PROBLEM:

If you have been noticing recently that end users of your IIS web site are getting locked out more often than expected, rest assured you are not imagining things.

The particular problem I am describing here applies *ONLY* if you are using basic authentication. If you are trying to find the root cause of authentication issues with anything other than "Basic Authentication" on IIS 7.0 please ignore this blog. It doesn't apply to you.

CAUSE:

  I have been supporting IIS for nearly a decade now, and with each new version I've seen, the support for non-English languages has been getting better and better. IIS 7 is no different: it handles strings as Unicode in as many places as practical instead of ANSI. One of the "features" of the BasicAuthenticationModule is that it supports *both* UTF-8 and ANSI encoded credentials. Windows itself stores strings as UTF-16, where each code unit is 2 bytes (0x0000 - 0xFFFF, or 0-65,535 values) versus the single byte of an ANSI code page (0x00 - 0xFF, or 0-255 values), which is what allows a far larger range of characters; UTF-8 is a variable-length encoding of that same character set. The Basic scheme itself does not say which encoding a browser should use when it Base64-encodes "user:password", which is why the module has to cope with both.

  Here's where the problem is: the BasicAuthenticationModule uses a simple Windows API called "LogonUserEx" to validate the credentials supplied by a user. According to MSDN this API accepts a string type of "LPTSTR" for the domain name, user name and password parameters; LPTSTR resolves to either the Unicode (LogonUserExW) or the ANSI (LogonUserExA) flavor of the function depending on how the caller is compiled. Because the Authorization header carries raw bytes and nothing tells the module which encoding the browser used, it actually tries both. First it decodes the Base64 payload as UTF-8 and calls LogonUserEx. If that fails, it decodes the same bytes using the system ANSI code page and calls LogonUserEx again, to make sure the failure wasn't because of how the browser encoded the credentials. Only if that second try also fails are the credentials considered invalid. Note that for a pure-ASCII password both decodings produce the identical string, so a plain mistyped password is simply tried twice. Unfortunately each failed LogonUserEx call increments the account's bad-password count, which means one mistyped password has just caused 2 failed logon attempts. If you have the lockout threshold set to something like "3", then 2 mistypes by an end user actually register as "4" failures and the account is now locked out.
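As an added illustration, not part of the original post, the following Python models the two-decode behaviour described above and the lockout arithmetic that follows from it. LogonUser is stood in for by a constructed one-account directory, and the server's ANSI code page is assumed to be Windows-1252; both are assumptions of this example, not facts from the post.

```python
import base64
import math

# Assumption for this example: the IIS server's ANSI code page is Windows-1252
# (Western European). Substitute the code page of your own system locale.
ANSI_CODEPAGE = "cp1252"


def build_basic_header(user, password, encoding):
    """Build the Authorization header value a browser sends for Basic auth,
    encoding 'user:password' with the given encoding before Base64."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_candidates(header):
    """The (encoding, user, password) triples IIS 7.0 derives from one header,
    in the order the module tries them: UTF-8 first, then the ANSI code page.
    Bytes that are invalid in an encoding decode to U+FFFD, which can never
    match a real password."""
    raw = base64.b64decode(header.split(" ", 1)[1])
    candidates = []
    for encoding in ("utf-8", ANSI_CODEPAGE):
        text = raw.decode(encoding, errors="replace")
        user, _, password = text.partition(":")
        candidates.append((encoding, user, password))
    return candidates


def iis7_logon(header, validate):
    """Pre-hotfix behaviour: call LogonUser with the UTF-8 decoding and, if
    that fails, again with the ANSI decoding.
    Returns (success, failed_logon_calls)."""
    failures = 0
    for _, user, password in decode_candidates(header):
        if validate(user, password):
            return True, failures
        failures += 1
    return False, failures


def workaround_logon(header, validate):
    """Behaviour with the HttpModule from the WORKAROUND section in front:
    exactly one LogonUser call, using only the UTF-8 decoding."""
    _, user, password = decode_candidates(header)[0]
    success = validate(user, password)
    return success, 0 if success else 1


def mistypes_until_lockout(lockout_threshold, failures_per_mistype):
    """Number of wrong passwords an end user can enter before the account
    lockout threshold is reached, given how many failed LogonUser calls each
    mistype generates (2 before the hotfix, 1 with the hotfix or workaround)."""
    return math.ceil(lockout_threshold / failures_per_mistype)


# Constructed stand-in for the directory: one account with a non-ASCII password.
ACCOUNTS = {"alice": "p\u00e4ssword"}


def validate(user, password):
    """Stand-in for LogonUser: True only for the exact stored password."""
    return ACCOUNTS.get(user) == password


if __name__ == "__main__":
    utf8 = build_basic_header("alice", "p\u00e4ssword", "utf-8")
    ansi = build_basic_header("alice", "p\u00e4ssword", ANSI_CODEPAGE)
    wrong = build_basic_header("alice", "wrong", "utf-8")
    for label, header in (("utf-8 header", utf8), ("ansi header", ansi), ("wrong password", wrong)):
        print(label, "pre-hotfix:", iis7_logon(header, validate),
              "workaround:", workaround_logon(header, validate))
    print("threshold 3, pre-hotfix:", mistypes_until_lockout(3, 2), "mistype(s)")
```

Two things fall out of running it: a wrong ASCII password costs two failures before the hotfix and one with the workaround, and a *correct* password that the browser encoded in the ANSI code page costs one failure before the hotfix (the UTF-8 attempt) and is rejected outright by the workaround, which never tries the ANSI decoding.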

SOLUTION:

  Install the hotfix available from Microsoft's support site.
  http://support.microsoft.com/kb/981280

WORKAROUND:

  Fortunately the workaround is pretty straightforward as long as your application works fine under an application pool using the "Integrated" managed pipeline mode (a managed module cannot run ahead of the native BasicAuthenticationModule in Classic mode). In a nutshell, just add a custom HttpModule to the IIS "pipeline" that calls LogonUser before the BasicAuthenticationModule does. In the HttpModule we decode the credentials with only one encoding (UTF-8) and call LogonUser only once. If that single attempt fails, the HttpModule immediately returns a 401.1 instead of allowing the request to continue on to the BasicAuthenticationModule, so a bad password now costs one failure instead of two. Two caveats: the ANSI fallback is gone, so a browser that encodes a non-ASCII password in its local code page will be rejected even when the password is right (test with the browsers and languages your users actually have); and the Win32 reason code should go to the IIS log only, with a generic status description sent to the client, because a description that distinguishes "wrong password" from "account locked out" or "account disabled" tells an attacker which user names are real. Below are some steps that you can take to get this set up. I understand that most of the people reading this are probably not developers so I am providing some "sample" code below that you can use.

1. Copy/paste the following code into notepad.

////////////////////////////////////////////////////////////////////////////
// BEGIN CODE

using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;
using System.Web;

namespace SampleCode
{
    // Runs ahead of the native BasicAuthenticationModule (Integrated pipeline only).
    // It decodes the Basic credentials exactly once (as UTF-8), calls LogonUser
    // exactly once and, on failure, ends the request with a 401.1 so that the
    // native module never gets the chance to make its second (ANSI) attempt.
    public class BasicLockoutWorkaround : IHttpModule
    {
        #region Imports
        // CharSet.Auto binds to LogonUserW on NT-based Windows, so the strings
        // always reach the API as UTF-16.
        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern bool LogonUser(
            string Username,
            string Domain,
            string Password,
            LOGON32_LOGON LogonType,
            LOGON32_PROVIDER LogonProvider,
            out IntPtr Token
            );

        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool CloseHandle(
            IntPtr handle
            );
        #endregion

        #region Enumerations
        public enum LOGON32_PROVIDER : uint
        {
            DEFAULT = 0,
            WINNT35 = 1,
            WINNT40 = 2,
            WINNT50 = 3
        }
        public enum LOGON32_LOGON : uint
        {
            /// <summary>Intended for users who will be interactively using the computer, such as a user being
            /// logged on by a terminal server, remote shell, or similar process. Caches logon information for
            /// disconnected operations, so it is inappropriate for some client/server applications, such as a mail server.</summary>
            INTERACTIVE = 2,
            /// <summary>Intended for high performance servers to authenticate plaintext passwords. LogonUser
            /// does not cache credentials for this logon type.</summary>
            NETWORK = 3,
            /// <summary>Intended for batch servers, where processes may be executing on behalf of a user without their
            /// direct intervention, and for higher performance servers that process many plaintext authentication
            /// attempts at a time, such as mail or Web servers. LogonUser does not cache credentials for this logon type.</summary>
            BATCH = 4,
            /// <summary>Indicates a service-type logon. The account provided must have the service privilege enabled.</summary>
            SERVICE = 5,
            /// <summary>For GINA DLLs that log on users who will be interactively using the computer. Can generate a
            /// unique audit record that shows when the workstation was unlocked.</summary>
            UNLOCK = 7,
            /// <summary>Preserves the name and password in the authentication package, which allows the server to make
            /// connections to other network servers while impersonating the client.</summary>
            NETWORK_CLEARTEXT = 8,
            /// <summary>Allows the caller to clone its current token and specify new credentials for outbound connections.
            /// Supported only by the LOGON32_PROVIDER_WINNT50 logon provider.</summary>
            NEW_CREDENTIALS = 9
        }
        #endregion

        #region Methods
        public void Init(HttpApplication application)
        {
            application.BeginRequest += new EventHandler(this.OnBeginRequest);
        }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpContext context = application.Context;

            string authorization = context.Request.ServerVariables["HTTP_AUTHORIZATION"];
            if (authorization == null ||
                !authorization.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            {
                // Not Basic credentials: nothing to do, let the pipeline continue.
                return;
            }

            string userName;
            string domainName = null;
            string password;

            try
            {
                // Decode "Basic <base64(user:password)>" exactly once, as UTF-8.
                // Invalid UTF-8 sequences become U+FFFD, so credentials a browser
                // sent in its ANSI code page fail here (one failed attempt, not two).
                byte[] bytes = Convert.FromBase64String(authorization.Substring("Basic ".Length).Trim());
                string credentials = new UTF8Encoding(false, false).GetString(bytes);

                int index = credentials.IndexOf(':');
                if (index == -1)
                    return;  // Malformed header: let the BasicAuthenticationModule reject it.

                userName = credentials.Substring(0, index);
                password = credentials.Substring(index + 1);

                // "DOMAIN\user" form; a UPN ("user@domain") is passed through with a null domain.
                index = userName.IndexOf('\\');
                if (index != -1)
                {
                    domainName = userName.Substring(0, index);
                    userName = userName.Substring(index + 1);
                }
            }
            catch (FormatException ex)
            {
                context.Trace.Write("OnBeginRequest", "Error decoding Authorization header: " + ex.Message);
                return;
            }

            IntPtr token = IntPtr.Zero;
            bool success;
            int errorCode = 0;
            try
            {
                // Exactly one logon attempt, so one bad password costs one bad-password count.
                success = LogonUser(
                    userName,
                    domainName,
                    password,
                    LOGON32_LOGON.NETWORK_CLEARTEXT,
                    LOGON32_PROVIDER.DEFAULT,
                    out token
                    );
                if (!success)
                    errorCode = Marshal.GetLastWin32Error();  // capture before any other API call
            }
            finally
            {
                if (token != IntPtr.Zero)
                    CloseHandle(token);
            }

            if (!success)
            {
                // The Win32 reason (wrong password, locked out, disabled...) is useful to the
                // administrator, so it goes to the IIS log. The client only gets a generic 401.1,
                // because a specific description would let an attacker tell real accounts apart.
                Win32Exception exception = new Win32Exception(errorCode);
                context.Response.AppendToLog("401Reason=0x" + errorCode.ToString("X") + " (" + exception.Message + ")");

                context.Response.Clear();
                context.Response.StatusCode = 401;
                context.Response.SubStatusCode = 1;
                context.Response.StatusDescription = "Unauthorized";

                // CompleteRequest() skips the remaining pipeline stages (including the
                // BasicAuthenticationModule) without the ThreadAbortException that
                // Response.End() raises; the enabled auth modules still add their
                // WWW-Authenticate challenge when the 401 is sent.
                application.CompleteRequest();
            }
        }

        public void Dispose()
        {
            // Nothing to release: the handler is unhooked when the HttpApplication
            // instance that called Init() is torn down.
        }
        #endregion
    }
}
// END CODE
////////////////////////////////////////////////////////////////////////////

2. Save the file as "c:\Windows\Microsoft.net\Framework\v2.0.50727\BasicLockoutWorkaround.cs"

3. Open a CMD prompt and change to the above directory.

4. Type the following (minus the quotes) and press enter:

"Csc.exe /noconfig /nowarn:1701,1702 /errorreport:prompt /warn:4 /define:TRACE /reference:C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.dll /reference:C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll /debug:pdbonly /filealign:512 /optimize+ /out:BasicLockoutWorkaround.dll /target:library BasicLockoutWorkaround.cs"

5. Create a BIN folder in the root of your IIS application (either the web site or the folder where your content resides).

6. Copy the resulting "BasicLockoutWorkaround.dll" and "BasicLockoutWorkaround.pdb" files into the BIN folder.

7. Open the IIS 7.0 manager

8. Select the same web site or application as mentioned in step 5.

9. Double-click the “Modules” icon.

10. Click "Add Managed Module..." in the upper right.

11. Enter "BasicAuth Lockout Workaround" for the name.

12. Click the drop-down and choose the "SampleCode.BasicLockoutWorkaround" item.

13. Click "OK"

14. In the upper right, click "View Ordered List..."

15. Select the "BasicAuth Lockout Workaround" item and move it above the "BasicAuthenticationModule" item using the arrows in the upper right.

16. DONE (Close the IIS manager, do a test etc)!

Note: If you have Visual Studio available, instead of following these exact steps it would be better to create a new class library project and sign the assembly with a strong-name key. Then, instead of putting the assembly in the BIN folder, install it in the GAC. This is especially important when you re-use the same assembly in multiple applications. For each application, ASP.NET loads every DLL in that application's BIN folder into the application's own AppDomain. If you have 30 applications, for example, even if they all point to the same location, everything in BIN gets loaded 30 times. In other words, you'll have BasicLockoutWorkaround.dll loaded 30 different times into the virtual memory of your IIS worker process. This leads to memory fragmentation and can cause OutOfMemoryException problems. For more information please see http://blogs.msdn.com/tom/archive/2008/02/18/high-memory-part-5-fragmentation.aspx

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1887 

Requirements:

  • Needs to be set up as a virtual directory (application) in IIS. 
  • Requires .NET framework 2.0 or higher configured on the virtual directory.

Notable Features:

  • Supports IIS 7.0 (useKernelMode / useAppPoolCredentials)
  • Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
  • Allows chaining of multiple hops (versus only a single backend)
  • Performs duplicate SPN check against all trusted domains.
  • /Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames
  • /Set/Delegation.aspx - Allows changing Trust for Delegation settings.
  • /Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.
  • /Report.aspx - Gives a picture of what is right and what is wrong.
  • /Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.
  • /Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer

Changes:

  • 7/15/2009 - Fixed problem with error stating IIS machine is not joined to a domain caused by HttpContext.Current being null on background threads.
  • 7/15/2009 - Added support for IIS 7.5's "ApplicationPoolIdentity" (Managed Service Accounts)
  • 7/27/2009 - Added code to strip leading slashes from the "hostName" entered into the wizard
  • 8/24/2009 - Fixed SetSPN.exe syntax suggested on Report.aspx
  • 8/24/2009 - Disabled ViewState on Test.aspx textboxes to address "HttpRequestValidationException"
  • 8/26/2009 - Now pass results of DomainController.FindOne to DirectoryEntry instead of NetBIOS domain names
  • 9/03/2009 - Added client-side javascript to Test.aspx to delete textbox value during postback. This fixes "dangerous characters" problem.
  • 9/30/2009 - Added a Search.aspx to allow searching of specific SPNs... for those that don't trust the Report.aspx output (you know who you are)
  • 11/16/2009 - Removed "Fix this for me" button when using an IP address for a host name.
  • 11/16/2009 - When a machine name cannot be determined for a DNS name, an additional suggestion is made regarding load balancing.
  • 11/19/2009 - Made a change to address the NullReferenceException being thrown due to code changes from 11/16
  • 12/03/2009 - Changed some code from ThreadPool.QueueUserWorkItem to Page.RegisterAsyncTask to avoid potential for crash in msvcrt!_purecall.
  • 8/11/2010 - Fixed problem with report.aspx saying to set SPNs on appPool user instead of machine account.

PROBLEM:

Windows 7 beta is available for download! Of course I immediately download it, format my laptop and install. Next step is to install Visual Studio 2008 so I can work on my various development projects. Unfortunately it kept failing with the following error:

The Application Data folder for Visual Studio could not be created.

TROUBLESHOOTING:

After searching for this error on the Internet and trying the available solutions, none of them fixed the problem. I tried disabling UAC, tried running Visual Studio as an Admin. Tried running in various compatibility modes. No-go. Next I tried running ProcMon.exe (Process Monitor) from SysInternals thinking perhaps it was a permissions problem or missing folder. There were no obvious "NOT FOUND" or "ACCESS DENIED" messages so that wasn't working out for me. So... I break out WinDBG.exe. Thankfully I have source access to Visual Studio since I support ASP.NET. After the above error pops up, I attach to devenv.exe and switch to the thread displaying the message box. I set the appropriate breakpoint in the source window that automagically pops up, save my workspace, set gflags.exe to launch devenv.exe under the debugger, then relaunch devenv.exe. This time the debugger "breaks in" at the beginning of the method responsible for raising the message box. After stepping through the code I see that we're failing in SHGetFolderPath when passing CSIDL_COMMON_APPDATA to it. Okay super... I try stepping into SHGetFolderPath to see why it is failing but don't have Win7 source code access so I don't get my trusty source window!! Instead, I realize I can run ProcMon again with a filter of "ProcessName = devenv.exe", then right before entering SHGetFolderPath I clear the ProcMon output. I F10 over SHGetFolderPath and doing so only returned about 7 lines of registry reads in ProcMon <whew>. After inspecting the contents of the key(s) displayed in ProcMon using RegEdit, I see there is some missing data.

RESOLUTION:

In RegEdit.exe, copy the settings from:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}

Into:
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}

Since Visual Studio 2008 is a 32-bit application, on 64-bit Windows the registry redirector sends its reads of HKLM\SOFTWARE to the corresponding Wow6432Node keys. Somebody apparently forgot to populate that particular 32-bit key. DevEnv.exe now launches for me. :-)

PROBLEM:

  When attempting to "run" an ASP.NET project on IIS 7.0 using Visual Studio 2008 the following error is displayed:

Unable to start debugging on the web server. The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)

RESOLUTION:

  Make sure that "Windows Authentication" is enabled in IIS on the applicable web application (web site or folder). Enable it only where you actually debug: every additional authentication scheme you turn on is one more way for a client to present credentials to that server.

NOTES:

That was a little frustrating for me at first. No hits anywhere in our knowledge base or on Live. I figured I would ignore this and come back to it later but after about a week I finally decided this isn't something I wanted to deal with constantly. I started to troubleshoot it versus waiting to find somebody else's solution. One of the first things Visual Studio does when trying to debug an ASP.NET application is make a DEBUG request (versus a GET or POST) to IIS. If all goes well for the DEBUG request, VS automatically attaches as a debugger to the ASP.NET worker process (w3wp.exe in this case) and to IEXPLORE.exe. So into the IIS logs I went to see the result of that DEBUG request. Here was the entry for my failed debug attempt:

#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-03 12:11:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status sc-substatus sc-win32-status time-taken
2008-06-03 12:11:16 ::1 DEBUG /WebApp/Default.aspx - 80 - ::1 - - 401 0 0 157

You may notice that this is a 401.0. Normally when a "browser" (VS2008 in this case) first makes a request it is always anonymous. Then after seeing a 401, it will follow up the first request with a second request that includes credentials. In the IIS logs we'd expect to see a 401.2 (unauthorized due to server configuration - i.e. I'm not accepting anonymous), then if using NTLM we'd see a 401.1 (NTLM challenge - i.e. you have only sent me half the credentials for that NTLM handshake) then finally a success status such as 200 (OK), 302 (Moved/Redirect), or 304 (Not Modified). Or if using Basic authentication or Kerberos there would be the 401.2 then the success status for the next log entry since those methods don't have a handshake. In my case here there was only a single 401 with no follow-up attempt. Hmm... Why no follow-up request with credentials? Next stop - IIS manager.
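As an added example that is not part of the original post, the following Python reads a W3C-format IIS log using its "#Fields:" header and labels each client's status sequence the way the paragraph above describes them. The log excerpt embedded in it is constructed for the example (only the first data line is the one from the post); the client addresses, user names and win32 status values are made up.

```python
# Constructed IIS 7.0 W3C log excerpt (not a real server's log). Four clients:
#   ::1       the failing DEBUG request from the post: one 401.0 and nothing else
#   10.0.0.5  an NTLM handshake: 401.2 -> 401.1 -> 200
#   10.0.0.6  a Basic or Kerberos single round trip: 401.2 -> 200
#   10.0.0.7  Basic with a bad password: 401.2 -> 401.1 -> 401.1
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-03 12:11:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status sc-substatus sc-win32-status time-taken
2008-06-03 12:11:16 ::1 DEBUG /WebApp/Default.aspx - 80 - ::1 - - 401 0 0 157
2008-06-03 12:12:01 10.0.0.1 GET /WebApp/Default.aspx - 80 - 10.0.0.5 Mozilla/4.0 - 401 2 5 3
2008-06-03 12:12:01 10.0.0.1 GET /WebApp/Default.aspx - 80 - 10.0.0.5 Mozilla/4.0 - 401 1 0 2
2008-06-03 12:12:01 10.0.0.1 GET /WebApp/Default.aspx - 80 CONTOSO\\bob 10.0.0.5 Mozilla/4.0 - 200 0 0 45
2008-06-03 12:13:10 10.0.0.1 GET /WebApp/Default.aspx - 80 - 10.0.0.6 Mozilla/4.0 - 401 2 5 1
2008-06-03 12:13:10 10.0.0.1 GET /WebApp/Default.aspx - 80 CONTOSO\\carol 10.0.0.6 Mozilla/4.0 - 200 0 0 40
2008-06-03 12:14:00 10.0.0.1 GET /WebApp/Default.aspx - 80 - 10.0.0.7 Mozilla/4.0 - 401 2 5 1
2008-06-03 12:14:02 10.0.0.1 GET /WebApp/Default.aspx - 80 - 10.0.0.7 Mozilla/4.0 - 401 1 1326 3
2008-06-03 12:14:05 10.0.0.1 GET /WebApp/Default.aspx - 80 - 10.0.0.7 Mozilla/4.0 - 401 1 1326 3
"""

SUCCESS_STATUSES = (200, 302, 304)


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the names in the
    '#Fields:' directive. Directives other than #Fields are skipped."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        rows.append(dict(zip(fields, line.split())))
    return rows


def status_sequences(rows):
    """Group the (sc-status, sc-substatus) pairs by client address and URL,
    in log order, so each client's authentication exchange can be read off."""
    sequences = {}
    for row in rows:
        key = (row["c-ip"], row["cs-uri-stem"])
        pair = (int(row["sc-status"]), int(row["sc-substatus"]))
        sequences.setdefault(key, []).append(pair)
    return sequences


def classify(statuses):
    """Name the exchange a status sequence describes, using the patterns from
    the post: 401.2 -> 401.1 -> success for NTLM, 401.2 -> success for Basic
    or Kerberos, a lone 401.0 when the server offered no scheme at all."""
    if statuses == [(401, 0)]:
        return "401.0 with no follow-up: no WWW-Authenticate challenge offered, client gave up"
    last = statuses[-1]
    succeeded = last[0] in SUCCESS_STATUSES
    if statuses[:2] == [(401, 2), (401, 1)] and succeeded:
        return "NTLM handshake completed"
    if len(statuses) == 2 and statuses[0] == (401, 2) and succeeded:
        return "single round trip completed (Basic or Kerberos)"
    if last == (401, 1):
        return "credentials rejected (401.1) %d time(s)" % statuses.count((401, 1))
    return "other"


def analyze(text):
    """Label every (client, URL) pair in the log."""
    return {key: classify(seq) for key, seq in status_sequences(parse_w3c(text)).items()}


if __name__ == "__main__":
    for (client, url), label in analyze(SAMPLE_LOG).items():
        print(f"{client:>10} {url}: {label}")
```

The "credentials rejected" count is the figure to watch on a server exhibiting the lockout problem from the first post: repeated 401.1 entries from one client against an account are what precede the lockout.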

 

After highlighting my "WebApp" folder and double-clicking "Authentication" (shown above) in the IIS manager I saw that only Anonymous was enabled. Oh right... IIS 7.0 is secure by default. VS was making its anonymous request and since IIS returned no "WWW-Authenticate" header specifying which auth method it would accept, VS quit there. IIS 7.0 has only Anonymous enabled by default and administrators have to consciously open up their server by enabling additional authentication types. After enabling "Windows Authentication" as well as leaving "Anonymous" enabled, debugging worked fine. Thanks for the great error!!

Hope this helped somebody.

 

If you have recently upgraded a Visual Studio .NET 2003 ASP.NET application project or a Visual Studio 2005 Web Application project to a Visual Studio 2008 ASP.NET Web Application project you may have noticed the following popup. Needless to say this makes it a little more difficult to connect remotely to your project in order to run and debug it:

Unable to create the virtual directory. Could not find the server 'http://remoteMachine' on the local machine. Creating a virtual directory is only supported on the local IIS server.

At this point I can only guess as to why connecting to a remote web application project no longer seems to work. I do have a few guesses but I won't bother mentioning what they are because inevitably somebody will tell me my guesses are wrong. Instead I thought I would share with you a relatively simple way to get back to work and remotely debug anyway.

In a nutshell, to remotely debug we want to run two instances of Visual Studio. One will be the "debugger" instance, and the other will be the "editor/compiler" instance.

Here are the steps.

  1. Install the Visual Studio 2008 Remote Debugger on your remote machine. You can find the installation file in the Remote Debugger folder on your Visual Studio 2008 installation disk.
  2. Once you have the remote debugger installed, run Visual Studio 2008 Remote Debugger Configuration Wizard from the start menu of the remote machine.
  3. Choose Run the "Visual Studio 2008 Remote Debugger" service. You could try running individual instances of the debugger but you may run into user rights or permissions related issues. Personally I prefer easy versus difficult. Your choice though.
  4. Leave the service user as LocalSystem and leave the password blank then click Next.
  5. If you see a Configure the Windows Firewall for Debugging option, choose the available option to suit your needs then click Next then Finished.
  6. Next in order to prepare your old project to be opened with minimal problems, open your vbproj or csproj file in notepad and remove the "IISUrl" related settings then save the project file.
  7. Back on your local workstation, open Visual Studio 2008 then click File --> Open --> Project\Solution... and browse to the UNC path where the project or solution file resides.
    • Example: \\someserver\C$\inetpub\wwwroot\RemoteWebApp\myapp.csproj
    • Note: If you are not an administrator on the remote machine then you cannot use the administrative "C$" share. Instead you will need to ask the administrator to create a share for you.
    • Note: If you are not an administrator on the remote machine you will also need to ask the administrator to add you to the "Debugger Users" group. Keep that group small: anyone in it can attach to the remote worker process, which amounts to running code under that process's account.
  8. You can leave the Web settings for the project properties set to Use Visual Studio Development Server or Use IIS Web server. It does not matter since we aren't going to be launching the project that way. If you do choose to create a virtual directory you will need to create it locally on your workstation, of course, to avoid the error mentioned above. This will actually create a virtual directory that points to the UNC path where your content lives.
  9. This first instance of Visual Studio will be used to edit source files and compile the application as necessary.
  10. From your local workstation, open a second instance of Visual Studio 2008 but do not open any projects.
  11. Click Tools --> Attach to process...
  12. Enter the appropriate remote server name in the Qualifier textbox then click the Refresh button near the bottom.
  13. Choose the correct remote process (aspnet_wp.exe or w3wp.exe for example) and click Attach
    • If there are multiple w3wp.exe processes running and you aren't sure which to pick you can run "cscript c:\Windows\System32\iisapp.vbs" on the remote machine to get the right PID. iisapp.vbs simply lists the running W3WP.exe processes along with their Application Pool name and PID.
    • If there are *no* processes running that you know you need to attach to, then you should make at least one request to http://someServer/RemoteWebApp in order to spawn the worker process.
    • To make retrieving the PID a little easier I have included some sample VBS code below to get it for you.
  14. Click File --> Open --> File and open the source file that you want to debug from your UNC path.
    • Example: \\remotemachine\C$\inetpub\wwwroot\RemoteWebApp\Default.aspx.cs
  15. Set a breakpoint somewhere.
  16. This second instance of Visual Studio will be used to "debug" your project
  17. Open IE and request your page and you should break at the desired location.

NOTE: Something you might want to do to avoid the need to attach over and over while writing your code is to disable the idle timeout settings and possibly the recycling settings of the application pool that your ASP.NET application is using in IIS. To find which application pool your application is using you need to go to the remote server and open the IIS manager. Then go into your application's properties and look at either the "[Virtual] Directory" tab or "Home Directory" tab depending on whether it is a web site or directory level application.

To find the application pool name go into the properties of your application.

To disable the AppPool idle timeout go into the properties of the correct AppPool:

 

And finally... here is a script I wrote to make obtaining your remote PID a little easier. To use this:

  1. Copy/paste the text below into notepad
  2. Save the file with a VBS extension
  3. Edit the first 3 variables machineName, appPoolName, and url so they are correct for your remote server.
  4. Run this from your workstation.
''''''''''''''''''''''''''''''''
' Variables
machineName = "remoteMachineName"      'This is your remote machine.
appPoolName = "DefaultAppPool"         'This is the AppPool your ASP.NET application is using.
url = "http://remoteMachineName/"      'This is the URL that will launch your AppPool.

wmiPath = "winmgmts://" & machineName & "/root/cimv2"
wmiQuery = "SELECT ProcessId, CommandLine FROM Win32_Process WHERE Name='w3wp.exe'"

''''''''''''''''''''''''''''''''
' Code execution begins
Set wmiObj = GetObject(wmiPath)

If Not ShowAppPoolPid() Then
	If (AskAboutRequestingPage() = vbYes) Then
		SpawnWorkerProcess()
		' Query again now that the request has had a chance to start w3wp.exe.
		If Not ShowAppPoolPid() Then
			MsgBox "Unable to locate PID for '" & appPoolName & "'"
		End If
	End If
End If

''''''''''''''''''''''''''''''''
' Methods

' Runs the WMI query each time it is called, so a worker process that was
' started after the script began is found. Returns True when at least one
' PID for the pool was shown.
Function ShowAppPoolPid()
	Dim wp, message
	message = ""
	For Each wp In wmiObj.ExecQuery(wmiQuery)
		If (UCase(appPoolName) = UCase(GetAppPoolId(wp.CommandLine))) Then
			message = message & vbCrLf & "   " & wp.ProcessId
		End If
	Next

	If (message <> "") Then
		MsgBox "'" & appPoolName & "' is running under the following PID(s):" & message
		ShowAppPoolPid = True
	Else
		ShowAppPoolPid = False
	End If
End Function

' Pulls the pool name out of the w3wp.exe command line, for example
'   w3wp.exe -ap "DefaultAppPool" -v "v2.0" ...
' [^"]+ stops at the closing quote; a greedy .+ would swallow every later
' quoted argument on an IIS 7.0 command line. CommandLine is Null when the
' caller is not allowed to read it, so that case is handled too.
Function GetAppPoolId(strArg)
	Dim re, Matches
	GetAppPoolId = ""
	If IsNull(strArg) Then Exit Function

	Set re = New RegExp
	re.Pattern = "-ap ""([^""]+)"""
	re.IgnoreCase = True
	Set Matches = re.Execute(strArg)
	If (Matches.Count > 0) Then
		GetAppPoolId = Matches(0).Submatches(0)
	End If
End Function

Function AskAboutRequestingPage()
	Dim message, style, title
	message = "'" & appPoolName & "' is not currently running on '" & machineName & "'. Would you like to make a request to '" & url & "' in order to spawn the process?"
	style = vbYesNo + vbCritical + vbDefaultButton2
	title = "AppPool not running"
	AskAboutRequestingPage = MsgBox(message, style, title)
End Function

' Requests the page with Internet Explorer and waits for the navigation to
' finish; serving that request is what makes IIS start the worker process.
Sub SpawnWorkerProcess
	Dim ie
	Set ie = CreateObject("InternetExplorer.Application")
	ie.Visible = True
	ie.Navigate url
	Do While ie.Busy Or ie.ReadyState <> 4    '4 = READYSTATE_COMPLETE
		WScript.Sleep 250
	Loop
	Set ie = Nothing
End Sub

Introduction 

Occasionally I am challenged with the task of needing to explain what the difference is between a "regular" variable and a "static" variable (called "Shared" in VB.NET). I use the term "challenged" not because the people I explain to aren't intelligent, but because it honestly is not a concept that is immediately clear for people that haven't had it explained to them before. Many people partially understand the concept of "object oriented" programming. But static variables are sort of like a step backwards from that which gets confusing. Anyway... last night I was working on a Severity A case (i.e. server is down... people are running around in a panic, thousands of dollars per hour are lost, CEO's are standing around looking for people to fire) where I found the root of the problem to be because of a static variable and I was having a tough time getting the concept across to the people I was helping. So I figured I'd see if I could come up with a good explanation here to save some time in the future.

So first... what is an "object"? If you don't know what an "object" is then you have no hope of understanding what a "static object" is.

You may have heard or read somewhere that "everything in .NET is an object." Okay great. But what the heck does that mean? Well, an object is basically like... I don't know... an object! Like a "real" object, as in a "noun". Maybe like a house. A house has parts in it that are always moving (refrigerator perhaps), things that just sit there (the couch), maybe has things that only do something when you turn them on or off (TV or faucet). So a house is an "object" that can have other objects in it. Or maybe it doesn't have other objects in it (house ready to be sold?). It all depends on the particular object that we've designed. Although "House" gives us a basic description of what this object is, there can be many different houses that are all still called "House". This is much the same as a programming object. It is basically a container of a particular format that can have other objects contained within it.

Okay, so let's make a "House" object in pseudo-C# terms. It might look like this.


class House
{
    string StreetAddress;
    string ResidentName;
    int ResidentCount;

    function TurnOn(string itemName)
    {
        if (itemName == "TV")
        {
            // Code to turn on the TV
        }
        else if (itemName == "Washer")
        {
            // Code to turn on the Washer
        }
        else
        {
            // Code to turn on all the Lights
        }
    }
}

Just the layout of a "House" object doesn't tell me a ton about any *specific* house. That's because this "class" is just a description of what a "House" should have. We can "create an instance" of one or more "House" objects like this:


House myHouse = new House();
House yourHouse = new House();
House dogHouse = new House();

The above code has set up a "new" section of memory that is used to store information about a particular House. Then we can perhaps set some of the values of each house:


myHouse.StreetAddress = "123 Street";
myHouse.ResidentName = "Brian Murphy-Booth";
myHouse.ResidentCount = 3;

yourHouse.StreetAddress = "456 Another Street";
yourHouse.ResidentName = "Some Person";
yourHouse.ResidentCount = 5;

dogHouse.StreetAddress = "Back Yard";
dogHouse.ResidentName = "Ollie";
dogHouse.ResidentCount = 1;

And finally... we can call our method to do something.


myHouse.TurnOn("lights");
yourHouse.TurnOn("TV");

As I go around and call the TurnOn("whatever") method on the different House objects that I have, each call affects only that specific "instance" of "House" that I'm calling it on. Each "House" has its own space in memory that has its own unique values. Therefore, calling myHouse.TurnOn("Lights") will only affect *my* house. Not yours. That's because there are 3 places in memory, each holding an isolated "instance" of House.

Okay. We're almost ready to look at what a "static" object is. But before I do, let's fix up our pseudo class so it looks closer to valid C# syntax.


public class House
{
    public string StreetAddress;
    public string ResidentName;
    public int ResidentCount;
    private bool Initialized;

    public void TurnOn(string itemName)
    {
        if (itemName == "TV")
        {
            // Code to turn on the TV
        }
        else if (itemName == "Washer")
        {
            // Code to turn on the Washer
        }
        else
        {
            // Code to turn on all the Lights
        }
    }
}

You can see that all I've really done is add some "access modifiers" like "public" and "private" to control who can get or set the variable values. The behavior of setting "ResidentName", etc. is essentially unchanged. The only difference now is that I've added an "Initialized" variable that can only be set by other methods inside of "House". For example... I cannot do:


myHouse.Initialized = true; // Can't do this

...since it is private. That's not really the important part of this Blog though, so let's move on. What if we "mistakenly" set one of our variables as "static"? Let's look at the following declarations that include that mistake.


public class House
{
    public static string StreetAddress;
    public string ResidentName;
    public int ResidentCount;
    private bool Initialized;

... etc etc...

}

Uh oh... that's trouble. "What will happen?", you ask. Let's look again at our example of setting the values on the different House objects that we've created.


myHouse.StreetAddress = "123 Street";
myHouse.ResidentName = "Brian Murphy-Booth";
myHouse.ResidentCount = 3;

yourHouse.StreetAddress = "456 Another Street";
yourHouse.ResidentName = "Some Person";
yourHouse.ResidentCount = 5;

dogHouse.StreetAddress = "Back Yard";
dogHouse.ResidentName = "Ollie";
dogHouse.ResidentCount = 1;

The end result here would be that "myHouse.StreetAddress", "yourHouse.StreetAddress", and "dogHouse.StreetAddress" would all have a value of "Back Yard". That's because when a variable is "static" there is only ONE version of the StreetAddress variable in all of the memory!! It is no longer associated with some unique "instance" of House. Think of a "static" variable as being similar to calling the local police station. It doesn't matter which House you call them from. The same phone will ring in the police station up the road. Ahh... but if there is only *1* copy of that StreetAddress variable (no "instance" versions) then there is actually a coding mistake above. Attempting to compile the above code would generate a compile error. It can actually only be like this:


House.StreetAddress = "123 Street";
myHouse.ResidentName = "Brian Murphy-Booth";
myHouse.ResidentCount = 3;

House.StreetAddress = "456 Another Street";
yourHouse.ResidentName = "Some Person";
yourHouse.ResidentCount = 5;

House.StreetAddress = "Back Yard";
dogHouse.ResidentName = "Ollie";
dogHouse.ResidentCount = 1;

In reality, since making it "static" means there can only be one copy, StreetAddress cannot be accessed using an "instance" name anymore (such as "myHouse"). There is one and only one version of StreetAddress in all of memory so we just say which object type we're referring to (House is a "type" of object) then set it directly (House.StreetAddress).

Abbreviated Real World Example:

I'll walk you through what was happening with the customer that I was helping last night. The configuration was something like this:

  • ShowInfo.aspx and ShowInfo.aspx.cs
  • DataBaseStuff.cs
  • In DataBaseStuff there was a "static" SqlConnection *variable* called myConnection
  • In DataBaseStuff there was a "static" SqlCommand *variable* called myCommand
  • In DataBaseStuff there was a "static" *method* named GetDataTable().
  • Page_Load was calling DataBaseStuff.GetDataTable(string userName) to get some data.
  • GetDataTable made use of the static myConnection object to retrieve data from SQL.
  • Page_Load assigned the resulting DataTable to a DataGrid.
  • Personal information for the logged in user was displayed on the web page.

The result? During peak hours for the web site, information for UserA was being shown to UserB. How did this happen?

  • ShowInfo.Page_Load() begins to execute for UserA.
  • ShowInfo.Page_Load() begins to execute for UserB.
  • UserA has DataBaseStuff.GetDataTable("UserA") called for them.
  • UserB has DataBaseStuff.GetDataTable("UserB") called for them.
  • UserA has something like "SELECT * FROM Users WHERE username='UserA';" assigned to the static myCommand object.
  • UserB has something like "SELECT * FROM Users WHERE username='UserB';" assigned to the static myCommand object.
  • UserA starts to pull data from SQL.
  • UserB starts to pull data from SQL.
  • Result: Since UserB's SQL query was the last one assigned to myCommand (which remember... there is only one version of this in all of memory), the myConnection object is using UserB's query for both users. UserB sees UserB's data. UserA sees UserB's data too.
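Added example (not the customer's code and not from the original post): a Python model of the interleaving listed above. A class attribute written through the type name stands in for the C# static field, the "SQL server" is a constructed in-memory dict, and each Page_Load is a generator so the two requests can be stepped in exactly the order the post describes; the corrected version keeps the method static but makes the command a local.

```python
from typing import Dict, Generator, List, Optional

# Constructed stand-in for the Users table in SQL.
USERS: Dict[str, str] = {
    "UserA": "UserA's private data",
    "UserB": "UserB's private data",
}


def run_query(sql: str) -> str:
    """Fake SQL engine for queries shaped like the post's SELECT statement."""
    name = sql.split("username='", 1)[1].split("'", 1)[0]
    return USERS[name]


class SharedDataBaseStuff:
    """Mirrors the customer's DataBaseStuff: ONE command for the whole process.
    The class attribute plays the role of the C# static field and, like
    House.StreetAddress, is written through the type name, never an instance."""
    my_command: Optional[str] = None

    @staticmethod
    def get_data_table(user_name: str) -> Generator[None, None, str]:
        # step 1: assign this user's query to the static (process-wide) field
        SharedDataBaseStuff.my_command = (
            f"SELECT * FROM Users WHERE username='{user_name}';")
        yield  # the worker thread can be preempted here by another request
        # step 2: execute whatever the static field holds *now*
        assert SharedDataBaseStuff.my_command is not None
        return run_query(SharedDataBaseStuff.my_command)


class PerRequestDataBaseStuff:
    """Corrected version: the method stays static (no 'new' needed from
    Page_Load), but the command is a local, so each request owns its own."""

    @staticmethod
    def get_data_table(user_name: str) -> Generator[None, None, str]:
        my_command = f"SELECT * FROM Users WHERE username='{user_name}';"
        yield  # same preemption point as above
        return run_query(my_command)


def interleave(requests: List[Generator[None, None, str]]) -> List[str]:
    """Round-robin scheduler: every request finishes step 1 before any
    request starts step 2, which is the ordering the post lists."""
    results: List[str] = [""] * len(requests)
    pending = list(range(len(requests)))
    while pending:
        for i in list(pending):
            try:
                next(requests[i])
            except StopIteration as finished:
                results[i] = finished.value
                pending.remove(i)
    return results


def page_load(impl, users: List[str]) -> Dict[str, str]:
    """What ShowInfo.aspx ends up showing each user under peak-hour overlap."""
    return dict(zip(users, interleave([impl.get_data_table(u) for u in users])))


if __name__ == "__main__":
    print("static command:", page_load(SharedDataBaseStuff, ["UserA", "UserB"]))
    print("local command :", page_load(PerRequestDataBaseStuff, ["UserA", "UserB"]))
```

With a single request the static version looks perfectly fine, which is why the bug only showed up during peak hours.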

Here are some questions I asked my customer after finding the problem.

Me: Why are the myCommand and myConnection variables "static"?
Customer: Because there was a compile error in GetDataTable when they weren't static.
I think: Hmm... not the best of reasons. But okay.

Me: That's because GetDataTable is static. Why is the GetDataTable method "static"?
Customer: Because when it is static I don't have to use "new" when calling it from ShowInfo.aspx.
I think: Okay. That's a valid reason.

Me: Well... that's a good reason to make it static. But... [So then I try for 20 minutes to explain what a static variable is.]

*The* reason you want to make a variable static is for scalability reasons. In my customer's example, it would not make sense to use the same SqlConnection and SqlCommand for multiple users because of the types of problems it could cause. It would, however, make sense to use the same connection string for multiple users. If you had 100 instances of DataBaseStuff in memory, you would not want to waste space by having 100 copies of the same connection string assigned to all 100 versions of DataBaseStuff. Instead, we'd make myConnectionString static so that it exists in memory only once (yes, I know what an "interned" string is. For all you experts: don't complicate my example!!).

Summary:

There are many different features of C# (and VB.net). Using "static" methods and variables can be a big plus relative to performance and scalability. The important caveat is just that you make sure you use the features in the way they were intended to be used! Doing something "just because" can cause unexpected results.

I'm interested in your feedback. If my explanation above doesn't make sense, let me know. Leave a comment with your email address and I'll see if there is something I can do to make it easier to understand. All comments must be approved by me first so I'll be sure not to publish your address.

 

An error that most IIS 6.0 administrators have probably encountered is "Event ID: 1009" which usually leads to a "503 Service Unavailable" error being displayed in a browser. "503" usually indicates the Application Pool has been disabled for some reason. The IIS support team frequently gets support calls to help resolve this issue and over the years I have compiled a list of steps I use to troubleshoot this. If the following information seems too confusing please let me know and I'll clarify any confusing points. The following list is broken down into different sections for the various "exit codes" that are in the Event 1009.

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

*** Problem Description ***
Many times when an IIS6 application pool terminates the following will be logged.

  1. The Name of the App Pool
  2. The PID
  3. The exit code.

The exit code is the most useful part of the event entry.

  Event Type: Warning
  Event Source: W3SVC
  Event Category: None
  Event ID: 1009
  Date:  1/29/2004
  Time:  10:01:14 AM
  User:  N/A
  Computer: COMPUTERNAME
  Description:
  A process serving application pool 'DefaultAppPool' terminated unexpectedly. The
process id was '3908'. The process exit code was '0x80'.

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

*** Resolution ***

Constants: 

// the WAS killed the worker process
#define KILLED_WORKER_PROCESS_EXIT_CODE 0xFFFFFFFD

// the worker process exited ok
#define CLEAN_WORKER_PROCESS_EXIT_CODE  0xFFFFFFFE

// the worker process exited due to a fatal error
#define ERROR_WORKER_PROCESS_EXIT_CODE  0xFFFFFFFF

-----------------------------------------------------------
Concepts that apply to exit codes of both 0x80 and 0xffffffff
  · Make sure "Network Service" and "IWAM_MACHINE" are members of IIS_WPG
  · If a custom identity is being used for the app pool ensure it is in IIS_WPG
  · Make sure that IIS_WPG is included somehow in these User Rights assignments
(example: Everyone group includes IIS_WPG so that is sufficient)
      a. Access this computer from network
      b. Log on as batch job
      c. Bypass traverse checking
  · Ensure that IIS_WPG or members of that group are not in any of the
corresponding "Deny" User Rights
  · Ensure that "NT AUTHORITY\Authenticated Users" and "NT AUTHORITY\Interactive"
are part of the "Users" group.
  · Use FileMon.exe and RegMon.exe to identify ACC DENIED's.
  · If customer has more than ~60 app pools with unique identities, set the
following key:
      HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\UseSharedWPDesktop
(REG_DWORD with value of 1)
-----------------------------------------------------------
The process exit code was '0x80'.
  In certain cases when w3wp.exe goes away IIS will attempt to determine the exit code by calling the "GetExitCodeProcess" API.
  If the reason cannot be determined by this API then the code returned is 0x80.
  "0x80" means "ERROR_WAIT_NO_CHILDREN" which means "There are no child processes to wait for".

  This typically means the W3WP.exe never started at all which could be User-Rights related or
NTFS permissions.
  If it is NTFS permissions, that means the AppPool identity doesn't have read
permission to the w3wp.exe file and/or supporting DLLs
  - Use FileMon to troubleshoot
  If it is User Rights related then the AppPool identity failed to logon.
  - Check the 3 User Rights listed above.
-----------------------------------------------------------
The process exit code was '0xffffffff'.
  Means the W3WP.exe process partially started but could not load a dependency for
some reason.
  This is either permissions/security related or due to mismatched DLL's.
  Try running the AppPool as "Local System"
  - If this works it is a permissions problem for the AppPool Identity. Check the
following "Scenarios" section then follow the "concepts" section above
  - If this fails using System it is a mismatch or missing DLL problem. Check
scenario #1 below then follow the "Loader Snaps" section

Scenarios for 0xffffffff

  1. The first thing that should be checked is whether a Windows Service pack is installed
    - If it is, verify that "c:\windows\System32\instsrv\w3core.dll" is either the
RTM version or SP1 version.
    - If it is the RTM version then reapplying the service pack should fix the problem.

  2. Is this IIS server a DC and have you reinstalled IIS on another DC?
    I have had two cases where there was a permissions failure reading nodes in the
metabase
    When installing IIS it creates an IIS_WPG group with a somewhat random SID.
    Permissions in the metabase are then set using this unique version of
IIS_WPG.
    When removing IIS on a DC it will delete the IIS_WPG group, if Win2k3 SP1 is
not installed, which is used by all the other DC's running IIS
    When then adding IIS back on to this DC, a new IIS_WPG group is created that
has a new SID
    The pre-existing permissions (older SID) in the other metabases will have
"Unknown User" for the permissions and spawning W3WP.exe under anything other than
SYSTEM will fail with 0xffffffff
    - I found this by enabling Tracing then searching through source code.
    - If you get a Debug Trace using DbgView.exe look for a line that says:
        w3core!W3_SERVER::Initialize [\w3server.cxx @ 526]:Error reading
UseDigestSSP property.  hr = 80070005
    - However It would be easy enough to skip Debug Tracing and just look at the
following nodes using Metabase Explorer.
    - IIS_WPG needs permissions to the following nodes:
      1. MachineName - Read
      2. w3svc/1/Filters (or any other filters node) - Read/Write
      3. w3svc/AppPools - Special (Query Unsecure Property)

  3. Has the customer modified default DCOM security?
    - We have run into an issue where the customer had modified
the default Launch and Activation Permissions in Component Services.
    - The customer removed Local Launch and Local Activation for the Everyone
group.
    - Here is the section of loader snaps output that is a hint of this scenario:

LDR: LdrGetProcedureAddress by NAME - CoMarshalInterface
LDR: LdrGetProcedureAddress by NAME - CoUnmarshalInterface
LDR: LdrGetProcedureAddress by NAME - CoReleaseMarshalData
(15c8.914): Unknown exception - code 80070005 (first chance)
LDR: UNINIT LIST
          (1) [iisres.dll] c:\windows\system32\inetsrv\iisres.dll (0) deinit 0
LDR: Unmapping [iisres.dll]
LDR: Derefcount IISMAP.dll (0)

-----------------------------------------------------------
The process exit code was '0xc0000005'.
  This is a crash.
  Troubleshoot using a Debugger. (Debug Diagnostics)
-----------------------------------------------------------
The process exit code was '0xff'.
  Process shut down "gracefully" for some reason.
  Troubleshoot as a crash and see who called TerminateProcess or ExitProcess.
-----------------------------------------------------------
The process exit code was '0x0'.
  This would be typical if you had w3wp.exe configured to launch under a debugger
and you never did a "Go" in the debugger windows.
  Launch gflags.exe and clear the debugger setting for w3wp.exe
-----------------------------------------------------------
Loader Snaps Section - These steps are not for getting memory dumps. This explains
how to easily get the reason that a module (DLL) failed to load which is one reason for a 0xffffffff.

  1. Send customer "gflags.exe" (can be obtained from Debugging Tools for
Windows)
  2. Double-click gflags.exe
  3. Go to the "Image File" tab
  4. Enter "w3wp.exe" for the image then press "tab"
  5. Put a check in "Show loader snaps"
  6. Put a check in "Debugger" and enter
        "NTSD.exe -logo c:\temp\LDR.log -g -G -r 0" (<-- that is a zero)
  7. Ensure the folder from the previous step has adequate read/write permissions
for the Identity that is launching the AppPool.
  8. Ensure that the AppPool is enabled
  9. Reproduce the problem. - At this point w3wp.exe should spawn under NTSD.exe,
write to the log, then shut down.
  10. Have customer send the LoaderSnaps.log output found in the c:\temp folder.
  11. Search for the text of "exception" or "failed" (you'll probably find what you
want near the end of the log)
  12. Look up the listed error number using err.exe or hrplus.exe. The DLL that it
is having trouble on is the line just previous to the "exception/failed" line.
  13. Take the logical steps to address whatever the error is describing.

  Notes - Don't forget to reverse these settings when done.
            - If you identify a DLL that is the wrong version usually simply
reapplying the relevant hotfix or service pack will resolve the issue.
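Added example, not part of the original post: steps 11 and 12 above done with a script over a constructed LDR.log (modelled on the loader-snaps excerpt in scenario 3) instead of by hand. The code-name tables are a small subset of what err.exe resolves; the HRESULT-from-Win32 decoding (0x8007xxxx carries the Win32 error in its low 16 bits) is the standard HRESULT layout.

```python
import re
from typing import Dict, List, Optional

# Constructed LDR.log, modelled on the loader-snaps excerpt in scenario 3.
SAMPLE_LDR_LOG: List[str] = [
    "LDR: LdrGetProcedureAddress by NAME - CoMarshalInterface",
    "LDR: LdrGetProcedureAddress by NAME - CoUnmarshalInterface",
    "LDR: LdrGetProcedureAddress by NAME - CoReleaseMarshalData",
    "(15c8.914): Unknown exception - code 80070005 (first chance)",
    "LDR: UNINIT LIST",
    "          (1) [iisres.dll] c:\\windows\\system32\\inetsrv\\iisres.dll (0) deinit 0",
    "LDR: Unmapping [iisres.dll]",
    "LDR: Derefcount IISMAP.dll (0)",
]

# Small subset of the codes err.exe would resolve; enough for loader failures.
WIN32_NAMES: Dict[int, str] = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    126: "ERROR_MOD_NOT_FOUND",
    127: "ERROR_PROC_NOT_FOUND",
    193: "ERROR_BAD_EXE_FORMAT",
}
NTSTATUS_NAMES: Dict[int, str] = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000007B: "STATUS_INVALID_IMAGE_FORMAT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
}


def decode_code(code: int) -> str:
    """Turn a raw 32-bit code into words, the way err.exe would."""
    if code >> 16 == 0x8007:          # HRESULT_FROM_WIN32(): facility WIN32
        win32 = code & 0xFFFF
        return f"Win32 error {win32} ({WIN32_NAMES.get(win32, 'see err.exe')})"
    if code in NTSTATUS_NAMES:
        return f"NTSTATUS {NTSTATUS_NAMES[code]}"
    return "unrecognised; look it up with err.exe or hrplus.exe"


def triage(lines: List[str]) -> Optional[Dict[str, object]]:
    """Steps 11 and 12: find the first 'exception'/'failed' line, pull its
    code, and name the line just before it as the suspect module/import."""
    for idx, line in enumerate(lines):
        if not re.search(r"exception|failed", line, re.IGNORECASE):
            continue
        match = re.search(r"\b(?:0x)?([0-9A-Fa-f]{8})\b", line)
        code = int(match.group(1), 16) if match else None
        return {
            "line_no": idx + 1,
            "line": line.strip(),
            "suspect": lines[idx - 1].strip() if idx else "",
            "code": code,
            "meaning": decode_code(code) if code is not None else "no code on the line",
        }
    return None


if __name__ == "__main__":
    for key, value in (triage(SAMPLE_LDR_LOG) or {}).items():
        print(f"{key:8}: {value}")
```

On the sample the result is an ERROR_ACCESS_DENIED right after the COM marshalling imports, which is the DCOM-permissions hint scenario 3 describes.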
 


<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

Where is the tool?

  For 2.0+ framework - IIS 6.0, 7.0, 7.5 - http://blogs.iis.net/brian-murphy-booth/archive/2009/04/22/delegconfig-v2-beta.aspx

  For 1.1 framework - IIS 5.0, IIS 6.0 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434 

What is this tool?

  This is an ASP.NET application that I wrote a couple years ago that is meant to be called from Internet Explorer on an actual client machine. The tool (aspx page) attempts to look at all the common settings that contribute towards successful Kerberos authentication and delegation. I had originally written a simple ASP page for my co-workers to demonstrate how to see whether a request had authenticated with Kerberos or NTLM by doing Response.Write Request.ServerVariables("HTTP_AUTHORIZATION"). After a little while I decided "why stop there?!" The tool will now check all the common pitfalls of Kerberos authentication except for a couple issues that I can't check for when the web request fails entirely (if my page won't even run, how can I check those settings?).

I'd like to hear your feedback!! If you have problems, constructive criticism, or praise please let me know. If you have comments or suggestions that will benefit the masses, I'll try to find time to implement your suggestions into the tool.

Usage Tips:

  • READ THE "Explanation" SECTIONS!! This tool is meant to be a teacher. If you don't read your material, you probably aren't going to understand what to do or at least why you're doing something that it suggests you do.
  • Did I mention that you should read the "Explanation" sections?? Do it!!
  • There are some "Fix This" buttons that help automate addressing issues. Although it isn't 100% clear in some of the output, it is probably easiest to use the "Fix This" buttons instead of manually following any KB articles that are also included in the output. You can, however, do whichever you prefer since either method should fix the applicable configuration problem.
  • If the DelegConfig tool doesn't work as expected, please see the "KNOWN PROBLEMS AND WORKAROUNDS" section below
  • If you end up making changes to your configuration based on what the tool reports, it is common that you'll need to log on/off the workstation machine and/or restart the IIS service or back-end service before you see Kerberos/Delegation start to work as desired.
  • Part of "Delegation" is authenticating with a back-end service. Don't forget to add the back-end server information with the applicable hyperlink to make sure everything looks good there too.

---------------------------------------------------------------
REQUIRED COMPONENTS:
---------------------------------------------------------------
  1. All files in this ZIP are required for the ASPX page to operate properly.
  2. ASP.NET version 1.1.4322.2300 or higher (also works with v2.0.50727) must be installed on the IIS server.

---------------------------------------------------------------
OPTIONAL COMPONENTS:
---------------------------------------------------------------
  1. For more accurate results the .Net framework should be installed on the Workstation/Client

---------------------------------------------------------------
SETUP:
---------------------------------------------------------------
  1. Unzip files to desired location that is *local* to the IIS server.
  2. In the IIS MMC create a new virtual directory that points to the folder with the unzipped files.
  3. Configure the virtual directory as an IIS application
    a. In the IIS MMC right-click the vDir and choose Properties.
    b. On the "Virtual Directory" tab click "Create" (if already configured as an IIS app you'll see a "Remove" button instead)
  4. Ensure that "Scripts Only" (recommended) or "Scripts and Executables" is enabled for this vDir.

---------------------------------------------------------------
USAGE:
---------------------------------------------------------------
  1. View the Default.aspx page through a web browser with an address such as "http://MyServer/MyVirtualDirectory/"

---------------------------------------------------------------
KNOWN PROBLEMS AND WORKAROUNDS.
---------------------------------------------------------------
General:
  Generally speaking if there are any problems running this tool's Default.aspx page (errors of any sort) it is probably because Kerberos isn't working yet. :-p. In that case it is best to start by requesting the page locally from the IIS server. Certain types of problems only exist when IE attempts to connect to IIS using Kerberos and Kerberos is usually not used when local to the IIS server. Requesting the Default.aspx locally from the server will avoid many types of problems this DelegConfig tool can encounter. Once you can get this page working locally from the IIS server the tool will then report some of the problems that could affect Kerberos and/or Delegation. Once some of those items are addressed and Kerberos is closer to working you may be able to do additional checks by requesting the ASPX page from a remote IE machine.

--------------
Problem:
[HttpException (0x8007052e): Failed to start monitoring changes to '\\ServerName\ShareName'.]

  ASP.net uses a hierarchical system of reading configuration files starting with Machine.Config, then web.config from the root of the web site, then finally web.config file from the virtual directory the ASPX application is running. Any time one of these files changes, IIS wants to be able to reload the file and restart the web application to ensure the most recent configuration is being used. If the dot net framework is not able to read from the root of the web site using the ASPNET account, this error will be returned. This is typical of when the home directory is a UNC path.

Workaround:
  1. If running IIS 6.0 this can sometimes be fixed by disabling "Run www service in IIS 5.0 Isolation Mode".
  OR
  2. To ensure that ASPNET can read from the root of the web site, temporarily change the "Home Directory" of the site to a local path. Once you have resolved the Kerberos and Delegation issues based on the results of the ASPX application you can change the home directory back to the desired UNC path.


--------------
Problem:
  Continuous password prompt with underlying 401.1 response. There are 2 common possibilities for this.

Additional Information:
  Looking in the security event logs shows:

POSSIBILITY ONE (notice the Logon Process of Kerberos):
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 529
  Date:  1/1/2005
  Time:  6:00:00 PM
  User:  NT AUTHORITY\SYSTEM
  Computer: COMPUTERNAME
  Description:
  Logon Failure:
    Reason:  Unknown user name or bad password
    User Name: 
    Domain:  
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos

Workaround:
  You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
  http://support.microsoft.com/?id=871179

POSSIBILITY TWO (notice the strange Logon Process):
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Logon/Logoff
  Event ID: 537
  Date:  1/1/2005
  Time:  6:00:00 PM
  User:  NT AUTHORITY\SYSTEM
  Computer: COMPUTERNAME
  Description:
  Logon Failure:
    Reason:  An error occurred during logon
    User Name: someuser
    Domain:  SOMEDOMAIN
    Logon Type: 3
    Logon Process: Ðù²
    Authentication Package: NTLM
    Workstation Name: COMPUTERNAME
    Status code: 0xC000006D
    Substatus code: 0x0
    Source Network Address: 127.0.0.1

Workaround:
  You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
  http://support.microsoft.com/?id=896861

Note: All of your Kerberos configuration questions can be answered by using the DelegConfig tool that I wrote. You can find that tool here 

Literally 99% of all Kerberos problems revolve around an incorrect, missing, or duplicate ServicePrincipalName (SPN). To be honest, the concept of an SPN is so simple that I am often confused that other people don't understand even after I explain. I suppose it is the 5+ years that I've had of helping people configure and troubleshoot Kerberos related issues that have finally made it all clear to me ;-p. I like to think in simple terms instead of making things complex. This is a carry-over from my Algebra-1 days when my teacher used to pick the easiest problem possible when explaining a concept.

Think of an SPN as a “username” used to identify a program that is busy dealing with credentials. And we're only allowed to talk to this program using its “username”. PERIOD. Simple! Yes, that's all an SPN is: a "username". And as with any username, the name itself isn't really that important. It is merely there to make identifying a person (or entity) easier for humans to remember. In this particular case, however, there are some naming conventions for this "username". Okay, so what username (SPN) is the right one? And where do we set it? These 2 questions are where all the confusion lies. We split the SPN into 2 parts and occasionally 3 parts: The first part is the “service type” and the second part is the “host name”. And sometimes the 3rd part is present which is the “port”. In the end, however, all these different parts are simply used to come up with this "username" that we call the ServicePrincipalName.

Let’s say I wanted to connect to a process called BrianService.exe. And the DNS name to route my connection was blah.overthere.com. As the designer of this weird service I might come up with a “service type” of BRIAN. So the SPN would be BRIAN/blah.overthere.com. Okay, and where do we set that? Simple, simple, simple. If my BrianService.exe process is running under “DOMAINNAME\someAccount” then we’d set the BRIAN/blah.overthere.com SPN on “DOMAINNAME\someAccount”. If my process (BrianService.exe) were running as something like “Network Service”, “Local Service”, or “Local System” then I’d set BRIAN/blah.overthere.com on the computer account itself that is running that process. If you ever change the account that is running your program then you need to remove the SPN from the original account and set it on the new account because we can't have the same username assigned to multiple "people" (or accounts in our case).

Recap. An SPN is just a *name* that we've given to a "service" which is in the format of ServiceType/HostName and occasionally ServiceType/HostName:PortNumber. And it is set on whichever account is handling authentication for that service. I should also note that you as an administrator don’t get to pick whether you use a port. I used to think that maybe I could throw a port number on an SPN if I wanted to make it more secure. But it is the client application that has the decision built in on whether to use a port.

Okay, so let’s make this more complicated by using more realistic names. But while I do that I want you to maintain faith in what I just explained above regarding how simple these concepts are. Let’s say you’re connecting to an IIS server with a machine name of “iis-prod-01”. And let’s say the active directory domain name is “company.com.” In Internet Explorer you use an address of http://someInventedName. The “application pool” (i.e. the w3wp.exe process) is running under the account of “COMPANY\myserviceAccount”. With the knowledge that the web service’s Kerberos “service type” is “HTTP” (don’t confuse this with the browser’s protocol type) you’re probably thinking we can set an SPN of “HTTP/someInventedName” on “COMPANY\myserviceAccount”. Doh!! Sorry no. Almost, but Kerberos would probably not work with that. The problem with that idea is that you have to know how name resolution is working also because it is ultimately name resolution that dictates what the "host name" part of the SPN should be. If you open a CMD prompt and ping someInventedName, it will most likely resolve to someInventedName.company.com. Therefore the SPN that “IE” will request is “HTTP/someInventedName.company.com”. IE was not programmed to request an SPN using the port so that part of the SPN is not needed nor can it ever be used. What if the ping did show the name as just “someInventedName”? Then IE would in fact use Kerberos with an SPN of “HTTP/someInventedName”. When dealing with NetBIOS names, because name resolution can be affected by many things, the key is to make sure an SPN of both “HTTP/someInventedName” and “HTTP/someInventedName.company.com” are set on the “COMPANY\myserviceAccount” account. Or the way I prefer to say that is you need to create an SPN that represents both the NetBIOS name and the Fully Qualified name.

Okay, so I can hear what many of you are thinking. “But I thought that KB article said to set the SPN on the computer account!” Well, yes, that would be accurate *IF* the process handling authentication was running as “SYSTEM”. If the process for that service is not running as SYSTEM (or Network Service, or Local Service) then you can’t set the SPN on the computer account (well you can but Kerberos isn’t going to work).

Recap 2: An SPN should actually be in the format of ServiceType/NetBIOSName *and* ServiceType/FQDN. And we *always* set that on whatever account is running the process that is handling the authentication. Read the above paragraphs a couple times and just maintain faith that it is really that simple. Don’t complicate it with questions!!

I want to mention one last thing before I go. Whenever a computer is joined to a domain, it is assigned 2 SPN's by default: HOST/netbiosName, and HOST/FQDN.com. netbiosName being the machine name of the computer you're joining to the domain, and FQDN.com being the fully qualified machine name. These two SPN's use the generic "HOST" service type which includes all the various services that *come* with Windows. Therefore, if you connect to http://machineName or http://machineName.company.com, you will already have SPN's set that will handle Kerberos when using those names. Or if you connected to \\machineName\SomeShareName you'd also be all set for Kerberos (UNC's need a "CIFS" SPN which is included under "HOST" also). For a full list of the different service types included in HOST please see Table 1 of this technet article.

--Brian Murphy-Booth

Note: Although you can get Visual Studio .NET 2003 to work properly on Vista, Microsoft does not support this scenario. "Not supported" doesn't mean "won't work". It just means that if you run into any trouble you can't call the MS support line for assistance with this issue. Microsoft does, however, fully support *running* a .NET v1.1 app on Vista.

Because I support both IIS and ASP.NET here at Microsoft, I find it necessary to have both "Visual Studio .NET 2003" and "Visual Studio 2005" installed. I need to be able to effectively troubleshoot issues for whatever product our customers need help with. But like any other tech junkie, I like to have the latest-and-greatest OS installed so that I can learn the various features of the OS through day-to-day use. For this reason, I have Windows Vista installed on my primary machine. But, particularly when I was less familiar with the IIS 7.0 UI, getting ASP.NET 1.1 to run on IIS 7.0 was frustrating. Here are some of the errors I encountered while trying to get this set up:

Microsoft Development Environment
Error while trying to run project: Unable to start debugging on the web server. Could not start ASP.NET or ATL Server debugging.
Verify that ASP.NET or ATL Server is correctly installed on the server.

Microsoft Development Environment
Error while trying to run project: Unable to start debugging on the web server. You do not have permissions to debug the server.
Verify that you are a member of the "Debugger Users" group on the server.

ASP.NET Version Mismatch
Visual Studio .NET has detected that the Web server is running ASP.NET version 1.0. The Web application you are creating or opening can be configured to be compliant with ASP.NET 1.0.
However, the application will not be able to use new features from ASP.NET 1.1.

To set this up properly so the above errors don't occur, follow these steps.

1. Ensure that .NET 1.1 --->SP1<--- or higher is properly installed.

  1. Vista does not include .NET v1.1 by default.
  2. Because .NET 1.1 is not included by default, .NET v1.1 *SP1* is also not included.
  3. Without SP1, W3WP.exe will crash when running an appPool under v1.1 due to DEP
  4. To check this, make sure that c:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll is version 1.1.4322.2032 or higher.
  5. Unless you are 100% sure that SP1 for .NET is installed, you *really* should double-check this.

2. Enable IIS 6.0 compatibility

  1. Open Control Panel
  2. Double-click Programs and Features
  3. Expand Internet Information Services
  4. Expand Web Management Tools
  5. Check IIS 6 Management Compatibility

3. Register v1.1 with IIS

  1. Open a CMD prompt
  2. Change your directory to c:\Windows\Microsoft.NET\Framework\v1.1.4322
  3. Run "aspnet_regiis -ir"
  4. "ir" registers v1.1 with IIS but doesn't change any existing script mappings
  5. aspnet_regiis should also create a new AppPool under "Application Pools" called "ASP.NET 1.1" that is configured with the "Classic" pipeline, and with "Enable32BitAppOnWin64" set to true on a 64-bit OS.

4. Make sure IIS permits running ASP.NET.

  1. Open the IIS manager. 
  2. Highlight your Computer Name.
  3. Double-click ISAPI and CGI Restrictions
  4. Select ASP.NET v1.1.4322
  5. Click Allow in the Actions section in the upper right.


5. Make the new ASP.NET 1.1 appPool the default.

  1. Open the IIS manager
  2. Select the Sites folder.
  3. Under Actions on the upper right, click Set Web Site Defaults...
  4. Change the Application Pool setting to ASP.NET 1.1


6. **ALTERNATIVE step to 5** - Change the AppPool to ASP.NET 1.1 -->after<-- creating the ASP.NET project instead of making it the default.

  1. Create the v1.1 ASP.NET project via Visual Studio. Attempting to run the project at this point will fail if the 1.1 appPool is not the default.
  2. Open the IIS manager.
  3. Right-click the newly created application directory and choose Advanced Settings
  4. Change the Application Pool to ASP.NET 1.1
  5. Go back to Visual Studio and attempt to run/debug project.

Happy coding!!