I downloaded the sample app and also tried creating a new one from scratch based on this article, but I can't get either to run. It always fails with the subject error on 'Microsoft.AspNetCore.Server.HttpSys.HttpSysListener[0] Start'. How do I determine what access is being denied or what configuration I need to change/add?
Hello @marqdouj ... Did you register the URL(s) described by Step 3.a. at https://docs.microsoft.com/aspnet/core/fundamentals/servers/httpsys#configure-windows-server ?
For example (for port 80) ...
netsh http add urlacl url=http://+:80/ user=Users
[EDIT] 80 or 443 ... ports above 1024 should be ok and not require you to do anything. Were you having this issue for port 80 or 443?
If I start VS as administrator then it runs, however all browsers (Edge, Chrome, etc.) report that it 'Can’t connect securely to this page'. I suspect I need to register the default asp.net certificate for https.sys? If so, then perhaps the example to add a certificate be updated to include how to add the default asp.net certificate.
We (on the docs team) probably don't have much direct experience, so we're going by what engineering provided. That sounds correct. Use the netsh command for port 443, which I think you already did ...
netsh http add urlacl url=https://+:443/ user=Users
... and then for the cert you need the SHA hash of the certificate and to assign a GUID for the app's id ...
netsh http add sslcert ipport=0.0.0.0:443 certhash=MyCertHash_Here appid="{00000000-0000-0000-0000-000000000000}"
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725882(v=ws.10)#add-sslcert
> add a certificate be updated to include how to add the default asp.net certificate.
That's an interesting idea now that there is an ASP.NET Core development certificate. Yes, I think we can provide a little bit here.
Yes, I had run the port commands - and also for 5000/5001 (just in case).
How do I know what the AppID is for the cert?
I displayed all the certifications (netsh http show sslcert) and based on the 443 certification listed I tried these:
netsh http add sslcert ipport=0.0.0.0:443 certhash=615572448d881a7af7fc7c96f5ecb8d14dee42cf appid="{214124cd-d05b-4309-9af9-9caa44b2b74a}"
netsh http add sslcert ipport=0.0.0.0:5001 certhash=615572448d881a7af7fc7c96f5ecb8d14dee42cf appid="{214124cd-d05b-4309-9af9-9caa44b2b74a}"
The 443 was already there, the 5001 was added.
Now when I run the app I get 'HTTP Error 503. The service is unavailable.'
https://localhost:5000/ = 'Can’t connect securely to this page'
https://localhost:5001/ = 'HTTP Error 503. The service is unavailable.'
I may as well spin up an Azure VM and see if I can make this work. _I'm halfway there!_ :smile:
I was finally able to get it to work.
Adding the certificate I mentioned earlier did work. It was the netsh port config that was all screwed up.
The fix was to configure the ports using '+' instead of 'localhost' :
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
    WebHost.CreateDefaultBuilder(args)
        .UseStartup<Startup>()
        .UseHttpSys(options =>
        {
            options.UrlPrefixes.Add("http://+:5000");
            options.UrlPrefixes.Add("https://+:5001");
        });
However, this may work for the dev environment; not sure what I will have to do for production. Perhaps a companion article to this one that targets deploying and setup in production should be created?
Anyway, thanks for the help!
This seems related to: https://github.com/aspnet/HttpSysServer/issues/276
> using '+' instead of 'localhost'
That's what I'm finding out right now. I just choked on an Azure VM with "localhost" there.
I think I'll just need to make some updates to the topic. Leave this issue open to track the work.
@shirhatti TL;DR I'm just about ready to put up a short list of potential improvements for the HTTP.sys deployment experience to WS, but I've hit a snag with one thing when trying to use the VM's public IP (i.e., I'm avoiding + in this process) ...
add urlacl ... ✔️
add sslcert ... ✔️
Provide IP address to app, compile, place on VM, and run ... :x:
options.UrlPrefixes.Add("https://<PUBLIC_IPv4_ADDRESS>:443");
... Seems like that format would be valid according to https://docs.microsoft.com/en-us/windows/desktop/Http/urlprefix-strings.
Result when the app is run ...
Microsoft.AspNetCore.Server.HttpSys.HttpSysException (1214): The format of the specified network name is invalid
at Microsoft.AspNetCore.Server.HttpSys.UrlGroup.RegisterPrefix(String uriPrefix, Int32 contextId)
at Microsoft.AspNetCore.Server.HttpSys.UrlPrefixCollection.RegisterAllPrefixes(UrlGroup urlGroup)
at Microsoft.AspNetCore.Server.HttpSys.HttpSysListener.Start()
Unhandled Exception: Microsoft.AspNetCore.Server.HttpSys.HttpSysException: The format of the specified network name is invalid
at Microsoft.AspNetCore.Server.HttpSys.UrlGroup.RegisterPrefix(String uriPrefix, Int32 contextId)
at Microsoft.AspNetCore.Server.HttpSys.UrlPrefixCollection.RegisterAllPrefixes(UrlGroup urlGroup)
at Microsoft.AspNetCore.Server.HttpSys.HttpSysListener.Start()
at Microsoft.AspNetCore.Server.HttpSys.MessagePump.StartAsyncTContext
at Microsoft.AspNetCore.Hosting.Internal.WebHost.StartAsync(CancellationToken cancellationToken)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String shutdownMessage)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
at HttpSysSample.Program.Main(String[] args) in c:_apps\httpsys\Program.cs:line 12
😕
@Tratcher?
@guardrex that's a new one...
The implication from the internet is that it thinks that's not your real local IP, even if it's your public one. Can you show your full urlacl and ssl cert commands? Also, IPConfig output from the VM?
http://www.therealtimeweb.com/index.cfm/2011/10/24/iis-error-0x800704BE
https://social.msdn.microsoft.com/Forums/vstudio/en-US/8e58005c-23ec-46e4-a0b3-a19699f64bea/the-format-of-the-specified-network-name-is-invalid?forum=wcf
On another note: the dev cert would take a lot of work to use with Http.Sys. The main reason is that Http.Sys runs in kernel mode and doesn't use the same cert store.
I took the dev cert and put it on the VM manually just for fun and hacks. I'm _NOT_ suggesting that the topic cover that at all. No, I'm just explaining how to do it with any valid cert in the store.
I'll get this data together for you now.
The thumbprint shown below is a fake, but the IP shown is real.
btw wrt your point about the dev cert. It's just for my hacking around. It does work tho. I exported it from my local machine and then installed it on the server. I used its thumbprint. It worked ... but it worked when the app used the wildcard binding http://+:443. Because it worked with the wildcard binding, I suspect it will still work if the IP address situation with UrlPrefixes goes well (guessing, of course).
> The main reason is that Http.Sys runs in kernel mode and doesn't use the same cert store.
I installed it in Local Machine > Personal ... is that incorrect?
netsh http add urlacl url=https://104.214.79.47:443 user=Users
URL reservation successfully added
I think the first one is leftover from prior testing with the wildcard ... I forgot to remove it.
Reserved URL : https://+:443/
User: BUILTIN\Users
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)
Reserved URL : https://104.214.79.47:443/
User: BUILTIN\Users
Listen: Yes
Delegate: No
SDDL: D:(A;;GX;;;BU)
netsh http add sslcert ipport=104.214.79.47:443 certhash=b66ee04419d4ee37464ab8785ff02449980eae10 appid="{9412ee86-c21b-4eb8-bd89-f650fbf44931}"
SSL Certificate successfully added
Not the real thumbprint.
SSL Certificate bindings:
-------------------------
IP:port : 104.214.79.47:443
Certificate Hash : REMOVED
Application ID : {9412ee86-c21b-4eb8-bd89-f650fbf44931}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
.UseHttpSys(options =>
{
    options.Authentication.Schemes = AuthenticationSchemes.None;
    options.Authentication.AllowAnonymous = true;
    options.MaxConnections = null;
    options.MaxRequestBodySize = 30000000;
    options.UrlPrefixes.Add("https://104.214.79.47:443");
});
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : oq4azbxtgoaullpbb01eqladld.jx.internal.cloudapp.net
Link-local IPv6 Address . . . . . : fe80::5481:80d7:52a8:2129%2
IPv4 Address. . . . . . . . . . . : 10.0.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
Tunnel adapter isatap.oq4azbxtgoaullpbb01eqladld.jx.internal.cloudapp.net:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : oq4azbxtgoaullpbb01eqladld.jx.internal.cloudapp.net
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:3c32:12f0:f5ff:fffb
Link-local IPv6 Address . . . . . : fe80::3c32:12f0:f5ff:fffb%5
Default Gateway . . . . . . . . . : ::
Yeah, your public IP may be 104.214.79.47, but your local IP is 10.0.0.4 and that's what you need to bind to.
Ah ... ok. Thanks.
Also, having a registration for + precludes having any other registrations on that port. See Strong Wildcard.
https://stackoverflow.com/questions/7007929/what-does-a-plus-sign-mean-in-a-http-url-http-80
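The two checks from the replies above (bind to an address the adapter actually holds, and look for a root `+` reservation on the same port) can be run over captured `netsh http show urlacl` and `ipconfig` output. This is an added example, not part of the original thread or the ASP.NET Core docs: the sample text is constructed in the shape of the output quoted here, and `audit_prefix` and the other function names are hypothetical. The path rule for the wildcard models only what this thread states about it.

```python
import re

# Constructed sample input, trimmed to the shape of the `netsh http show urlacl`
# and `ipconfig` output quoted in this thread.
URLACL = r"""
Reserved URL            : https://+:443/
    User: BUILTIN\Users
Reserved URL            : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
    User: NT SERVICE\SstpSvc
Reserved URL            : https://104.214.79.47:443/
    User: BUILTIN\Users
"""
IPCONFIG = """
   IPv4 Address. . . . . . . . . . . : 10.0.0.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

PREFIX_RE = re.compile(r"^(https?)://([^:/]+):(\d+)(/.*)?$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def split_prefix(prefix):
    """Split scheme://host:port/path into parts; host may be '+' or '*'."""
    m = PREFIX_RE.match(prefix.strip())
    if not m:
        raise ValueError(f"not a UrlPrefix string: {prefix!r}")
    scheme, host, port, path = m.groups()
    return scheme, host, int(port), path or "/"

def reserved_urls(urlacl_text):
    return re.findall(r"^\s*Reserved URL\s*:\s*(\S+)", urlacl_text, re.M)

def local_ipv4(ipconfig_text):
    return set(re.findall(r"IPv4 Address[ .]*:\s*([\d.]+)", ipconfig_text))

def audit_prefix(prefix, urlacl_text, ipconfig_text):
    """Return findings for one UrlPrefixes entry (empty list means no issue seen)."""
    _, host, port, path = split_prefix(prefix)
    findings = []
    # An IP literal must be an address the machine holds, not its NAT'd public IP.
    if IPV4_RE.match(host) and host not in local_ipv4(ipconfig_text):
        findings.append(f"{host} is not assigned to a local adapter")
    for url in reserved_urls(urlacl_text):
        _, r_host, r_port, r_path = split_prefix(url)
        # A '+' reservation only matters if its path covers the requested path.
        if host != "+" and r_host == "+" and r_port == port and path.startswith(r_path):
            findings.append(f"strong wildcard reservation {url} covers this prefix")
    return findings

if __name__ == "__main__":
    for p in ("https://104.214.79.47:443", "https://10.0.0.4:443"):
        print(p, audit_prefix(p, URLACL, IPCONFIG))
```
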
I'll remove that ... and I'm taking it OUT of the topic where it describes wiring things up server-side. IMO this setup should be dead simple and include best practices (i.e., we have this giant note about not using the wildcard ... and then go on to _use the wildcard_ in examples. 🤦♂️).
What's up with this one tho? It has the wildcard and seems like it will break things based on your comment ...
Reserved URL : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
User: NT SERVICE\SstpSvc
Listen: Yes
Delegate: Yes
User: BUILTIN\Administrators
Listen: Yes
Delegate: Yes
User: NT AUTHORITY\SYSTEM
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GA;;;BA)(A;;GA;;;SY)
Except it's also constrained to the path /sra_...
https://10.0.0.4:443/ and cert with 10.0.0.4:443
.UrlPrefixes to use https://10.0.0.4:443
... and the app says ...
Microsoft.AspNetCore.Server.HttpSys.HttpSysException (183): The prefix 'http://10.0.0.4:443/' is already registered.
Why does the error say http and not https?
Two reasons:
kk ... all good now. It's just about all written up. I'll put the final touches on it and submit the PR within a couple of hours.
Thanks for ur help. I'm surprised that we haven't heard feedback on this process before now. This was a bit painful to grok from our stuff and the netsh docs. Thanks again to @marqdouj :rocket: for opening this issue. @marqdouj, I'll ping you on the PR when it goes in. You can let me know if you think the updates would have made the process straightforward for you.
Great, thanks @guardrex, @Tratcher !
I just came across this post - you may want to have a look at it:
wrt: services.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);