October 2009 Entries
Static content requires authentication in IIS 7

When working on an ASP.Net MVC application using Forms Authentication I found that the static content – .css, .jpg etc. – was not being displayed for unauthenticated users. Once the user was logged on, the static content was successfully retrieved. As a result the logon page was, to put it politely, extremely plain. What made this particularly frustrating was that the problem was experienced in my development environment, and that of one or two others, but not on all dev environments and also not on the production environment (which is a good thing…). The dev environment is IIS7 running on Windows 7 (although I suspect the same would be true of Vista machines); the prod environment uses IIS6.

Looking at Firefox’s error console I could see that the browser’s request for the css file was being redirected to the authentication page:

Error: The stylesheet http://localhost/Registration/Login?ReturnUrl=%2fContent%2fstylesheet.css was not loaded because its MIME type, "text/html", is not "text/css".
Source File:
http://localhost/Registration/Login?ReturnUrl=%2f
Line: 0

After a bit of digging I found that the problem was due to the permissions granted to the anonymous user identity in IIS7.

By default anonymous users in IIS7 run under the identity IUSR (rather than IIS6’s IUSR_MachineName). This can be seen in the IIS Manager, under the site's anonymous authentication settings.

The default anonymous user is defined in a default installation in C:\Windows\System32\inetsrv\config\applicationHost.config:

<anonymousAuthentication enabled="true" userName="IUSR" defaultLogonDomain="" />

As the IUSR identity has very limited permissions, it did not have read access to the location of my website’s static content that I had placed in a directory of my choice (in this case D:\...\...\Website\Content) rather than <drive>:\inetpub\wwwroot.  In order to allow anonymous users to access the static content I had to grant IUSR read permission on my \Website\Content directory.
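The check and the fix described above can be scripted. The following PowerShell is an added example, not part of the original post; the content path is a placeholder, and it assumes an elevated prompt so that applicationHost.config can be read. It grants read-only access, scoped to the static-content directory, and only if the anonymous identity has no explicit read entry already.

```powershell
# Added example. $contentPath is a placeholder: point it at your site's static-content folder.
$configPath  = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$contentPath = 'D:\Sites\Website\Content'

# 1. Which identity does anonymous authentication run as?
#    Assumption: the first <anonymousAuthentication> element with a userName is the server default.
[xml]$config = Get-Content -LiteralPath $configPath -Raw
$node = $config.SelectSingleNode('//anonymousAuthentication[@userName]')
if (-not $node -or -not $node.userName) {
    throw "No anonymous userName found in $configPath"
}
$identity = $node.userName

# 2. Does that identity already have an explicit Allow entry that includes Read?
#    Only entries naming the identity directly are checked; access inherited
#    through group membership is not evaluated here.
$read    = [System.Security.AccessControl.FileSystemRights]::Read
$pattern = "(^|\\)$([regex]::Escape($identity))$"
$hasRead = (Get-Acl -LiteralPath $contentPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match $pattern -and
    ($_.FileSystemRights -band $read) -eq $read
}

# 3. Grant read-only access, inherited by sub-folders (CI) and files (OI).
if ($hasRead) {
    Write-Output "$identity already has read access to $contentPath"
} else {
    icacls $contentPath /grant "${identity}:(OI)(CI)R"
}

# 4. Show the resulting ACL for review.
icacls $contentPath
```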

More info on IIS7 (and a comparison with IIS6) can be found at

http://learn.iis.net/page.aspx/140/understanding-the-built-in-user-and-group-accounts-in-iis-70/

http://learn.iis.net/page.aspx/110/changes-between-iis6-and-iis7-security

http://learn.iis.net/page.aspx/139/iis7-security-improvements/

Disable Windows Shut Down button on Start menu

In order to reduce the chance of inadvertently shutting down a remote Windows machine (which may then require a long drive to a remote data centre to switch it on again) it is possible to remove the Shut Down button from the Start menu and Windows Security dialog (i.e. the dialog displayed when you hit <ctrl><alt><delete>).

  1. From a command prompt or Run box, open the Group Policy Object Editor using the command:

    gpedit.msc

  2. Locate the setting Local Computer Policy –> User Configuration –> Administrative Templates –> Start Menu and Taskbar –> Remove and prevent access to the Shut Down command.
  3. Change the state to Enabled.
  4. Complete the update by running the following command at the command prompt:

    gpupdate /force

The machine can still be shut down or restarted from the command prompt using the shutdown command. Of course if you issue the wrong command at this point you may still have that long drive ahead of you...

To restart the machine:

shutdown /r

To restart instantly (by default there is a 30 second delay) indicating a planned shutdown for the reason "Reason":

shutdown /r /t 0 /d p:0:0 /c "Reason"

To shut down the machine:

shutdown /s

Note that just typing shutdown (with no arguments) will display the help items rather than shutting down the machine.

Problems logging on to a Terminal Server

Something I have been asked about four times in the last week or so is how to log on to a remote server when the following message is displayed:

The terminal server has exceeded the maximum number of allowed connections.

There are two ways of dealing with this.

Both techniques use the command prompt. To connect to the machine from the command prompt, you need to run as an administrator identity on that machine. From the Run box or a command prompt, open a new command prompt with:

runas /user:domain\administrator cmd

where domain\administrator is a user with administrator privileges on the target machine.

mstsc

First, try connecting to the console session. From the command prompt, type:

mstsc -v:0.0.0.0 /f -console

where 0.0.0.0 is the IP address or server name, e.g.:

mstsc -v:172.21.2.3 /f -console

mstsc -v:machinename /f -console

To connect with an admin session:

mstsc -v:172.21.2.3 /f /admin -console

Once logged on to the session, go to the Terminal Services Manager and log off one of the other sessions. You then need to log off this session: as a rule, you shouldn't log on to the console session, because if the console session cannot be connected to as well you could be in all sorts of difficulty. Once logged off from the console session you can connect using the freed RDP connection.

query

You can query and reset sessions from the command prompt:

  1. Find out which sessions are running:

    query session /server:machinename

  2. Reset one of the sessions:

    reset session 2 /server:machinename

Note that there is no feedback from the reset command, so a second query command will show you the new status.
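Because reset gives no feedback and ends whatever session ID it is given, it helps to pick the target from parsed output rather than by eye. The following PowerShell is an added example, not part of the original post: it parses `query session` output, selects only disconnected sessions, and prints the matching reset commands for review instead of running them. The sample output is constructed, and the function name is hypothetical.

```powershell
# Constructed sample of `query session /server:machinename` output
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console                                     0  Conn    wdcon
 rdp-tcp                                 65536  Listen  rdpwd
 rdp-tcp#1         alice                     1  Active  rdpwd
                   bob                       2  Disc    rdpwd
'@ -split "`r?`n"

function ConvertFrom-QuerySession {
    param([string[]]$Lines)
    # The header tells us where the USERNAME column starts; disconnected
    # sessions have an empty SESSIONNAME, so position matters.
    $userCol = $Lines[0].IndexOf('USERNAME')
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        # Everything before the numeric ID is session name and/or user name
        if ($line -notmatch '^(?<head>.*?)\s+(?<id>\d+)\s+(?<state>[A-Za-z]+)') { continue }
        $head = $Matches['head'].PadRight($userCol)
        [pscustomobject]@{
            # A leading ">" marks the current session in real output
            SessionName = ($head.Substring(0, $userCol) -replace '>', '').Trim()
            UserName    = $head.Substring($userCol).Trim()
            Id          = [int]$Matches['id']
            State       = $Matches['state']
        }
    }
}

# Against a real server, pass the live output instead of the sample:
#   ConvertFrom-QuerySession -Lines (query session /server:machinename)
$sessions = ConvertFrom-QuerySession -Lines $sample

# Disconnected sessions are the safest candidates; print the commands for review.
$sessions | Where-Object State -eq 'Disc' | ForEach-Object {
    "reset session $($_.Id) /server:machinename   # user: $($_.UserName)"
}
```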