Deploying Orchard to VPS IIS 7.5 Access Denied Error

Feb 13, 2011 at 10:27 PM

Hi,

I have everything working fine locally. I copied the files to my VPS (Win Server 2008 R2, IIS Express), set up a site manually in IIS and restored the db. I navigated to the site and received the error below. I granted the DefaultAppPool identity Read/Write on the App_Data folder and confirmed that none of the files are set as read-only, but the error remains. Are there any other settings I'm missing?

Server Error in '/' Application.
Access to the path 'C:\inetpub\wwwroot\DigitalWood\App_Data\Dependencies\Orchard.Blogs.dll' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
Exception Details: System.UnauthorizedAccessException: Access to the path 'C:\inetpub\wwwroot\DigitalWood\App_Data\Dependencies\Orchard.Blogs.dll' is denied. 
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user. 
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Source Error: 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace: 

[UnauthorizedAccessException: Access to the path 'C:\inetpub\wwwroot\DigitalWood\App_Data\Dependencies\Orchard.Blogs.dll' is denied.]
   System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) +12892935
   System.IO.File.Delete(String path) +250
   Orchard.FileSystems.AppData.AppDataFolder.MakeDestinationFileNameAvailable(String destinationFileName) in d:\TeamCity\Projects\Orchard-1.x\src\Orchard\FileSystems\AppData\AppDataFolder.cs:70

[OrchardCoreException: Unable to make room for file "C:\inetpub\wwwroot\DigitalWood\App_Data\Dependencies\Orchard.Blogs.dll" in "App_Data" folder]
   Orchard.FileSystems.AppData.AppDataFolder.MakeDestinationFileNameAvailable(String destinationFileName) in d:\TeamCity\Projects\Orchard-1.x\src\Orchard\FileSystems\AppData\AppDataFolder.cs:73
   Orchard.Environment.Extensions.ExtensionLoaderCoordinator.ProcessContextCommands(ExtensionLoadingContext ctx) in d:\TeamCity\Projects\Orchard-1.x\src\Orchard\Environment\Extensions\ExtensionLoaderCoordinator.cs:292
   Orchard.Environment.Extensions.ExtensionLoaderCoordinator.SetupExtensions() in d:\TeamCity\Projects\Orchard-1.x\src\Orchard\Environment\Extensions\ExtensionLoaderCoordinator.cs:74
   Orchard.Environment.DefaultOrchardHost.BuildCurrent() in d:\TeamCity\Projects\Orchard-1.x\src\Orchard\Environment\DefaultOrchardHost.cs:85

Developer
Feb 14, 2011 at 1:18 AM

Hi!

Which user have you granted the read/write permissions to? IUSR_<MACHINE_NAME> is the default account you should add permissions to. Check whether this user has read/write access to the whole Orchard directory (DigitalWood in your case) - not only to the AppData folder. The good practice from the security perspective is to create a separate user account (local or domain if you're using AD) for the sole purpose of running your app pool with the Impersonate=true property set. It makes it clear who you should grant privileges to.

Cheers, Piotr

Apr 17, 2011 at 12:22 AM

I had the same problem on the Rackspace cloud, even though the user I specified in my identity impersonate tag had read/write permissions (and was the owner). I had to set read/write for the group as well... I have an open ticket for this.

Apr 20, 2011 at 5:42 PM

See the following section of the documentation on installing Orchard manually to run under IIS.  It suggests several specific Orchard folders for which you need to enable "write permissions" for the account that is configured as the identity for the app pool.  For example, the "modules" and "themes" folders need this configuration.  I would check and make sure you have all these folders configured as suggested. 

http://orchardproject.net/docs/Manually-installing-Orchard-zip-file.ashx#Running_the_Site_Using_IIS_1
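
An added example, not part of any post in this thread or of the Orchard documentation: a PowerShell check that the app pool identity from the first post holds Modify rights on the folders named above, granting them with icacls only where they are missing. The site path and pool name are the ones quoted in the thread; the `IIS AppPool\<pool name>` account form assumes the pool runs under ApplicationPoolIdentity.

```powershell
# Added example: audit, then grant, write access for the app pool identity.
# $SiteRoot and $PoolName are taken from the thread; adjust both for your server.
$SiteRoot = 'C:\inetpub\wwwroot\DigitalWood'
$PoolName = 'DefaultAppPool'
$Identity = "IIS AppPool\$PoolName"          # assumes ApplicationPoolIdentity
$Writable = 'App_Data', 'Modules', 'Themes'  # folders named in this thread

$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-ModifyAccess {
    param([string]$Path, [string]$Account)
    # True when a single Allow ACE naming $Account covers every bit of Modify.
    # Group membership and Deny ACEs are not evaluated here.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ieq $Account -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $Modify) -eq $Modify) {
            return $true
        }
    }
    return $false
}

foreach ($name in $Writable) {
    $path = Join-Path $SiteRoot $name
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Missing folder: $path"
        continue
    }
    if (Test-ModifyAccess -Path $path -Account $Identity) {
        Write-Output "OK      $path"
        continue
    }
    # (OI)(CI) lets the ACE inherit to files and subfolders; M = Modify,
    # which includes the Delete right that File.Delete needed in the trace.
    & icacls.exe $path /grant "${Identity}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $path (run from an elevated prompt)"
        continue
    }
    Write-Output "GRANTED $path"
}
# Only the listed folders become writable; the rest of the site is left as is.
```

Run it from an elevated prompt on the server; a second run should report OK for every folder that exists.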

Jun 25, 2012 at 12:59 PM

I have the same problem on my ISP and got this response:

The stacktrace confirms what I suspected (and the information that you sent does as well), which is that it's trying to write to files when the application starts, before the point where ASP.Net impersonation kicks in. This means it's trying to write as the application pool user, rather than as your domain user, so doesn't have access. Scripts should never try to write to files before impersonation kicks in.

It can be fixed by setting the permissions to allow writing to your domain by the application pool user, but we accept no responsibility for any damages caused, as it means that security is reduced as any other user on the server will also be able to write to it. This is why writing to files should always be done after impersonation.

Hence my account has write permission but this is happening at a lower level/outside of my accounts privileges.

Is there a way round this??

Coordinator
Jun 26, 2012 at 5:29 AM

"Scripts should never try to write to files before impersonation kicks in.": that's what they say. Why are they using impersonation? I don't know of a good reason for a hosting company to do that. It certainly is not more secure if the server is otherwise well configured. I think your best option is to move to a better hosting company.

Jun 26, 2012 at 5:52 AM

I'm trying to find a new hosting company in the UK now. If anybody can recommend one please let me know. I'm finding it difficult to work out if Orchard will work with any particular providers, suggestions welcome...

Dec 22, 2012 at 11:05 AM

I have the same problem. When I assign full permission to the module and theme folders, my error changes to this:

 

Server Error in '/' Application.

The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly.

Requested URL: /


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.272

 

Is there any suggestion for me?

Developer
Dec 23, 2012 at 7:53 AM

That 404 could indicate there's an error going on early in the request life cycle. Is there anything in the Orchard log files?

Feb 14, 2013 at 8:11 PM

I've got precisely the same issue with the same history. The Orchard logs are apparently generated daily at midnight(?). So, if I check it tomorrow, error info will be in there? There's nothing in the existing logs from prior days; all blank.

Thanks for any tips on this!

Coordinator
Feb 14, 2013 at 11:06 PM

No, logs are generated as errors happen. What can happen is that your hosting company does not give you direct access to those logs, and uses some kind of replication instead. I've seen that with Gearhost for example. Very frustrating when debugging something that only happens on the live environment.

Feb 15, 2013 at 6:24 AM

I have the same, or maybe similar problem:

The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

Requested URL: /

Log:
2013-02-15 00:00:29,105 [5] Orchard.Environment.DefaultOrchardHost - A tenant could not be started: Default
NHibernate.HibernateException: Could not create the driver from Orchard.Data.Providers.SqlCeDataServicesProvider+OrchardSqlServerCeDriver, Orchard.Framework, Version=1.6.0.0, Culture=neutral, PublicKeyToken=null. ---> System.Reflection.TargetInvocationException: Ein Aufrufziel hat einen Ausnahmefehler verursacht. ---> System.UnauthorizedAccessException: Zugriff verweigert (Ausnahme von HRESULT: 0x80070005 (E_ACCESSDENIED))
bei System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
bei System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode)
bei System.Data.SqlServerCe.UnmanagedLibraryHelper..ctor(String fileName)
bei System.Data.SqlServerCe.NativeMethodsHelper..ctor(String modulePath)
bei System.Data.SqlServerCe.NativeMethods.LoadValidLibrary(String modulePath)
bei System.Data.SqlServerCe.NativeMethods.LoadNativeBinariesFromPrivateFolder(String privateInstall)
bei System.Data.SqlServerCe.NativeMethods.LoadNativeBinaries()
bei System.Data.SqlServerCe.SqlCeCommand..ctor()
--- Ende der internen Ausnahmestapelüberwachung ---
bei System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
bei System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
bei System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
bei System.Activator.CreateInstance(Type type, Boolean nonPublic)
bei NHibernate.Bytecode.ActivatorObjectsFactory.CreateInstance(Type type)
bei NHibernate.Driver.ReflectionDriveConnectionCommandProvider.CreateCommand()
bei NHibernate.Driver.ReflectionBasedDriver.CreateCommand()
bei NHibernate.Driver.SqlServerCeDriver.Configure(IDictionary`2 settings)
bei Orchard.Data.Providers.SqlCeDataServicesProvider.OrchardSqlServerCeDriver.Configure(IDictionary`2 settings) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\Providers\SqlCeDataServicesProvider.cs:Zeile 78.
bei NHibernate.Connection.ConnectionProvider.ConfigureDriver(IDictionary`2 settings)
--- Ende der internen Ausnahmestapelüberwachung ---
bei NHibernate.Connection.ConnectionProvider.ConfigureDriver(IDictionary`2 settings)
bei NHibernate.Connection.ConnectionProvider.Configure(IDictionary`2 settings)
bei NHibernate.Connection.ConnectionProviderFactory.NewConnectionProvider(IDictionary`2 settings)
bei NHibernate.Cfg.SettingsFactory.BuildSettings(IDictionary`2 properties)
bei NHibernate.Cfg.Configuration.BuildSettings()
bei NHibernate.Cfg.Configuration.BuildSessionFactory()
bei Orchard.Data.SessionFactoryHolder.BuildSessionFactory() in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\SessionFactoryHolder.cs:Zeile 86.
bei Orchard.Data.SessionFactoryHolder.GetSessionFactory() in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\SessionFactoryHolder.cs:Zeile 64.
bei Orchard.Data.SessionLocator.For(Type entityType) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\SessionLocator.cs:Zeile 29.
bei Orchard.Data.Repository`1.get_Session() in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\Repository.cs:Zeile 26.
bei Orchard.Data.Repository`1.get_Table() in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\Repository.cs:Zeile 30.
bei Orchard.Data.Repository`1.Fetch(Expression`1 predicate) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\Repository.cs:Zeile 126.
bei Orchard.Data.Repository`1.Get(Expression`1 predicate) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\Repository.cs:Zeile 91.
bei Orchard.Data.Repository`1.Orchard.Data.IRepository<T>.Get(Expression`1 predicate) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Data\Repository.cs:Zeile 60.
bei Orchard.Core.Settings.Descriptor.ShellDescriptorManager.GetDescriptorRecord() in c:\Users\sebros\My Projects\Orchard\src\Orchard.Web\Core\Settings\Descriptor\ShellDescriptorManager.cs:Zeile 57.
bei Orchard.Core.Settings.Descriptor.ShellDescriptorManager.GetShellDescriptor() in c:\Users\sebros\My Projects\Orchard\src\Orchard.Web\Core\Settings\Descriptor\ShellDescriptorManager.cs:Zeile 30.
bei Orchard.Environment.ShellBuilders.ShellContextFactory.CreateShellContext(ShellSettings settings) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Environment\ShellBuilders\ShellContextFactory.cs:Zeile 66.
bei Orchard.Environment.DefaultOrchardHost.CreateShellContext(ShellSettings settings) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Environment\DefaultOrchardHost.cs:Zeile 174.
bei Orchard.Environment.DefaultOrchardHost.CreateAndActivateShells() in c:\Users\sebros\My Projects\Orchard\src\Orchard\Environment\DefaultOrchardHost.cs:Zeile 134.

Any idea what could be the problem? I use Orchard 1.6

Thanks

Coordinator
Feb 15, 2013 at 6:29 AM

Looks like a file permission issue.

Feb 15, 2013 at 6:23 PM

Thanks, it works now. But now I have another problem.

When I want to log in, the username and password are accepted, but nothing happens; I do not get logged in.

Thanks

Coordinator
Feb 16, 2013 at 1:33 AM

Sep 25, 2013 at 10:35 AM

For those who might have trouble similar to this (i.e. write access errors although files/folders seem to have the correct permission settings) after VS Web Deploy:

http://www.smarterasp.net/support/KB/a245/acl-was-altered-after-using-vs-web-deploy.aspx