Setting IIS7 Site Session State to State Server with MSbuild Extension Pack - iis-7

Is there any way to choose the Session State Mode to be "State Server" when using MSBuild Extension Pack? I browsed the source code but there is no reference to state management.
Also, if anyone knows how to do this with the Extension Pack WMI that would be great too. I tried all kinds of queries and methods but couldn't come up with a way of talking to IIS through WMI to set SessionStateSection.Mode property "StateServer" flag as stated in MSDN.
Thanks...!

Related

How do I properly instantiate 32-bit COM objects in classic ASP after installing Windows Update KB4340558?

On Windows Server 2012 R2, after installing update KB4340558 (update history) / KB4338424 (installed updates) we can no longer instantiate .NET .DLLs (interop) in classic ASP in 32-bit mode using server.createobject. We receive the error 0x800A01AD "ActiveX component can't create object"
When we uninstall the update, the error disappears. Despite my best efforts, I was unable to find an alternate solution to uninstalling. We would prefer to reinstall the update and make whatever changes were necessary to Windows Server and/or the DLLs to allow the COM objects to be instantiated properly. There are no clues in the system logs, no clues in the CVE database, and no clues in the errors ASP is generating. Please help!
We were affected with multiple customers too.
I ruled out invalid strong-name signing of our assemblies, since the .NET Assemblies from the Framework itself were affected by that access-denied error too.
Finally I managed to solve the issue by configuration.
Apparently the authenticating identity of the website has now to match the identity of the app-pool. Or IUSR has no longer enough permissions.
EDIT: 19.07.2018
Warning! This change also has a side-effect:
The asp-classic event "Session_OnEnd" was no longer called and therefore resources eventually could no longer be freed.
But there is a fix for that, too!
The ASP-Config-Property "system.webServer/asp/runOnEndAnonymously" has to be "false", then the event fires again.
EDIT 2: 23.07.2018
As Dijkgraaf pointed out, Microsoft now considers this "new behaviour" a bug. So I guess my "solution" should now be considered a workaround until a new patch comes to rescue.
We run our application pool under a specific identity, to enable a network share and database access. I too thought we were stuck after reading @keydon's answer above.
However, there are three places that we must configure the identity:
The Application Pool - should use the specific identity
The Website "Connect As" - should use the "Application pool identity"
The Anonymous Authentication option, under the Authentication feature - should use "Application pool identity"
That last one was the thing that we were missing - years of considering only the first two meant that we mis-read the great advice above.
Microsoft is aware of the issue and the relevant KB is "Access Denied" errors and applications with COM activation fail after installing July 2018 Security and Quality Rollup updates for .NET Framework
This has impacted BizTalk, SharePoint, IIS with classic ASP and .NET application that uses impersonation.
Workarounds for Classic ASP are as follows
IIS Hosted Classic ASP calling CreateObject for .NET COM objects may receive an "ActiveX component can't create object" error:
If your web site uses Anonymous Authentication: Change the Web Site Anonymous Authentication credentials to use the "Application pool identity".
If your site uses Basic Authentication or Windows Authentication: Log into the application once as the application pool identity, then create an instance of the .NET COM component.
Afterwards other site users will be able to activate the .NET COM component without the failure.
Alternatively, if you are using Windows Authentication and accessing the web site from the console of the Windows Server where the ASP application runs: Creating an instance of the .NET COM component also resolves the error for other site users.
We support a Classic ASP site running in IIS Anonymous Authentication. The application instantiates a DLL .NET object exposed as COM visible.
After applying recent Windows security updates and rebooting the OS, our application crashed with the following error:
Microsoft VBScript runtime error '800a01ad'
ActiveX component can't create object: 'NameOfObjectInDLL'
In our case, this last advice fixed our problems.
IIS > Authentication > Anonymous Authentication - Edit > "Application pool identity"
This is only to confirm the solution provided by keydon, combined with the one provided by TimP. And give them thanks!!
In our case we've changed the following 3 parts (and an additional 4th for new permissions):
Web server Authentication properties: set Anonymous Authentication with "Application pool identity" instead of "Specific User".
Application Pool "Identity" property: set to "ApplicationPoolIdentity" instead of "LocalSystem".
Web Site "Connect As" for physical path: set to "Application user (pass-through authentication)" instead of "Specific User".
Add permissions for "Application Pool Identity user name" in the shared folder where the web application files are. Have a look at https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities#securing-resources
Thank you!!
(I'm sorry I can't vote for your solutions because I'm a starter and I don't have any reputation)
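The settings the answers above say must line up can be checked per site with the WebAdministration module. This is an added example, not code from the thread: the function name `Test-SiteIdentityAlignment` and the `-Fix` switch are hypothetical, and it relies on an empty anonymous `userName` being how IIS stores "Application pool identity".

```powershell
# Added example (not from the thread). Run elevated on the IIS server.
Import-Module WebAdministration

function Test-SiteIdentityAlignment {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [switch]$Fix   # hypothetical switch: apply the workaround, not just report
    )
    $anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'
    $aspFilter  = 'system.webServer/asp'
    $vdirFilter = "system.applicationHost/sites/site[@name='$SiteName']" +
                  "/application[@path='/']/virtualDirectory[@path='/']"
    $sitePath   = "IIS:\Sites\$SiteName"

    if ($Fix) {
        # Both sections are locked at server level by default, so write them
        # into applicationHost.config under a <location> for this site.
        # Empty userName = anonymous requests run as the application pool identity.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
            -Filter $anonFilter -Name userName -Value ''
        # Keeps Session_OnEnd firing, per the 19.07.2018 edit above.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
            -Filter $aspFilter -Name runOnEndAnonymously -Value $false
    }

    $site = Get-Item $sitePath
    $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
    $anon = Get-WebConfiguration -PSPath $sitePath -Filter $anonFilter
    $asp  = Get-WebConfiguration -PSPath $sitePath -Filter $aspFilter
    $vdir = Get-WebConfiguration -PSPath 'IIS:\' -Filter $vdirFilter

    [pscustomobject]@{
        Site                     = $SiteName
        AppPool                  = $site.applicationPool
        PoolIdentityType         = $pool.processModel.identityType
        PoolUserName             = $pool.processModel.userName
        AnonymousEnabled         = $anon.enabled
        AnonymousUsesPoolId      = [string]::IsNullOrEmpty($anon.userName)
        ConnectAsPassThrough     = [string]::IsNullOrEmpty($vdir.userName)
        RunOnEndAnonymously      = $asp.runOnEndAnonymously
    }
}

# Report every site; anything with AnonymousUsesPoolId = False is a candidate.
Get-ChildItem IIS:\Sites | ForEach-Object { Test-SiteIdentityAlignment -SiteName $_.Name }
```

After switching anonymous requests to the pool identity, that identity also needs read access to the content folder, as the last answer notes.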

How does PostSharp handle session state?

I am facing an issue when I try to configure PostSharp (3.1.46). Before configuration, the application was working fine.
I made a few observations.
The application is built on the VB.NET 4.0 framework. It is a normal web application with Visual Studio 2010.
Every page has EnableSessionState=false.
Web service session is enabled in "inproc" mode and EnableSessionState=true.
We configured PostSharp using postsharp.dll only, not any other PostSharp DLL like Pattern/Model.
We are using PostSharp to capture the log. We are using only this class: OnMethodBoundaryAspect.
I found an example on the PostSharp site for session state: http://samples.postsharp.net/#PostSharp.Samples.SessionState.
I found they are using LocationInterceptionAspect for session state.
I tried enabling and disabling session state, but the error is still the same as mentioned below. Please do the needful.
Do I need to enhance our source code to handle LocationInterceptionAspect for session state?
Error :
"Session state can only be used when enableSessionState is set to true, either in a configuration file or in the Page directive. Please also make sure that System.Web.SessionStateModule or a custom session state module is included in the \\ section in the application configuration."

How to add Development Server Authentication settings in source control?

Given the following
Visual Studio 2015
An ASP.NET Web Application (.csproj project)
.NET 4.5.2
IIS Express is enabled to debug and run the site
Source control in TFS
When I enable the property Development Server > Windows Authentication, the setting cannot be persisted in source control.
Is there a way to configure this setting so that it is applied when retrieving the solution from Source Control?
Workaround: every developer has to enable this individually.
Note: this setting is stored in applicationhost.config
This setting is saved in .vs/config/applicationHost.config. Without checking this file to your source code control, the setting won't be shared. But of course, if you check it in, then all other settings (like bindings/ports) are also shared, and it might lead to other issues.
This is mostly caused by the IIS Express design, and you have to get used to it.

Using ASP.NET authentication / authorization with Cassini development server

I've just run into one of the problems of using the integrated dev server (Cassini) in VS and would like to see if there are any solutions.
We're using asp.net authentication to secure the site. However, Cassini runs in integrated pipeline mode, meaning that requests for all files go through the asp.net isapi. The result of this is that it's securing files that would otherwise not be secured in a production environment (.htm .js .css etc..).
Now I understand that we can run the project on a local IIS instance, but we would like to avoid this if possible. But, because of the problem above, this is looking like the only solution.
Does anybody have any ideas about how to get Cassini working with authentication that can be easily moved to a production environment when ready. (I'd also like to avoid having a different development web.config that specifically allows access to these files).
We're using VS2010 by the way.
Many thanks.
Instead of using Cassini, you can download and install IIS Express:
IIS Express is a lightweight, self-contained version of IIS optimized for developers. IIS Express makes it easy to use the most current version of IIS to develop and test websites. It has all the core capabilities of IIS 7 as well as additional features designed to ease website development
You can wire up to the HttpApplication.PostAuthenticateRequest event in your global.asax or an IHttpModule. PostAuthenticateRequest event on MSDN
In the event handler, check the file extension for the one that you want to be unsecured. If the file extension is a match, then set the HttpContext.User to an IPrincipal instance that has the roles required for accessing a file in the specified directory.

Install ASP.Net State Service (2.0 or later) without IIS?

For a server farm, I would like to install the ASP.Net State Service on a non-web server to share with all the web servers. Is it possible to install the ASP.Net State Service standalone without having IIS installed on its server? If so, how?
According to this blog entry, Enabling ASP.NET Session State without Installing IIS, the answer is yes.
First, you need to make sure the ASP.NET State Service is installed on the computer. (Of course you'll need to have the .NET Framework installed on this computer.) Go to the Services section in the Administration Tools and locate the ASP.NET State Service item. If it's not there, drop to the command line, navigate to %WINDIR%\Microsoft.Net\Framework\*version*\ and enter:
aspnet_regiis -i
Finally, you'll need to allow remote connections to this server. Go to the Registry and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection to 1.
Happy Programming!
Please note that I have not tried these steps myself; rather, I am summarizing the discussion from the Enabling ASP.NET Session State without Installing IIS blog entry I cited at the start of this answer...
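The steps above can be scripted together with the web-server side, which is the same `sessionState` mode change the first question on this page asks about (done here with WebAdministration, not the MSBuild Extension Pack). This is an added example, not code from the cited blog entry: the function names and the addresses in the usage lines are hypothetical, 42424 is the service's default port, and the firewall rule is an added assumption so that only the farm's web servers can reach the port that `AllowRemoteConnection` opens.

```powershell
# Added example (not from the blog entry). Run elevated.

# On the dedicated state server (no IIS required).
function Enable-RemoteStateService {
    param([Parameter(Mandatory)][string[]]$WebServerAddress)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters'
    # Fails here if the service is missing; register it first as described above.
    Get-Service -Name aspnet_state -ErrorAction Stop | Out-Null

    Set-ItemProperty -Path $key -Name AllowRemoteConnection -Value 1 -Type DWord
    $port = (Get-ItemProperty -Path $key).Port
    if (-not $port) { $port = 42424 }   # default when no Port value is set

    # Allow inbound connections only from the named web servers
    # (requires the NetSecurity module, Windows Server 2012 or later).
    New-NetFirewallRule -DisplayName 'ASP.NET State Service (web farm only)' `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $WebServerAddress -Action Allow | Out-Null

    Set-Service -Name aspnet_state -StartupType Automatic
    Restart-Service -Name aspnet_state   # picks up the registry change
    return $port
}

# On each web server in the farm.
function Set-SiteStateServer {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$StateHost,
        [int]$Port = 42424
    )
    Import-Module WebAdministration
    $path   = "IIS:\Sites\$SiteName"
    $filter = 'system.web/sessionState'
    Set-WebConfigurationProperty -PSPath $path -Filter $filter `
        -Name mode -Value 'StateServer'
    Set-WebConfigurationProperty -PSPath $path -Filter $filter `
        -Name stateConnectionString -Value "tcpip=${StateHost}:$Port"
    # Return the effective mode so a build step can verify the change.
    (Get-WebConfiguration -PSPath $path -Filter $filter).mode
}

# Usage with constructed values:
#   Enable-RemoteStateService -WebServerAddress '192.0.2.10','192.0.2.11'
#   Set-SiteStateServer -SiteName 'Default Web Site' -StateHost '192.0.2.20'
```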
