Web Farm deosn't keep server affinity.

April 26, 2016, 8:40 pm

≫ Next: PlayReady DRM server error 0x8004c600

≪ Previous: VPN Service On Another Machine, IIS Redirect To It?

Good afternoon.

Following my previous thread, here is the other problem we are having with our new 2012 R2 core servers.

We have two load balancing servers in a cluster, and two web front ends that host the apps. Our ARR version is 2.5 (but it also does it in 3.0).

It seems that server affinity is not kept client side. We will have web sites that will throw errors once in a while when our session gets picked up by another server. We can see in the log files of the web app that we are testing that both servers are being poked, when only one should.

Right now our current 2008 R2 servers are working properly, as in we do not see this issue (they are running ARR 2.0).

We've tried with and without machine keys, and the error still presents itself. Now, our sites internally are accessed using the following url examples:http://[webappname]-[environment]. There is no . in the URL, so it might be this that is causing the issues (there is an article out there stating that this could cause the cookies not to be created). Could this be the issue?

If not, what else do I need to check?

Thank you

↧

PlayReady DRM server error 0x8004c600

April 29, 2016, 7:20 pm

≫ Next: ModSecurity and ARR

≪ Previous: Web Farm deosn't keep server affinity.

Hello,

I have a client which requests a license to decrypt a Smooth streaming content (live channel).

When the server receives the requests, it returns this error:

<faultstring>System.Web.Services.Protocols.SoapException: Internal service error
   at Microsoft.Media.Drm.RightsManager.ConvertRmServerExeception(RMServerException ex)
   at Microsoft.Media.Drm.RightsManager.AcquireLicense(XmlDocument challenge)</faultstring>
           <faultactor>http://10.10.33.221/PlayReady/rightsmanager.asmx</faultactor>
           <detail>
               <Exception>
                   <StatusCode>0x8004c600</StatusCode>

According to the code it means this:

This indicates a server problem. Device should silently retry 3 times. If failure persists, user must be informed about a server failure and to try again later

Would you have an idea on how to fix this?

Thanks,

↧

ModSecurity and ARR

April 30, 2016, 11:00 am

≫ Next: CG

≪ Previous: PlayReady DRM server error 0x8004c600

Fairly sure I know the answer to this but i thought I'd put it out there in case I'm missing something. Tested in the lab and it doesn't appear to work.

Is it possible to have the ModSecurity module process requests before they are handed off to URL Rewrite module?

I've moved the module to the top of the order list and I can see the events being logged in the app log on the ARR box but the request still gets routed to the web server as if the module didn't return a pattern match.

*Fixed - This does work. I'd not enabled the rules fully. Module order doesn't matter. Just change SecRuleEngine to On

↧

CG

April 30, 2016, 9:52 pm

≫ Next: Removing "=" from the end of the URL

≪ Previous: ModSecurity and ARR

WM_MESSAGE

↧

Removing "=" from the end of the URL

April 30, 2016, 11:58 pm

≫ Next: Fresh IIS Install on Windows 10 - DefaultAppPool problems

≪ Previous: CG

Hi,

I'm trying to create rewrite pattern that will redirect all URLs that have empty parameter at the end; specifically that have sub= at the end of the URL.

Old URL : www.example.com/loremipsum?sub=
New URL : www.example.com/loremipsum?sub

From my understanding, rewrite patter should be similar to removing trailing slash but I just cannot get it working.

Any thought would be appreciated.

Many thanks,
Nevena

↧

Fresh IIS Install on Windows 10 - DefaultAppPool problems

April 27, 2016, 7:42 pm

≫ Next: _vti_bin/ListData.svc/$metadata error when trying to update web reference to a traditional webservice(asmx)

≪ Previous: Removing "=" from the end of the URL

I just did a fresh install of IIS on Windows 10 Pro for the first time this system has ever had IIS installed. I used the Turn Windows Features on or off to install it. When it was done and I rebooted, I tried to access http://localhost and I get the error:

The current identity (IIS APPPOOL\DefaultAppPool) does not have write access to 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'.

Now this is a brand-new install - why wouldn't the installer have created everything it needs in order to get localhost to work? I shouldn't have to go in and manually create folders and assign permissions, should I? Are there other options I need to install to get it working? Why wouldn't the default of just installing IIS without customization work?

Thank you for your help!
Cindy

↧

_vti_bin/ListData.svc/$metadata error when trying to update web reference to a traditional webservice(asmx)

April 27, 2016, 3:25 pm

≫ Next: Failed to run operation 'RunRemote'. Failed to run method 'Microsoft.Web.Farm.GetInstalledProductsRemoteMethod' on server 'abc.xyz.com'.

≪ Previous: Fresh IIS Install on Windows 10 - DefaultAppPool problems

We're upgrading all our servers from 2003 to 2012R2. We're having some random issues and the only thing I'm able to reproduce is when I go a update web reference in visual studio connecting to one of our .asmx web services, it says it completes, but I'm getting.

/jobslip_update.asmx/_vti_bin/ListData.svc/$metadata

System.ServiceModel.EndpointNotFoundException

The service '/jobslip_update.asmx/_vti_bin/ListData.svc' does not exist.

at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.HandleRequest()
at System.ServiceModel.Activation.HostedHttpRequestAsyncResult.BeginRequest()

If I then change my host file to point to one of the IIS6 ones, I get no such error. Is the newer IIS trying to turn it into WCF?

↧

Failed to run operation 'RunRemote'. Failed to run method 'Microsoft.Web.Farm.GetInstalledProductsRemoteMethod' on server 'abc.xyz.com'.

May 2, 2016, 7:55 am

≫ Next: Web Farm Framework 2.2 Installation Problems

≪ Previous: _vti_bin/ListData.svc/$metadata error when trying to update web reference to a traditional webservice(asmx)

Hi,

We are getting this error in every 6-8 hours on our Web farm, application and platform provisioning both has been disabled.

Failed to run operation 'RunRemote'. Failed to run method 'Microsoft.Web.Farm.GetInstalledProductsRemoteMethod' on server 'abc.xyz.com'. Remote agent (URL http://abc.xyz.com:8173/WEBFARMAGENTSERVICE/) could not be contacted. Make sure the remote agent service is installed and started on the target computer. Unable to connect to the remote server. No connection could be made because the target machine actively refused it x.x.x.x:8173. Remote agent (URL http://abc.xyz.com:8173/WEBFARMAGENTSERVICE/) could not be contacted. Make sure the remote agent service is installed and started on the target computer. Unable to connect to the remote server. No connection could be made because the target machine actively refused it x.x.x.x:8173.

I have checked the Apphost.config , application and platform provisioning are in disabled in config as well. I don't why we are getting this error. Please find the below apphost config entry

↧

Web Farm Framework 2.2 Installation Problems

July 12, 2012, 8:02 pm

≫ Next: Invalid credentials

≪ Previous: Failed to run operation 'RunRemote'. Failed to run method 'Microsoft.Web.Farm.GetInstalledProductsRemoteMethod' on server 'abc.xyz.com'.

I have an IIS 7 environment running on Server 2008 R2. I have tried to install Web Farm Framework 2.2 with no luck. I have tried using the Web Platform Installer 4.0, I have launched the Web Farm Framework 2.2 app for the Web Platform Installer, and have tried the WebFarm2_x64.msi directly. Every time I initiate an install, it fails saying that: " This product did not install successfullly: Web Platform Installer is a pre-requisite for installing Web Farm Framework. Please install the Web Platform Installer from.." That's the message I get from the Web Platform Installer. I have the error log as well if it helps. Thanks in advance, Nate

↧

Invalid credentials

May 2, 2016, 7:28 pm

≫ Next: IIS 8.5 Configuration Editor settings problem

≪ Previous: Web Farm Framework 2.2 Installation Problems

I have an IIS 8 site that needs to read files from a location on the network part of a separate v lan. I can map the network location and read/write files using an account from that domain, however if I try to run my site under the same account at the same location it gives me username or password is incorrect.

↧

IIS 8.5 Configuration Editor settings problem

May 2, 2016, 2:33 pm

≫ Next: Application pool issue in failover

≪ Previous: Invalid credentials

I’d like to use IIS 8.5 built into Server 2012 R2 to perform client authentication and authorization, and am having difficulty finding a way to accomplish it.

I have a website configured with a server certificate, and the SSL settings require SSL and require a client certificate. I want to be able to specify which certificates are accepted. I can restrict the set of valid certificates to those that have been issued by a specific CA, but we need more granularity. Specifically, I want to be able to restrict specific web pages and web actions (e.g. POST) to users who supply a certificate with a specific content in their SubjectDN Common Name of their certificate.

I’ve used the IIS Configuration Editor for this web instance to enable:

clientCertificateMappingAuthentication,

iisClientCertificateMappingAuthentication, and

manyToOneMappings>

I want users whose CN starts with “no” and ends with “ocp” to be permitted to access a webpage, and any other certificate presented to be denied access. So these CNs should be permitted to access the website content:

cn-nob-12345-rocp

cn-nod-67890-wocp

cn-nop-33333-qocp

and these should not be permitted to access that content:

cn-xwy-12345-rocx

cn-xod-67890-wocp

cn-nop-33333-qocx

Here’s a snip from the applicationHost.config file in C:\Windows\System32\inetsrv\config

<system.webServer>

<rules>

</rules>

</add>

</manyToOneMappings>

</iisClientCertificateMappingAuthentication>

</authentication>

</security>

</system.webServer>

</location>

<system.webServer>

<rules>

</rules>

</add>

</manyToOneMappings>

</iisClientCertificateMappingAuthentication>

</authentication>

</security>

</system.webServer>

</location>

The two problems I’m having is that with this is (1) all trusted certificates are being accepted to have access to the web page, and the log file shows that a client cert that matches that criteria does not map to the webwriter account. I configured the log to report the IIS system variable for the client certificate subject DN.(2) The log file shows the correct Subject DN, but it does not show it being mapped to the “webwriter” account, as I expected.

Please let me know what I am doing wrong, and how to accomplish my goal.

↧

Application pool issue in failover

May 2, 2016, 1:55 pm

≫ Next: Menu driven Site creation?

≪ Previous: IIS 8.5 Configuration Editor settings problem

Hi,

I setup fail over in iis using ARR on two servers and it is working fine.

I am getting issue when the application pool is stopped. Let me explain you the sceniro.

I hosted a web site on two clusters, my aim is when the first server is down automatically the site in second server has to be online, and it is working as desired thing is when the application pool is stopped in the first server the site is not getting accessed from the server. it is just display http error 503: the service is unavailable. How can i fix this with out using shared configuration.

Note: i am not using Shared configuration.

↧

Menu driven Site creation?

March 2, 2012, 11:41 am

≫ Next: Struggling DBA lost in IIS

≪ Previous: Application pool issue in failover

So we would like to automate simple site creation as much as possible. I was thinking a simple HTA that would allow someone to fill in some blanks and then press a button to create a site.

Basicaly the HTA would "build" the Powershell command line with variables.

The command line would look like this:

$SN = Site Name

$SP = Port

$SPP = physical Drive

New-Item iis:\Sites\$SN -bindings @{protocol="http";bindingInformation=":$SP:`$SN"} -physicalPath $SPP

I have built an HTA that will do this, but now I am having problems getting it to run in the correct context.

1. I need to run the HTA as an administrator

2. It needs to call Powershell as an administrator

3. I believe it needs to run the commands in the iisconsole.

It's 2 and 3 that I don't know how to do.

If the HTA is not the way to go with this, then can someone suggest some other menu system?

↧

Struggling DBA lost in IIS

April 14, 2016, 8:14 pm

≫ Next: Open source version written in .Net

≪ Previous: Menu driven Site creation?

Hi,

From time to time we are running into an issue where we have many requests with the following state in IIS: RequestAcquireState.

We are using SqlSessionStateStore to manage sessions. When we have many requests in this state they eventually time out and go away. Sometimes they are there for over an hour.

What I do see when we have these hung sessions is an increase in the executions of the stored procedure TempGetStateItemExclusive3 in the ASPState database. Up to 2,000 every few seconds. Not good.

I was hoping someone could help me with the following questions:

1. How do these sessions hang

2. Do they cause any harm other than the increased db activity

3. Is it possible to kill the individual requests safely

4. Many people suggest a restart of the AppPool this is not good for people currently using the system

5. Is there a way of identifying these sessions in the ASPState database and what happens if you delete them

Thanks in advance for any help.

↧

Open source version written in .Net

May 3, 2016, 5:41 am

≫ Next: Webdav bewteen 2 domains with a 1 way trust.

≪ Previous: Struggling DBA lost in IIS

There are so many things I wish that the IIS Rewrite Module could do. I have thousands of rewrite rules after several big migrations of the site, and it takes way too long to execute all the rules for every request.

Instead of complaining about it, I decided to start an open source project to build a better URL Rewriter in .Net. It's reached version 1.0 and you can get the source code from here: https://github.com/Bikeman868/UrlRewrite.Net or you can install it into Visual Studio with the NuGet command "Install-Package UrlRewrite.Net".

I think it does everything that the standard IIS one does, it has a ton of features that the standard one doesn't, and it's several times faster (about 5x on my rewrite rules - let me know how well it does on yours). Take a look at the readme.md at the URL above to find out all the good stuff, and contact me if you think there is any way to make it better.

Thanks.

↧

Webdav bewteen 2 domains with a 1 way trust.

May 2, 2016, 4:19 pm

≫ Next: Failed Request Tracing in IIS 8

≪ Previous: Open source version written in .Net

Here is something that I am struggling with:

I have a IIS server running on windows 2008 on my DMZ – domain = EXTDOMAIN

I have a windows 2008 r2 file server in my LAN – domain = INTDOMAIN

There is a one way trust from INTDOMAIN to EXTDOMAIN.

I cannot publish a share via WebDAV from my INTDOMAIN file server to the IIS server on the EXTDOMAIN.

I opened a case with Microsoft, they are saying that the only way to get this to work is by establishing a 2 way trust, however, our security team does not allow there to be a 2 way trust between the domains.

Is there a work around that will work with a 1 way trust?

BTW -> This scenario worked under windows 2003 IIS, upgrading to windows 2008 broke the previously working setup.

Thanks!

Kevin

↧

Failed Request Tracing in IIS 8

May 3, 2016, 1:49 pm

≫ Next: testing

≪ Previous: Webdav bewteen 2 domains with a 1 way trust.

Hi,

I'm trying to get the username and client IP of the mailbox which has caused the failed log tracing. I tried failed OWA attempt but the usernaem which will be present in the buffer parameter is not present and the client IP which will be present as RemoteAddress is also absent. Those two parameters were present in IIS 7.5 but they are missing now in IIS 8. Do I have to do any additional configurations to get them in IIS 8 failed logs ?

Thanks in advance

↧

testing

May 3, 2016, 9:15 pm

≫ Next: HTTP to HTTPS rewrite - Exclude URLs

≪ Previous: Failed Request Tracing in IIS 8

this is test

↧

HTTP to HTTPS rewrite - Exclude URLs

April 23, 2016, 8:31 pm

≫ Next: Application Initialization Woes

≪ Previous: testing

Sorry, IIS rewrite newb here... please bear with me...Thanks!

Have a client that is using SharePoint 2013 and wanted to implement SSL using a wildcard cert. No problem, got that configured.
They want to redirect request to HTTPS, so installed URL Rewrite module and it works as expected, but it caused an issue that breaks SP search.

There is a Host Named Site Collection at the root, and they use a few MySites.

With the URL Rewrite in place it is redirecting the http://companyroothnsc.companyname.local to https://companyroothnsc.companyname.com . Note: the wildcard is *.companyname.com, so as the hnsc is a .local address, it doesn't resolve.

Also redirecting mysites.companyname.com to https, and the MySites SC is not (at least now) set up to use ssl.

Is there a way to use a condition in the redirect rule to exclude these two paths? Wondering if a {REQUEST_URI} could do that, bit I am not understanding how to configure the pattern for a specific path.

Thank you

↧

Application Initialization Woes

May 3, 2016, 7:20 pm

≫ Next: Remove all occurrences of special character from URL string

≪ Previous: HTTP to HTTPS rewrite - Exclude URLs

I'm testing out getting AI working on a Server 2012 R2/IIS 8 box. I've followed all the steps and successfully get the app pools to load items into the .NET cache when they're started.

My problem is when adding initialization pages, none of them seem to be called at all. I'm not sure what exactly I'm doing wrong, so I have a few questions;

Where exactly is the right place to add the initialization page params in the config? I've tried it at different levels/apps within the site but nothing seems to work.

What is the best way to validate the request is being sent to the page? Shouldn't I see these in the IIS log?

↧