so I got a bit of a weird question. Fiddler captures traffic perfectly with test apps that I created. Than i moved this code to a new Windows Service that i created.
For some magic reason I could not see any requests from Win Service in Fiddler.
The code the same, Web API, URL the same... What the difference?
On startup, Fiddler registers itself as a system proxy, running on 127.0.0.1:8888 by default. Most of the processes use the system proxy for network access, but some don't, for example .NET applications and services, or the Mozilla Firefox browser.
To capture the traffic from such processes, you would need to change their proxy configuration settings. For example, for .NET Framework Window service, you could add the following to the App.config file:
<system.net>
<defaultProxy enabled="true">
<proxy proxyaddress="http://127.0.0.1:8888" bypassonlocal="False"/>
</defaultProxy>
</system.net>
Related
I have enabled SSL in my MVC website for IIS Express by setting 'Enable SSL' in the project properties to true. So now I can access my site while debugging over http as well as https (IIS Express's default port 44300). However I'd like to force the default URL to be the SSL one. https://localhost:44300/. Whenever I run the app. from VS it always loads the http URL.
If I try and update the project URL (right click on the project -> click on properties -> navigate to the web tab -> set project URL to https://localhost:44300/) to https, the website fails to load. I just get a 'Page could not be loaded' error in the browser. However if I explicitly add a binding for https to port 44300 in my local IIS instance using IIS Management service it seems to work. I don't think I should have to touch local IIS in any way though.
Am I missing something here? Could someone help me figure this out?
The core of this seems to be finding the applicationhost.config file being passed to IIS, find the section like
<bindings>
<binding protocol="http" bindingInformation="*:62858:localhost" />
and change http to https
If you're using the Rider IDE, open the project properties (right click on solution explorer's icon for the project).
Make sure you add a port number for "SSL" and switch the Url from http://... to https://...
The port must be between 44300 and 44398, otherwise you'll get a connection reset error (see https://stackoverflow.com/a/24957146/423033 )
Sudeep,
If you are using the IIS on your machine (or on your server) you could create a rewrite rule that would intercept any http requests and will replace the http protocol with https.
Here is a link to get you started: http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
As for IIS Express, it has its advantages of using it, but on the other side it is missing advanced functionality like URL Rewrite (check this link: http://weblogs.asp.net/scottgu/introducing-iis-express).
Best Regards,
Daniel D.
Figured it out. This tutorial is perfect and walks you through the whole process
http://www.lansweeper.com/kb/54/How-to-configure-SSL-in-IIS-Express.html
I have an Azure Cloud Service Virtual Machine with 2 server:
Java project using Jetty server at http://localhost:8999
ASP.NET MVC project using IIS Express at http://localhost
I am using Http request to make connection between 2 server.
In my VM, inside ASP.NET MVC project, I use http://localhost:8999 to get data from Jetty server. It works perfectly with short response time (from 100ms to 6000ms).
However, when I access the IIS Express via Internet using http://mydomain.cloudapp.net. It does not work anymore.
Then I change my config file in ASP.NET MVC project to use http://mydomain.cloudapp.net:8999. It works but with long response time (from 15s to 40s). This is because of my slow internet connection.
My question is:
If I access IIS Express via Internet, to avoid external internet connection, is there any solution which let IIS Express know that it's target is local?
Which means I can still use http://localhost:8999 in my config file in ASP.NET MVC project, and it still work if I access IIS Express via Internet not only via localhost.
The main question is how you connect between the two servers? From the client side (JavaScript) or the ServerSide (Controller action/private method).
From what you describe it seems that you make XMLHttpRequest (JavaScript, AJAX, jQuery, etc.) call from your client side directly to your Jetty Server. In order to avoid roundtrips, you have to change this and make XMLHttpRequest to Your Server (MVC), then on the MVC backend (Controller action, or private method, or Repository) make the Jetty server call and transparently return the answer to the calling client.
You can also try tweaking your Jetty Server settings to allow for longer script execution.
We're switching our MVC3 application from IIS 6 to 7.5. I'm working on setting up my local development environment on Windows 7. The app works fine for the most part, but I just discovered that ONE out of the many different MVC Areas I have doesn't work.
When I try hit an action under this area, I get a 503 Service Unavailable error back. This does not happen anywhere else in my application.
There is only one application pool for the whole website.
MVC 3
.Net 4.0
64 bit
Failed request tracing doesn't see these requests.
There is nothing relevant in the Windows application or system logs.
The area works fine under visual studio 2010 cassini, problem happens when I run it under local iis 7.5 (not express)
App pool isn't crashing or otherwise stopped
There's nothing in my ELMAH log
Everyone full control on entire tree in the filesystem security
The url is http://localhost/reports
I'm totally stumped. I can't find any evidence that IIS is even getting the request at all. Is there some other log file beside the ones I listed?
[Update]
Is there any way to view the http.sys URL reservations? I have found some talk about SQL Reporting services calling dibs on /Reports url.
I figured it out. It was due to SQL Reporting services having reserved the http://+:80/Reports url in http.sys.
I didn't actually have reporting services installed, but it apparently still reserved the url.
I fixed it with the following command:
netsh http delete urlacl url=http://+:80/Reports
Check the account / IIS -> Application Pool -> Advanced Settings -> Process Model -> Identity under which your pool is running. I had my password changed, and didn't get a log on invalid password, but rather assemlby load failure, which in turn caused the app pool to be shut off, and the "503 Service Unavailable" was given to the user.
Another solution is, I had the same problem with my http://ApplicationURL/Reports
And yes the SSRS was the issue.
A better solution for this one is
OpenReporting Services Configuration Manager.
Connect to your local service usually COMPUTERNAME\MSSQLSERVER
Go to "Report Manager URL" Option
Modify your virtual directory with another name instead of Reports.
Just remember with this change you reports for SSRS will be in the name that you defined.
Carlos
Are you using any ODBC or other components in this area that you are not anywhere else? I have experienced this error (or one similar, can't remember off the top of my head) when running the app pool in 64bit mode and the underlying calls are referencing at 32bit 'something'. You could try enabling 32bit applications in the application pool settings to see if it affects the outcome.
As mentioned before it is related to SQL Reporting services
You can follow this approach to fix this problem:
Log on to the server that hosts SSRS.
Go to Start > Programs > SQL Server 2008 R2 > Configuration Tools > Reporting Services Configuration Manager
Connect to the server in question (usually your local server)
Go to the Web Service URL section
Change the TCP port to an open port other than port 80 (81 happened to work on my server) and hit Apply
Go to the Report Manager URL section
Click Advanced
Click the entry with a TCP port of 80 and then click the Edit button.
Change the TCP Port entry to the same thing you changed it to in the Web Service URL section previously and Click OK.
Click OK again.
I'll start with appologies; I wasn't sure if this was best posted here of Server Fault so if its in the wrong place then please move :-)
Basic information
I have written the first module of a new application at work. This is written using Visual Studio 2010, targetting .net 3.5 (at the moment) and asp.net mvc 2. This has been working fine during development running on the built in Development server from VS but however does not work once deployed to IIS 7/7.5.
To deploy the application, I have built it in release mode and created a deployment package by right clicking on the project in the solution explorer (this will be done with an automated build in tfs once upgrade from the beta). This has then been imported into IIS on the server.
The application is using windows/domain authentication.
Issue #1
I can fire up internet explorer and browse to the application from a client computer as well as on a remote desktop connection. I can execute the code which reads/stores data in Session fine from the IE instance on the remote desktop but if I browse to it from the client pc it seems to lose the session state. I click on the form submit and the page refreshes and doesn't execute the required code. I've tried setting with; InProc, SQLServer and StateServer. but with no luck :-(
Issue #2
As part of the application it views PDF and Tiff documents on the fly which are on a network share on the office network and creates thumbnails if the document hasn't been viewed before. This works if running on the machine the application is deployed to; however when browsing from a client pc I get an error saying:
Access to the path '\\fileserver\folder\file.tif' is denied
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path '\\fileserver\folder\file.TIF' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
As this is on a different server the user is not accessible. To get round this I have tried:
1 - setting the application pool to run as domain administrator (I know this is a security risk, but I'm just trying to get it to work at the moment!)
2 - to set the log on account for World Wide Web Publishing service to be the domain admin . When trying to restart the service I get ...
Windows could not start the World Wide Web Publishing Service service on the Local Computer.
Error 1079: The account specified for this service is different from the account specified fro the other services running in the same process.
Any pointers/help would be much appriciated as I'm pulling my hair out (of what little I have left).
Update
I've been using this funky little tool I found -
DelegConfig v2 beta (Delegation / Kerberos Configuration Tool). This has been really usefull. So I've got the accessing of the file share working (there is a test page which will read the files) so now I've just got the issue of passing through the users credentials through to the SQL Server (wans't my choice to do it this way!!) to execute the queries etc. but I can't get it to log on as the user. It tries to access it as "NT Authority\Network Service" which doesn't have a sql login (as should be the logged on user).
My connection string is:
<add name="User" connectionString="Data Source=.;Integrated Security=True" providerName="System.Data.SqlClient" />
No initial catalog is specified as the system is over multiple dbs (also wasn't my choice!!).
I really appriciate all the help so far! :-)
Any further hints?!
Issue #2 - Your options are:
Configure delegation (double-hop authentication) - I haven't done this on IIS7 and it's a bit different to 6, but I believe you will need to enable the web server machine account for delegation in AD, and create an SPN for the web server (eg setspn -A http/<Web Server FQDN> <Domain>\<Machine Name>). Troubleshooting Kerberos can be fairly painful.
Grant access to the network resources to the (domain) application pool account and make sure anonymous authentication is turned on ( <anonymousAuthentication enabled="true" userName="" defaultLogonDomain="" /> )
Response to Update:
You will need to make sure Kerberos authentication is working for SQL Server. Run the query select auth_scheme from sys.dm_exec_connections where session_id=##spid; it will return NTLM or KERBEROS. If it's NTLM, you'll need to do some work configuring SQL Server to use Kerberos. Set an SPN in AD for the SQL service account: setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain>\<Sql Service Account>, restart SQL Server and try the query again. You must use TCP/IP as the connection mechanism (this is the default).
If you don't have an initial catalog, you'll need to make sure that all of the user logins have a default database that they have access to. I would personally pick one database to be the initial catalog as you may get different behaviour depending on how the login is configured.
With this small part of information I could only give some hints:
Issue #1:
Maybe you have a misleading URL as action for the form? Or an caught&ignored exception? Do you have an onError-event in your global.asax.vb?
Sub Application_Error()
Dim ex As Exception = Server.GetLastError
' NOW HANDLE THE EXCEPTION --> REPORTING :-)
End Sub
Issue #2:
I recently had the same exception - I had to check the access-rights for users for this folder and set the appPool-identity to "NETWORKSERVICE". In your case you even try to access a network-folder - check the accessrights on the server and try to use the IP instead of the name - it could be a name-resolution-problem?!
Sorry for this small portion of information... This looks like problems only solveable with direct debug-options on the running server.
Finally last thing on Friday I got it working ...
As I said in the update, the tool for sorting out the delegation of credentials was very handy and helped no end to setting the correct SPN records.
I found I also had to set it up for SQL as I was passing through the credentials into the server. The other thing I found stopping the connections was some of the inbound windows firewall settings where causing problems.
For the connection string; I had to update to:
<add name="ConnectionStringName" connectionString="Data Source=.;Integrated Security=SSPI;Trusted_Connection=True" providerName="System.Data.SqlClient" />
Links I found useful:
Kerberos Authentication and SQL Server
DelegConfig
And even tho it mainly talks about Sharepoint ... this was also useful.
Hope this helps people in the future.
I've just built a basic ASP MVC web site for deployment on our intranet. It expects users to be on the same domain as the IIS box and if you're not an authenticated Windows User, you should not get access.
I've just deployed this to IIS6 running on Server 2003 R2 SP2. The web app is configured with it's own pool with it's own pool user account. The IIS Directory Security options for the web app are set to "Windows Integrated Security" only and the web.config file has:
<authentication mode="Windows" />
From a Remote Desktop session on the IIS6 server itself, an IE7 browser window can successfully authenticate and navigate the web app if accessed via http://localhost/myapp.
However, also from the server, if accessed via the server's name (ie http://myserver/myapp) then IE7 presents a credentials dialog which after three attempts entering the correct credentials eventually returns "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials".
The same problem occurs when a workstation browses to the web app url (naturally using the server's name and not "localhost").
The IIS6 server is a member of the only domain we have and has no firewall enabled.
Is there something I have failed to configure correctly for this to work?
Thanks,
I have tried the suggestions from Matt Ryan, Graphain, and Mike Dimmick to date without success. I have just built a virtual machine test lab with a Server 2003 DC and a separate server 2003 IIS6 server and I am able to replicate the problem.
I am seeing an entry in the IIS6 server's System Event Log the first time I try to access the site via the non-localhost url (ie http://iis/myapp). FQDN urls fail too.
Source: Kerberos, Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/iis.test.local. The target name used was HTTP/iis.test.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TEST.LOCAL), and the client realm.
After extensive Googling I managed to find a solution on the following MSDN article:
How To: Create a Service Account for an ASP.NET 2.0 Application
Specifically the Additional Considerations section which describes "Creating Service Principal Names (SPNs) for Domain Accounts" using the setspn tool from the Windows Support Tools:
setspn -A HTTP/myserver MYDOMAIN\MyPoolUser
setspn -A HTTP/myserver.fqdn.com MYDOMAIN\MyPoolUser
This solved my problem on both my virtual test lab and my original problem server.
There is also an important note in the article that using Windows Authentication with custom pool users constrains the associated DNS name to be used by that pool only. That is, another pool with another identity would need to be associated with a different DNS name.
Sounds like the new Loopback check security feature of Windows Server 2003 SP1. As I understand it, is designed to prevent a particular type of interception attack.
From http://support.microsoft.com/kb/896861
SYMPTOMS
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:
HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
CAUSE
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Workaround
Method 1: Disable the loopback check
Method 2: Specify host names
See http://support.microsoft.com/kb/896861 for details.
Edit - just noticed that you said you were seeing this from Client PCs as well... that's more unusual. But I'd still look to test one of these workarounds, to see if it corrected the problem (and if so, might indicate a problem with your DNS config).
It sounds to me as though you've done everything right.
I'm sure you are but have you made sure you are using 'DOMAIN\user' as the user account and not just 'user'?
IE7 only sends Windows credentials (NTLM, Kerberos) if it identifies the server as being on the Intranet. IE7 also added an Intranet zone lockdown feature - if you're not on a domain, by default no servers are in the Intranet zone. This was done to prevent zone-migration attacks.
To change this, go to Tools/Internet Options, Security tab, then click Local Intranet. You can then manually add servers that should be treated as Intranet, by clicking the Sites button, then Advanced, or tell IE not to automatically detect your Intranet and selecting the other checkboxes as appropriate.
I just encountered the opposite problem - my site authenticates externally but not locally.
I compared it to the sites we have working and the difference was that the site that failed to authenticate was using Windows Authentication.
However, other sites I work with (this is a dev server) tend to have Basic Authentication.
Not sure why exactly but this fixed it.
However, at the same time I noticed "Default Domain" and "Realm" settings.
I know it's very unlikely but could these perhaps help at all?