Sitecore Azure sets incorrect file system permissions in Microsoft Azure environment


Description

When performing a regular deployment to an Editing or Delivery Farm using the Sitecore Azure module, the file system permissions are incorrectly set in Azure environment for the NETWORK SERVICE identity, which is used for Sitecore's application pool. As a result, the "access denied" errors may occur. For example:

Error #1:

[UnauthorizedAccessException: Access to the path 'E:\approot\UTI\css\combinedMain.css' is denied.]
   System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
   System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize)
   System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding)
   SquishIt.Framework.Files.RetryableFileOpener.OpenTextStreamWriter(String filePath, Int32 retry, Boolean append)
   SquishIt.Framework.Files.FileWriterFactory.GetFileWriter(String file)
   SquishIt.Framework.Renderers.FileRenderer.WriteFiles(String output, String outputFile)
   SquishIt.Framework.Base.BundleBase`1.RenderRelease(String key, String renderTo, IRenderer renderer)
   Web.UTI.Layouts.Home.Page_Load(Object sender, EventArgs e)
   System.Web.UI.Control.LoadRecursive()
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Error #2:

ERROR Exception in alarm clock event subscriber.
Exception: System.UnauthorizedAccessException
Message: Access to the path 'E:\approot\App_Data\Submit Queue\0000000006' is denied.
Source: mscorlib
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
   at Sitecore.Analytics.Data.DataAccess.SubmitQueue.FileSubmitQueue.GetDequeueingStream()
   at Sitecore.Data.DataProviders.Retryer.Execute[T](Func`1 action, Action recover)
   at Sitecore.Analytics.Data.DataAccess.SubmitQueue.FileSubmitQueue.Dequeue()
   at Sitecore.Analytics.SubmitQueueService.WakeUp()
   at Sitecore.Services.AlarmClock.Heartbeat_Beat(Object sender, EventArgs e)

Error #3:

ERROR Could not update device detection database
Exception: System.Net.WebException
Message: An exception occurred during a WebClient request.
Source: System
   at System.Net.WebClient.DownloadFile(Uri address, String fileName)
   at Sitecore.CES.DeviceDetection.Netbiscuits.DeviceDetectionClient.Downloader.Download(String databaseLink, String targetPath)
   at Sitecore.CES.DeviceDetection.Netbiscuits.DeviceDetectionClient.Update()
Nested Exception
Exception: System.UnauthorizedAccessException
Message: Access to the path 'E:\approot\App_Data\DeviceDetection\DeviceDetectionDB-20160413.db' is denied.
Source: mscorlib
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access)
   at System.Net.WebClient.DownloadFile(Uri address, String fileName)

This issue affects Azure module 3.0 and later versions.

Solution

To resolve the issue, proceed as follows:

  1. Modify the \App_Data\AzureOverrideFiles\bin\Startup.cmd script as shown below:
    IF "%ComputeEmulatorRunning%" == "true" (
:: do not remove the echo string or else you will get an exception
ECHO  ComputeEmulatorRunning environment
    
) ELSE (
    
ECHO  Azure environment
    
  CACLS ../../approot /t /e /p "Network Service":c        
  %windir%\system32\inetsrv\appcmd set config -section:applicationPools -applicationPoolDefaults.processModel.idleTimeout:00:00:00
)
EXIT /b 0
  2. In the Sitecore Azure application, run the Upgrade Files operation against an existent Editing or Delivery Farm.