Getting 401 errors when trying to use ASP.NET back end in load balanced environment (2 web servers). Windows log says:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Event time: 6/6/2012 10:34:27 AM
Event time (UTC): 6/6/2012 5:34:27 PM
Event ID: de68a535d53e4bdfb11ace24a97c63c9
Event sequence: 18
Event occurrence: 7
Event detail code: 50201
Machine key on both IIS applications configured to be same. What else can cause this problem?
As it turned out two web servers had slightly different set of windows patches installed. As soon as we installed all same patches on both of them - problem was solved.
Related
We are getting the following error on our web server. We are also observing a strange problem leading to a virtual shuttpown to our asp.net web application. It does not crash. It simply stops processing requests. this happen regardless of the load of the server. It happens periodically, sometime every 90 minutes or 2 hours. Sometime also when no one is logged on.
We are caching certain data in memory to minimize database round trips . Could this happen when the cache expires and need to be reloaded due to something not configured properly?
Event code: 4010
Event message: An unhandled security exception has occurred.
Event time: 21/05/2014 08:57:36
Event time (UTC): 21/05/2014 06:57:36
Event ID: 9106022293a944059cd7a35dbdc48024
Event sequence: 262
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/3/ROOT-1-130451258156698671
Trust level: Full
Application Virtual Path: /
Application Path: D:\FolderXXX\
Machine name: MachineXXXX
Process information:
Process ID: 6664
Process name: w3wp.exe
Account name: UserXXX
Request information:
Request URL:
Request path:
User host address:
User:
Is authenticated: False
Authentication Type:
Thread account name: UserXXX
Custom event details:
Yes, it could happen when the cache expires and needs to be reloaded again and the account has no rights. Either check how you reload cache and if account has rights or enable tracing for more information.
Read about similar issue at http://forums.asp.net/t/1629856.aspx
How to: Enable Tracing for an ASP.NET Application
We're seeing lots of events like these even though we have authentication set to "None":
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied was invalid.
Event time: 12/3/2013 12:50:06 PM
Event time (UTC): 12/3/2013 6:50:06 PM
Event ID: 9a0cc0c93a964b1c9bd7126dc367b09b
Event sequence: 163807
Event occurrence: 23853
Event detail code: 50201
Application information:
Application domain: /LM/W3SVC/1/ROOT/BG-4-130305700816025855
Trust level: Full
Application Virtual Path: /BG
Application Path: D:\inetpub\wwwroot\BG\
Machine name: ***
I even double-checked in IIS Manager at the site and server level and the GUI shows Forms Authentication set to Disabled.
This is using asp.net 4.0 running on Server 2008 R2. I tried adding a machineKey to machine.config just to test but it still fails. It doesn't seem like all requests are failing since I only see the error once a minute but I can't isolate which ones are failing. I even tried using Fiddler to send a bogus .ASPXAUTH cookie but I didn't see any new errors in the event log that match up with my request.
Anyone have any ideas?
Thanks,
tim
We have a standard ASP.NET MVC 3 website. From a few days ago some uses cannot login or recover password anymore.
When trying to login they get the following error:
Login failed. Please correct the errors and try again.
•The user name or password provided is incorrect.
When trying to recover password they get the following error:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
In the web server event viewer we see:
Event code: 4006
Event message: Membership credential verification failed.
Event time: 4/29/2013 4:22:16 AM
Event time (UTC): 4/29/2013 8:22:16 AM
Event ID: 2b0b4500be674969a5962608df7b18fd
Event sequence: 142
Event occurrence: 2
Event detail code: 0
If we try to register a new user afterward we can login and reset password without problems.
Why only some users get the issue above?
We checked many articles on the internet but explain only to solve this issue for all users, not only for some of them.
Thanks.
For some reason we where not getting the LockedOut exception but simply the "Invalid username or password" error. Now we will investigate on the reason.
On II7 we host a WCF/asp.net based API. In order to allow users of a classic asp application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in asp.net too, it points to the same assembly , its just the security layer is different to allow classic asp to authenticate. Transport level security is used as opposed to message based security.
When using a browser to load the service reference i can loading the svcutil.exe ... WDSL page.
When using my test asp page to call a web method from this reference i get the following returned:
Finished calling Web Service.
Status = Internal Server Error
ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.
The API was recently migrated , it would appear something has not been setup correctly but i am at a loss to explain what.
I can browse to the svcutil.exe ... WDSL service reference, when selecting it via the browser i get the expect XML response.
The USER NAME and password utilised work when using the non-classic asp publicaiton of the API using the message based secuirty.
Would it be possible to post some troubleshooting tip that may help diagnoise the issue please specifically regarding transport level security fault finding and setup ?
Thank you
Scott
EDITED TO ADD THE FOLLOWING UPDATE:
Attempted to use the Default App Pool and a new App Pool but same problem persists.
My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
IIS LOG shows:
v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (i.e iis 200)
/V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e iis error 500)
note: virtual dir defined on TRANSPORT and V3. V3 works ok using .net as opposed to classic asp to authenticate.
EVENT LOG:
The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.
This reference appears to suggest a fix but many of the DIR paths and references in "appcmd" dont exist.
_http://theether.net/kb/100127
REF http://theether.net/kb/100127
load cmd prompt
CD to C:\Windows\System32\inetsrv
enter: appcmd list config -section:system.webServer/asp
the following path is displayed: c:\inetpub\conf\temp\ASP compiled templates
check path exists (it does)
Check if the NETWORK SERVICE has permissions to access "ASP compiled templates" If not from appcmd execute;
icacls "c:\inetpub\conf\temp\ASP Compiled Templates" /grant "NETWORK SERVICE:(OI)(CI)(M)"
should read "sucessfully processed 1 files"
restarted app pool.
THE "InvalidSecurityAn error occurred when verifying security for the message" problem still persists but the "COULD NOT CREATE A DISK CACHE SUB-DIRECORY .... " error from the eventlog is no longer occurring.
Sorry another update. The network service permission change DID NOT resolve the issue , changeing to the DEFAULT APP POOL solved the problem.
Got a lead at last. Examined:
ServiceSecurityAudit set in service behaviour. Ref http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/#
IIS logs (simply shows the non-specific error 500.)
Fault tracing enabled( also shows error 500).
Custom errors were off
Friendly IE messages were off
Asp client side and server side debugging on
ProcessMon running , no errors.
Web.config httpErrors errorMode="Detailed" /> +
ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.
Follow up (17/08/11):
Service Security Audit documented here:
http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/
Was the key for us to resolve this issue. Uncovered the Object Reference Error which indicated out Business Objects and Data Access dlls were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was abolutely no indication of this error until Service Security Audit was enavled on the behaviour.config file in the WCF deployment.
I'm running IIS5.0 and I am trying to change the ASP.NET process account to my domain user account.
I have followed everything possible here.
When I browse the .svc file (this is a wcf service) I am getting this error:
Server Application Unavailable The
web application you are attempting to
access on this web server is currently
unavailable. Please hit the "Refresh"
button in your web browser to retry
your request.
Administrator Note: An error message
detailing the cause of this specific
request failure can be found in the
application event log of the web
server. Please review this log entry
to discover what caused this error to
occur.
Eventlog says:
aspnet_wp.exe could not be started.
The error code for the failure is
80070522. This error can be caused when the worker process account has
insufficient rights to read the .NET
Framework files. Please ensure that
the .NET Framework is correctly
installed and that the ACLs on the
installation directory allow access to
the configured account.
When I run the client, I get the following error:
The content type text/html;
charset=utf-8 of the response message
does not match the content type of the
binding (application/soap+xml;
charset=utf-8). If using a custom
encoder, be sure that the
IsContentTypeSupported method is
implemented properly. The first 872
bytes of the response were: '
From ASP.NET 2.0 onwards, the correct method to ensure that a user account has the correct rights to run as the worker process identity is to run this command:
aspnet_regiis -ga [account]
You need to run the aspnet_regiis command that matches the ASP.NET version you plan on running:
ASP.NET 2.0 -
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -ga [account]
ASP.NET 4.0 -
%SYSTEMROOT%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -ga [account]
If you put your Domain Account under IIS_WPG group, it should ideally work. If it doesn't work, there is a sure shot way of fixing it.
In IIS 6... step 1 is applicable... since you are on IIS 5, ignore step 1
Run it with Local System to begin with. If the applications runs, it means your IIS is configured well and you can proceed with the step 2.
Change the account to your domain account, and ensure that you have put the account in IIS_WPG as well. After that, run the tool called Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
Browse the application now. If you still get the error, switch to the Process Monitor and stop capture [menu option].
Search for Access denied and fix it. Link