Diagnosing Failures with Remote Administration

By Nitasha Verma

February 14, 2008

Introduction

This article will help you diagnose and fix issues found while using RemoteMgr. This is based on frequently asked questions on the iis.net forums.

Cannot connect to the remote server?

Make sure the client and the server are using the same build. For example, a Server Beta 3 RemoteMgr will not work with an RC1 server build.

Refer to the blog post about Remote Management Behavior Matrix. There might be a problem related to the access control lists (ACLs).

Look at the Event Viewer (eventvwr.msc) log. WMSVC has a good supportability story. Events are logged with detailed error messages and a stack trace. Looking at the Event Viewer often tells you what the problem might be.

Cannot connect to the remote server after updating wmsvc bindings?

If this happens after updating the port on which WMSVC is configured to run, check to see if the firewall is turned on for the server. If it is, add a new exception rule for the port on which WMSVC is running (default value: 8172). Then try connecting to the server again.

If this does not solve the problem, run the following commands from the command line:

netsh http show sslcert

Ensure that port 8172 (the one on which WMSVC is running) has SSL certificate bindings. Also make sure the certificate hash matches the one to which WMSVC is bound (shown in the Management Service UI).

Sample output:

c:\>netsh http show sslcert

SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:8172
Certificate Hash : f06ae62a5275a818338f05ecc80707335be1e204
Application ID : {00000000-0000-0000-0000-000000000000}
Certificate Store Name: MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only: Disabled
Usage Check : Enabled
Revocation Freshness Time: 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

netsh http show urlacl

Ensure that the URL https://*:8172/ (the port on which WMSVC is configured to run) appears in the list of reserved URLs.

Sample output:

c:\>netsh http show urlacl

URL Reservations:
-----------------
Reserved URL : https://*:8172/
User: NT SERVICE\WMSvc
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;S-1-5-80-257763619-1023834443-750927789-3464696139-1457670516)
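
Both checks above can be combined into one PowerShell script. This is an added example, not part of the original article: the function name Get-NetshField and the variables are illustrative, it assumes English-language netsh output, and it reads trimmed copies of the sample output on this page unless $UseLive is set to $true.

```powershell
# Added example: verifies the WMSVC port has an SSL binding with the expected hash and a URL reservation.
$Port         = 8172                                        # port on which WMSVC is running
$ExpectedHash = 'f06ae62a5275a818338f05ecc80707335be1e204'  # hash from the Management Service UI (here: the page's sample)
$UseLive      = $false                                      # $true = query this machine with netsh

# Sample text, trimmed from the sample outputs shown on this page.
$sampleSsl = @'
SSL Certificate bindings:
IP:port : 0.0.0.0:8172
Certificate Hash : f06ae62a5275a818338f05ecc80707335be1e204
Certificate Store Name: MY
'@ -split '\r?\n'
$sampleAcl = @'
URL Reservations:
Reserved URL : https://*:8172/
User: NT SERVICE\WMSvc
Listen: Yes
'@ -split '\r?\n'

function Get-NetshField {
    param([string[]]$Lines, [string]$RecordKey, [string]$RecordEndsWith, [string]$Field)
    $inRecord = $false
    foreach ($line in $Lines) {
        # Match "Name : value" lines; the lazy key keeps "IP:port" in one piece.
        if ($line -match '^\s*(.+?)\s*:\s+(.*?)\s*$') {
            $key, $value = $Matches[1], $Matches[2]
            if ($key -eq $RecordKey) { $inRecord = $value.EndsWith($RecordEndsWith) }
            elseif ($inRecord -and $key -eq $Field) { return $value }
        }
    }
}

if ($UseLive) {
    $ssl = netsh http show sslcert
    $acl = netsh http show urlacl
} else { $ssl = $sampleSsl; $acl = $sampleAcl }

$hash = Get-NetshField $ssl 'IP:port' ":$Port" 'Certificate Hash'
$user = Get-NetshField $acl 'Reserved URL' "https://*:$Port/" 'User'

if (-not $hash) { "FAIL: no SSL certificate binding on port $Port" }
elseif ($hash -ne $ExpectedHash) { "FAIL: port $Port is bound to $hash, expected $ExpectedHash" }
else { "OK: port $Port is bound to the expected certificate" }

if (-not $user) { "FAIL: https://*:$Port/ is not in the list of reserved URLs" }
elseif ($user -ne 'NT SERVICE\WMSvc') { "WARN: https://*:$Port/ is reserved for $user" }
else { "OK: https://*:$Port/ is reserved for $user" }
```

A FAIL on either line points to the binding repair steps for the machine key, URL reservation and certificate association.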

Use the netsh commands above to determine whether the bindings are correctly configured. If they are not, the problem might be that the administrator trying to adjust the WMSVC bindings does not have permissions on the machine key. In that case, try the following:

1. Take ownership of the machine key:

takeown /F %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\bedbf0b4da5f8061b6444baedf4c00b1* /R

2. Configure the ACLs of the machine key such that the administrator group has read permissions:

icacls %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\bedbf0b4da5f8061b6444baedf4c00b1* /grant Administrators:(R)

3. Reserve the port 8172 for WMSVC:

netsh http add urlacl url=https://*:8172/ User="NT SERVICE\wmsvc"

4. Associate the cert with the port:

netsh http add sslcert ipport=0.0.0.0:8172 certhash=<certHash> appid={d7d72267-fcf9-4424-9eec-7e1d8dcec9a9}

Do not want to see the prompt on the client every time you connect to the remote server?

Make sure the server uses a trusted root certificate for WMSVC. Create a trusted root certificate (if you do not already have one) and, on the Management Service feature page, assign this certificate to be used by the service. This ensures that the client does not get a prompt asking whether they trust the server, which appears when the certificate is not trusted.

If all else fails:

Post the issue on the iis.net forums with reproduction steps and details. Please include the eventvwr.msc log along with the exception and call stack.

Here are details on how to get the exception and call stack:

  1. Attach windbg to wmsvc.exe
    windbg -pn wmsvc.exe
  2. Load the sos.dll and set a break point if a managed exception happens
    .loadby sos mscorwks
    sxe clr
  3. Then hit go
    g
  4. When it breaks, print the exception and the call stack and send it to iis.net/forums.
    !pe
    !clrstack
