ASP.NET web app sessions issue - c#

I developed an ASP.NET web application that is installed on a "live" IIS 7.5. The web app uses http sessions to pass parameters between pages for logged in users. This works great on my development machine (tested with local IIS in VS2010 IDE), but when this web app is uploaded to a client's IIS and they start using it (Google Chrome and IE browsers), at some random moments the session variables seem to disappear. My first guess was to increase the session timeout setting via web.config file by adding this line:
<configuration>
<system.web>
<sessionState timeout="20"></sessionState>
</system.web>
</configuration>
But that doesn't seem to fix the issue. So it made me wonder, what other settings are there concerning sessions? Something like an internal folder that keeps a cache of all sessions that gets overflown on an actual IIS? Any ideas?
EDIT: Following #wy__'s suggestion, I modified the web.config file and started seeing the same issue on my dev machine. Here's the whole system.web section as I have it now:
<system.web>
<compilation targetFramework="4.0" debug="false"/>
<pages validateRequest="false"/>
<httpRuntime requestValidationMode="2.0" executionTimeout="110" maxRequestLength="262144"/>
<sessionState timeout="20" cookieless="true" regenerateExpiredSessionId="true"></sessionState>
</system.web>
I also checked and there's only one w3wp.exe process running.

By default, the session uses cookies to track user sessions. If you are not sure whether users turn them off or not, you can configure cookieless sessions.
i.e.
<configuration>
<system.web>
<sessionState cookieless="true" regenerateExpiredSessionId="true" />
</system.web>
</configuration>

Related

HTTP Error 500.19 - Internal Server Error - The requested page cannot be accessed because the related configuration data for the page is invalid [duplicate]

I have a simple MVC Web API 2 IIS-hosted application for which I want to enable Windows authentication (initially not using OWIN). I am running this on my development machine and running it as local IIS.
So, from what I could find, I need to add the following to the web.config
1: To the following section, add the authentication mode="Windows"
<system.web>
<compilation debug="true" targetFramework="4.5.1"/>
<httpRuntime targetFramework="4.5.1"/>
<authentication mode="Windows" />
</system.web>
2: Then add the following
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
When I add the above and run the application (in debug from Dev studio), I get the following error
HTTP Error 500.19 - Internal Server Error
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
and then it specifically points to this web config entry
Config Source:
37: <authentication>
38: <windowsAuthentication enabled="true"/>
39: </authentication>
Anyone have any ideas why I would be getting this?
Also, I noticed when I switch to IIS express, that in the project properties, the Windows Authentication is set to disabled, and grayed out so I cannot set it here either.
Thanks in advance for any help!
If you read applicationHost.config, you will see that authentication related sections are locked down and cannot be overridden in web.config:
<section name="windowsAuthentication" overrideModeDefault="Deny" />
Thus, you need to specify that in applicationHost.config, instead of web.config. Both IIS and IIS Express have this restriction.
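A pre-deployment check for the lock described in this answer, as an added example that is not part of the original thread: it reads the section declarations of applicationHost.config and reports which locked sections a web.config tries to set. The function names and the applicationHost.config excerpt are constructed for illustration, and the check assumes no `<location overrideMode="Allow">` block has unlocked the section for the site.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like applicationHost.config's <configSections>.
APPLICATION_HOST = """
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
</configuration>
"""

# web.config fragment from the question (plus one unlocked section), closed so it parses.
WEB_CONFIG = """
<configuration>
  <system.webServer>
    <defaultDocument enabled="true" />
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
"""

def locked_sections(app_host_xml):
    """Paths of sections declared with overrideModeDefault="Deny"."""
    locked = set()
    def walk(node, prefix):
        for child in node:
            path = prefix + [child.get("name")]
            if child.tag == "sectionGroup":
                walk(child, path)  # group names become path segments
            elif child.tag == "section" and child.get("overrideModeDefault") == "Deny":
                locked.add("/".join(path))
    walk(ET.fromstring(app_host_xml).find("configSections"), [])
    return locked

def violations(web_config_xml, locked):
    """Locked section paths that this web.config sets (each one triggers HTTP 500.19)."""
    root = ET.fromstring(web_config_xml)
    return sorted(path for path in locked if root.find(path) is not None)
```
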

How to disable IIS 8.5 ASP.NET 4.7.2 recycling on /bin changes and enable on /Views changes?

I have read tons of articles which specify that I can disable ASP.NET application recycling after file changes using fcnMode="Disabled". I need application state (for example error statistics).
Nice, but how to disable FCN on /bin but enable it on /Views to update views?
The strangest thing is that IIS 8.5, after fcnMode="Disabled", blocks recycling in /bin and /Views but does not update views after updating *.cshtml in /Views.
IIS Express does the same, except that it updates views after updating *.cshtml, which is what I need.
I prepared this configuration for IIS.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.7.2"/>
<httpRuntime targetFramework="4.7.2" fcnMode="Disabled"/>
</system.web>
</configuration>

Asp.net application configuration for BASIC Authentication

I have written an asp.net application that only hosts a series of web services (.asmx).
I would like to be able to use a custom basic authentication mechanism to authenticate requests.
I have found this article that describes how to do that:
I have written a HttpModule as it said and I have added it in my web.Config. No authentication scheme is set in web.config (no authentication tag) and also there's no authorization tag in web.config.
The problem is this module is never hit, no matter if I enable basic authentication in IIS or disable it (and enable anonymous access).
The question is: what am I doing wrong or missing?
UPDATE:
config file:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<httpModules>
<add name="BasicAuthHttpModule" type="WebServiceWrapper.BasicAuthHttpModule, WebServiceWrapper"/>
</httpModules>
</system.web>

Asp.net randomly stops obeying forms authentication whitelist

The problem
Last month we moved our asp.net website farm from Server 2008 R2 to Server 2012 R2 and upgraded to asp.net 4.5. We are using cookied forms authentication to prevent unauthorized access to the website.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
We have certain assets and pages (ex: sign in page) that are whitelisted in the web.config:
<location path="signin">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Over the last few months we've been noticing that IIS/Asp.net randomly stops obeying the whitelist and assumes everything needs to be authenticated. All requests to the site on that server will be redirected to the signin page which then throws a 500 error. No whitelisted assets can be retrieved.
There are then 2 errors in the event viewer that we can see when IIS is messed up. The first:
Exception type: NullReferenceException
Exception message: Object reference not set to an instance of an object.
at System.Web.PipelineModuleStepContainer.GetNextEvent(RequestNotification notification, Boolean isPostEvent, Int32 eventIndex)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
This second one doesn't show up all the time:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
The IIS process will be working fine for hours, then all of a sudden start doing this weirdness. As soon as we recycle the app pool, or even just modify the web.config, the site starts working again.
Things we've tried
Honestly we are quite stumped. This wasn't happening on our old servers, but we've made quite a few changes to our site since then but nothing related to authentication.
We are in a webfarm and we define our machine key inside of our web.config.
<machineKey validationKey="XXX" decryptionKey="XXX" validation="SHA1" decryption="AES" />
We are targeting asp.net 4.5
<httpRuntime targetFramework="4.5" executionTimeout="120" maxQueryStringLength="4096" minFreeThreads="72" minLocalRequestFreeThreads="88" maxRequestLength="32768" />
We recreated the application pool within IIS.
Not sure if it matters but we use IIS Shared Config and shared certificates.
The issue is happening on all of the web servers in the farm, not just one.
We reinstalled the OS on one of the servers yesterday... so we'll see if that fixes anything.
It doesn't seem to be tied to memory usage. Sometimes iis is only using 4gb, sometimes 6gb.
It doesn't seem to be tied to a certain page execution that we can tell.
I've run debug diag against a memory dump and there aren't any threads that are running long nor crazy memory usage.
Yea, we are stumped. Any help is appreciated.
I had a similar experience, changing IIS to allow anonymous authentication solved it for me. In your case, I would recommend 2 things:
Try Enabling Anonymous Authentication in IIS (Visit http://technet.microsoft.com/en-us/library/cc770966%28v=ws.10%29.aspx to see how)
Modify your code as shown below
<location path="signin">
<system.web>
<authorization>
<allow users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
I hope this helps
I'll answer my own question with what we did to solve the issue, even though we never did find the root cause. We noticed that the server would start ignoring the whitelist rules when it got too heavy under load. Not much load, maybe 40% utilization over the course of 5 minutes. After that it would start ignoring things.
The simple solution for us was to throw more hardware at the issue. We are running 6 webservers instead of 3. We haven't seen the whitelist issue since then. So honestly... we have no idea what's up.
While I can't say exactly what the issue is, I can share a similar experience.
We had a site that used forms authentication and also assumed it was failing and forcing everyone to authenticate. What we discovered was that the website was crashing and IIS was returning the default website instead. It took us a while to figure out. You might want to check to make sure you're not looking at a similar situation.
Can you show your Authentication node from your web.config?
It should be something like this:
<authentication mode="Forms">
<forms name="Logon" loginUrl="~/Logon.aspx" protection="All" timeout="60" defaultUrl="~/Default.aspx" />
</authentication>
Are you using the asp.net session state server? If you do, check if the asp.net state server service is started.
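How the authorization rules quoted in this thread are evaluated, as an added example that is not part of the original posts: rules from the matching `<location>` block are checked before the site-wide ones, and the first rule that matches the user decides. The function names are constructed for illustration, and only the `users` attribute is modelled (`roles` and `verbs` are ignored).

```python
import xml.etree.ElementTree as ET

# Rules quoted in the question, wrapped in a constructed <configuration> root.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="signin">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def rules_for(root, url_path):
    """Rules of matching <location> blocks (longest path first), then site-wide rules."""
    path = url_path.strip("/").lower()
    blocks = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if not prefix or path == prefix or path.startswith(prefix + "/"):
            blocks.append((len(prefix), loc))
    blocks.sort(key=lambda b: b[0], reverse=True)
    rules = []
    for scope in [loc for _, loc in blocks] + [root]:
        rules.extend(scope.findall("system.web/authorization/*"))
    return rules

def matches(users_attr, user):
    """user is None for an anonymous request; "?" is anonymous, "*" is everyone."""
    me = "?" if user is None else user.lower()
    return any(t.strip().lower() in ("*", me) for t in users_attr.split(","))

def is_allowed(config_xml, url_path, user=None):
    """First matching rule decides; with no match the default allow users="*" applies."""
    for rule in rules_for(ET.fromstring(config_xml), url_path):
        if matches(rule.get("users", ""), user):
            return rule.tag == "allow"
    return True
```

Running a farm's real web.config through a check like this confirms what the configuration itself permits, which helps separate a rule-ordering problem from a runtime failure such as the one described in the question.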

c# library impersonate problem

I'm working on a website that has been coded by someone else. The application contains three layers. A website, a web service and a library. The web service is up for other applications to call methods and everything. The website is used by workers to perform queries and everything.
The problem is: The website uses the web service that uses the library instead of going directly to the library. I want to remove the web service usage and use the library straight away instead. Unfortunately, the library isn't able to connect to an external server when called directly from the web site.
The web service used the impersonate method in its web config like so:
<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<compilation defaultLanguage="c#" debug="true" />
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Windows" />
<identity
impersonate="true"
userName="USERNAME_HERE"
password="PASSWORD_HERE" />
<sessionState
mode="InProc"
stateConnectionString="tcpip=10.96.8.37:42424"
sqlConnectionString="data source=10.96.8.37;Trusted_Connection=yes"
cookieless="false"
timeout="20" />
</system.web>
</configuration>
When the web service uses the library, the library identity turns out to be the username specified in the web.config. But when I call it from the website directly the user turns out to be: MY_COMPUTER\ASPNET
How can I successfully impersonate within the library itself?
Thanks!
EDIT
Ok, I thought of adding the impersonate piece of code in the website's web.config instead. It turned out that the library used the correct user but the request takes forever and never ends. Do you know what could be wrong?
At first glance, you could use these entries in the web.config of your transactional website.
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Windows" />
<identity
impersonate="true"
userName="USERNAME_HERE"
password="PASSWORD_HERE" />
However you want to be really sure this is the right thing to do before you do it.
Security is a big thorny problem that can turn around and bite you in the ass pretty hard. Whichever user you use here should be single purpose. It should have exactly the permissions you need and no more.
Why can't you give the MY_COMPUTER\ASPNET user permissions on the external server?
There are ways to impersonate for a short time which will probably solve your problem more cleanly. I will let someone who actually knows that answer tell you what it is though.
