Tuesday, January 25, 2011

IIS cannot access itself

We are on a corporate network that uses ISA and I am having issues trying to not have requests go through ISA.

  1. I have IIS7 on my local Windows 7 machine that has websites and a service layer.
  2. The websites access the service layer using a xxxx.servicelayer.local address that is set up in my HOSTS file to point to 127.0.0.1.
  3. I have Windows Firewall client which I have disabled.
  4. I have tried both adding this address into IE so that it does not go through ISA and also disabled this section altogether.
  5. When the website (which is actually IIS making the request to itself) tries to access the service layer I receive an ISA error that proxy authentication has failed.

Considering that everything I can see to configure is set to not go through the proxy, ISA, I cannot see how this is actually going through the proxy and giving this error. Is there something within Windows 7 that forces the proxy setting, some sort of caching or similar?

  • Have you verified that IE on the server can load the site using the URL? What application is it that you're using (.net?)? Did you specify proxy settings in that app? Have you checked the site bindings to make sure the site is listening on 127.0.0.1 as well?

    IIS isn't going to see the settings you adjust in IE, because those settings are for your user, not the server/service.

    dave : Several other PCs on the network can connect, yes. The issue is not that the server cannot connect, the issue is that I cannot see why it would be even getting to the server if the Firewall Client is disabled (and even the service stopped) and proxy settings within IE removed. Yes, IIS is listening on "All unassigned" so that covers 127.0.0.1. That is correct about IIS, that is why I have edited the hosts file.
    Jon Angliss : I meant on the server itself, running IIS, and attempting to access the site, can you get to it using IE? I doubt the firewall has anything to do with your problem, as you said, it's off.
    dave : Yes, the server can access the site but that is not really the issue. The issue is why the PC itself is even getting to the server and then the proxy if the firewall (proxy) client is not running and the hosts file has an IP address set to 127.0.0.1? Why would the PC even be getting to ISA and its proxy?
  • If this is .Net - and you haven't specified what the platform is - then you could try adding this configuration XML block in the web.config of the web application (not the service). It needs to go directly inside the root section:

    <system.net>
      <defaultProxy enabled="false">
      </defaultProxy>
    </system.net>
    

    Equally - you might find that the config already has an entry for system.net in there somewhere which is directing the requests out to a specific proxy, in which case replace it with this.

    EDIT - In response to your comment

    Out of interest - does the service layer attempt to make a call to the outside world? I'm just wondering if you're actually getting an error on the service method that is getting bubbled through the service back to the website code - if this is a SOAP/wsHttp service then .Net could well be persisting a proxy auth error from the service layer back to the calling code.

    As a final note - I would use Fiddler to debug the web traffic on the machine - that way you can see exactly where requests are going, which processes are requesting them, and why they are failing. What this won't capture is all the traffic that is hitting 127.0.0.1, as the HTTP subsystem usually bypasses any system proxy for loopback. However - something is trying to access an address that requires a proxy, and with Fiddler running you should see what it is - and what the address is.

    A Final, final note

    Okay - so the request is going out to ISA - it's not IIS doing this, it's code, or at least configuration values that the code uses, that's doing this. If you can't track down these values and disable the firewall usage then one thing you can do is to switch the application pool's identity over to using Network Service - so long as the machine is allowed out of ISA, it will successfully authenticate through the proxy, thus solving all the problems.

    It would be helpful to know, however, how this webservice call is being made (.Net, Java etc) because there are numerous different ways they can be affected depending on this.

    dave : It is a .Net application and I can confirm that this is not happening. If I switch the service layer to use one that exists on a different machine then I am not given the authentication error which indicates that it is not going through the proxy.
    Andras Zoltan : @dave: have added a couple of things; it could be the service that's getting the proxy auth error (depending on what it's doing), and I would install Fiddler on the machine to find out which process is attempting to go out through the proxy.
    dave : Thanks Andras, it is not accessing anything external. I have tried Fiddler and the request is going to our ISA server which is what prompted my question. I just cannot see how IIS is doing this if everything is instructing it to resolve to the local machine....
    Andras Zoltan : @dave - please look at my 'final final' note - it's not IIS that's doing this. It has no infrastructure for outgoing http requests - it's the runtime that's doing it. But there is a potential way around if you can't track down what configuration/code needs to be changed - change the app pool identity to Network Service - it works on machine (tm)
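
As an added example (not code from the thread), the C# check below reports, for the account it runs under, how the service host name resolves and whether the .NET runtime's default proxy would be used for the service URL. Calling `Describe` from inside the web application shows the application pool identity's view rather than the logged-on user's. The class and method names are made up for this example, and `xxxx.servicelayer.local` is the placeholder from the question.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Principal;

// Hypothetical helper for this example; not part of the application in the thread.
public static class ProxyRouteCheck
{
    // Reports how the .NET runtime, under the current account, would route a request.
    public static string Describe(Uri target)
    {
        // The account matters: the app pool identity is not the logged-on user.
        string account = WindowsIdentity.GetCurrent().Name;

        // Name resolution: a HOSTS entry should make this 127.0.0.1.
        string addresses;
        try
        {
            addresses = string.Join(", ",
                Array.ConvertAll(Dns.GetHostAddresses(target.Host), a => a.ToString()));
        }
        catch (SocketException ex)
        {
            addresses = "unresolved (" + ex.SocketErrorCode + ")";
        }

        // Proxy decision: the default proxy the runtime resolved for this process,
        // which <system.net>/<defaultProxy> in web.config can override.
        IWebProxy proxy = WebRequest.DefaultWebProxy;
        string route = "direct";
        if (proxy != null && !proxy.IsBypassed(target))
        {
            Uri via = proxy.GetProxy(target);
            if (via != null && via != target)
                route = "via proxy " + via;
        }

        return string.Format("account={0} host={1} resolves={2} route={3}",
            account, target.Host, addresses, route);
    }

    public static void Main()
    {
        // Replace the placeholder host with the real HOSTS-file name before running.
        Console.WriteLine(Describe(new Uri("http://xxxx.servicelayer.local/")));
        Console.WriteLine(Describe(new Uri("http://127.0.0.1/")));
    }
}
```

A host that resolves to 127.0.0.1 but still reports `via proxy` means the proxy decision is made on the URL before name resolution is consulted, which is the situation the `defaultProxy` setting above addresses.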
