Laurence's questions

Setup: a .NET (4.6) client application connects to a remote SOAP service over HTTPS. The remote service can be configured to require a a client certificate or not.

What I am looking as an answer is any possible explanation of why scenario #2 fails ... the following 3 scenarios were all tested using exactly the same code base, only changing the certificates involved and whether or not a client certificate was required by the service.

Scenario #1 - no client certificate required

• client connects OK

Scenario #2 - client certificate required, certificate A used

• certificate A is installed in Windows on client side (local computer store)
• certificate is valid, 2048 bits, non-wildcard, used successfully for server authentication in another unrelated service, issued by GoDaddy Secure Certificate Authority - G2
• certificate is shared with the remote party who seem to know what they are doing
• when client attempts request, handshake fails. On the client side the .NET exception is "The request was aborted: Could not create SSL/TLS secure channel.". On the server side the error is "client failed to present a certificate".

Scenario #3 - client certificate required, certificate B used

• everything is exactly the same as #2 except a different client certificate is used (B)
• certificate is valid, 2048 bits, wildcard, used successfully for server authentication in another unrelated service, issued by GeoTrust RSA CA 2018
• client connects OK

What we can see from logs is that in both scenario #2 and #3, the client and server negotiate to use TLS 1.2.

After running the above multiple times, checking everything, my only conclusion is that certificate A is somehow not compatible with the setup - either the .NET client decides not to present it, or the service cannot accept it. But what could possibly be different/missing?

Background

We are testing a pair of Windows 2008 R2 (IIS 7.5) web servers in conjunction with a hardware load balancer (external device) that splits port 80 traffic coming into a Virtual IP between the 2 servers.

There is a test website set up on both servers (each server has a duplicate copy). There is an address to access the site through the VIP, another address to access the site directly on server #1 and another for server #2.

In IIS, on both servers, the bindings are set up as follows (I am using a Shared Config, which is why both servers have all the bindings needed for both):

Type   Host Name                       Port   IP Address
HTTP   address-resolving-to-server-1   80     Public-IP-of-server-1
HTTP   address-resolving-to-server-2   80     Public-IP-of-server-2
HTTP   address-resolving-to-VIP        80     Public-IP-of-server-1 *

• This might not be the right binding to allow traffic coming through the VIP to be split across the servers, but at least it was allowing the site to come up on the VIP.

Up until today this has been working fine – the test website could be accessed through all 3 addresses.

Reporting Services 2008 R2 is installed on both servers. The configuration has not been altered since running the installation wizard. The binding of the Report Server and Report Manager looks like this:

IP Address: All Assigned (recommended) TCP Port: 80 SSL Cert: none

Reporting Services is also working fine.

The Problem !!

A change was made in the configuration of Reporting Services on server #1, and since then the test website cannot be accessed through the load balancer. Web clients hang for about 30s, then return a 502 - Connection Failed error.

Accessing the test website directly on server #1 and directly on server #2, still works.

This is the configuration change that was made in Reporting Services:

Under the Report Server (Web Service URL) section, we clicked Advanced and edited the existing HTTP Identity record, and changed it from listening on “All Assigned” IP addresses to a specific Host Header Name (the NETBIOS name of the server).

Immediately after making this change, the test website could no longer be accessed through the load balancer, however it could still be accessed directly on server #1 and directly on server #2. Reporting Services continued to work after the change.

We set the configuration of Reporting Services back to the original settings, however the problem persists.

We have tried restarting all IIS related services, and even restarting the server, but this has made no difference.

There are no relevant errors in the Windows System or Application logs that we can see.

I think this issue must have something to do with "URL reservations" as described here but I am really confused why setting the RS binding back to the default has not fixed the issue. It seems like RS has permanently hosed the server!

Setup: ASP.NET 4.0 website on IIS 6.0 on Win 2003 64 bit, 8xCPUs, 16GB memory, separate SQL 2005 DB server.

Had a serious slowdown today with any otherwise fairly well performing ASP.NET site. For a period of a couple of hours all page requests were taking a very long time to be served - e.g. 30-60s compared to usual 2s. The w3wp.exe's CPU and memory usage on the webserver was not much higher than normal. The application pool was not in the middle of recycling (and it hadn't recycled for several hours). Bottlenecks in the database were ruled out - no blocks occurring and query results were being returned quickly. I couldn't make any sense of it and set up the following Perfmon counters:

• Current Anonymous Users (for site in question)
• Get requests/sec (ditto)
• Requests/sec for the ASP.NET application running the site

Get requests/sec was averaging 100-150. Requests/sec for ASP.NET was averaging 5-10. However Current Anonymous Users was around 200. And then as I was watching, the Current Anonymous Users began to climb steeply going up to about 500 within a few minutes. All this time Get requests/sec & Requests/sec for ASP.NET was if anything going down.

I did a whole load of things (in a panic!) to try to get the site working, like shutting it down, recycling the app pool, and adding another worker process to the pool. I also extended the expiration time for content (in IIS under HTTP Headers) in an attempt to lower the number of requests for static files (there are a lot of images on the site).

The site is now back to normal, and the counters are fairly steady and reading (added Current Connections counter):

• Current Anonymous Users : average 30
• Get requests/sec : average 100
• Requests/sec for ASP.NET : 5
• Current Connections : average 300

I have also observed an inverse relationship between Get requests/sec & Current Anonymous Users. Usually both are fairly steady but there will be short periods when Get requests/sec will go down dramatically and Current Anonymous Users will go up in a perfect mirror image. Then they will flip back to their usual levels.

So, my questions are:

Thinking of the original performance issue - if w3wp.exe CPU, memory usage were normal and there was no DB bottleneck, what could explain page requests taking 20 times longer to be served than usual? What other counters should I be looking at if this happens again?

What explains the inverse relationship between Get requests/sec & Current Anonymous Users?

What could explain Current Anonymous Users going from 200 to 500 within a few minutes?

Many thanks for any insight into this.

Periodically my ASP.NET application crashes (usually because memory consumption exceeds maximum allowed by application pool) and DW20.exe starts up. This is a big problem because it uses huge amounts of memory and CPU for minutes at a time.

I want to know how to stop DW20.exe from running. Please note, I have already tried these often mentioned solutions:

• Disabling error reporting in Control Panel > System > Advanced > Error Reporting

• Disabling the Error Reporting Service

• Modifying the registry as in http://support.microsoft.com/kb/841477 (however I might have done this wrong - this doc says "add a DWReportee value of 1" - what I did was add a DWORD entry with hexadecimal value of 1 - is this right? Also only 2 of the 4 keys were present, so I only modified these, e.g. there was no HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth key at all)

So, zero points for suggesting any of the above (unless you can see I have modified the registry incorrectly)! Also zero points for suggesting I resolve whatever is causing the application crashes :) - I am figuring this out, I just want something in the mean time to stop DW20.exe eating up all the server resources.

By the way, this is a Windows 2003 SP1 server, with IIS 6 and SQL 2005 installed. There is no MS Office.

I am designing a process for users (some on a company LAN and some on internet) to upload files to a third party's FTP server. The critical requirement is to enforce a secure (FTPES) connection to the server. I am recommending the FileZilla client but as FTES is an optional setting I can only request the users create secure FTP connections - can't force them to. I should mention here that the FTP server belongs to a third party provider and if there are server settings to enforce FTPES connections, we can't get these enabled.

My idea is to set up an FTP Proxy server that acts as a wrapper to the third party server and which only accepts FTPES connections.

So, has anyone heard of an FTP Proxy server that can do this? The closest I have found after hours of scouring the web is Kiesoft Advanced FTP Server, but this only runs as a desktop app, not as a service.

I am designing a process for end users to upload files to an FTP server. The critical requirement is to ensure the connection to the server is secure.

I know it is possible for many FTP client applications to create a secure FTP connection (e.g. FTPES or SFTP - and yes the FTP server does support these) but its an optional setting in the client. In other words we can request people create secure FTP connections but we can't force them to.

I should mention here that the FTP server belongs to a third party provider and if there are server settings to enforce FTPES or SFTP connections, we can't get these enabled.

So, the question is - is there a way to enforce secure FTP connections? Here's a few speculations:

1. Maybe there's an FTP client that forces a secure FTP connection to be used and I tell end users this is the only client they can use. This is a bit lame!

2. Maybe there's an FTP client that can get its FTP connection details (url, protocol & login) from a remote server (i.e. a server I control) and therefore I can dictate them and the end user never sees them.

3. Maybe I could establish some kind of "2 hop" connection where the user initially connects to a server I control that requires a secure connection but (transparently to the user) the connection is actually redirected to the real FTP server.