Our .Net Framework 4.8 web application suddenly began to generate the following build-time error on our team city build server:
error ASPCONFIG: Unable to open configSource file ‘sessionState.config’.
Our web.config references an external session state file:
<sessionState configSource="sessionState.config" />
The project is under active development, however no related changes have been recently made to the application. We initially thought it was a configuration issue on the build server, however we realised that we could replicate the same issue on our development machines if we "Published" the project and ticked the option to "merge all outputs into a single assembly". We published to a local file to replicate what was happening on our build server.
Modifying the Build Action of the sessionState.config file from None to Content removed the problem, but this had the effect of copying our sessionState.config file to the deployment package, which we didn't want.
We spent many hours trying to investigate this problem and finally decided to try uninstalling recent Microsoft Updates. This resolved it! I'm posting this here in the hope that it will save at least one other person the time we spent.
This specific October 13, 2020 update was the cause, however, it didn't come up for us when we searched https://support.microsoft.com/en-us/help/4578974/kb4578974-cumulative-update-for-net-framework
After you apply this October 13,
2020 Security and Quality Rollup for .NET Framework 4.8, some ASP.Net
applications fail during precompilation. The error message that you
receive will likely contain the words “Error ASPCONFIG.”
An invalid configuration state in either the "sessionState,"
"anonymouseIdentification," or "authentication/forms" sections of
"System.web" configuration. This might occur during build-and-publish
routines if configuration transformations leave the Web.config file in
an intermediate state for precompilation.
Note their spelling error in anonymousIdentification
The solution is to add this appSettings key to your web.config
<configuration>
<appSettings>
<add key="aspnet:DisableAppPathModifier" value="true" />
</appSettings>
</configuration>
The article notes that setting the value to either "true" or "false" will avoid the issue. It was recommended to set this value to "true" for sites that use cookies for the session state id.
We use cookies, so added this to our web.config with a true value, and it resolved the problem.
I'm getting errors with a MVC web application which deployed to a host provider.
1) About the application
I had problems with deploying more complex applications also, but to make sure, I have created a simple application. Every info I will provide here will be about that simple application.
a) How did application created?
The application is a very simple .NET MVC Web Application created just for deploying test.
The application created with Visual Studio Express 2012 for Web, as ASP.NET MVC 4 Web application, and uses .NET Framework 4.
The application created on 'Basic' project template, then I added just one controller, and one view. That's all.
There's nothing else in the view than a header which says TESTING PAGE.
b) How did application deployed?
I used only FTP technique, with two tools.
I deployed the application manually with using FileZilla.
I get reference from an article about which files to upload. And also then confirmed the file list was matching with files uploaded with Visual Studio 2012, which I described below.
I deployed the application using Visual Studio 2012;
With using built-in Publish action,
Created new publish profile
Used FTP publish method,
No errors occurred. All succeed. And confirmed that directory has created and files has copied to server.
2) About the Host
Host I used is bought from an ordinary hosting provider.
It says it supports Asp / Asp.Net / Php5
There's nothing on my control panel except links to sections of: other packages hosting company provides, domains, my password and my personal info.
There's an ASP.NET website running on same host without any problem.
I'm trying to upload to a sub directory of an existing html website. e.g. www.example.com/theApplication
On the error I see, version information looks like this;
Version Information: Microsoft .NET Framework Version:4.0.30319;
ASP.NET Version:4.0.30319.272
3) About the Problem
When I browse the directory I have published the application to, I see an error message;
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
(Error is on line 24)
Line 22: <customErrors mode="Off"/>
Line 23: <compilation debug="true" targetFramework="4.0" />
Line 24: <authentication mode="Forms">
Line 25: <forms loginUrl="~/Account/Login" timeout="2880" />
Line 26: </authentication>
And below that, error correctly points to root web.config file of the application.
And there's another 4 errors printed under 'Show Additional Configuration Errors:' title at the bottom, pointing to 4 different lines on the same web.config file. They are like this one;
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS. (C:\webroot\site.com\wwwroot\test\web.config line XX)
Lines on the web.config file that errors points to;
(All inside xml tags)
profile defaultProvider="DefaultProfileProvider"
membership defaultProvider="DefaultMembershipProvider"
roleManager defaultProvider="DefaultRoleProvider"
sessionState mode="InProc" customProvider="DefaultSessionProvider"
4) What I have tried so far?
I'm an absolute beginner on .NET platform. So I cannot think of a possible cause or possible action.
Still, I have looked into many articles for two days, but cannot find anything useful. Google suffocates my searches with articles which all describes the solution of the same problem, but for hosting to local server. I could not found anything for this particular issue.
This is the problem:
I'm trying to upload to a sub directory of an existing html website
It sounds like you haven't setup this subdirectory as it's own application in IIS, which would cause you to see this error.
I am building a local intranet web application which uses the current user's AD credentials to access the system. My web server is running IIS 7.5 on Server 2008.
My AD is configured with two groups, Users and Admins, both of which I want to access my web application and I have added the two groups (read/execute permissions) to my directory in IIS. My web.config is pretty standard and I do not have any additional filters in my Global.asax file.
I am able to access my application if I use my user or admin account, but my coworker can not, which further complicates things. My accounts do not have any permissions on the folder - only the groups to which they belong.
Authentication mode is set to Windows, but unfortunately every attempt as my coworker to access the website fails with the following:
HTTP Error 401.0 - Unauthorized
You do not have permission to view this directory or page.
The "most likely cause" box suggests:
The authenticated user does not have access to a resource needed to process the request.
I just can not figure this out. If I create a sample mvc3 application and deploy it in the same directory, I can authenticate and view pages fine as any user.
There can be many reasons for this.
Your controller needs to be decorated with appropriate authorization attribute like following
[Authorize(Roles = "Administrator")]
In your web.config, you need to have following code inside your system.web configuration
<roleManager enabled="true" defaultProvider="YourRoleProvider">
Finally you need to see if that user has been added to their respective roles
I'd the exact same issue. After having few hours of research, it seems to be very easy way to deal with this issue.
<system.webServer>
<modules>
<!--<remove name="FormsAuthentication" />-->
</modules>
</system.webServer>
I'd to remove <remove name="FormsAuthentication" /> statement from modules attribute in Web.config file which was added by default while creating default MVC website.
I had the same problem in MVC 4, and I have resolved it with this:
[AllowAnonymous]
(Add this line in controller, above action you are calling when this error appears.)
First of all, this is my third question on the similar topic.. and still I have no answer, maybe only approaching it (see first, second).
My web application (ASP.NET MVC3 under IIS 7.5) runs git to access some github repositories. After I upgraded my workstation to Windows SP1 it stopped to work. The reason was that as soon as git started, it actually runs ssh.exe to communicate with github. The ssh.exe appears to hangs up, so all application hangs.
The application pool used by that application use the same process identity as myself. But using ProcessHacker I can see following picture:
Because of USERPROFILE is pointed to /system32/config/systemprofile ssh.exe is expecting to have .ssh folder, that contains public/private keys. Since keys are not there it hangs.
But keys are typically in ~/.ssh (in my case c:\users\alexander.beletsky.ssh). As soon as I copied keys into /system32/config/systemprofile application started to work as expected.
My question is, why does w3wp.exe thinks that its profile in /system32/config/systemprofile? is it possible to change that? it is expected behaviour for application pool or just issue of my machine?
Waiting for any clues!
EDIT
Load User Profile property of Application Pool is set to TRUE.
ssh.exe is actually using HOME environment variable. Check if it set correctly.
As my machine on which this works has the same value in enviroment page of process hacker, and still
Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) has value of my user appData, and I have SP1, I think that it should not be related to it, but to something in your configuration that could have been changed. Check if your inetmgr has properly set identity for your application. Open C:\inetpub\temp\appPools\yourAppPoolName\yourAppPoolName.config and check if this setting exists:
<configuration>
....
<system.applicationHost>
<sites>
<site name="Default Web Site" id="1" serverAutoStart="true">
<application path="/yourAppPath" applicationPool="yourAppPoolName">
<virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\yourAppPath" userName="yourUserName" password="[enc:AesProvider:someHashHere=:enc]" />
</application>
...
</site>
</sites>
<system.applicationHost>
<configuration>
If not, you can configure it there (put password in plain text or you can configure it using inetmgr like I described in my answer to your other question).
So I've created a new ASP.NET MVC project using the intranet template. web.config contains the appropriate values (e.g. <authentication mode="windows"/>).
If I fire up the web app using the VS webserver, it all looks fine - the page shows my Windows domain and username and all. However, this works in Opera and Safari as well as IE and FF, which says to me it's not using Windows auth at all (since to the best of my knowledge this doesn't work in any browser except IE/FF).
Next step is to get it working through local IIS. I create a hosts file entry pointing www.mysite.mydomain to 127.0.0.1. So in IIS I create website with a binding to www.mysite.mydomain and enable Windows authentication and disable anonymous authentication.
I have set up IE and FF to enable Windows auth as follows:
IE
Add URL to intranet group
Ensure Windows auth is enabled in the advanced settings
FF
Put 'www.mysite.mydomain' into network.automatic-ntlm-auth.trusted-uris config setting.
But when I dial up www.mysite.mydomain in IE / FF I get a login prompt. Interestingly, even when I type in my Windows login here, it still fails and shows me the login prompt again.
We don't have active directory here but my understanding is that it should work fine with a local account.
I can't think of anything else I need to do. Any suggestions?
Edit: we've recently switched to using Active Directory and the problem remains.
Edit: when I cancel the login prompt, I get taken to an 'IIS 7.5 Detailed Error' page with the following information:
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.**
You have to whitelist a domain specified in the hosts file in order for windows authentication to work:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Right-click Parameters, click New, and then click DWORD (32-bit) Value.
Type DisableStrictNameChecking and press ENTER.
Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, click OK
In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Right-click MSV1_0, point to New, and then click Multi-String Value.
Type BackConnectionHostNames, and then press ENTER.
Right-click BackConnectionHostNames, and then click Modify.
In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
Quit Registry Editor, and then restart the IISAdmin service.
NOTE:
The original Microsoft KB links on this answer were broken and have been removed.
This article provided the instructions for setting DisableStrictNameChecking.
I recently spent three days trying to solve the same problem and it drove me crazy. It was happening on a load-balanced setup where one of the servers was authenticating correctly while the other failed. Investigating the problem - and eventually solving it - it turned out to be unrelated to the load-balanced environment, it could happen with any server when authenticating using Windows Authentication and the server is called with a name other than the one recognized by Active Directory
1. Enable Kerberos logging
To correctly diagnose your issue, you will need to enable Kerberos logging on the machine hosting your IIS site. To do so, add the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Add Registry Value LogLevel with ValueType REG_DWORD and value
0x1.
Once you turn on logging, then you try to authenticate, you will get errors logged in your Windows Application Log. You can ignore the error KDC_ERR_PREAUTH_REQUIRED (this is just part of the handshake) but if you get the error KDC_ERR_C_PRINCIPAL_UNKNOWN that means your AD controller doesn't recognize your server therefore you need to follow the steps below.
2. KDC_ERR_C_PRINCIPAL_UNKNOWN
if you're getting KDC_ERR_C_PRINCIPAL_UNKNOWN, that means the name "mysite.mydomain.com" is different from how the AD recognizes your machine so it's unable to provide a valid kerberos ticket. In that case, you need to register a Service Principal Name (SPN) for " 'www.mysite.mydomain" on the AD.
On your AD controller, run this command - you will need Domain Admin privilege:
Setspn -A HTTP/mysite.mydomain YOUR_MACHINE_HOSTNAME
3. Use a custom identity for your Application pool
Finally, make you Application pool use a custom account that belongs to the Active Directory instead of using NetworkService. This can be done in advanced settings of your application pool.
and .. voila.
Notes: The problem could (unlikely) be related to having multiple SPNs registered to the same machine, in that case you will need to run a command to remove duplicate SPNs, but I doubt this is the case. Also try adding a different binding to your site (that doesn't use a custom name) something like htttp://localhost:custom_port_number and see if authentication works. If it works, this is an extra indication that you're suffering from the same problem I had.
Did you try putting the domain in front of the user name?
DOMAIN\username
If you don't have a domain account, try prefixing your username with the machine name:
MYCOMPUTER\myusername
You should check to see if you have Windows Authentication installed/enabled. That may sound weird but in IIS 7 you have to install and enable the various authentication methods. Check out http://support.microsoft.com/kb/942043/ for more info, see quoted section below.
Cause 1
The Web application is configured to use Integrated Windows
authentication. However, the Windows Authentication feature is not
turned on. Or, the Integrated Windows authentication native module
section of the ApplicationHost.config file or of the Web.config file
is not valid. To resolve this problem, see Resolution 1.
Original
Usually when you try to view an asp.net web page hosted on IIS and receive a login prompt it doesn't mean your credentials weren't received or that you aren't authenticated. What it means is that the account that your website is running under doesn't have the right permissions to work with the files.
In IIS 6 and 7 you can easily change the user account that your app pool runs under. Try changing the app pool identity to an account with more access specifically designed for this. Or if you want to stick with the existing account (IUSR_? Network Service?) you can grant that account more permissions on the directory where your website is stored.
This article is specifically targeted at BizTalk but has almost no references to it and focuses on troubleshooting permissions issues with IIS and app pools: http://msdn.microsoft.com/en-us/library/aa954062.aspx
Why local IIS? Can you use local IIS Express?
If so, try this. It seems that IIS Express by default has Windows Authentication set to false.
Change
<windowsAuthentication enabled="false">
to "true" in applicationhost.config file (under 'C:\Users[Profile]\Documents\IISExpress\config' folder). This works for me.
To ensure that IIS uses Windows Authentication, I think you should try to turn of other authtentication methods. If Anonymous Authentication is enabled, Windows authentication will not work. You can also read this Microsoft Support Article which describes IE and IIS requirements in details.
I got this error when I enabled Windows authentication. I wanted to authorize the user based on Windows login and there is no login page in my application.
I got the error fixed by adding the below in my Web config file.
Under the tag system.web, I changed authentication mode="None" to
authentication mode="Forms".
Under the tag appSettings, I added add key="owin:AutomaticAppStartup" value="false"
After reading the answer of Espen Burud, I solved my problem by changing in the root's web.config:
<allow users="*" />
to
<deny users="?" />
The page that needs Windows Authentication is not in the root, but in a sub directory with its own web.config with deny users ? but that did not make Windows Authentication working. Apparently, you need to deny users in the root for that to work.
The IIS config has Anonymous Authentication enabled; that did not matter. After the above change of web.config, Windows Authentication worked.
For Dot Net Core 2.2 and running on IIS, I was having issues with 401.2 Unauthorized when I would check the Enable Windows Authentication within my application. It was a exceedingly simple test website that did basically nothing, just to try and get windows authentication to work. I finally got the auth to work, and here's what you'll need:
Within Startup ConfigureServices:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
Open the application's Properties, click Debug option on the left and make sure you check Enable Windows Authentication.
But here's the kicker that I had forgotten... Configure your system to have Windows Authentication installed on IIS. This was never setup on my machine, and regardless what I did, I would always get a 401 unauthorized error. After installing this (Win 10, IIS v10.0.18362.1) I now get a login prompt. This isn't exactly what I need at this point, but at least it's not the unauthorized error. Good luck and hopefully this helps.