Manager error when setting up Multi-server configuration
We are trying to set up a multi-server Essentials 4.2 configuration in our development environment and have run into what looks like a permission error on one of the servers. On the first server everything installed okay and we were able to read/write to the Sites and Temp shared folders using the UNC path.
On the second server however, as soon as we try to change the web.config in the Manager folder to point to the UNC path for gcx.io.fileSystem.path and gcx.io.tempFileManager.commonTempFolder, the browser returns the message "Access Denied. You have not been granted access to this application." after entering the username / password. If we put the local path names back into the web.config file, everything works correctly again. We are attempting to log in using an AD account (domain\username) if that makes any difference. Anonymous and Windows Authentication are enabled in IIS (same as on first server).
We created a new IIS Application Pool for the REST and RestManager virtual directories, which uses the same username/password that the UNC share has permission to access. This is all working from the first server. The REST endpoint URL on the second server also works just fine (it shows the sites from the shared folder) - it's just an issue with logging into Manager. I have tried monitoring with Process Monitor to see if there were any permission issues (can't access) but everything looks okay. Likewise, there are no errors in the Windows Event Viewer logs (Application and Security). On the remote server that hosts the shared directories, Windows Event Viewer shows successful authentications from the remote server using the correct username.
The Manager log files show the following error message:
<Event Timestamp="2015-01-28T09:39:20.8184481-05:00" Level="INFO"><Message>Application Start: 3693ms</Message></Event>
<Event Timestamp="2015-01-28T09:39:25.3425351-05:00" Level="ERROR"><Message>[2015-01-28 09:39:25,295][ERROR][7 ][ ][Geocortex.GAS.Node.NodeEnvironment] Exception determining GasHome.
System.ArgumentNullException: Value cannot be null.
Parameter name: path1
at System.IO.Path.Combine(String path1, String path2)
at Geocortex.GAS.Node.NodeEnvironment.CreateLogDirectory()
at Geocortex.GAS.Node.NodeEnvironment.CreateCompressedLogDirectory()
at Geocortex.GAS.Node.NodeEnvironment..cctor()</Message></Event>
<Event Timestamp="2015-01-28T09:39:54.4370946-05:00" Level="WARN"><Message>Claim resolution failed: System.Security.Authentication.AuthenticationException: Logon failure: unknown user name or bad password.
---> System.DirectoryServices.DirectoryServicesCOMException: Logon failure: unknown user name or bad password.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
--- End of inner exception stack trace ---
at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
at Geocortex.Core.Security.Integration.Windows.NativeMethods.GetForestRoot(String domainName)
at Geocortex.Core.Security.Integration.Windows.NativeMethods.MoveToForestRoot(DirectorySearcher searcher, String domainName)
at Geocortex.Core.Security.Integration.Windows.NativeMethods.ResolveClaims(WindowsIdentity identity)</Message></Event>
Has anyone run into this before or know where I might look for more info given the above description and error message?
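Added example (not part of the original thread and not Geocortex code): a small Python triage of the Manager log format quoted in the question. It pulls out the WARN/ERROR events, the exception chain and the innermost stack frame, so the failed directory bind behind "Claim resolution failed" is reported separately from the GasHome error. The sample log is shortened from the excerpt above; the function and field names are assumptions.

```python
import re

# Constructed sample: the <Event> entries from the question, with the
# message prefix and stack traces shortened to the frames that matter.
SAMPLE_LOG = """<Event Timestamp="2015-01-28T09:39:20.8184481-05:00" Level="INFO"><Message>Application Start: 3693ms</Message></Event>
<Event Timestamp="2015-01-28T09:39:25.3425351-05:00" Level="ERROR"><Message>Exception determining GasHome.
System.ArgumentNullException: Value cannot be null.
Parameter name: path1
   at System.IO.Path.Combine(String path1, String path2)
   at Geocortex.GAS.Node.NodeEnvironment.CreateLogDirectory()</Message></Event>
<Event Timestamp="2015-01-28T09:39:54.4370946-05:00" Level="WARN"><Message>Claim resolution failed: System.Security.Authentication.AuthenticationException: Logon failure: unknown user name or bad password.
 ---> System.DirectoryServices.DirectoryServicesCOMException: Logon failure: unknown user name or bad password.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at Geocortex.Core.Security.Integration.Windows.NativeMethods.GetForestRoot(String domainName)
   at Geocortex.Core.Security.Integration.Windows.NativeMethods.ResolveClaims(WindowsIdentity identity)</Message></Event>
"""

# The log is a sequence of <Event> elements with multi-line messages and no
# single root element, so it is matched with a regex instead of an XML parser.
EVENT_RE = re.compile(
    r'<Event Timestamp="(?P<ts>[^"]+)" Level="(?P<level>[^"]+)">'
    r'<Message>(?P<msg>.*?)</Message></Event>', re.DOTALL)
EXC_RE = re.compile(r'\b((?:\w+\.)+\w*Exception)\b')       # namespaced .NET exception types
FRAME_RE = re.compile(r'^\s*at ([\w.]+)\(', re.MULTILINE)  # "at Namespace.Type.Method("
BIND = 'System.DirectoryServices.DirectoryEntry.Bind'

def triage(log_text):
    """Return one finding per WARN/ERROR event, in log order."""
    findings = []
    for m in EVENT_RE.finditer(log_text):
        if m['level'] not in ('WARN', 'ERROR'):
            continue
        msg = m['msg']
        frames = FRAME_RE.findall(msg)
        findings.append({
            'timestamp': m['ts'],
            'level': m['level'],
            'summary': msg.splitlines()[0].strip(),
            # outermost exception first, duplicates removed, order kept
            'exceptions': list(dict.fromkeys(EXC_RE.findall(msg))),
            'innermost_frame': frames[0] if frames else None,
            # True when the trace passes through the directory bind call
            'directory_bind_failure': any(f.startswith(BIND) for f in frames),
        })
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
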
-
You may need to manually grant access permission to the UNC directory to the Application Pool Identity user, such as the "EssentialsAdmin" by default.
0 -
We have checked the permissions on the UNC share and the connections are being made okay according to the Windows Event Viewer Security log. The problem seems to lie on the Essentials server (rather than the UNC share server).... maybe (see below). The application pool runs under a local account on the Essentials server, which has been replicated on the file share server, using the same username/password. The REST endpoint works fine - it shows all the sites in the shared 'Sites' folder. It just seems to be an authentication issue with Manager.
I did try using a UNC share on the Essentials server and that did work okay, which would lead me to think that the problem lies with the shared folder - but the first Essentials server works just fine pointing to the share using the same AppPool account name /password. There are no other errors in any Windows event logs that point to a different account than that which the AppPool is running under.
0 -
Hi, Peter,
I had a similar issue after I installed Essentials 4.2.x. While I never had problems with older versions, I discovered that the new version "disabled" the Forms Authentication and "enabled" the Windows Authentication after comparing the Manager application's authentication method in IIS. My local server browser does not allow AD checking while the pool user is the local user, thus the problem occurred. After disabling the Windows Authentication, no error is returned any more. I haven't found any impacts on the application so far.
Not sure if this helps your problem though.
Helen
0