Last month we move our asp.net website farm from Server 2008 R2 to Server 2012 R2 and upgraded to asp.net 4.5. We are using cookied forms authentication to prevent unauthorized access to the website.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
We have certain assets and pages (ex: sign in page) that are whitelisted in the web.config:
<location path="signin">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Over the last few months we've been noticing that IIS/Asp.net randomly stops obeying the whitelist and assume everything needs to be authenticated. All requests to the site on that server will be redirected to the signin page which then throws a 500 error. No whitelisted assets can be retrieved.
There are then 2 errors in the event viewer that we can see when IIS is messed up. The first:
Exception type: NullReferenceException
Exception message: Object reference not set to an instance of an object.
at System.Web.PipelineModuleStepContainer.GetNextEvent(RequestNotification notification, Boolean isPostEvent, Int32 eventIndex)
at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
This second one doesn't show up all the time:
Event code: 4005
Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.
The iis process will be working find for hours then all the sudden start doing this weirdness. As soon as we recycle the app pool, or even just modify the web.config the site starts working again.
Honestly we are quite stumped. This wasn't happening on our old servers, but we've made quite a few changes to our site since then but nothing related to authentication.
We are in a webfarm and we define our machine key inside of our web.config.
<machineKey validationKey="XXX" decryptionKey="XXX" validation="SHA1" decryption="AES" />
We are targeting asp.net 4.5
<httpRuntime targetFramework="4.5" executionTimeout="120" maxQueryStringLength="4096" minFreeThreads="72" minLocalRequestFreeThreads="88" maxRequestLength="32768" />
We recreated the application pool within IIS.
Yea, we are stumped. Any help is appreciated.
I had a similar experience, changing IIS to allow anonymous authentication solved it for me. In your case, I would recommend 2 things:
<location path="signin">
<system.web>
<authorization>
<allow users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
I hope this helps
I'll answer my own question with what we did to solve the issue, even though we never did find the root cause. We noticed that the server would start ignoring the whitelist rules when it got too heavy under load. Not much load, maybe 40% utilization over the course of 5 minutes. After that it would start ignoring things.
The simple solution for us was to throw more hardware at the issue. We are running 6 webservers instead of 3. We haven't seen the whitelist issue since then. So honestly... we have no idea what's up.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With