“Timeout expired” errors may be result of a wide range of issues such as network delays, application hangs, database locks. I have recently worked on an issue that was the result of ADO.NET database pool exhaustion.

The entire error message we captured in the DebugDiag dump file:

Exception Details

System.InvalidOperationException

Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.

System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(System.Data.Common.DbConnection

Root cause of ADO.NET database pool exhaustion

Looking at the dump file analysis above, I saw that the MaxPoolSize was reached for ADO.NET connections. This points out a coding issue.

From the application code, I noticed that a SqlDataReader object is created but never closed in the authentication function. I also didn’t see that connection is closed. It means the application is creating a new connection each time this function is called (probably in every page). Therefore, the connection pool is adding up quickly. The default MaxPoolSize is 100. When this limit is reached, new requests are queued until the time-out occurs which is 15 seconds by default.

This is the reason a user is waiting for the page to load for a while. Since there is still no availability in the connection pool after waiting for 15 seconds, the request is timing out and the page is redirected to the custom error page.

It explains why this issue happens intermittently. If you spend time in the application for a long time until exhausting the connection pool, you will come across this issue with every user account.

In addition to the connection pool issue, if you see assembly related database connection issue, check this post out: Solved: “Could not load file or assembly ‘Microsoft.SqlServer.Management.Sdk. The system cannot find the file specified”

Solution for “The timeout period elapsed prior to obtaining a connection from the pool”

As a temporary solution, you can recycle the application pool. It clears the connection pool.

In order to fix this issue permanently, the ADO.NET connection function should be edited. The connection and dataReader objects should be closed after each transaction as mentioned in this article:

We strongly recommend that you always close the connection when you are finished using it so that the connection will be returned to the pool. You can do this using either the Close or Dispose methods of the Connection object, or by opening all connections inside a using statement in C#, or a Using statement in Visual Basic. Connections that are not explicitly closed might not be added or returned to the pool. For more information, see using Statement or How to: Dispose of a System Resource for Visual Basic.

A related StackOverflow post and Microsoft blog post may shed more light on the issue.

If you are seing this issue while working with AD RMS, check this post out for a solution: How to clear AD RMS super user group membership cache

The post The timeout period elapsed prior to obtaining a connection from the pool appeared first on port135.com.

IIS Shared Configuration allows system administrators to use multiple IIS servers sharing the same configuration file. If you want to keep this configuration file in an Azure file share, there is a specific procedure you need to follow. Step-by-step procedure is in the Solution section below.

You can also try to use “Map network drive” feature in Windows File Explorer or the New-PSDrive command below. In my case, neither of these options provided a permanent solution.

New-PSDrive -Name Z -PSProvider FileSystem -Root "\\name.file.core.windows.net\sms-standard-storage" -Credential $credential -Persist -Scope global

If you are seeing too many requests from an Azure service in your IIS server, check this post out: IIS receives too many requests from the user-agent Edge+Health+Probe

Step-by-step instructions for using Azure file share in IIS Shared Configuration

Please use the steps below to link your Azure file share to your IIS.

1. Go to your Azure dashboard
2. Click “Storage accounts > name-of-the-storage > Access keys”
3. Copy the storage account name and key to notepad
4. Login to the web server in which IIS is installed
5. Run the command below to create a network share that will be used by IIS Shared Configuration
   net use * \\name.file.core.windows.net\sms-standard-storage /User:your-storage-account-name your-key
6. Create a local user account in “Windows Server (Computer Management > Local Users and Groups > Users > Right click > New User)“
7. The user name should be exactly the same as your storage account name
8. The password should be exactly the same as your storage account’s key
9. Check “User cannot change password” and “Password never expires” options. Click OK
10. Add this account to the IIS_IUSRS group (Computer Management > Local Users and Groups > Groups > IIS_IUSRS > Properties > Add)
11. The rest of the steps are for setting up IIS Shared Configuration. Let me know please if you want to have detailed instructions (The article explains as well)

The main point is that creating a local user account that has the same username and password (key) as your storage account in Azure.

After configuring your application in Azure, you may run into a connection issue while trying to publish your application in Visual Studio. Check this post out for a solution: (Solved) Could not reach the Web Deploy endpoint on the specified virtual machine

The post How to use Azure file share in IIS Shared Configuration? appeared first on port135.com.

Advanced Logging is an additional IIS feature that helps administrators customizing web server logs. IIS 7, 7.5, and 8 used this feature as a detailed and customized logging option. With IIS 8.5, Enhanced Logging which is a built-in feature in IIS was introduced.

In this post, I will explain a solution for the scenario where Advanced Logging is not recording any logs. I will also provide a trick to enable it per websites.

What to do if Advanced Logging is not working

First of all, check the module in IIS to make sure it’s enabled.

If everything looks good on the window above, check your applicationHost.config file. In my case, it was not working because enabled-"true" attribute were not present. After adding it as shown below, it started logging.

How to enable or disable Advanced Logging per website

It sounds straightforward but -unfortunately- it isn’t because the suggested solution in the official documentation results in the error below.

There was an error while performing this operation.

Details:

The request is not supported. (Exception from HRESULT: 0x80070032)

Suggested solution which DOES NOT WORK:

The Advanced Logging feature can be enabled or disabled at the server level in IIS Manager, which also enables or disables logging at lower levels (matching the server-level setting).
1- In the Connections pane, click the Web site or directory for which you want to disable logging.
2- In the Web site or directory Home page, double-click the Advanced Logging icon.
3- In the Advanced Logging feature page, click the log definition, and then in the Actions pane, click Edit Log Definition.
4- In the Log Definition page, clear the Enabled check box.
5- In the Actions pane, click Apply.
6- Repeat steps (3) through (5) for additional log definitions, if desired.

The trick that works

Instead of disabling Advanced Logging per site, you can create a filter for sites that we don’t want logs for.

For example: In my test environment, let’s say I don’t want logs for MigrationTest site. So created a filter as shown below. It doesn’t log for that site anymore (If there is no log file in the folder, it creates a new file. However, it doesn’t log requests in this file)

In order to create a filter to disable logging for a site:

1. Go to IIS Manager
2. Click the server name
3. Double click Advanced Logging
4. Double click the log definition (%COMPUTERNAME%-Server)
5. Click Edit Filter
6. Click Add Expression
7. From Field list, select Site Name
8. From Operator list, select Not Equals
9. In the Value field, type the site name
10. Click OK to close Edit Log Definition Filter window
11. Click Apply
12. Repeat Step 6-9 for the other sites you want to disable logging for
13. Reset IIS

You can use Advanced Logging to actual client IP address when there is a load balancer in between. Here is how to make this configuration: How to log actual client IP address in IIS?

The post Advanced Logging is not working – Enable Advanced Logging per site appeared first on port135.com.

System administrators use IIS Manager to host and manage their web applications in IIS. In the majority of the companies I worked with, administrators use a local or domain account that has local admin rights to use IIS Manager. How about non-admin accounts? Can a non-administrator account use IIS Manager?

The answer is YES depending on what you want to manage and how you want to access IIS Manager.

If you login to Windows Server with a non-admin account and open IIS Manager, you can only manage

• Websites
• Applications

Non-admin accounts can’t manage application pools locally. This is by-design.

If you open IIS Manager in another server and connect it to your actual server, you can manage

• Application pools
• Websites
• Applications

In the next section, I will briefly explain how to manage websites and applications locally with a non-admin account.

Manage IIS websites and applications locally with a non-admin account

The steps below are for a website. You can use similar steps for applications.

1. Go to IIS Manager
2. Click the website. Open “IIS Manager Permissions”
3. Click “Allow User”. Add your domain or local users (In the screenshot below, I used IISTEAM domain)
4. Log off administrator. Log in with non-admin user
5. Go to IIS Manager
6. Select “File > Connect to Site”
7. Enter “localhost” as a server name and enter your site name. Click “Next”
8. Enter username and password (a user from IIS Manager Permissions). Click “Finish”
9. The website will show up in IIS Manager

For managing application pools with a non-admin user remotely, add users to IIS Manager Permissions just like we did above. Additionally, go to “IIS Manager > Management Service” and enable it. After this, you can open IIS Manager in another server and add this server as a new connection. Here is a good blog post about this.

After connecting to IIS Manager, you may see that some bindings are missing. Check this post out for the root cause and solution: Missing bindings in IIS (net.tcp, net.pipe, net.msmq, msmq.formatname)

The post How to manage IIS locally with a non-admin account? appeared first on port135.com.

You may run into “The file has not been pre-compiled, and cannot be requested” error intermittently while accessing your ASP.NET application. The intermittent nature of the issue makes it hard to troubleshoot but there are a couple of common causes of this issue. Let’s have a look a them and the possible solutions.

The error message

Here is the full error message from Event Viewer (Event ID is 1309):

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/13/2019 5:30:37 PM
Event time (UTC): 8/13/2019 9:30:37 PM
Event ID: fb6cbd06310e4e1691aea324e43874ae
Event sequence: 5
Event occurrence: 3
Event detail code: 0

Application information:
Application domain: /LM/W3SVC/1/ROOT/ApplicationX-1-132102041647233704
Trust level: Full
Application Virtual Path: /ApplicationX
Application Path: E:\inetpub\wwwroot\ApplicationX \
Machine name: ServerX

Process information:
Process ID: 2276
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception information:
Exception type: HttpException
Exception message: The file ‘/ApplicationX/Login.aspx’ has not been pre-compiled, and cannot be requested.
at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)
at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)

Root cause and solution for “The file has not been pre-compiled, and cannot be requested” error

This issue occurs because the application is not able to load one or more libraries it needs. Most of the time, an assembly that web.config references is not available in the application directory or GAC.

Here are the most common causes of the issue:

1. There is a known bug in .NET Framework 4.7.x that causes this issue. There is a public post here in regards to this bug
2. Web.config file references an assembly but this assembly doesn’t exist in the application folder or GAC
3. There is an assembly file in the application folder but it is not referenced by the web.config file

For the 2nd and 3rd causes, I would recommend turning on Assembly Binding Logging to see which assembly is causing this issue: How to enable Assembly Binding Logging (Fusion Log Viewer – fuslogvw.exe)?

Other causes:

1. Incorrect version of the assemblies are being used
2. PrecompiledApp.config file exists
3. It’s a 32-bit application and “Enable 32-bit applications” is set to false
4. Temporary ASP.NET files are causing the issue (C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root)
5. There are extra files in the publish location. “Remove additional files at destination” is not selected in the Visual Studio Publish Profile
6. If there is a script used for deployment, it may not be clearing the target folder properly or it may not be copying all the files from the source
7. There is not enough disk space in IIS

I won’t be able to provide solution for each of these causes but I am hoping that knowing these possible causes will help narrowing the issue down.

Here are a helpful StackOverflow post, an ASP.NET forum topic, and a MSDN blog post about this issue.

If you find yourself troubleshooting an assembly related issue, this post may help: How to find out the Public Key Token for an assembly (DLL) file?

The post The file has not been pre-compiled, and cannot be requested (Solved) appeared first on port135.com.

When it comes to finding out an external website’s speed, Pingdom Website Speed Test is the first tool that comes to mind. Google PageSpeed Insights and GTmetrix are other useful tools to measure and troubleshoot your external site’s speed.

What about internal sites? Since these sites are not open to public, tools like Pingdom or GTmetrix won’t be able to analyze them. I will mention a quick way of measuring your website’s speed in this post.

Measure website speed in internal network

Determining your website’s load speed is as easy as running a small PowerShell script. Well, technically, you can just load it on a browser and check the timing in a chronometer but it wouldn’t give precise results.

I developed two PowerShell scripts for this purpose:

1. Show the speed of an URL. Check only once
2. Show the average speed of an URL after checking it for X number of times

Speed of an URL (One check only)

Copy the following code and paste it in a notepad file. Save it as ps1 file (Example: SiteTest.ps1). Then run it to see the exact load speed of your website.

$url = 'http:\\localhost'

$timeTaken = Measure-Command -Expression {
    $site = Invoke-WebRequest -Uri $url
}

$seconds = [Math]::Round($timeTaken.TotalSeconds, 4)

"The page took $seconds seconds to load" 

If you are not happy with your IIS website speed and you want to improve it, check this detailed article about performance improvement: 9 Easy and Practical Recommendations to Improve IIS Performance

Average speed of an URL (Check X times)

By enhancing the code in the previous section, we can test the URL multiple times and calculate the average. For example, the code below checks the speed 100 times and shows the average value along with each test’s result.

# CHANGE THESE TWO VALUES #
$url = 'http://localhost/'
$totalRequest = 100
 
# NO NEED TO MAKE A CHANGE BELOW THIS LINE #
$totalSeconds=0
$individualRequests = ""
 
For ($i=0; $i -lt $totalRequest; $i++)  {
 
    $timeTaken = Measure-Command -Expression {
        $site = Invoke-WebRequest -Uri $url
    }
 
    $roundedSecond = [Math]::Round($timeTaken.TotalSeconds, 4)
    $totalSeconds += $roundedSecond
    $individualRequests += $roundedSecond.toString() +  "  -  "
 
    Start-Sleep -m 200
}
 
$averageSeconds = $totalSeconds / $totalRequest
""
"Average of $totalRequest requests is $averageSeconds"
""
"Individual requests: $individualRequests" 

Please make sure to update url and totalRequest variables before running the script.

Another way of monitoring your site speed is that using performance counters in Windows. Check this post out for more information: 5 Useful Performance Counters to Monitor for IIS

The post How to measure website speed in your internal network? appeared first on port135.com.

Microsoft releases Windows updates every second Tuesday of the month. Most of the time, these updates require a restart. Therefore, you may see some unexpected behavior the very next day of the updates and restart. The issues are not necessarily caused by Windows updates. Sometimes, a past configuration change takes effect after the updates because the machine is restarted.

In this post, you will find information about an issue that came out after updating .NET Framework in Windows Server.

Error message (Event ID 5172)

Here is the error message from Event Viewer:

SystemSource: Microsoft-Windows-WAS
Event ID: 5172
Task Category: None
Level: Error
Keywords: Classic
Description: The Windows Process Activation Service encountered an error trying to read configuration data from file 'C:\Windows\system32\inetsrv\config\schema\NetFx40_IIS_schema_update.xml', line number '1'.  The error message is: 'Configuration file is not well-formed XML'.  The data field contains the error number. 

You may see the following errors as well because Windows Process Activation Service fails to start. World Wide Web Publishing Service fails as well since it depends on Windows Process Activation Service.

Log Name: System
Source: Service Control Manager
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
Description: The Windows Process Activation Service service terminated with the following error: The data is invalid. 

Log Name: System
Source: Service Control Manager
Event ID: 7001
Task Category: None
Level: Error
Keywords: Classic
Description: The World Wide Web Publishing Service service depends on the Windows Process Activation Service service which failed to start because of the following error: The data is invalid. 

Since this configuration file is corrupted, you probably won’t be able to use IIS Manager:

In addition to this xml error, if your application pools are disabled, I recommend checking this post out: HTTP 503 Service Unavailable (Application pool has been disabled)

Solution for NetFx40_IIS_schema_update.xml error

The good news is that Windows backs up IIS configuration files before making any changes to them as part of Windows updates. NetFx40_IIS_schema_update.xml is one of these files.

Backup folder is C:\inetpub\history

In order to solve this issue, copy the last good of .NET Framework IIS scheme file (NetFx40_IIS_schema_update.xml) to the path mentioned in the error message (C:\Windows\system32\inetsrv\config\schema\). Then restart IIS.

Still seeing the error?

If you are still getting this error, try deleting the xml file. Windows should create a new one automatically. This post mentions that this workaround worked.

If you are using Shared Configuration in IIS, the root cause of the issue might be different than what I mentioned above (Windows updates). There might be an issue with file synchronization. For more details, check this post out: Configuration file is not well-formed XML (IIS Shared Configuration)

The post Windows Process Activation error (NetFx40_IIS_schema_update.xml) appeared first on port135.com.

Long story short: Bit Rate Throttling extension is reaching the end of support period (Maybe it did, while you are reading this). The support ends on January 14th, 2020. Therefore, the executable file is not available in the official site anymore.

This extension helped server administrators to limit download speeds of media and data files. Here is an excerpt from the official extension page:

Bit Rate Throttling saves network bandwidth costs by controlling the rate at which media is delivered over HTTP. The throttling rate can be configured using server-side rules or by automatically adjusting the download rate for detected media files based on format and encoded bit rate. When it is not used, content is downloaded at the maximum possible speed. If a user watches only 20% of a video clip, the host would have paid bandwidth for content that was never watched.

When it is used, a few seconds of content is sent to the client at the highest possible data rate before throttling down delivery to the encoded bit rate so that users experience a “Fast Start” of the content they want to watch.

What to use instead of Bit Rate Throttling?

Use Azure Media Services instead. Since it’s a cloud-based service, you may need to do some architectural changes in your environment but it will provide more seamless experience once you implement it.

For more information about IIS Media Services, here is the Readme page.

Looking for more information about ARR (Application Request Routing) extension? Check this post out: How to check if ARR (Application Request Routing) extension is installed in IIS?

The post What happened to Bit Rate Throttling extension in IIS appeared first on port135.com.

IIS can perform Windows Authentication to allow your users to a web application. This authentication process can take place on the user-mode (IIS worker process) or kernel-mode (HTTP.SYS).

If you configure IIS to perform it in kernel-mode, you can add maximum 64 bindings to your site. If you add 65 or more bindings, IIS will show “401.2 Unauthorized: Logon Failed Due to Server Configuration with No Authentication” error even though the credentials you submit are correct.

Microsoft has confirmed this limitation. A change for Windows Server 2008 R2 or Windows Server 2012 R2 is not expected.

Workaround for IIS binding limit

The workaround is that using user-mode authentication for your application which has Windows Authentication on.

In order to use user-mode authentication instead of kernel-mode:

1. Go to IIS Manager
2. Click on the website
3. Double click on “Authentication“
4. Select “Advanced Settings” on the right side
5. Uncheck “Enable Kernel-mode authentication“

Afterwards, continue with these steps:

1. Go to IIS Manager
2. Click the website name
3. Double click on “Configuration Editor“
4. Select “system.webServer/security/ authentcation/windowsAuthentication” from the path
5. Set “True” for “useAppPoolCredentials“
6. Set “False” for “useKernelMode“
7. Click “Apply“

A discussion about the binding limit on IIS forum.

If Windows Authentication is failing and you are using IBM Cognos, check this post out: Windows Authentication is failing for IBM Cognos.

Another possible cause for Windows Authentication failure is the February updates. More information: Authentication stops working after installing February 2019 updates.

The post IIS binding limit (401.2 Windows Authentication error) appeared first on port135.com.

When a user tries to access a website, the browser sends Host Header to inform which address the user wants to visit. Just like other headers, attackers can temper Host Header to manipulate how the application works. In this post, I will explain a way to prevent this kind of a Host Header attack.

Scenario

In a nutshell, here is how this attack occurs:

1. Attacker changes Host Header (Example: malicious-site.com)
2. Attacker makes a request to visit this site
3. The web server receives this Host Header (malicious-site.com)
4. If the application is using this Host Header to build a link, the attacker’s site will appear in this link. For example, the application may call a JavaScript file with Host Header string in the URL. In this case, the website will call an address such as:
   <script src="http://malicious-site.com/script.js">
5. Since the website called attacker’s JavaScript, the attacker can do plenty of “bad things”

This type of attack can affect password reset forms and X-Forwarded-Host header as well. For more information about Host Header Attack, visit Reference 1, Reference 2, Reference 3, and Reference 4.

Host Header Vulnerability

Your security scan tool may flag Host Header related findings as a vulnerability. In my case, I had this report from the Cisco vulnerability scan:

Cisco observed that the application is not validating the host header on the following endpoints:

https://domain.com/folder1/page1.aspx
https://domain.com/folder2/page2.aspx

In the absence of host header validation, certain implementations can lead to cache poisoning attacks, allowing attackers to potentially compromise sensitive data. Please also refer to the “Insufficient Cache Control Headers” finding

Have you received a warning about usage of HTTP TRACK or TRACE headers in your web server? Check this post out for more information: How to disable HTTP TRACK and TRACE verbs in IIS?

How to Prevent Host Header Attacks?

There are a couple of best practices for preventing attackers using Host Header to manipulate your application:

• Do not use Host Header in your application code
• If you have to use it, validate it in every page
• Make sure all of your IIS websites have a hostname
• Disable support for X-Forwarded-Host header

How to Fix Host Header Vulnerability?

You can use URL Rewrite rules in IIS to find malicious host headers. Perform the steps below:

1. Go to IIS Manager
2. Click on the site
3. Double click on “URL Rewrite” (it should be installed)
4. Click “Add Rule(s)” on the right side
5. Select “Blank rule”. Click “OK”
6. Give a name to the rule
7. In “Match URL” section, enter (.) in “Pattern” field
8. In “Conditions” section, click “Add”
9. Enter {HTTP_HOST} into “Condition input” field
10. Select “Does Not Match the Pattern” option from “Check if input string” list
11. Enter ^([a-zA-Z0-9-_]+.)domain.com$ into “Pattern” field (change domain to your actual domain)
12. In the “Action” section, select “Redirect” from the “Action type” list
13. Enter your domain address (https://domain.com/) in the “Redirect URL” field
14. Select “Permanent (301)” from the “Redirect type” list
15. Click “Apply” on the right side

In addition to the Host Header vulnerability, your security scan tool may flag “Disclosure of private IP address” finding as well. Check this post out to find out the steps to mitigate it: Do not disclose private IP addresses and routing information to unauthorized parties

The post Solution for Host Header Attack and Vulnerability appeared first on port135.com.

IIS uses worker process (w3wp.exe) to work on requests from clients. Because of a variety of reasons, w3wp.exe may crash which makes the web application unresponsive. Heap Corruption (0xC0000374) is one of the common causes of w3wp.exe crashes. You will find the solution here for an issue caused by a specific bug in System Center Operations Manager.

In the case I worked on, w3wp.exe was crashing every a few minutes. Here is a sample Event Viewer log:

Event ID 1000 – Application Error

Faulting application name: w3wp.exe
Faulting module name: mscorwks.dll
Exception code: 0xc0000005

Root Cause of the w3wp.exe crash

Upon checking the dump file we collected using DebugDiag crash rule, we saw heap corruption.

In w3wp__SharePoint_PID.dmp the assembly instruction at ntdll!RtlReportCriticalFailure+62 in C:\Windows\System32\ntdll.dll from Microsoft Corporation has caused a corrupted heap exception (0xC0000374) when trying to perform an unknown operation on memory location 0x00000000 on thread 105

Heap corruption was detected in w3wp__SharePoint_PID.dmp. However page heap was not enabled in this dump. Please follow the instructions in the recommendation section for troubleshooting heap corruption issues.

Current NTGlobalFlags value: 0x0

An exception thrown by a heap memory manager function indicates heap corruption. Please click the ‘PageHeap Flags…’ button in the DebugDiag crash rule configuration dialog to enable PageHeap for the target process and collect another dump. For more information, review the following documents:
How to Use the Debug Diagnostic Tool v1.1 (DebugDiag) to Debug User Mode Processes
Debugging Heap corruption with Application Verifier and Debugdiag

The stack trace showed MicrosoftInstrumentationEngine_x64 which points out the bug mentioned here.

Stack trace:

ntdll!RtlReportCriticalFailure+62
ntdll!RtlpReportHeapFailure+26
ntdll!RtlpHeapHandleError+12
ntdll!RtlpLogHeapFailure+a4
ntdll!RtlFreeHeap+72
ole32!CoTaskMemFree+36
mscorwks!DebuggerMethodInfo::SetInstrumentedILMap+20
mscorwks!Debugger::SetILInstrumentedCodeMap+a1
mscorwks!ProfToEEInterfaceImpl::SetILInstrumentedCodeMap+5d
mscordbc!CorProfInfo::SetILInstrumentedCodeMap+2b
MicrosoftInstrumentationEngine_x64!DllRegisterServer+1dec0
MicrosoftInstrumentationEngine_x64!DllRegisterServer+842d
mscordbc!EEToProfInterfaceImpl::JITCompilationStarted+d3

Solution for w3wp.exe crash caused by Heap Corruption

In order to solve this issue, you should uninstall Microsoft Monitoring Agent (SCOM agent) and restart the machine.

If you need to install it back, install it by using the command provided by Microsoft:

msiexec /i MonAgent.msi NOAPM=1

If this doesn’t solve the issue, please check this post out for other possible reasons of w3wp.exe crashes: 0xc0000005 exception code causes w3wp.exe crashes.

Corruption of the heap may occur because of issues other than the bug I mentioned above. Here is a good post about other root causes: w3wp.exe crashes every 5 minutes with error code 0xc0000374

The post w3wp.exe crash caused by Heap Corruption (0xC0000374) appeared first on port135.com.

Certain changes such as updates to IIS configuration schema, registry keys or .NET assemblies in GAC requires restarting IIS (iisreset). Alternatively, you can recycle application pools.

While trying to restart IIS, you may come across to the error message below. I will explain the troubleshooting steps for this issue in this post.

Restart attempt failed. The IIS Admin Service or the World Wide Web Publishing Service, or a service dependent on them failed to start. The service, or dependent services may had an error during its startup or may be disabled

Solution for “Restart attempt failed” error

IIS depends on the certain services to function properly. As the error message mentions, the root cause of this issue is probably a failed dependent service.

Make sure the services below are running in the server:

• World Wide Web Publishing
• IIS Admin Service
• Net.Msmq Listener Adapter
• Net.Tcp Listener Adapter
• Net.Pipe Listener Adapter
• Net.Tcp Port Sharing Service
• Messaging Queuing
• W3SVC Service

In my case, Net.Msmq Listener Adapter service was not running. When I tried to start it, I got this error:

Error 1075: The dependency service does not exist or has been marked for deletion

In the Event Viewer, I saw this message:

The Net.Msmq Listener Adapter service depends on the following service: msmq. This service might not be installed.

Net.Msmq Listener Adapter and MSMQ

This message indicated that MSMQ may not exist in the server. MSMQ (Microsoft Message Queuing) is a messaging protocol that applications use for running on separate servers and processes. Net.Msmq Listener Adapter uses this protocol to receive activation requests and then pass them to Windows Process Activation Service (WAS).

For more details about this listener adapter and protocol, check Microsoft Message Queuing and MSMQ Activation.

Solution for “Error 1075: The dependency service does not exist”

This issue occurs if the Message Queuing is missing in the server. Follow the steps below to install it.

1. Open Server Manager
2. Go to “Manage > Add Roles and Features Wizard”
3. Click “Next” four times to go to “Server Roles” section
4. Select “Message Queuing”
5. Click “Next” and then click “Install”

After the installation is completed, try to start Net.Msmq Listener Adapter service again. It should start successfully. Then try iisreset again.

Even after installing Message Queuing, you may see that this protocol doesn’t exist in Binding window. If run into this issue, check this post out for the solution: Missing bindings in IIS (net.tcp, net.pipe, net.msmq, msmq.formatname)

The post (Solved) Restart attempt failed. The IIS Admin Service or the World Wide Web Publishing Service, or a service dependent on them failed to start appeared first on port135.com.

There are two ways to reference a file in your code: Using an absolute path (Ex: /folder/file) or using a relative path (Ex: ../folder/file). If you use a relative path in your ASP code but your IIS server is not configured properly, you may come across to “Disallowed Parent Path” error (ASP 0131 ASP_LOG_ERROR).

An example include statement that uses a relative path:

<!--#include file="../file.asp"-->

Another example of the relative path usage:

<%
   Response.Write Server.MapPath("../example.asp")
%>

This error message shows up as “500 – Internal Server Error” which is a generic error message IIS displays for code and configuration related issues. In order to dig deeper in the 500 error, enable Failed Request Tracing in IIS and collect logs.

Here is a sample Failed Request Tracing log that shows “Disallowed Parent Path” error:

Solution for Disallowed Parent Path error (ASP 0131 ASP_LOG_ERROR)

There are two alternative solutions to fix this issue:

1. Change the application code to use absolute paths instead of relative paths
2. Allow the usage of relative paths by changing configuration of IIS (By default, IIS doesn’t allow it)

In most cases, the second option (Changing the IIS configuration)nis preferred because it provides a faster solution.

Allow Relative Paths in IIS

Follow the steps below to allow relative paths so that IIS won’t throw “Disallowed Parent Path” error anymore:

1. Go to IIS Manager
2. Click on the website name
3. Double click ASP icon
4. Set “Enable Parent Paths” to “True“

For more information on ASP parent paths, please refer to this Microsoft article. This article was written long time ago for IIS 6 and earlier versions but it still applies to newer IIS versions.

After changing the IIS configuration, you may come across a configuration file related error if the change hasn’t been done properly. Check this post out for step-by-step solution instructions: Configuration file is not well-formed XML (IIS Shared Configuration)

The post (Solved) Disallowed Parent Path error (ASP 0131 ASP_LOG_ERROR) appeared first on port135.com.

IIS relies on libraries that contains functions to host ASP.NET, PHP or other types of web applications. If a library is missing or corrupt in the server, your application may not function properly and throw an error such as “The program can’t start because MSVCR71.dll is missing“.

The error messages browsers display to the user aren’t always helpful. This is because either the application uses custom error pages or IIS and the application is not aware of the underlying error.

In this post, I will list the error messages first. These messages led us to the solution. Please jump to “Solution” section to pass the error details.

The Issue with PHP File Upload

In my case, users were trying to upload files to the application but they were failing. There were no visible error message on the application. However, F12 Developer Tools showed “500 – Internal Server Error“. We also saw the message below in Event Viewer:

Faulting application name: php-cgi.exe, version 5.2.11.11
Faulting module name: php-cgi.exe, version 5.2.11.11
Exception code: 0xc0000005
Faulting offset: 0x0000191a
Faulting process id: 0x1280
Faulting application path: C\php\php-cgi.exe

PHPINFO Error (The FastCGI process exited unexpectedly)

If you come across an issue with php-cgi.exe in IIS, I would recommend checking if PHP is functional first. You can do this by deploying a simple PHP file in the application root folder. Here is a sample code for your PHP file:

<?php
phpinfo();
?>

phpinfo() class displays information about the current status of PHP. More information is on the official PHP site.

In the server I troubleshot, the PHP page failed with the error below.

HTTP Error 500.0 – Internal Server Error
c:\php\php-cgi.exe – The FastCGI process exited unexpectedly

If the issue in your environment is about the PHP application itself rather than the IIS configuration, check this post out: How to debug PHP projects?

Final error: The program can’t start because MSVCR71.dll is missing

In order to narrow down the issue, I tried to run php-cgi.exe file located under C:\php folder. Here is the error message I got:

The program can’t start because MSVCR71.dll is missing from your computer. Try reinstalling the program to fix this problem.

Root Cause

In my scenario, this issue (missing MSVCR72.dll) occurred because -probably- the latest Windows security patches somehow deleted this file in the attempt to place a new version but the newer version wasn’t copied.

We saw that security patches and a new version of Visual C++ Redistributable installed in the server at the same time the issue (file upload failure) started occurring.

Solution

Search for the missing file (MSVCR72.dll) in other servers and even client machines. If you find it, copy it to C:\Windows\SysWOW64 folder. This solved the issue in my case.

Alternatively, you can uninstall the latest security patches and Visual C++ Redistributable that likely to caused the issue. However, It’s unlikely to solve the missing DLL issue (I tried). I have also tried sfc and dism tools. They didn’t solve the issue neither.

If you can’t find the missing DLL in other machines, I would recommend installing (or reinstalling) the correct version of Visual C++ Redistributable.

Here are related Stackoverlow and IIS Forum posts.

During the troubleshooting process, you may need to determine processor architecture for certain DLL files. Here is an easy way to find out this information: How to find out processor architecture (x86, x64) of dll and exe files?

The post The program can’t start because MSVCR71.dll is missing appeared first on port135.com.

In order to host websites in a web server, we create bindings in IIS Manager, For example, we can configure a website called MySite to be accessible on port 80 via HTTP protocol. If you browse to the IP address of the server or the hostname of the website, IIS will display MySite.

What if the site is not accessible even though you have the correct binding? I came across to this issue recently. F12 Developer Tools was showing “Aborted” for the request. The solution is below.

Make sure that IIS listens port 80 and 443

If you are sure that your IIS binding looks good, check which ports are being listened in the server. Open a Command Prompt and run

netstat -an -p TCP | find /I "listening"

This command will list only the ports the server listens to:

If you don’t see port 80 or 443 in the list, run the netsh commands below one after another to check if there is an explicitly entry in HTTP listener. If there is one, you should remove it.

netsh
http
show iplisten

In order to remove explicit entries, run the command below (in netsh http> mode). Make sure that the IP address is as the same as the one showed up in the output (You may need to change 127.0.0.1 below).

delete iplisten ipaddress=127.0.0.1

Once you show IPs again, there shouldn’t be any entry:

I had a similar issue in the past as well. In that case, Windows Admin Center was redirecting the ports. Check this post out for more details: Solved: 503 Service Unavailable error related to Windows Admin Center

The post Port 80 and 443 are not listened in IIS server appeared first on port135.com.

IIS has several features such as WebSocket Protocol, Tracing or Request Monitor that you can install when you need these additional capabilities. You can install them by using Server Manager (That where I run into 0x800f0922 error).

I came across to the error message below in Event Viewer while trying to install Request Monitor in a freshly installed Windows Server 2016

Update IIS-RequestMonitor of package IIS-WebServer-Core-Package failed to be turned on. Status: 0x800f0922

Server Manager displayed this error:

The request to add or remove features on the specified server failed. Installation of one or more roles, role services, or features failed. Error: 0x800f0922

We also tried installation it via PowerShell. Here is the result:

Enable-WindowsOptionalFeature: Enable-WindowsOptionalFeature failed. Error code = 0x800f0922 at line: 1 char:1

+ Enable-WindowsOptionalFeature -Online -FeatureName IIS-RequestMonitor

+ CategoryInfo: NotSpecified: [Enable-WindowsOptionalFeature], COMException

+ FullyQualifiedErrorId: Microsoft.Dism.Commands.EnableWindowsOptionalFeatureCommand

Troubleshooting of the failed feature installation

Collect and analyze the following logs to get troubleshooting started:

• CBS logs (C:\Windows\Logs\CBS)
• DISM logs (C:\Windows\Logs\DISM)
• ApplicationHost.config file (C:\Windows\System32\inetsrv\config)
• The output of Dism /Online /Cleanup-Image /ScanHealth command
• Procmon logs (Use Process Monitor tool)

The answers to the questions below also help narrowing the issue down:

• Are you able to install Request Monitor by logging in with another user?
• Are you able to install Request Monitor in another server?
• Are there other roles apart from IIS installed in the server?
• Make sure there is enough space in the disks (Right click on Start menu icon > Computer Management > Disk Management)
• If not installed yet, install .NET Framework and try again (Reference)

In my case, CBS logs showed “Process”

CSI 00000034 Calling generic command executable (sequence 3): ‘C:\Windows\System32\inetsrv\iissetup.exe’
CmdLine: ‘”C:\Windows\System32\inetsrv\iissetup.exe” /launch C:\Windows\System32\inetsrv\appcmd.exe install module -name:RequestMonitorModule -image:C:\Windows\System32\inetsrv\iisreqs.dll -add:false -lock:true’
CSI 00000035 Performing 1 operations as follows: (0) LockComponentPath: flags: 0 comp: {l:16 b:f1be012b658ed5015e0000007c205818} pathid: {l:16 b:f1be012b658ed5015f0000007c205818} path: [l:115]’\SystemRoot\WinSxS\x86_microsoft.windows.s..ation.badcomponents_31bf3856ad364e35_10.0.14393.0_none_09e78f632173f4c5′ pid: 207c starttime: 132168329134154628
CSI 00000038@2019/10/29:14:28:44.182 Beginning NT transaction commit…
CSI 00000039@2019/10/29:14:28:44.363 CSI perf trace:CSIPERF:TXCOMMIT;194557
CSI 0000003a (F) Done with generic command 3; CreateProcess returned 0, CPAW returned S_OK Process exit code 13 resulted in success? FALSE Process output: [l:22 [22′[gle=0x80004005]
Error [0x018007] CSI 0000003b (F) Failed execution of queue item Installer: Generic Command ({81a34a10-4256-436a-89d6-794b97ca407c}) with HRESULT HRESULT_FROM_WIN32(14109). Failure will not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable[gle=0x80004005]

More importantly, Procmon logs showed PARSE_ERROR_INFO while reading applicationHost.config file which points out an issue with this file.

641 2:08:09.7690809 PM appcmd.exe 10992 1052 ReadFile C:\Windows\System32\inetsrv\config\applicationHost.config SUCCESS Offset: 0, Length: 63,692, Priority: Normal
8 KernelBase.dll ReadFile + 0x74
9 nativerd.dll CONFIG_XML_DOM::ParseXmlFile + 0xac
10 nativerd.dll CONFIG_FILE::ParseConfigFile + 0x148
642 2:08:09.7692157 PM appcmd.exe 10992 1052 CreateFile C:\Windows\System32\inetsrv\en-US\iisres.dll.mui SUCCESS Desired Access: Generic Read, Disposition: Open, Options: , Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
17 nativerd.dll AdminFormatMessage + 0x4c
18 nativerd.dll PARSE_ERROR_INFO::SetErrorInfo + 0x2d
19 nativerd.dll CONFIG_XML_DOM::GenerateDom + 0x10939
20 nativerd.dll CONFIG_XML_DOM::ParseXmlFile + 0xbf

Solution for 0x800f0922 error

As the Procmon logs point out a parsing issue while trying to read applicationHost.config file, we tried to open this file. As expected, it was corrupted:

We didn’t have a backup of this file so we reinstalled IIS. This fixed the issue. We successfully installed Request Monitor feature after reinstalling IIS.

Once you have your IIS up and running, it may fail when you try to reset IIS. Check this post out for more details: Restart attempt failed. The IIS Admin Service or the World Wide Web Publishing Service, or a service dependent on them failed to start

The post 0x800f0922 Update IIS-RequestMonitor of package IIS-WebServer-Core-Package failed appeared first on port135.com.

As Microsoft continues to improve IIS, certain third-party components become incompatible with the new versions. I have recently worked on case where we tried to install an authentication module into a server with IIS 10. It threw this error message:

DIGIPASS Authentication for IIS Basic 3.4.0 Setup Information

This version of DIGIPASS Authentication for IIS Basic requires Microsoft Internet Information Services (IIS) 7. The setup will now terminate

Solution for “his version requires IIS 7. The setup will now terminate” error

The root cause of the issue is pretty obvious. The component is not compatible with the IIS version of the server which is IIS 10. The best practice would be finding a newer version of the component that is compatible.

If you there is no compatible version or you are not able to use it for some reason, you can try the workarounds below.

Compatibility Setting

Play with the compatibility setting in the Properties windows of that exe file. Choosing an older version of the OS may result in a successful installation.

IIS version

Change the IIS version value in the Registry. If the component requires IIS 7, you can change the registry value to 7. This may cause the installer to think there is IIS 7 installed.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

For a list of IIS versions, check this post out: A summary of IIS versions

Three related links from Microsoft websites:

• Make older apps or programs compatible with Windows 10
• IIS Version showing worng in Windows Registry
• Description of the registry keys that are used by IIS 7.0, IIS 7.5, and IIS 8.0

The post This version requires IIS 7. The setup will now terminate appeared first on port135.com.

IIS Admin Service enables the administration of IIS metabase which stores the configuration of SMTP and FTP services. If you see this service stopped in the Services window, it means that the server is unable to configure SMTP or FTP.

When you try to start IIS Admin Service, you may come across this error message:

Windows could not start the IIS Admin Service on Local Computer. For more information, review the System Event log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2146893818.

The Event Viewer also records an error similar to the message above:

Event 7024
The IIS Admin Service service terminated with the following service-specific error: Invalid Signature

Root Cause

“Service-specific error code -2146893818” occurs when the machine key that is used for decryption/encryption is corrupted. You will probably see numerous Schannel errors because of this corrupted file.

Go to MachineKeys folder (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) and check the Last Modified Date of the file that has a name starting with c23. If the date is newer than the date IIS server is installed, it means something (an update or installation) caused this file to change and get corrupted.

If you are trying to manage IIS with a non-admin account, check this post out: How to manage IIS locally with a non-admin account?

Solution for 2146893818 error (Event 7024 Invalid Signature)

Follow the possible solutions below in the given order to fix this issue.

Restore the machine key

If you have a backup of the machine key starting with c23, restore it to the MachineKeys folder.

Some resources also mention restoring the Metabase.XML and MBSchema.XML from the History folder (C:\Windows\System32\Inetsrv\History)

Reinstall IIS 6 Metabase Compatibility

If the restore option didn’t work, follow the steps below to reinstall IIS 6 Metabase Compatibility feature. This feature recreates a machine key so that IIS Admin Service should start successfully afterwards.

1. Remove the machine key starting with c23 from the MachineKeys folder (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys)
2. Uninstall IIS 6 Metabase Compatibility (Server Manager > Manage > Remove Roles and Features)
3. Restart the server

After restarting the server, install IIS 6 Metabase Compatibility (Server Manager > Manage > Add Roles and Features). Make sure that the machine key with c23 name is created.

Go to Services window. IIS Admin Service should already running.

Check permissions

If IIS Admin Service is still not starting, check the permissions of the MachineKey folder. Make sure that Administrators and System both have Full Control permissions.

References:

• Technet article
• Microsoft blog post
• SharePoint blog post

After implementing and testing the solution, you may come across an error mentioning IIS Admin Service while restarting IIS. Here is the solution: Restart attempt failed. The IIS Admin Service or the World Wide Web Publishing Service, or a service dependent on them failed to start

The post Service-specific error code -2146893818 (Event 7024 Invalid Signature) appeared first on port135.com.

In majority of the IT infrastructures, there are network devices such as load balancers, proxies, and firewalls in fron of the web servers. These devices may edit requests and responses while transmitting them.

I have recently troubleshot a web application that was taking too much time to load. In the logs, we saw this error:

Microsoft.OData.Client.DataServiceRequestException: An error occured while processing this request
System.Net.WebException: “The server committed a protocol violation. Section=ResponseStatusLine”

Root Cause

One of the most common cause of the “The server committed a protocol violation” is the corrupt or missing headers in the request.

When IIS receives a request, it checks if headers are complete. If there is an issue with headers, it may reject the request and throw an exception.

Based on my experience, the change in the requests and responses are made by mostly network devices in between the client and IIS server.

Solution for “The server committed a protocol violation” error

Review the flow of the traffic. If the flow is similar to the one below, try to bypass network devices one by one and see if the application works.

User -> Load Balancer 1 -> API consumer application -> Middle-ware -> Load Balancer 2 -> Web Service -> Database

In my case, the application worked without issues when we bypassed Load Balancer 2. We also performed a test by replacing it with another load balancer. It also worked. These tests showed that there is an issue with the load balancer.

Workarounds on IIS side

There are ways for IIS to ignore corrupted/missing headers. However, these are workarounds/patches. They don’t solve the root cause which is -possibly- caused by a network device.

I am listing these workaround below but I don’t recommend implementing them in most scenarios as they may cause unforeseen issues in the future.

• Set UseUnsafeHeaderParsing value to “true” in web.config. This will ignore the header validation errors.

<system.net>
    <settings>
        <httpWebRequest useUnsafeHeaderParsing="true" />
    </settings>
</system.net>

• Set KeepAlive to “false”. This will prevent keeping the connection open which is mentioned to solve the violation error in many resources

<configuration>
   <system.webServer>
      <httpProtocol allowKeepAlive="false" />
   </system.webServer>
</configuration>

• Set Expect100Continue to “true”. This will ensure that the client doesn’t send the entire data before getting confirmation from the server about request headers

<system.net>
     <settings>
        <servicePointManager expect100Continue="false"/>  
     </settings>
</system.net>

Here are a related StackOverflow and MSDN Forum post.

Another issue I came across with network devices is that extreme health probe requests which flooded IIS logs. Here are the details: IIS receives too many requests from the user-agent Edge+Health+Probe

The post The server committed a protocol violation (Section=ResponseStatusLine) appeared first on port135.com.

If you are hosting SSRS environment on multiple IIS servers, you will need to use a common State Server or SQL Server to store session data. In this post, I will share some tips about this scenario.

Please note that using In-Process mode or using State Server Mode in the server itself will cause session errors such as “ASP.NET Session has expired“

Tips to avoid “ASP.NET Session has expired” and other session issues

In the web.config file:

• Make sure to set enableSessionState to True. Example:

<pages buffer="true" validateRequest="true" enableSessionState="false" enableViewState="true" viewStateEncryptionMode="Always" controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID">

• Make sure that Session State is not disabled in individual pages. If there is enableSessionState parameter in the Page directive, it should be set to True. Example:

<%@Page enableSessionState="true"> 

• Make sure there is stateConnectionString defined in the. IIS servers should point to a common server to store session information. A sample for the correct definition:

<sessionState mode="StateServer" stateConnectionString="tcpip=SampleStateServer:42424" cookieless="false" timeout="20"/>

• In order to set up a separate server as State Server, install .NET Framework and set the registry key below to “1”. Make sure that ASP.NET State Service is running.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnections

References:

• State Server Mode with the sample configuration
• Planning for State Server
• Step-by-step instructions to use State Server

Once you implement the session state mode correctly, you may run into another issue which is generating a new session ID in every postback. Here is the solution: ASP.NET application generates a new session ID after every postbacks

The post How to use State Server for storing SSRS session info appeared first on port135.com.