Once all AFP files including tables have been copied to the Web server, the AFP standard configuration will usually serve you best, unless you have additional security requirements. In the standard configuration AFP runs as a service under the LocalSystem account (displayed as "Local System" or "SYSTEM", depending on your Windows version). In some cases you will have to make adjustments.
Normally, IIS runs the ISAPI extension AFP3.DLL under the IWAM_Machine account. If the application protection (isolation) level is set to Low, the IUSR_Machine account is used instead. AFP3.DLL depends on the C runtime library, i.e. on MSVCR70.DLL or MSVCR71.DLL, depending on which AFP version is deployed. If calling an AFP page returns an HTTP 500 error in the standard IIS layout, the Web server account may lack the privileges needed to load the library. FILEMON from http://www.sysinternals.com (since superseded by Process Monitor) shows you exactly which files the access was denied on: filter on the IIS worker process and look for ACCESS DENIED results.
For security reasons we do not recommend running AFP under the SYSTEM account, even though that configuration is simpler: a compromised AFP page would then run with full control of the machine. It is better to create a dedicated, unprivileged account AFPUser (or any other name) with the following settings.
Access Control Lists (ACL) for AFPUser
The user account AFPUser must be a member of the Users group and/or have identical access privileges. This applies in particular to the access privileges for the Windows directory and the registry. The following table lists the additional privileges required by the AFPUser account. "RX" refers to the privileges "Read & Execute", "List Folder Contents" and "Read". "Modify" covers all privileges of "RX" plus "Write" and "Modify". Grant no more than listed; in particular AFPUser needs no write access to the AFP program files themselves.

Directory                                        Privileges
C:\Program Files\AFP3\Log\                       Modify
C:\Program Files\AFP3\Cache\                     Modify
C:\Program Files\AFP3\Common\                    Modify
C:\Program Files\AFP3\Session.*                  Modify
Root of the drive holding %WINDIR% (e.g. C:\)    RX
Access Control Lists (ACL) for IUSR_Machine and IWAM_Machine
RX access to AFP3.DLL is required; the IIS accounts need no access to the Log, Cache, Common or Session files.
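The account creation and the ACLs from the table above, as an added PowerShell example (this script is not part of the AFP documentation). It assumes an elevated prompt on the Web server, the default installation path C:\Program Files\AFP3, and that "Machine" in IUSR_Machine/IWAM_Machine is the local computer name; the account name AFPUser is the one suggested above. It uses icacls, so it needs Windows Vista/Server 2003 SP2 or later.

```powershell
# Added example, not from the AFP documentation: create the dedicated AFPUser
# account and apply the ACLs from the table with icacls.
# Assumptions: elevated prompt, default AFP path, IIS accounts named after the
# local computer ($env:COMPUTERNAME).
$Account = 'AFPUser'
$AfpRoot = 'C:\Program Files\AFP3'
$Machine = $env:COMPUTERNAME
$Root    = (Split-Path -Qualifier $env:WINDIR) + '\'   # e.g. C:\

# 1. A dedicated, unprivileged account. "net user <name> *" prompts for the
#    password instead of putting it on the command line (and into the history).
#    New accounts are members of Users by default; membership is enforced anyway.
net user $Account * /add /passwordchg:no
net localgroup Users $Account /add

# 2. Directory ACLs. M = Modify, RX = Read & Execute; (OI)(CI) propagate the
#    entry to files and subfolders. /grant ADDS an ACE, it does not replace the DACL.
$Modify = @("$AfpRoot\Log", "$AfpRoot\Cache", "$AfpRoot\Common")
foreach ($Dir in $Modify) {
    icacls $Dir /grant "${Account}:(OI)(CI)M"
}
# Session.* files live directly in the AFP root; grant Modify on each file only.
Get-ChildItem -Path $AfpRoot -Filter 'Session.*' |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { icacls $_.FullName /grant "${Account}:M" }
# Read & Execute on the root of the system drive only: no (OI)(CI), so the
# entry is not inherited by everything below C:\.
icacls $Root /grant "${Account}:RX"

# 3. The IIS identities need only RX on the ISAPI extension itself.
foreach ($Iis in "IUSR_$Machine", "IWAM_$Machine") {
    icacls "$AfpRoot\AFP3.DLL" /grant "${Iis}:RX"
}

# 4. Verify: print the ACEs that now exist for the account on every path touched.
function Show-AfpAce {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -like "*\$Identity" } |
        Select-Object @{n = 'Path'; e = { $Path }}, FileSystemRights, InheritanceFlags
}
($Modify + $Root) | ForEach-Object { Show-AfpAce $_ $Account }
Show-AfpAce "$AfpRoot\AFP3.DLL" "IUSR_$Machine"
Show-AfpAce "$AfpRoot\AFP3.DLL" "IWAM_$Machine"
```

The `${Account}:` form is needed because PowerShell would otherwise read `$Account:M` as a scoped variable. Run the verification step again after the AFP has been in use for a while: if additional Modify entries appear on the program directory, something other than this script has widened the ACLs.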
Authorizations
If AFP runs as a service, the account needs the user right "Log on as a service" (SeServiceLogonRight). If AFP3Host.EXE is used (afp/config/server/isolated="true"), all versions up to and including 3.0.456 additionally need the right "Log on as a batch job" (SeBatchLogonRight).
DCOM (through v. 3.0.456)
Up to and including v. 3.0.456 the AFP user also needs DCOM Launch and Access permissions for AFP3Host.EXE (the AFP 3 out-of-process host); these are set with DCOMCNFG. Higher versions do not use DCOM, so no specific configuration is required.
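Granting the two logon rights from a script, as an added PowerShell example (not from the AFP documentation). It assumes an elevated prompt and that the AFPUser account already exists; the temporary path is a placeholder. The DCOM permissions for AFP3Host.EXE are not covered here and still have to be set with DCOMCNFG.

```powershell
# Added example, not from the AFP documentation: grant AFPUser the user rights
# "Log on as a service" (SeServiceLogonRight) and "Log on as a batch job"
# (SeBatchLogonRight) with secedit, merging with the existing assignments.
# Assumptions: elevated prompt, account exists, $Work is a scratch directory.
$Account = 'AFPUser'
$Rights  = 'SeServiceLogonRight', 'SeBatchLogonRight'
$Work    = Join-Path $env:TEMP 'afp-rights'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work 'rights.inf'
$Db  = Join-Path $Work 'rights.sdb'

# secedit .inf files reference principals as *SID, so resolve the account first.
$Sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the CURRENT assignments and edit them. Never feed /configure a
# hand-written .inf that lists only AFPUser: it replaces the holders of the
# right, which would strip NETWORK SERVICE, NT SERVICE\ALL SERVICES etc. and
# break every other service on the machine.
secedit /export /cfg $Inf /areas USER_RIGHTS /quiet | Out-Null
$Lines = @(Get-Content -Path $Inf)   # secedit writes UTF-16; Get-Content honours the BOM

foreach ($Right in $Rights) {
    $Idx = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match "^\s*$Right\s*=") { $Idx = $i; break }
    }
    if ($Idx -ge 0) {
        # Right already assigned to someone: append our SID if it is not there yet.
        if ($Lines[$Idx] -notlike "*$Sid*") { $Lines[$Idx] = $Lines[$Idx].TrimEnd() + ",*$Sid" }
    } else {
        # Right not assigned to anyone: add a line inside [Privilege Rights].
        $Sect = [array]::IndexOf($Lines, '[Privilege Rights]')
        if ($Sect -lt 0) { $Lines += '[Privilege Rights]'; $Sect = $Lines.Count - 1 }
        $Tail = if ($Sect + 1 -lt $Lines.Count) { $Lines[($Sect + 1)..($Lines.Count - 1)] } else { @() }
        $Lines = @($Lines[0..$Sect]) + "$Right = *$Sid" + @($Tail)
    }
}
Set-Content -Path $Inf -Value $Lines -Encoding Unicode

# Apply only the user-rights area, then verify by exporting again.
secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS /quiet | Out-Null
$Verify = Join-Path $Work 'verify.inf'
secedit /export /cfg $Verify /areas USER_RIGHTS /quiet | Out-Null
Get-Content -Path $Verify | Where-Object { $_ -match "^\s*($($Rights -join '|'))\s*=" }
# Both printed lines must now contain *$Sid. Delete $Work afterwards; the .inf
# is not secret, but there is no reason to leave policy scratch files around.
```

If the machine receives user-rights assignments from a domain Group Policy, the GPO wins and the local setting shown by the verification export is overwritten at the next refresh; add the account to the GPO instead.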
Activating the User
Go to Start > Settings > Control Panel > Administrative Tools > Services, open the service "Active FoxPro Pages", enter the user you created on the "Log On" tab, then restart the AFP service. Now check the Application event log for error messages from the AFP.
To check your settings you can also run the AFP interactively under the desired user. Use the following command line at the prompt to check whether the AFP can be started with the new user account (the quotes are required because the path contains spaces):
RUNAS /User:AFPUser "C:\Program Files\AFP3\AFP3.EXE"
You will be prompted for the user's password. The AFP should now start without errors and display a small window. The Application event log should show only the entry "AFP Server 3.0 started" without further error messages, and the System event log should not show an error from the Secondary Logon (RunAs) service either.
If AFP started without errors and an AFP service is still running, stop the service. As long as AFP3.EXE is running, all AFP pages should continue to work. Unexpected error messages claiming non-existent files, tables allegedly in use or cache access errors indicate that some of the required privileges have not been assigned. If your AFP application accesses data on another machine in your network, please make sure to read the chapter "Accessing the Network".
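The same procedure scripted, as an added PowerShell example (not from the AFP documentation): switch the service to the new account, restart it, confirm which account the AFP process actually runs under, and read back the event logs. It assumes an elevated prompt and that the service is registered with the display name "Active FoxPro Pages"; the service's short name is looked up rather than guessed, and the password is read interactively.

```powershell
# Added example, not from the AFP documentation: reconfigure the AFP service to
# run as AFPUser and verify the result. Assumptions: elevated prompt, service
# display name "Active FoxPro Pages", process name AFP3.EXE as on this page.
$Account = "$env:COMPUTERNAME\AFPUser"
$Display = 'Active FoxPro Pages'

$Svc  = Get-Service -DisplayName $Display -ErrorAction Stop
$Cred = Get-Credential $Account              # prompts; nothing on the command line
$Pw   = $Cred.GetNetworkCredential().Password

# "sc" is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
# sc.exe requires the space after "obj=" and "password=".
sc.exe config $Svc.Name obj= $Account password= $Pw
Remove-Variable Pw

$Since = Get-Date
Restart-Service -Name $Svc.Name -ErrorAction Stop
Start-Sleep -Seconds 5

# 1. Is the engine really running as AFPUser? GetOwner() reports the token owner.
function Get-AfpProcessOwner {
    Get-WmiObject -Class Win32_Process -Filter "Name='AFP3.EXE'" | ForEach-Object {
        $Owner = $_.GetOwner()
        [pscustomobject]@{ Pid = $_.ProcessId; Owner = "$($Owner.Domain)\$($Owner.User)" }
    }
}
Get-AfpProcessOwner
# Expected owner: <COMPUTERNAME>\AFPUser, not NT AUTHORITY\SYSTEM.

# 2. Application log: expect one "AFP Server 3.0 started" entry and no errors.
Get-EventLog -LogName Application -After $Since |
    Where-Object { $_.Message -match 'AFP' } |
    Select-Object TimeGenerated, EntryType, Source, Message

# 3. System log: a wrong password or a missing "Log on as a service" right shows
#    up here as a Service Control Manager error for this service.
Get-EventLog -LogName System -After $Since -EntryType Error |
    Where-Object { $_.Source -eq 'Service Control Manager' -and $_.Message -match [regex]::Escape($Display) } |
    Select-Object TimeGenerated, Message
```

The owner check is the one that matters for security: a service that is configured for AFPUser but whose process still shows NT AUTHORITY\SYSTEM has not been restarted, or a second AFP3.EXE instance (for example one started interactively) is still running from before.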
Shutting down the AFP Engine
Generally, AFP runs very stably. Nevertheless you might be forced to shut down an AFP process. Usually you do this by stopping the AFP service or by quitting the AFP Server. If these options do not work as expected, you need to terminate AFP in the Task Manager. Stop all AFP3.7.EXE and AFP3.8.EXE applications.
If you run AFP as a service under one of the built-in accounts SYSTEM, LocalService or NetworkService, Task Manager will refuse to kill these processes even when you are logged on as an administrator, because it does not enable the debug privilege. In this case you can use a small trick to give yourself SYSTEM privileges: the Task Scheduler service itself runs as LocalSystem, and a job it starts inherits that account. Please note that you must be logged on as an administrator for this trick to work, and that it only works on Windows 2000, XP and Server 2003; on Windows Vista and later, Session 0 isolation keeps the scheduled window off your desktop (use Sysinternals PsExec, "psexec -s -i cmd.exe", there instead). Launch the Command Prompt and enter the following statement:
AT hh:mm /INTERACTIVE CMD.EXE
Replace hh:mm with the current time plus one minute. After at most one minute a new Command Prompt window comes up that runs as SYSTEM. Close any open Task Manager window and start a new instance from that Command Prompt window with the following line:
TASKMGR.EXE
Now you can kill any process in the system. Be especially careful not to kill a core system process such as CSRSS.EXE, WINLOGON.EXE, LSASS.EXE or SERVICES.EXE, because this time it is possible, and doing so will crash or restart the machine. Close the SYSTEM Command Prompt as soon as you are done; every program started from it runs with full SYSTEM rights.