no graphs when log in remotely

Post support questions that relate to the Windows 2003/2000/XP operating systems.

Moderators: Developers, Moderators

Post Reply
airwalk
Cacti User
Posts: 103
Joined: Fri Aug 18, 2006 11:22 am
Location: MSK, RU

no graphs when log in remotely

Post by airwalk »

That's me again.

Now it's a runtime problem. =)

All the graphs are OK when you log on to cacti from localhost. But If you log in remotely no graphs are populated, just "broken links".

Is it an IIS problem?
Attachments
broken.links.PNG
broken.links.PNG (12.9 KiB) Viewed 3013 times
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

Please read the steps in http://forums.cacti.net/viewtopic.php?t=11747 , specifically what the graph debug says.
airwalk
Cacti User
Posts: 103
Joined: Fri Aug 18, 2006 11:22 am
Location: MSK, RU

Post by airwalk »

OK, I've found the source of the problem. Here it goes.

RRDTool debug says:
"Warning: fgets(): supplied argument is not a valid stream resource in C:\Inetpub\wwwroot\cacti\lib\rrd.php on line 117"

In this line "fgets" tries to open "rrdtool.exe". I've checked permissions for rrdtool folder. Everything was fine and according to the guide.

Then i tried "filemon" and found that whenever rrdtool tries to graph the image w3wp.exe tries to open cmd.exe. And access is denied. But the thing is that w3wp.exe tries to open it using the domain credentials of the user who tries to view the graphs remotely. Not Internet Guest Account and not LOCAL SYSTEM account!!! Of course this user has no rights to cmd.exe. If I add permissions manually then everything goes fine and i see the graphs.

What this behavior comes from and how to work around it? Any ideas?
Attachments
w3wp.PNG
w3wp.PNG (5.39 KiB) Viewed 2998 times
Last edited by airwalk on Wed Sep 06, 2006 5:37 am, edited 2 times in total.
grumpf-dream
Posts: 14
Joined: Wed Sep 06, 2006 12:59 am

Post by grumpf-dream »

maybe you got a domain policy (gpo) blocking acces to cmd.exe for basics users?
airwalk
Cacti User
Posts: 103
Joined: Fri Aug 18, 2006 11:22 am
Location: MSK, RU

Post by airwalk »

grumpf-dream wrote:maybe you got a domain policy (gpo) blocking acces to cmd.exe for basics users?
"cmd.exe" is strictly local file as it should be used only by local processes(like "w3wp.exe" in my case). so by default only local users may have access to it.

Even if i had such gpo then it should have overrided my local policy. But it isn't.
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

You enabled interactive user authentication in IIS?
Have you given the IUSR account read/execute rights on cmd.exe/rrdtool.exe ?
airwalk
Cacti User
Posts: 103
Joined: Fri Aug 18, 2006 11:22 am
Location: MSK, RU

Post by airwalk »

BSOD2600 wrote:You enabled interactive user authentication in IIS?
Have you given the IUSR account read/execute rights on cmd.exe/rrdtool.exe ?
Yes, I've enabled Integrated Windows authentication in IIS. So the solution to work around the problem was that I'd enabled anonymous access using IUSR account. But is it really a good solution?

Is there any way to stick to windows auth additionally? As far as I understand the same problem will arise if I would use LDAP authentication in cacti.
User avatar
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

airwalk wrote:So the solution to work around the problem was that I'd enabled anonymous access using IUSR account. But is it really a good solution?
Thats the standard practice, as far as I've read/heard online. If you want to try and set up IIS so each authenticated domain user runs cmd.exe/rrdtool.exe, among with all the other needed files, good luck. If you don't like the IIS security, then you could also go the Apache route.
airwalk
Cacti User
Posts: 103
Joined: Fri Aug 18, 2006 11:22 am
Location: MSK, RU

Post by airwalk »

BSOD2600 wrote: Thats the standard practice, as far as I've read/heard online. If you want to try and set up IIS so each authenticated domain user runs cmd.exe/rrdtool.exe, among with all the other needed files, good luck. If you don't like the IIS security, then you could also go the Apache route.
I wish I could... :-?
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest