The request was aborted: Could not create SSL/TLS secure channel

Since most Servers are moving towards TLS 1.3 and removing TLS 1.0/1.1 support, it is important to make note of certain Server configurations that might be required to make your .Net Framework Application compatible with new TLS versions like TLS 1.2.

Start by upgrading the Application to the latest .Net Framework version, such as 4.8, which, as per the documentation, automatically handles compatibility with newer TLS versions once the older TLS versions are disabled on the Server.

I have managed to resolve the issues on my server by updating the SSL Cipher Suite Order. I had mistakenly removed some of the suites that Windows suggested were for TLS 1.0 and 1.1 only, when in actual fact they were needed for some TLS 1.2 connections as well.

I resolved my issues by:

  1. Open Run Prompt and run gpedit.msc
  2. Navigate to “Administrative Templates > Network > SSL Configuration Settings”
  3. Open SSL Cipher Suite Order
  4. Select Enabled
  5. Paste the list of suites below into the text box (make sure there are no spaces)
  6. Click Apply
  7. Restart the server

SSL SUITES:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Note that these suites work for me, but you may require other ones for different applications. You should be able to find a full list and more info on the suites here: https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel?redirectedfrom=MSDN

You can also use a tool like IISCrypto to update the Cipher Suite order.
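The mistake described above is easy to repeat, because the suite name itself tells you which protocol versions it can serve. The following is an added example, not part of the original post: it validates a pasted suite-order string (rejecting the whitespace the post warns about, plus empty, duplicate and malformed entries) and splits the post’s own list into suites that exist only in TLS 1.2 and suites that are shared with TLS 1.0/1.1, so you can see that dropping the second group narrows TLS 1.2 as well.

```python
import re

# Constructed for this example: the suite order string from the post above,
# exactly as it would be pasted into the "SSL Cipher Suite Order" policy.
SUITE_ORDER = (
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
)

# Schannel name layout: TLS_<key exchange>_WITH_<cipher>_<MAC hash>, plus the
# optional _P256/_P384/_P521 curve suffix that older Windows versions append.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+(?:_[A-Z]+)?)_WITH_(?P<cipher>[A-Z0-9_]+?)"
    r"_(?P<hash>SHA384|SHA256|SHA|MD5)(?P<curve>_P(?:256|384|521))?$"
)

def parse_suite_order(value):
    """Split the policy value into suite names, rejecting whitespace (the post's
    'no spaces' caveat), empty entries, duplicates and malformed names."""
    if any(ch.isspace() for ch in value):
        raise ValueError("cipher suite order must not contain whitespace")
    suites = value.split(",")
    seen = set()
    for name in suites:
        if not name or not SUITE_RE.match(name):
            raise ValueError(f"malformed cipher suite name: {name!r}")
        if name in seen:
            raise ValueError(f"duplicate cipher suite: {name}")
        seen.add(name)
    return suites

def minimum_tls_version(name):
    """GCM (AEAD) suites and SHA-256/SHA-384 MACs only exist from TLS 1.2 onward;
    the CBC/SHA-1 suites are negotiable under TLS 1.0, 1.1 and 1.2 alike."""
    m = SUITE_RE.match(name)
    if m["cipher"].endswith("_GCM") or m["hash"] in ("SHA256", "SHA384"):
        return "1.2"
    return "1.0"

def classify(value):
    """Group the order into TLS 1.2-only suites and suites shared with TLS 1.0/1.1."""
    groups = {"tls12_only": [], "tls10_to_12": []}
    for name in parse_suite_order(value):
        key = "tls12_only" if minimum_tls_version(name) == "1.2" else "tls10_to_12"
        groups[key].append(name)
    return groups
```

Disabling TLS 1.0/1.1 is done through the Schannel protocol settings, not by deleting the shared suites from this list.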

Cannot access files with Umlauts in virtual directory IIS

If a file in the virtual directory has a filename containing non-English characters such as umlauts (e.g. ö), the path becomes inaccessible when you try to browse to it, while files whose names contain only English characters remain accessible.

You can try the following IIS settings. The first one is

Request Filtering:

  1. Open IIS Manager and double-click the ‘Request Filtering’ icon
  2. In the ‘File Name Extensions’ tab, right-click and choose ‘Edit Feature Settings…’ (the setting is stored in ‘web.config’)
  3. Check the option ‘Allow double escaping’ (this option is unchecked by default)
  4. Repeat the above 3 steps for the ‘Default Web Site’ (or whatever name you have given your site)
  5. Restart IIS.

UrlScan under ISAPI:

One of the possible causes could be that you’re using the UrlScan extension for IIS, which is visible under ISAPI Filters. It is applied to all sites by default. In our case, removing UrlScan for the affected site resolved the issue.

Redirect with URLRewrite based on QueryString

Consider a situation where you need to redirect your Application to the Error page when you receive a particular value in your query string. This can be done with a URL Rewrite inbound rule, either directly in IIS Manager or by adding the rule to your web.config.

The following configuration can be added to web.config:

<system.webServer>
	<rewrite>
		<rules>
			<rule name="BlockQS" enabled="true" stopProcessing="true">
				<match url=".*" />
				<conditions>
					<add input="{QUERY_STRING}" pattern="P=abc" />
				</conditions>
				<action type="Redirect" url="https://website.com/ErrorMessage.aspx" appendQueryString="false" />
			</rule>
		</rules>
	</rewrite>
</system.webServer>

If you check under the URL Rewrite feature for your website in IIS Manager, the rule looks like this:

URL Rewrite

Now, when you try to access https://website.com/?P=abc, it would redirect to the configured error page.
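The condition’s pattern is a regular expression that URL Rewrite searches for anywhere in {QUERY_STRING}, ignoring case by default, so "P=abc" also fires on query strings that merely contain it. The following is an added example, not the post’s code: it emulates the BlockQS rule on constructed URLs and compares the post’s pattern with an anchored alternative (an assumption about intent: that only the whole parameter P=abc should be blocked).

```python
import re
from urllib.parse import urlsplit

ERROR_PAGE = "https://website.com/ErrorMessage.aspx"
# The condition from the web.config rule above: a regex tested against {QUERY_STRING}.
LOOSE_PATTERN = "P=abc"
# Tightened alternative (assumed intent): P=abc must be a complete query parameter.
ANCHORED_PATTERN = r"(^|&)P=abc($|&)"

def condition_matches(url, pattern):
    """Emulate <add input="{QUERY_STRING}" pattern=...>: the pattern is a regular
    expression, it is searched rather than anchored, and ignoreCase defaults to true."""
    query = urlsplit(url).query
    return re.search(pattern, query, re.IGNORECASE) is not None

def apply_block_qs(url, pattern=LOOSE_PATTERN):
    """Return the redirect target the BlockQS rule would issue, or None if it does not fire.
    appendQueryString="false" means the original query string is not carried over."""
    return ERROR_PAGE if condition_matches(url, pattern) else None

def compare(urls):
    """For each URL, report (loose pattern matches, anchored pattern matches)."""
    return {
        u: (condition_matches(u, LOOSE_PATTERN), condition_matches(u, ANCHORED_PATTERN))
        for u in urls
    }

# Constructed request URLs for the comparison.
SAMPLE_URLS = [
    "https://website.com/?P=abc",       # the case the post describes
    "https://website.com/?p=ABC",       # same parameter, different case
    "https://website.com/?x=1&P=abc",   # P=abc as the second parameter
    "https://website.com/?XP=abc",      # a different parameter that merely contains P=abc
    "https://website.com/?P=abcdef",    # a longer value that starts with abc
    "https://website.com/?P=xyz",       # never blocked
]
```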

To install URL Rewrite, follow the link: https://www.iis.net/downloads/microsoft/url-rewrite

LogParser query example

I’ve found the LogParser tool to be very useful for querying log files, especially whenever I am required to analyze IIS log files. You can download LogParser from here.

In this example, I’ll be querying multiple log files for the unique users visiting the site with Windows Authentication. Click on the icon “Choose Log files/folders to query” and add all the files you want to search. Open a New Query window and, in the Query editor, enter the query below:

SELECT DISTINCT cs-username FROM '[LOGFILEPATH]'

This works much like SQL queries where IIS log headers work like columns. The above query will simply return distinct users visiting the site. Make sure the Log Type selected is W3CLOG.

Building on the above example, the following query also filters on the QueryString and returns a request count per username:

SELECT cs-username, COUNT(*) AS Requests FROM '[LOGFILEPATH]' WHERE cs-uri-query LIKE '%Excel%' GROUP BY cs-username

If you want to Output all the data to a .csv file, then you can use the below query:

SELECT DISTINCT cs-username INTO '[OUTFILEPATH]users.CSV' FROM '[LOGFILEPATH]'

You can check the default export directory where the file is created. It should be something like this “C:\Users\<username>\AppData\Roaming\ExLPT\Log Parser Studio\Output”.
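The three queries above map onto a few lines of code once the W3C file is parsed using its #Fields directive. The following is an added example, not part of the post: it reads a constructed IIS log sample, lists the distinct authenticated users, counts requests per user whose query string contains "Excel" (emulating LIKE '%Excel%' as a plain substring match, an assumption), and produces the CSV export as text.

```python
import csv
import io

# Constructed sample of an IIS W3C log (not from the post); #Fields names the columns.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2023-05-01 10:00:01 10.0.0.5 GET /Reports/Export.aspx type=Excel&id=7 443 CONTOSO\alice 10.0.0.20 200
2023-05-01 10:00:09 10.0.0.5 GET /Default.aspx - 443 CONTOSO\bob 10.0.0.21 200
2023-05-01 10:01:13 10.0.0.5 GET /Reports/Export.aspx type=Excel&id=9 443 CONTOSO\alice 10.0.0.20 200
2023-05-01 10:02:44 10.0.0.5 GET /Reports/Export.aspx type=Excel 443 CONTOSO\carol 10.0.0.22 200
2023-05-01 10:03:00 10.0.0.5 GET /Login.aspx - 443 - 10.0.0.23 401
"""

def parse_w3c(text):
    """Turn W3C log text into dicts keyed by the field names from the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header repeats when files are concatenated
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated lines rather than misalign columns
                rows.append(dict(zip(fields, values)))
    return rows

def distinct_users(rows):
    """SELECT DISTINCT cs-username: IIS writes '-' for anonymous requests, which is not a user."""
    return sorted({r["cs-username"] for r in rows if r["cs-username"] != "-"})

def users_by_query(rows, needle):
    """WHERE cs-uri-query LIKE '%needle%' GROUP BY cs-username, with a request count per user."""
    counts = {}
    for r in rows:
        if r["cs-username"] != "-" and needle in r["cs-uri-query"]:
            counts[r["cs-username"]] = counts.get(r["cs-username"], 0) + 1
    return counts

def users_csv(rows):
    """Equivalent of the INTO 'users.CSV' export, returned as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["cs-username"])
    for user in distinct_users(rows):
        writer.writerow([user])
    return buf.getvalue()
```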

Configure Reverse Proxy in IIS with URL Rewrite

A Reverse Proxy is an intermediate Server, typically exposed to the Internet, that receives incoming traffic from the Client and forwards the request to a back-end service that may sit on a private network. It returns the response to the Client and hides your Web Server from the outside world.

You need the following IIS extensions for configuring IIS Reverse Proxy:

URL Rewrite:
https://www.iis.net/downloads/microsoft/url-rewrite

Application Request Routing:
https://www.iis.net/downloads/microsoft/application-request-routing

Now add the following URL Rewrite rule:

You’ll be prompted to enable ARR’s proxy functionality. Click OK.

In the same window, you can also provide the Outbound Rules configuration that rewrites response URLs from the private URL to the public URL.

For this example, requests to http://localhost:8087 are simply forwarded to http://localhost:8084, which serves the Client.

Debug classic asp application hosted on IIS with Visual Studio

Some non-.Net Applications, such as those written in classic ASP, may need to be debugged in Visual Studio. Since these are hosted on IIS rather than IIS Express, you need to identify the worker process running on your machine or the Server and attach the Visual Studio debugger to that w3wp.exe.

Enable Debugging under IIS classic ASP section as shown below:

Under the Debug menu in Visual Studio, select “Attach to Process”:

There may be multiple worker processes running on the machine depending on how many applications are running under IIS. Match the right one with the correct ProcessID.

Add breakpoints in your ASP file and hit the required page in the browser.

Check incoming requests in IIS with Request Monitor

Enable the Request Monitor feature for the IIS Server from Server Manager, using the Role-based or feature-based installation.

Click on install on the final screen:

When the installation completes, open IIS Manager (inetmgr.exe), select Server name and open Worker processes.

Select the worker process whose incoming requests you want to monitor. Click the View Current Requests option in the right pane, as shown below:

The Request details will be visible as shown in the below screen.


Create a self signed certificate in IIS

An SSL certificate, also known as a digital certificate, helps establish a secure link between the Client browser and the Hosting Server.

Self-signed certificates are created when you need to test your website using an SSL certificate. This is usually not recommended for Production use especially if your website involves sensitive data transactions.

This example is from IIS 8.5. Open IIS Manager and select your Server name from the Left Pane. Double-click on Server Certificates as highlighted.

Select the option for Self-signed certificates on the right as shown. Provide a suitable name for your certificate in the dialog box.

The list will show the created SSL certificate, issued to the Server and valid for a year.

Add this certificate to your website by binding it to port 443.

Since the certificate is issued to the Server, you might get a certificate trust error in the browser. You can just continue to the website to test further.
To get rid of this error, you’ll need to create either a SAN certificate or a wildcard certificate as per your needs.

Set the App Pool idle time-out on the IIS Server

When it comes to managing your website traffic, one of the things to consider is the availability of your website.

IIS has an idle time-out property that is set to 20 minutes by default. This means that if no request arrives for your site for 20 minutes, IIS will shut down the worker process to free up resources: the memory used by loaded classes, session state and so on. This can be helpful when multiple websites are hosted on a Server that is short on resources.

You’ll find the below settings under the AppPool advanced settings:

So, when the next request comes to your site, e.g. for the Login page, IIS would again need to initialize the worker process and load the required resources to serve that request. The first request will be slow to respond because of all the initialization time required. You need to think about how much traffic usually comes to your site. If your website requires high availability, then you should consider setting the idle time-out to 0 in the App Pool settings. If high availability isn’t a concern, you can decide for how many minutes of inactivity you’d usually require your application to stay loaded, depending on the traffic.

There have been studies regarding the make or break for websites because of their initial load time. So, please be careful about this setting. Internet facing websites usually require high availability. For Intranet websites, you can think of some number of minutes based on the usage.

Change app pool settings in IIS Express

You may face an Asp.Net error while running your Web Application Project in Debug mode using IIS Express:

“an asp.net setting has been detected that does not apply in integrated managed pipeline mode”

This error means that the framework expects the App Pool to be running the Managed Pipeline Mode as Classic. In Classic mode, managed application events are executed by using ISAPI.

The error can also be suppressed by setting validateIntegratedModeConfiguration to false in the Web.Config file, but it is better to set the correct application pool mode.

Select your Project under the Solution and press F4 on your keyboard to access the Project Properties as shown below:

Also, you can enable/disable the Authentication for Anonymous and Windows modes.

Check this post on how to create a Virtual Directory in IIS Express.