Thread: Built-in Super-administrator Account???

Last post 02-12-2009 3:10 PM by Wylbur. 10 replies.


  • 02-05-2009, 1:06 PM

    • Wylbur
    • Top 500 Contributor
    • Joined on 02-04-2009, 3:58 PM
    • Posts 15

    Built-in Super-administrator Account???

     
    Hi all;

    Riddle me this: When is an administrator NOT an administrator?

    When it is not THE Administrator.

    I've just learned that Vista has a built-in Super-administrator account that is disabled by default.

    WTH???

    Should I have enabled that account, then logged in as the Super-administrator before performing
    the install/activation of IIS7?

    (I HATE Vista - I really do.)

    Any advice on this would be appreciated.

    I've just tried entering http://localhost/ into the address bar, and I've gotten the following:
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Server Error in Application "DEFAULT WEB SITE"

    Internet Information Services 7.0
    Error Summary
    HTTP Error 403.14 - Forbidden
    The Web server is configured to not list the contents of this directory.
    Detailed Error Information
    Module    DirectoryListingModule
    Notification    ExecuteRequestHandler
    Handler    StaticFile
    Error Code    0x00000000
    Requested URL    http://localhost:80/
    Physical Path    C:\inetpub\wwwroot
    Logon Method    Anonymous
    Logon User    Anonymous
    Failed Request Tracing Log Directory    C:\inetpub\logs\FailedReqLogFiles
    Most likely causes:

        * A default document is not configured for the requested URL, and directory browsing is not enabled on the server.

    Things you can try:

        * If you do not want to enable directory browsing, ensure that a default document is configured and that the file exists.
        * Enable directory browsing using IIS Manager.
             1. Open IIS Manager.
             2. In the Features view, double-click Directory Browsing.
             3. On the Directory Browsing page, in the Actions pane, click Enable.
        * Verify that the configuration/system.webServer/directoryBrowse@enabled attribute is set to true in the site or application configuration file.

    Links and More Information This error occurs when a document is not specified in the URL, no default document is specified for the Web site or application, and directory listing is not enabled for the Web site or application. This setting may be disabled on purpose to secure the contents of the server.

    View more information »

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



     ... so I'm not able to access IIS with an administrator account?


  • 02-05-2009, 3:21 PM In reply to

    • t-gemcgr
    • Top 150 Contributor
    • Joined on 01-15-2009, 11:50 AM
    • Posts 37

    Re: Built-in Super-administrator Account???

    "The Web server is configured to not list the contents of this directory"

    This is purely an HTTP error and nothing to do with being an Administrator or not. It's not a permissions error in the sense that the Administrator does not have access to this site. The site has been set to not list the content directory. If you want to get rid of this error you need to set a default document.

    Cheers

    George McGraffin
  • 02-05-2009, 3:41 PM In reply to

    • Wylbur
    • Top 500 Contributor
    • Joined on 02-04-2009, 3:58 PM
    • Posts 15

    Re: Built-in Super-administrator Account???

    t-gemcgr:

    "The Web server is configured to not list the contents of this directory"

    This is purely an HTTP error and nothing to do with being an Administrator or not. It's not a permissions error in the sense that the Administrator does not have access to this site. The site has been set to not list the content directory. If you want to get rid of this error you need to set a default document.




    Hi gemcgr;

    That's cool - but what about my larger issue?

    ASP.NET is unable to use the Temporary Log folder due to a lack of access permission.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Compiler Error Message: BC31019: Unable to write to output file 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\root\26676eb7\92c7e946\App_Web_example01.aspx.cdcab7d2.0ogjpxwi.dll': Access is denied.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    http://forums.iis.net/t/1154963.aspx
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Upon further investigation, I've discovered that I am missing a process - the one that should
    have started with w3wp.exe - and the file is nowhere to be found on my hard drive.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    http://forums.iis.net/t/1154992.aspx
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    That executable is for the worker process for the application pools, so I would suspect that
    the reason why ASP.NET is not able to write to the temporary log folder is because that
    process is not there to facilitate it - or does that make sense to you?

    If it isn't there, then perhaps it was never installed in the first place, and that leads me to
    question as to whether or not I was using the right account (Super-administrator) in performing
    the installation/activation.

    I'm very interested in getting your opinion (gemcgr) and anyone else's on this matter.

    THANKS for the response!!!


  • 02-06-2009, 11:03 AM In reply to

    • t-gemcgr
    • Top 150 Contributor
    • Joined on 01-15-2009, 11:50 AM
    • Posts 37

    Re: Built-in Super-administrator Account???

    Can you confirm which identity the app pool is running under? To do this, click on the app pool in IIS7, then click on advanced settings (on the pane down the right hand side). You should see the "identity". Change it to Network Service if it's not already set.

    Cheers

    George McGraffin
  • 02-06-2009, 3:53 PM In reply to

    • Wylbur
    • Top 500 Contributor
    • Joined on 02-04-2009, 3:58 PM
    • Posts 15

    Re: Built-in Super-administrator Account???

    t-gemcgr:

    Can you confirm which identity the app pool is running under? To do this, click on the app pool in IIS7, then click on advanced settings (on the pane down the right hand side). You should see the "identity". Change it to Network Service if it's not already set.



    Hi gemcgr;

    If the app pool for wwwroot is DefaultAppPool, then the identity for it is indeed "NetworkService".

    I've set security permissions on the temporary folder for both NETWORK SERVICE and IUSR
    to "modify" - with no result; ASP.NET is still unable to write to the temporary folder.

    (I did think to restart IIS after making this change.)

    THANKS!!!

  • 02-07-2009, 6:28 AM In reply to

    • t-gemcgr
    • Top 150 Contributor
    • Joined on 01-15-2009, 11:50 AM
    • Posts 37

    Re: Built-in Super-administrator Account???

    1. Delete everything in the asp.net temporary folder.

    2. browse to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215

    run > aspnet_regiis -ga "NT Authority\Network Service"

    This will grant Network Service all of the correct permissions.

    Cheers

    George McGraffin
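
Added example, not part of the original posts: a PowerShell check of what the ACL on the compile folder actually grants after a change like the ones discussed above. The folder path is taken from the BC31019 error quoted earlier in the thread; the function name is hypothetical, and an elevated prompt is assumed.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt.
# Path is the compile folder from the BC31019 error quoted earlier in the thread.
$TempAspNet = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files'
# Accounts the thread granted "modify" to; matched on the name after the backslash.
$Accounts = 'NETWORK SERVICE', 'IUSR'

function Get-AccountAcl {   # hypothetical helper name
    param([string]$Path, [string[]]$Account)

    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path

    foreach ($name in $Account) {
        $rules = @($acl.Access | Where-Object {
            $_.IdentityReference.Value.Split('\')[-1] -eq $name
        })
        if ($rules.Count -eq 0) {
            # No explicit entry: any access comes only through group membership.
            New-Object PSObject -Property @{
                Account = $name; Type = 'none'; Rights = ''; AppliesTo = ''
                Inherited = $null; CoversModify = $false
            }
            continue
        }
        foreach ($r in $rules) {
            New-Object PSObject -Property @{
                Account      = $name
                Type         = $r.AccessControlType   # Allow or Deny
                Rights       = $r.FileSystemRights
                # None = this folder only, not the folders and files created beneath it.
                AppliesTo    = $r.InheritanceFlags
                Inherited    = $r.IsInherited
                # True when the rule (allow or deny) includes every Modify bit.
                CoversModify = (([int]$r.FileSystemRights -band $modify) -eq $modify)
            }
        }
    }
}

Get-AccountAcl -Path $TempAspNet -Account $Accounts |
    Select-Object Account, Type, Rights, AppliesTo, Inherited, CoversModify |
    Format-Table -AutoSize
```

A Deny row, or an Allow row whose AppliesTo is None, is worth checking first when subfolders get created but a file write beneath them is refused.
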
  • 02-07-2009, 11:55 AM In reply to

    • Wylbur
    • Top 500 Contributor
    • Joined on 02-04-2009, 3:58 PM
    • Posts 15

    Re: Built-in Super-administrator Account???

    t-gemcgr:

    1. Delete everything in the asp.net temporary folder.

    2. browse to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215

    run > aspnet_regiis -ga "NT Authority\Network Service"

    This will grant Network Service all of the correct permissions.



    Hi George;

    It didn't work. I can't tell you how disappointed I am. What you had suggested looked good.

    These are the messages that were issued when I ran the command:
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Start granting NT Authority\Network Service access to the IIS metabase
    and other directories used by ASP.NET.
    Finished granting NT Authority\Network Service access to the IIS metabase
    and other directories used by ASP.NET.
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    I was hopeful after seeing that - but no.

    When I tried to open the .aspx page in Internet Explorer, it created a folder called "root"
    within the Temporary folder (after I had cleaned it out beforehand)  - along with a few other
    folders and files within that folder - but it still generated the same "Access is denied" error
    (CS0016).

    I ran Process Monitor while loading the page last night, and I see that w3wp.exe is not finding
    several files while it is running. I can send you the log that was generated if you would like to
    send to me a valid email address (mine is wylbur [at] peoplepc [ dot] com). I'd post that log
    to the forum, but it's over 6 MB.

    I really do appreciate your efforts in this matter - THANK YOU!!!

    (I'm wondering if I should send a message to someone at Microsoft at this point - but whom?)


  • 02-10-2009, 4:43 AM In reply to

    • t-gemcgr
    • Top 150 Contributor
    • Joined on 01-15-2009, 11:50 AM
    • Posts 37

    Re: Built-in Super-administrator Account???

    Try using procmon to identify any Access Denied warnings.

    Check your event logs to see if there is further information about the access denied.

    Cheers

    George McGraffin
  • 02-10-2009, 6:17 AM In reply to

    • Wylbur
    • Top 500 Contributor
    • Joined on 02-04-2009, 3:58 PM
    • Posts 15

    Re: Built-in Super-administrator Account???

    t-gemcgr:

    Try using procmon to identify any Access Denied warnings.

    Check your event logs to see if there is further information about the access denied.



    Hi George;

    I tried that, and I did not see anything with "access denied".

    One thing that I did notice is that the explorer process had A LOT of "file not found"
    entries associated with it. Is that significant? I dunno.

    Perhaps what I need to do is to start going through the docs for procmon and learn
    how to use it better.

    THANKS for the response!!!!

  • 02-11-2009, 4:36 AM In reply to

    Re: Built-in Super-administrator Account???

    Hi,

    Could you set the application pool identity as local system temporary, then test if the problem still persists?

    About detecting permission issues, you can look at the following article in Steve's blog

    Detecting permission issues using auditing and process monitor
    http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx

    Edit:

    Wylbur:
    One thing that I did notice is that the explorer process had A LOT of "file not found"
    entries associated with it. Is that significant? I dunno.
    This behavior is normal, because a process will search more than one location to find the right file.

     

    Leo Tang
    Microsoft Online Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
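
Added example, not part of the original posts: one way to read the result of the auditing approach mentioned above, by pulling failed handle requests (event ID 4656) from the Security log and keeping those raised by the accounts audited in this thread. It assumes PowerShell 2.0 or later, an elevated prompt, and failure auditing already enabled on the folder; the function name and the 15-minute window are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes PowerShell 2.0 or later, an
# elevated prompt, and object-access failure auditing already switched on.
$AuditFailure = 4503599627370496             # Security log "Audit Failure" keyword
$Accounts     = 'NETWORK SERVICE', 'IUSR'    # accounts audited in the thread
$Since        = (Get-Date).AddMinutes(-15)   # constructed window: reproduce the error first

function Get-DeniedHandleRequest {   # hypothetical helper name
    param([datetime]$After, [string[]]$Account)

    $filter = @{
        LogName   = 'Security'
        Id        = 4656            # "A handle to an object was requested"
        Keywords  = $AuditFailure
        StartTime = $After
    }
    # Get-WinEvent reports "no events found" as an error; treat it as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($e in $events) {
        # Flatten the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        # Filter on the requesting account rather than on a process name, so
        # every process running under that identity is included.
        if ($Account -contains $data['SubjectUserName']) {
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                Account = $data['SubjectUserName']
                Process = $data['ProcessName']
                Object  = $data['ObjectName']
                Access  = $data['AccessMask']
            }
        }
    }
}

Get-DeniedHandleRequest -After $Since -Account $Accounts |
    Sort-Object Time |
    Format-Table Time, Account, Process, Object, Access -AutoSize
```

An empty result means no failure was audited for those accounts in the window, which can also indicate that the audit entry on the folder does not cover the object that was refused.
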
  • 02-12-2009, 3:10 PM In reply to

    • Wylbur
    • Top 500 Contributor
    • Joined on 02-04-2009, 3:58 PM
    • Posts 15

    Re: Built-in Super-administrator Account???


    Hi Leo;


    Leo Tang - MSFT:

    Hi,

    Could you set the application pool identity as local system temporary, then test if the problem still persists?



    I'm not sure what you mean by that.

    Are you telling me to set "DefaultAppPool" identity to "LocalSystem"?

    (It is currently set to "NetworkService".)

    I want to make sure that we are clear on this before I do anything.

    Leo Tang - MSFT:

    About detecting permission issues, you can look at the following article in Steve's blog

    Detecting permission issues using auditing and process monitor
    http://weblogs.asp.net/steveschofield/archive/2008/03/07/detecting-permission-issues-using-auditing-and-process-monitor.aspx



    I read that, and it's not very specific - I'm not clear as to what it is that I need to do.

    Which processes should I set my filters for?

    I set auditing for "Network Service" and "IUSR" on the C drive, and there were no entries
    in the security log for either of them when I ran the aspx webpage through Internet Explorer.
    There were a few audit failures, but they had to do with the firewall being unable to issue
    messages to the user - not especially relevant to my problem.


    Leo Tang - MSFT:

    Edit:

    Wylbur:
    One thing that I did notice is that the explorer process had A LOT of "file not found"
    entries associated with it. Is that significant? I dunno.
    This behavior is normal, because a process will search more than one location to find the right file.



    OK - glad we got that cleared up.

    THANKS for the response!!!

