May, 2008

  • Care, Share and Grow!

    SSL Troubleshooting for IIS Web Sites contd...

    Recently a colleague of mine was working on a customer's case which was a Critical level incident. High pressure job, huhh!

    The issue was with SSL not working for one of their web sites. They were seeing "Page cannot be displayed" when trying to access this site over SSL. It worked just fine over HTTP.

    In the System event log we were seeing this intermittently:

    Event Type: Error
    Event Source: W3SVC
    Event Category: None
    Event ID: 1114
    Description:
    One of the IP/Port combinations for site 'NNNNN' has already been configured to be used
    by another program. The other program's SSL configuration will be used.

    We troubleshot this issue for hours without luck :-(. I guess we tried all the steps mentioned here.

    Here is everything we tried:

    • Checked the Certificate properties to ensure it was a valid one. It was good.
    • Yet, replaced the current certificate with a new one, still no luck.
    • The customer had all the sites running under different IP addresses. All the other sites were working over SSL, except this one :-(.
    • We ran SSLDiag which gave a misleading error.
    • We tried running the site on a different SSL port, still no luck.
    • We set up the SecureBindings metabase property for the web site in question, still no luck.
    • We ran netstat -ano to check for any other process listening on this port; everything looked clean. Refer to this.
    • We disabled all the 3rd party non-MS services, restarted Windows Server in selective startup mode, no luck.
    • We installed Windows Server 2003 Service Pack 1 32-bit Support Tools on the server, ran the httpcfg query iplisten. It gave a clean output, no specific IP entries listed by it.
    • Restarted IIS/HTTP services umpteen number of times during the course of troubleshooting, no luck whatsoever. Even reboot was done a couple of times.

    Finally, after a few hours of troubleshooting, we decided to run this site on a different IP address (we had thought of this earlier but our customer was under a constraint) and hurray, it worked this time!!! Now everything was set, but we had a lingering question in mind as to why, why, why this site did not work on the IP address we had. It had an entry in the Advanced TCP/IP Settings and was a valid one in every sense, to the best of our knowledge.

    Finally we figured out that there was a problem with the IIS SSL listener.

    To get a list of the IP and port combinations bound to a certificate, run "httpcfg query ssl". Here is an excerpt from a TechNet article:

    The HTTP API enables applications to communicate over HTTP without using Microsoft Internet Information Services (IIS). Applications can register to receive HTTP requests for particular URLs, receive HTTP requests, and send HTTP responses. The HTTP API includes SSL support so applications can also exchange data over secure HTTP connections without depending on IIS. It is also designed to work with I/O completion ports. ... Such meta-information is maintained by the HTTP API in a metastore, and is used to locate certificates for certificate exchange in HTTPS sessions.

    Below is a sample of a working and non-working scenario:
    ------------------------------------------------------------------------------

    \Program Files\Support Tools> httpcfg.exe query ssl

    Working scenario:

    IP                      : 192.168.100.118:443
    Hash                    : c96667684997887f 5b889b7b3f737c8c4da5f16
    Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    CertStoreName           : MY
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        :
    SslCtlStoreName         :
    Flags                   : 0

    Non-working scenario:

    IP                      : 192.168.100.234:443
    Hash                    :
    Guid                    : {00000000-0000-0000-0000-000000000000}
    CertStoreName           : (null)
    CertCheckMode           : 0
    RevocationFreshnessTime : 0
    UrlRetrievalTimeout     : 0
    SslCtlIdentifier        : (null)
    SslCtlStoreName         : (null)
    Flags                   : 0

    Here, Hash has the same value as the Thumbprint of your SSL certificate. In the non-working scenario the Guid is all zeros, while the Hash may be either blank or populated. Even if we remove the certificate from the web site and then run "httpcfg query ssl", the entry with the all-zero Guid is still listed. If you see the Guid as "{00000000-0000-0000-0000-000000000000}", there is a problem.

    We need to remove this entry by running the command "httpcfg delete ssl -i <IP:Port Number>". In the above example, we need to type "httpcfg delete ssl -i 192.168.100.234:443". Once we remove it, then we need to reinstall the certificate back on to the web site.

    Once the certificate is installed, run "httpcfg query ssl" at the command prompt to confirm the Guid is no longer all zeros.

    This fixed the issue for the web site on the failing IP address.
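The check described above can be run over saved "httpcfg query ssl" output. The following is an added example, not code from the original post: it flags entries with the all-zero Guid and, going one step further on the post's statement that Hash equals the certificate Thumbprint, optionally compares each Hash with a thumbprint you supply. The function names and the expected_thumbprints mapping are assumptions for illustration.

```python
import re

# Constructed sample: the two entries from the post, trimmed to the fields used.
SAMPLE = """\
IP                      : 192.168.100.118:443
Hash                    : c96667684997887f 5b889b7b3f737c8c4da5f16
Guid                    : {4dc3e181-e14b-4a21-b022-59fc669b0914}
CertStoreName           : MY
IP                      : 192.168.100.234:443
Hash                    :
Guid                    : {00000000-0000-0000-0000-000000000000}
CertStoreName           : (null)
"""

ZERO_GUID = "{00000000-0000-0000-0000-000000000000}"
FIELD = re.compile(r"^\s*(\w+)\s*:\s?(.*?)\s*$")

def normalize(hex_text):
    """Thumbprints are often pasted with spaces and mixed case; compare without them."""
    return re.sub(r"\s+", "", hex_text).lower()

def parse_bindings(text):
    """One dict per binding; every 'IP' line starts a new record."""
    bindings = []
    for line in text.splitlines():
        match = FIELD.match(line)
        if not match:
            continue  # prompts, separators, blank lines
        key, value = match.groups()
        if key == "IP":
            bindings.append({})
        if bindings:
            bindings[-1][key] = value
    return bindings

def audit(text, expected_thumbprints=None):
    """Return (ip_port, problem) pairs; expected_thumbprints maps IP:port to a thumbprint."""
    findings = []
    for b in parse_bindings(text):
        ip = b.get("IP", "?")
        if b.get("Guid") == ZERO_GUID:
            findings.append((ip, "all-zero Guid; fix: httpcfg delete ssl -i " + ip))
            continue
        want = (expected_thumbprints or {}).get(ip)
        if want and normalize(b.get("Hash", "")) != normalize(want):
            findings.append((ip, "Hash differs from certificate thumbprint"))
    return findings

for ip_port, problem in audit(SAMPLE):
    print(ip_port, "->", problem)
```
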

    Hope this helps someone.

    Till next time, Cheers!

     

  • Care, Share and Grow!

    My IIS 6.0 Web Manager - Manage your Web Sites, Application Pools from anywhere on the Web.

    A Web administrator has to have access to the IIS server so that diagnostic or preventive measures can be performed at any point of time. One has to ensure all the web sites are up and running during the course of a day. Activities like recycling Application Pools and starting/stopping Web sites are an essential part of this process. This is most painful when you are away having a good time and you get a call that the web sites are having performance issues, and you are required to ensure they are recycled, restarted, etc.

    I have written this Web application to ensure one has access to their IIS 6.0 Web server from any part of the world. I have used WMI features built on top of .Net. It has the following features at this point.

    Application Pool related activities

    · Recycle/Start/Stop Application Pool(s)

    · Change Application Pool Identity.

    · Check features like Application Pool Recycling options, Current state of an Application Pool and current Application Pool Identity.

    · Enumerate an Application Pool to see the Web applications running underneath it.

    Web Site related activities

    · Start/Stop Web Site(s)

    · Check features like current Web Site state, and some configuration related settings like Web Site physical path, Server Bindings, Secure Bindings, Authentication method, SSL access, Application Pool etc.

    IISRESET

    · At times the only way to recover from a problem is to restart IIS services. You can restart all IIS services like IISADMIN, SMTP and World Wide Web Publishing service from anywhere through this application.

    There are tools available like MS Administration site, but it had somewhat limited features in my opinion. I intend to modify the existing features in my application as time permits.


    Pre-requisites

    · You need to have .Net Framework 2.0 installed on the IIS web server.

    · If AJAX-enabled version of this application is deployed, you need to have Microsoft ASP.Net 2.0 AJAX Extensions 1.0 installed on the server for it to work.

    Steps to deploy the application

    1. Download the ZIP file attached with this post.

    2. Extract all the contents to some physical folder on the IIS Web server.

    3. Create a new web site (or better in my opinion, a new virtual Directory under any of your existing Internet-facing Web sites) and point it to this physical path for the extracted files/folders.

    4. ***ENSURE that you create a new application Pool for this Virtual Directory, and put the application under this application pool. In such a scenario this application will not interfere with any of your existing web applications running on the server.

    5. This application is built using ASP.Net 2.0 and has two flavors, AJAX-enabled and non-AJAX based. If you are using the AJAX-enabled application, you need to ensure Microsoft ASP.Net 2.0 AJAX Extensions 1.0 is installed on the server.

    6. Open the web.config file associated with this application and modify the <appSettings> to reflect the name of your Application Pool and name of the Web site under which this application is running [Attached ZIP file contains a word document as well with detailed steps for deployment].

    I have covered the essential features required for a web server management and plan to modify it with more granular features with time.

    Here are some screen captures related to usage

    ****Ensure the application pool Identity entered forms a part of Local IIS_WPG group on the server.

    Click on IIS Reset shown below to restart all IIS services like IISADMIN, FTP, SMTP and WWW.

    When you reset IIS, you won't be able to browse to the Web application for a minute or so, depending upon how long it takes for the IIS services to stop and then start back running.

    In this interval if you try to access the site you will see the following error:

    For AJAX-enabled version, you will get a pop up as shown below:

    For Non-AJAX version you will see the following page:

    At any point you can check the status of the selected Application Pool and the selected Web site.


    This is provided "AS IS".

    Any constructive feedback is appreciated ;-)

    Till next time, Cheers! 

     


     

    Links for download:

    AJAX enabled version: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/AJAX%20enabled%20version.rar

    Non-AJAX version: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/Non-AJAX%20version.rar

    Steps for Deployment: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/Steps%20for%20Deployment.doc

    *You can also download the AJAX version from here www.iis.net/downloads
