[OPENAM-690] Unprotected IIS Websites Stopped Working Created: 05/Jun/11
Updated:
29/Jan/16 Resolved: 04/Aug/11
Status:
Project:
Component/s:
Affects
Version/s:
Fix Version/s:
Awaiting Verification
OpenAM
web agents
Agents-3.0.2, Express8
Type:
Reporter:
Resolution:
Labels:
Remaining
Estimate:
Time Spent:
Original
Estimate:
Environment:
Bug
fmourtada
Fixed
AMAgent, release-notes
Not Specified
Agents-3.1.0-Xpress
Priority:
Assignee:
Votes:
Major
Mareks Malnacs
2
Not Specified
Not Specified
-----------------------------------------------Web Agent Version: 3.0.2
Agent Type: IIS 7
Build Date: 20110206 [Stable Build]
20110604 [Nightly Built]
Operating System Type: Windows Server 2008 R2 64-Bit
IIS Version: 7.5
-------------------------------------------------------------------------------------------------------------OS Version: Windows Server 2008 R2 64-Bit
Container Version: Tomcat 6.0.29
JVM Version:
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) 64-Bit Server VM (build 16.0-b13, mixed mode)
OpenAM Version: Express Build 8(2009-September-1 11:08)
Load Balancer: Windows NLB
-------------------------------------------------------------
Attachments:
AgentTestSiteConfig303SB.txt
IIS Web Agent Configuration
Steps_303_SB.txt
IIS_WebAgent_Reg.jpg
amAgent.txt
regedit.png
screenshot-1.jpg
Issue Links:
Duplicate
is duplicated
by
OPENAM696
Open SSO - Policy Agent Issue on
Wind...
Closed
Description
After configuring the IIS web Policy Agent for the target website, all the rest of the other IIS
websites stopped working.
However, the protected website, which the agent has been configured for, works with no issues
(Properly redirects to the opensso).
Note:


I have tested with both stable and nightly builds, however the same behavior is
perceived.
I have configured and tested the IIS 7 web agent (Version: 3.0.1) earlier as a proof of
concept and have not faced any issues.
Could you please advise whether there are archived versions of the IIS Web Agent
(Both 32 & 64 bit)?
Event viewer is showing the following three exceptions:
(1)
Faulting application name: w3wp.exe, version: 7.5.7600.16385, time stamp: 0x4a5bd0eb
Faulting module name: amsdk.dll, version: 0.0.0.0, time stamp: 0x4d4ac10a
Exception code: 0xc0000005
Fault offset: 0x000000000001d1e5
Faulting process id: 0x1300
Faulting application start time: 0x01cc1f52366c0527
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\web_agents\iis7_agent\bin\amsdk.dll
Report Id: 7426e719-8b45-11e0-91b7-00155d016f03
(2)
The description for Event ID 0 from source Sun OpenSSO Policy Agent 3.0 for Microsoft IIS
7.0 cannot be found.
Either the component that raises this event is not installed on your local computer or the
installation is corrupted.
You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the
event.
The following information was included with the event:
Sun OpenSSO Policy Agent 3.0 for Microsoft IIS 7.0: iisaPropertiesFilePathGet() failed.
(3)
The description for Event ID 0 from source Sun OpenSSO Policy Agent 3.0 for Microsoft IIS
7.0 cannot be found.
Either the component that raises this event is not installed on your local computer or the
installation is corrupted.
You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the
event.
The following information was included with the event:
Iis7Agent.cpp(1015) Opening registry key HKEY_LOCAL_MACHINE\ failed with error code
2
Comments
Comment by prasanthmp [ 09/Jun/11 ]
Could you please update us with status of this issue. No solution has been provided yet.
Comment by Mareks Malnacs [ 09/Jun/11 ]
Error message included with the event suggests that iis7 when initialized its module (policy agent in this case) w
windows registry key to be able to start that module up. You should check whether policy agent is installed prop
unconfigure/uninstall first, remove registry entries by hand (if unconfig fails with an error) under
HKEY_LOCAL_MACHINE\\Software
Sun Microsystems
OpenSSO IIS7 Agent, restart windows server and retry agent installation.
/mareks
Comment by prasanthmp [ 12/Jun/11 ]
The issue is not solved yet. I removed the registry entries and tried re-configuring the ageent.
We are getting the following messages in the event viewer.
I even tried to configure in a new server and is facing the same issue.
------------------------ Error---------------------------Faulting application name: w3wp.exe, version: 7.5.7600.16385, time stamp: 0x4a5bd0eb
Faulting module name: amsdk.dll, version: 0.0.0.0, time stamp: 0x4df03ec6
Exception code: 0xc0000005
Fault offset: 0x000000000001d155
Faulting process id: 0x7ec
Faulting application start time: 0x01cc28d72f99110f
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\web_agents\iis7_agent\bin\amsdk.dll
Report Id: 6dcff05d-94ca-11e0-910c-00155d016f01
-------------------------- Error--------------------------------
The description for Event ID 0 from source Sun OpenSSO Policy Agent 3.0 for Microsoft IIS 7.0 cannot be foun
component that raises this event is not installed on your local computer or the installation is corrupted. You can i
component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Sun OpenSSO Policy Agent 3.0 for Microsoft IIS 7.0: iisaPropertiesFilePathGet() failed.
------------------------------------------The description for Event ID 0 from source Sun OpenSSO Policy Agent 3.0 for Microsoft IIS 7.0 cannot be foun
component that raises this event is not installed on your local computer or the installation is corrupted. You can i
component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Iis7Agent.cpp(1054) Opening registry key HKEY_LOCAL_MACHINE\ failed with error code 2
---------------------------------------------------------Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: w3wp.exe
P2: 7.5.7600.16385
P3: 4a5bd0eb
P4: amsdk.dll
P5: 0.0.0.0
P6: 4df03ec6
P7: c0000005
P8: 000000000001d155
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_w3wp.exe_8214a9998b9e086fcbe8a80515
Analysis symbol:
Rechecking for solution: 0
Report Id: 6dcff05d-94ca-11e0-910c-00155d016f01
Report Status: 0
----------------------Comment by Mareks Malnacs [ 14/Jun/11 ]
Hi,
Are You running IIS in some restricted mode (specific/restricted user) ? How did You configure agent - may I as
detail how did You do agent installation, including user and environment information ?
Error You see is a permission error - user running IIS does not have permissions to read that registry key (error c
/mareks
Comment by Mareks Malnacs [ 14/Jun/11 ]
Also - would it be possible to show (screenshot) output of Your registry entry showing "Software
Sun Microsystems
OpenSSO IIS7 Agent
Identifier_...." subtree values ?
/mareks
Comment by prasanthmp [ 15/Jun/11 ]
as requested by Mareks Malnacs
Comment by Mareks Malnacs [ 15/Jun/11 ]
registry screenshot from a properly installed II7 agent
Comment by Mareks Malnacs [ 15/Jun/11 ]
I have attached regedit.png to show how registry entry should look like when agent is properly installed. In Your
not put required entries into registry. Did Your installation procedure finished successfully ? Did You run agent
Administrator ?
Here are a few/easy steps to install/uninstall agent from IIS7 container:
1) installation (make sure IIS7 machine has either DNS configured or hosts file contains address of OpenAM ser
itself, run all cli commands as Administrator)
unzip web agent archive into some directory
create configuration with the following cli command:
cscript IIS7CreateConfig.vbs config.txt
install this configuration:
cscript IIS7Admin.vbs -config config.txt
restart IIS7
2) uninstallation
cscript IIS7Admin.vbs -unconfig config.txt
del config.txt
restart IIS7
Regards,
/mareks
Comment by Mareks Malnacs [ 15/Jun/11 ]
Also please note that IIS7CreateConfig procedure require IIS7 web site identification, which usually is a number
/mareks
Comment by fmourtada [ 15/Jun/11 ]
I did configure agent v. 3.0.3. The steps explained in your comment are exactly the same performed for my end a
agent's installation script as Administrator.
Please check attached files:


Configuration Steps: IIS Web Agent Configuration Steps_303_SB.txt
Configuration File: AgentTestSiteConfig303SB.txt
Comment by fmourtada [ 15/Jun/11 ]
The registry is not being updated though it mentions that is was updated upon configuring the agent.
Please check attached file: IIS Web Agent Configuration Steps_303_SB.txt
--------------------------------------------------C:\web_agents_303_SB\iis7_agent\bin>cscript IIS7Admin.vbs -config c:\AgentTestSiteConfig303SB
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Copyright c 2009 Sun Microsystems, Inc. All rights reserved
Use is subject to license terms
Enter the Agent Resource File Name [IIS7Resource.en] :
Creating the Agent Config Directory
Creating the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.prop
erties File
Updating the Windows Product Registry
Completed Configuring the IIS 7.0 Agent
----------------------------------------------------------Comment by Mareks Malnacs [ 15/Jun/11 ]
Are there any specific Windows Policy set which prevents vbs script to update registry key values ? What value
"Prevent access to registry editing tools" (in gpedit.msc) ?
/mareks
Comment by Mareks Malnacs [ 15/Jun/11 ]
Can You create those entries directly with regedit (use sample from my screenshot) ? Do You get any permission
/mareks
Comment by fmourtada [ 16/Jun/11 ]
I did delete the existing registry, restarted the server and reconfigured the agent. The registry entry is created suc
attached file: "IIS_WebAgent_Reg.jpg") however still I'm facing the same issues. All unprotected websites stopp
errors are being logged in the "Event Viewer". Any other speculations on what might be causing the issue?
Note: I have tested on different servers with the same environment and faced the same issues (No errors are logg
debug file). Did you test on Windows Server 2008 64bit (IIS 7.5)??
I did test both agents 3.0.2 & 3.0.3 on Windows 7 (IIS 7.5) 32bit. Both configurations where successful and web
functioning properly.
/Firas
Comment by Mareks Malnacs [ 16/Jun/11 ]
Hi,
We are testing it on IIS7.5 64bit machine too and it runs fine. Which build are You using for 3.0.3 64bit agent ?
a day or two ago - You should re-download it again (today) - there were a required dll packaging problem with t
3.0.3 IIS7 64bit agent and see if that solves Your problem.
Thanks,
/mareks
Comment by fmourtada [ 19/Jun/11 ]
Hello Mareks,
I did try the latest stable build for agent 3.0.3, built on 14 June, but with no success. I am still getting the same er
=======================================
Version: 3.0.3
827
Build Date: 20110614
Build Machine: dali.internal.forgerock.com
=======================================
May you please advise any ideas or clues that might help pinpoint the issue. I have attached the agent's debug fil
reference.
Regards,
Firas
Comment by jwagon [ 21/Jun/11 ]
I'm seeing a very similar issue, and I also tried it with an older version.
Almost exactly the same setup on this end. Verified that the registry keys were created during install.
The error I'm seeing is
"amiis7module.dll failed to load"
Any update on this issue? Is there any workaround, or other suggestions on how to figure out the cause?
Comment by Mareks Malnacs [ 21/Jun/11 ]
When You have agent installed for a particular site, what do You see in Modules (IIS7 console) section for both
and for each individual site (where You have agent installed) ?
Same can also be done by cli:
appcmd.exe list modules
and
appcmd.exe list modules /app.name:"Default Web Site"
where last one is a site name where You have policy agent installed to.
/mareks
Comment by jwagon [ 21/Jun/11 ]
It says the same thing under both:
MODULE "iis7agent" ( native, preCondition: )
Is that what you're asking for?
Comment by Neha [ 29/Jun/11 ]
Has anyone tried doing the configuration of 3.0-02 with iis7.5 with sharepoint 2007 ? I installed that agent and g
as below in eventlog
...</Computer><Security/></System><EventData><Data>Iis7Agent.cpp(798) Opening registry key
HKEY_LOCAL_MACHINE\<non-displayable-character> failed with error code 2</Data></EventData></Even
Comment by Pernam [ 18/Jul/11 ]
I have the same problem. Running on Windows 2008R2 64 bit. Using a 32 bit application pool and the 32 bit Ag
and 3.03 agents.
Comment by Pernam [ 18/Jul/11 ]
I think I found the problem on my server: When running a 32 bit application pool on a 64 bit machine the registr
configuration is not at the usual location. The search for the registry key will occur below HKLM\Software\Wow
Microsystem etc. I manually created these entries (copied them from the default location) and the error went awa
Sysinternals Process Monitor
Comment by Taruna [ 20/Jul/11 ]
Try the following workaround:
remove 'iis7agent' module from non-protected web sites. After installing Agent on web site (i.e default port 80),
on all other ports. The 'iis7agent' module is native and inherited by default for all other website. So we need to re
before browsing on different ports.
Steps to follow 1- Open IIS 7.5 manager console
2- Expand Sites
3- Click on non-protected web site in the left panel
4- Select Modules in the right panel
5- Remove 'iis7agent' module
6- Restart the web site
7- Browse the web site and make sure you can access the content with no authentication required
8- Check Event log (Application logs) and make sure no App Crash happened.
Also the protected website will work without issues.
try this out and share back if this works.
Comment by Mareks Malnacs [ 04/Aug/11 ]
Fixed in r979
Comment by Dan Cutler [ 16/May/12 ]
Mareks,
I too am seeing this issue.
Event viewer shows:
Sun OpenSSO Policy Agent 3.0 for Microsoft IIS 7.0: iisaPropertiesFilePathGet() failed.
I've studied the registry entries and mine are correct.
I also want to mention that there is a potential issue in both the IIS7CreateConfig.vbs script and the IIS7Admin.v
When running create and install scripts, I was getting errors:
ie
C:\sso\iis_v7_WINNT_x64_agent_3\web_agents\iis7_agent\bin>cscript IIS7CreateConf
ig.vbs agent_config.txt
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Copyright c 2009 Sun Microsystems, Inc. All rights reserved
Use is subject to license terms
--------------------------------------------------------Microsoft (TM) Internet Information Server (7.0)
--------------------------------------------------------Enter the Agent Resource File Name [IIS7Resource.en] :
Enter the Agent URL (Example: http://agent.example.com:80) :
https://mysite.mydomain.com:443
Displaying the list of Web Sites and its corresponding Identifiers (id)
C:\sso\iis_v7_WINNT_x64_agent_3\web_agents\iis7_agent\bin\IIS7CreateConfig.vbs(1
72, 3) WshShell.Exec: C:\Windows\system32\inetsrv\appcmd list sites is not a val
id Win32 application.
The issue has to do with the WshShell.Exec function.
For some reason, I had to add ".exe" to all the .Exec system calls:
IIS7CreateConfig.vbs:
Where this:
strCmd = "%systemroot%\system32\inetsrv\appcmd list sites"
Needs to be this:
strCmd = "%systemroot%\system32\inetsrv\appcmd.exe list sites"
Similarly in IIS7Admin.vbs:
This:
strCmd = "%systemroot%\system32\inetsrv\appcmd install module /name:" + agentName + " /image:" + module
Needs to be this:
strCmd = "%systemroot%\system32\inetsrv\appcmd.exe install module /name:" + agentName + " /image:" + mo
The same edit for the UnconfigureDLL...
Is there any workaround for the path not found error?
C:\sso\iis_v7_WINNT_x64_agent_3\web_agents\iis7_agent\bin>type ..\..\..\..\sso_3
2.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems]
[HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\OpenSSO IIS7 Agent]
[HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\OpenSSO IIS7 Agent\Identifier_1]
@="1"
"Path"="C:\\sso\\iis_v7_WINNT_x64_agent_3\\web_agents\\iis7_agent\\Identifier_1\
\config"
"Version"="3.0"
Generated at Sun Mar 06 07:21:47 GMT 2016 using JIRA 6.3.9#6339sha1:46fa26140bf81c66e10e6f784903d4bfb1a521ae.