Handy for a batch maintenance operation a customer had to run on a few hundreds servers: they basically needed to do what’s described in this article but in a script rather than from the IIS GUI. From Shared Configuration (Appendix 3): By default, IIS includes two main providers for securing properties. These providers are located in the applicationHost.config file’s <configProtectedData> configuration section and are defined in the <providers> element. The AesProvider is specific to dealing with encryption and decryption for properties that are in the system.webServer section. The IISWASOnlyRsaProvider is specific to dealing with encryption and decryption for properties that are in the system.applicationHost section. These keys are in the iisConfigurationKey and iisWasKey key containers and are machine-specific. In a Web farm scenario, if encryption is required, then a key from one machine – usually the one that created the applicationHost.config file – is exported and brought into the other machines so that secure properties can be decrypted and used by the Web server So just copy the .config files from “C:\Windows\System32\Inetsrv\config” and use aspnet_regiis –px to export the Keys: aspnet_regiis -px “iisConfigurationKey” “D:\iisConfigurationKey.xml” -pri To import the Keys on another machine run the following: aspnet_regiis -pi “iisConfigurationKey” “D:\iisConfigurationKey.xml” The…
-
-
Error 502 – Web server received an invalid response while acting as a gateway or proxy server
I saw this error some time ago while working on an eCommerce solution. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server. Redirect/move happens like it should, but after approximatively 2 minutes after posting an order the user receives an http error 502. The order is correctly processed by SAP but the web applications is built in a way that the user is getting a confirmation page when the order is processed: this page is never presented to the user due to the 502 error. FREB gave us further details about the error: 502.3, 2147954417 which translates into ERROR_INTERNET_OPERATION_CANCELLED. This lead me to this post which describes a different error but based on the same principle and the solution still applies to our scenario: we increased the proxy timeout to 5 minutes to accommodate all reasonably long running requests and the problem was solved. appcmd.exe set config -section:system.webServer/proxy /timeout:"00:05:00" /commit:apphost Carlo It’s not the size of the dog in the fight, it’s the size of the fight in the dog. Mark Twain
-
Moving to Windows 2008: smartcard slow performance?
Suppose you have a web application which authenticates clients through a smartcard certificate and everything is working fine, then you decide to move your web application to Windows Server 2008 (which is a good decision in many ways ?) but your users are suddenly complaining about slow performance, pages are loading slower than they used to do and you cannot find any explanation on the network infrastructure, everything seems to be properly configured on the client and on the server… what is happening? Well, as you can imagine this is what happened to a customer I worked with recently. A closer look at the client showed that every time a new object in the page was loaded (images, script files, css…) the smartcard was checked for the certificate, resulting in a major performance loss. To make the story short, the behavior is controlled by client certificate negotiation, specifically by SSLAlwaysNegoClientCert which in IIS 7 has been moved to http.sys (see http://learn.iis.net/page.aspx/110/changes-between-iis-60-and-iis-7-security/); you can configure the <access> element as described or using netsh with a command such as the following: netsh http add sslcert ipport=0.0.0.0:$port certstorename=MY certhash=$Certhash appid=$Appnr sslctlidentifier=$CTLlijst sslctlstorename=CA clientcertnegotiation=enable Carlo Quote of the day: Human beings are perhaps never…
-
Sometimes they come back
Stephen King fans like me for sure know Night Shift, a collection of 19 short stories I first read almost (oh, my…) almost 20 years ago. In Italian the title of this collection has been translated as “A volte ritornano” which literally means Sometimes they come back. This is exactly what I thought yesterday when I got yet another version of the “503 Service Unavailable” error: after I have already written about this error here and here, I’m writing the third post about it. I’m wondering if I’ll end up with a 19 post collection as Night Shift has… 😏 Anyway, here’s the new story: the application pools of this web server were failing with the following error (eventid 281) The worker process for application pool ‘MSExchangeOWAAppPool’ encountered an error ‘Unrecognized attribute ‘precondition’ trying to read global module configuration data from file ‘\\?\C:\inetpub\temp\apppools\MSExchangeOWAAppPool.config’, line number ‘281’. Worker process startup aborted. As you can see the precondition keyword is mistyped (it should be preCondition, capital “C”) and if we changed the .config file mentioned in the error message we were able to start our application pool but randomly (most of the time after a reboot, though) the problem came back. Interesting…
-
IDEVDataCollector adds IIS6 support
It took me some time (mostly because of other demanding tasks and commitments I have for my daily job) but finally I have just updated IDEVDataCollector to support IIS 6, it’s available at the tool main page: https://www.cloudnotes.io/idevdatacollector/. Give it a try and let me know what you think ? P.s. Yes, I’m planning to release the source code too, stay tuned! Carlo Quote of the day: Clothes make the man. Naked people have little or no influence on society. – Mark Twain
-
Which files to collect? Here’s a tool for you
Over the last couple of months among other things I’ve been working on a tool to automatically the logs and information in my team we usually ask at the beginning of a new Support Call: all standard things such as IIS logs, event logs, .config files etc… Not all of those files are necessary for every case (as usual it depends on the problem at hand), but experience tells me the more information we have about the environment, the more chances we have to spot small inconsistencies, configuration problems etc… that sometimes can lay unnoticed and interfere with our work. So, enter our guest: IDevDataCollector I tried to keep the UI as simple and organized as possible, utilization is very easy, just run it and click the “Collect” button, sit there a couple of minutes (how much exactly will depend on the logs collected) and you’re done ?. Please note that I’m still working on it, this is just a preview release but I’d love to have your feedback/bug reports/feature requests etc…, keeping in mind that the scope of this tool is to facilitate troubleshooting and data collection for IIS/ASP.NET related problems, I am not interested (and probably do not…
-
Missing ASP.NET Tab (this time on Windows 2000)
I already wrote a post on this matter some time ago, but this week worked on the same problem on a Windows 2000 Server, of course 32 bit. Running aspnet_regiis -i did not help so we tried to run the script Tom provides in his post, but we got the error here below: Line 41 is “Set objIIS = GetObject(“IIS://” & strComputer & “/W3SVC/AppPools”)”, this path does not exist in IIS 5 metabase, hence the error. To adapt it to IIS 5 we removed the script section that checks for Enable32BitAppOnWin64. We run the script again and got this message: PASS: The current value of Restrict_Run is: 0 PASS: Successfully registered mmcaspext.dll PASS: Successfully registered AspNetMMC Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.1433 Copyright (C) Microsoft Corporation 1998-2004. All rights reserved. Types registered successfully Assembly exported to ‘C:\WINNT\Microsoft.NET\Framework\v2.0.50727\AspNetMMCExt.tlb’, and the type library was registered successfully PASS: Successfully registered Assembly Running aspmantst.exe to test the ASP.NET Tab snap-in Attempting to create the object as CLSCTX_LOCAL_SERVER. Create failed. hr: 80070005. QIhr: 80070005. GLE: 1008 Attempting to create the object as CLSCTX_REMOTE_SERVER to <machine_name>. Create failed. hr: 80070005. QIhr: 80070005. GLE: 1008 Attempting to create the object as CLSCTX_INPROC_SERVER. Object created. Attempting…
-
ASP.NET 1.1 not configurable in IIS Manager?
If you search the Internet you’ll likely find a good number of articles and blog posts about how to configure ASP.NET 1.1 on IIS 7, here are a couple of good examples: How to install ASP.NET 1.1 with IIS7 on Vista and Windows 2008 Workaround: Running ASP.NET 1.1 on Vista SP2/WS08 SP2 Thread: Running ASP.NET 1.1 with Windows 2008 64 bit and IIS 7.0 Something I have not found written elsewhere is why it is not possible configure ASP.NET properties from the IIS Manager interface? Even if you correctly configure the application pool (32 bit, Classic pipeline), use the workaround to avoid the error on applicationHost.config, add the IgnoreSectionHandler to avoid ASP.NET 1.1 runtime exceptions due to the not recognized IIS 7 configuration tags and finally the ASP.NET 1.1 pages works fine and are served correctly, you’ll not have the “ASP.NET” icon group in IIS Manager: As you can imagine, if you move the application to an application pool where you are running ASP.NET 2.0, the icon group appears where you expect it to be: Well, it turns out that ASP.NET 1.1 configuration is not supported by InetMgr.exe (the IIS Manager), you have to use appcmd.exe using /commit:machine (for machine.config)…
-
Three errors, one cause: me!
A few days ago I was working on a repro I got from a customer as I very often do, and for some reason after a while my IIS started to behave oddly, pages where not served, the application pool was stuck doing “something” and whenever I tried to open the IIS Manager I got the error “There was an error when trying to connect. Do you want to retype your credentials and try again? Cannot create a file when that file already exists”: Needless to say that being IIS on my local machine and I have not made any changes to the security/ACLs/DCOM etc… there should be no need to retype my credentials; and by the way, even retyping them did not help. By the way, if I tried to remotely connect to another machine of mine, I got the message “The type initializer for ‘Microsoft.Web.Management.Remoting.HttpChannel’ threw an exception”: My next step has been to try to restart the World Wide Web Publishing Service: it was (oddly?) stopped, but again I got an error “Windows could not start the World Wide Web Publishing Service service on Local Computer. Error 1068: The dependency service or group failed to start”: The…
-
IIS logs around midnight
Recently I had an interesting discussion with a friend of mine about IIS logging: basically he configured his web server to create a new log every day and then wanted to use a third party tool to extract some statistics and graphics from the logs. Unfortunately the tool often has troubles and gets weird results because sometime at the end of the old log file (the one about the ending day) they have some records whose date and time is into the new day. Something like the following: #Software: Microsoft Internet Information Services 7.0 #Version: 1.0 #Date: 2009-03-06 23:59:53 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2009-03-06 23:59:59 ::1 GET /MidnightTest/Never+doubt+thy+debugger.htm - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+InfoPath.2;+FDM;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0;+MS-RTC+EA+2;+MS-RTC+LM+8) 200 0 0 15 2009-03-06 23:59:59 ::1 GET /MidnightTest/Never+doubt+thy+debugger_files/global.js - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+InfoPath.2;+FDM;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0;+MS-RTC+EA+2;+MS-RTC+LM+8) 200 0 0 15 2009-03-06 23:59:59 ::1 GET /MidnightTest/Never+doubt+thy+debugger_files/light_sidebar_left_wide.css - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+InfoPath.2;+FDM;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0;+MS-RTC+EA+2;+MS-RTC+LM+8) 200 0 0 15 2009-03-06 23:59:59 ::1 GET /MidnightTest/Never+doubt+thy+debugger_files/customcss.css - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+InfoPath.2;+FDM;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0;+MS-RTC+EA+2;+MS-RTC+LM+8) 200 0 0 15 2009-03-06 23:59:59 ::1 GET /MidnightTest/Never+doubt+thy+debugger_files/vjr6phmypy.cache - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+InfoPath.2;+FDM;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0;+MS-RTC+EA+2;+MS-RTC+LM+8) 404 3 50 0 2009-03-06 23:59:59 ::1 GET /MidnightTest/Never+doubt+thy+debugger_files/msAnalytics.cache - 80 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+WOW64;+Trident/4.0;+SLCC1;+.NET+CLR+2.0.50727;+InfoPath.2;+FDM;+.NET+CLR+3.5.21022;+.NET+CLR+1.1.4322;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30618;+OfficeLiveConnector.1.3;+OfficeLivePatch.0.0;+MS-RTC+EA+2;+MS-RTC+LM+8) 404 3 50 0 2009-03-06 23:59:59…