OutOfMemoryException caused by StringBuilder

If your web application is crashing with OutOfMemoryException, check Event Viewer for more details. The stack trace in the event's details shows which function threw the exception. In my case, a variable of type StringBuilder was the root cause.
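As an added example (not code from the original post), the following PowerShell pulls the Application-log events that mention the exception and prints the first stack frame of each, which is where the throwing function shows up. The provider names are the standard ones for ASP.NET 4.x and the .NET runtime; the 72-hour window and the search pattern are assumptions exposed as parameters.

```powershell
# Added example, not from the original post. Lists Application-log events that mention
# OutOfMemoryException and shows the top stack frame so the throwing function stands out.
# Assumptions: ASP.NET 4.x ("ASP.NET 4.0.30319.0" provider); window and pattern are parameters.

function Get-IisOutOfMemoryEvents {
    param(
        [int]$Hours = 72,
        [string]$Pattern = 'OutOfMemoryException'
    )

    $filter = @{
        LogName      = 'Application'
        # ASP.NET health events (e.g. 1309), .NET Runtime (1026) and Windows Error Reporting (1000)
        ProviderName = @('ASP.NET 4.0.30319.0', '.NET Runtime', 'Application Error')
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            # ASP.NET and .NET Runtime events embed the stack trace as "   at Namespace.Type.Method(...)"
            # lines; the first frame is the function that threw.
            $frames = @($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*at\s+\S+' })
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Provider    = $_.ProviderName
                EventId     = $_.Id
                TopFrame    = if ($frames.Count -gt 0) { $frames[0].Trim() } else { '(no stack trace in event message)' }
                Frames      = $frames.Count
            }
        }
}

# Usage: newest first. A top frame inside System.Text.StringBuilder means the exception surfaced
# while the builder was growing; the next frame down is the code in your application that appended.
Get-IisOutOfMemoryEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```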

Which time zone are IIS logs recorded in?

IIS logs are helpful in troubleshooting various web application issues. However, they can mislead server administrators because the timestamps are in a time zone different from the one the server uses: IIS writes log entries in UTC by default, whatever the local time zone is. Keep that in mind when you line up a log entry with a user report or an Event Viewer entry, both of which are in local time.

(Solved) 403.16 Forbidden: Client certificate is untrusted or invalid

A browser displays a 4xx error when the problem is on the client side of the request. Specifically, a 403 error translates to “Forbidden”. If you dig deeper into the failure (Failed Request Tracing logs or the IIS logs), you may see 16 as the sub-status code, which means “Client certificate is untrusted or invalid” (Reference).

You will find out about how to solve 403.16 error in this post.
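As an added example serving both the time-zone question above and this 403.16 case (not code from the original posts), the following PowerShell parses IIS W3C log lines using their "#Fields:" header, converts the UTC timestamp to the server's local time, and then filters for status 403 with sub-status 16. The log lines are constructed sample data: the hosts, paths and the win32 status value are invented for the example.

```powershell
# Added example, not from the original posts. Parses IIS W3C log lines, converts the UTC
# timestamps to local time, and pulls out the 403.16 (client certificate untrusted/invalid) hits.
# The log below is constructed sample data; the field order follows the #Fields: header.

$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-06-13 20:28:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-06-13 20:28:26 10.0.0.5 GET /secure/ - 443 - 10.0.0.9 Mozilla/5.0 403 16 2148204809 15
2019-06-13 20:28:31 10.0.0.5 GET /secure/ - 443 - 10.0.0.9 Mozilla/5.0 200 0 0 3
2019-06-13 20:29:02 10.0.0.5 GET /secure/ - 443 - 10.0.0.7 curl/7.64.1 403 16 2148204809 12
'@

function ConvertFrom-IisLog {
    param([string[]]$Lines, [TimeZoneInfo]$TargetZone = [TimeZoneInfo]::Local)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1] -split '\s+'      # the header tells us the column order
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows rather than mis-align columns

        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # IIS writes date/time in UTC regardless of the server's time zone; convert explicitly.
        $stamp = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        $utc   = [datetime]::SpecifyKind($stamp, 'Utc')
        $row['LocalTime'] = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $TargetZone)
        [pscustomobject]$row
    }
}

$entries = ConvertFrom-IisLog -Lines ($sampleLog -split "`r?`n")

# UTC and local time side by side, so you can match entries against user reports.
$entries | Select-Object date, time, LocalTime, 'c-ip', 'sc-status', 'sc-substatus' | Format-Table -AutoSize

# Only the 403.16 hits; sc-win32-status carries the underlying Windows error code
# (here the constructed value 2148204809 = 0x800B0109, CERT_E_UNTRUSTEDROOT).
$entries | Where-Object { $_.'sc-status' -eq '403' -and $_.'sc-substatus' -eq '16' } |
    Select-Object LocalTime, 'c-ip', 'cs-uri-stem', 'sc-win32-status'
```

One caveat on the time zone: the IIS logging option “Use local time for file naming and rollover” changes only the log file name and when a new file starts; the entries inside a W3C log stay in UTC, so the conversion above is still needed.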

Missing bindings in IIS (net.tcp, net.pipe, net.msmq, msmq.formatname)

IIS uses site bindings to route incoming traffic to the corresponding web applications. Site bindings depend on listener adapters. The most common binding types are http, https, and ftp.

In some cases, you may want to use less common listener adapters such as net.tcp, net.pipe, net.msmq, and msmq.formatname. If IIS is configured correctly, you should see all of these adapters in the “Add Site Binding” window.
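As an added example (not code from the original post), the PowerShell below reports, for each of the four non-HTTP adapters, whether it is registered in applicationHost.config, whether the matching WCF activation feature is installed, and whether the listener adapter service is running; a second function then adds a net.tcp binding to a site. The service names and DISM feature names are the standard ones; the site name and port 808 are assumptions.

```powershell
# Added example, not from the original post. Checks what is needed for the non-HTTP binding
# types to appear in "Add Site Binding", then enables net.tcp on a site.
# Assumptions: site name and port are parameters; run from an elevated prompt.

Import-Module WebAdministration

function Get-IisListenerAdapterStatus {
    # Standard WAS listener adapter services and DISM feature names for each protocol.
    $adapters = @(
        @{ Protocol = 'net.tcp';         Service = 'NetTcpActivator';  Feature = 'WCF-TCP-Activation45'  }
        @{ Protocol = 'net.pipe';        Service = 'NetPipeActivator'; Feature = 'WCF-Pipe-Activation45' }
        @{ Protocol = 'net.msmq';        Service = 'NetMsmqActivator'; Feature = 'WCF-MSMQ-Activation45' }
        @{ Protocol = 'msmq.formatname'; Service = 'NetMsmqActivator'; Feature = 'WCF-MSMQ-Activation45' }
    )

    # <listenerAdapters> in applicationHost.config is what populates the binding type list.
    $registered = @(Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.applicationHost/listenerAdapters/add' | ForEach-Object { $_.name })

    foreach ($a in $adapters) {
        $svc     = Get-Service -Name $a.Service -ErrorAction SilentlyContinue
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $a.Feature -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $a.Protocol
            Registered   = $registered -contains $a.Protocol
            FeatureState = if ($feature) { $feature.State } else { 'unknown' }
            Service      = $a.Service
            ServiceState = if ($svc) { $svc.Status } else { 'not installed' }
        }
    }
}

function Enable-NetTcpBinding {
    param([string]$SiteName = 'Default Web Site', [int]$Port = 808)
    $sitePath = "IIS:\Sites\$SiteName"
    $site = Get-Item $sitePath

    if (-not ($site.bindings.Collection | Where-Object { $_.protocol -eq 'net.tcp' })) {
        # bindingInformation for net.tcp is "port:hostname"; * means any host name.
        New-ItemProperty -Path $sitePath -Name bindings -Value @{ protocol = 'net.tcp'; bindingInformation = "${Port}:*" }
    }

    # The binding alone is not enough: the protocol must also be enabled on the site
    # (applications underneath inherit enabledProtocols unless they override it).
    $enabled = $site.enabledProtocols
    if ($enabled -notmatch '(^|,)net\.tcp(,|$)') {
        Set-ItemProperty -Path $sitePath -Name enabledProtocols -Value "$enabled,net.tcp"
    }
}

Get-IisListenerAdapterStatus | Format-Table -AutoSize
# Enable-NetTcpBinding -SiteName 'Default Web Site'
```

If a row shows FeatureState other than Enabled, install the feature first (for example `Install-WindowsFeature NET-WCF-TCP-Activation45` on Windows Server); if the service exists but is Stopped, start it and set it to Automatic, otherwise the adapter stays missing from the binding list even though it is registered.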

How to encrypt and decrypt connection strings

Web applications use connection strings to find out which database to talk to, with which credentials, and with which other settings. For example, a connection string can instruct your web application to use database X on the server at 192.168.1.100 with username Z and password Y.

For most applications, connection strings are stored in web.config, which means the server address, database name, username, and password sit in clear text in a file on disk. That may be acceptable on a development server, but it is a real security concern on production servers: anyone who can read the file (from a backup, a source-disclosure bug, or an over-privileged account) gets the database credentials. This is where encrypting the connection strings comes in.
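As an added example (not code from the original post), the PowerShell below wraps aspnet_regiis.exe, the built-in protected-configuration tool, to encrypt and decrypt the connectionStrings section of a web.config and checks that the section really is encrypted afterwards. The application folder is an assumption; the tool path is the standard .NET 4.x 64-bit location.

```powershell
# Added example, not from the original post. Encrypts/decrypts <connectionStrings> in web.config
# with aspnet_regiis.exe and verifies the result. Assumptions: the app folder below, .NET 4.x
# 64-bit; run from an elevated prompt on the server that will host the application.

$regiis  = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$appPath = 'C:\inetpub\wwwroot\MyApp'   # physical folder that holds web.config (assumption)

function Protect-ConnectionStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Decrypt,
        # DPAPI provider: key is bound to this machine. RSA provider: key container can be
        # exported/imported (-px/-pi), which is what you want for a web farm.
        [ValidateSet('DataProtectionConfigurationProvider', 'RsaProtectedConfigurationProvider')]
        [string]$Provider = 'DataProtectionConfigurationProvider'
    )

    # -pef / -pdf take a physical path; -pe / -pd take a virtual path of a site instead.
    $argList = if ($Decrypt) { @('-pdf', 'connectionStrings', $Path) }
               else          { @('-pef', 'connectionStrings', $Path, '-prov', $Provider) }

    & $regiis @argList
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }
}

function Test-ConnectionStringsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -Path (Join-Path $Path 'web.config') -Raw
    $section = $cfg.configuration.connectionStrings
    # An encrypted section carries configProtectionProvider="..." and an <EncryptedData> child
    # instead of <add name="..." connectionString="...password=..."/> entries.
    [bool]$section.configProtectionProvider -and ($null -ne $section.EncryptedData)
}

Protect-ConnectionStrings -Path $appPath
Test-ConnectionStringsEncrypted -Path $appPath    # True once the section is protected

# To undo (e.g. before editing the strings):
# Protect-ConnectionStrings -Path $appPath -Decrypt
```

No application code changes are needed: ConfigurationManager.ConnectionStrings decrypts the section transparently under the application pool identity. That also defines the limit of this protection: it guards the file at rest (backups, copied deployments, a file-read bug), not a compromised process that already runs as the application pool. With the DPAPI provider, encrypt on the target server, because the key never leaves that machine; for a farm, use the RSA provider and grant the pool identity access to the key container with `aspnet_regiis -pa`.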

(Solved) 550 supply message incomplete, signature was not verified

While trying to upload a file via FTPS, you may come across the “550 supply message incomplete” error. In my case, the same upload worked fine over plain FTP; over FTPS it failed on every IIS server and with every FTP client I tried.

Here is the entire error message:

550 supply message incomplete, signature was not verified

FTP log:

2019-06-13 20:28:26 134.165.112.56 SERVER\user 134.45.232.24 21 STOR test.txt 550 2148074264 0 05edb0d4-756e-4509-8d5e-4f566cae5bfb /test.txt
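As an added example (not code from the original post), the PowerShell below splits the FTP log line above using the default IIS FTP field order and decodes the sc-win32-status column. IIS logs that column as an unsigned decimal: 2148074264 is 0x80090318, which is SEC_E_INCOMPLETE_MESSAGE (“The supplied message is incomplete. The signature was not verified.”), the Schannel error the 550 reply is paraphrasing. The short symbol table is hard-coded from winerror.h; the message lookup uses the Windows message table and works only on Windows.

```powershell
# Added example, not from the original post. Decodes the sc-win32-status value from an IIS
# FTP log line. The field order is the default IIS FTP W3C layout, which matches the line in the post.

$ftpFields = 'date','time','c-ip','cs-username','s-ip','s-port','cs-method','cs-uri-stem',
             'sc-status','sc-win32-status','sc-substatus','x-session','x-fullpath'

# A few Schannel/SSPI HRESULTs from winerror.h that show up in FTPS failures.
$knownStatus = @{
    '0x80090318' = 'SEC_E_INCOMPLETE_MESSAGE'
    '0x80090308' = 'SEC_E_INVALID_TOKEN'
    '0x80090325' = 'SEC_E_UNTRUSTED_ROOT'
    '0x80090326' = 'SEC_E_ILLEGAL_MESSAGE'
}

function ConvertFrom-FtpLogLine {
    param([Parameter(Mandatory)][string]$Line)
    $values = $Line -split '\s+'
    $row = [ordered]@{}
    for ($i = 0; $i -lt [Math]::Min($values.Count, $ftpFields.Count); $i++) { $row[$ftpFields[$i]] = $values[$i] }
    [pscustomobject]$row
}

function Get-Win32StatusText {
    param([Parameter(Mandatory)][uint32]$Code)
    $hex = '0x{0:X8}' -f $Code

    # Reinterpret the unsigned value as the signed HRESULT .NET expects (a plain [int32] cast would overflow).
    $hresult = [BitConverter]::ToInt32([BitConverter]::GetBytes($Code), 0)
    $message = $null
    try {
        # Uses the system message table; .NET appends " (Exception from HRESULT: ...)", which we strip.
        $message = [Runtime.InteropServices.Marshal]::GetExceptionForHR($hresult).Message -replace '\s*\(Exception from HRESULT.*$', ''
    } catch { }

    [pscustomobject]@{
        Decimal = $Code
        Hex     = $hex
        Symbol  = if ($knownStatus.ContainsKey($hex)) { $knownStatus[$hex] } else { '(not in local table)' }
        Message = $message
    }
}

$entry = ConvertFrom-FtpLogLine '2019-06-13 20:28:26 134.165.112.56 SERVER\user 134.45.232.24 21 STOR test.txt 550 2148074264 0 05edb0d4-756e-4509-8d5e-4f566cae5bfb /test.txt'
Get-Win32StatusText -Code ([uint32]$entry.'sc-win32-status')
# Decimal: 2148074264  Hex: 0x80090318  Symbol: SEC_E_INCOMPLETE_MESSAGE
```

SEC_E_INCOMPLETE_MESSAGE means Schannel was handed a truncated TLS record, so the problem is in the TLS handling of the data connection, not in FTP authorization; that is consistent with the same upload working over plain FTP.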

How to disable HTTP TRACK and TRACE verbs in IIS?

There are several HTTP verbs (request methods) such as GET and POST. TRACK is one of these verbs; it tells IIS to echo the full request back to the client as part of the response. TRACK is a Microsoft-specific verb that behaves like the TRACE method defined in the HTTP RFCs.

Security scanners often raise a flag if the TRACK and TRACE verbs are enabled on your server, because an attacker who can make a victim's browser issue such a request gets the whole request, cookies and Authorization header included, echoed back in the response (cross-site tracing).

Here is a description from a security scan tool that marked the usage of this verb as a vulnerability:

The HTTP TRACK method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACK request and capture the client’s cookies. This effectively results in a Cross-Site Scripting attack.

Source
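As an added example (not code from the original post), the PowerShell below denies TRACE and TRACK with IIS Request Filtering, which is the standard way to disable verbs in IIS 7 and later, and then probes the server with a raw request for each verb to confirm the change. Request Filtering answers a denied verb with a 404 (sub-status 6 in the log). The host name and ports are assumptions.

```powershell
# Added example, not from the original post. Denies TRACE/TRACK via Request Filtering (server-wide
# by default; pass -PSPath "IIS:\Sites\<name>" for one site) and verifies with a raw HTTP request.
# Assumptions: host name and ports in the usage lines; PowerShell 5+ for the ::new() syntax.

Import-Module WebAdministration

function Disable-IisTraceVerbs {
    param([string]$PSPath = 'MACHINE/WEBROOT/APPHOST')
    $filter = 'system.webServer/security/requestFiltering/verbs'
    foreach ($verb in 'TRACE', 'TRACK') {
        $existing = Get-WebConfigurationProperty -PSPath $PSPath -Filter "$filter/add[@verb='$verb']" -Name allowed -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            # Produces <add verb="TRACE" allowed="false" /> under <requestFiltering><verbs>.
            Add-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name '.' -Value @{ verb = $verb; allowed = 'false' }
        } else {
            Set-WebConfigurationProperty -PSPath $PSPath -Filter "$filter/add[@verb='$verb']" -Name allowed -Value 'false'
        }
    }
}

function Test-HttpVerb {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 80,
        [string]$Verb = 'TRACE',
        [switch]$Tls
    )
    $client = [Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $stream = $client.GetStream()
        if ($Tls) {
            # Probe only: accept any server certificate so a self-signed test box can be checked.
            $ssl = [Net.Security.SslStream]::new($stream, $false, { param($s, $c, $ch, $e) $true })
            $ssl.AuthenticateAsClient($HostName)
            $stream = $ssl
        }
        # A marker cookie lets us see whether the server echoes the request back.
        $request = "$Verb / HTTP/1.1`r`nHost: $HostName`r`nCookie: probe=xst-check`r`nConnection: close`r`n`r`n"
        $bytes = [Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $response = [IO.StreamReader]::new($stream).ReadToEnd()
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Verb       = $Verb
        StatusLine = ($response -split "`r?`n")[0]            # "HTTP/1.1 404 Not Found" once denied
        Echoed     = $response -match 'Cookie: probe=xst-check'  # True means the verb is still enabled
    }
}

Disable-IisTraceVerbs
foreach ($v in 'TRACE', 'TRACK') { Test-HttpVerb -HostName 'www.example.com' -Port 80 -Verb $v }
# Test-HttpVerb -HostName 'www.example.com' -Port 443 -Verb TRACE -Tls
```

Current browsers refuse to send TRACE and TRACK from script, so the scanner's scenario needs an old client; the verbs are still worth disabling, because the echo also leaks whatever a proxy or load balancer injected into the request on the way in.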

(Solved) Authentication stops working after installing February 2019 updates

After installing the February 2019 updates on your Windows Server, authentication in your web application may stop working: users experience a delay and then an authentication error.

This is a known issue with these updates. The root cause and the solution follow.

Background

A registry value (LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) tells the web server and the domain controller which NTLM variants to send and to accept. If the web server and the DC are set to levels that are incompatible with each other, NTLM authentication fails. The updates set the preference to “Send NTLMv2 response only” (registry value 3), which causes a problem if the DC is not set up to handle it.

For example, if the DC (or the client) is at level 1 (send LM and NTLM responses, use NTLMv2 session security if negotiated) and the server is at level 5 (send NTLMv2 only, refuse LM and NTLM), the NTLM response sent by the first side is refused by the second and authentication fails. Please see this article for the descriptions of each value.
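As an added example (not code from the original post), the PowerShell below reads LmCompatibilityLevel from a machine and decides whether a given sender level and validator level can still complete NTLM authentication, using Microsoft's documented meaning of each level. The computer names in the usage lines are assumptions; remote reads go over WinRM.

```powershell
# Added example, not from the original post. Reads LmCompatibilityLevel and checks whether two
# levels are compatible. Level meanings are Microsoft's documented ones; host names are assumptions.

$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $read = {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
    $value = if ($ComputerName -eq $env:COMPUTERNAME) { & $read } else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }
    # No value means the OS default, which is 3 on Windows 7 / Server 2008 R2 and later.
    if ($null -eq $value) { 3 } else { [int]$value }
}

function Test-NtlmCompatibility {
    param([int]$SenderLevel, [int]$ValidatorLevel)
    # What the sending side puts in the NTLM response: 0-1 = LM and NTLM, 2 = NTLM, 3-5 = NTLMv2.
    $sends   = switch ($SenderLevel)    { { $_ -le 1 } { 'LM', 'NTLM' }        2 { 'NTLM' }           default { 'NTLMv2' } }
    # What the validating side accepts: 0-3 = everything, 4 = refuses LM, 5 = refuses LM and NTLM.
    $accepts = switch ($ValidatorLevel) { { $_ -le 3 } { 'LM', 'NTLM', 'NTLMv2' } 4 { 'NTLM', 'NTLMv2' } default { 'NTLMv2' } }
    $common  = @($sends | Where-Object { $accepts -contains $_ })

    [pscustomobject]@{
        Sender    = "$SenderLevel ($($LmLevels[$SenderLevel]))"
        Validator = "$ValidatorLevel ($($LmLevels[$ValidatorLevel]))"
        Works     = $common.Count -gt 0
        Reason    = if ($common.Count -gt 0) { "both sides support $($common -join '/')" }
                    else { "sender offers $($sends -join '/'), validator accepts only $($accepts -join '/')" }
    }
}

# The pairing from the post: level 1 against level 5 fails; level 3 against level 5 works.
Test-NtlmCompatibility -SenderLevel 1 -ValidatorLevel 5
Test-NtlmCompatibility -SenderLevel 3 -ValidatorLevel 5

# Check the real machines: the web server as sender, the DC as validator.
# Test-NtlmCompatibility -SenderLevel (Get-LmCompatibilityLevel -ComputerName 'WEB01') -ValidatorLevel (Get-LmCompatibilityLevel -ComputerName 'DC01')
```

Raise the lower side to at least level 3 rather than lowering the stricter one: NTLMv2 is accepted at every level, while LM and NTLMv1 responses are what the stricter levels exist to refuse.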