Problems posting via HTTPS from an IIS process (WCF & WF) - c#

I have some code that wraps the PayflowPro .NET API. It essentially posts to a HTTPS address (a payment gateway) from C#. I can run this code locally and it works nicely. I can run it in my MSUnit tests and it works, and I can run it from a console application on my test environment and it also works.
I have a workflow hosted in IIS 6.1, which instantiates a class which in turn calls this code. When this workflow is started the code fails every time; I get an error like System.Exception: Failed to connect to host Input Server Uri = https://pilot-payflowpro.paypal.com/ from the API object.
This exception is coming from the API, but I am completely lost as to how I can successfully post from a console application but not from an IIS process.
The class is exactly the same, word for word.
I log in as administrator, so the console app is running as administrator. Therefore I have tried using the administrator account for the application pool for the website (for this testing only, obviously)
The console app can post so therefore the firewall / proxy aren't interfering... right?
Is there anything I need to adjust in IIS to allow an application to communicate outside? Are there any obvious security settings that I'm overlooking? Any suggestions for test cases to run to find out what might be going on?
edit: Turns out that this problem is somehow related to the VM environment in which the server is running. This problem doesn't occur on my development box, the test server or the production server - it's only occurring on the integration server. The cause is still unknown but I am no longer working on it.

This might be caused by an ASP.NET trust configuration issue. To check the trust level open the following file in an editor:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config (if ASP.NET 2.0)
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\CONFIG\web.config (if ASP.NET 4.0)
You may also need to edit the C:\WINDOWS\Microsoft.NET\Framework64 versions of these if you're running on 64 bit Windows.
Scroll down to the <securityPolicy> configuration section which looks like:
<location allowOverride="false">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal"/>
            <trustLevel name="High" policyFile="web_hightrust.config"/>
            <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
            <trustLevel name="Low" policyFile="web_lowtrust.config"/>
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
        </securityPolicy>
        <trust level="Medium" originUrl=""/>
    </system.web>
</location>
If you see anything other than <trust level="Full" originUrl=""/> it means the server is running under Partial Trust.
Open the .config file specified by the relevant policyFile attribute, for example web_mediumtrust.config if level="Medium".
It's highly unlikely that the server will be running under anything less than Low Trust.
Locate the <NamedPermissionSets> section, under this there is a <PermissionSet> that looks like:
<PermissionSet
class="NamedPermissionSet"
version="1"
Name="ASP.Net">
This contains a number of <IPermission> nodes. Look for one that is called WebPermission; it looks like this:
<IPermission
class="WebPermission"
version="1">
If it's missing or looks like:
<IPermission
class="WebPermission"
version="1">
<ConnectAccess>
<URI uri="$OriginHost$"/>
</ConnectAccess>
</IPermission>
You need to add or modify so it looks like:
<IPermission
class="WebPermission"
version="1"
Unrestricted="true"/>
This setting controls outbound and inbound access from your application to or from a URI.
It may also be necessary to ensure that the SocketPermission configuration is similarly configured:
<IPermission
class="SocketPermission"
version="1"
Unrestricted="true"/>
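
The manual check described in the answer above, as an added example that is not part of the original answer: it reads the active trust level and reports what the ASP.Net permission set grants for WebPermission and SocketPermission. Both XML strings are constructed samples modelled on the snippets in the answer, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the root web.config section shown in the answer.
ROOT_WEB_CONFIG = """<configuration><location allowOverride="false"><system.web>
  <securityPolicy>
    <trustLevel name="Full" policyFile="internal"/>
    <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
  </securityPolicy>
  <trust level="Medium" originUrl=""/>
</system.web></location></configuration>"""

# Constructed sample of a policy file holding the restricted WebPermission.
MEDIUM_POLICY = """<configuration><NamedPermissionSets>
  <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
    <IPermission class="WebPermission" version="1">
      <ConnectAccess><URI uri="$OriginHost$"/></ConnectAccess>
    </IPermission>
  </PermissionSet>
</NamedPermissionSets></configuration>"""


def active_trust(web_config_xml):
    """Return (level, policyFile) for the <trust> element, or (None, None)."""
    root = ET.fromstring(web_config_xml)
    trust = next(root.iter("trust"), None)
    if trust is None:
        return None, None
    files = {t.get("name"): t.get("policyFile") for t in root.iter("trustLevel")}
    return trust.get("level"), files.get(trust.get("level"))


def outbound_grants(policy_xml, set_name="ASP.Net"):
    """Report each network permission as 'missing', 'unrestricted' or a URI list."""
    grants = {"WebPermission": "missing", "SocketPermission": "missing"}
    for pset in ET.fromstring(policy_xml).iter("PermissionSet"):
        if pset.get("Name") != set_name:
            continue
        for perm in pset.iter("IPermission"):
            if perm.get("class") not in grants:
                continue
            if (perm.get("Unrestricted") or "").lower() == "true":
                grants[perm.get("class")] = "unrestricted"
            else:
                grants[perm.get("class")] = [u.get("uri") for u in perm.iter("URI")]
    return grants


if __name__ == "__main__":
    print(active_trust(ROOT_WEB_CONFIG))
    print(outbound_grants(MEDIUM_POLICY))
```

Running it against the real files before and after a change records exactly which grants were widened, which is useful when the edit has to be reviewed or rolled back.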


Related

Azure Keyvault stopped working on IIS hosted site

Hi, I have a question regarding Azure Keyvault and IIS. Our server provider applied a Windows patch:
2021-04 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5001347)
2021-04 Servicing Stack Update for Windows Server 2016 for x64-based Systems (KB5001402)
After this Windows patch and a restart of the server, our fetch from web.config to Keyvault in Azure stopped working.
When IIS is starting our app it can not find Microsoft.Configuration.ConfigurationBuilders.Azure
Even if the DLL is located in the bin folder.
One other important thing to mention is that our connectionStrings to the database that are located in their own file connectionstrings.config are working great with Azure Keyvault.
Our windows services on the same machine are also working great with Azure Keyvault.
So the issue is only affecting our appsettings section in our web.config.
We have tried to add the bin folder to privatePath in the web.config; that didn't help.
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="bin;modulesbin"/>
This works great on our STAGING machine which has the same windows updates and uses the same configs.
Does anyone have a clue what we can do next?
What we are using:
System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
<configBuilders>
    <builders>
        <add name="AzureKeyVault" vaultName="somevaultname"
             type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral"
             vaultUri="somevaulturi"/>
    </builders>
</configBuilders>
Thanks for any help
Edit:
We have now installed newer Azure dlls.
Installed Azure CLI on server.
We are now using AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_CLIENT_ID instead of AzureServicesAuthConnectionString in the environment variables.
After reboot, the webapp, services, connectionstring stopped working.
Error message in Event viewer:
Exception message: An error occurred loading a configuration file: The specified user does not have a valid profile. Unable to load 'Microsoft.Configuration.ConfigurationBuilders.Azure
Everything still works as expected on our stage server.
AZURE_TENANT_ID was added correctly under Administrator environment variables
but under system environment variables it was added with AZURE_TENTANT_ID (one t too much)
Such a typo. All good now.
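
A check for the failure described in this post, as an added example that is not part of the original post: it compares the variable names defined in each scope against the three names the post uses and flags near-miss spellings. The scope contents are constructed to mirror the post, and the function name and similarity cutoff are assumptions.

```python
import difflib

# Names taken from the post; the service identity needs all three.
EXPECTED = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")

# Constructed sample mirroring the post. On a real server the names would be
# read from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
# (system scope) and HKCU\Environment (per-user scope).
SAMPLE_SCOPES = {
    "Administrator": ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "TEMP"],
    "system": ["AZURE_TENTANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "Path"],
}


def check_scopes(scopes, expected=EXPECTED, cutoff=0.85):
    """Return, per scope, the expected names that are missing and any defined
    name that looks like a misspelling of a missing one."""
    findings = {}
    for scope, names in scopes.items():
        defined = {n.upper() for n in names}  # Windows variable names ignore case
        missing = [e for e in expected if e not in defined]
        if not missing:
            continue
        candidates = sorted(defined - set(expected))
        suspects = {}
        for name in missing:
            close = difflib.get_close_matches(name, candidates, n=1, cutoff=cutoff)
            if close:
                suspects[name] = close[0]
        findings[scope] = {"missing": missing, "suspects": suspects}
    return findings


if __name__ == "__main__":
    for scope, result in check_scopes(SAMPLE_SCOPES).items():
        print(scope, result)
```

The system scope is the one to check for an IIS application pool or a Windows service, since neither runs with the Administrator's per-user variables.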

Getting .Config custom section error only over network share

We have a client Windows application calling C# Web Services. Everything is in .Net Framework 4.0.
So basically, we deploy Web Services in IIS, and also the client application will be located on the server. The application will be executed on client PCs via a network share.
Everything works fine, every functionality works ok (Web Services, Windows functionalities, etc).
But we have an error reporting functionality that reads custom definitions in the .Config file. The section looks like this:
<configuration>
<configSections>
<section name="exceptionManagement" type="Some.Namespace.ExceptionManagerSectionHandler,Some.Assembly"/>
<section name="ProductInformation" type="Some.Namespace.ProductInfoManagerHandler,Some.Assembly"></section>
</configSections>
The section will be read only when the application encounters an exception.
When executing the application locally on the server, the error reporting will work fine, but when executing the same assemblies from a network share (even on the same machine with a shortcut using the FQN of the machine and share), I will get this exception (line 5 is my "ProductInformation" custom definition):
Exception has been thrown by the target of an invocation. An error
occurred creating the configuration section handler for
ProductInformation: Request failed.
(\\Server\PATH\Some.exe.config line
5) Request failed.
But as I said before, every other functionality will work just fine. And, of course, I have this at the end of my config:
<loadFromRemoteSources enabled="true"/>
I really don't get it, since basically the code is fine when run locally, but fails when run from a network share, while all other functionalities work fine over the network.
Any ideas?

System.Security exception on asp.net webpage - c#

I am having an issue where when I run my asp.net website, I get a security exception to do with the trust level in the config file. I have tried adding the following code into the config file in the solution, but no luck;
<securityPolicy>
<trustLevel name="Full" policyFile="internal"/>
</securityPolicy>
Description of the 'Security Exception' -
The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details
System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
I am only trying to run this locally from Visual Studio, and it has been working before.
We have recently moved our environments from working in a TS session (where vs2010 is), to having our own virtual machines (where vs2012 is). To get to the VS2010, we have to remote in from our virtual machine, and each time we log in it brings over our documents folder and everything. Could it be to do with this, logging in from somewhere else causes permission issues?
Many thanks.

Seeing a generic 500 internal error, how to view detailed error?

On my production server, I just deployed an asp.net web application.
I am seeing a generic '500 internal server error'.
How can I view a detailed error temporarily until I fix the problem?
I already have:
<customErrors mode="Off" defaultRedirect="error.aspx"/>
<customErrors mode="Off" /> is usually enough. But if you have messed up with some IIS configuration it won't even reach your web.config which might explain why you are seeing this generic 500 error message. Take a look at the Event Log (eventvwr.msc) of the server which might contain additional information about the error. There could really be lots of possible reasons (.NET framework misconfiguration, application pool or virtual directory misconfiguration, missing access rights to some folders, ...)
That's the reason why you should have a staging server which has the same configuration as your production server - it would allow you to test your configuration before shipping.
Change IIS Error Pages feature settings to "Detailed errors" or try to run the app from the server where it's deployed.
If the error page is coming from IIS because of some configuration being incorrect, you can try using Failed Request Tracing.

That assembly does not allow partially trusted callers although the zone is fully trusted

Since yesterday, I receive a security exception when I want to run a unit-test from within VS.NET 2008.
The error goes like this:
SecurityException: that assembly does not allow partially trusted callers
...
The assembly that failed was : file:///S:/MyProject/MyAssembly.dll
The S: drive is a mapped drive which points to a physical location on my disk.
What I find very strange, is that this used to work for months previously. I mean, I did this all the time.
In order to get this to work, I've created a new security zone with the caspol utility in order to give this S: network share drive FullTrust.
In other words, when I run
caspol -m -lg
I see this (I removed the other zones for the sake of brevity):
1.2. Zone - Intranet: LocalIntranet
1.2.1. All code: Same site Web
1.2.2. All code: Same directory FileIO - 'Read, PathDiscovery'
1.2.3. Url - file://R:/*: FullTrust
1.2.4. Url - file://S:/*: FullTrust
1.2.5. Url - file:///S:/*: FullTrust
I've added the 1.2.5 zone just recently because the error that was given mentioned file:///s:/....
Any ideas ?
Could it be that this has something to do with the installation of VS.NET 2010 or the .NET Framework version 4.0 ?
Try adding
<configuration>
<system.web>
<trust level="Full" />
</system.web>
</configuration>
to your web.config.
