Access denied on a configuration file

May 4, 2015 at 8:08 AM
Edited May 4, 2015 at 2:07 PM
I modified the source code to use git-credential-winstore in the context of a web server. The program should not display a window to ask for the user's credentials (he couldn't see it).

The web application calls git, and if no credentials exist, the program returns an empty password, so git authentication is refused. In this context, the web application asks the user for the password, then calls git-credential-winstore to store it. The next call to git works fine (unless the password is wrong).

I get an "access denied" error on the "store" command (all works fine on my workstation). I think the user identity of the IIS pool should have some rights. But what rights exactly? Can anyone help?
Unhandled Exception: System.Configuration.ConfigurationErrorsException: Configuration system failed to initialize ---> System.Configuration.ConfigurationErrorsException: An error occurred loading a configuration file: Access is denied.
---> System.Security.SecurityException: Access is denied.

at System.Security.Principal.WindowsIdentity.SafeImpersonate(SafeTokenHandle userToken, WindowsIdentity wi, StackCrawlMark& stackMark)
at System.Security.Principal.WindowsIdentity.Impersonate(IntPtr userToken)
at System.Configuration.ClientConfigurationHost.Impersonate()
at System.Configuration.BaseConfigurationRecord.Impersonate()
at System.Configuration.BaseConfigurationRecord.InitConfigFromFile()
--- End of inner exception stack trace ---
at System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean ignoreLocal)
at System.Configuration.BaseConfigurationRecord.ThrowIfParseErrors(ConfigurationSchemaErrors schemaErrors)
at System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
--- End of inner exception stack trace ---
at System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
at System.Configuration.ClientConfigurationSystem.System.Configuration.Internal.IInternalConfigSystem.GetSection(String sectionName)
at System.Configuration.ConfigurationManager.GetSection(String sectionName)
at System.Configuration.PrivilegedConfigurationManager.GetSection(String sectionName)
at System.Diagnostics.DiagnosticsConfiguration.Initialize()
at System.Diagnostics.TraceInternal.InitializeSettings()
at System.Diagnostics.TraceInternal.get_Listeners()
at System.Diagnostics.Trace.get_Listeners()
at Git.Credential.WinStore.Program.TraceParameter(String prefix, String key, String value)
at Git.Credential.WinStore.Program.ReadGitParameters()
at Git.Credential.WinStore.Program.Main(String[] args)
May 21, 2015 at 2:45 PM
The pool account needs to gain access to its user profile.
So we need to connect one time to a Windows session to create the user profile (I think it's necessary). Next, in the Advanced Settings of the dedicated Application Pool, set "Load User Profile" = true.

Note about credentials: the Windows credential target must be changed to manage different users in the same Windows vault. I changed "git:https://remote-host" to "git_USERID:https://remote-host" in the GetTargetName() function:
private static string GetTargetName(Uri url, string userName)
{
    // Trim the trailing slash, since that's what we've been doing previously and we don't want to break it.
    return string.Format("git_{0}:{1}", userName, url.AbsoluteUri.TrimEnd('/'));
}
Marked as answer by pdebrabant on 5/21/2015 at 7:45 AM
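
The per-user target name from the answer above, as an added example that is not part of the original posts or of git-credential-winstore: since every web user's entry sits in the one vault of the pool identity, the user ID is validated before it goes into the target name, so two different IDs can never resolve to the same entry. The class name UserTargets, the Demo class and the allowed-character policy are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not git-credential-winstore code. UserTargets and its
// allowed-character policy are assumptions made for illustration.
static class UserTargets
{
    // Assumed policy: 1-64 characters from letters, digits, '.', '_', '@', '-'.
    // ':' is excluded, so the user part always ends at the first ':' of the
    // target name; '*' is excluded so an ID can never look like a wildcard.
    private static readonly Regex SafeUserId =
        new Regex(@"\A[A-Za-z0-9._@-]{1,64}\z", RegexOptions.CultureInvariant);

    public static string GetTargetName(Uri url, string userName)
    {
        if (url == null) throw new ArgumentNullException("url");
        if (userName == null || !SafeUserId.IsMatch(userName))
            throw new ArgumentException(
                "User ID not allowed in a credential target name.", "userName");

        // Fold case so "Bob" and "bob" always map to one entry, regardless of
        // how the credential store compares names.
        string user = userName.ToLowerInvariant();

        // Same format as in the answer: git_USERID:https://remote-host
        return string.Format("git_{0}:{1}", user, url.AbsoluteUri.TrimEnd('/'));
    }
}

static class Demo
{
    static void Main()
    {
        var remote = new Uri("https://remote-host/"); // host name as used in the post

        // Constructed user IDs: two users, two separate vault entries.
        Console.WriteLine(UserTargets.GetTargetName(remote, "alice"));
        Console.WriteLine(UserTargets.GetTargetName(remote, "Bob"));

        // A constructed ID carrying its own ':' would make the target ambiguous.
        try { UserTargets.GetTargetName(remote, "alice:https://other-host"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The prefix only namespaces the entries: all of them remain readable by any code running as the application pool identity, so the web application itself has to make sure it only ever asks for the target of the authenticated user.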