PerkinElmer Informatics Support Forum
Topic Title: All IIS Services become unavailable after applying Microsoft update KB973917
Topic Summary: The request failed with HTTP Status 503:Service Unavailable
Created On: 1/22/2010 1:08 PM
This question was answered by CS Gleb on Friday, January 22, 2010 1:09 PM.

 1/22/2010 1:08 PM


CS Gleb

Posts: 185
Joined: 2/24/2009

We applied some Microsoft critical updates, and when our E-Notebook users try to connect to the ELN, they receive an error message:

"Sorry , an error occurred while opening a client connection: while setting up connection to central database: The request failed with HTTP Status
503:Service Unavailable".



Contents of the event log:

"Event Type: Error
Event Source: W3SVC-WP
Event Category: None
Event ID: 2269
Date: 18/01/2010
Time: 10:14:40
User: N/A
Computer: UK1ELNWEB1
Description:
The worker process failed to initialize the http.sys communication or the w3svc communication layer and therefore could not be started. The data field contains the error number.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 00 07 80"



Affected systems:


WebServer - Windows Server 2003 SP2 (where SP2 was installed after SP1), IIS 6.0, ELN or COUE installed.
The issue arises only when the core IIS DLL versions (before applying KB973917) are older than those provided with SP2.


Explanation:

Users can't log in to the ELN because ENService in IIS becomes unavailable. The issue affects IIS as a whole, which is why all services (ELN and COUE related) are not working properly.

Consider the following scenario. You have an Internet Information Services (IIS) 6.0 web server running on Windows Server 2003 Service Pack 2. The Microsoft update KB973917 gets installed on the server. After installing KB973917, the IIS 6.0 application pools cannot start up successfully. See also http://support.microsoft.com/kb/2009746.


-------------------------

-PerkinElmer Technical Support



Edited: 1/28/2010 at 12:50 PM by CS Gleb
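
The Event ID 2269 record above says its data field contains the error number. The following is an added example, not part of the original post, that decodes that field as a little-endian HRESULT using the standard HRESULT bit layout; the function names and the short Win32 name table are assumptions made for illustration.

```python
import re
import struct

# Constructed sample: the "Data:" line of the Event ID 2269 record quoted in the post.
SAMPLE_EVENT_DATA = "0000: 57 00 07 80"

# Small subset of Win32 error codes (illustrative, extend as needed).
WIN32_NAMES = {
    0x02: "ERROR_FILE_NOT_FOUND",
    0x05: "ERROR_ACCESS_DENIED",
    0x57: "ERROR_INVALID_PARAMETER",
    0x7E: "ERROR_MOD_NOT_FOUND",
}
FACILITY_WIN32 = 7

# "OFFSET: xx xx xx ..." with single spaces between bytes; a trailing
# ASCII column (separated by extra spaces) is ignored.
DUMP_LINE = re.compile(r"\s*[0-9A-Fa-f]{4}:\s*((?:[0-9A-Fa-f]{2}(?: |$))+)")


def parse_event_data(dump):
    """Turn Event Viewer hex-dump lines into raw bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1))
    return bytes(raw)


def decode_hresult(raw):
    """Decode the first DWORD (little-endian) as an HRESULT."""
    if len(raw) < 4:
        raise ValueError("event data is shorter than one DWORD")
    (value,) = struct.unpack_from("<I", raw)
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    return {
        "hresult": f"0x{value:08X}",
        "failure": bool(value >> 31),  # severity bit
        "facility": facility,
        "code": code,
        "win32_name": WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None,
    }


if __name__ == "__main__":
    print(decode_hresult(parse_event_data(SAMPLE_EVENT_DATA)))
```
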
 1/22/2010 1:09 PM


CS Gleb

Posts: 185
Joined: 2/24/2009

Answer:
To resolve this problem, reinstall Service Pack 2 for Windows Server 2003 on the web server. This will bring all IIS 6.0 components up to the correct file versions, and will maintain the installation of the KB973917 update. Reinstalling the KB973917 update should not be necessary.


References:

http://support.microsoft.com/kb/2009746,
http://support.microsoft.com/kb/973917 (the list of core IIS binaries).


-------------------------

-PerkinElmer Technical Support



Edited: 1/23/2010 at 11:00 AM by CS Gleb
 9/8/2010 2:52 AM


chrisadam

Posts: 2
Joined: 9/8/2010

This article describes a nonsecurity update that implements Extended Protection for Authentication in Internet Information Services (IIS).

When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server to which the client tries to connect and to the outer Transport Layer Security (TLS) channel over which Integrated Windows Authentication happens.

Note On March 9, 2010, this update was rereleased to address an installation issue and a functional issue:
This update will now correctly detect when a computer that is running Windows Server 2003 Service Pack 2 (SP2) is in an installation where IIS 6 contains some Windows Server 2003 Service Pack 1 (SP1) binaries, and will refuse to install and exit with an error code. The versions of update 973917 that were released before this date will successfully install, but they could cause IIS to not restart after installation.
On a computer that is running Windows Server 2003, this rerelease addresses an issue that could cause excessive amounts of memory to be allocated upon enabling Extended Protection for Authentication.
On a computer that is running Windows Server 2008, this rerelease addresses an issue that could cause Extended Protection not to function correctly when IIS is configured to use kernel-mode Windows Authentication.
MORE INFORMATION
Configuration
Extended protection enhances the existing Windows Authentication functionality to mitigate authentication relay or "man in the middle" attacks. This mitigation is accomplished by using security information that is implemented through two security mechanisms:
Channel binding information that is specified through a Channel Binding Token (CBT). This is used primarily for SSL connections.
Service binding information that is specified through a service principal name (SPN). This is used primarily for connections that do not use SSL or when a connection is established. For example, this might be in a scenario in which SSL is offloaded to another device, such as a proxy server or load-balancer.
In IIS 7.0, Extended Protection is configured through the <extendedProtection> element. Detailed configuration information can be found under the header "Configuration on IIS 7.0 and IIS 7.5". For IIS 6.0, the same configuration parameters are used, but the parameters are deployed by using registry keys. (Review the section "Configuration on IIS 6.0.")

The <extendedProtection> element may contain a collection of <spn> elements, each of which contains a unique SPN for the service binding information. Each SPN represents a unique endpoint in the connection path. It may be a Fully Qualified Domain Name (FQDN) or NetBIOS name of the destination server or a proxy server. For example, if a client is connecting to a destination server through a proxy server, the SPN collection on the destination server would have to contain the SPN for the proxy server. Each SPN in the collection must be prefixed with "HTTP". Therefore, the SPN for "www.contoso.com" would be "HTTP/www.contoso.com".
Extended Protection Scenarios
Consider the following sample scenarios.

Scenario: Client connects directly to destination server that uses HTTP.
Flags: Proxy, ProxyCohosting
Description: SPN checking will be used, and channel binding token checking will not be used.

Scenario: Client connects directly to destination server that uses SSL.
Flags: None
Description: Channel binding token checking is used, and SPN checking is not used.

Scenario: Client connects to destination server through a proxy server that uses HTTP for the path.
Flags: Proxy, ProxyCohosting
Description: SPN checking will be used, and channel binding token checking will not be used.

Scenario: Client connects to destination server through a proxy server that uses SSL for the path.
Flags: Proxy
Description: SPN checking will be used, and channel binding token checking will not be used.

Scenario: Client connects to proxy server that uses SSL, and proxy server connects to the destination server that uses HTTP (SSL off-loading).
Flags: Proxy
Description: SPN checking will be used, and channel binding token checking will not be used.

In these scenarios, you could also specify the AllowDotlessSpn flag if your networking environment supports NetBIOS-based SPNs. However, NetBIOS-based SPNs are not secure.
For the scenarios in which SPN checking will be used, and channel binding token checking will not be used, you should not specify the NoServiceNameCheck flag.
Default installation of IIS 6.0, IIS 7.0, or IIS 7.5 does not enable or install Windows authentication. Extended Protection is applicable only when Windows authentication is enabled for your Web site or application.
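
The configuration rules quoted above (HTTP-prefixed unique SPNs, no NoServiceNameCheck where SPN checking is relied on, NetBIOS-based SPNs being insecure) can be checked mechanically. The following is an added example, not part of the original post or of Microsoft's article: a small linter for an IIS 7 `<extendedProtection>` element. The sample configuration is constructed, the host name `webproxy` and the function name are hypothetical, and the `tokenChecking` attribute (values None, Allow, Require) comes from the IIS 7 schema rather than from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (host names are placeholders).
SAMPLE_CONFIG = """
<extendedProtection tokenChecking="Require" flags="Proxy, NoServiceNameCheck">
  <spn name="HTTP/www.contoso.com" />
  <spn name="www.contoso.com" />
  <spn name="HTTP/webproxy" />
  <spn name="HTTP/www.contoso.com" />
</extendedProtection>
"""

KNOWN_FLAGS = {"None", "Proxy", "ProxyCohosting", "NoServiceNameCheck", "AllowDotlessSpn"}


def lint_extended_protection(xml_text):
    """Return a list of findings for one <extendedProtection> element."""
    root = ET.fromstring(xml_text)
    flags = {f.strip() for f in root.get("flags", "None").split(",") if f.strip()}
    findings = [f"unknown flag: {f}" for f in sorted(flags - KNOWN_FLAGS)]

    # tokenChecking defaults to None, which leaves Extended Protection off.
    if root.get("tokenChecking", "None") == "None":
        findings.append("tokenChecking is None: Extended Protection is not enforced")
    # Every Proxy scenario in the table relies on SPN checking.
    if "Proxy" in flags and "NoServiceNameCheck" in flags:
        findings.append("NoServiceNameCheck disables the SPN check that Proxy relies on")
    if "AllowDotlessSpn" in flags:
        findings.append("AllowDotlessSpn permits NetBIOS-based SPNs, which are not secure")

    seen = set()
    for spn in root.findall("spn"):
        name = spn.get("name", "")
        if name.lower() in seen:          # each SPN in the collection must be unique
            findings.append(f"duplicate SPN: {name}")
            continue
        seen.add(name.lower())
        if not name.upper().startswith("HTTP/"):
            findings.append(f"SPN not prefixed with HTTP/: {name}")
        elif "." not in name[5:]:         # no dot after "HTTP/": NetBIOS-style name
            findings.append(f"dotless (NetBIOS-style) SPN: {name}")
    return findings


if __name__ == "__main__":
    for finding in lint_extended_protection(SAMPLE_CONFIG):
        print(finding)
```
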




