IIS 7 manager - Error remotely administering a Website with no admin rights

  • Question

  • User-1642879410 posted

     Dear all,

    I have installed the IIS Manager on Windows XP and I'm trying to administer a website remotely.

    Management service is running, the user (a Windows domain user account with no admin permissions on the server) has been added in the "IIS Manager Permissions" for the website and it has read/write permissions in the website folder. I connect to the website in IIS Manager, provide the username and password, and the connection is established. I see the website Home correctly, but when I try to access any of the features of the website (e.g. Authentication) I get the following error in a pop-up window:

    _________________________

    Authentication

    There was an error while performing this operation.

    Details:

    Creating an instance of the COM component with CLSID {B72133B-3F5b-4602-8952-803546CE3344} from the IClassFactory failed due to the following error: 80070005.

    ________________________ 

     
    Any idea on what is happening? If I use a user with admin rights on the server hosting the website, there is no problem.

     Thank you in advance!
     

    Monday, November 17, 2008 7:14 AM

All replies

  • User989702501 posted

    What's the user role for the remote management? Site admin or app admin? I recall you need to connect to the app directly (http://site.com/app/) if you are the app owner... and not really connect to the site root.

    Monday, November 17, 2008 7:16 AM
  • User-1642879410 posted

     Hi qbernard,

    The user has been granted site admin privileges.

    Any idea? 

    Monday, November 17, 2008 9:57 AM
  • User-1642879410 posted

     Something similar happens in this post:

    http://forums.iis.net/t/1148955.aspx

    I have used procmon as described in the post, and the DENIED ACCESS in my case is in the folder:

    C:\windows\system32\inetsrv\conf\schema

    which is a system folder where I should not change permissions...

    There is also a PATH NOT FOUND error; I don't know if it has something to do with it.

     
     The log in procmon is:

    4:24:39.1036522 PM    wmsvc.exe    5452    CreateFile    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\WMSvc\Site\Service.axd\web.config    PATH NOT FOUND    Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a
    4:24:39.3105494 PM    wmsvc.exe    5452    RegOpenKey    HKU\S-1-5-21-119559289-1840127793-336618761-650489    NAME NOT FOUND    Desired Access: Maximum Allowed
    4:24:39.3219671 PM    wmsvc.exe    5452    RegOpenKey    HKU\S-1-5-21-119559289-1840127793-336618761-650489    NAME NOT FOUND    Desired Access: Maximum Allowed
    4:24:39.3342717 PM    wmsvc.exe    5452    RegOpenKey    HKU\S-1-5-21-119559289-1840127793-336618761-650489    NAME NOT FOUND    Desired Access: Maximum Allowed
    4:24:39.3347603 PM    wmsvc.exe    5452    RegOpenKey    HKU\S-1-5-21-119559289-1840127793-336618761-650489    NAME NOT FOUND    Desired Access: Maximum Allowed
    4:24:39.3439839 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\CGI    NAME NOT FOUND    Length: 144
    4:24:39.3444328 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\BasicAuthentication    NAME NOT FOUND    Length: 144
    4:24:39.3446278 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\ClientCertificateMappingAuthentication    NAME NOT FOUND    Length: 144
    4:24:39.3452446 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\DigestAuthentication    NAME NOT FOUND    Length: 144
    4:24:39.3454483 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\Authorization    NAME NOT FOUND    Length: 144
    4:24:39.3463342 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\DirectoryBrowse    NAME NOT FOUND    Length: 144
    4:24:39.3476081 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\HttpRedirect    NAME NOT FOUND    Length: 144
    4:24:39.3484431 PM    wmsvc.exe    5452    RegQueryValue    HKLM\SOFTWARE\Microsoft\InetStp\Components\CGI    NAME NOT FOUND    Length: 144
    4:24:39.3825164 PM    wmsvc.exe    5452    CreateFile    C:\Windows\System32\inetsrv\config\schema    ACCESS DENIED    Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: MYDOMAIN\myuser
    4:24:39.3920411 PM    wmsvc.exe    5452    QueryOpen    C:\Windows\System32\inetsrv\WMSvc.exe    FAST IO DISALLOWED    
    4:24:39.4016599 PM    wmsvc.exe    5452    QueryOpen    C:\Windows\System32\inetsrv\WMSvc.exe    FAST IO DISALLOWED    
    4:24:39.4033917 PM    wmsvc.exe    5452    QueryOpen    C:\Windows\System32\inetsrv\WMSvc.exe    FAST IO DISALLOWED    
    4:24:39.4046784 PM    wmsvc.exe    5452    QueryOpen    C:\Windows\System32\inetsrv\WMSvc.exe    FAST IO DISALLOWED    

     Any idea?

     

    Wednesday, November 19, 2008 11:18 AM
  • User-47214744 posted

    That is weird, could you run:

    icacls.exe %windir%\system32\inetsrv\config\schema

    Also, have you changed the identity that WMSVC runs under? Are you using Shared configuration? Is your virtual directory in a UNC?

    Wednesday, November 19, 2008 11:57 AM
  • User-1642879410 posted

     Hola Carlos, thank you for your answer.

    This is the result of icacls:

    C:\Users\Administrator>icacls.exe %windir%\system32\inetsrv\config\schema
    C:\Windows\system32\inetsrv\config\schema NT SERVICE\TrustedInstaller:(F)
                                              NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                              NT AUTHORITY\SYSTEM:(M)
                                              NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                              BUILTIN\Administrators:(M)
                                              BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                              BUILTIN\Users:(RX)
                                              BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                                              CREATOR OWNER:(OI)(CI)(IO)(F)

    Successfully processed 1 files; Failed processing 0 files

     
    WMSvc is running under Local Service, and I'm not using Shared configuration. Neither am I using UNC, everything is local.

    BTW, If I use IIS Manager users it works, but not for Windows users. 

    Wednesday, November 19, 2008 12:18 PM
  • User989702501 posted

    Funny, your icacls result is normal, why is access still denied? I have not got this error myself during testing. Is there any error in the WM log? Have you got the latest build?

    Thursday, November 20, 2008 1:47 AM
  • User-1642879410 posted

    I have new information.

    If I restart the Web Management service and try to access the website remotely with my domain user account (from my Windows XP), I get an error:

    Connect to Site

    Could not connect to the specified computer.

    Details: The remote server returned an error: (401) Unauthorized.

     

    In the Event Viewer of the server I can find the following errors:

    IISWMSVC_LOGIN_UNKNOWN_ERROR

    An unexpected error occurred while retrieving the login information.

    Exception:System.UnauthorizedAccessException: Creating an instance of the COM component with CLSID {228FB8F7-FB53-4FD5-8C7B-FF59DE606C5B} from the IClassFactory failed due to the following error: 80070005.
       at Microsoft.Web.Administration.ConfigurationManager.CreateAdminManager(WebConfigurationMap webConfigMap, String configPathToEdit, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.CreateConfiguration(WebConfigurationMap configMap, String configPathToEdit, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.GetConfiguration(String rawConfigurationPath, String cacheKey, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ServerManager.get_SitesSection()
       at Microsoft.Web.Administration.ServerManager.get_Sites()
       at Microsoft.Web.Management.Server.ApplicationManagementUnit.EnsureDefinition()
       at Microsoft.Web.Management.Server.ApplicationManagementUnit..ctor(IManagementContext context, String siteName, String applicationPath)
       at Microsoft.Web.Management.Server.WebManagementHttpModule.CreateManagementUnit(HttpRequest request)
       at Microsoft.Web.Management.Server.WebManagementHttpModule.OnApplicationPostAuthorizeRequest(Object sender, EventArgs e)

    Process:WMSvc
    User=MYDOMAIN\myuser

     

    IISWMSVC_AUTHORIZATION_UNABLE_TO_READ_CONFIG

    An unexpected error occurred while retrieving the authorization information.

    Exception:System.UnauthorizedAccessException: Creating an instance of the COM component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from the IClassFactory failed due to the following error: 80070005.
       at Microsoft.Web.Administration.ConfigurationManager.CreateWritableAdminManager(WebConfigurationMap webConfigMap, String configPathToEdit, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.CreateConfiguration(WebConfigurationMap configMap, String configPathToEdit, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.GetConfiguration(String rawConfigurationPath, String cacheKey, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.GetAdministrationConfiguration(WebConfigurationMap configMap, String configurationPath)
       at Microsoft.Web.Administration.ServerManager.GetAdministrationConfiguration()
       at Microsoft.Web.Management.Server.ConfigurationAuthorizationProvider.GetSection(ServerManager serverManager)

    Process:WMSvc
    User=MYDOMAIN\myuser


     IISWMSVC_AUTHORIZATION_FAILED

    The user 'MYDOMAIN\myuser' is not authorized for the path '/testSite2'.

    Exception:System.UnauthorizedAccessException: Creating an instance of the COM component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} from the IClassFactory failed due to the following error: 80070005.
       at Microsoft.Web.Administration.ConfigurationManager.CreateWritableAdminManager(WebConfigurationMap webConfigMap, String configPathToEdit, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.CreateConfiguration(WebConfigurationMap configMap, String configPathToEdit, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.GetConfiguration(String rawConfigurationPath, String cacheKey, Boolean isAdminConfig)
       at Microsoft.Web.Administration.ConfigurationManager.GetAdministrationConfiguration(WebConfigurationMap configMap, String configurationPath)
       at Microsoft.Web.Administration.ServerManager.GetAdministrationConfiguration()
       at Microsoft.Web.Management.Server.ConfigurationAuthorizationProvider.GetSection(ServerManager serverManager)
       at Microsoft.Web.Management.Server.ConfigurationAuthorizationProvider.IsAuthorized(IPrincipal principal, String configurationPath)
       at Microsoft.Web.Management.Server.ManagementAuthorization.IsAuthorized(IPrincipal principal, String configurationPath)
       at Microsoft.Web.Management.Server.WebManagementAuthorizationModule.IsAuthorized(HttpContext context)

    Process:WMSvc
    User=MYDOMAIN\myuser


    And in the Web Management service logs:

    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2008-11-20 09:01:21 10.120.65.14 POST /Service.axd Module=Framework&Method=GetWebManagementInfo&Site=testSite2 8172 mydomain\myuser10.120.65.189 WebManagementShell|7.0.0.0|2.0.50727.1433|System.Windows.Forms.Control 401 0 0 2468
    2008-11-20 09:01:21 10.120.65.14 POST /Service.axd Module=Framework&Method=GetWebManagementInfo&Site=testSite2 8172 rmydomain\myuser 10.120.65.189 WebManagementShell|7.0.0.0|2.0.50727.1433|System.Windows.Forms.Control 401 2 0 93

    But if I access the site remotely using a user with admin rights on the server I can connect to the website, and after that, I'm also able to access the site with the non-privileged user.

    So it seems as if the non-admin user does not have permissions to create the instance of the COM component, but once the admin user has created the COM component, the normal user can access the website. However, with the normal user I still have the initial problem when trying to access any of the features of the website.

    In the Web management service logs I do not get 401 status codes any more and all I can see are 200.

     Could this help to find a solution?

    Sorry for the long post....

    Thursday, November 20, 2008 4:06 AM
  • User989702501 posted

    I wish I can test it now.. my w2k8 virtual machine is dead :(
    It has also been a while since I played with this. I know that for an IIS Manager user, once logged on, the request will impersonate from the WMSVC, which has the access right on the config files, but for a normal Windows user I forgot :) and what you described doesn't look like the WMSVC user is doing it but rather your actual Windows user. So make sure that the Windows user has access to the site folder...

    Also, just to verify the above, if you add the user to the local admin group, it should work, right?

    Friday, November 21, 2008 4:08 AM
  • User-1642879410 posted

     Another clue,

    If I give "list folder contents" permissions to the non admin user on C:\Windows\System32\inetsrv\config , everything works!

    Why should I need to give these permissions to any website administrator?

    Have any of you configured remote site administration for windows users? Did you need to grant this kind of permissions?

     

    Friday, November 21, 2008 4:28 AM
  • User-1642879410 posted

     Hi qbernard,

    Sorry, I was writing my previous post before watching your response.

    The non admin user has modify rights on the website folder.

    If I add the user to the administrators group, everything works.. 

    Friday, November 21, 2008 4:33 AM
  • User989702501 posted

    Cool, so it is definitely permission related issue then.

    I'm not sure what the 'actual' permissions needed are, 'list folder' content sounds ok to me... please take it out from the admin group, it is only for testing.

    Sunday, November 23, 2008 11:58 PM
  • User-1642879410 posted

     Hi all,

    Finally I got the solution!

    I compared the security policies of a default Windows 2008 (C:\Windows\inf\deftsv.inf) with the policies applied on my server using the Security Configuration and Analysis MMC tool, and after a lot of struggling I found the policy causing the problem:

    "Bypass traverse checking"

    This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

    On my server, this policy was not set for the "Users" group. Then, when my impersonated user tried to access the folder C:\windows\system32\inetsrv\config\schema (where Users are allowed to read) there was a problem because the user did not have permissions on the folder C:\windows\system32\inetsrv\config, and because of the policy the user could not traverse the directory. Just by adding the Users group to the policy, everything worked fine without giving any additional permission on the config folder.

    Maybe this could help anyone in the same situation in the future :) 

    Monday, December 1, 2008 9:37 AM
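
Added example, not part of the original thread: the template comparison described in the post above, done as a script that diffs the `[Privilege Rights]` section of a baseline security template against an export from the server (for instance one written by `secedit /export /areas USER_RIGHTS /cfg <file>`). Both template texts and the function names are constructed for illustration; only the section layout and the well-known SIDs are real.

```python
# Added example: find principals that a baseline template grants a user right to
# but the server's exported policy does not. Sample data below is constructed.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
; constructed baseline entries
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
SERVER_INF = """\
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""
WELL_KNOWN_SIDS = {
    "*S-1-1-0": "Everyone",
    "*S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "*S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "*S-1-5-32-544": "BUILTIN\\Administrators",
    "*S-1-5-32-545": "BUILTIN\\Users",
    "*S-1-5-32-551": "BUILTIN\\Backup Operators",
}

def parse_privilege_rights(inf_text):
    """Return {privilege name (lower case): set of principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # INF comments start with ';'
        if not line:
            continue
        if line.startswith("["):                 # a new section header begins
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def principals_missing_on_server(baseline_text, server_text, privilege):
    """Principals holding `privilege` in the baseline but not on the server."""
    key = privilege.lower()
    baseline = parse_privilege_rights(baseline_text).get(key, set())
    server = parse_privilege_rights(server_text).get(key, set())
    return sorted(WELL_KNOWN_SIDS.get(p, p) for p in baseline - server)

# "Bypass traverse checking" is the display name of SeChangeNotifyPrivilege.
print(principals_missing_on_server(BASELINE_INF, SERVER_INF, "SeChangeNotifyPrivilege"))
```

Files written by `secedit /export` are typically UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text in.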
  • User-1064949568 posted

    Hi all,

    I got the same error "Retrieving the COM class factory for component with CLSID {2B72133B-3F5B-4602-8952-803546CE3344} failed due to the following error: 80040154." I am using IIS 7 to connect to my own laptop (not trying to access/manage any remote IIS server). I am logged in as Admin user. I have Windows Vista business edition. I got this error today as I want to change a virtual directory name, I am not sure but I think I try to access IIS almost after a month or so. 

    Please help me...

    Thanks....  

    Monday, January 26, 2009 11:43 AM