none
Authentication/Firewall problem

    Question

  •  

    I cannot connect to my Windows Server 2008 using the Server Explorer(visual Studio 2008) either by name or ip address, the error message returned simply states ‘an error occurred while attempting to connect to server’.

     

    The Windows Server 2008 networked resource can be seen using a low level ping, the networked device can also be seen from the Network & Sharing Centre feature from windows vista  - the device is physically exists.

     

    Is the Windows Server 2008 blocking my attempts to connect to the IIS7.0 resource? I’ve installed IIS7.0 for longhorn on Windows Server 2008 and I can browse the IIS7.0 welcome page locally on the server but I cannot connect to the server remotely.

     

    Is there a procedure rule that I’ not following i.e. authentication rules and incoming/outgoing firewall rules that I need to apply. I don't believe that its I'm dealing with Visual Studio 2008 problem, I can publish web sites locally to the local host, but I can't publish the files to the remote Windows 2008 server. 

     

    Thanks,

     

    bownce

     

    Wndows Server 2008 & Visual Server 2008 evaluator

    Sunday, September 09, 2007 9:10 PM

Answers

  • Hi,

     

    Is this a full server or a server core installation? Can you remotely access the Web pages from the other box, or only locally? If only locally, it sounds like either an IIS or firewall configuration problem. Can the Computer Management and included functionality or the Event Viewer MMC snap-ins access the server? If not, it is likely a firewall problem and you need to enble one or more of the management rules.

     

    Andrew

     

    Monday, September 10, 2007 4:43 PM
  • Full version vs. Server Core

    My guess this involves a full version of Windows Server 2008, not a Server Core installation, because as far as I know you use the Server Explorer from within Visual Studio to work with database servers and web servers. I base my guess on two things:

    1. You can't install SQL Server on Windows Server 2008 Server Core (yet), because as far as the installation requirements go (at the moment) you need to install the .Net framework first. You can't install the .Net Framework on Server Core.
    2. You can't install ASP.Net components on Windows Server 2008 Server Core (yet). You can install Internet Information Services (IIS) 7 on Server Core when you're using a Post-Beta 3 build, but you can't install all the components necessary. SQL Reporting Services for instance requires ASP.Net

     

    Same issue on the Connect website

    I also saw this issue get addressed on the Visual Studio 2008 Connect Website a while ago, where someone reported the same type of error, stating it worked fine with Visual Studio 2005 before. Microsoft gave the following reactions:

     

    "If this issue is urgent, please call support directly (see http://support.microsoft.com). Thank you, Visual Studio Product Team."

     

    "We determined that this issue was previously identified and has been fixed for the final release of Visual Studio 2008. Thanks for notifying us of the problem. VS Pro Data Team"

     

     

    Investigating the issue

    When you suspect your firewall is the reason why you can't connect, the most obvious place to investigate is by looking for logged dropped packets in the firewall log. You enable the logging of these packets using the netsh set logging C:\windows\pfirewall.log enable command. After a new connection attempt you might find usefull clues in the log.

     

    When authentication seems to slow your experiments down you might find usefull clues in the Security Log of your Server box. eventvwr.msc can be used on a full version of Windows Server 2008. On a Server Core installation you can review the latest three events in your Security Log using the wevtutil.exe qe Security /rd:true /c:3 /f:text command.

     

    Andrew also has a good point to check whether you can use the Management tools from your workstation to connect to your Windows Server 2008 box. If this fails you probably need to enable the Remote Management exception in the Windows firewall. (which is turned on by default in the latest builds)

     

    Another thing to check is whether you can connect to the SQL Server installation on the Windows Server 2008 box. A lot of programmers prefer to use SQL Server Management Studio Express (SSMSE) to manage their (Microsoft SQL Based) database servers. Finding your SQL Server instance and supplying the right credentials is also the key to managing databases using this tool.

     

     

    I hope this helps...

    Monday, September 10, 2007 6:57 PM
  •  

    Thanks all for your comments,

     

    Re: Andrew’s first comment, this was a full installation of Windows Server 2008, all I’ve done so far is  implement the Web Server role.

     

    Additional software has been installed as part of the installtion process and includes ASP & .Net aspects, this is included in the WS2008 software. The only other component additionally installed was the FrontPage Server Extensions for code name Longhorn, this was obtained from the IIS7.0 support site.

     

    I’ve been following the TechNet documentation for guidelines concerning the Web Sever (IIS) installation, all the components for this role have been installed.

     

    I have followed the FrontPage procedure and extended the FrontPage extension from the default web site – note sure as why I need to do this but all appeared to go normally, no errors were reported.

     

    Testing to date,

     

    Test 1. A virtual web folder called ‘MyWebs’ was created under the default web, this site can be browsed from

    the Server machine, it can also be browsed from the networked PC, (this is where VisualStudio2008 resides).  

     

    All seems to be okay at this stage – remember, the installation so far remains at default on the Windows2008 Server I’ve not changed anything with regards to authentication or security.

     

    Re: Andrews second point the Event Viewer ‘snap-in’ appears to access the Web Server there are no errors reported.

     

    The firewall suggestion, I will need check this.

     

    I’ve enabled 2 logging mechanisms on the server, these are

     

    (i) - Log dropped packets

    (ii) - Log successful connections

     

    When I use the browser to access the IIS7.0 home page I receive successful connection entries written into the log – this confirms that I’m accessing the correct url i.e. http://192.168.0.7/MyWebs, my pc is 192.168.0.3

     

    below, extract of successful connection messages

     

    2007-09-13 17:28:38 ALLOW TCP 192.168.0.3 192.168.0.7 49401 80 0 - 0 0 0 - - - RECEIVE

    2007-09-13 17:28:38 ALLOW TCP 192.168.0.3 192.168.0.7 49402 80 0 - 0 0 0 - - - RECEIVE

     

     

    My Assumption - the 2008 Server is clearly not dropping the packets

     

     

    Test 2. – from the VisualStudio2008 pc attempt to connect to the Server and check for dropped packets as suggested by ‘SanderBerkouwer’  

     

    The log extract clearly shows that the packets are being received – not dropped,

     

    2007-09-13 17:56:05 ALLOW TCP 192.168.0.3 192.168.0.7 49426 80 0 - 0 0 0 - - - RECEIVE

    2007-09-13 17:56:05 ALLOW TCP 192.168.0.3 192.168.0.7 49427 80 0 - 0 0 0 - - - RECEIVE

     

    VisualStudio2008 does though provide a message indicating that “unable to create Web http://192.168.0.7/MyWebs/helloweb - the web server does not appear to have any authentication methods enabled. It asked for user authentication, but did not send a WWW-Authenticate header.

     

    My Assumption – the TCP packets are not being dropped but I clearly have an authentication problem , resolution address the authentication problem on the Windows 2008 Server first.

     

    Any other suggestions for now?

     

    I will let you have more detail as I progress, thanks again for your suggestions.

     

     

    Thursday, September 13, 2007 5:33 PM
  • Hi,

     

    Your analysis looks right on, the packets appear to be getting to the Server but there is a security/auth issue higher up. Have you posted this in the IIS forum or a VS forum? What authentication features did you install as part of IIS?

     

    Andrew

     

    Friday, September 14, 2007 5:26 PM
  • 17th Sept 2007

     

    continuing, from the “Windows Firewall with Advanced security” help, it appears that for successful communications to take place both computers must share the same common “IPSec” security rule.

     

    The help file continues “the two peers must have at least one common authentication method or communications will fail. Creating multiple authentication methods will increase the chance that a common method between the two computers can be found”.

     

    This sounds a bit hit& miss, anyway.

     

    Additionally, connection security rules determine how authentication takes place for allowed connections; they do not allow a connection. If you configure the connection security rule to require authentication, the rule will deny the connection if authentication fails. To allow a connection, you must create an inbound or outbound firewall rule.

     

    How do I know that authentication was successful between the Server and the Client? Is there a log file that I can enable or will it appear in the same firewall log.

     

    Regarding the IIS authentication features I enabled the Anonymous, Basic & Windows and I have also enabled the directory browsing feature.  

     

    Test 3 – For my next test I’ve setup a basic authentication security rule that is common to both computes ‘as suggested’, the aim of this test is to see if I can negotiate this authentication problem as seen in ‘Test 2’.

     

    Repeating test 2 again but this using a common authentication method, again when I attempted to create the new http web site a new different warning message appeared, this read,

     

    “could not find a web server at 192.168.0.7 on port 80. Please check to make sure that the web server name is valid and your proxy settings are set correctly. If you are sure that everything is correct, the web server may be temporarily out of service.”

     

    If you look at the log extract you will notice that the packets have been dropped, I’m of the opinion that the packets have been dropped because I don’t have the inbound/outbound firewall rule’s setup as previously mentioned above.

     

    2007-09-17 23:47:09 DROP TCP 192.168.0.3 192.168.0.7 49498 80 48 S 840359438 0 8192 - - - RECEIVE

    2007-09-17 23:47:15 DROP TCP 192.168.0.3 192.168.0.7 49498 80 48 S 840359438 0 8192 - - - RECEIVE

     

    My assumption, being that a new error message has appeared at the VS2008 computer at this moment I’m going to assume that the authentication process has worked even though the packets are being dropped. My suggestion for the dropped packets is due to the fact that I haven’t configured the inbound/outbound firewall rules.

     

    Does anyone have any examples of typical authentication profiles?

     

     

    Thursday, September 20, 2007 5:28 PM

All replies

  • Hi,

     

    Is this a full server or a server core installation? Can you remotely access the Web pages from the other box, or only locally? If only locally, it sounds like either an IIS or firewall configuration problem. Can the Computer Management and included functionality or the Event Viewer MMC snap-ins access the server? If not, it is likely a firewall problem and you need to enble one or more of the management rules.

     

    Andrew

     

    Monday, September 10, 2007 4:43 PM
  • Full version vs. Server Core

    My guess this involves a full version of Windows Server 2008, not a Server Core installation, because as far as I know you use the Server Explorer from within Visual Studio to work with database servers and web servers. I base my guess on two things:

    1. You can't install SQL Server on Windows Server 2008 Server Core (yet), because as far as the installation requirements go (at the moment) you need to install the .Net framework first. You can't install the .Net Framework on Server Core.
    2. You can't install ASP.Net components on Windows Server 2008 Server Core (yet). You can install Internet Information Services (IIS) 7 on Server Core when you're using a Post-Beta 3 build, but you can't install all the components necessary. SQL Reporting Services for instance requires ASP.Net

     

    Same issue on the Connect website

    I also saw this issue get addressed on the Visual Studio 2008 Connect Website a while ago, where someone reported the same type of error, stating it worked fine with Visual Studio 2005 before. Microsoft gave the following reactions:

     

    "If this issue is urgent, please call support directly (see http://support.microsoft.com). Thank you, Visual Studio Product Team."

     

    "We determined that this issue was previously identified and has been fixed for the final release of Visual Studio 2008. Thanks for notifying us of the problem. VS Pro Data Team"

     

     

    Investigating the issue

    When you suspect your firewall is the reason why you can't connect, the most obvious place to investigate is by looking for logged dropped packets in the firewall log. You enable the logging of these packets using the netsh set logging C:\windows\pfirewall.log enable command. After a new connection attempt you might find usefull clues in the log.

     

    When authentication seems to slow your experiments down you might find usefull clues in the Security Log of your Server box. eventvwr.msc can be used on a full version of Windows Server 2008. On a Server Core installation you can review the latest three events in your Security Log using the wevtutil.exe qe Security /rd:true /c:3 /f:text command.

     

    Andrew also has a good point to check whether you can use the Management tools from your workstation to connect to your Windows Server 2008 box. If this fails you probably need to enable the Remote Management exception in the Windows firewall. (which is turned on by default in the latest builds)

     

    Another thing to check is whether you can connect to the SQL Server installation on the Windows Server 2008 box. A lot of programmers prefer to use SQL Server Management Studio Express (SSMSE) to manage their (Microsoft SQL Based) database servers. Finding your SQL Server instance and supplying the right credentials is also the key to managing databases using this tool.

     

     

    I hope this helps...

    Monday, September 10, 2007 6:57 PM
  •  

    Thanks all for your comments,

     

    Re: Andrew’s first comment, this was a full installation of Windows Server 2008, all I’ve done so far is  implement the Web Server role.

     

    Additional software has been installed as part of the installtion process and includes ASP & .Net aspects, this is included in the WS2008 software. The only other component additionally installed was the FrontPage Server Extensions for code name Longhorn, this was obtained from the IIS7.0 support site.

     

    I’ve been following the TechNet documentation for guidelines concerning the Web Sever (IIS) installation, all the components for this role have been installed.

     

    I have followed the FrontPage procedure and extended the FrontPage extension from the default web site – note sure as why I need to do this but all appeared to go normally, no errors were reported.

     

    Testing to date,

     

    Test 1. A virtual web folder called ‘MyWebs’ was created under the default web, this site can be browsed from

    the Server machine, it can also be browsed from the networked PC, (this is where VisualStudio2008 resides).  

     

    All seems to be okay at this stage – remember, the installation so far remains at default on the Windows2008 Server I’ve not changed anything with regards to authentication or security.

     

    Re: Andrews second point the Event Viewer ‘snap-in’ appears to access the Web Server there are no errors reported.

     

    The firewall suggestion, I will need check this.

     

    I’ve enabled 2 logging mechanisms on the server, these are

     

    (i) - Log dropped packets

    (ii) - Log successful connections

     

    When I use the browser to access the IIS7.0 home page I receive successful connection entries written into the log – this confirms that I’m accessing the correct url i.e. http://192.168.0.7/MyWebs, my pc is 192.168.0.3

     

    below, extract of successful connection messages

     

    2007-09-13 17:28:38 ALLOW TCP 192.168.0.3 192.168.0.7 49401 80 0 - 0 0 0 - - - RECEIVE

    2007-09-13 17:28:38 ALLOW TCP 192.168.0.3 192.168.0.7 49402 80 0 - 0 0 0 - - - RECEIVE

     

     

    My Assumption - the 2008 Server is clearly not dropping the packets

     

     

    Test 2. – from the VisualStudio2008 pc attempt to connect to the Server and check for dropped packets as suggested by ‘SanderBerkouwer’  

     

    The log extract clearly shows that the packets are being received – not dropped,

     

    2007-09-13 17:56:05 ALLOW TCP 192.168.0.3 192.168.0.7 49426 80 0 - 0 0 0 - - - RECEIVE

    2007-09-13 17:56:05 ALLOW TCP 192.168.0.3 192.168.0.7 49427 80 0 - 0 0 0 - - - RECEIVE

     

    VisualStudio2008 does though provide a message indicating that “unable to create Web http://192.168.0.7/MyWebs/helloweb - the web server does not appear to have any authentication methods enabled. It asked for user authentication, but did not send a WWW-Authenticate header.

     

    My Assumption – the TCP packets are not being dropped but I clearly have an authentication problem , resolution address the authentication problem on the Windows 2008 Server first.

     

    Any other suggestions for now?

     

    I will let you have more detail as I progress, thanks again for your suggestions.

     

     

    Thursday, September 13, 2007 5:33 PM
  • Hi,

     

    Your analysis looks right on, the packets appear to be getting to the Server but there is a security/auth issue higher up. Have you posted this in the IIS forum or a VS forum? What authentication features did you install as part of IIS?

     

    Andrew

     

    Friday, September 14, 2007 5:26 PM
  • 17th Sept 2007

     

    continuing, from the “Windows Firewall with Advanced security” help, it appears that for successful communications to take place both computers must share the same common “IPSec” security rule.

     

    The help file continues “the two peers must have at least one common authentication method or communications will fail. Creating multiple authentication methods will increase the chance that a common method between the two computers can be found”.

     

    This sounds a bit hit& miss, anyway.

     

    Additionally, connection security rules determine how authentication takes place for allowed connections; they do not allow a connection. If you configure the connection security rule to require authentication, the rule will deny the connection if authentication fails. To allow a connection, you must create an inbound or outbound firewall rule.

     

    How do I know that authentication was successful between the Server and the Client? Is there a log file that I can enable or will it appear in the same firewall log.

     

    Regarding the IIS authentication features I enabled the Anonymous, Basic & Windows and I have also enabled the directory browsing feature.  

     

    Test 3 – For my next test I’ve setup a basic authentication security rule that is common to both computes ‘as suggested’, the aim of this test is to see if I can negotiate this authentication problem as seen in ‘Test 2’.

     

    Repeating test 2 again but this using a common authentication method, again when I attempted to create the new http web site a new different warning message appeared, this read,

     

    “could not find a web server at 192.168.0.7 on port 80. Please check to make sure that the web server name is valid and your proxy settings are set correctly. If you are sure that everything is correct, the web server may be temporarily out of service.”

     

    If you look at the log extract you will notice that the packets have been dropped, I’m of the opinion that the packets have been dropped because I don’t have the inbound/outbound firewall rule’s setup as previously mentioned above.

     

    2007-09-17 23:47:09 DROP TCP 192.168.0.3 192.168.0.7 49498 80 48 S 840359438 0 8192 - - - RECEIVE

    2007-09-17 23:47:15 DROP TCP 192.168.0.3 192.168.0.7 49498 80 48 S 840359438 0 8192 - - - RECEIVE

     

    My assumption, being that a new error message has appeared at the VS2008 computer at this moment I’m going to assume that the authentication process has worked even though the packets are being dropped. My suggestion for the dropped packets is due to the fact that I haven’t configured the inbound/outbound firewall rules.

     

    Does anyone have any examples of typical authentication profiles?

     

     

    Thursday, September 20, 2007 5:28 PM