I'm developing a website for a client of ours and have been having a nagging issue for weeks. The problem is intermittent and might happen twice in a day or once in 2 weeks.
When it happens, the client will start getting 401.3 "Unauthorized" errors when trying to load static script or style tags on the page. It's always a .css or .js file that gets denied and setting <modules runAllManagedModulesForAllRequests="false" /> hasn't fixed the problem. When the problem happens it effectively blocks the file until the application pool is restarted.
The site is using Forms Authentication with the stock "AspNetSqlMembershipProvider". The site has protected files in an /Accounts folder, styles in /Styles, and scripts in /Scripts. The site has anonymous access enabled and has a separate web.config in the /Accounts folder which denies access to anonymous users (though that shouldn't even matter with runAllManagedModulesForAllRequests=false).
I've looked through the event logs and I see this:
2012-06-06 14:23:32 [ipaddress] GET /subfolder/Styles/Site.css ver=11 443 - [ipaddress] Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:12.0)+Gecko/20100101+Firefox/12.0 https://thesitename.net/subfolder/Account/Login.aspx 401 3 5 1493 429 62
Sometimes after a short period of time it fixes itself or if I restart the application pool I get this:
2012-06-06 14:30:30 [ipaddress] GET /subfolder/Styles/Site.css ver=11 443 - [ipaddress] Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:12.0)+Gecko/20100101+Firefox/12.0 https://thesitename.net/subfolder/Account/Login.aspx 200 0 0 2533 455 78
I finally got the hosting provider to enable failed request tracing and finally got a trace of the error:
Every failed request tracing file I got this time said the failure happens right after the "FILE_CACHE_ACCESS_END" event. What is this event doing and why would access be denied?
EDIT:
You should probably try following the "failed request tracing" instructions here. The error is almost certainly NTFS permissions related.
Looks like you are getting a Win32 "path not found" error in the problem line (the 3 right after the HTTP status code, field sc-win32-status).
Are these files on a network share? It looks like there might be some connectivity issues between the web server and the drive hosting these files. This might be in the form of an authorization error for the IIS user when attempting to read those files, which would explain the 401 error.
W3C Extended Log File Format (IIS 6.0) here: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true
Win32 status codes here: http://msdn.microsoft.com/en-us/library/ms681382.aspx
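An added example (not part of the original posts) that reads the status fields of the log entries quoted in the question and reports how long each static file stayed blocked. The #Fields line is an assumption about the site's logging layout; the two entries are the ones from the question, and the function and constant names are illustrative.

```python
from datetime import datetime

# Win32 error codes relevant here (from the Win32 system error code list).
WIN32 = {0: "ERROR_SUCCESS", 2: "ERROR_FILE_NOT_FOUND",
         3: "ERROR_PATH_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}
STATIC_EXT = (".css", ".js")

# Constructed sample: the #Fields directive is an assumed layout; the two
# entries are quoted from the question, keeping its [ipaddress] placeholders.
SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-06-06 14:23:32 [ipaddress] GET /subfolder/Styles/Site.css ver=11 443 - [ipaddress] Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:12.0)+Gecko/20100101+Firefox/12.0 https://thesitename.net/subfolder/Account/Login.aspx 401 3 5 1493 429 62
2012-06-06 14:30:30 [ipaddress] GET /subfolder/Styles/Site.css ver=11 443 - [ipaddress] Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:12.0)+Gecko/20100101+Firefox/12.0 https://thesitename.net/subfolder/Account/Login.aspx 200 0 0 2533 455 78
"""

def parse(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def failure_windows(records):
    """Return (uri, status, first_401, recovered_at, win32_name) per outage."""
    open_, done = {}, []
    for r in records:
        uri = r["cs-uri-stem"]
        if not uri.lower().endswith(STATIC_EXT):
            continue
        when = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        status = int(r["sc-status"])
        if status == 401 and uri not in open_:
            code = int(r["sc-win32-status"])
            open_[uri] = (when, r["sc-substatus"], WIN32.get(code, str(code)))
        elif status == 200 and uri in open_:
            start, sub, name = open_.pop(uri)
            done.append((uri, "401." + sub, start, when, name))
    # Files that never recovered within the log get None as recovery time.
    done += [(u, "401." + s, t, None, n) for u, (t, s, n) in open_.items()]
    return done

if __name__ == "__main__":
    for window in failure_windows(parse(SAMPLE)):
        print(window)
```

The start and end of each window can then be lined up against application pool recycle times in the event log.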
I would look into the reason for that error in the health monitoring logs (event code 3005: System.Data.Linq.ChangeConflictException) before anything else. If your problems start to occur after this error, then there is a good chance that eliminating this error will resolve your problems.
Here are some pages that discuss this error and might be of help to understand the error and how to fix it:
http://blogs.microsoft.co.il/blogs/bursteg/archive/2007/11/25/linq-to-sql-concurrency-changeconflictexception-row-not-found-or-changed.aspx
http://sebastienlachance.com/post/SystemDataLinqChangeConflictException-Row-not-found-or-changed.aspx
http://weblogs.asp.net/okloeten/archive/2008/04/28/6139181.aspx
I've been struggling with this error for a long time.
One of the strange causes of this error is when the resources (files or folders) are in a share (SMB share) with limited or no access rights to "everyone". This overrides the rights you may specifically add to the folder or files and causes a 401.3 error for anonymous access.
Related
Does anyone have any idea? I’ve been struggling with this for some time.
I'm using SignalR (ASP.NET 5). When I try to debug locally (IIS 10.0 Express) everything is working fine. SignalR is working (long poll).
Now when I publish the app to Azure I can access: .azurewebsites.net/signalr/hubs
but I cannot access .azurewebsites.net/signalr/hubs/negotiate
it returns:
The specified CGI application encountered an error and the server terminated the process.
When my web app calls $.connection.hub.start() it will fail.
GET XHR http://xxxx.azurewebsites.net/signalr/negotiate [HTTP/1.1 502 Bad Gateway]
I’m running out of ideas. Don't know how I can get more debug information.
Small selection of my ‘already tried’ list:
Set $.connection.hub.url path manually to http://xxxx.azurewebsites.net/signalr/
Enable/Disable websockets
Removed forwardWindowsAuthToken from the web.config httpPlatform
EDIT:
Now getting more details on this error:
CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating.
Still absolutely no idea how to solve this!
Solved by using appBuilder.UseAesDataProtectorProvider();
(from Owin.Security.AesDataProtectorProvider;)
I have no idea if this is the best solution.
I have 2 buckets for my application:
- gambify-dev-devil ( for development)
- gambify-prod (for production)
I have set them up absolutely identically, but for my production I have issues accessing some resources. My production environment is a pagodabox. I use Gaufrette, LiipImagine and Vichuploader for my file handling. The issue I have is that in my production environment it seems that either my application requests the wrong resources or that there is an access issue, because I have a lot of logs indicating an AccessDenied error within my bucket:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>D90C05F182C91003</RequestId>
<HostId>
i7SkwNCbyUnCCBCnkyyrv7x9pOLGtr4sUgqWYkJMqk0X0lXYIW5zeu4688FCqBiA
</HostId>
</Error>
In order to investigate this issue further (I really have no idea where it is coming from because it's working fine in every other environment, and in production it was also working fine 2 weeks ago), I would like to see which resource was requested. Is there a chance to find the URL that was requested, or who tried to request what, that caused this issue? Because if I provide a correct path to an existing resource the bucket works fine:
e.g: https://s3-eu-west-1.amazonaws.com/gambify-prod/profile/default.png
Update:
Now I found the real error message that is causing me problems:
04fadbab7a82c23143855d5c918e1ba8fa32ef1d622c00a3daa9fcdc6daf5d90
gambify-prod [05/Aug/2013:19:03:57 +0000] 173.193.185.250 -
133EF43443891C63 REST.HEAD.OBJECT
profile_thumb_small/51e9a03453c80.jpeg "HEAD
/profile_thumb_small/51e9a03453c80.jpeg HTTP/1.1" 403
SignatureDoesNotMatch 1015 - 7 -
"https://gambify-prod.s3.amazonaws.com/profile_thumb_small/51e9a03453c80.jpeg"
"aws-sdk-php/1.5.17.1 PHP/5.3.23 Linux/2.6.32-042stab068.8 Arch/x86_64
SAPI/fpm-fcgi Integer/9223372036854775807 Build/20121126140000
simplexml/0.1 json/1.2.1 pcre/8.31 spl/0.2 curl/7.19.7 openssl/0.9.8k
apc/3.1.9 pdo/1.0.4dev pdo_sqlite/1.0.1 sqlite/2.0-dev sqlite3/0.7-dev
zlib/1.1 memory_limit/200M date.timezone/Europe.Berlin
open_basedir/off safe_mode/off zend.enable_gc/on" -
I still have no idea what is causing the initial issue.
Moved the discussion about the signature error to: Amazon S3 signature not working with SDK
If you haven't already done so, you can configure your production bucket to keep a log of all the requests made against it, similar to an Apache or other web server access log.
http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Once you have logging enabled, you will be able to find out the URL of the request, who requested it and when it was requested.
Update:
If an AccessDenied error is returned when trying to access the S3 server log files through the API or the AWS console, the problem is caused by missing permissions (ACLs) on the log files.
To access those log files, the Open/Download permission should be granted for the user that owns them. Having a bucket policy with public read enabled is not enough to get access to the server log files.
More details on the issue are available in the comments below.
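An added example (not part of the original answer) of pulling "which URL, who, and when" out of S3 server access log entries, grouped by error code. The sample lines are constructed: the first is abridged from the entry quoted in the question with the owner ID and client address replaced by placeholders, the other two are invented for contrast; function names are illustrative.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log entry, in documented order.
FIELDS = ["owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code",
          "bytes_sent", "object_size", "total_time", "turnaround_time",
          "referer", "user_agent", "version_id"]
# A token is a [bracketed time], a "quoted string", or a bare word.
TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

# Constructed sample entries (placeholders for owner ID and client address).
SAMPLE = """\
OWNER-ID-PLACEHOLDER gambify-prod [05/Aug/2013:19:03:57 +0000] 203.0.113.10 - 133EF43443891C63 REST.HEAD.OBJECT profile_thumb_small/51e9a03453c80.jpeg "HEAD /profile_thumb_small/51e9a03453c80.jpeg HTTP/1.1" 403 SignatureDoesNotMatch 1015 - 7 - "-" "aws-sdk-php/1.5.17.1" -
OWNER-ID-PLACEHOLDER gambify-prod [05/Aug/2013:19:04:10 +0000] 203.0.113.10 - REQID-CONSTRUCTED-2 REST.GET.OBJECT profile/default.png "GET /profile/default.png HTTP/1.1" 200 - 2048 2048 12 11 "-" "Mozilla/5.0" -
OWNER-ID-PLACEHOLDER gambify-prod [05/Aug/2013:19:05:02 +0000] 203.0.113.77 - REQID-CONSTRUCTED-3 REST.GET.OBJECT profile_thumb_small/constructed-example.jpeg "GET /profile_thumb_small/constructed-example.jpeg HTTP/1.1" 403 AccessDenied 231 - 5 - "-" "Mozilla/5.0" -
"""

def parse_entry(line):
    """Split one entry into named fields; extra trailing fields are ignored."""
    tokens = [m.group(m.lastindex) for m in TOKEN.finditer(line)]
    return dict(zip(FIELDS, tokens))

def denied_requests(text):
    """Map error code -> [(time, remote_ip, requester, operation, key)]."""
    by_error = defaultdict(list)
    for line in text.splitlines():
        e = parse_entry(line)
        status = e.get("status", "")
        if status.isdigit() and int(status) >= 400:
            # requester "-" means the request carried no authenticated identity
            by_error[e["error_code"]].append(
                (e["time"], e["remote_ip"], e["requester"],
                 e["operation"], e["key"]))
    return dict(by_error)

if __name__ == "__main__":
    for code, hits in denied_requests(SAMPLE).items():
        print(code, hits)
```

Separating SignatureDoesNotMatch from AccessDenied this way shows whether the failures come from request signing or from object permissions.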
These look like responses that S3 sends back when the ACL/Grant permissions aren't set correctly. I'd check those first. If your bucket is behind a CloudFront distribution, make sure you invalidate the CloudFront cache as well.
asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on authenticated user, and returns the role. This, in turn, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it, here's some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However for external apps this isn't always the case, since your home Windows account and work windows account aren't the same, in addition you may not even be using windows from the external location.
Another gotcha I came across is the local loopback address security check when you set up a DEV instance and modify the hosts file to use a Fully Qualified Domain Name (FQDN), or simply when you browse an IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers, it is a problem when setting up developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.
I have a very weird behavior from Coldfusion 8 and IIS 7.
On the IIS, a site is declared and one of the subdirectories is a virtual directory pointing to a local filesystem. Everything is working except for a subdirectory. All of a sudden, I get an error 403 Access Denied as soon as I try to access a subfolder.
I place a simple CFM page to make my tests:
<html>
<head>
</head>
<body>
<cfoutput>Test</cfoutput>
</body>
</html>
This request works: http://myserver/vDir/fckeditor/editor/test.cfm
While this one triggers a 403: http://myserver/vDir/fckeditor/editor/filemanager/test.cfm
I checked the following and could not find any difference:
NTFS rights -> same on both directories. The user running the
ColdFusion service has 'Full Control'
IIS Authentication -> same on both folders
Authorization Rules -> same on both folders
Handler Mappings -> same on both folders
I turned on the Failed Request Tracing and added a rule to capture the event. It appears that the wildcard Coldfusion ISAPI filter is actually throwing the exception:
CALL_ISAPI_EXTENSION:
DllName ColdfusionInstallationPath\runtime\lib\wsconfig\1\jrun_iis6_wildcard.dll
MODULE_SET_RESPONSE_ERROR_STATUS:
ModuleName IsapiModule
Notification 128
HttpStatus 403
HttpReason Access denied.
HttpSubStatus 0
ErrorCode 0
ConfigExceptionInfo Notification
EXECUTE_REQUEST_HANDLER ErrorCode The operation completed successfully. (0x0)
Does anyone have a clue on how to solve this?
P.S. this post is cross-posted on ServerFault at https://serverfault.com/questions/307204/error-403-while-getting-cfm-page
This is definitely an IIS 7/7.5 issue - try modifying permissions on the whole folder - you might need to restart IIS just in case the permissions need to be applied.
On IIS7 we host a WCF/asp.net based API. In order to allow users of a classic asp application to connect to the API we had to publish a version we refer to as "transport". This Transport version is written in asp.net too; it points to the same assembly, it's just that the security layer is different to allow classic asp to authenticate. Transport level security is used as opposed to message based security.
When using a browser to load the service reference I can load the svcutil.exe ... WSDL page.
When using my test asp page to call a web method from this reference i get the following returned:
Finished calling Web Service.
Status = Internal Server Error
ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
This suggests that the authentication is failing. When testing using asp.net or the application WCF storm to contact the normal API everything works well.
The API was recently migrated; it would appear something has not been set up correctly but I am at a loss to explain what.
I can browse to the svcutil.exe ... WSDL service reference; when selecting it via the browser I get the expected XML response.
The user name and password utilised work when using the non-classic asp publication of the API using the message based security.
Would it be possible to post some troubleshooting tips that may help diagnose the issue, please, specifically regarding transport level security fault finding and setup?
Thank you
Scott
EDITED TO ADD THE FOLLOWING UPDATE:
Attempted to use the Default App Pool and a new App Pool but same problem persists.
My test page error: ResponseText = a:InvalidSecurityAn error occurred when verifying security for the message.
IIS LOG shows:
v3/transport/testclassicasptransportwcfservice.asp ( 200 0 0 ) (i.e iis 200)
/V3/Transport/DeviceService.svc/DeviceService (500 0 0) (i.e iis error 500)
note: virtual dir defined on TRANSPORT and V3. V3 works ok using .net as opposed to classic asp to authenticate.
EVENT LOG:
The Template Persistent Cache initialization failed for Application Pool 'transport' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes.
This reference appears to suggest a fix but many of the DIR paths and references in "appcmd" don't exist.
REF http://theether.net/kb/100127
load cmd prompt
CD to C:\Windows\System32\inetsrv
enter: appcmd list config -section:system.webServer/asp
the following path is displayed: c:\inetpub\conf\temp\ASP compiled templates
check path exists (it does)
Check if the NETWORK SERVICE has permissions to access "ASP compiled templates" If not from appcmd execute;
icacls "c:\inetpub\conf\temp\ASP Compiled Templates" /grant "NETWORK SERVICE:(OI)(CI)(M)"
should read "successfully processed 1 files"
restarted app pool.
THE "InvalidSecurityAn error occurred when verifying security for the message" problem still persists but the "COULD NOT CREATE A DISK CACHE SUB-DIRECTORY .... " error from the eventlog is no longer occurring.
Sorry, another update. The network service permission change DID NOT resolve the issue; changing to the DEFAULT APP POOL solved the problem.
Got a lead at last. Examined:
ServiceSecurityAudit set in service behaviour. Ref http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/#
IIS logs (simply shows the non-specific error 500.)
Fault tracing enabled( also shows error 500).
Custom errors were off
Friendly IE messages were off
Asp client side and server side debugging on
ProcessMon running , no errors.
Web.config httpErrors errorMode="Detailed" /> +
ServiceSecurityAudit found me an "Object reference not set to an instance of an object" so sounds like our app has a bug.
Follow up (17/08/11):
Service Security Audit documented here:
http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/
Was the key for us to resolve this issue. Uncovered the Object Reference Error which indicated our Business Objects and Data Access dlls were out of alignment. Using CLASSIC ASP to contact the WCF.NET API using TRANSPORT AUTHENTICATION there was absolutely no indication of this error until Service Security Audit was enabled on the behaviour.config file in the WCF deployment.