Channel: port135.com

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms


While installing Microsoft Identity Manager on an IIS server, I came across this error message:

Runtime Error
Description: An exception occured while processing your request. Additionally, another exception occured while executing the custom error page for the first exception. The request has been terminated.

Runtime Error in IIS

The error message doesn’t say anything about the root cause. Therefore, I checked the Event Viewer logs.

Event ID 1310
Exception type: ConfigurationErrorsException    
Exception message: An error occurred creating the configuration section handler for customAuthentication: Exception has been thrown by the target of an invocation. (C:\Program Files\Microsoft Forefront Identity Manager\2010\Certificate Management\web\web.config line 582)

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms at System.Security.Cryptography.RijndaelManaged..ctor()


The first part of the warning (An error occurred creating the configuration section handler) is a red herring. There was nothing wrong with the web.config file.

The second part of the warning (This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms) revealed the root cause.

Solution for “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms” error

The issue was an incompatibility between the FIPS policy and the Certificate Management component of Identity Manager: with the policy enabled, .NET refuses to construct RijndaelManaged because it is not a FIPS-validated implementation, so the web.config section handler that uses it fails. After disabling FIPS, the site started working.

I explained how to configure FIPS in this post: Schannel – The internal error state is 10013. Here are the steps:

  1. Go to “Control Panel”.
  2. Click “Administrative Tools”.
  3. Double click “Local Security Policy”.
  4. In “Local Security Settings”, expand “Local Policies”. Then click “Security Options”.
  5. Double click “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.
  6. Select “Disabled”.
  7. Click “OK”.
  8. Restart the server.
Disable FIPS in group policy

You can run “gpupdate /force” instead of restarting, but I have seen the change not take effect in some cases, so I recommend restarting the server.

After the restart, check the FIPS setting and make sure it wasn’t enabled again. If it was, you will need to ask the security team to create an exception for this server.
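As an added check that is not part of the original post, the PowerShell below reads the registry value behind the policy, reports what the current process enforces, and tries the RijndaelManaged constructor that failed in the event log above. It assumes Windows PowerShell 5.1 (the .NET Framework runtime IIS hosts) started from an elevated prompt.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 (the .NET
# Framework runtime IIS hosts) started from an elevated prompt.

function Get-FipsPolicyState {
    # Backing store of "System cryptography: Use FIPS compliant algorithms for encryption,
    # hashing, and signing"; Group Policy writes the same value.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $policy = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    $enabledInRegistry = ($null -ne $policy) -and ($policy.Enabled -eq 1)

    # What the running CLR enforces. It is read once per process and cached, which is why
    # gpupdate alone is not enough for processes that were already running.
    $enforcedByClr = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # The constructor that failed inside the web.config section handler (Event ID 1310).
    $rijndaelOk = $true
    $rijndaelError = $null
    try {
        $alg = New-Object System.Security.Cryptography.RijndaelManaged
        $alg.Clear()
    } catch {
        $rijndaelOk = $false
        # GetBaseException unwraps PowerShell's MethodInvocationException wrapper.
        $rijndaelError = $_.Exception.GetBaseException().Message
    }

    [pscustomobject]@{
        EnabledInRegistry = $enabledInRegistry
        EnforcedByClr     = $enforcedByClr
        RijndaelManagedOk = $rijndaelOk
        RijndaelError     = $rijndaelError
    }
}

$state = Get-FipsPolicyState
$state | Format-List

if ($state.EnabledInRegistry) {
    Write-Warning 'FIPS policy is enabled; if you disabled it earlier, Group Policy re-applied it and this server needs an exception.'
} elseif ($state.EnforcedByClr -or -not $state.RijndaelManagedOk) {
    Write-Warning 'Registry says disabled, but this process still enforces FIPS; restart the server so every process picks up the change.'
} else {
    Write-Host 'FIPS policy is off; RijndaelManaged constructs without error.'
}
```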

The instructions I followed for installing Identity Manager on the IIS server are here.

For more information about FIPS validation check my other post out: FIPS 140-2 Validation and Compliance for Microsoft libraries (DLLs)

The post This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms appeared first on port135.com.


Remove older files in MachineKeys folder


The MachineKeys folder stores the private keys of certificates used by IIS and Internet Explorer. Because of a permission or application-code issue, this folder may fill up with thousands of files in a short time.

The permanent solution is to correct the permissions or fix the code so that the key files in this folder are removed automatically. However, if the permanent fix is taking a long time, you will need a practical way of removing old files from this folder.

Run the following command in Command Prompt to remove files older than 90 days from the MachineKeys folder (make sure to open Command Prompt as Administrator).

ForFiles /p "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" /s /d -90 /c "cmd /c del @file /F /A:S"
MachineKeys folder clean-up
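The following PowerShell is an added example, not the post's command: it does the same age-based clean-up but first collects the key container file names that certificates in the machine store still reference and skips them, since deleting the key file of a certificate still in use breaks that certificate. It assumes Windows PowerShell 5.1, an elevated prompt and the default MachineKeys path shown above, and it only lists candidates unless -Remove is passed.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 and an
# elevated prompt. Dry run by default; pass -Remove (optionally with -WhatIf) to delete.

function Remove-StaleMachineKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [string]$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
        [switch]$Remove
    )

    # Key container files that certificates in the machine stores still point to.
    $inUse = New-Object -TypeName 'System.Collections.Generic.HashSet[string]' `
                        -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    $certs = Get-ChildItem -Path 'Cert:\LocalMachine' -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.HasPrivateKey }
    foreach ($cert in $certs) {
        try {
            $key = $cert.PrivateKey        # RSACryptoServiceProvider for CSP-backed keys
            if ($key -and $key.CspKeyContainerInfo) {
                # UniqueKeyContainerName is the file name inside MachineKeys.
                [void]$inUse.Add($key.CspKeyContainerInfo.UniqueKeyContainerName)
            }
        } catch {
            # CNG-backed keys or keys this account cannot open: not a CSP file, skip.
        }
    }

    # Same selection as "ForFiles /d -90": last-modified older than the cut-off.
    $cutoff = (Get-Date).AddDays(-$Days)
    $candidates = @(Get-ChildItem -Path $Path -File -Force |
        Where-Object { $_.LastWriteTime -lt $cutoff -and -not $inUse.Contains($_.Name) })

    foreach ($file in $candidates) {
        if ($Remove) {
            if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove stale key file')) {
                Remove-Item -LiteralPath $file.FullName -Force
            }
        } else {
            Write-Output ('STALE  {0}  {1:yyyy-MM-dd}' -f $file.Name, $file.LastWriteTime)
        }
    }

    Write-Verbose ('{0} key file(s) older than {1} days; {2} container(s) still referenced by certificates were skipped' -f $candidates.Count, $Days, $inUse.Count)
}

# Review the list first, then delete.
Remove-StaleMachineKey -Days 90 -Verbose
# Remove-StaleMachineKey -Days 90 -Remove
```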

Why is the MachineKeys folder filling up?

There are four common reasons why the files in the MachineKeys folder are not automatically removed:

  • There is a permission issue that is preventing the OS from removing files from that folder. Compare the folder permissions with the ones listed in this document
  • There is a code-related issue: the application is not removing X.509 certificates once it has used them for communication. More details
  • Security software might be performing SSL inspection and causing these files to persist. Try disabling this software
  • The Enterprise CA might be failing to respond to the request. Check Event Viewer logs for the failed requests

If a file in MachineKeys is corrupted, check this post for solution: Service-specific error code -2146893818 (Event 7024 Invalid Signature)

When there is a permission issue on MachineKeys folder, you may run into Schannel errors as well. Here are the step-by-step instructions to solve Schannel 10013 error: https://port135.com/2018/11/24/schannel-the-internal-error-state-is-10013-solved/


DebugDiag error “System.Exception: AutoUpdate failed”


DebugDiag is one of the main tools to troubleshoot performance, memory, and crash related issues. While using this tool, you may run into a pop-up error saying “System.Exception: AutoUpdate failed“.

One or more errors occured
System.Exception: AutoUpdate failed. Please take steps to enable connectivity to the following URL in order to allow Automatic Update Notifications:
System.Net.WebException: The underlying connection was closed: An unexpected error occured on a send. System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host

System.Exception: AutoUpdate failed
DebugDiag update error

Solution for DebugDiag AutoUpdate failed error

DebugDiag AutoUpdate functionality checks if there is a new version. If there is, it provides you a link to download it.

For this functionality to work, you should whitelist the following URL in your firewall:

https://debugdiag.azurewebsites.net/

To download the latest version of DebugDiag: Download

You can use predefined rules to collect dump files. DebugDiag also allows you to collect a manual dump. If you notice a service in “Suspended” state after manual dump collection, check this post out: w3wp.exe is Suspended after dump collection


Missing Custom Error Page (CWE ID 756) vulnerability


IIS comes with a default website as well as default error pages. In order to help developers and server administrators troubleshoot issues, these error pages may provide detailed information about the application and server. Therefore, some penetration testing tools may flag this situation as a vulnerability.

Here is the vulnerability a security scan tool flagged because the default error page was in use:

Missing Custom Error Page (CWE ID 756)
The software fails to return custom error pages to the user, possibly resulting in an information leak.
Ensure that all error pages are customized and default error pages are returned to users.

Missing Custom Error Page vulnerability
Vulnerability: Missing Custom Error Page

More information about this type of weakness is here.

Solution for Missing Custom Error Page (CWE ID 756) vulnerability

Unless you enable detailed error pages for remote requests, I wouldn’t classify this situation as a vulnerability. However, if you want your users to see more meaningful error pages and you want to have a clean security scan report, you can create custom error pages.

IIS setting for detailed error pages

In the case I worked on, the pentest tool brought up this report for a folder that doesn’t have a default index page. For this situation, there are a few easy workarounds:

  1. Add an index.html file to the folder and move index.html to the top of the Default Document list for that folder in IIS Manager. This should prevent that URL from being flagged again
  2. Customize the IIS default page for the 403 error (C:\inetpub\custerr\en-US\403.html). The pentest tool is likely to mark the URL as passed if that page is customized
  3. Enforce custom error pages in web.config

Here are solutions for several other vulnerabilities I have come across in the past:


500 Internal Server Error for AspNetInitClrHostFailureModule (0x80131704 – 2148734724)


HTTP status code 500 (Internal Server Error) points to a range of issues, from coding to configuration. Failed Request Tracing (FREB) helps determine the underlying issue, which in this case was AspNetInitClrHostFailureModule with error code 0x80131704 (2148734724).

The full error message from the FREB log:

An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur.

ModuleName: AspNetInitClrHostFailureModule
Notification: BEGIN_REQUEST
HttpStatus: 500
HttpReason: Internal Server Error
ErrorCode: 2148734724

AspNetInitClrHostFailureModule (0x80131704 - 2148734724)

This issue started occurring after migrating the application from Windows Server 2008 R2 to Windows Server 2012 R2.

Root cause of 0x80131704 error (2148734724)

The error code 2148734724 translates to 0x80131704 in HEX (Use Windows Calculator in Programmer mode to calculate this value).

0x80131704 HEX code means: “A different runtime was already bound to the legacy CLR version 2 activation policy” (Reference).

As the error message mentions, there is a conflict with the runtime version IIS is trying to use to run the application. Either web.config or another mechanism is forcing the application to run on an unsupported .NET framework version.

In my case, it was w3wp.exe.config (Located in C:\Windows\SysWOW64\inetsrv\). There was this line at the end of the file:

<startup><supportedRuntime version="v2.0.50727"/></startup>

This is what caused the issue. The application was developed to run on .NET Framework 4.0 or a newer version. However, the config line above forced IIS to run this application on .NET Framework 2.0.

Solution for 500 Internal Server Error related to AspNetInitClrHostFailureModule

We removed the supportedRuntime line (the full line is above) from w3wp.exe.config in the C:\Windows\SysWOW64\inetsrv\ folder, then restarted IIS. The application started working afterwards.

Note: This issue surfaced with “Unrecognized attribute ‘targetFramework’” message first. It was complaining about the compilation targetFramework="4.5" line in the web.config. Event Viewer showed “The application has reported as being unhealthy. The worker process will now request a recycle. Reason given: An error message detailing the cause of this specific request failure can be found in the application event log of the web server. Please review this log entry to discover what caused this error to occur. The data is the error.” message. Removing targetFramework line from the web.config revealed the actual issue which I described above (More about targetFramework error).

If you have already tried this solution but are still seeing the 0x80131704 error, please check the posts below for other causes and solutions of the 500 Internal Server Error issue:


Unexpected end of file has occurred (There was an error while performing this operation)


We use IIS Manager to manage the websites hosted on the web server. What if IIS Manager crashes as soon as you open it? In my case, it showed this error message: There was an error while performing this operation. Unexpected end of file has occurred

Full error message:

There was an error while performing this operation

Filename: C:\windows\system32\inetsrv\config\applicationhost.config
Line number: 1026
Error: Unexpected end of file has occurred. The following elements are not closed: modules, system.webServer, location, configuration. Line 1026, position 252

There was an error while performing this operation - Unexpected end of file has occurred
IIS Manager crash

Solution for the “Unexpected end of file has occurred” error

I like how much detail there is in the error message. It tells you which line (1026) in which file (applicationHost.config) has the issue and what the issue is (the modules, system.webServer, location and configuration elements are not closed).

When I looked into the file, I saw that it was actually cut off at line 1026. There was nothing else afterwards. Given the issue history (it started occurring after building this server from a copy of a virtual machine disk), it’s not hard to guess that something went wrong while copying this file.

You can solve this issue by:

  • Manually editing the config file (for example, if an element is missing a closing tag, you can add that tag manually)
  • Copying the config file from a backup, if you have one
  • Restoring the virtual machine (again, if you have a backup)
  • If there is another server with the same sites and configuration, comparing the files and copying the missing lines across
  • Reinstalling IIS and creating the sites from scratch (last resort)

If none of these solutions works, check out this post to find out the other common reason for a config-file-related IIS Manager crash: The configuration section rewrite/globalRules cannot be read because it is missing a section declaration


W3C Logging Service failed to connect to the pipe server (Event ID 6005)


IIS has a component called the application pool. This is a container that runs worker processes under certain application and system related settings. In some cases, you may see the “W3C Logging Service failed to connect to the pipe server” error in Event Viewer with Event ID 6005 after an application pool recycle.

The error message:

W3C Logging Service failed to connect to the pipe server in the worker process with pipe name ‘\.\pipe\iislogpipe6f62391f-d2f8-4a27-bcb0-8388b3j2e8458’.

Error "W3C Logging Service failed to connect to the pipe server" (Event ID 6005)

Root Cause

The W3logsvc process maintains a named pipe to the w3wp.exe process in order to receive the details of each request for building the log data.

The event error (6005, W3LOGSVC_EVENT_WP_FAILED_IPM_CONNECT) happens when the pipe connection is not available anymore.

Solution for “W3C Logging Service failed to connect to the pipe server” error (Event ID 6005)

If this error happens during application pool recycle but it doesn’t cause any application availability issues, it’s okay to ignore it.

In my case, it happens every day after 4am, which is when the periodic application pool recycle runs. It sometimes happens during the day as well. When I looked into those occurrences, I saw that there were application pool recycles right before the Event ID 6005 was recorded, so they are also expected.

This issue started occurring after system admins migrated the application from Windows Server 2012 R2 to 2019. This means there was a change in regards to the handling of W3C Logging Service.

If you think this error is related to application unresponsiveness and 503 error, check out this post for the solution: HTTP 503 Service Unavailable (Application pool has been disabled)


Creating an instance of the COM component with CLSID failed (800700b7)


System administrators use IIS Manager to manage the applications they host in web servers. If IIS Manager doesn’t open because of an error such as “Creating an instance of the COM component with CLSID failed (800700b7)”, it may cause delays in maintenance and migrations.

The error message:

There was an error when trying to connect. Do you want to retype your credentials and try again?

Details:
Creating an instance of the COM component with CLSID from the IClassFactory failed due to the following error: 800700b7. Cannot create a file when that file already exists. (Exception from HRESULT: 0x800700B7).

Error "Creating an instance of the COM component with CLSID failed (800700b7)"

Solution for the “Creating an instance of the COM component with CLSID failed (800700b7)” error

This issue occurs when there is a missing, corrupt or duplicate library that prevents IIS Admin Service from running. It may happen after an in-place upgrade, migration, Windows updates or any other operation that works with system libraries.

There are a couple things to check if you run into this issue:

  • Have a look at Application and System sections in Event Viewer to find out information about the root cause
  • Collect a trace by using Process Monitor and look for any failures. It’s possible that the root cause hides behind a SUCCESS message so don’t be surprised if everything looks good in the trace (Example). Take another trace from a working server and compare them

If you can’t find out the root cause from logs and traces, here are a few things to try for solving this issue (Check if IIS Manager opens successfully after each step):

  1. Uninstall and reinstall IIS Management Tools
  2. Try to start IIS Admin Service in the Services window
  3. Run iisreset in an admin Command Prompt
  4. Run aspnet_regiis -I in an admin Command Prompt
  5. Reinstall the .NET Framework version you have
  6. Check the permissions on this folder: c:\programData\Microsoft\crypto\RSA\machineKeys
     Make sure Everyone has Read/Write and Administrators have all permissions (A related forum post)
  7. If nothing works, uninstall and reinstall IIS (Similar issue)

If the error message mentions a problem with local activation, check this post out for the troubleshooting steps: DCOM 10016 Local Activation permission for the COM Server



Cannot add duplicate collection entry of type (0x800700b7)


From application slowness to 500 errors, we use Failed Request Tracing logs to get clues about the root cause of website-related issues. However, the tracing itself may become the subject of troubleshooting because of an error like “Cannot add duplicate collection entry of type (0x800700b7)”.

This is the error message I saw for one of the applications after I enabled Failed Request Tracing on the IIS server:

Cannot add duplicate collection entry of type ‘add’ with unique key attribute ‘path’ set to ‘*’

Error code: 0x800700b7

Error "Cannot add duplicate collection entry of type (0x800700b7)"

Solution for the “Cannot add duplicate collection entry of type (0x800700b7)” error

The error message mentions a duplicate record so the first thing to try is checking the web.config for identical definitions:

  1. Enable Failed Request Tracing
  2. Add a rule
  3. If the issue occurs, check web.config file. Are there two sets of Failed Request Tracing rules even though you added only one?

If there are no duplicate entries, check the tracing module in all application, site, and server levels in IIS Manager. Make sure there are no conflicting rules. Do the same for applicationHost.config file. Make sure tracing for the same site is not enabled more than once.

After making sure there is only one rule, if the issue persists, add the line below into web.config. It will remove all existing rules to prevent duplication (Related forum post).

<remove path="*" />

The entire configuration of the Failed Request Tracing rule in the web.config:

<configuration>
    <system.webServer>
        <tracing>
            <traceFailedRequests>
                <remove path="*" />
                <add path="*">
                    <traceAreas>
                        <add provider="ASP" verbosity="Verbose" />
                        <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
                        <add provider="ISAPI Extension" verbosity="Verbose" />
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions statusCodes="500" />
                </add>
            </traceFailedRequests>
        </tracing>
    </system.webServer>
</configuration>

A side note: in my case, the environment where this issue occurred had two IIS servers pointing to the same web.config (located on a network share). This made the issue more complicated.

There could be more than one root cause of the 0x800700b7 error. If the issue is still occurring after the config change above, check this post out: Creating an instance of the COM component with CLSID failed (800700b7)


The Web Management Service could not be started (2147483656)


Numerous Microsoft products rely on IIS to perform fundamental functions. One of these products is SCCM (System Center Configuration Manager). Its management points run on IIS. If wmsvc service doesn’t start because of an error like “The Web Management Service could not be started (2147483656)”, management points may run into issues.

Web Management Service enables remote administration of IIS. Therefore, it is crucial in many scenarios.

Here is the error PowerShell displayed when I tried to run Web Management Service:

Solution for the error “The Web Management Service could not be started (2147483656)”

Follow the steps below to solve this issue:

  • In IIS Manager, go to Management Service Delegation and make sure “Allow administrators to bypass rules” is checked (in Edit Feature Settings window)
IIS allow administrators to bypass rules
  • Go to “Management Service” and select the self-signed certificate. If there is no self-signed certificate, create one in the “Server Certificates” window
  • Try to enable Management Service again

If you come across this issue while trying to deploy an application from Visual Studio, check this post out for the solution: Web Deploy experienced a connection problem (ERROR_CONNECTION_TERMINATED)


Message Metadata contains a reference that cannot be resolved


While trying to connect to Dynamics 365 from a WCF service hosted in IIS, I came across this error message:

Message Metadata contains a reference that cannot be resolved: ‘https://url.dynamics.com/XRMServices/2020/Organization.svc?wsdl&sdkversion=9’.
StackTrace:
   at System.ServiceModel.Description.MetadataExchangeClient.MetadataRetriever.Retrieve(TimeoutHelper timeoutHelper)
   at System.ServiceModel.Description.MetadataExchangeClient.ResolveNext(ResolveCallState resolveCallState)
   at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(MetadataRetriever retriever)
   at System.ServiceModel.Description.MetadataExchangeClient.GetMetadata(Uri address, MetadataExchangeClientMode mode)
   at Microsoft.Xrm.Sdk.Client.ServiceMetadataUtility.RetrieveServiceEndpointMetadata(Type contractType, Uri serviceUri, Boolean checkForSecondary)

We also saw the error below during testing:

InnerException System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at

Root Cause

As mentioned in this Microsoft article, Dynamics 365 started requiring TLS 1.2 after version 9.x (For Government edition, version 8.2). Therefore, connections that don’t use TLS 1.2 started failing after this update.

Any connections to Dynamics 365 (online) version 9.x or Dynamics 365 (online) Government version 8.2 will fail if they do not use TLS 1.2 security protocol.  This will impact several Dynamics services (listed below), including access to the Dynamics 365 Customer Engagement web application.  

Solution for “Message Metadata contains a reference that cannot be resolved” error

You can solve this issue by forcing the WCF service to use TLS 1.2. Sample code is below.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

If the issue still persists, check out the other TLS related errors below.


Invalid length for a Base-64 char array or string


In a case I worked on, the error message “Invalid length for a Base-64 char array or string” was being logged by the application hundreds of times a day. There were no user-side issues, but the monitoring tool (DynaTrace) kept reporting this error.

Root Cause

In order to understand this error message, we should first understand how ASCII text is encoded to Base64. Long story short: each ASCII character is 8 bits, but each Base64 character carries only 6 bits, so every 3 input bytes become 4 output characters. When the input length is not a multiple of 3, padding characters (=) are appended so that the encoded string’s length is still a multiple of 4.

Invalid length for a Base-64 char array or string
Source: Wikipedia

Wikipedia explains this conversion very well with examples: Base64

The application throwing this error is probably using the Convert.FromBase64String method to decode the Base64 string. If you log the encrypted string somewhere when this exception is thrown, you can find out what is wrong with it. However, even without looking at the string, I can tell that the issue is probably its length, as the error message points out. The length of a Base-64 string must be a multiple of 4; if it isn’t, padding characters (=) should be added to the end.

More information about the method: FromBase64String

Solution for the “Invalid length for a Base-64 char array or string” error

Implement the code block below to check the string length and add padding characters if needed:

// Base64 text must be a multiple of 4 characters long; restore any stripped '=' padding.
int mod4 = encryptedtext.Length % 4;

if (mod4 > 0)
{
    encryptedtext += new string('=', 4 - mod4);
}

byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);

You can also use HttpUtility.UrlDecode to solve this issue.

Still Seeing the Error?

The second most common root cause of the Base-64 related errors is the space character in the encrypted string. In order to solve this issue, replace space with plus (+) sign.

Sample code:

// A '+' in a query string is turned into a space by URL decoding; put it back before decoding.
string stringToDecrypt = CypherText.Replace(" ", "+");
byte[] inputByteArray = Convert.FromBase64String(stringToDecrypt);
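The PowerShell below is an added example (not the post's code) that combines the two fixes above, the missing padding and the space that should be a plus sign, in one decoder around the same Convert.FromBase64String call, and also accepts the URL-safe alphabet. The sample inputs are constructed for this example.

```powershell
# Added example, not from the original post. Works in Windows PowerShell 5.1 and later.

function ConvertFrom-LenientBase64 {
    param([Parameter(Mandatory)][string]$Text)

    # Line breaks and tabs are ignored by FromBase64String but would skew the length check.
    $s = $Text -replace '[\t\r\n]', ''
    # A '+' in a query string is decoded as a space by URL decoders; put it back.
    $s = $s.Replace(' ', '+')
    # Also accept the URL-safe alphabet (RFC 4648 section 5), which FromBase64String rejects.
    $s = $s.Replace('-', '+').Replace('_', '/')

    # Length must be a multiple of 4; a remainder of 1 can never be valid Base64.
    $mod4 = $s.Length % 4
    if ($mod4 -eq 1) { throw "Invalid Base64 length $($s.Length) for input '$Text'" }
    if ($mod4 -gt 0) { $s += '=' * (4 - $mod4) }

    return [System.Convert]::FromBase64String($s)
}

# Constructed samples and the text each one decodes to.
$samples = @(
    'aGVsbG8=',     # hello    (well-formed)
    'aGVsbG8',      # hello    (padding stripped by a client)
    'aGVsbG8hPw',   # hello!?  (two padding characters missing)
    'aGl ',         # hi~      ('+' became a space during URL decoding)
    'Pz8_Pw'        # ????     (URL-safe '_' for '/' and no padding)
)

foreach ($sample in $samples) {
    $bytes = ConvertFrom-LenientBase64 -Text $sample
    '{0,-14} -> {1}' -f "'$sample'", [System.Text.Encoding]::ASCII.GetString($bytes)
}
```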

If you are receiving “400 Bad Request” message along with the Base64 error, check this post out: HTTP 400 Bad Request (Request header too long)


Error 13: The data is invalid (WAS service)


IIS depends on the World Wide Web Publishing service to host websites, and this service has a dependency on the Windows Process Activation Service (WAS). In some cases, WAS may not start because of the “Error 13: The data is invalid” error.

The error messages:

“Windows could not start the Windows Process Activation Service service on Local Computer. Error 13: The data is invalid”

“The Windows Process Activation Service service terminated with the following error:
The data is invalid.”

Event 7023 for Service Control Manager: “The Windows Process Activation Service service terminated with the following error: The data is invalid.”

Event 7023 for Service Control Manager

Solution for Error 13: The data is invalid

If you see the “The data is invalid” error with the WAS service, the first thing to check is the IIS configuration file (applicationHost.config). This file is probably corrupted, and any issue with the file will prevent IIS from functioning.

Go to C:\Windows\System32\inetsrv\config\ folder and open applicationHost.config file. Make sure you see <configuration> in the beginning and </configuration> at the end. Most of the time, you won’t see the closing tag. Instead, there will be unknown characters that mean the file is corrupted. Sometimes, you may not see any content at all which is also an issue.

Screenshot of a corrupted applicationHost.config file:

Screenshot of a corrupted applicationHost.config file that causes Error 13

If there is something wrong with this file, your options are:

  • If there is a backup of this file, replace it
  • Even if you don’t have a backup of the file, you may have a backup of the entire server. Try to get the file from that backup
  • If there is another server hosting the same websites with the same configuration, try to get the parts of the file from that server to fix the corruption in the non-working server
  • In case you don’t have backup or another server, you can try to fix the corrupted part manually. Sometimes, only a few closing tags are missing. You can easily fix the issue if that’s the case. However, if a big portion of the file is corrupted, this method may not work
  • If the file is completely empty and you don’t have a backup or another server, you will need to uninstall and reinstall IIS. This will create a brand-new configuration file. However, you will need to create the sites and application pools from scratch
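As an added check that is not part of the original post, this PowerShell tests an applicationHost.config for the two corruptions described here and in the “Unexpected end of file” post above: an empty file and a truncated file with unclosed elements. It assumes Windows PowerShell 5.1 and an elevated prompt when pointed at the real file; the truncated sample it writes to a temp file is constructed.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1; reading the
# real file under C:\Windows\System32\inetsrv\config\ needs an elevated prompt.

function Test-IisConfigFile {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{ Path = $Path; Ok = $false; Problem = $null }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Problem = 'file is missing'
        return [pscustomobject]$result
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    if ((Get-Item -LiteralPath $full).Length -eq 0) {
        $result.Problem = 'file is empty (0 bytes); restore it from a backup or reinstall IIS'
        return [pscustomobject]$result
    }

    $reader = $null
    try {
        # XmlReader reports the line/position of the first well-formedness error and, for a
        # truncated file, the list of unclosed elements, like IIS Manager's crash dialog.
        $reader = [System.Xml.XmlReader]::Create($full)
        $root = $null
        while ($reader.Read()) {
            if ($null -eq $root -and $reader.NodeType -eq [System.Xml.XmlNodeType]::Element) {
                $root = $reader.Name
            }
        }
        if ($root -ne 'configuration') {
            $result.Problem = "root element is '$root', expected 'configuration'"
        } else {
            $result.Ok = $true
        }
    } catch {
        # Unwrap PowerShell's method-invocation wrapper to get the XmlException message.
        $result.Problem = $_.Exception.GetBaseException().Message
    } finally {
        if ($reader) { $reader.Dispose() }
    }
    return [pscustomobject]$result
}

# Constructed sample: the tail of the file is missing, like the copy that broke IIS Manager.
$truncated = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" />
'@
$tmp = Join-Path $env:TEMP 'applicationHost.sample.config'
Set-Content -LiteralPath $tmp -Value $truncated -Encoding UTF8

# Expect Ok = False and a Problem naming the unclosed modules, system.webServer,
# location and configuration elements with the line where the file ends.
Test-IisConfigFile -Path $tmp | Format-List

# On a real server:
# Test-IisConfigFile -Path 'C:\Windows\System32\inetsrv\config\applicationHost.config'
```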

If you are seeing “The Windows Process Activation Service encountered an error trying to read configuration data” error, check this post out for the solution: Windows Process Activation error (NetFx40_IIS_schema_update.xml)

Error 13 may refer to a coding issue as well. More information: Type mismatch


Adding a Custom Error Page for 401 Error Breaks Windows Authentication


Many companies create custom error pages to provide a more meaningful message to users if there is an issue with the website. IIS provides an easy way to add custom error pages in IIS Manager. However, using IIS Manager to add a custom page for 401 errors may break Windows Authentication.

If your website keeps prompting credentials even though you enter the correct username and password, your custom error page might be the one causing the issue.

What to Do If The Custom Error Page for 401 Status Breaks Windows Authentication

This behavior is by design. It is expected for Windows Authentication to break if there is a new custom error page for 401 errors. 401 challenge is not designed to work with customized error pages.

You may try some of the workarounds suggested on the internet, like the ones here, but it’s unlikely that a new page will work with the 401 challenge.

Instead of trying to add a new custom error page, I would recommend editing the IIS default error page located at %SystemDrive%\inetpub\custerr\en-US\401.htm

Custom Error Page for 401

Simply open this file in Notepad and make your changes, for example a user-friendly message with the IT Support contact information. Then save it as an .htm file and replace the existing one.

If the sub-status code for 401 error is 2, the issue might be different. Check this post out for the solution: IIS binding limit (401.2 Windows Authentication error)


Application Request Routing is Not Available in IIS Manager


Application Request Routing (ARR) is a feature that allows IIS to work as load balancer. By using this feature, IIS can route traffic to multiple web servers based on the specific rules. This is a module that doesn’t come with IIS by default so you will need to install it separately. However, even if you install it, it may not show up in IIS Manager.

Here is how a server farm looks when the ARR settings don’t show up:

Application Request Routing is Not Available in IIS Manager

Solution for Making Application Request Routing Available in IIS Manager

Something probably went wrong during the ARR installation. The steps below should fix the issue and make ARR settings available in IIS Manager.

  1. Remove ARR from Add/Remove Programs
  2. Remove the server farm
  3. Install ARR back
  4. Restart IIS
  5. Close and open IIS Manager

If you remove ARR and install it back without removing the server farm, IIS Manager will still be broken. So it’s important to follow the steps above in order.

If you are not sure whether ARR is installed, see: How to check if ARR (Application Request Routing) extension is installed in IIS?



How to Change or Remove Response Headers using URL Rewrite in IIS

IIS attaches a set of headers like Content-Type and X-Powered-By to the response by default. In addition to these headers, developers can also add custom headers. If you want to change or remove one of these response headers, you can use URL Rewrite rules in IIS Manager.

Change Response Headers using URL Rewrite

Follow the steps below to change the value of a response header. Please note that these steps won’t remove a response header. They will only change the value.

For this post, I changed the value of the ETag header, which is one of the default headers.

Change Response Headers using URL Rewrite

There are two high-level steps:

  • Add a server variable
  • Add a URL Rewrite rule to edit this server variable

Steps to add a server variable

  1. If you haven’t already, install URL Rewrite and reopen IIS Manager
  2. Click on the website
  3. Double click on URL Rewrite
  4. On the right side, click View Server Variables
  5. Click Add
  6. Enter RESPONSE_ETag and click OK
URL Rewrite Server Variables

Steps to add a URL Rewrite rule

  1. In IIS Manager, click on the website
  2. Double click on URL Rewrite
  3. On the right side, click Add Rule(s)
  4. Select Blank rule in Outbound Rules section and click OK
  5. Fill out the fields with the following values
    • Precondition: None
    • Matching scope: Server Variable
    • Variable name: RESPONSE_ETag
    • Variable value: Matches the Pattern
    • Using: Regular Expressions
    • Pattern: .*
    • Ignore case: checked
    • Conditions: none
    • Action type: Rewrite
    • Value: newvalue
    • Replace existing server variable value: checked
  6. On the right side, click Apply
  7. Clear the cache and refresh the page (or hit Ctrl + F5). The ETag header should now have the value “newvalue”

Here is how the Match section of the rule looks:

Outbound rule Match section

Action section:

Outbound rule Action section

New value:

New ETag value
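The same two steps can be scripted with the WebAdministration module instead of clicking through IIS Manager. This is an added example, not code from the original post; it assumes URL Rewrite is installed and that the site is named “Default Web Site” (both the site name and the rule name are assumptions).

```powershell
# Added example, not from the original post. Assumes URL Rewrite is installed and
# that the target site is "Default Web Site"; the site and rule names are assumptions.
Import-Module WebAdministration

$site     = 'Default Web Site'
$ruleName = 'Rewrite ETag'
$sitePath = "IIS:\Sites\$site"

# Step 1 (server level, applicationHost.config): allow the RESPONSE_ETag server
# variable. This is what "View Server Variables > Add" does in IIS Manager.
$allowed = 'system.webServer/rewrite/allowedServerVariables'
$already = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
             -Filter "$allowed/add[@name='RESPONSE_ETag']" -Name name
if (-not $already) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $allowed `
        -Name '.' -Value @{ name = 'RESPONSE_ETag' }
}

# Step 2 (site level, web.config): the blank outbound rule with the values from the
# post. ignoreCase is true by default, so it is not set explicitly.
$rules = 'system.webServer/rewrite/outboundRules'
$rule  = "$rules/rule[@name='$ruleName']"
if (-not (Get-WebConfigurationProperty -PSPath $sitePath -Filter $rule -Name name)) {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $rules -Name '.' -Value @{ name = $ruleName }
}
Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/match"  -Name serverVariable -Value 'RESPONSE_ETag'
Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/match"  -Name pattern        -Value '.*'
Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name type           -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name value          -Value 'newvalue'
Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name replace        -Value $true

# Verify from the server itself: shows the rewritten value if the response carries an ETag.
(Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing).Headers['ETag']
```

The script is idempotent: re-running it does not add a second server variable or a duplicate rule, it only re-applies the match and action values.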

If you want to change a header to prevent Host Header Attack, check this post out: Solution for Host Header Attack and Vulnerability. Other useful links: Post 1, Post 2


Failed to commit configuration changes. Keyset does not exist (80090016)

While trying to set application pool identity in IIS Manager, I came across “Keyset does not exist” error. When I looked at the Event Viewer, I saw this message:

ERROR ( hresult:80090016, message:Failed to commit configuration changes. Keyset does not exist)

Solution for “Keyset does not exist” error (hresult:80090016)

This issue occurs when there is a problem with the machine keys. These keys are located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

There are three machine keys that IIS uses for encryption. The first thing to check is whether these files exist. If they don’t, you will need to reinstall IIS so that the files are recreated.

6de9cb26d2b98c01ec4e9e8b34824aa2_GUIDiisConfigurationKey
d6d986f09a1ee04e24c949879fdb506c_GUIDNetFrameworkConfigurationKey
76944fb33636aeddb9590521c2e8815a_GUIDiisWasKey
Machine key files used by IIS

If the files exist in MachineKeys folder, check their security permissions. In my case, these files didn’t have owners.

hresult:80090016 Failed to commit configuration changes. Keyset does not exist

After taking ownership, I saw that only the IIS_IUSRS account was in the permission list. I added the DatabaseAdministrators group to the Security list, which brought back the other required permissions as well. We were able to change the application pool identity password afterwards.

Note: If you see 0x8009000D error along with “Keyset does not exist” message, please check this post.

If there is a huge amount of files (thousands of them) in the MachineKeys folder, there might be another issue. More details: Remove older files in MachineKeys folder


Timeout Error Caused by Idle Time-Out Action Suspend

While logging in to an application, or navigating after login, the page was spinning for about a minute and then giving a timeout error. The error message:

The open operation did not complete within the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. The socket transfer timed out after 00:01:00. You have exceeded the timeout set on your binding.

The application utilizes a WCF service. We collected a dump file from both the ASPX page and WCF service while the page was spinning. Here are the exceptions we saw in the dump files:

Exception Type : System.Net.Sockets.SocketException
Message: An existing connection was forcibly closed by the remote host
InnerException: <none>
StackTrace:
System.ServiceModel.Channels.SocketConnection.Write(Byte[], Int32, Int32, Boolean, System.TimeSpan)
Exception Type : System.ServiceModel.CommunicationException
Message: The server did not provide a meaningful reply; this might be caused by a contract mismatch, a premature session shutdown or an internal server error.
InnerException: <none>
StackTrace:
System.Runtime.AsyncResult.End[[System.__Canon, mscorlib]](System.IAsyncResult)
System.ServiceModel.Activation.WorkerProcess.EndDispatchSession(System.IAsyncResult)
Exception Type : System.IO.PipeException
Message: There was an error reading from the pipe: The pipe has been ended. (109, 0x6d).
InnerException: <none>
StackTrace:
System.ServiceModel.Channels.PipeConnection.OnAsyncReadComplete(Boolean, Int32, Int32)

The Event Viewer showed these errors as well:

Screenshot of the duplicate socket error related to Idle Time-Out Action Suspend

Solution for the Timeout Error Caused by Idle Time-Out Action Suspend

For this website, Idle Time-out Action in the application pool settings was set to “Suspend”. This option isn’t helpful in many scenarios. I don’t recommend using it.

Setting Idle Time-out Action to Terminate solved the issue. The website started displaying pages without any problems.

Idle Time-out Action in application pool settings

Note: This IIS server had a separate issue as well. The appdomain was being recycled intermittently, which we traced to the antivirus software. It is recommended to exclude certain IIS folders from antivirus scans.

If you would like to find out who changed the application pool settings, please check this post out.

For a timeout issue related to the communication with database, please have a look at the steps in this post: The timeout period elapsed prior to obtaining a connection from the pool


How to Block an IP address in IIS using IP and Domain Restrictions?

While analyzing IIS logs, system admins may come across a specific IP address that is generating an unusual amount of traffic. If you think this is malicious activity, you can easily block the IP address using a built-in IIS feature.

Block an IP address in IIS Manager

Here are the high-level steps for blocking an IP address with the IP and Domain Restrictions module.

  1. Install “IP and Domain Restrictions” using Server Manager
  2. Close and reopen IIS Manager
  3. Click on the website. Go to “IP Address and Domain Restrictions”
  4. Add a Deny rule with the IP address
  5. Once you add the rule, the client with that IP address will see 403 Forbidden error
Add a Deny rule for the IP address you want to block

The user whose IP address is blocked will see “403 – Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied” message. If you want to change this message, check out this tutorial.

This is what the user sees if their IP is blocked

For other IP address related management activities in IIS, please check the related posts below.


Invalid length for a Base-64 char array or string

In a case I worked on, the error message “Invalid length for a Base-64 char array or string” was being logged by the application hundreds of times a day. There were no user-side issues, but the monitoring tool (DynaTrace) kept reporting this error.

Root Cause

To understand this error message, we should first understand how ASCII text is encoded to Base64. Long story short: each character of ASCII text is represented by 8 bits, while each character of a Base64 string represents only 6 bits. Because of this 8-bit to 6-bit conversion, padding characters (=) may need to be added to the end of the Base64 encoded string.

Invalid length for a Base-64 char array or string
Source: Wikipedia

Wikipedia explains this conversion very well with examples: Base64

The application throwing this error is probably using the Convert.FromBase64String method to decode the Base64 string. If you log the string somewhere when this exception is thrown, you can find out what is wrong with it. Even without looking at it, however, the issue is probably the length of the string, as the error message points out. The length of a Base-64 string should be a multiple of 4. If it isn’t, padding characters (=) should be added to the end.

More information about the method: FromBase64String

Solution for the “Invalid length for a Base-64 char array or string” error

Implement the code block below to check the string length and add padding characters if needed:

// Base64 produces 4 characters for every 3 bytes, so a valid string's length is a multiple of 4
int mod4 = encryptedtext.Length % 4;

// Restore the missing '=' padding before decoding
if (mod4 > 0)
{
  encryptedtext += new string('=', 4 - mod4);
}

byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);

You can also use HttpUtility.UrlDecode to solve this issue.

Still Seeing the Error?

The second most common root cause of Base-64 related errors is a space character in the encoded string (URL decoding turns the plus sign of a query-string value into a space). To solve this issue, replace each space with a plus (+) sign.

Sample code:

string stringToDecrypt = CypherText.Replace(" ", "+");
byte[] inputByteArray = Convert.FromBase64String(stringToDecrypt);
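As an added example (not code from the original post), here is a small PowerShell helper, ConvertFrom-LenientBase64 (a hypothetical name), that applies both fixes described above in the right order before calling the same .NET method the application uses, together with two constructed inputs that reproduce the two failure modes:

```powershell
# Added example, not from the original post. ConvertFrom-LenientBase64 is a hypothetical
# helper that applies both fixes the post describes before calling the same .NET method
# the application uses, System.Convert.FromBase64String.
function ConvertFrom-LenientBase64 {
    param([Parameter(Mandatory)][string] $Text)

    # Fix 2 first: URL decoding turns the '+' of a query-string value into a space.
    # FromBase64String skips whitespace silently, which is what makes the length wrong.
    # Do not Trim() here: a leading space is a lost '+' that must be restored, not dropped.
    $s = $Text.Replace(' ', '+')

    # Fix 1: Base64 emits 4 characters per 3 bytes, so a valid length is a multiple of 4.
    # A remainder of 1 can never be repaired by padding (at most two '=' are legal).
    $mod4 = $s.Length % 4
    if ($mod4 -eq 1) { throw "Not a Base64 string: length $($s.Length) cannot be padded" }
    if ($mod4 -gt 0) { $s += '=' * (4 - $mod4) }

    [Convert]::FromBase64String($s)
}

# Constructed samples that reproduce both failure modes.
$encoded  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('hello'))  # aGVsbG8=
$unpadded = $encoded.TrimEnd('=')                                              # aGVsbG8
$spaced   = [Convert]::ToBase64String([byte[]](0xFB, 0xFF)).Replace('+', ' ')  # "+/8=" arrives as " /8="

foreach ($sample in $unpadded, $spaced) {
    try   { [Convert]::FromBase64String($sample) | Out-Null; "raw decode ok: '$sample'" }
    catch { "raw decode failed: '$sample' -> $($_.Exception.Message)" }
    [byte[]] $bytes = ConvertFrom-LenientBase64 $sample
    "lenient decode: '$sample' -> $(($bytes | ForEach-Object { $_.ToString('x2') }) -join ' ')"
}
```

Both samples fail the raw decode with the “Invalid length for a Base-64 char array or string” message and decode correctly through the helper (68 65 6c 6c 6f and fb ff respectively).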

If you are receiving “400 Bad Request” message along with the Base64 error, check this post out: HTTP 400 Bad Request (Request header too long)
