We are trying to use a WebpageControl from a TFS 2015 update 3 Work item. The control references a small web site that allows the user to create a set of Task associated with a PBI or Bug.
When you click on the tab the web page goes and gets the work item data currently displayed, retrieves any Tasks that currently exist and presents a list of Tasks with different names which can be created. The list items are check boxes. If a Task with a name as one of the selection items already exists the checkbox is grayed out.
Once the user has checked the Tasks they want created they click on a button which calls back to the web site, creates the Tasks, Reloads the task list, and redisplays.
It all works great. Sometimes. There appears to be a problem with the fact the TFS Servers are in a cluster with a common URL routed through an F5. Users address TFS with http://tfs.mycompany.com:1234/tfs/.... but this is routed to SERVER1.mycompany.com OR SERVER2.mycompany.com.
The Code for the WebpageControl in TFS is
<Tab Label="Task Gen">
<Control Type="WebpageControl" LabelPosition="Left">
<WebpageControlOptions AllowScript="true" ReloadOnParamChange="true">
<Link UrlRoot="http://SERVER02.mycompany.com:8001" UrlPath="?WIT={0}&CollectionName=XXX">
<Param Index="0" Value="System.Id" />
</Link>
</WebpageControlOptions>
</Control>
</Tab>
Sometimes the user will get a message :
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
then
[ViewStateException: Invalid viewstate.
Client IP: 10.11.12.13
Port: 56587
Referer: http://SERVER2.mycompany.com:8001/?WIT=123456&CollectionName=xxxx
Path: /default.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; AcanoClient; Zoom 3.6.0)
ViewState: v+KaQTHxuY9zf11uYfES7....
I have added the machine key to my small web site but the error sometimes continues. I have specified a specific server to be used in the Web Page control.
Does the Machine Key need to be on the TFS Server?
It is really trying to contact a different server and if so why?
According to the error info Validation of viewstate MAC failed.
There are multiple causes such as
Cause 1: The web application is running in a farm (multi-server
environment)
Cause 2: The worker process uses the IIS 7.0 application pool
identity
.... more
The issue most due to cause1, you could give a try with Resolution 1a: Create an explicit element and Resolution 1b: Enable affinity in the load balancer. More details about the resolution please refer this topic from MSDN: Resolving view state message authentication code (MAC) errors
Related
Running Microsoft Server 2012 RC using Oracle's free VirtualBox Application. Used a Bridged Network adapter type in the VirtualBox settings. Installed AD and DNS, IIS. Under the IIS options, Management Tools, clicked the box for Management Services. This allowed me to use the "Web Deploy" feature in Visual Studio 2012 RC. On the guest OS, I run Windows 7 Ultimate.
I was able to successfully deploy the MVC 4 Application to IIS Default Web Site, but it wasn't displaying. Instead, the default IIS home page was. I disabled the default home page and refreshing the page displayed a 403 page. I tried typing in one of the Views and a 404 page displayed.
I spent 2 days trying to find a solution to this, and finally did. Wanted to share with the community in case it helps anyone else.
All the articles and forum messages I ran across on the Internet started to mirror each other in one form or another.
One solution talked about making sure you have the right Application Pool configuration, using 4.0 framework and integrated. [x] Confirmed already set correctly.
Another solution extended direction to use "aspnet_regiis -i" or "aspnet_regiis -ir" which doesn't work on Microsoft Server 2012.
Another solution talked about adding the following to the web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
However, IIS 8 serves up a response to this saying something to the effect those settings are locked from a higher configuration level and can't be used at the Application level. Meh, ok.
I ultimately tracked down an article that lead me to the following page:
http://learn.iis.net/page.aspx/1097/iis-80-using-aspnet-35-and-aspnet-45
The solution was to go back to the Microsoft Server 2012 Dashboard and select the "Add Roles" feature. Scroll down to the root "Web Server (IIS)", expand "Web Server", expand "Application Development" and select "ASP.NET 3.5" and "ASP.NET 4.5" and "Install".
What confused me originally was I hadn't expanded "Application Development", but selected IIS and continued. On the next step, "Features", ".NET Framework 4.5 Features" was selected by default so I selected ".NET Framework 3.5 Features" and thought all would be fine.
After installing the selections under "Application Development", the MVC 4.5 Applications work just the way they were designed. I hope this helps anyone who may have become stuck, like I was.
I selected ".NET Framework 3.5 Features" and thought all would be fine !!!
No other actions have not helped. When this problem appeared "suddenly". For a while everything worked. But after the next publishing the app worked for a few minutes, then went into error 403.14
All you need is just to change compilation debug mode to true in web config and keep other property same.
Open your Publish Folder and open Web Config file.
<configuration>
<compilation debug="true">
</compilation>
</configuration>
We're switching our MVC3 application from IIS 6 to 7.5. I'm working on setting up my local development environment on Windows 7. The app works fine for the most part, but I just discovered that ONE out of the many different MVC Areas I have doesn't work.
When I try hit an action under this area, I get a 503 Service Unavailable error back. This does not happen anywhere else in my application.
There is only one application pool for the whole website.
MVC 3
.Net 4.0
64 bit
Failed request tracing doesn't see these requests.
There is nothing relevant in the Windows application or system logs.
The area works fine under visual studio 2010 cassini, problem happens when I run it under local iis 7.5 (not express)
App pool isn't crashing or otherwise stopped
There's nothing in my ELMAH log
Everyone full control on entire tree in the filesystem security
The url is http://localhost/reports
I'm totally stumped. I can't find any evidence that IIS is even getting the request at all. Is there some other log file beside the ones I listed?
[Update]
Is there any way to view the http.sys URL reservations? I have found some talk about SQL Reporting services calling dibs on /Reports url.
I figured it out. It was due to SQL Reporting services having reserved the http://+:80/Reports url in http.sys.
I didn't actually have reporting services installed, but it apparently still reserved the url.
I fixed it with the following command:
netsh http delete urlacl url=http://+:80/Reports
Check the account / IIS -> Application Pool -> Advanced Settings -> Process Model -> Identity under which your pool is running. I had my password changed, and didn't get a log on invalid password, but rather assemlby load failure, which in turn caused the app pool to be shut off, and the "503 Service Unavailable" was given to the user.
Another solution is, I had the same problem with my http://ApplicationURL/Reports
And yes the SSRS was the issue.
A better solution for this one is
OpenReporting Services Configuration Manager.
Connect to your local service usually COMPUTERNAME\MSSQLSERVER
Go to "Report Manager URL" Option
Modify your virtual directory with another name instead of Reports.
Just remember with this change you reports for SSRS will be in the name that you defined.
Carlos
Are you using any ODBC or other components in this area that you are not anywhere else? I have experienced this error (or one similar, can't remember off the top of my head) when running the app pool in 64bit mode and the underlying calls are referencing at 32bit 'something'. You could try enabling 32bit applications in the application pool settings to see if it affects the outcome.
As mentioned before it is related to SQL Reporting services
You can follow this approach to fix this problem:
Log on to the server that hosts SSRS.
Go to Start > Programs > SQL Server 2008 R2 > Configuration Tools > Reporting Services Configuration Manager
Connect to the server in question (usually your local server)
Go to the Web Service URL section
Change the TCP port to an open port other than port 80 (81 happened to work on my server) and hit Apply
Go to the Report Manager URL section
Click Advanced
Click the entry with a TCP port of 80 and then click the Edit button.
Change the TCP Port entry to the same thing you changed it to in the Web Service URL section previously and Click OK.
Click OK again.
Starting form now, for the first time, I am getting this error when I start debugging my MVC application
Validation of viewstate MAC failed. If
this application is hosted by a Web
Farm or cluster, ensure that
configuration specifies
the same validationKey and validation
algorithm. AutoGenerate cannot be used
in a cluster.
Full stack trace
[ViewStateException: Invalid viewstate.
Client IP: 127.0.0.1
Port:
Referer:
Path: /Login/LogOn
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
ViewState: Fvq7WNUu+qCC00VbTIOTUuBvK4YHjxp3RubwsrFYW93hKlF7I4GLzaNHceRqjjJB0GwvRPWwlwE6brhAZAo+Mp191B/C+l8Dw/w7aQBDCpWGC3ox6hkSeZp10vbjm9eJFQZmGSPyC1rKYwApBBaz0Q==]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +198
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +14
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +274
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +4
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +176
What does this means?
Please note: the error happens only during debug. When I deploy the app on local IIS everything works. It appears on the following code in my master page
<form id="__AjaxAntiForgeryForm" action="#" method="post">
<%= Html.AntiForgeryToken() %>
</form>
The immediate reason why this is happening is because of the antiforgery cookie getting invalidated. Closing and reopening the browser should fix the issue. You could alternatively try deleting the cookie associated with your test site.
Now for the underlying cause, this usually happens either because
you are in a web farm scenario and your various servers are not confiured the same way (but you're saying that's not the case)
the application changes the autogenerated MAC because of changes you are making to your apps configuration
you recently applied a patch to fix the Asp.Net ViewState encryption vulnerability (which changed the way that encryption is performed in asp.net).
Any of this sound familiar?
We had a similar issue after patching the server to fix the ASP.NET vulnerability when viewed on machines without KB2416471 installed.
I'll start with appologies; I wasn't sure if this was best posted here of Server Fault so if its in the wrong place then please move :-)
Basic information
I have written the first module of a new application at work. This is written using Visual Studio 2010, targetting .net 3.5 (at the moment) and asp.net mvc 2. This has been working fine during development running on the built in Development server from VS but however does not work once deployed to IIS 7/7.5.
To deploy the application, I have built it in release mode and created a deployment package by right clicking on the project in the solution explorer (this will be done with an automated build in tfs once upgrade from the beta). This has then been imported into IIS on the server.
The application is using windows/domain authentication.
Issue #1
I can fire up internet explorer and browse to the application from a client computer as well as on a remote desktop connection. I can execute the code which reads/stores data in Session fine from the IE instance on the remote desktop but if I browse to it from the client pc it seems to lose the session state. I click on the form submit and the page refreshes and doesn't execute the required code. I've tried setting with; InProc, SQLServer and StateServer. but with no luck :-(
Issue #2
As part of the application it views PDF and Tiff documents on the fly which are on a network share on the office network and creates thumbnails if the document hasn't been viewed before. This works if running on the machine the application is deployed to; however when browsing from a client pc I get an error saying:
Access to the path '\\fileserver\folder\file.tif' is denied
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Access to the path '\\fileserver\folder\file.TIF' is denied.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via , the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
As this is on a different server the user is not accessible. To get round this I have tried:
1 - setting the application pool to run as domain administrator (I know this is a security risk, but I'm just trying to get it to work at the moment!)
2 - to set the log on account for World Wide Web Publishing service to be the domain admin . When trying to restart the service I get ...
Windows could not start the World Wide Web Publishing Service service on the Local Computer.
Error 1079: The account specified for this service is different from the account specified fro the other services running in the same process.
Any pointers/help would be much appriciated as I'm pulling my hair out (of what little I have left).
Update
I've been using this funky little tool I found -
DelegConfig v2 beta (Delegation / Kerberos Configuration Tool). This has been really usefull. So I've got the accessing of the file share working (there is a test page which will read the files) so now I've just got the issue of passing through the users credentials through to the SQL Server (wans't my choice to do it this way!!) to execute the queries etc. but I can't get it to log on as the user. It tries to access it as "NT Authority\Network Service" which doesn't have a sql login (as should be the logged on user).
My connection string is:
<add name="User" connectionString="Data Source=.;Integrated Security=True" providerName="System.Data.SqlClient" />
No initial catalog is specified as the system is over multiple dbs (also wasn't my choice!!).
I really appriciate all the help so far! :-)
Any further hints?!
Issue #2 - Your options are:
Configure delegation (double-hop authentication) - I haven't done this on IIS7 and it's a bit different to 6, but I believe you will need to enable the web server machine account for delegation in AD, and create an SPN for the web server (eg setspn -A http/<Web Server FQDN> <Domain>\<Machine Name>). Troubleshooting Kerberos can be fairly painful.
Grant access to the network resources to the (domain) application pool account and make sure anonymous authentication is turned on ( <anonymousAuthentication enabled="true" userName="" defaultLogonDomain="" /> )
Response to Update:
You will need to make sure Kerberos authentication is working for SQL Server. Run the query select auth_scheme from sys.dm_exec_connections where session_id=##spid; it will return NTLM or KERBEROS. If it's NTLM, you'll need to do some work configuring SQL Server to use Kerberos. Set an SPN in AD for the SQL service account: setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain>\<Sql Service Account>, restart SQL Server and try the query again. You must use TCP/IP as the connection mechanism (this is the default).
If you don't have an initial catalog, you'll need to make sure that all of the user logins have a default database that they have access to. I would personally pick one database to be the initial catalog as you may get different behaviour depending on how the login is configured.
With this small part of information I could only give some hints:
Issue #1:
Maybe you have a misleading URL as action for the form? Or an caught&ignored exception? Do you have an onError-event in your global.asax.vb?
Sub Application_Error()
Dim ex As Exception = Server.GetLastError
' NOW HANDLE THE EXCEPTION --> REPORTING :-)
End Sub
Issue #2:
I recently had the same exception - I had to check the access-rights for users for this folder and set the appPool-identity to "NETWORKSERVICE". In your case you even try to access a network-folder - check the accessrights on the server and try to use the IP instead of the name - it could be a name-resolution-problem?!
Sorry for this small portion of information... This looks like problems only solveable with direct debug-options on the running server.
Finally last thing on Friday I got it working ...
As I said in the update, the tool for sorting out the delegation of credentials was very handy and helped no end to setting the correct SPN records.
I found I also had to set it up for SQL as I was passing through the credentials into the server. The other thing I found stopping the connections was some of the inbound windows firewall settings where causing problems.
For the connection string; I had to update to:
<add name="ConnectionStringName" connectionString="Data Source=.;Integrated Security=SSPI;Trusted_Connection=True" providerName="System.Data.SqlClient" />
Links I found useful:
Kerberos Authentication and SQL Server
DelegConfig
And even tho it mainly talks about Sharepoint ... this was also useful.
Hope this helps people in the future.
I've just built a basic ASP MVC web site for deployment on our intranet. It expects users to be on the same domain as the IIS box and if you're not an authenticated Windows User, you should not get access.
I've just deployed this to IIS6 running on Server 2003 R2 SP2. The web app is configured with it's own pool with it's own pool user account. The IIS Directory Security options for the web app are set to "Windows Integrated Security" only and the web.config file has:
<authentication mode="Windows" />
From a Remote Desktop session on the IIS6 server itself, an IE7 browser window can successfully authenticate and navigate the web app if accessed via http://localhost/myapp.
However, also from the server, if accessed via the server's name (ie http://myserver/myapp) then IE7 presents a credentials dialog which after three attempts entering the correct credentials eventually returns "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials".
The same problem occurs when a workstation browses to the web app url (naturally using the server's name and not "localhost").
The IIS6 server is a member of the only domain we have and has no firewall enabled.
Is there something I have failed to configure correctly for this to work?
Thanks,
I have tried the suggestions from Matt Ryan, Graphain, and Mike Dimmick to date without success. I have just built a virtual machine test lab with a Server 2003 DC and a separate server 2003 IIS6 server and I am able to replicate the problem.
I am seeing an entry in the IIS6 server's System Event Log the first time I try to access the site via the non-localhost url (ie http://iis/myapp). FQDN urls fail too.
Source: Kerberos, Event ID: 4
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/iis.test.local. The target name used was HTTP/iis.test.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TEST.LOCAL), and the client realm.
After extensive Googling I managed to find a solution on the following MSDN article:
How To: Create a Service Account for an ASP.NET 2.0 Application
Specifically the Additional Considerations section which describes "Creating Service Principal Names (SPNs) for Domain Accounts" using the setspn tool from the Windows Support Tools:
setspn -A HTTP/myserver MYDOMAIN\MyPoolUser
setspn -A HTTP/myserver.fqdn.com MYDOMAIN\MyPoolUser
This solved my problem on both my virtual test lab and my original problem server.
There is also an important note in the article that using Windows Authentication with custom pool users constrains the associated DNS name to be used by that pool only. That is, another pool with another identity would need to be associated with a different DNS name.
Sounds like the new Loopback check security feature of Windows Server 2003 SP1. As I understand it, is designed to prevent a particular type of interception attack.
From http://support.microsoft.com/kb/896861
SYMPTOMS
When you use the fully qualified domain name (FQDN) or a custom host header to browse a local Web site that is hosted on a computer that is running Microsoft Internet Information Services (IIS) 5.1 or IIS 6, you may receive an error message that resembles the following:
HTTP 401.1 - Unauthorized: Logon Failed
This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address.
Note You only receive this error message if you try to browse the Web site directly on the server. If you browse the Web site from a client computer, the Web site works as expected.
CAUSE
This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.
Workaround
Method 1: Disable the loopback check
Method 2: Specify host names
See http://support.microsoft.com/kb/896861 for details.
Edit - just noticed that you said you were seeing this from Client PCs as well... that's more unusual. But I'd still look to test one of these workarounds, to see if it corrected the problem (and if so, might indicate a problem with your DNS config).
It sounds to me as though you've done everything right.
I'm sure you are but have you made sure you are using 'DOMAIN\user' as the user account and not just 'user'?
IE7 only sends Windows credentials (NTLM, Kerberos) if it identifies the server as being on the Intranet. IE7 also added an Intranet zone lockdown feature - if you're not on a domain, by default no servers are in the Intranet zone. This was done to prevent zone-migration attacks.
To change this, go to Tools/Internet Options, Security tab, then click Local Intranet. You can then manually add servers that should be treated as Intranet, by clicking the Sites button, then Advanced, or tell IE not to automatically detect your Intranet and selecting the other checkboxes as appropriate.
I just encountered the opposite problem - my site authenticates externally but not locally.
I compared it to the sites we have working and the difference was that the site that failed to authenticate was using Windows Authentication.
However, other sites I work with (this is a dev server) tend to have Basic Authentication.
Not sure why exactly but this fixed it.
However, at the same time I noticed "Default Domain" and "Realm" settings.
I know it's very unlikely but could these perhaps help at all?