I'm in the process of creating a new web application using classic ASP. I've done this before and have 2 similar websites that have been running for over 2 years. My problem is that the ISP I'm using has me hosted on a system running Server 2008, IIS7, and I cannot rely on session state remaining constant. I use a session variable to pass validated usernames from page to page. I know I can re-write the application to use db storage as an alternative, but I hate to have to modify a working application.
In talking with the ISP they suggested adding a sessionState variable to my web.config file and use stateserver to pass the data to a file on their system (they provided the connection string, etc.). This seems fine, but whenever I add the sessionState line to the web.config the website gets a error 500.19 with an error code of 0x8007000d.
I've tried to add a line on my local PC to simply change the session timeout as a testing methodology, but I get the same error. I'm sure it's something obvious, but I've researched the general topic and it looks like it should work? The simple web.config code is below and any suggestions would be greatfully appreciated (I'm developing a flat spot on my forehead from hitting the desk).
Thanks,
Contents of web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<sessionState timeout="40" />
<defaultDocument enabled="true">
<files>
<clear />
<add value="index.aspx" />
<add value="index.asp" />
<add value="default.htm" />
<add value="default.html" />
</files>
</defaultDocument>
<security>
<authentication>
<basicAuthentication enabled="true" />
</authentication>
</security>
<httpErrors errorMode="Custom">
<remove statusCode="404" subStatusCode="-1" />
<error statusCode="404" prefixLanguageFilePath="" path="/OaOInternal/DefaultWebs/sedoCurrent/Error404.aspx" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
</configuration>
classic ASP sites don't use web.config files
Related
I need to use IIS only for directory browsing. The directory contains ASP.NET Core files and IIS automatically attempts to serve them normally.
Is there a way to force IIS to display all files as static files?
In order to let IIS serves everything as static content, you have to
Keep only Static Files handlers
enable directory browsing
Add mime type for every file. Without that IIS won't know how to serve unknown file type
Disable request filtering to download .config file, bin folder content, etc.
You will find below the corresponding web.config
WARNING : big security issue. Be sure to understand the risk before applying this configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<clear />
<add name="StaticFiles" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>
<directoryBrowse enabled="true" />
<staticContent>
<mimeMap fileExtension=".*" mimeType="application/octet-stream" />
</staticContent>
<security>
<requestFiltering>
<hiddenSegments>
<clear />
</hiddenSegments>
<fileExtensions>
<clear />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
I have an asp.net WebApi application where I would like to move any configuration that is likely to change out of web.config into an external configuration file.
This will then allow an install update to overwrite the web.config so that it picks up any newer configuration added between version, but preserve other user settings which may vary between deployments.
I have successfully done this with a few sections, eg appSettings.
For appSettings, I have the folliwing in web.config...
<appSettings configSource="config\appSettings.config"/>
And then the external file has the various settings, eg ...
<?xml version="1.0" encoding="utf-8"?>
<appSettings>
<add key="IISSitePrefix" value="http" />
<!--- Set this to True to emit http request debug information to the Event log -->
<add key="EnableHttpDebugTracing" value="false" />
.... etc
I have been trying to do the same with the two configuration settings we need to change to toggle on/off windows authentication, as some deployments will use this, and others will use token based security. To do this I need to move the following out of web.config...
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
<system.web>
<authentication mode="Windows"/>
</system.web>
So for the first tag, I tried the following....
<authentication configSource="config\authentication.config"/>
with the contents of the external file being..
<?xml version="1.0" encoding="utf-8"?>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
However, when I run this, I get the following error...
The configuration section 'authentication' cannot be read because it is missing a section declaration
I get a similar result when I try the other section.
Does anyone know what this means, or even if it is possible to do the above?
Thanks in advance for any help
[EDIT 1]
After one of the comments I have realised, perhaps my configuration is not quite correct (it was some time ago I first looked at this, and am now revisiting)
Previously, to enable integrated (windows) authentication, I thought you needed two bits of configuration (system.web AND system.webserver)...
<system.web>
<authentication mode="Windows"/>
</system.web>
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
BUT now looking at this post, it appears I only need the <system.webServer> and not <system.web> at all
I removed my <system.web> and I could indeed turn off the intergarted authentication using just the <system.webServer> section.
So, now, what I want to configure in the external file is just the following..
ie if possible I'd like to just move out the <security> section, and leave the rest of the <system.webServer> in web.config.
I tried the following ..
<system.webServer>
<security configSource ="config\authentication.config"/>
</system.webServer>
With the contents of authentication.config being...
<?xml version="1.0" encoding="utf-8"?>
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
</security>
But now when I try to execute a route I get..
Unrecognized attribute 'configSource'
Config Source:
87:
88: <security configSource ="config\authentication.config"/>
89:
So my (modified) question becomes is there a way to move out the above section?
Try changing the external file from
<?xml version="1.0" encoding="utf-8"?>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
to:
<?xml version="1.0" encoding="utf-8"?>
<authentication mode="Windows"></authentication>
It works for me ;)
I've read a lot of documentation on this error and it all seems to point to modifying applicationHost.config. I've made the modifications and mine looks like:
<system.webServer>
<asp />
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
I've restarted the website but still get the same error.
I'm running IIS6. Any ideas what I'm doing wrong?
I found a bug in IIS7 and am looking for a workaround. After turning off client side and server side debugging for clients that still have their Classic ASP sites on my server, I discovered to my horror, that IIS 7 is STILL sending fully detailed messages to the client!
I've specified custom error pages as well (all of which redirect to a generic error page except 404 errors - those just get displayed in full, including the internal path of the websites in question). I can't seem to find a work around or patch or anything.
I did a hack that generates "The page cannot be displayed because an internal server error has occurred." instead of displaying the 404 error by putting the following into the web.config file of the Classic ASP site in question:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<defaultDocument>
<files>
<remove value="index.html" />
<remove value="index.php" />
<remove value="default.aspx" />
<remove value="iisstart.htm" />
<remove value="index.htm" />
<remove value="Default.htm" />
<add value="index.asp" />
</files>
</defaultDocument>
<httpErrors errorMode="DetailedLocalOnly" defaultResponseMode="File" >
<remove statusCode="404" />
<error statusCode="404" path="~\error404.htm" />
</httpErrors>
</system.webServer>
</configuration>
Unfortunately, the httpErrors tag doesn't seem to work properly for classic ASP sites, no matter what you put in the path variable, an internal server error will occur. The point is to remove the status code here as there is no way to do this globally in IIS 7 (at least that I can find). The good news is that there is no detailed 404 error, the bad news is that trapping 404 errors is not possible (for ASP).
Any better (working) ideas?
On IIS, go to your Website, go to ASP and change the Debugging Properties like following:
Change all to "False" and done.
I am following Scott gu's trick of placing a App_Offline.htm page at the route of my application to bring it offline - http://weblogs.asp.net/scottgu/archive/2006/04/09/442332.aspx
It does not seem to be working on one of my sites though. I place the file in IIS7 of one my sites, and all traffic is redirected to it.
However in the other site, same server etc, I get a page that contains "The service is unavailable.".
Not sure where I am going wrong - any ideas?
I managed to solve it by putting the following code in my web.config:
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<defaultDocument>
<files>
<clear />
<add value="index.html" />
<add value="app_offline.htm" />
</files>
</defaultDocument>
<httpErrors errorMode="Custom" existingResponse="Replace">
<clear />
<error statusCode="503" path="App_Offline.htm" responseMode="File" />
</httpErrors>
</system.webServer>
</configuration>
This fix was found by putting together some info from Scott Gu, npiaseck # IIS Forum and Kurt Schindler.
this was my soluton - notice the 503...
<httpErrors existingResponse="Replace" errorMode="Custom">
<remove statusCode="404" subStatusCode='-1' />
<remove statusCode="400" subStatusCode='-1' />
<remove statusCode="500" subStatusCode='-1' />
<remove statusCode="503" subStatusCode='-1' />
<error statusCode="404" path="404.html" prefixLanguageFilePath="" responseMode="File" />
<error statusCode="400" path="404.html" prefixLanguageFilePath="" responseMode="File" />
<error statusCode="500" path="500.html" prefixLanguageFilePath="" responseMode="File" />
<error statusCode="503" path="app_offline.htm" responseMode="File" />
</httpErrors>
I had this issue with a MVC site recently, and I managed to solve it by replacing the web.config I originally had with a clean, minimal one when wanting to use the app_offline.htm file.
<?xml version="1.0"?>
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
If I had more time I'd go through and find the exact thing in the web.config that was altering the behaviour, but this is worth a shot.
I had the same problem recently when adding a app_offline.htm page to one of my sites.
All the answers here suggest to set the 503 response to the same app_offline.htm, I already have a different 503 page and don't really want to fiddle with that.
Also, I liked to know why this is happening.
The 503 is sent by the AspNetInitializationExceptionModule, I assume if the asp.net runtime detects the app_offline.htm file in the root of the web site, it sends an
503 Service Unavailable
and also does send the content of the app_offline.htm as a response.
However, because it is an error response the IIS error handing kicks in:
<httpErrors existingResponse="Replace">
The Replace here means, ignore whatever ASP.NET sent you and use your own 503 response. By specifying the same page (app_offline.htm) like suggested in the other answers this fixes the problem.
Another way to fix this is to change the existingResponse attribute, like:
<httpErrors existingResponse="Auto">
now IIS honours the response from ASP.NET and shows the content of the app_offline.htm file.
But Auto also means that other ASP.NET error responses may pass through.
Here's how you do it using the GUI (note the last line - that's the one you should add/edit)
All you need to do is rename your web.config to something else like web.config.bak while using the app_offline.htm.