Thursday, September 10, 2015

SharePoint 2013 - 404 Not Found while accessing site collection from outside

Error :

I have SharePoint 2013 running on Windows Server 2012. The following issue appeared:
I made a new site collection as a wiki. Everything (links, ...) works fine on the server, but when I want to access the wiki from outside (not localhost) the server runs into a 404 Not Found error.
http://localhost/sites/wiki/Pages/Home.aspx - works fine(localhost)

http://10.38.0.15/sites/wiki/Pages/Home.aspx - doesn't work.
I checked the IIS settings, all servers are up and running. The log file has no errors in it.

Resolution :

The most common cause for this is that you don't have the IIS host header configured correctly. The 404 will appear because you are hitting a different IIS web site and not the one you intended to.
If you go into IIS Manager and click on "Sites", the right hand pane will show a column called Bindings and a column called ID.
IIS will check in the order of ID for the first site that matches. Make sure the default site is stopped. Suppose you see bindings that look like the following:
ID 1: Bindings: *:80
ID 2: Bindings: www.yoursite.com:80
www.othersite.com will match ID 1. Any other site that doesn't specify a port or https: will be directed to ID 2.

You need to ensure that the site you are trying to access matches your bindings. The "www.yoursite.com" is added to the site via "New Web Application" in SharePoint.

There is a field called Host: in Central Administration. This should match what you are typing from inside and outside the server.

If you need the site to respond to multiple names, you need to extend the web application.
Assuming you used the default of claims authentication, here are the instructions for that:
I am not sure if this is still required in Server 2012, but disabling the loopback check might also help, although this usually results in a 401, and repeated attempts to log in. Here are the instructions for that.

Friday, April 24, 2015

Intermittent "HTTP 403 – Forbidden" error while trying to browse to a SharePoint web app

Consider a scenario where you receive the following error when you browse to a SharePoint web app:

The website declined to show this webpage
HTTP 403
Most likely causes:
This website requires you to log in.


This issue is intermittent. Strangely, if we create a copy of the web.config file, rename the web.config file and refresh the home page, we receive an "HTTP 404 - Page Not Found" error. Rename the web.config file back and refresh the page. The site is browsable for a while before failing again after some time.
We see the following error in Failed Request Tracing:


A procmon trace captured while accessing the web app from the server showed the following:

w3wp.exe 4180 CreateFile C:\inetpub\wwwroot\wss\VirtualDirectories\Web80.Contoso.com80\bin ACCESS DENIED Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\IUSR


This issue usually occurs when a request from an authenticated user without local admin rights results in a failed read of the /BIN directory by the impersonating w3wp.exe (IIS worker process for ASP.NET) process. This behavior is typically associated with lack of permissions to the temporary folder /BIN where ASP.Net assemblies are Just In Time (JIT) compiled.
Resolution
The solution is to ensure that the Authenticated Users or <SERVER NAME>\Users group (which usually contains the DOMAIN\Users group) has Read & Execute, List Folder Contents and Read permissions on the /BIN folder below C:\inetpub\wwwroot\wss\VirtualDirectories\{Sitename80}.

Follow the steps listed below to grant the required permissions: 
  • Open Windows Explorer and navigate to the /bin directory of your web application
  • Right-click on the folder and click on Properties
  • Go to Security tab and click on Edit
  • Click on Add and add the local server group Authenticated Users or <SERVER NAME>\Users (this usually contains DOMAIN\Users group).
  • Select the Read & Execute, List Folder Contents and Read permissions (if you are planning to add Everyone to the /bin folder, grant Read permissions only)
  • Click OK to apply the new settings
Refresh the page and we should be able to browse to the site.

There are instances where this permission needs to be re-applied as part of every deployment and we may often find that the permissions have reset after touching the Authentication Providers settings in Central Admin.
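Because the permissions can reset after a deployment, the check and grant from the steps above can be kept as a re-runnable script. This is an added example, not part of the original post: the function names and the demo folder are hypothetical, and it assumes the grant goes to Authenticated Users, addressed by its well-known SID S-1-5-11.

```powershell
# Added example: idempotent check-and-grant for a web application's \bin folder.
# Function names and the demo folder are hypothetical.

# "Authenticated Users" by well-known SID, so localized group names do not matter.
$AuthUsersSid = 'S-1-5-11'
$Needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-BinReadAccess {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $covers = ($rule.FileSystemRights -band $Needed) -eq $Needed
        if ($rule.IdentityReference.Value -eq $AuthUsersSid -and
            $rule.AccessControlType -eq 'Allow' -and $covers) {
            return $true
        }
    }
    return $false
}

function Repair-BinReadAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-BinReadAccess -Path $Path) { return 'already granted' }

    $sid     = New-Object System.Security.Principal.SecurityIdentifier $AuthUsersSid
    # Apply to the folder, its subfolders and its files, as the Explorer dialog does.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $Needed, $inherit, $prop, $allow

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)          # Read & Execute only; no write or modify rights
    Set-Acl -LiteralPath $Path -AclObject $acl
    return 'granted'
}

# Demo against a throwaway folder so the script can be tried safely.
$demo = Join-Path $env:TEMP 'bin-acl-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Repair-BinReadAccess -Path $demo      # grants the rule if it is missing
Repair-BinReadAccess -Path $demo      # second run reports 'already granted'

# Real use (replace the placeholder with your site's folder name):
#   Repair-BinReadAccess -Path 'C:\inetpub\wwwroot\wss\VirtualDirectories\<site folder>\bin'
```

The check looks only for an Allow rule covering Read & Execute; it does not evaluate Deny rules.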
More Information
If an administrator accesses the site/feature that caused the error, the subsequent requests from non-administrators would succeed. This behavior is typically associated with lack of permissions to the temporary folder where ASP.Net assemblies are Just In Time compiled.
The freb trace shows a 403.0 for ManagedPipelineHandler
It seems to go through quite a few ASPNet events, but the failure happens during the ASPNetPageRender: it goes to the ASPNetPageRender Enter, then ASPNetHTTPHandler Leave. Only then does it get a 403.0, which is not an official RFC error. The first sub-status for 403 is 403.0.
Application pool in Classic or Integrated mode 
  1. Application Pool in Classic Mode – In this case, we can configure a Wildcard mapping for ASPNET_ISAPI.dll at the website level. That would propagate to child virtual directories. That should not need any further modifications at the virtual directory level.
  2. Application Pool in Integrated Mode – In this case, all relevant virtual directories would need individual modifications. They need to be set for specific handler. E.g. ‘book’ virtual directory needs mapping for BookAPI and ‘movie’ directory would need mapping for MovieAPI.

Saturday, April 18, 2015

IIS Application Pool Availability Event ID

Event ID | Source | Message
 | Microsoft-Windows-IIS-W3SVC | The World Wide Web Publishing Service (WWW Service) encountered an error when it tried to secure the handle of application pool %1 from HTTP.sys. Edit the identification information for the application pool so that the WWW Service can secure the handle of the application pool again. The data field contains the error number.
 | Microsoft-Windows-IIS-W3SVC | Application pool %1 has been disabled. The HTTP.sys request to enable the application pool failed. The data contains the error number.
 | Microsoft-Windows-IIS-W3SVC | Application pool %1 was not disabled. The HTTP.sys request to disable the application pool failed. The data contains the error number.
 | Microsoft-Windows-IIS-W3SVC | The World Wide Web Publishing Service (WWW Service) did not issue a demand start to HTTP.sys for application pool %1. The data field contains the error number.
 | Microsoft-Windows-IIS-W3SVC-WP | The worker process for application pool '%1' encountered an error '%2' trying to read global module configuration data from file '%3', line number '%4'. Worker process startup aborted.
 | Microsoft-Windows-IIS-W3SVC-WP | An application has reported as being unhealthy. The worker process will now request a recycle. Reason given: %1. The data is the error.
 | Microsoft-Windows-WAS | Application pool '%1' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
 | Microsoft-Windows-WAS | A process serving application pool '%1' terminated unexpectedly. The process id was '%2'. The process exit code was '0x%3'.
 | Microsoft-Windows-WAS | A process serving application pool '%1' failed to respond to a ping. The process id was '%2'.
 | Microsoft-Windows-WAS | A process serving application pool '%1' suffered a fatal communication error with the Windows Process Activation Service. The process id was '%2'. The data field contains the error number.
 | Microsoft-Windows-WAS | A process serving application pool '%1' exceeded time limits during start up. The process id was '%2'.
 | Microsoft-Windows-WAS | A process serving application pool '%1' exceeded time limits during shut down. The process id was '%2'.
 | Microsoft-Windows-WAS | The Windows Process Activation Service encountered an internal error in its process management of worker process '%2' serving application pool '%1'. The data field contains the error number.
 | Microsoft-Windows-WAS | A process serving application pool '%1' was orphaned but the specified orphan action %2 could not be executed. The data field contains the error number.
 | Microsoft-Windows-WAS | The identity of application pool %1 is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights. If the identity is not corrected, the application pool will be disabled when the application pool receives its first request. If batch logon rights are causing the problem, the identity in the IIS configuration store must be changed after rights have been granted before Windows Process Activation Service (WAS) can retry the logon. If the identity remains invalid after the first request for the application pool is processed, the application pool will be disabled. The data field contains the error number.
 | Microsoft-Windows-WAS | Application pool '%1' exceeded its job limit settings.
 | Microsoft-Windows-WAS | A process serving application pool '%1' reported a failure. The process id was '%2'. The data field contains the error number.
 | Microsoft-Windows-WAS | Windows Process Activation Service (WAS) did not run the automatic shutdown executable %2 for application pool %1. The data field contains the error number.
 | Microsoft-Windows-WAS | Application pool %1 has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.
 | Microsoft-Windows-WAS | Application pool %1 has been disabled. Windows Process Activation Service (WAS) encountered a failure when it started a worker process to serve the application pool.
 | Microsoft-Windows-WAS | A worker process with pid '%2' that serves application pool '%1' has been determined to be unhealthy (see previous event log message), but because a debugger is attached to it, the Windows Process Activation Service will ignore the error.
 | Microsoft-Windows-WAS | The Windows Process Activation Service (WAS) did not run the automatic shutdown executable for application pool %1. The data field contains the error number.
 | Microsoft-Windows-WAS | The Windows Process Activation Service (WAS) did not create application pool %1. The data field contains the error number.
 | Microsoft-Windows-WAS | The Windows Process Activation Service (WAS) did not delete application pool %1. The data field contains the error number.
 | Microsoft-Windows-WAS | The Windows Process Activation Service (WAS) did not modify application pool %1. The data field contains the error number.
 | Microsoft-Windows-WAS | A worker process '%2' serving application pool '%1' is no longer trusted by the Windows Process Activation Service, based on ill-formed data the worker process sent to the service. The data field contains the error number.
 | Microsoft-Windows-WAS | Application pool %1 has been disabled. Windows Process Activation Service (WAS) was unable to enable application pool %1, because the request that WAS sent to protocol %2 failed. The data field contains the error number.
 | Microsoft-Windows-WAS | Application pool %1 was not be disabled. The request from protocol %2 to disable the application pool failed. Restart the application pool so that Windows Process Activation Service (WAS) can determine the correct state of the protocol. The data field contains the error number.
 | Microsoft-Windows-WAS | Application pool %1 has been disabled. The request from protocol %2 to create the application pool failed. Restart the application pool so that Windows Process Activation Service (WAS) can determine the correct state of the protocol. The data field contains the error number.
 | Microsoft-Windows-WAS | Windows Process Activation Service failed to create the internal protocol app pool object for app pool '%1' and protocol '%2'. The virtual site of the application needing this app pool protocol combination will be disabled (see next message). The data field contains the error number.
 | Microsoft-Windows-WAS | Windows Process Activation Service (WAS) was unable to determine the security identifier (SID) for the worker process identity in application pool %1. WAS will be unable to provide the correct identity to listener adapters, which may prevent the worker process or processes in the application pool from processing requests for this protocol. To resolve this issue, change the worker process identity to a new identity and then change it back to the previous identity. The data field contains the error number.
 | Microsoft-Windows-WAS | Windows Process Activation Service (WAS) was unable to notify protocol %2 about an identity change for application pool %1. This may prevent the worker process or processes in the application pool from processing requests for this protocol. To resolve this issue, change the worker process identity to a new identity and then change it back to the previous identity. The data field contains the error number.
 | Microsoft-Windows-WAS | The Windows Process Activation Service recovered from a previous error creating app pool '%1'. See previously logged event(s).
 | Microsoft-Windows-WAS | The Windows Process Activation Service has encountered an error during the SID mapping for the application pool '%1'. The application pool will be disabled. This typically happens if there are more than one application pool name that maps to the same SID. To resolve this issue, please change the name of the app pool and recommit the configuration changes. The data field contains the error number.

Tuesday, April 7, 2015

‘HTTP 500 INTERNAL SERVER ERROR’ IN SHAREPOINT 2013 CLAIM BASED AUTHENTICATION

Background :
Your SharePoint 2013 web application uses claims-based authentication and you are getting this error while accessing any site in this web application.
Error in Event Viewer: Task Category: Claims Authentication

Description :
An exception occurred when trying to establish endpoint for context: An error occurred loading a configuration file: Either a required impersonation level was not provided, or the provided impersonation level is invalid.

Root Cause:
The Application pool account was missing the ‘Impersonate a client after authentication’ user right.

Work Around :
Step 1. Go to Start – Administrative Tools – Local Security Policy – Local Policies – User Rights Assignment – Impersonate a client after authentication – Properties



Step 2. Add the application pool account for the site which is not working (click on Add User or Group)
Step 3. Reboot the server
Step 4. Check the site again; it will work.
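To confirm the root cause before changing policy, the user-rights assignment can be exported with secedit and checked for the application pool account. This is an added example, not part of the original post: the function names, the account name and the SIDs in the sample are constructed, and only direct grants are checked (rights inherited through group membership are not expanded).

```powershell
# Added example. $sampleInf is constructed; on a server, produce the real file with
#   secedit.exe /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
# and pass (Get-Content C:\Temp\rights.inf) instead.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
'@ -split "`r?`n"

# SeImpersonatePrivilege is the internal name of
# "Impersonate a client after authentication".
function Get-UserRightHolder {
    param([string[]]$InfLines, [string]$Right = 'SeImpersonatePrivilege')
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # Comma-separated entries; a leading * marks a SID, otherwise an account name.
            return @($Matches[1].Split(',') |
                     ForEach-Object { $_.Trim().TrimStart('*') } |
                     Where-Object { $_ })
        }
    }
    return @()   # the right is not assigned to anyone
}

# Returns the names of the accounts that do not hold the right directly.
function Find-AccountMissingRight {
    param([string[]]$InfLines, [hashtable]$AccountSids)
    $holders = Get-UserRightHolder -InfLines $InfLines
    foreach ($name in $AccountSids.Keys) {
        $direct = ($holders -contains $AccountSids[$name]) -or ($holders -contains $name)
        if (-not $direct) { $name }
    }
}

# Constructed accounts: a domain service account and NETWORK SERVICE (S-1-5-20).
# Resolve a real account to its SID with:
#   ([System.Security.Principal.NTAccount]'DOMAIN\account').Translate(
#       [System.Security.Principal.SecurityIdentifier]).Value
$appPoolAccounts = @{
    'CONTOSO\svc-sp-apppool'       = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
    'NT AUTHORITY\NETWORK SERVICE' = 'S-1-5-20'
}

Find-AccountMissingRight -InfLines $sampleInf -AccountSids $appPoolAccounts
```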

Friday, March 27, 2015

Troubleshooting SharePoint "HTTP 500" Errors and IIS Failed Request Tracing

I had a client call me the other day as he was having an issue with a couple of his SharePoint 2010 sites that seemed strange, the sites just stopped working.  When anyone tried to access the sites, they would get HTTP 500 errors.  I was able to resolve this issue for the client so I thought I should share some of my troubleshooting tips.

As SharePoint admins, we get sucked into IIS and SQL Server; it's just the nature of the beast. Save yourself therapy and hours crying yourself to sleep and just accept it. Today we're going to look at a few different steps for troubleshooting issues when the SharePoint sites don't come up, specifically in IIS.

First, what is the HTTP 500?



The page could not be displayed.
The important piece of this page is the status code on the top right: "HTTP 500". You can find more on general status codes in this Microsoft KB article. It's a fairly generic error code. How do we know what's broken? There are many causes for this error, so I'll just try to give you a basic checklist of things to check that should point you in the right direction.

Troubleshooting Steps

Here are a few steps that I like to do when SharePoint appears to be down:

1. If the SharePoint sites don’t come up for you, first try another client machine to make sure it’s not just you.  These are unlikely to be client-side, but let’s rule that out anyway.  OK, so neither you nor your users can get to SharePoint, awesome.

2. The next step in my mind is to get on the SharePoint server and rule out DNS or networking issues. Pull up the SharePoint sites via their URL on the server desktop. If this works, then go to your IT admins, as it's the Domain Name System (DNS) or something with the network. I had one issue one time where IT had switched the subnets around, and only users on a remote subnet couldn't access SharePoint. It happens. If it still doesn't come up, it's definitely something server-side and it's time to dig deeper.

3. From the SharePoint server, try to pull up the Central Administration site. This should usually come up even with this error. If this doesn't come up, we would likely be facing something like a database access error. But it's good to rule out. Assuming it comes up, go check the AAM (alternate access mappings) and make sure nothing changed.

4. From here you could do a couple things.  But since one web application works and one doesn’t, there’s only a few things that allow some sites to work and others not.  Let’s go check the IIS application pools.  Open up IIS Manager, expand the server node and click Application Pools.  Make sure the application pool that hosts your non-working SharePoint site is started (note – it’s normal for the SharePoint web services root to be stopped).  Sometimes this can happen after a server reboot.  You could also do an iisreset or even a full reboot here, but it is unlikely to resolve it.

Besides being stopped, it could be started but stop continuously. Causes could be authentication related. Check the IIS event logs (Event Viewer) and the SharePoint ULS logs and see if they point you in a direction.

5. While in IIS, go to the site(s) in question and check their bindings. Is the correct hostname bound to the site? This just makes sure that IIS is listening on the right host.

6. So at this point, we've checked all the normal things and the problem seems to point to the site itself. What does this leave? Things like the web.config, applicationHost.config, etc.

7. Go to c:\inetpub\wwwroot\wss\VirtualDirectories\<sitename>. Look at the web.config file. Does it have a recent modified date? In my case, it did. OK, so we're highly suspicious of the web.config, but how do we know what's wrong in it?

Let’s go back to IIS and let’s enable Failed Request Tracing.

In IIS, click on the down site in the left pane under the Sites heading.  We have to enable Failed Request Tracing.  Do this via the right panel, under the Configure heading, click Failed Request Tracing.  Click the Enable checkbox, and notice the path of the logfile.



Now that FRT is enabled, we have to tell it what to capture.  In the middle pane, under the IIS group, click the icon called Failed Request Tracing.  On the right under Actions, click Add.

In the wizard, leave All Content selected and choose Next.

For the status code, enter 500.  Click Next.


Leave all providers checked, and click Finish.

8. Now go try to access the site, and get the 500 error.

9. That should have written what we needed to the log file.  Go to the path defined for the log earlier.  You will find two files, an XML file (the log with errors) and an XSLT that styles the XML for easy viewing.  Open the XML in a browser to see the error.

10. Review the error for details:


This will show you a specific error, and notice that the line number with the issue is listed as well.  Great!  Now we have something to work with.

11. In my case, a Session state entry in the web.config was duplicated. This is normal, but there was a remove statement that prevented one of them from being loaded, which was commented out, in turn causing the duplicates to both load:

<!-- <remove name="Session" /> -->

I removed the commented-out lines (highlighted) and saved my web.config. Success - the site came up! Confetti fell from the rooftops, Champagne flowed from the heavens, and there were many celebratory handshakes.
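A quick way to spot this condition without reading the whole file is to look for `<remove>` elements that exist only inside XML comments. This is an added example, not part of the original post: the web.config fragment is constructed to mirror the case above and the function name is hypothetical.

```powershell
# Added example. The fragment below is constructed; load a real file with
#   [xml](Get-Content -LiteralPath 'C:\inetpub\wwwroot\wss\VirtualDirectories\<sitename>\web.config' -Raw)
[xml]$sample = @'
<configuration>
  <system.webServer>
    <modules>
      <!-- <remove name="Session" /> -->
      <add name="Session" type="System.Web.SessionState.SessionStateModule" />
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      <!-- reviewed 2015-03 -->
    </modules>
  </system.webServer>
</configuration>
'@

function Find-CommentedRemove {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($comment in $Config.SelectNodes('//comment()')) {
        # Only comments that contain a <remove name="..."> element are of interest.
        if ($comment.Value -notmatch '<remove\s+name\s*=\s*"([^"]+)"') { continue }
        $name    = $Matches[1]
        $section = $comment.ParentNode
        [pscustomobject]@{
            Section    = $section.LocalName
            Name       = $name
            # <add> entries with the same name in the same collection
            AddCount   = $section.SelectNodes("add[@name='$name']").Count
            # True when an active (uncommented) <remove> for that name also exists
            LiveRemove = $section.SelectNodes("remove[@name='$name']").Count -gt 0
        }
    }
}

# Entries that are added while their <remove> is only present as a comment:
Find-CommentedRemove -Config $sample |
    Where-Object { $_.AddCount -gt 0 -and -not $_.LiveRemove } |
    Format-Table -AutoSize
```

For the constructed fragment this reports the Session entry in the modules section and ignores FormsAuthentication, whose `<remove>` is active.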

So do you want to leave tracing enabled?  I don’t see the harm.  It is capped per the initial configuration, so it won’t fill up the C drive.  If you’re getting that many HTTP 500 errors, you likely have other issues.

I hope this gives you a few more tools in your bag of troubleshooting tricks when SharePoint won’t come up!

Wednesday, March 11, 2015

How to Set Up Site Bindings in Internet Information Services (IIS)

When IIS is first installed, a default website is already configured.  You can right-click on this site and choose Site Bindings to see the site bindings for the default website. If you haven’t made any changes to your default website, it should look similar to the image below.


There are three values that can be used in a site binding:  IP Address, Port and Host Name.  In the default website you see that the only values specified are the Port and IP Address.  The default site is bound to port 80 on any IP address that does not have another binding.  This gives you a “fallback” website for all requests that come to your server on port 80 and do not match any other site bindings.
IMPORTANT:  When setting up site bindings on your Dedicated or Cloud server, all site bindings must be unique.  The combination of IP address, port and host name must be different from all other site bindings on your server.
Below are some common situations and how you might set up your site bindings.

Example 1:  Web server with multiple IP addresses

In this situation we are going to assign a separate IP address for each website.
Company          Assigned IP Address    Port
--------------------------------------------
Acme Products    192.168.1.200          80
Foobar Inc.      192.168.1.201          80
First we will set up the binding for the Acme Products website as shown below.


Any web request coming to 192.168.1.200 on port 80 will be served by this website. It does not matter what host header is used. It could be acmeproducts.com or www.acmeproducts.com or any other host that is configured in DNS to go to this IP address.
Similarly, we would assign the site bindings for Foobar Inc so that requests going to 192.168.1.201 on port 80 will go to their site.


Example 2:  Web server with one IP address using host name bindings

This situation is common at low cost web hosting companies or in a situation where you run a server from your house or small business and only have one IP address to allocate to your web server. Since we do not have enough IP addresses to assign one to each site, we will use host headers to differentiate which website will serve requests. In this case, the only IP address on the server is 192.168.1.200.
Acme Products would like their site to respond to requests for acmeproducts.com and www.acmeproducts.com. Since we have multiple sites on the server using the same IP address and port combination, we must use the host name to differentiate this site from the others. We will set up two site bindings, one for each host name that we want this site to respond to.

Foobar Inc would like their site to respond to foobarinc.com, www.foobarinc.com and blogs.foobarinc.com.  We will add three bindings to this site.

As you can see, both sites are using the same IP address and port.  The host name is the one thing that differentiates the two sites.  If we tried to add a binding for foobarinc.com to the Acme site, we will get a warning telling us that the same binding already exists.

If we allowed IIS to add this binding, we would have an issue the next time IIS started.  It would start the first website with this binding but the second site would not be started.

Example 3: Web server with one IP address using port number bindings

In this example we are going to use different port numbers to identify the site that should respond to a request. Both sites will use the IP address 192.168.1.200. Acme Products will be configured to use port 80 as shown below.

Foobar Inc will be configured to use port 8080.

There is one downside to configuring your sites this way.  Web browsers use port 80 by default.  In the case of our two websites, the Acme site will work fine but the Foobar website will not come up in a browser with a standard URL.  In order to get to the Foobar website, you will have to enter the URL like this:  http://www.foobarinc.com:8080.  The colon and port number must be added at the end of the URL for non-standard ports.
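The binding rules above, and the 404 in the first post on this page (browsing by IP address reaches a different site than browsing by host name), can be checked offline against a list of bindings. This is an added example, not code from the original posts: the site names and bindings are constructed from the scenarios on this page, the function names are hypothetical, and the matcher only lists which bindings accept a request without modelling which one IIS picks when several match.

```powershell
# Added example. Bindings use IIS's "IP:port:host name" form; data is constructed.
$siteBindings = [ordered]@{
    'Default Web Site' = @('*:80:')
    'SharePoint - 80'  = @('*:80:www.yoursite.com')
    'Acme Products'    = @('192.168.1.200:80:acmeproducts.com',
                           '192.168.1.200:80:www.acmeproducts.com',
                           '192.168.1.200:80:foobarinc.com')      # deliberate clash
    'Foobar Inc.'      = @('192.168.1.200:80:foobarinc.com',
                           '192.168.1.200:80:www.foobarinc.com',
                           '192.168.1.200:80:blogs.foobarinc.com')
}

function ConvertTo-Binding {
    param([string]$Site, [string]$Info)
    # Greedy IP group keeps a bracketed IPv6 literal intact.
    if ($Info -notmatch '^(?<ip>.*):(?<port>\d+):(?<host>[^:]*)$') {
        throw "Unrecognised binding '$Info'"
    }
    [pscustomobject]@{ Site = $Site; IP = $Matches['ip']
                       Port = [int]$Matches['port']; HostName = $Matches['host'] }
}

# The IP address, port and host name combination must be unique across sites.
function Get-DuplicateBinding {
    param([object[]]$Bindings)
    $Bindings |
        Group-Object -Property { ('{0}:{1}:{2}' -f $_.IP, $_.Port, $_.HostName).ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Binding = $_.Name; Sites = ($_.Group.Site -join ', ') } }
}

# Every binding that would accept a request arriving on $Ip`:$Port with this Host header.
function Find-BindingMatch {
    param([object[]]$Bindings, [string]$Ip, [int]$Port, [string]$HostHeader)
    $Bindings | Where-Object {
        $_.Port -eq $Port -and
        ($_.IP -eq '*' -or $_.IP -eq $Ip) -and
        ($_.HostName -eq '' -or $_.HostName -ieq $HostHeader)
    }
}

$bindings = foreach ($site in $siteBindings.Keys) {
    foreach ($info in $siteBindings[$site]) { ConvertTo-Binding -Site $site -Info $info }
}

# Live data instead of the sample (WebAdministration module, http/https bindings only):
#   Get-Website | ForEach-Object { $n = $_.Name; $_.bindings.Collection |
#       Where-Object { $_.protocol -like 'http*' } |
#       ForEach-Object { ConvertTo-Binding -Site $n -Info $_.bindingInformation } }

Get-DuplicateBinding $bindings | Format-Table -AutoSize

# Browsing to http://10.38.0.15/ sends "Host: 10.38.0.15": only the blank-host
# fallback binding accepts it, so the SharePoint site is never reached.
Find-BindingMatch $bindings -Ip '10.38.0.15' -Port 80 -HostHeader '10.38.0.15' | Format-Table

# The same server addressed by name also matches the SharePoint binding.
Find-BindingMatch $bindings -Ip '10.38.0.15' -Port 80 -HostHeader 'www.yoursite.com' | Format-Table
```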