I'm getting the following error randomly, sometimes works, but sometimes it fails:
Unable to make the session state request to the session state server.
Please ensure that the ASP.NET State service is started and that the
client and server ports are the same. If the server is on a remote
machine, please ensure that it accepts remote requests by checking the
value of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection.
If the server is on the local machine, and if the before mentioned
registry value does not exist or is set to 0, then the state server
connection string must use either 'localhost' or '127.0.0.1' as the
server name.
My sessionState configuration in the Web.config is the following:
<sessionState cookieless="UseCookies" mode="StateServer" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" stateConnectionString="tcpip=127.0.0.1:42424" timeout="20" />
I have double-checked that the ASP.NET state server is up & running. Also I've checked that the ASP.NET state server is running on port 42424. In fact, sometimes work. My IIS application pool is .NET 4 integrated pipeline.
I have also checked this article from Microsoft, that suggest to increase the stateNetworkTimeout. But seems not to be a good solution for me since the server is not under heavy load.
When I go to the event viewer, I see the following warnings:
Event code: 3009
Event message: Unable to make the session state request to the session state server. Details: last phase='Sending request to the state server', error code=0x80072749, size of outgoing data=0
Event time: 8/27/2014 4:38:04 PM
Event time (UTC): 8/27/2014 2:38:04 PM
Event ID: 848eadc753cf4e99aee72824d1d7fc85
Event sequence: 239
Event occurrence: 12
Event detail code: 50016
Application information:
Application domain: /LM/W3SVC/2/ROOT/download-7-130536222982810000
Trust level: Full
Application Virtual Path: /download
Application Path: C:\inetpub\vhosts\plasticscm.com\httpdocs\download\
Machine name: main
Process information:
Process ID: 4124
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: HttpException
Exception message: Unable to make the session state request to the session state server. Please ensure that the ASP.NET State service is started and that the client and server ports are the same. If the server is on a remote machine, please ensure that it accepts remote requests by checking the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection. If the server is on the local machine, and if the before mentioned registry value does not exist or is set to 0, then the state server connection string must use either 'localhost' or '127.0.0.1' as the server name.
What things can I do to further investigate this?
Related
I have an issue I have been working on for a couple of weeks that has me stumped.
We are moving our dev environments from on premises to AWS EC2 instances, including our IIS server. This hosts a number of webservices, ASP.Net and .Net Core intranet applications.
The majority of these use Windows Authentication, and none are outside world facing.
Some of the applications work fine in both environments, but a number of them work in the on premises environment but not in the AWS environment and I either get a windows authentication pop up, or a 401 (unauthorized) "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'".
All of the applications run under a specific domain account with delegation privileges, and there is an SPN set up for that account to the SQL server that hosts the various application databases (also in AWS).
Under providers all applications have Negotiate first, then NTLM.
Most of the applications have only Windows Authentication enabled, some have ASP.Net impersonation
enabled as well but there is no correlation with those have this set and that work and those that don't.
I tried setting DisableStrictNameChecking per this post: Unable to get windows authentication to work through local IIS
Other SO posts I have read:
ASP.net kerberos dropping down to NTLM sporadically
Add a Kerberos authentication to existing WebService in asp.net c#
WCF service access from client application when user is behind proxy
Error: The remote server returned an error: (401) Unauthorized
Many Web Service calls caused 401 Unauthorized response randomly
(401) Unauthorized error : WCF security/binding
One of the apps had the below sections in the web.config:
<system.web>
<authorization>
<allow users="*" />
<!-- Allowing all users. If the users dont have access then they see this page.. -->
</authorization>
</system.web>
</location>
<system.web>
<compilation targetFramework="4.7" />
<authentication mode="Windows" />
<identity impersonate="true" />
<customErrors mode="Off" />
<authorization>
<allow roles="XXXX\Development/>
<deny users="*" />
</authorization>
</system.web>
This app worked in AWS, and I got to the NoAccess.aspx page (I am not a member of the Development AD group). I then removed "location path" section of the config, restarted the app pool and got a login prompt (as expected).
When I added that section back in and restarted the app pool I no longer reach that page, just get an immediate 401 error with "The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'".
Anyone have any ideas why this happens? I can't find a common tread between those apps that work and those that don't.
I turned on enhanced logging, and have seen the below warnings when running one of the apps that does not work. Interesting it shows I am authenticated (and I have rights to run that app).
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 6/8/2021 12:09:45 PM
Event time (UTC): 6/8/2021 12:09:45 AM
Event ID: fd6819aa0e4e4011a54d98790112c2f8
Event sequence: 8
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/3/ROOT/ContactManagementApp-1-132675845823847857
Trust level: Full
Application Virtual Path: /ContactManagementApp
Application Path: D:\Applications\ContactManagementApp\
Machine name: SRV123
Process information:
Process ID: 1224
Process name: w3wp.exe
Account name: DOMAIN\SRV123-iis
Exception information:
Exception type: WebException
Exception message: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
Request information:
Request URL: http://SRV123/ContactManagementApp/contact.aspx
Request path: /ContactManagementApp/contact.aspx
User host address: 123.123.123.123
User: DOMAIN\userName
Is authenticated: True
Authentication Type: Negotiate
Thread account name: DOMAIN\SRV123-iis
Thread information:
Thread ID: 7
Thread account name: DOMAIN\SRV123-iis
Is impersonating: False
Stack trace: at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
Custom event details:
Any ideas what I need to look at for this? Could there be a timeout issue with kerberos?
I managed to fix this by setting up a Read Only Domain Controller in AWS. Working theory is that there is some sort of timeout issue with kerberos when talking back to the on premises DC's.
Unable to process more than one MB file by ASMX Service even though the file limit set upto 10 MB. Getting the following exception:
Event code: 3001
Event message: The request has been aborted.
Event time: 10/1/2019 8:58:14 AM
Event time (UTC): 10/1/2019 6:58:14 AM
Event ID: cb5b16e465ee4a0cb4885c8e8fdddfrd
Event sequence: 982
Event occurrence: 35
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/3/ROOT-1-132143473094866215
Trust level: Full
Application Virtual Path: /
Process information:
Process ID: 22352
Process name: w3wp.exe
Exception information:
Exception type: HttpException
Exception message: Request timed out
Thank You.
The reason for the warning is that the execution time exceeds the currently set ASP.NET request execution timeout value.
You need to increase the execution time out value.
set below code in your web.config file:
<system.web>
<httpRuntime executionTimeout="180" />
</system.web>
also increase iis site connection time out value.
Open your IIS, right-click on your site name.
Then open property "Manage Web Site".
Then click on "Advanced Settings".
Expand the "Limits" section,you can set your "connection
time out".
after doing changes restart the iis server.
I am deploying a version of my website which I have developed AppFabric integration into, instead of using the ASP.NET Memory Cache (we're going to load balance a few web servers, so need distributed caching as opposed to local RAM caching).
Locally, I have AppFabric 1.1 installed, and my website communicates with it over 'localhost' (AppFabric installed on the same computer as the website runs out).
<dataCacheClient>
<hosts>
<host name="localhost" cachePort="22233" />
</hosts>
<securityProperties mode="None" protectionLevel="None" />
</dataCacheClient>
When I deploy this site to one of the test servers in our hosting environment (with AppFabric 1.1 also installed locally on that server), the site in IIS immediately fails, in under one second. If I stop IIS and then start it again, and then refresh the page locally, I get the IIS generic "HTTP Error 500.0 - Internal Server Error" in 800ms. This surprised me - I thought the site would be spinning up ASP.NET stuff and not actually running "user code" in that quick of a time.
So all the site's data access has changed to the pattern of, "check AppFabric for object, if it doesn't exist, retrieve from DB & store inside AppFabric" - so it seems
If I deploy a version of the site to the exact same folder, with all of the AppFabric caching changed to use the in-memory ASP.NET cache, then the site loads with no issues, so the problem is 100% related to AppFabric.
There is no exception logged, I simply see the generic "HTTP 500.0 Internal Server Error" message. If I check the Event Viewer then I can see an exception logged:
Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 01/12/2017 12:37:19
Event time (UTC): 01/12/2017 12:37:19
Event ID: 84321f68413340daaf0badf122ceed87
Event sequence: 4
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT-3-131566054392620836
Trust level: Full
Application Virtual Path: /
Application Path: ..\..\..\..httpdocs-shared-cache\
Machine name: machine
Process information:
Process ID: 26752
Process name: w3wp.exe
Account name: -
Request information:
Request URL: https://localhost:443/Index.aspx
Request path: /Index.aspx
User host address: ::1
User:
Is authenticated: False
Authentication Type:
Thread account name: -
Custom event details:
There is no stacktrace to show WHERE the failure is occurring.
I have configured AppFabric's security like this (as a test) - and as shown in the web.config, we talk to AppFabric with 'None' for both security mode & protection level.
Set-CacheClusterSecurity -SecurityMode None -ProtectionLevel None
I have hit a brick wall with this and am not sure where else to turn. I tried to install AppFabric 1.0 on the server but it is no longer supported on Windows 2016.
Locally I am using AppFabric 1.1 and am running on Windows 10. As stated, if I deploy the exact same codebase, just with AppFabric communication replaces with .NET memory cache then the site loads okay on the server, which is why I'm convinced it's related to AppFabric.
Does anyone have any pointers as to where I can start to look into this further? I tried
Turns out, ELMAH was catching the exception and still creating the XML log file. This pointed me towards 'Access to the 'global' registry key is denied' - you have to add the application pool user to the 'performance log' and 'performance monitor' user groups.
In short it seems that ASP.NET fails to read encrypted connection string for session state if connection string is long enough.
Here are details:
We are upgrading simultaneously to Windows Server 2008 and ASP.NET 4 and can't set up our dev environment. We store our session state in SQL Server and have corresponding configuration in web.config
<sessionState mode="SQLServer" sqlConnectionString="registry:HKLM\Software\SomeAppName\SessionState\ASPNET_SETREG,sqlConnectionString" cookieless="false" timeout="640" allowCustomSqlDatabase="true" />
We created entry in registry with
aspnet_setreg.exe -k:Software\SomeAppName\SessionState -c:"data source=SomeSqlServer\INST3;initial Catalog=AspStateDb;user id=some-user;password=some-password"
and copied it from WOW6432NODE to proper place and applied proper permissions (gave Full Control to NETWORK_SERVICES to whole subtree HKLM\Software\SomeAppName).
And this is where weird things starts. When we try to open the application in browser we get "Error reading configuration information from the registry." error pointing to sesssionState configuration. Here are details from the EventViewer
Event code: 3008
Event message: A configuration error has occurred.
Event time: 9/8/2011 7:32:02 AM
Event time (UTC): 9/8/2011 2:32:02 PM
Event ID: 6e68be241c3d4105a0dec4de7b3724d0
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/blah-blah-blah
Trust level: Full
Application Virtual Path: /SomeAppName
Application Path: C:\inetpub\wwwroot\SomeAppName
Machine name: SomeWebServer
Process information:
Process ID: 4044
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: ConfigurationErrorsException
Exception message: Error reading configuration information from the registry. (C:\inetpub\wwwroot\SomeAppName\web.config line 89)
Request information:
Request URL: http://SomeWebServer/SomeAppName/default.aspx
Request path: /SomeAppName/default.aspx
User host address: 10.X.X.X
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 3
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.Configuration.ConfigsHelper.GetRegistryStringAttribute(String& val, ConfigurationElement config, String propName)
at System.Web.SessionState.SqlSessionStateStore.OneTimeInit()
at System.Web.SessionState.SqlSessionStateStore.Initialize(String name, NameValueCollection config)
at System.Web.SessionState.SqlSessionStateStore.Initialize(String name, NameValueCollection config, IPartitionResolver partitionResolver)
at System.Web.SessionState.SessionStateModule.InitModuleFromConfig(HttpApplication app, SessionStateSection config)
at System.Web.SessionState.SessionStateModule.Init(HttpApplication app)
at System.Web.HttpApplication.InitModulesCommon()
at System.Web.HttpApplication.InitInternal(HttpContext context, HttpApplicationState state, MethodInfo[] handlers)
at System.Web.HttpApplicationFactory.GetNormalApplicationInstance(HttpContext context)
at System.Web.HttpApplicationFactory.GetApplicationInstance(HttpContext context)
at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
The weird thing is that this error seems to be dependent on the length of the sql connection string content. We used SysInternals ProcMon and see that w3wp.exe actually does successfully read the registry key. The only difference between "working" and "not working" seems to be that in working case w3wp.exe reads it in one attempt while in "not working" first attempt fails with buffer overflow (might be totally unrelated but looks suspicious).
Our current solution is as weird as behavior we see: we explicitly added entry to the hosts file to make shorter alias for the "SomeSqlServer" as just "s" (one character). This seems to reduce connection string enough to make it work. However it is not clear what happens and why this helps at all.
Our "not-working" connection string is about 90 characters long. The "working" one is less than 80. We didn't spend time to find exact edge.
We also tried to shorten connection string in the registry (set with aspnet_setreg.exe) in other ways:
We temporary created a SQL Server user "a" with password "a" and use him in connection string. This also seems to "fix" the issue.
We put wrong 1 character-long password for existing user into the connection string and error expectedly changed to failure to log into SQL Server.
We put plainly wrong (but short) connection string and error changed to something about bad string format.
Every evidence we have now points us that there is something wrong with relatively long encrypted connection strings in registry but it is not clear what and why. And why we don't have anything like this in our previous environment (Windows Server 2003 + ASP.NET 2.0)? Actually it is quite hard to believe in such a strange bug but we have no other ideas for now.
Has anybody seen anything like this before? Do you have any suggestions? It is hard to google this error because there are a log of similar complains that are fixed by given proper permissions in registry but we are quite sure that this is not our case.
It is not clear what was this. We can't reproduce it anymore. The best explanation we have for now is that we somehow managed to mess up with permissions.
I have an ASP.NET application that executes a WMI call to a remote system. The application Web.config contains <identity impersonate="true"> and <authentication mode="Windows"> options which, as I understand, should force the application code to be executed on behalf of the application user.
The problem is that I get "Access is denied" error, despite the fact I can successfully execute the my WMI request from PowerShell console on the same host under the same user to the remote server in question.
// this doesn't work
ManagementScope scope = new ManagementScope();
scope.Path.NamespacePath = "root\\virtualization";
scope.Path.Server = "vs01";
scope.Connect(); // <-- here comes exception
# this works just fine
Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem -ComputerName vs01
Dumping HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, System.Threading.Thread.CurrentPrincipal.Identity.Name properties suggest that impersonation works as expected.
Ideas? Could the issue be some kind of .NET or IIS security?
You need to have a domain administrator enable Delegation for your web server machine. This is a security feature of Kerberos. By default an intermediate server (in this case your web server) is not allowed to pass the impersonation context of a client to the remote server unless it has been given Delegation permission. If you don't do this the remote target server will see the request coming in as Anonymous User... which if its properly secured will be denied access.
Note its a common policy to only allow an intermediate server to delegate to specific target servers (called constrained delegation), so if your web app needs to be able to call WMI on any server in your network you may have problem. Talk to your domain admin.