IIS/ASP

Contents

  1. Q: In ASP.NET, how do I determine why my assembly isn't being loaded?
  2. Q: What is the syntax of /configuration/system.webServer/handlers/add@type?
  3. Q: In ASP.NET, I get the Fusion log error "WRN: Comparing the assembly name resulted in the mismatch: NAME", but the name specified in the type attribute matches the filename exactly. How do I fix this?
  4. Q: In an ASP.NET configuration/system.web/handler/add node, is it necessary to specify the assembly name?
  5. Q: My ASP.NET application cannot find the handler I specified with the error "Could not load file or assembly", even though it is in the correct directory. Why?
  6. Q: I am unable to view symbols when debugging an IIS HttpHandler/HttpModule, with the error "Cannot obtain the value of '<name>' as it is not available", but I'm using a debug build. How do I fix this?
  7. Q: Why do .NET 3.5 and above JSON web services return their results inside a root "d" property?
  8. Q: How do I secure an ASMX web service to prevent the default method helper web page, WSDL, and make ASP.NET secure access to this page as it does other ASPX pages?
  9. Q: In IIS7, how do I configure an application pool to use .NET 3.5?  Only 2.0 and 4.0 are listed.
  10. Q: In ASP.NET, I got the error "error CS0234: The type or namespace name 'Linq' does not exist in the namespace " when adding an ASPX/ASMX file to an existing web application.  How do I fix this?
  11. Q: I can't call an ASMX service I added to an existing web application with error 500s.  The application has a handler for ASMX files.  How do I fix this?
  12. Q: In IIS, where are the default handler mappings defined?
  13. Q: I can't place a breakpoint in an ASP.NET application after updating the backing assembly and source code.  Visual Studio only places empty-circle breakpoints.
  14. Q: In .NET, how do I get a WindowsIdentity object from a SID?
  15. Q: I get an error 500 Unknown web method when calling an ASMX WebMethod via JSON where the remoting contract is specified using an interface.  It worked fine before using the interface.  How do I fix this?
  16. Q: WinHttpCert fails to grant rights to an AppPool virtual account reporting "No account information was found".  How do I fix this?
  17. Q: I modified a few ASPX files, then when IIS 7.5 (Server 2008) serves them they appear to have no content.  For example, RDWeb's default.aspx.  How do I get the pages to work again?
  18. Q: I can't debug an ASPX file that lives in a virtual directory:  breakpoints won't set and are never triggered.  How do I fix this?
  19. Q: How do I configure an IIS web application to require SSL?
  20. Q: How do I grant folder rights to an IIS AppPool Account?
  21. Q: What is the proper syntax for Microsoft.Web.Administration.Configuration.GetSection's locationPath argument?
  22. Q: In IIS, how do I configure a feature setting, such as IP Security, for an individual file in an application via IIS manager?
  23. Q: When configuring IIS via the C# Microsoft.Web.Administration API, how do I configure an IIS feature for a specific folder?
  24. Q: When configuring IIS via the C# Microsoft.Web.Administration API, how do I configure a feature setting for an individual file, for example, set via the location element?
  25. Q: How do I set an environmental variable for a FastCGI handler mapping?
  26. Q: I get a 403 Forbidden error when trying to access files on a CGI (PHP) web site served by the StaticFileHandler, after reducing the web app file rights to the AppPool+Administrators only.  Why?
  27. Q: I get a "Provider load failure" when using the IIS WMI provider (root\WebAdministration) as an administrator but not elevated.  It works if I elevate.  How do I make this work non-elevated?
  28. Q: I get a "Configuration Error: An error occured creating the configuration section handler" for my custom ASP configuration section.
  29. Q: When using a .NET runtime class type as a property, like System.Net.IPAddress, I get the error "The value of the property 'IP' cannot be parsed. The error is: Unable to find a converter that supports conversion to/from string for the property 'IP' of type 'IPAddress'."
  30. Q: How do I access the data for a custom ConfigurationSection from my HttpModule?
  31. Q: When I call Microsoft.Web.Administration.Application.GetWebConfiguration().GetSection() from outside IIS, such as in an install, I get an exception "The configuration section cannot be read because it is missing schema declaration".
  32. Q: When I call Microsoft.Web.Administration.Application.GetWebConfiguration().GetSection() from outside IIS, such as in an install, I get an exception "System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for DuoIpSecurity: Could not load type '<Your type here>' from assembly 'System.Web, Version=4.0.0.0...
  33. Q: I've declared a custom configuration section, but when trying to get its object via OpenWebConfiguration/GetSection, I get an error System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for DuoIpSecurity: Could not load type.
  34. Q: In an install, WebConfigurationManager.GetSection() returns NULL, but my code is creating a correct configSections/section element.
  35. Q: My ASP application returns error 503 on all requests and the AppPool reports Stopped.  Why?
  36. Q: My custom configuration section is not saved when calling Commit on Microsoft.Web.Administration.ServerManager.
  37. Q: In ASP, how do I get a full pipeline trace?
  38. Q: In ASP, how do I control certificate validation?
  39. Q: In ASP, how do I debug a certificate validation problem to find out why validation failed?
  40. Q: How do I create a self-signed HTTPS certificate for IIS?
  41. Q: I'm trying to output some simple debugging text from an ASPX handler, but the br tags aren't breaking. How do I fix this?
  42. Q: While debugging a .NET assembly running under IIS, I get the error "Cannot obtain value of local argument as it is not available" in the Locals window. How do I fix this?
  43. Q: How do I force .NET to load a specific version of an assembly that is also in the GAC?


Q: In ASP.NET, how do I determine why my assembly isn't being loaded?

A: Follow these instructions:
  1. In your ASP.NET application, open the web.config.  If the app has multiple web.configs, open all of them.
  2. Search for the configuration element /configuration/system.web/customErrors and create it if it does not exist.  If there are multiple web.config files, create it in the highest-level file.  Set the mode attribute of this element to "Off".
  3. Open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion.
  4. In that key, set the following DWORD values:  ForceLog=1, LogResourceBinds=1, and LogFailures=1.
  5. Create a directory to store logs (e.g., c:\FusionLogs).
  6. In the Fusion key, create a string value named LogPath equal to the log directory created in step 5 with a trailing backslash.
  7. Restart IIS.  In IIS7, open IIS manager, select your server, then click Restart on the right.  Otherwise, restart the World Wide Web Publishing Service in Control Panel|Services.

Your web application will now return assembly load errors in its error page.  This is almost always sufficient, but if you need more details or can't view the page due to your usage scenario, check out the log files in the directory you specified.  Alternately, copy over the Fusion Log Viewer from a machine with Visual Studio 2008 or higher, but note this sometimes fails to show the logs.  It will be located in one of the versioned directories under ProgramFilesx86\Microsoft SDKs\Windows, such as C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\NETFX 4.0 Tools.

Q: What is the syntax of /configuration/system.webServer/handlers/add@type?

A: This attribute uses the standard .NET syntax for type specification with one important variance from other parts of .NET, such as WPF: it uses a PERIOD separator between a class's namespace and the name of the class. For example, the following are valid:
  Class with no namespace:     type="TestHandler"
  Class in namespace:          type="TestNamespace.TestHandler"
  Class in child namespace:    type="ParentNamespace.ChildNamespace.TestHandler"
Note that if the namespace itself uses a "+" in its name, this must be escaped.

Q: In ASP.NET, I get the Fusion log error "WRN: Comparing the assembly name resulted in the mismatch: NAME", but the name specified in the type attribute matches the filename exactly. How do I fix this?

A: In .NET, the assembly name is not the same as the filename and is embedded within the file. Open this file in either .NET Reflector or IL Spy and select the file to view the internal .NET name. This error can happen if, for example, you create a simple ASP.NET site, build it, and try to use its App_Code.dll in another site by renaming it, or by changing the filename of a class library project.
There are several ways to fix this:
Edit the Assembly
  1. Install .NET Reflector, then install the ReflexIL editor plug-in from http://reflexil.net/
  2. Open the assembly to rename in .NET Reflector and select it.
  3. Right-click the assembly, select the ReflexIL menu option, then rename. Enter the new name without extension in Rename dialog. Note that .NET Reflector will NOT display this change.
  4. Expand the assembly and right-click the next node underneath it. This node represents the default module within the assembly and will normally be named the old filename - for example, App_Code.dll. Right-click this node and enter the new filename WITH extension in the Rename dialog. Note that .NET Reflector will NOT display this change.
  5. Right-click the assembly and select ReflexIL|Save As, then enter the new filename.
Edit the Source Code of a Class Library
  1. Open the project in Visual Studio
  2. In Project Properties, go to the Application tab and change the value in the Assembly name field. This will change BOTH the output filename and the internal assembly name.
Notes:
  1. Editing the source code cannot be done for some ASP.NET Web Projects because the classes are assumed to have no namespace and the target assembly name and filename are hard-coded as App_Code.dll.
  2. The AssemblyTitle attribute specified in AssemblyInfo does NOT specify the internal assembly name.

Q: In an ASP.NET configuration/system.web/handler/add node, is it necessary to specify the assembly name?

A: No. ASP.NET will automatically search all files located in the bin directory at the same level as the web.config.


Q: My ASP.NET application cannot find the handler I specified with the error "Could not load file or assembly", even though it is in the correct directory. Why?

A: There are several possible reasons. One of the more common causes is that the filename does not match the assembly name. The assembly name is an internal name embedded within the file. ASP.NET expects the filename to match the assembly name and will not load the assembly if they do not match. To verify this as the cause, enable Fusion logging and look for the error "WRN: Comparing the assembly name resulted in the mismatch: NAME". To fix this, open the file in .NET Reflector or IL Spy, find the assembly name, and rename the file to match it. Then make a change to the web.config to force the app to reload.
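The filename/assembly-name comparison described in this answer and in the Fusion "mismatch" answer above can also be checked without Reflector. The following is an added example, not code from the original page; the class name and the command-line usage are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Reflection;

// Added example (not from the original page): reports DLLs in a bin directory
// whose filename differs from the assembly name embedded in the file.
static class AssemblyNameCheck
{
    // Returns the number of DLLs whose filename does not match the embedded assembly name.
    static int CountMismatches(string binDirectory)
    {
        int mismatches = 0;
        foreach (string path in Directory.GetFiles(binDirectory, "*.dll"))
        {
            string fileName = Path.GetFileNameWithoutExtension(path);
            try
            {
                // Reads the assembly manifest from disk; the assembly is not
                // added to the current application domain.
                AssemblyName embedded = AssemblyName.GetAssemblyName(path);
                if (!string.Equals(embedded.Name, fileName, StringComparison.OrdinalIgnoreCase))
                {
                    mismatches++;
                    Console.WriteLine("MISMATCH  file={0}.dll  assembly name={1}", fileName, embedded.Name);
                }
            }
            catch (BadImageFormatException)
            {
                // Native DLL or otherwise not a .NET assembly: nothing to compare.
                Console.WriteLine("SKIPPED   {0} (not a managed assembly)", Path.GetFileName(path));
            }
        }
        return mismatches;
    }

    // Exit code: 0 = all names match, 1 = at least one mismatch, 2 = bad usage.
    static int Main(string[] args)
    {
        if (args.Length != 1 || !Directory.Exists(args[0]))
        {
            Console.Error.WriteLine("usage: AssemblyNameCheck <path to the application's bin directory>");
            return 2;
        }
        return CountMismatches(args[0]) == 0 ? 0 : 1;
    }
}
```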

Q: I am unable to view symbols when debugging an IIS HttpHandler/HttpModule, with the error "Cannot obtain the value of '<name>' as it is not available", but I'm using a debug build. How do I fix this?

A: There are many possible causes, with the basic problem being that parts of the assembly, or the entire assembly, are being converted to native code with insufficient information to map back to the original IL PDB symbols. There is no single cause or definitive fix for this, although the same issue for standalone .NET EXEs is more reliably solved by [most of] these steps.  To resolve this, address each of the following:
  1. In Project|Properties|Build, make sure Optimize code is NOT checked.
  2. In Project|Properties|Build|Advanced, ensure Debug Info is set to Full.
  3. Check the assembly for a System.Diagnostics.Debuggable attribute, typically in AssemblyInfo.cs. Remove it if found and re-add as [assembly: System.Diagnostics.Debuggable(true, true)].
  4. Edit the root level web.config and set /configuration/system.web/compilation@debug="true"
  5. In Control Panel|System, click Advanced|Environmental Variables and set COMPLUS_ZAPDISABLE = "1". As a side-effect, this will disable some JIT'ing system-wide.
  6. Create the following text file Windows\System32\inetsrv\w3wp.ini (assumes running on x64 machine):
    [.NET Framework Debugging Control]
    GenerateTrackingInfo=1
    AllowOptimize=0
  7. Clear the Temporary ASP.Net files, typically in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files.
  8. At an elevated command prompt, run iisreset.
  9. It may also be necessary to change the project build platform to Any instead of x86 or x64.

Q: Why do .NET 3.5 and above JSON web services return their results inside a root "d" property?

A: This is a security feature to address a client-side vulnerability due to clients executing JSON results as a quick-and-easy way to deserialize them. Wrapping the result in a root-level "d" property forces the client to properly parse it before it can be used. See this link.

Q:  How do I secure an ASMX web service to prevent the default method helper web page, WSDL, and make ASP.NET secure access to this page as it does other ASPX pages?

A:  To address the first two issues, add the node <remove name="Documentation"/> to /configuration/system.web/webServices/protocols (IIS7+).  In addition, IIS includes built-in local call functionality that is NOT disabled by this.  To disable that, add <remove name="HttpPostLocalhost"/>.
To address the remaining issue, use a location element to deny access to the page unless the user is logged in.  For example:
<location path="Hello.asmx">
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</location>

Source here.

Q:  In IIS7, how do I configure an application pool to use .NET 3.5?  Only 2.0 and 4.0 are listed.

A:  The .NET Framework version field is incorrectly named and actually refers to the CLR version used.  .NET Framework versions 2.0-3.5 use the same CLR, so specifying 2.0 is sufficient to enable .NET Framework 3.5 functionality.  Courtesy this MSDN blog.

Q:  In ASP.NET, I got the error "error CS0234: The type or namespace name 'Linq' does not exist in the namespace " when adding an ASPX/ASMX file to an existing web application.  How do I fix this?

A:  The web application domain must be configured to load the referenced assemblies - a using statement is insufficient for ASP.NET to determine the source assembly.  After determining the source assembly, edit the web.config and add the reference to /configuration/compilation/assemblies via an add element.  For example, to fix the above problem, add a reference to System.Data.Linq as follows:
<compilation>
    <assemblies>
        <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    </assemblies>
</compilation>

Q:  I can't call an ASMX service I added to an existing web application with error 500s.  The application has a handler for ASMX files.  How do I fix this?

A:  There are many possible causes.  One cause is that the GUI may show that a handler is mapped when it actually is not.  All handler mappings are filtered by a "precondition" attribute, permitting the developer to declare multiple mappings for different application configurations:  managed vs unmanaged, 32-bit vs 64-bit, CLR version, and .NET Framework version.  However, the IIS Admin GUI does NOT display the preCondition attribute.  If the ASMX class is bound to the .NET 3.5 System.Web.Script.Services.ScriptHandlerFactory but the web app is configured for CLR v2, then the web service will fail because the default mappings on newer machines are preconditioned to only work on .NET 4.0 web applications.  To fix this, either change the app pool to use CLR 4 and modify the ASMX class to bind to .NET 4, or change the app to map the 3.5-version of this handler to ASMX by adding the following to /configuration/system.webServer/handlers in the application's web.config:
    <remove name="ScriptHandlerFactory"/>
    <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>

Sources:  this stack overflow question, Blog on preCondition attribute, MSDN blog.

Q:  In IIS, where are the default handler mappings defined?

A:  This appears to be %system32%\inetsrv\config\applicationHost.config.

Q:  I can't place a breakpoint in an ASP.NET application after updating the backing assembly and source code.  Visual Studio only places empty-circle breakpoints.

A:  The application domain has been invalidated, but not yet reloaded, so Visual Studio is reporting the mismatch between the new source and old, loaded binary.  To force the reload, make any request of the web application, then the break point indicator should refresh to a solid red dot.

Q:  In .NET, how do I get a WindowsIdentity object from a SID?

A:  The API exists, but isn't in the System.Security.Principal namespace.  Use System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity. Courtesy this TechNet article.

Q:  I get an error 500 Unknown web method when calling an ASMX WebMethod via JSON where the remoting contract is specified using an interface.  It worked fine before using the interface.  How do I fix this?

A:  Change the interface method implementations from explicit interface implementation to virtual methods.  For example, given the following (simplified) interface:
    public interface IDuoRDSingleSignOn
    {
        Result<AuthorizedRdpFile> GetDuoAuthorizedRdpFile( string fileNodeName );
    }
This must be implemented in the class as a virtual function, as shown below:
    public class DuoRDSingleSignOnCallReceiver : System.Web.Services.WebService, IDuoRDSingleSignOn
    {
        [System.Web.Script.Services.ScriptMethod(ResponseFormat = System.Web.Script.Services.ResponseFormat.Json, UseHttpGet = false, XmlSerializeString = false)]
        [WebMethod]
        public virtual Result<AuthorizedRdpFile> GetDuoAuthorizedRdpFile( string fileNodeName )
        { throw new System.NotImplementedException(); /* method body is not shown in the original */ }
    }
Also note that the [WebMethod] and associated attributes must mark the concrete class methods, not the interface methods.

Q:  WinHttpCert fails to grant rights to an AppPool virtual account reporting "No account information was found".  How do I fix this?

A: Do not use the FQDN of the server in the account name (-a) parameter - use the machine name only. For example:
winhttpcertcfg -g -c LOCAL_MACHINE\My -s Server2008Delta.Delta.local -a "Server2008Delta\IIS APPPOOL\RDWebAccess"

Q:  I modified a few ASPX files, then when IIS 7.5 (Server 2008) serves them they appear to have no content.  For example, RDWeb's default.aspx.  How do I get the pages to work again?

A:  The Unicode BOM was removed from the files when they were saved.  Restore it by editing the files in an editor that can write the BOM, then the pages will render again.  Notepad does this by default, so opening, touching, and saving the file in Notepad will fix the problem.

Q:  I can't debug an ASPX file that lives in a virtual directory:  breakpoints won't set and are never triggered.  How do I fix this?

A:  Attach the debugger to the default AppPool for the web site/app that CONTAINS the app being debugged.  For example, in the case of RDWeb, attach the debugger to the process for DefaultAppPool instead.  ASPX files in virtual directories are not served from the AppPool of their associated web application regardless of where they exist.  Also, be sure to edit the ASPX file and set debug=true on the Page directive.

Q:  How do I configure an IIS web application to require SSL?

A:   There are several tricks to doing this:
  1. Unlock system.webServer/security/access
    1. By default, this is locked at the IIS level.
    2. Unlocking occurs at the site level, however.  But the normal site configuration object cannot unlock this - it will throw.  Instead, use the AppHost configuration object and ask it for the relevant setting in the context of the specified app.
  2. Flags type is undocumented
    1. Set the sslFlags attribute to "Ssl".
The code will look something like this:
    // Requires: using System; using System.Linq; using Microsoft.Web.Administration;
    // siteName and applicationVirtualPath are supplied by the caller.
    // GetDefaultWebsite() is a helper extension method that is not part of Microsoft.Web.Administration.
    const string sectionPath = "system.webServer/security/access";

    // Step 1: unlock the section for the site through the AppHost configuration.
    var localIis = new ServerManager();
    string actualSiteName = siteName ?? localIis.GetDefaultWebsite().Name;
    Configuration serverConfiguration = localIis.GetApplicationHostConfiguration();
    ConfigurationSection targetSection = serverConfiguration.GetSection(sectionPath, actualSiteName);
    targetSection.OverrideMode = OverrideMode.Allow;
    localIis.CommitChanges();

    // Step 2: with the section unlocked, require SSL in the application's own configuration.
    var localIisManager = new ServerManager();
    Site defaultWebSite = localIisManager.Sites[actualSiteName];
    Application duoAccessGatewayApplication = defaultWebSite.Applications.FirstOrDefault((x) => x.Path.Equals(applicationVirtualPath, StringComparison.CurrentCultureIgnoreCase));
    Configuration dagConfiguration = duoAccessGatewayApplication.GetWebConfiguration();
    var accessSection = dagConfiguration.GetSection(sectionPath, "");
    accessSection["sslFlags"] = "Ssl";
    localIisManager.CommitChanges();

Q:  How do I grant folder rights to an IIS AppPool Account?

A:  There are several ways to do so.  Note this is only supported in Server 2008 R2 and above as lower versions of Windows do not support virtual accounts.  From the Security tab GUI:
  1. Click Add
  2. Click Locations.
  3. Select the name of the local machine and click OK.  If you do not do this, you will get an error that the object cannot be found.
  4. Enter "IIS AppPool\[PoolName]" in the "Enter the object names to select" box.  For example, if the AppPool is named RDWebAccess, enter "IIS AppPool\RDWebAccess".
  5. Click OK.
In C#, use the normal mechanisms with a username of the form IIS AppPool\[PoolName].
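One way to do the C# variant, as an added example that is not from the original page. It grants the pool identity read and execute rights only; the class name and command-line arguments are assumptions, and the caller is assumed to have the right to change the folder's ACL.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the original page): grants an AppPool virtual account
// read/execute rights on a folder, inherited by its files and subfolders.
static class AppPoolFolderRights
{
    static void GrantReadExecute(string folder, string poolName)
    {
        // Account name in the form given on the page: IIS AppPool\[PoolName].
        var account = new NTAccount(@"IIS AppPool\" + poolName);

        SecurityIdentifier sid;
        try
        {
            // Resolve the name up front so a misspelled pool name fails here
            // instead of when the ACL is written.
            sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        }
        catch (IdentityNotMappedException)
        {
            throw new ArgumentException("Cannot resolve account: " + account.Value, "poolName");
        }

        var rule = new FileSystemAccessRule(
            sid,
            FileSystemRights.ReadAndExecute,                                  // no write or modify rights
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);

        var directory = new DirectoryInfo(folder);
        DirectorySecurity acl = directory.GetAccessControl();
        acl.AddAccessRule(rule);
        directory.SetAccessControl(acl);
    }

    // Usage: AppPoolFolderRights <folder> <pool name>, for example a pool named RDWebAccess.
    static int Main(string[] args)
    {
        if (args.Length != 2 || !Directory.Exists(args[0]))
        {
            Console.Error.WriteLine("usage: AppPoolFolderRights <folder> <AppPool name>");
            return 2;
        }
        GrantReadExecute(args[0], args[1]);
        Console.WriteLine(@"Granted ReadAndExecute on {0} to IIS AppPool\{1}", args[0], args[1]);
        return 0;
    }
}
```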

Q:  What is the proper syntax for Microsoft.Web.Administration.Configuration.GetSection's locationPath argument?

A:  The syntax is an IIS path relative to the host.  In IIS, the base path for this API is MACHINE/WEBROOT/APPHOST.  To specify a web application, use the relative syntax <SiteName>/<VirtualPath>.  This is similar to, but not the same as, the IIS WMI syntax of W3SVC/1/ROOT.  For more information, see this page.

Q:  In IIS, how do I configure a feature setting, such as IP Security, for an individual file in an application via IIS manager?

A:  Do the following:
  1. Start IIS Manager.
  2. In the left hand pane, browse to the directory that contains the file and select it.
  3. In the middle pane, click the Content View button at the bottom.
  4. In the middle pane, select the file that you want to change the feature setting for.
  5. In the right-hand pane, click the Switch to Features View link.
  6. Note the left hand pane now displays the target file.  In the middle pane, double-click the feature you wish to change the setting for and change the setting as desired.
  7. Note in some cases, such as IP Security, it is generally necessary to configure a setting for the directory, such as deny all, with different settings on individual files, such as allow from local IPs.

Q:  When configuring IIS via the C# Microsoft.Web.Administration API, how do I configure an IIS feature for a specific folder?

A: Use these steps:
  1. Determine the IIS web.config path where the settings for this feature are stored.  For example, for IP Security, the path is system.webServer/security/ipSecurity.
  2. Get the config object for either IIS or the web application.
  3. Call GetSection(<web.config section path>, <path to folder>).
There are two different ways to get the web configuration object:  from the app or from IIS.  Consequently, either of the following is valid:
    // To get a configuration section for a folder within a web application, use either of these two methods:
    // 1.  Get the ServerManager object, call its GetApplicationHostConfiguration(), then call GetSection([config path], [sitename][appFolderPath])
    // 2.  Get the Application object, call its GetWebConfiguration(), then call GetSection([config path], [folder path relative to app])
    // GetDefaultWebsite() and EqualsNoCase() are helper extension methods that are not shown here.
    // For example, to get the ipSecurity section for the folder "admin" under the web app "simplesaml" on the Default Web Site:
    var localIisManagerA = new Microsoft.Web.Administration.ServerManager();
    var localIisConfigA = localIisManagerA.GetApplicationHostConfiguration();
    var ipSecurityConfigSectionA = localIisConfigA.GetSection("system.webServer/security/ipSecurity", "Default Web Site/simplesaml/admin");
    // OR
    var localIisManagerB = new Microsoft.Web.Administration.ServerManager();
    var defaultWebsiteB = localIisManagerB.GetDefaultWebsite();
    var duoAccessGatewayApplicationB = defaultWebsiteB.Applications.FirstOrDefault(x => x.Path.EqualsNoCase("/"+DuoAccessGateway.WebApplicationName));
    var ipSecurityConfigSectionB = duoAccessGatewayApplicationB.GetWebConfiguration().GetSection("system.webServer/security/ipSecurity", "/simplesaml/admin");

Q:  When configuring IIS via the C# Microsoft.Web.Administration API, how do I configure a feature setting for an individual file, for example, set via the location element?

A:  This is not obvious and does not work via several API approaches.  The only way is to get the IIS (host) configuration object and get the config section from it, specifying the full path to the file on this instance of IIS.  For example, assume the target is the IP Security settings section for the file dlux.php in the admin folder of the web application simplesaml installed on the default web site.  Use the following code to get the system.webServer/security/ipSecurity settings for this file:
    // Get configuration for individual file
    var localIisManagerD = new Microsoft.Web.Administration.ServerManager();
    var fileConfigD = localIisManagerD.GetWebConfiguration("Default Web Site", "/simplesaml/admin/dlux.php");
    var fileWebConfigD = fileConfigD.GetSection("system.webServer/security/ipSecurity");
    var fileWebConfigCollectionD = fileWebConfigD.GetCollection();
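The folder and file answers above, combined with the IIS Manager note about denying everything on a directory and allowing specific addresses on one file, look like this in code. This is an added example, not from the original page: it uses the host configuration with full location paths for both scopes, assumes the IP and Domain Restrictions feature is installed, and the loopback address is a constructed sample value.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example (not from the original page): deny unlisted clients for a folder,
// then allow one address on a single file inside it.
static class IpSecurityPerFile
{
    const string SectionPath = "system.webServer/security/ipSecurity";

    // Adds an allow entry for ipAddress unless an entry for that address already exists
    // (including one inherited from a parent path). Returns true when an entry was added.
    static bool AllowAddress(ConfigurationSection section, string ipAddress)
    {
        ConfigurationElementCollection entries = section.GetCollection();
        foreach (ConfigurationElement entry in entries)
        {
            if (string.Equals((string)entry["ipAddress"], ipAddress, StringComparison.Ordinal))
                return false;   // leave the existing entry untouched
        }

        ConfigurationElement add = entries.CreateElement("add");
        add["ipAddress"] = ipAddress;
        add["allowed"] = true;
        entries.Add(add);
        return true;
    }

    static void Main()
    {
        using (var serverManager = new ServerManager())
        {
            Configuration appHost = serverManager.GetApplicationHostConfiguration();

            // Folder scope: location path is <SiteName>/<VirtualPath>.
            // allowUnlisted=false refuses every client that has no allow entry.
            ConfigurationSection folderSection =
                appHost.GetSection(SectionPath, "Default Web Site/simplesaml/admin");
            folderSection["allowUnlisted"] = false;

            // File scope: same API, with the file name appended to the location path.
            // The file inherits the folder's deny-by-default setting, so only the
            // exception needs to be added here.
            ConfigurationSection fileSection =
                appHost.GetSection(SectionPath, "Default Web Site/simplesaml/admin/dlux.php");
            bool added = AllowAddress(fileSection, "127.0.0.1");   // constructed sample address

            serverManager.CommitChanges();
            Console.WriteLine(added ? "Allow entry added for dlux.php" : "Allow entry already present");
        }
    }
}
```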


Q: How do I set an environmental variable for a FastCGI handler mapping?

A: This cannot be done for a handler mapping, but can be done by defining a new FastCGI application and redirecting the handler mapping to it. In the FastCGI object model, while the web app specifies a pathname to an application, the handler mapping is not the root definition for that CGI entity. Instead, the authoritative CGI definition exists at machine level. The pathname to the EXE is actually a formatted argument used to link to the machine level definition. It consists of two fields, the file pathname and the command line arguments, separated by a | symbol.
To define a new FastCGI application via the GUI:
  1. Open IIS Manager and select the left-hand node for the SERVER
  2. In the middle pane, double-click FastCGI.
  3. In the right hand pane, click Add Application button and enter the full pathname to the php-cgi.exe.
  4. Create a unique Arguments string. For example, for PHP, use the -d argument to assign an unused variable a unique value, such as -d uniqueifier=6BC78C27-92D7-4EC3-9C1D-C767171F31E5.
  5. In the middle pane, find the web application using this FastCGI application definition and select it.
  6. In the middle pane, double-click Handler Mappings.
  7. Find the handler mapping previously used and replace the Executable field with a formatted version of the program pathname and arguments entered in steps 3 and 4, in the form <program>|<arguments>.  For example, if the program pathname is C:\Program Files (x86)\PHP\v5.6\php-cgi.exe and the arguments are -d uniqueifier=5ed8b5e232d14926abacde84c0906c62, the Executable field here should be "C:\Program Files (x86)\PHP\v5.6\php-cgi.exe|-d uniqueifier=5ed8b5e232d14926abacde84c0906c62".

Q: I get a 403 Forbidden error when trying to access files on a CGI (PHP) web site served by the StaticFileHandler, after reducing the web app file rights to the AppPool+Administrators only.  Why?

A:  The static file handler checks for file access using the Internet User identity by default, which fails since rights to the IUSRS group were specifically revoked here.  To reconfigure it to use the process identity instead, change system.webServer/serverRuntime/authenticatedUserOverride=UseWorkerProcessUser.  Reference the end of this article.

Q:  I get a "Provider load failure" when using the IIS WMI provider (root\WebAdministration) as an administrator but not elevated.  It works if I elevate.  How do I make this work non-elevated?

A:  To fix this, specify an impersonation level of Impersonate and an authentication level of Packet Integrity for the WMI connection, AND log in as Administrator, not just as a member of the local Administrators group, or run elevated as a local admin.  Windows has special elevation rules for the built-in Administrator account, and each WMI provider implements security in its own way.  The IIS provider won't allow read access without elevation, unfortunately, while some do or provide limited information - see this link for more information.  The syntax to specify these varies from interface to interface.
To do so from JavaScript/VBScript using GetObject, specify {impersonationLevel=impersonate,authenticationLevel=pkt} in the GetObject string.  For example:
// Gets the specified IIS Web application sub application
function GetSubApplication(siteName, appName, subAppPath)
{
    var webAdminInterface   = GetObject("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pkt}root\\WebAdministration")
    var wmiQueryPath        = "/" + appName;
    var poolName            = "";
 
    if (webAdminInterface != null)
    {
        if (typeof (subAppPath) == "string")
            wmiQueryPath = wmiQueryPath + "/" + subAppPath;
        return webAdminInterface.Get("Application.SiteName='" + siteName + "',Path='" + wmiQueryPath + "'");
    }
    return null;
}
In PowerShell, specify -Authentication 5 -Impersonation 3 for Get-WmiObject.  For example:
    Get-WmiObject -Class Application -Namespace "root\WebAdministration" -Authentication 5 -Impersonation 3

Q: I get a "Configuration Error: An error occured creating the configuration section handler" for my custom ASP configuration section.

A: There are several possible causes:
1. The ConfigurationSection implementation backing this may not have a public default constructor. This error may not occur until a value is specified for an attribute or element child of the section.
2. If the section has a collection, the ConfigurationElementCollection implementation CreateNewElement or GetElementKey may be throwing, as in their default implementations.

Q: When using a .NET runtime class type as a property, like System.Net.IPAddress, I get the error "The value of the property 'IP' cannot be parsed. The error is: Unable to find a converter that supports conversion to/from string for the property 'IP' of type 'IPAddress'."

A: You must implement a TypeConverter and decorate the property with the TypeConverter attribute to use any non-primitive types, except enums, as ConfigurationProperties. For example, to use System.Net.IPAddress, use the following code:
    [ConfigurationProperty(Property_IP, IsRequired=false)]
    [System.ComponentModel.TypeConverter(typeof(StringIpConverter))]
    public System.Net.IPAddress IP
    ...
    public class StringIpConverter : System.ComponentModel.TypeConverter
    {
        // The configuration system hands the converter the attribute value as a string.
        public override bool CanConvertFrom( System.ComponentModel.ITypeDescriptorContext context, Type sourceType )
        {
            return sourceType.Equals(typeof(string));
        }
        // ConvertTo below produces a string, so string is the supported destination type.
        public override bool CanConvertTo( System.ComponentModel.ITypeDescriptorContext context, Type destinationType )
        {
            return destinationType.Equals(typeof(string));
        }
        public override object ConvertFrom( System.ComponentModel.ITypeDescriptorContext context, System.Globalization.CultureInfo culture, object value )
        {
            return System.Net.IPAddress.Parse((string) value);
        }
        public override object ConvertTo( System.ComponentModel.ITypeDescriptorContext context, System.Globalization.CultureInfo culture, object value, Type destinationType )
        {
            var valueIp = (System.Net.IPAddress) value;
            return valueIp.ToString();
        }
    }

Q: How do I access the data for a custom ConfigurationSection from my HttpModule?

A: Call System.Web.Configuration.WebConfigurationManager.GetWebApplicationSection(<name of section>) and cast it to the ConfigurationSection-derived class type.

Q: When I call Microsoft.Web.Administration.Application.GetWebConfiguration().GetSection() from outside IIS, such as in an install, I get an exception "The configuration section cannot be read because it is missing schema declaration".

A: Outside of the web application using the module, call System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(webAppVirtualPath, siteName), then call GetSection on the result.

Q: When I call Microsoft.Web.Administration.Application.GetWebConfiguration().GetSection() from outside IIS, such as in an install, I get an exception "System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for DuoIpSecurity: Could not load type '<Your type here>' from assembly 'System.Web, Version=4.0.0.0...

A: The Type attribute of the configSection element is not fully qualified.  It must contain the name of the assembly as well as the class, or IIS will return this error.  For example, the string "Duo.Iis.IpSecurityModule.ConfigurationSection, DuoIisIpSecurity, Version=1.2.0.67, Culture=neutral, PublicKeyToken=d84208eddb8532b3" is fully qualified, resolving this error.  This is necessary even if another element maps in the host assembly.

Q:  I've declared a custom configuration section, but when trying to get its object via OpenWebConfiguration/GetSection, I get an error System.Configuration.ConfigurationErrorsException: An error occurred creating the configuration section handler for DuoIpSecurity: Could not load type.

A:  In the section declaration, the Type must include the assembly reference.  For example, under /configuration/configSections, the declarations should look like this:
<section name="DuoIpSecurity" type="Duo.Iis.IpSecurityModule.ConfigurationSection, DuoIisIpSecurity, Version=1.2.0.67, Culture=neutral, PublicKeyToken=d84208eddb8532b3" />

Q:  In an install, WebConfigurationManager.GetSection() returns NULL, but my code is creating a correct configSections/section element.

A:  The web application must be configured to use the backing assembly in a prior Microsoft.Web.Administration.ServerManager transaction.  To fix this, relocate the code that references the backing assembly into a prior Microsoft.Web.Administration.ServerManager transaction.  After calling CommitChanges on that, the next Microsoft.Web.Administration.ServerManager instance will provide the configuration section.

Q:  My ASP application returns error 503 on all requests and the AppPool reports Stopped.  Why?

A:  An HttpModule may be throwing during Init, or an event handler could be generating a runtime exception such as StackOverflow.

 
Q:  My custom configuration section is not saved when calling Commit on Microsoft.Web.Administration.ServerManager.

A:  Add a call to System.Configuration.Configuration.Save before Commit.  Also, make sure any collection properties are decorated with ConfigurationCollection.  For example:
var dagWebConfiguration = System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(dagVirtualPath, defaultWebsite.Name);
dagWebConfiguration.Save(System.Configuration.ConfigurationSaveMode.Minimal, true);

Q:  In ASP, how do I get a full pipeline trace?

A:  On Windows Server 2012, you can get this by enabling Failed Request Tracing for the site and including codes 200-299 in the list of status codes that will be logged.  Page tracing will not provide this; it is designed to output detail once the ASP page renderer starts.

Q:  In ASP, how do I control certificate validation?

A:  There are limited controls.  Open web.config and set the attributes checkCertificateName or checkCertificateRevocationList on /configuration/system.net/settings/servicePointManager to false to disable them.
Courtesy this article.
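
As an added example (not taken from the original answer or the linked article), this is where the two attributes sit in web.config. The values shown enable both checks, and the disabled form from the answer is kept in a comment for comparison; the defaults noted are those of the .NET Framework servicePointManager element.

```xml
<configuration>
  <system.net>
    <settings>
      <!-- Checks enabled: the certificate name must match the host being
           called, and revocation lists are consulted while the chain is built.
           checkCertificateName defaults to true;
           checkCertificateRevocationList defaults to false, so revocation
           checking has to be switched on explicitly. -->
      <servicePointManager checkCertificateName="true"
                           checkCertificateRevocationList="true" />

      <!-- Disabled form described in the answer above. With
           checkCertificateName="false" the name on the remote certificate is
           no longer compared with the host name, so a certificate issued for a
           different host passes as long as it chains to a trusted root.
      <servicePointManager checkCertificateName="false"
                           checkCertificateRevocationList="false" />
      -->
    </settings>
  </system.net>
</configuration>
```

These settings govern outbound HTTPS calls the application makes through System.Net, not the certificate IIS presents to its own clients.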

Q:  In ASP, how do I debug a certificate validation problem to find out why validation failed?

A:  Enable tracing, then add the following to your web.config.  For RDWeb, this is the Pages\web.config file.
/configuration/system.diagnostics/sources/source[name="System.Net" tracemode="includehex" maxdatasize="1024"]/listeners/add[name="System.Net"]
/configuration/system.diagnostics/sources/source[name="System.Net.Sockets"]/listeners/add[name="System.Net"]
/configuration/system.diagnostics/sources/source[name="System.Net.Cache"]/listeners/add[name="System.Net"]
/configuration/system.diagnostics/sources/source[name="System.Net.Http"]/listeners/add[name="System.Net"]
/configuration/system.diagnostics/sources/source[name="System.Net.WebSockets"]/listeners/add[name="System.Net"]
Then add:
/configuration/system.diagnostics/switches/add[name="System.Net" value="Verbose"]
/configuration/system.diagnostics/switches/add[name="System.Net.Sockets" value="Verbose"]
/configuration/system.diagnostics/switches/add[name="System.Net.Cache" value="Verbose"]
/configuration/system.diagnostics/switches/add[name="System.Net.Http" value="Verbose"]
/configuration/system.diagnostics/switches/add[name="System.Net.WebSockets" value="Verbose"]

Note the name attributes must be adjusted to use a sharedListener, such as the one shown below.
/configuration/system.diagnostics/sharedListeners/add[name="System.Net" type="System.Diagnostics.TextWriterTraceListener" initializeData="d:\temp\network.log"]
/configuration/system.diagnostics/trace[autoflush="true"]
Finally, create d:\temp and grant Everyone read/write rights to it.  Note it may take several seconds for log data to flush out.  Sometimes, the log file is listed as 0-bytes despite having significant data.
For example, if a certificate is not trusted, you will see log output like this (among a great deal of output):
System.Net Information: 0 : [5116] Remote certificate: [Version]
V3
[Subject]
CN=*.duosecurity.com, O="Duo Security, Inc.", L=Ann Arbor, S=Michigan, C=US
Simple Name: *.duosecurity.com
DNS Name: duosecurity.com
...
System.Net Information: 0 : [5116] SecureChannel#13350567 - Remote certificate has errors:
System.Net Information: 0 : [5116] SecureChannel#13350567 - A certificate chain could not be built to a trusted root authority.
Courtesy this article.
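
The path notation above written out as the web.config XML it describes, as an added example rather than configuration copied from the original page; the listener name and the d:\temp\network.log path are the ones used above.

```xml
<configuration>
  <system.diagnostics>
    <sources>
      <!-- tracemode and maxdatasize are set on the System.Net source only -->
      <source name="System.Net" tracemode="includehex" maxdatasize="1024">
        <listeners><add name="System.Net" /></listeners>
      </source>
      <source name="System.Net.Sockets">
        <listeners><add name="System.Net" /></listeners>
      </source>
      <source name="System.Net.Cache">
        <listeners><add name="System.Net" /></listeners>
      </source>
      <source name="System.Net.Http">
        <listeners><add name="System.Net" /></listeners>
      </source>
      <source name="System.Net.WebSockets">
        <listeners><add name="System.Net" /></listeners>
      </source>
    </sources>
    <switches>
      <!-- One switch per source; the name matches the source name -->
      <add name="System.Net" value="Verbose" />
      <add name="System.Net.Sockets" value="Verbose" />
      <add name="System.Net.Cache" value="Verbose" />
      <add name="System.Net.Http" value="Verbose" />
      <add name="System.Net.WebSockets" value="Verbose" />
    </switches>
    <sharedListeners>
      <!-- Every <listeners>/<add> above refers to this listener by name -->
      <add name="System.Net"
           type="System.Diagnostics.TextWriterTraceListener"
           initializeData="d:\temp\network.log" />
    </sharedListeners>
    <trace autoflush="true" />
  </system.diagnostics>
</configuration>
```

Verbose tracing with includehex can write request and response content to the log, so remove these elements and delete the file once the failure is diagnosed.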

Q: How do I create a self-signed HTTPS certificate for IIS?

A: Get the makecert command from a Visual Studio distribution and run these two commands, replacing [FQDN of your machine] with the FQDN of the machine.  The first will prompt for a password - enter "password", or change the -pi argument of the second command to match the password you use.  This will create a PVK, PFX, and CER fileset.  The PFX contains the private key and certificate; the CER is just the certificate, in binary format.
makecert -r -pe -a sha1 -sky exchange -sv cert.pvk cert.cer -n "CN=[FQDN of your machine]"
pvk2pfx -pvk cert.pvk -spc cert.cer -pfx cert.pfx -pi password

Q: I'm trying to output some simple debugging text from an ASPX handler, but the br tags aren't breaking. How do I fix this?

A: Set Response.ContentType = "text/html; charset=UTF-8" and use the XHTML version of this tag "<br/>". By default, ASPX returns XHTML and has already written an XML header to the response.

Q: While debugging a .NET assembly running under IIS, I get the error "Cannot obtain value of local argument as it is not available" in the Locals window. How do I fix this?

A: There are several possible causes. Before debugging, go to Project Properties|Debug and set Enable native code debugging. Rebuild the assembly, post the update, then try to debug again. After doing so, if the problem recurs, stop debugging and repost the DLL/PDB.  Source is one of the responses to this question.  Note that simply enabling the Native code debugger in the Attach to Process window will NOT fix this.

Q:  How do I force .NET to load a specific version of an assembly that is also in the GAC?

A:  If the assembly has a strong name (signed), then the GAC always wins.  This can be circumvented when manually loading assemblies by using the simple name (assembly name only) with the DLL in the same directory.  There is no known solution for resolving the references inside an assembly.  However, to fix this for an ASP.NET application at runtime, the following should work.  By extension, this may work for desktop apps by copying the file into the program directory, adjusting the href, and modifying the app.config instead.  However, this will not affect the build-time references.

To resolve this for ASP.NET applications:
0.  Copy the desired version of the assembly into the bin directory.
1.  Add a strong name to the assembly being referenced.
2.  Edit the web app's web.config with the following to force load of the specific file:
    <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="Your.Assembly.Name" publicKeyToken="31bf3856ad364e35"/>
                <codeBase version="1.0.0.0" href="/bin/Your.Assembly.Name.dll" />
            </dependentAssembly>
        </assemblyBinding>
    </runtime>

Source:  http://www.aip.im/2013/04/how-to-force-iis-asp-net-to-use-assembly-from-the-bin-folder-instead-of-gac/
