A troubleshooter's blog


Saturday, January 22, 2005

ASP.NET and access to Oracle files

When you use Oracle with ASP.NET, you might run into access problems with the Oracle files. By default, the ASP.NET user doesn’t have access to the required Oracle files.

These are the Oracle folders you should make sure you have access to:
\bin
\oracore\zoneinfo\
\ocommon\nls\ADMIN\DATA
\network\ADMIN
\rdbms\mesg

You can find the orahome directory in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOME0\ORAHOME

On Windows 2000 and Windows XP it’s the ASP.NET user that needs access to these files. On Windows 2003 it’s the user running the application pool (the account running w3wp.exe) that needs access (by default it’s Network Service). On pre-ASP.NET sites, make sure that IUSR and IWAM have access. To find exactly which files you need access to, you can always run Filemon; it shows an “ACCESS DENIED” result for each file where access is denied.

You will see the line below in Filemon if Network Service doesn’t have access to oci.dll (Oracle Call Interface).

1:55:28 PM w3wp.exe:2696 OPEN C:\oracle\ora92\bin\oci.dll ACCESS DENIED NT AUTHORITY\NETWORK SERVICE

Filemon.exe can be downloaded for free from www.sysinternals.com

Possible error messages returned
If there is no access to oci.dll (orahome\bin), you will receive the following error message (ASP.NET):
"System.Data.OracleClient requires Oracle client software version 8.1.7 or greater."

If you have access to oci.dll but are missing access to other Oracle files needed by the Oracle Call Interface, you will see the message:
"Could not create an environment: OCIEnvCreate returned -1. "

Remember that you might need to delete temporary files and run iisreset after you have changed access to the Oracle files.
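
The folder list and account rule from this post, as an added PowerShell example (not from the original post): it grants read-and-execute access only, rather than full control, on the listed folders. The default $OracleHome is taken from the Filemon line above and is an assumption; replace it with your own orahome value, and run the script from an elevated prompt.

```powershell
# Added example: grant the web application's identity read/execute access
# (no write, no full control) on the Oracle client folders listed in the post.
param(
    # Assumption: Oracle home from the Filemon line in the post; use your own orahome.
    [string]$OracleHome = 'C:\oracle\ora92',
    # Default application pool identity on Windows Server 2003 (per the post).
    [string]$Identity   = 'NT AUTHORITY\NETWORK SERVICE'
)

# Folders named in the post, relative to the Oracle home.
$folders = 'bin', 'oracore\zoneinfo', 'ocommon\nls\ADMIN\DATA', 'network\ADMIN', 'rdbms\mesg'

$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$account = New-Object System.Security.Principal.NTAccount($Identity)

foreach ($rel in $folders) {
    $path = Join-Path $OracleHome $rel
    if (-not (Test-Path -LiteralPath $path -PathType Container)) {
        Write-Warning "Skipping missing folder: $path"
        continue
    }

    $acl = Get-Acl -LiteralPath $path

    # Leave the ACL alone if an allow rule (explicit or inherited) already
    # covers read/execute for this identity.
    $covered = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq $allow -and
        (($_.FileSystemRights -band $rights) -eq $rights)
    }
    if ($covered) {
        Write-Output "Already readable by ${Identity}: $path"
        continue
    }

    # Add one inheritable allow rule so files and subfolders are covered too.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Output "Granted ReadAndExecute to ${Identity}: $path"
}
```

Pass -Identity with the ASP.NET user or the application pool account when the site does not run as Network Service.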

Monday, January 17, 2005

More W2003SP1 Info

Lots of info and links on W2003 SP1 in Nick MacKechnie's WebLog

Sunday, January 16, 2005

CAS and a .NET app. run from a share.

With .NET something called CAS (Code Access Security) is introduced. This is a great way for you to make sure that the user is actually running your code, and that no one has made changes to it. But from a software distribution point of view it is another issue to think about when you are releasing the product.

I’m gonna talk a bit about the scenario where you have a client/server environment where the client is running your app from a share on the server, and I’m assuming that your assemblies are “strong named”.

In this scenario the code needs to be trusted on the client computer to be able to run your application. Another option is to turn off CAS on the client, but that’s not what we want to tell the customer, right?

On the client you need to set up a code group for your application’s code. You can do this from the MS .NET configuration tool (located in Administrative Tools), or you can do it from the command line using the tool caspol.exe (as in CodeAccessSecurityPolicy ;-)). I’m not going to go into detail on how to set up a code group, but from caspol you could do something like below to create a code group for your application.

________________________________________________________________________
Caspol -enterprise -addgroup 1. -strong -file \\\bin\Your.Assembly.dll -noname -noversion FullTrust -n CodeGroupName -LevelFinal on
________________________________________________________________________

This creates a code group at the enterprise level with a strong name as the condition type. The public key is taken from an assembly on the network share, the code is given full trust on the client computer, the code group is named CodeGroupName, and it has the LevelFinal attribute.

Giving the code group the level final attribute will prevent policy levels below this level from being evaluated. On the enterprise level this must be done, or the default machine level policies will prevent the enterprise level policies from being applied.

Giving FullTrust to the code group is not the best solution in most cases; you can create your own permission sets where you select what your code should have access to do. But in some cases, for instance where assemblies are called from C++ code, giving “full trust” to your code might be the only solution. (C# folks might prefer to call C++ C-- these days)

It is highly recommended that you create a new code group and use the strong name membership condition when trusting code (in this client/server network share scenario). But there are also other options. These options should only be used for troubleshooting or as workarounds. Only turn .NET Security off for troubleshooting purposes.

__________________________________________________________________________
Turn .NET Security off:
Caspol -s off

Give full trust to the Local Intranet Zone:
.NET Configuration tool:
1. Right-click on the LocalIntranet_Zone policy
2. Select the permission set tab
3. Change the permission set to Full Trust

Or from caspol:
caspol.exe -machine -chggroup LocalIntranet_Zone FullTrust

Give full trust to the central configuration path
.NET Configuration tool:
1. Create a new code group
2. Select URL as condition type, and set the URL to the centrally configured folder, e.g. file://
3. Set the permission set to “full trust” (or your own permission set)
4. Remember to set the option “policy levels below this level will not be evaluated”(Level Final attribute)

How to distribute these policies to the clients is another problem, especially if the client user is not local administrator. I’m going to talk a little bit about this another day.




Saturday, January 15, 2005

w3wp.exe PID

Have you ever wondered which w3wp.exe process belongs to which application pool? In the system32 directory on Windows Server 2003 there is a VBScript called iisapp.vbs that lists the PIDs of the different w3wp.exe processes. Then just open Task Manager and locate the w3wp.exe process you are looking for.

Speaking of Task Manager, you should use Process Explorer if you want the advanced version. Everyone should be familiar with Process Explorer, a fantastic application made by Mark Russinovich. Download it here: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml


Here is a list of all the IIS configuration VBScripts provided by MS



Saturday, January 08, 2005

Not indexed by google :-(

I don't think I'm going to post much more until I get the site indexed by Google. There's really no point in just talking to myself :-)

But I guess it will be indexed soon. I have registered the address in Google's own service, but it can take months until they get sites indexed, and some don't get indexed at all. A better option is to post links in various forums that get indexed by Google.

Kind of strange that they don't add blogger sites automatically though.

I have just added a statcounter to the site too, so I'll soon see if I'm just talking to myself or not :-)

I'm using www.statcounter.com to track access to this site. It's a free service and it looks OK so far. Just had to add these few lines of code:

<!-- Start of StatCounter Code -->
<script type="text/javascript" language="javascript">
var sc_project=509668;
var sc_partition=3;
</script>

<script type="text/javascript" language="javascript" src="http://www.statcounter.com/counter/counter.js"></script><noscript><a href="http://www.statcounter.com/" target="_blank"><img src="http://c4.statcounter.com/counter.php?sc_project=509668&amp;java=0" alt="hidden hit counter" border="0"></a> </noscript>

<!-- End of StatCounter Code -->

Tuesday, December 21, 2004

RSS readers

Okay, in a previous post I said I preferred SharpReader as my RSS aggregator. But now I went back to feedreader again. SharpReader is just eating up too much memory. I mean, I'm just using the default refresh rate (once an hour), but still it's constantly using too many resources compared with feedreader. Hope it gets fixed in the future though.

Sunday, December 19, 2004

Prepared for Windows Service Packs.

New Microsoft OS Service Packs these days mean tighter security. And hey! That’s good! Don’t you think?

But the new default settings can always get you in trouble. It’s not fun when your software no longer works after the customer has downloaded the latest Windows service pack. So make sure that you are prepared. I think it’s great with improved security, but I’m not always too happy with the documentation for their changes.

Windows 2003 SP1 RC is ready for download and has been for some time.

The changes you saw on WinXPSP2 are now implemented on the server side (and other changes as well). But the default settings are not the same as on XPSP2. Things like the RestrictRemoteClients policy are at a level that will not change the default settings like it did on XPSP2.

They have a new policy: “Restrict anonymous access to named pipes and shares”. This one is enabled by default on the release candidate of SP1. If you use anonymous access (in some remote callbacks or something), you will have to set this one to disabled. As on XPSP2, they have introduced the option to set a limit on DCOM security at the machine level.