. The program has been great so far and has erased a nightmare that is CLI patching. Besides…have you seen how many patches were released for 3.0.1? Give me a break!

If you want to make your life easier like mine check out: http://vmts.net

Written by Tom in: HowTo, esx, management, patching, security, vi3, vmware |
Aug 02, 2007

HowTo - vmware esx and ntp configuration

I stole the below information from vmtn.net to assist in my ntp configuration with vmware vi3 esx and windows guest o/s vm’s.

http://www.vmware.com/community/message.jspa?messageID=577447

Once you SSH to the ESX server console and logon as root you need to edit the file /etc/ntp.conf. There are a few editors you can use. I prefer the nano editor.

From the command prompt type “nano /etc/ntp.conf”
Scroll down until you see the lines that read.

server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

Just below this section add these lines.

restrict 192.168.11.5 mask 255.255.255.255 nomodify notrap noquery
server 192.168.11.5

Replace 192.168.11.5 with the IP address of your ntp server.

That is all that needs to be done in /etc/ntp.conf.
Exit the editor with a ctrl-x, Y to save changes, enter to confirm the filename. You should now be back at the command shell.

Next Step…
type in “nano /etc/ntp/step-tickers”
There should only be one line 192.168.11.5 (replace with the IP of your NTP server)
Exit the editor the same way as above.

Final Steps….
Type in all these commands in order.

esxcfg-firewall --enableService ntpClient
service ntpd restart
chkconfig --level 345 ntpd on
ntpdate -q 192.168.11.5
hwclock --systohc
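A consistency check for the two files edited above, added as an example and not part of the original post: every real `server` in /etc/ntp.conf should have a `restrict` line carrying nomodify, notrap and noquery, and should be the address listed in /etc/ntp/step-tickers. The sample file contents are constructed from the lines in the post, and the function name and messages are assumptions.

```python
# Constructed sample files following the post; 192.168.11.5 is the post's example server.
NTP_CONF = """\
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
restrict 192.168.11.5 mask 255.255.255.255 nomodify notrap noquery
server 192.168.11.5
"""
STEP_TICKERS = "192.168.11.5\n"

REQUIRED_FLAGS = {"nomodify", "notrap", "noquery"}

def check_ntp(ntp_conf, step_tickers):
    """Return a list of problems; an empty list means the files match the procedure."""
    servers, restricts = [], {}
    for raw in ntp_conf.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(fields) < 2:
            continue
        if fields[0] == "server" and not fields[1].startswith("127.127."):
            servers.append(fields[1])              # skip the local-clock pseudo address
        elif fields[0] == "restrict":
            restricts[fields[1]] = set(fields[2:])
    tickers = {line.strip() for line in step_tickers.splitlines() if line.strip()}
    problems = []
    for s in servers:
        missing = REQUIRED_FLAGS - restricts.get(s, set())
        if s not in restricts:
            problems.append(f"{s}: no restrict line")
        elif missing:
            problems.append(f"{s}: restrict lacks {' '.join(sorted(missing))}")
        if s not in tickers:
            problems.append(f"{s}: not in step-tickers")
    for t in sorted(tickers - set(servers)):
        problems.append(f"{t}: in step-tickers but not a server in ntp.conf")
    return problems
```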

guest o/s and what to do with time sync:

What tool should I use to synchronize a Windows guest operating system with real time? Does the Windows Time service work in a virtual machine?
Solution

The most accurate way to keep guest operating system time synchronized with real time is to use the VMware Tools time synchronization function. You should not use the Windows Time service or other form of clock synchronization meant for physical machines to set the time in the guest operating system. Unlike a physical machine, a virtual machine is not always loaded and running on a CPU. A virtual machine’s clock can’t run when the virtual machine is not running. When the virtual machine gets to run on a CPU again, the virtual machine’s clock needs to catch up to real time. The Windows Time service attempts to synchronize the virtual clock to an external time source on the network; it is not aware of the unusual clock behavior of a virtual machine, however, so it does not synchronize accurately. In some cases, the Windows Time service can do more harm than good. The VMware Tools time synchronization feature is aware of the built-in clock catch-up function in a virtual machine and can accurately synchronize the guest’s clock to the host’s clock. To enable VMware Tools time synchronization in the guest:

1. Right-click the VMware icon in the System tray on the task bar and choose Open VMware Tools.
2. On the Options tab, check the Time synchronization between the virtual machine and the host operating system box.
3. Click OK to close the dialog box.

You can disable the Windows Time service from the Services control panel in the guest.

1. Right-click My Computer and choose Manage.
2. Double-click Services and Applications.
3. Double-click Services.
4. Scroll to Windows Time; right-click and choose Properties.
5. Click the Startup type selection box and choose Disable.
6. If the service status is Started, click Stop.
7. Click OK to close the Properties dialog box.

It’s a good idea to run a time synchronization tool on the host, for best accuracy. On Windows hosts, you can use the Windows Time service or other tool of your choice. On Linux hosts and in the ESX Server service console, you can run NTP. To install and configure NTP on an ESX Server machine, refer to www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1339.

When You Must Run Windows Time Service
If you use a virtual machine as a primary domain controller for a Windows network, the primary domain controller must run the Windows Time service as a time server, to provide time to secondary domain controllers and other hosts on the network. However, that primary domain controller does not need to use the Windows Time service as a client to receive time synchronization input for its own clock. You can still use VMware Tools to synchronize the virtual machine’s clock while running the Windows Time service in a server-only mode. For instructions on setting up the Windows Time service this way, see the Microsoft document titled “The Windows Time Service,” at download.microsoft.com/download/2/0/f/20f61625-7b2a-4531-b007-1c714f1e51b7/wintimeserv.doc. Search the document for the NoSync registry option.

Written by Tom in: HowTo, cli, esx, security, vi3, vmware |
Apr 11, 2007

vmworld 2006 - vmware patching and securing

TAC9858: Patching and Updating VMware ESX Server 3
Evan Chan, VMware and Govindarajan Soundararajan, VMware

http://download3.vmware.com/vmworld/2006/tac9858.pdf

Written by Tom in: esx, patching, security, vi3, vmware, vmworld2006 |
