
Login: Access Denied after successful installation

Topics: Administration, Installing Orchard
Nov 20, 2012 at 8:30 AM
Edited Nov 20, 2012 at 3:55 PM

I can't log into Orchard after installation. I get an Access Denied error. I've tried installing it twice and still get the same errors, so I know I typed in the correct username and password.

Screenshot of error


The server is Win2k3 Standard, IIS6, .Net 4, MVC 2 and 3 installed. MS SQL2005 standard. I've given full permission to the Orchard folders to the Network Services and IUSR accounts.


Any ideas?

Nov 20, 2012 at 10:45 AM
Edited Nov 20, 2012 at 10:48 AM

I had the same problem on a local installation: try to set the Machine Key.

Jul 1, 2013 at 12:39 AM
I have the exact same issue. The logon.cshtml view code for the <h1 class="page-title">@Html.TitleForPage((string)Model.Title)

displays at the access denied. Logging in does not allow users to log in.

I have the machine key set per the suggestion above, but I have spent way too much time on this. Searching and searching, testing, reinstalling.

I am new to MVC, but imagine that the code is trying to read a file that does not exist, or that the impersonated user cannot access. I currently have my impersonated user as a domain admin, and in the ISURS group. Trying to do anything just so I can see Orchard actually work.

Any suggestions would be great. Too many days working on this.
Jul 1, 2013 at 1:09 AM
Other things to check: you are using the right password and the user you are trying to log in actually is valid. If you lost the admin password somehow, you can hack it back:

What makes you think it's trying to read a non-existing file?

That thing about impersonation sounds suspect. Try to turn that off.
Jul 1, 2013 at 2:27 AM
So what I needed to do is assign the user directly to the folder, instead of a group the user belonged to. Not sure why Windows was processing security the way it was.

But I still get an access denied for the title of the page when logging in. This is fine, I will just hard code the title into the view, as it is a view specific to the login, so there is no reason to have it dynamic anyway, unless of course the login view is used in other areas. But if I label the h1 simply Login page, it will not matter if it is used in other places.

Recap of issues, there were two.

Issue One
When at the login page, the screenshot error above would display for me. This was simply the title not rendering correctly. The code which does not render is below.

<h1 class="page-title">@Html.TitleForPage((string)Model.Title)</h1>

Issue Two
Even though I had my IIS application folder path impersonation user belonging to a group which had read/write permissions to all the files in the web application, authorization and the MVC result actions will not occur. Once I assigned the actual account directly to the root folder of the web application, the web application would actually redirect the login attempt after authentication.
Jul 1, 2013 at 10:37 PM

Turns out this issue is still not solved, it just reared an ugly new head.

So when I am on the console of the web server, I can log in to the Orchard web interface just fine after making the change I listed above (added the IIS app impersonated user directly to the IUSR Group). And after doing that, I don't see the "Access Denied" message on the login page where the page title should be, I see the actual page title. I am able to log in just fine too.

If I go to the login page of the Orchard web site from a remote PC/Mac I still see the "Access Denied" where the page title should be, and I cannot log into the Orchard CMS management interface. No errors, it just cycles back to the login page with the access denied title name page.

So it has to be something with a resource that I HAVE THE DOMAIN/COMPUTERNAME assigned to. More hunting and an update to come.
Jul 2, 2013 at 12:56 AM
What do you mean by impersonation? There is an IIS feature where the server impersonates the connected logged in user. This is not supported. What is supported is to configure the application pool to be a specific user. You then need read/write access to app_data for that user, and also on media if you intend on uploading any media, and modules and themes if you are going to install new modules and themes from the admin.
Jul 2, 2013 at 1:09 AM
If in [IIS >> web application >> Advanced Settings >> General >> Physical path Credentials] you enter in credentials, the web application will impersonate using that user when accessing the actual file folders and files rather than the application pool user account.

I can try and set the "Physical path Credentials" back to the application Pool, and then change the user account on the application pool to a specific user, then verify permissions. Will post results in a few.
Jul 2, 2013 at 1:20 AM
Edited Jul 2, 2013 at 1:30 AM
When I made the change, I could no longer view Orchard. I receive a "Service Unavailable" HTTP Error 503. The service is unavailable.

The Security log has a 4625 Audit Failure for Logon for the account I set up in the application pool. The user has not been granted the requested logon type at this machine. The type is 4, which is Logon as batch job.

Also, there is an error that says
"Application Pool [the pool name] has been disabled. Windows Process Activation (WAS) encountered a failure when it started a worker process to serve the application pool."

Normally this means that the account used for the application pool is not in the local policy Logon as batch job. So adding that now.

Information about the Application Pool
.NET 4.0
Identity: domain\username (account is not locked, belongs to domain users group)

IIS Web App notes
The web application is using host headers, and is its own web application and not in the default web site.
Jul 2, 2013 at 1:49 AM
That did it. Thanks BertandLeRoy.

For the others out there, so you don't struggle like I did searching a bunch of locations, here is something I think will help you.
  1. Create an AD user specific to your web application.
  2. Create an application pool, and set the pool "Basic Settings" to .NET 4.0 because it will default to 2.0.
  3. Change the "Advanced Settings >> Process Model >> Identity" of the application pool so the account you created in step 1 is being used.
  4. Go to the IIS server Administrative Tools >> Local Security Policy >> Security Settings >> Local Policies >> User Rights Assignment >> Log on as a batch job and add that user to the local policy.
  5. If your web server has multiple web applications sharing the same IP and port number, make sure to add your host header to the IIS >> Sites >> [your web app] >> Bindings. In IIS 7 and up they changed the "Host Header" name to "Host Name", but it's the same thing as host headers in IIS 6.
  6. Unzip your Orchard zip file to your web app folder. Set permissions so that your user in step 1 has read rights to all folders/files in your web application folder.
  7. Specify different permissions for a couple of sub folders. You will have to break inheritance to do this right. Give update permissions to the account you created in step 1 on the media, themes, appdata and modules folders. (Keep in mind that if you are not updating themes or uploading images, you don't need to allow update rights to those folders.)
  8. Also, make sure to add the account you created in step 1 to the IUSR group. If you don't, you will get an error about permissions when writing to a .NET temporary folder: %windir%\Microsoft.NET\Framework\<VERSION>\Temporary ASP.NET Files
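
The steps above, scripted for IIS 7 or later as an added example (not code from the thread or from the Orchard project). It assumes an elevated PowerShell session on the IIS server with the WebAdministration module available; the pool name and folder path are hypothetical placeholders.

```powershell
# Added example: placeholder names below are assumptions, not values from the thread.
Import-Module WebAdministration

$pool    = 'OrchardPool'        # hypothetical application pool name
$root    = 'D:\Sites\Orchard'   # hypothetical web application folder
$cred    = Get-Credential       # the dedicated AD account from step 1 (DOMAIN\user)
$account = $cred.UserName

# Steps 2-3: a .NET 4.0 pool running as the dedicated account.
if (-not (Test-Path "IIS:\AppPools\$pool")) { New-WebAppPool -Name $pool | Out-Null }
Set-ItemProperty "IIS:\AppPools\$pool" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
    identityType = 3            # 3 = SpecificUser
    userName     = $account
    password     = $cred.GetNetworkCredential().Password
}

# Step 6: read/execute on the whole tree, inherited by subfolders and files.
icacls $root /grant "${account}:(OI)(CI)RX" | Out-Null

# Step 7: modify rights only on the folders Orchard writes to at run time.
foreach ($dir in 'App_Data', 'Media', 'Modules', 'Themes') {
    $path = Join-Path $root $dir
    if (Test-Path $path) { icacls $path /grant "${account}:(OI)(CI)M" | Out-Null }
}

# Step 4 check: export the user-rights policy and look for the account's SID
# on the SeBatchLogonRight line. A missing right shows up as the 503 and the
# 4625 (logon type 4) event described earlier in the thread.
$nt  = New-Object System.Security.Principal.NTAccount($account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeBatchLogonRight' | Select-Object -First 1
Remove-Item $cfg

if ($line -and $line.Line -match [regex]::Escape("*$sid")) {
    "OK: $account is listed under 'Log on as a batch job'"
} else {
    # Only direct assignment is checked; the right may also come from a group.
    "CHECK: $account is not listed directly under 'Log on as a batch job'"
}
```

The script only reports on the batch-logon right; granting it is still done through Local Security Policy as in step 4.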