Diagnose Failures with Remote Management

 

Diagnose Failures with Remote Management

Good place to start if you want to learn about how to configure remote administration for IIS Manager: http://learn.iis.net/page.aspx/158

This is a long overdue blog entry. It's an attempt to help you all diagnose any issues you might come across while using Remote Manager. My assumption is that you know how to get started and have run into issues while using the Remote Manager. This is based on frequently asked questions on iis.net forums. This troubleshooting applies to all remote management (i.e. downlevel --> 2K8 and 2k8-->2k8).

1)      Cannot connect to the remote server?

  • Make sure the client and the server are using the same build. For example, Server Beta 3 Remote Manager client will not work with a RC1 server build and so on...
  • Refer to the blog about Remote Management Behavior Matrix located at: http://blogs.iis.net/nitashav/archive/2007/04/23/remote-management-behavior-matrix.aspx ; there might be problems because of acls.
  • Look at the Event Viewer (eventvwr.msc) log: *wmsvc has a good supportability story; events are logged with detailed error message and stack trace. Most of the time, looking at the Event Viewer will tell you what the problem might be.

2)      Cannot connect to the remote server after updating *wmsvc bindings?

If this happens after you updated the port on which wmsvc is configured to run, check if the firewall is turned on for the server. If it is, add a new exception rule for the port on which wmsvc is running (default value: 8172). Now try connecting to the server again.

If this does not solve the problem, run the following commands from cmdline

  • netsh http show sslcert

Ensure that the port 8172 (the one on which wmsvc is running) has ssl certificate bindings. Also make sure the cert hash matches the one to which wmsvc is bound to (in the Management Service UI)

Sample output:

c:\>netsh http show sslcert

 

SSL Certificate bindings:

-------------------------

IP:port                 : 0.0.0.0:8172

Certificate Hash        : f06ae62a5275a818338f05ecc80707335be1e204

Application ID          : {00000000-0000-0000-0000-000000000000}

Certificate Store Name: MY

Verify Client Certificate Revocation    : Enabled

Verify Revocation Using Cached Client Certificate Only: Disabled

Usage Check    : Enabled

Revocation Freshness Time: 0

URL Retrieval Timeout   : 0

Ctl Identifier          : (null)

Ctl Store Name          : (null)

DS Mapper Usage    : Disabled

Negotiate Client Certificate    : Disabled

 

  • netsh http show urlacl

Ensure that the url https://*:8172/ (port on which wmsvc is configured to run on) shows up in the list of reserved urls

Sample output:

c:\>netsh http show urlacl

 

URL Reservations:

-----------------

Reserved URL            : https://*:8172/

User: NT SERVICE\WMSvc

Listen: Yes

Delegate: No

SDDL: D:(A;;GX;;;S-1-5-80-257763619-1023834443-750927789-3464696139-1457670516)

If you see that bindings are not correctly configured (using netsh commands in the previous paragraph), the problem might be that the machine key does not have permissions for the administrator trying to tweak wmsvc bindings. In that case, try the following --

  • Take ownership for the machine key

takeown /F %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\bedbf0b4da5f8061b6444baedf4c00b1* /R

  • Acl the machine key such that administrators group has read permissions

icacls %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\bedbf0b4da5f8061b6444baedf4c00b1* /grant Administrators:(R)

  • Reserve the port 8172 for wmsvc

netsh http add urlacl url="https://*:8172/" User="NT SERVICE\wmsvc"

  • Associate the cert with the port

netsh http add sslcert ipport=0.0.0.0:8172 certhash=<certHash> appid={d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}

 

3)      Do not want to see the prompt on client every time you connect to the remote server?

Make sure your server uses a trusted root certificate for wmsvc. Basically create a trusted root certificate (if you don't already have it) and on the Management Service feature page assign this certificate to be used by the service. This will ensure the client does not get a prompt asking if they trust the server (since the certificate isn't trusted).

4) If all else fails:

Post your issue on iis.net forums (http://forums.iis.net/) with repro steps and details. It would be great if you could send the eventvwr.msc log along with exception and call stack (see below for details on how to get the exception and call stack)

  • Attach windbg to wmsvc.exe

windbg -pn wmsvc.exe

  • Load the sos.dll and set a break point if a managed exception happens

.loadby sos mscorwks

sxe clr

  • Then hit go

g

  • When it breaks, print the exception and the call stack and send it to us @ iis.net/forums.

!pe

!clrstack

 

*WMSVC is the service for Remote administration on the server side and can be configured in the UI in the Management Service Page. You can get some more information about this at http://learn.iis.net/page.aspx/158/remote-administration-for-iis-manager/

 

3 Comments

  • helpful, thanks!

  • I accidentally deleted the WMsvc SSL Certificate on IIS 7. Now I cannot connect to my RemoteApps via Termincal Services Web Access. Please assist me in re-creating the default SSL Certificate.

    Thanks,'

    Gian

  • There are a couple of ways to fix this issue:

    1) Auto (re-)Generate the built in WMSVC SSL certificate:
    On the server machine, open Server Manager. Remove IIS Management Console and Management Service components.
    Re-install IIS Management Console and Management Service. The WMSVC- self-signed certificate will be auto-created again and used by wmsvc. Start the wmsvc service on the server, its ready!

    2) Create a new Certificate and assign that for WMSVC:
    On the server machine, Launch inetmgr. Go to Server Certificates feature and create a new certificate (self-signed or a new Certificate request). Then go to the Management Service feature page and select the newly created SSL certificate for Management Service. Start the service, wmsvc is now ready on your server machine

Comments have been disabled for this content.