I have a SignalR solution that is deployed to an Azure Web Role (cloud service, not Azure Web Site) and in order to ensure we can maximise the number of connections to each instance I need to make some changes various ASP.NET settings as detailed in this article: http://www.asp.net/signalr/overview/performance/signalr-performance#tuning
The appConcurrentRequestLimit and requestQueueLimit settings were easily changed with a startup task that uses APPCMD to make the relevant changes. However, the maxConcurrentRequestsPerCPU setting resides in the aspnet.config file which cannot be changed via the same mechanism.
I have tried updating that file directly with a startup task (just a basic file replacement for now), however it seems to get replaced by the Azure runtime after the startup tasks have completed and so the change is lost. I can RDP into the machine and make the change manually so I have seen that it works however that is not sustainable for a service that we expect to scale up and down on demand.
Any ideas on how to change this setting in an Azure environment would be appreciated!
I ended up using the following registry based approach which allowed me to change the maxConcurrentRequestsPerCPU setting without using aspnet.config
I added the following usage of the REG command line utility to my existing startup.cmd (already in use for calling APPCMD to change other settings):
REG ADD HKLM\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0 /v MaxConcurrentRequestsPerCPU /t REG_DWORD /d 10000
REG ADD HKLM\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\4.0.30319.0 /v MaxConcurrentRequestsPerCPU /t REG_DWORD /d 10000
This will configure both 32 and 64 bit application pools, although I only needed 64 in this instance.
Related
Hello we are using Azure Virtural Machine. Now We cannot remote into the server due to the following error message. Would like to get suggestion on the error since we don't have the support plan and the live agent suggest me to ask here.
Thanks all.
Error Message Image
So I resolved the issue temporarily. Follow these steps on your local computer (not on server)
Note : The below steps are not recommended by Microsoft. So follow these steps just to login to your machine and do necessary updates. Once it's done, revert the configuration changes
1 . Go to "Administrative Templates" (type /search it directly on window)
Please see above image.
Right click and edit Encryption Oracle Remediation.
Make it enabled, and change protection level to "vulnerable"
Click on Apply and close window.
Try to connect to VM. And after establishing a connection, update the VM if there's any pending updates
For a fast workaround that doesn't involve any server side changes just type the following in a console with administrator privileges
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
I didn't have permission (human permission) to make any change to the server so this was a perfect solution for me
Easiest solution for me was to download remote desktop app on my phone and connect to remote server. Install windows updates on remote server and I was able to connect again from my pc
Login into https://portal.azure.com
Navigate to the Azure Virtual Machine tab and go to the VM that is giving this error
Now under operations, select the Run Command option which will give you the option to run a PowerShell script
In the PowerShell script section, type in the below two lines and click on run
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
Now on your own machine (client machine), follow the below steps:
On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
If needed, please restart the server and now when you try to RDP into your Azure VM you will be able to login and complete the connection. Please note that it is highly recommended to patch your VMs and follow the latest guidelines that are mentioned in the Microsoft Support Article or blog
This issue can be resolved, just use this below command
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
I had the same issue. My server didn't have the option.
Encryption Oracle Remediation
But I solved it by unchecking
Allow connections only from computers with network level authentication
under system properties as shown in figure.
I noticed that when you RDP to a Web Role instance on Windows Azure to make an iisreset, the World Wide Web Publishing Service shuts down, and the only way to get your role up and running again is either by restarting the aforementioned service or re-roll/restart your instance.
For reasons unknown to me, Windows Azure default the start mode of World Wide Web Publishing Service to Manual, why an iisreset sort a leave your Web Role unavailable to the WWW.
I found a solution to this - IMO - odd behavior, and answered it to the original question of this post.
However, is there an alternative to iisreset on Windows Azure - maybe programmatically where I can pinpoint the exact instance? Because that is another issue; now I have to use RDP to each instance .. it would be nice if it was possible to do a pinpoint each instance.
Think about it; i have a CNAME to www.awesome-azure.com; this is hosted by 3 instances in round-robin, and I want to reset/monitor/diagnose/heartbeat each one through a REST API (ir similiar), and not like now - through RDP.
Can this be achieved.
EDIT
Tried to make it more clear what the challenge is as well as the goal to achieve.
EDIT 2
Provided a solution to the iisreset challenge; updated the question to pinpoint instances over the Internet if possible.
Well, I still don't know why Microsoft Azure decides to set World Wide Web Publishing Service to start mode Manual, but I found a way to change it.
To the second part of the original question I still hoping for an answer, but until then, please find my solution for the first part to fix the (IMO) iisreset problem with Startup Task:
In your startup.cmd (or what ever you have named it) which I have placed in a startup folder in the root of my application, include this line of text:
powershell -ExecutionPolicy Unrestricted .\startup\w3svc.ps1
In the same folder, create a PowerShell file named w3svc.ps1 with the following content:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC -Name Start -Value 2
Voila; your IIS now works as expected - World Wide Web Publishing Service is now set to start mode Automatically.
Note: for the above to work, you need to have your osFamily property set to 2 in you ServiceConfiguration.cscfg file.
You can handle the RoleEnvironment.Changing event in WebRole.cs and set the Cancel property on the event arguments object to true. Then you just need to make a change to the configuration settings and Azure will restart all your instances in an orderly fashion.
I don't know why iisreset isn't working. As to your second question, you can use the Service Management API to reboot or reimage an instance. That might do what you want. You could also, of course, write your own code to do whatever you want. (You could have code in your web role that polls a blob called <instance ID>.txt and does an iisreset any time the blob changes.)
I am trying to deploy a PHP application to azure web cgi role. I set my web.config and web.roleconfig correctly, I believe. Since when I remote to the machine, I set the fast cgi handler in IIS manually to the same value. It works. However, it doesn't work after the package is deployed, even if the value is the same! I have to manually reset it to the same value! Sounds weird?
So I am thinking to write a piece of code in role start event to reset the mapping. Does anybody knows how to do it in C#?
Thanks
KAO!
Setting up the handler mapping has two phases:
1. setup web.config
2. create application
I only did first one. By clicking the OK on the popup window on UI will set the second. So if I want to deploy to Azure on a side website (which mean the website is not linked with the web role), I have to do the second setup myself, by either manually or runing a command line: %windir%\system32\inetsrv\appcmd set config /section:system.webServer/fastCGI /+[fullPath='XXXX\php-cgi.exe']
I'm trying to deploy website with MSDeploy and team build using some of this ...
/p:DeployOnBuild
/p:DeployTarget=MsDeployPublish
/p:CreatePackageOnPublish=True
/p:MSDeployPublishMethod=InProc
/p:MSDeployServiceURL=localhost
/p:DeployIISAppPath="Default Web Site"
Is there a way to set this website in custom application pool?
If you're using IIS 7, you can use the appPoolProvider to sync application pools to a remote server. See:
http://technet.microsoft.com/en-us/library/dd569070(WS.10).aspx
and
http://blog.torresdal.net/2010/08/16/NoClickWebDeploymentPart2WebDeployAkaMsdeploy.aspx
However, I wasn't able to really get that to work well, and if you're using IIS 6 this won't work anyway. What you can do though is leverage MSDeploy to run a couple commands on the remote server to set the application pool (and register the .NET version on the website).
First, create a batch file that contains something similar to the following:
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs
SET w3svc/<IIS number>/Root/<virtual directory>/AppPoolid "<app pool name>"
So, if the IIS number is 1, your virtual directory is "MyDirectory" and the App Pool is named ".NET4.0", the command would be.
cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs
SET w3svc/1/Root/MyDirectory/AppPoolid ".NET4.0"
You can then run MSDeploy, passing this batch file in as an argument and running it on the remote machine:
MSDeploy
-verb:sync
-source:runCommand="<path to batch file>",waitinterval=5000
-dest:auto,computername=<computer name>
where <path to batch file> is the full path to the batch file you just created above, and is the computer against which you want to run this. Here is a link describing the runCommand argument: http://technet.microsoft.com/en-us/library/ee619740(WS.10).aspx
I'm sure you can set this up as a build step in TFS. We made a little .NET utility that we call as part of our deployment process that creates these batch files and runs the MSDeploy command.
There are also other things you can do in this same method that might prove useful to you:
Register an IIS version:
%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
-s w3svc/1/root/MyDirectory
Create an App Pool:
CSCRIPT //nologo %dir%\adsutil.vbs
CREATE w3svc/AppPools/AppPoolName IISApplicationPool
Thanks to http://justsamson.com/2010/06/14/create-virtual-directory-in-iis-6-0-via-command-line/ for the command-line scripts to do the various functionality.
Part of the trick is with /p:IncludeAppPool=true. That changes the deploy script to enable AppPoolExtension. But I haven't figured out how best to actually set the app pool yet. :)
I have an app which I'm trying to restrict permissions to while I'm doing maintenance. I use windows file permissions and remove access to the dll file the app runs from for all non admin accounts, ie:
cacls "%DLL_LOC%" /E /R BUILTIN\Users
and then I recycle the application pool (which was working on my dev environment to lockout users):
cscript c:\windows\system32\iisapp.vbs /a "DefaultAppPool" /r
But no luck as anybody can still access the dll and the app.
Any further ideas are appreciated as I haven't gotten the permissions to consistently be applied.
Make sure that the file you are editing is not inheriting its permissions from the folder above.
So after a couple of illfated attempts at trying to block network ports for a workaround and restarting the machine two or three times the users are blocked.
Sorry for the simple restart fix XP.