1

This question is related to another question I wrote:

Trouble using DOTNET from PHP.

Where I was using the DOTNET() function in PHP to call a DLL I had written.

I was able to get it working fine by running php.exe example.php from the command line (with the DLLs still in the PHP folder).

I moved the php file to an IIS 7 webserver folder on the same machine (leaving the DLLs in the same php folder), but I keep getting a 500 internal service error.

I've checked the server logs (in c:\inetput\logs\ and in c:\windows\temp\php53errors) but there doesn't seem to be any relevant information about what caused the error. I even tried to change the php.ini settings to get more error feedback, but that doesn't seem to help.

I can only guess that the issue may be related to:

  1. that php file not having the proper permissions (my dll does some file reading/writing)
  2. php can't find the DLLs

The actual error I get is:

The FastCGI process exited unexpectedly.

Any idea on how to debug this problem?

0

1 Answer

1

The problem here is almost certainly related to file permissions.

When you run php.exe from the command line you run as your own logged-in user. When running a PHP script from IIS, in response to an http request, php.exe runs as a different user. Depending on your version of Windows it could be

  • IUSR_machine - on IIS6 and prior
  • IUSR on IIS7 and later

These users need permissions on the php file to be executed.

Read more about it

On IIS7 and later I use a command-line tool called icacls.exe to set the permissions on directories or files that need to be read by IIS and the processes it starts (like php.exe). This security stuff applies to all IIS applications: PHP, ASPNET, ASP-classic, Python, and so on.

IIS also needs to be able to read static files, like .htm, .js, .css, .jpg, .png files and so on. You can set the same permissions for all of them: Read and Execute.

You can grant permissions directly to the user, like this:

 icacls.exe  YOUR-FILE-GOES-HERE  /grant "NT AUTHORITY\IUSR:(RX)"

You can also grant permissions to the group, to which IUSR belongs, like this:

 icacls.exe YOUR-FILE-HERE  /grant "BUILTIN\IIS_IUSRS:(RX)"

In either case you may need to stop and restart IIS after setting file-level permissions.

If your .php script reads and writes other files or directories, then the same user needs permissions on those other files and directories. If you need the .php script to be able to delete files, then you might want

 icacls.exe YOUR-FILE-HERE  /grant "BUILTIN\IIS_IUSRS:(F)"

...which grants full rights to the file.

You can grant permissions on an entire directory, too, specifying that all files created in that directory in the future will inherit the file-specific permissions set on the directory. For example, set the file perms for the directory, then copy a bunch of files into it, and all the files get the permissions from the parent. Do this with the OI and CI flags (those initials stand for "object-inherit" and "container-inherit").

 icacls.exe DIRECTORY  /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"
 copy FILE1 DIRECTORY
 copy FILE2 DIRECTORY
   ...

When I want to create a new vdir in IIS, to allow running PHP scripts, or ASPX or .JS (yes, ASP Classic) or Python or whatever, I do these steps:

 appcmd.exe add app /site.name:"Default Web Site" /path:/vdirpath /physicalPath:c:\docroot
 icacls.exe DIRECTORY  /grant "BUILTIN\IIS_IUSRS:(OI)(CI)(RX)"

Then I drop files into the directory, and they get the proper permissions.

Setting the ACL (access control list) on the directory will not change the ACL for the files that already exist in the directory. If you want to set permissions on the files that are already in the directory, you need to use icacls.exe on the particular files. icacls accepts wildcards, and it also has a /t switch that recurses.
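
Added example, not part of the original answer: a PowerShell audit that walks a web root and reports, for each file and directory, whether the two identities named above hold a Read & Execute allow entry, and where they hold write rights (so `(F)` grants stand out in review). `C:\docroot` is the placeholder path from the appcmd line, and the function name `Get-IdentityAccess` is hypothetical. Only entries naming these identities directly are counted; access inherited through other groups is not evaluated.

```powershell
# Added example: audit ACLs under a web root for the IIS identities.
# Assumptions: C:\docroot is a placeholder; identities are the two named in the answer.
param(
    [string]   $Root       = 'C:\docroot',
    [string[]] $Identities = @('NT AUTHORITY\IUSR', 'BUILTIN\IIS_IUSRS')
)

$need        = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$write       = [int][System.Security.AccessControl.FileSystemRights]::Write
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-IdentityAccess {
    param([string]$Path, [string]$Identity)
    $allow = 0; $deny = 0
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        # Inherit-only entries apply to children, not to this object itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Identity = $Identity
        # Readable only if every RX bit is allowed and none of them is denied.
        HasRX    = (($allow -band $need) -eq $need) -and (($deny -band $need) -eq 0)
        # True when the identity can write: expected only on data directories.
        CanWrite = (($allow -band $write) -ne 0)
    }
}

# Include the root itself, then everything beneath it (hidden items too).
$items  = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$report = foreach ($item in $items) {
    foreach ($id in $Identities) { Get-IdentityAccess -Path $item.FullName -Identity $id }
}

'Items with no Read & Execute entry for any listed identity:'
$report | Group-Object Path |
    Where-Object { -not ($_.Group.HasRX -contains $true) } |
    Select-Object -ExpandProperty Name

'Items the listed identities can write to:'
$report | Where-Object CanWrite | Format-Table Path, Identity -AutoSize
```

Where the script only needs to create, change and delete files, the `(M)` (modify) right covers that without also letting the web process rewrite the ACL or take ownership, which `(F)` does.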


7 Comments

Thanks Cheeso -- seems like you're everywhere! It appears there is still an error. "Failed to instatiate dot net object" that doesn't exist when I call php from the command line. Know of any reason why that might be?
Hmmm. Did you check that IIS has perms on the DLL? Beyond that, if it were me I'd try the simplest possible thing first. I think in your other question you said that the .NET component did some various things with the filesystem or some other protected resource (can't recall now). In order to diagnose "Failed to instantiate .NET object" I'd recommend making the .NET object as simple as possible, first. Make sure you can connect PHP to .NET. Only after you get that working, add the logic into the .NET code that does the interesting work. Break it down, and get one thing working at a time.
Also - You can debug errors loading .NET assemblies with the Fusion log, but it's tricky and I would not suggest starting there.
Sorry, I was trying to edit my previous comment but Stack Overflow wouldn't let me. That error, "failed to instantiate" seems like it's due to something unrelated and whatever is causing my error isn't being written anywhere. I tried giving permission to the DLLs as well. Do you recommend leaving the DLLs in the php folder or giving them a strong name and adding them to GAC?
The error is "C:\Program Files (x86)\PHP\v5.3\php-cgi.exe - The FastCGI process exited unexpectedly"...I'm going to try simplifying and see what I can figure out (although I would hope there is some better way : / )