Troubleshooting
The most common problems with remote administration can be grouped under two error messages: Unable to Connect to the Remote Server and (401) Unauthorized.
Unable to Connect to the Remote Server
When you try to connect remotely and don’t receive a response from the remote server, you will get an error message such as Unable to Connect to the Remote Server. You can get this error message for several reasons, including:
- The Web Management Service has not been started on the remote machine. The Web Management Service is responsible for listening for remote requests, and it must be running.
- A firewall is blocking the client requests. Make sure that a firewall is not blocking the port that Web Management Service uses. By default, the service uses port 8172 and includes a Windows Firewall exception for it. However, if you change the port, you will need to create a firewall exception for it.
- The client and the server are using different configurations. If you are using a port other than the default 8172, specify it in the Server Name text box in the Connect To Server dialog box.
- The configuration settings in HTTP.sys are not set correctly. This configuration is set when you are using the Management Service feature in IIS Manager. In this case, you need to make sure that the URL reservation and the SSL configuration are registered correctly. To do so, you can use the Netsh.exe command line tool. The output of a machine configured correctly is shown in the following code. Note that some of the fields might be different, specifically the port and the certificate hash.

    netsh http show urlacl

    URL Reservations:
    -----------------
        Reserved URL : https://*:8172/
            User: NT SERVICE\WMSvc
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-257763619-...)

    netsh http show sslcert

    SSL Certificate bindings:
    -------------------------
        IP:port : 0.0.0.0:8172
        Certificate Hash : 2e302fb76cbb0ff0cec2b759820fec5cd1f7a0cd
        Application ID : {00000000-0000-0000-0000-000000000000}
        Certificate Store Name : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check : Enabled
        Revocation Freshness Time : 0
        URL Retrieval Timeout : 0
        Ctl Identifier : (null)
        Ctl Store Name : (null)
        DS Mapper Usage : Disabled
        Negotiate Client Certificate : Disabled

If the HTTP.sys configuration is not set
correctly, you can try to use the Management Service feature in IIS
Manager to set it correctly. Another advanced option is to manually use
Netsh.exe to configure the values.
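
The two HTTP.sys settings can also be checked by script against saved Netsh.exe output. The following Python is an added example, not code from the original text; the function names are hypothetical, the sample input is a trimmed copy of the output shown above, and it assumes English-language netsh output.

```python
import re

# Constructed sample input: trimmed copy of the netsh output shown above.
URLACL = """\
Reserved URL : https://*:8172/
User: NT SERVICE\\WMSvc
Listen: Yes
"""
SSLCERT = """\
IP:port : 0.0.0.0:8172
Certificate Hash : 2e302fb76cbb0ff0cec2b759820fec5cd1f7a0cd
"""

def reservations(urlacl_text):
    """Map each reserved URL to the accounts that hold Listen rights on it."""
    result, url, user = {}, None, None
    for line in urlacl_text.splitlines():
        if m := re.match(r"\s*Reserved URL\s*:\s*(\S+)", line):
            url, user = m.group(1), None
            result[url] = []
        elif m := re.match(r"\s*User:\s*(.+?)\s*$", line):
            user = m.group(1)
        elif re.match(r"\s*Listen:\s*Yes\s*$", line) and url and user:
            result[url].append(user.lower())
    return result

def ssl_bindings(sslcert_text):
    """Map each bound port to the certificate hash registered for it."""
    result, port = {}, None
    for line in sslcert_text.splitlines():
        if m := re.match(r"\s*IP:port\s*:\s*\S*:(\d+)\s*$", line):
            port = int(m.group(1))
        elif (m := re.match(r"\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)", line)) and port:
            result[port] = m.group(1).lower()
    return result

def check_wmsvc(urlacl_text, sslcert_text, port=8172, account=r"NT SERVICE\WMSvc"):
    """Return a list of problems; an empty list means both settings are present."""
    problems = []
    url = f"https://*:{port}/"
    holders = reservations(urlacl_text).get(url)
    if holders is None:
        problems.append(f"no URL reservation for {url}")
    elif account.lower() not in holders:
        problems.append(f"{url} is not reserved for {account}")
    if port not in ssl_bindings(sslcert_text):
        problems.append(f"no SSL certificate binding on port {port}")
    return problems

print(check_wmsvc(URLACL, SSLCERT) or "HTTP.sys configuration looks correct")
```

Pass a different `port` when the Web Management Service has been moved off the default 8172.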
(401) Unauthorized
You might get this error for several reasons, including:
- The user or password is invalid. Whenever an invalid user or password is used to try to access the Web Management Service, an entry will be logged in the Windows Event Viewer in the Security Log. This will include all the details, as shown here.

    An account failed to log on.
    Subject:
        Security ID: LOCAL SERVICE
        Account Name: LOCAL SERVICE
        Account Domain: NT AUTHORITY
        Logon ID: 0x3e5
    Logon Type: 8
    Account For Which Logon Failed:
        Account Name: Administrator
        Account Domain: CARLOSAG1-IIS
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc0000064
    Process Information:
        Caller Process ID: 0x8d8
        Caller Process Name: D:\Windows\System32\inetsrv\WMSvc.exe

- The delegated user, either Windows or IIS Manager User, is not allowed to connect to the site or application. In this case, an entry with Source: IIS-IISManager and an Event ID: 1105 will be logged in the Windows Application Event Log. It will look similar to the following code.

    IISWMSVC_AUTHORIZATION_FAILED
    The user 'IisUser1' is not authorized for the path '/Default Web Site'
    Process:WMSvc
    User=NT AUTHORITY\LOCAL SERVICE

  To correct this, you can go to the specific site or application level inside IIS Manager and use the IIS Manager Permissions feature to grant the delegated user permissions to log on.
- A delegated user is trying to establish a server connection. As mentioned previously, only Windows users with administrative privileges are allowed to connect to the server. If a delegated user tries to connect to the server, the attempt will be denied. An entry with Source: IIS-IISManager and an Event ID: 1104 will be logged in the Application Event Log. It will look similar to the following.

    IISWMSVC_AUTHORIZATION_SERVER_NOT_ALLOWED
    Only Windows Administrators are allowed to connect using a server
    connection. Other users should use the 'Connect To Site or Application'
    task to be able to connect.
    Process:WMSvc
    User=IisUser1

You’ll find it useful to understand the activity
of the Web Management Service’s logging functionality. By default, the
log files are stored in the %SystemDrive%\Inetpub\Logs\Wmsvc\
folder. Below this, you will find a folder named W3SVC1 that contains
all the log files detailing the activity of the Web Management Service.
The log file uses the World Wide Web Consortium (W3C) log file format to log information about all the activity on the server. This format is handled by HTTP.sys and is an ASCII text-based format that is easy to read and understand. Fields are separated by spaces, and time is recorded in Coordinated Universal Time (UTC). Table 4 lists the fields that are available in the log file for each request the service processes.
Table 4. Fields Included in the Log File
| Field | Description |
|---|---|
| date, time | The date and time of the activity, in UTC format |
| s-ip | The IP address of the server |
| cs-method | The HTTP method used, for example, GET or POST |
| cs-uri-stem | The target of the action; most remote client requests will use /service.axd as the target |
| cs-uri-query | The query information for the target; for /service.axd, it will include the module used, the method invoked, and the site and application path if you are using delegated connections |
| s-port | The server port used |
| cs-username | The user that generated the request |
| c-ip | The client IP address |
| cs(User-Agent) | The type of client used for this call, including its name and the version information |
| sc-status | The HTTP status code |
| sc-substatus | The HTTP substatus code |
| sc-win32-status | The Windows status code |
| time-taken | The time it took to execute the request |
The best way to analyze the log file is to use
an existing tool called Log Parser that lets you easily issue queries by
using a SQL-based syntax. The following section shows how to do this.
Note
Log Parser is a tool that provides query
access to text-based log files, XML files, and CSV files. You can
download Log Parser by going to http://www.microsoft.com/downloads
and searching for Log Parser. You must execute queries from within the
context of the Log Parser command prompt. To open the command prompt,
launch Log Parser from the Log Parser program group.
Analyzing Remote Administration Logs by Using Log Parser
Log Parser is a powerful tool that provides access to several different file formats and offers a simple, universal query syntax for working with them. All of the following queries can be executed using the LogParser.exe command line tool included with Log Parser. Use the following syntax to do so.

    LogParser.exe "<QUERY>" -i W3C

The argument -i specifies that the input format of the logs is W3C.
The following query displays a table showing
all the different status codes that have been generated as well as the
number of times each has been hit.

    SELECT TOP 25
        STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus))) As Status,
        COUNT(*) AS Hits
    FROM c:\inetpub\logs\wmsvc\w3svc1\*.log
    WHERE cs-uri-stem='/Service.axd'
    GROUP BY Status ORDER BY Status ASC

    Status Hits
    ------ ----
    200.0  264
    401.1  7
    401.2  89
    403.6  2

Number of Requests per User
The following query shows the number of requests issued per user.

    SELECT TOP 25
        cs-username As User,
        COUNT(*) as Hits
    FROM c:\inetpub\logs\wmsvc\w3svc1\*.log
    WHERE User Is Not Null
    GROUP BY User ORDER BY Hits DESC

    User           Hits
    -------------- ----
    administrator  219
    DelegatedUser1 75
    IisUser1       19

Number of Times a Module Has Been Used
The following query uses the information in the request to determine how many times a module has been used.

    SELECT TOP 25
        EXTRACT_VALUE(cs-uri-query,'Module') as Module,
        COUNT(*) As Hits
    FROM d:\inetpub\logs\wmsvc\w3svc1\*.log
    WHERE Module IS NOT NULL
    GROUP BY Module
    ORDER By Hits DESC

    Module            Hits
    ----------------- ----
    Framework         138
    WebObjects        90
    AppSettings       51
    ConnectionStrings 16
    ClassicAsp        7

List the Number of Delegated Calls for Each Site
The following query lists the number of calls made over delegated connections, either site or application connections, grouped by site.

    SELECT TOP 25
        TO_LOWERCASE(EXTRACT_VALUE(cs-uri-query,'Site')) as Site,
        COUNT(*) As Hits
    FROM c:\inetpub\logs\wmsvc\w3svc1\*.log
    WHERE Site IS NOT NULL
    GROUP BY Site ORDER By Hits DESC

    Site                 Hits
    -------------------- ----
    default%20web%20site 305
    delegateduser1site   8
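
The same summaries can be computed directly from the W3C files, which also lets you decode escaped site names such as default%20web%20site and count rejected logons per client IP. This Python is an added example, not part of the original text; the log lines are constructed, the function names are hypothetical, and it assumes substatus 1 on a 401 marks rejected credentials, as IIS documents for 401.1.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in the W3C layout of Table 4 (not real traffic).
SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-03-01 18:02:10 10.0.0.5 POST /Service.axd Module=Framework 8172 - 10.0.0.20 InetMgr 401 2 5 15
2008-03-01 18:02:11 10.0.0.5 POST /Service.axd Module=Framework 8172 administrator 10.0.0.20 InetMgr 200 0 0 31
2008-03-01 18:05:40 10.0.0.5 POST /Service.axd Module=AppSettings&Site=Default%20Web%20Site 8172 IisUser1 10.0.0.21 InetMgr 200 0 0 46
2008-03-01 18:09:01 10.0.0.5 POST /Service.axd Module=Framework 8172 - 10.0.0.99 InetMgr 401 1 1326 12
2008-03-01 18:09:03 10.0.0.5 POST /Service.axd Module=Framework 8172 - 10.0.0.99 InetMgr 401 1 1326 11
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the directive may reappear mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or foreign lines
                yield dict(zip(fields, values))

def query_value(row, name):
    """Decoded value of one cs-uri-query parameter, or None if absent."""
    return parse_qs(row["cs-uri-query"]).get(name, [None])[0]

def status_summary(rows):
    """Hits per 'status.substatus', like the status code query above."""
    return Counter(f"{r['sc-status']}.{r['sc-substatus']}" for r in rows)

def calls_by_site(rows):
    """Delegated calls per site, with %20-style escapes decoded."""
    sites = (query_value(r, "Site") for r in rows)
    return Counter(s.lower() for s in sites if s)

def rejected_logons_by_client(rows):
    """401.1 responses per client IP, for review of repeated failures."""
    return Counter(r["c-ip"] for r in rows
                   if (r["sc-status"], r["sc-substatus"]) == ("401", "1"))

rows = list(parse_w3c(SAMPLE))
print(status_summary(rows))
print(calls_by_site(rows))
print(rejected_logons_by_client(rows).most_common())
```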