IIS bindings keep being removed - iis

I'm having a problem where the security certificate for a site is being periodically unbound from port 443 and replaced with another certificate which is sitting on the server. So whenever a user tries to access the site they are met with a 'untrusted' warning.
So when this first happened, I investigated and found the wrong certificate in place so I changed it back. This worked fine for a while but then it happened again. I checked the event logs and the following two warnings are fired:
SSL Certificate Settings deleted for endpoint : 0.0.0.0:443
SSL Certificate Settings created by an admin process for endpoint : 0.0.0.0:443
This happens once or twice a day, and I have to keep rebinding the correct certificate, and I haven't been able to find a solution yet.
The site is running on Windows Server 2012/ IIS 8
According to a couple of online support forums/articles there was an old legacy setting in the ApplicationHost.config file which was supposed to cause this. All references to this that I found referred to a property in the 'customMetaData' section, the property had a specific Id (5506). I couldn't find this specific property anywhere in our ApplicationHost.config file on the server.
Has anyone encountered a similar issue? Or can anyone shed any light on potential causes of this? Having looked around online I'm finding it hard to find much related to my problem, but perhaps I'm not searching for the right thing...
Any advice on this issue would be greatly appreciated.
NOTE:
Have since realised that this happens at 13:00 each day, cant see any significant events that are occurring on the server that might trigger it though...

Resolution
Locate the following property in the section of the applicationHost.config file, and delete it:
<property id="5506" dataType="Binary" userType="1" attributes="None" value="oXiHOzFAMOF0YxIuI7soWvDFEzg=" />
This property is a legacy feature from Internet Information Services (IIS) 6.0 and is no longer needed.
Link to MS Article

If the other answer (property id) doesn't work, follow these steps:
Check if there is an antivirus software in the server. Look for especially HIPS feature. Disable the antivirus and try to reproduce the issue
Check if the site is using a wildcard certificate. This issue occurs when the wildcard certificate has been imported without marking the keys as exportable. In order to solve it, the affected certificate should be uninstalled and it should be imported back again with marking the keys as exportable
Look for System Center Virtual Machine Manager Agent in the server. If it is enabled in the server, disable it and try to reproduce the issue (Reference)
Another process might be using 443 port in the server (Example: Windows Admin Center. Check this post out: 503 Service Unavailable error related to Windows Admin Center)
Check if insecure protocols are enabled. Registry settings are below. Disable these protocols if they are enabled and try to reproduce the issue
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
2.0\Server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
3.0\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
3.0\Server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.0\Client
Source: SSL Certificate Settings deleted for endpoint (Event ID 15300)

Related

SSL certificate for azure cloudapp.net

I know that this question was asked many times but I couldn`t make it work with answers I found on web.
My goal is to make https://my.cloudapp.net to work. So solution for this, is to buy domain and certificate and make this domain point/redirect to my https://my.cloudapp.net. I bought lets say www.example.pl. Downloaded certificate from https://example.pl. Assigned certificate to https://my.cloudapp.net using IIS.
When I visit https://example.pl certificate itself is fine but firefox shows me error:
my.cloudapp.net uses an invalid security certificate. The certificate is only valid for the following names: example.pl, www.example.pl Error code: SSL_ERROR_BAD_CERT_DOMAIN
What I`m doing wrong?
Edit Solution:
I called microsoft support and resolved the issue. The issue was on my domain provider side. My domain example.pl had forwarding wildcard *.example.pl to go to example.pl. Thats why when I made another forwarding from app.example.pl to my cloudapp it went straight to example.pl. Removed the wildcard and it started to working fine.
I attempt to visit the website https://example.pl, it works fine with IE edge or chrome explorer. Also i do a test over at the Qualys SSL Labs to check your certificate. It shows me Incorrect certificate because this client doesn't support SNI and indicate thatThis site works only in browsers with SNI support. It is the browser issue. So you could try another explorer.
You can from here to get more details.

403 Forbidden Error - IIS 8

I'm using IIS 8 on Windows 2012 server. I have a site set up to serve as an API for HTTPS traffic on a custom port (4443). I have installed a wildcard SSL certificate, which is functioning properly. Our network firewall is routing all public inbound traffic on port 4443 to this server internally, which is then being handled by IIS.
From the server itself, everything works fine. I am not using localhost, and do not have a hosts file entry looping the traffic back internally. Going to https://api.blahblahblah.com:4443 returns what I want.
However, from external to the network, I am getting a 403 Forbidden error. I know the traffic is making it to the server because I get the correct custom "X-Powered-By" response header that I have set on that server.
I have tried setting the permissions on the folder that contains the site files to allow Full Control to "Everyone", but no luck. The site has Anonymous Authentication enabled for the user "IUSR". Directory browsing is disabled.
What's going on? I'm assuming it's a permissions error with the file system, but I figured having the Everyone permission would eliminate that. Also, there is nothing special about the internal traffic (from the server itself) in terms of an authenticated session or anything. It's just a plain request with no bells or whistles.
Please help! Thanks.
=======UPDATE=======
Here is a sample log entry showing the substatus code of 16:
2018-02-08 17:56:58 10.1.10.11 GET /favicon.ico - 4443 - 184.4.143.229 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36 https://api.blahblahblah.com:4443/data/countyList 403 16 2148204809 97
Apparently this is a client certificate trust issue? Upon further testing, I am able to access the site without issue on another device, just not my primary development PC.
I just set the site to Ignore Client Certificates in the SSL Settings, and it is working as expected again.
A 403 error could occur due to multiple reasons. Could you please share the substatus code. You can find it in IIS logs. Default location - C:\inetpub\logs\logfiles\w3svc_websiteID.
Once you have the substatus code, please share it here.
You can also capture FREB logs by following this article - https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis
Just modify step #10 in this article and don't uncheck anything in your case (leave everything to default). This will clearly tell you what's going on in the IIS pipeline.
If its 403.14, just add a default document in IIS and you should be good to go.

Azure Traffic Manager with my own SSL cert?

I've been using Azure to host my Web Apps for a while now and they've had my own wildcard cert attached to various ones with no problem. Recently, however, one of my clients has wanted a certain degree of uptime/performance (not that there have been any problems so far but they are willing to pay for it and who am I to turn down money) so I've set up mirrored sites and am using traffic manager to route between them.
It works like a charm but for one problem: I have a cname pointing a friendly url to the traffic manager address and, if I try to connect via https, it craps out and wants to use its own *.azurewebsites.com cert no matter what I try.
So my question is: am I missing something here? How to I use my own custom *.mycompany.com cert in this case?
Or, for that matter, is there a better way of doing what I'm ultimately trying to accomplish here?
Here is my set up:
Endpoint 1: MyWebApp-East (type - Azure Endpoint, ssl installed and proper host info added)
Endpoint 2: MyWebApp-West (type - Azure Endpoint, ssl installed and proper host info added)
Traffic Manager: Routing Type - Performance
UPDATE
Oddly enough, I got it to work. I must have had something wrong somewhere. I did a scorched earth approach to it by deleting EVERYTHING (sites, traffic manager, dns entries, etc) and starting over. It works perfectly now!
Posted this in the top part but so as not to leave this open, I'll repost the solution I found:
Oddly enough, I got it to work. I must have had something wrong somewhere. I did a scorched earth approach to it by deleting EVERYTHING (sites, traffic manager, dns entries, etc) and starting over. It works perfectly now.
Sometimes to go forwards, you have to destroy everything.

Error in non existent global.asa

I have a user's website giving an error in a global.asa file but it does not exist in their web root. It looks like the account has been hacked as it's giving an error about not connecting to a server, and at the same time I see the firewall block outbound connection requests.
msxml3.dll error '80072efd'
A connection with the server could not be established
/LM/W3SVC/6510/ROOT/global.asa, line 66
I've deleted the IIS instance and had the control panel recreate it, but the issue still exists. I've even created a dummy asp file which only displays some text and it happens.
I'm at a loss where this could be being picked up and looking for suggestions. Where might this be set?
I've had the same problem on a w2k3 server (iis6) with many sites, where just one had the fake global.asa;
I've not still found cause but a workaround solution, for me, has been:
open MMC Console (IIS manager)
stop IIS
double click on Web Sites (confirm reload offline configuration)
under every site delete "ghost" global.asa (that you don't find under phisical websites folder)
start IIS

What causes a "this connection is untrusted" issue?

I am new to development and at my new job we have this issue where on a sub-domain users are getting the error you see below but when they go to the base domain (e.g: domain.com) they don't see that.
I am supposed to solve this but not sure what might be causing it. I am not looking for somebody to solve this for me but if you can outline possible reasons why, i would be very thankful.
First thing: open up the "Technical details". They will give you more information, information you might or might not yet fully understand, but it still have the necessary info.
Basically, SSL (https) certificates are created for a specific domain. If the domain name changes (from e.g. example.com to foo.example.com), the certificate can not be used without a security warning popping out.
You need to create (either by self-signing or purchasing) separate SSL certificates for all the host names/domains under which the site will be accepted, to avoid the security warning. An alternate option is to purchase a wildcard certificate for the entire domain and sub tree (ie: *.example.com).
There are, to the best of my knowledge, no other ways around this; it's one part of how the HTTPS security is established.
When you're running HTTPS, you should have a different certificate for each server (subdomain) not each domain and the client should trust it if you don't want them to see this error.
You can use a wildcard certificate also. It would inherit through all subdomains.

Resources