W3SVC and asp.net

on 06.03.2007 21:58:47 by u28526

I ran into some problems between my test and production web servers.

TEST SERVER:
2003 Server 32bit
Default IIS setup
Default SQL setup
SELFSSL test cert
.net 2 running 32BIT

PRODUCTION SERVER:
2003 Server 64bit
NTFS locked down to prohibit WEBUSERS (IUSR/IWAM)
IIS:
not on system drive
site id is NOT 1
AppPools Enable32BitAppOnWin64 = 1 for UserType SERVER
IUSR and IWAM were placed in a WEBUSERS security group
SQL:
Data is not on system drive
startup as a user account
SERVER service among others disabled.
IPSEC to open only necessary ports.
VeriSign SSL cert
.net 2 running 32BIT
Administrator account renamed to ■

Everything works fine on the test server...
My problem occurs with the LOGINSTATUS asp control on the production server.
When I click >>Logout<< to log out a user, JS _dopostback is called on a page
that inadvertently attempts to read a HTTPcontext.current.profile when there
is NONE because the user just logged out!

Value cannot be null.
Parameter name: username
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information about
the error and where it originated in the code.

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: username

Source Error:


Line 293: ' 2/5/07: Get email from profile
Line 294: If profile.Email = "" Then
Line 295: MyEmail = Membership.GetUser(profile.UserName).Email
Line 296: Else
Line 297: MyEmail = profile.Email


This gets triggered on the PROD SERVER but the TEST SERVER completely omits
this and when a user logs out the login control takes him back to the login
screen and asks for USER/PW input.

What the heck is going on?

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/iis-security/2007 03/1

Re: W3SVC and asp.net

on 07.03.2007 02:24:37 by Roger Abell

"fixitchris via WinServerKB.com" wrote in message
news:6ecac72fd425c@uwe...
> I ran into some problems between my test and production web servers.
>
> TEST SERVER:
> 2003 Server 32bit
> Default IIS setup
> Default SQL setup
> SELFSSL test cert
> .net 2 running 32BIT
>
> PRODUCTION SERVER:
> 2003 Server 64bit
> NTFS locked down to prohibit WEBUSERS (IUSR/IWAM)
> IIS:
> not on system drive
> site id is NOT 1
> AppPools Enable32BitAppOnWin64 = 1 for UserType SERVER
> IUSR and IWAM were placed in a WEBUSERS security group
> SQL:
> Data is not on system drive
> startup as a user account
> SERVER service among others disabled.
> IPSEC to open only necessary ports.
> VeriSign SSL cert
> .net 2 running 32BIT
> Administrator account renamed to ?
>
> Everything works fine on the test server...
> My problem occurs with the LOGINSTATUS asp control on the production
> server.
> When I click >>Logout<< to log out a user, JS _dopostback is called on a
> page that inadvertently attempts to read a HTTPcontext.current.profile when
> there is NONE because the user just logged out!
>
> Value cannot be null.
> Parameter name: username
> Description: An unhandled exception occurred during the execution of the
> current web request. Please review the stack trace for more information
> about the error and where it originated in the code.
>
> Exception Details: System.ArgumentNullException: Value cannot be null.
> Parameter name: username
>
> Source Error:
>
>
> Line 293: ' 2/5/07: Get email from profile
> Line 294: If profile.Email = "" Then
> Line 295: MyEmail = Membership.GetUser(profile.UserName).Email
> Line 296: Else
> Line 297: MyEmail = profile.Email
>
>
> This gets triggered on the PROD SERVER but the TEST SERVER completely
> omits this and when a user logs out the login control takes him back to the
> login screen and asks for USER/PW input.
>
> What the heck is going on?
>

Why do you state that the test server "completely omits this" ?
The way I am seeing it, the code is not there in the test server, but
is in production (added 2/5/07 ?).

You do not provide enough context code guarding the path(s) into
the code you do provide, so there is no way to say why the provided
code fires on one but not the other. (or perhaps you have only tested
on the test server with profiles that do have emails stored within?)

Obviously the error happening in production is correct - if the profile
has been torn down already and the profile has no stored email.

Roger

Re: W3SVC and asp.net

on 07.03.2007 17:37:00 by u28526

Here is some relevant code....





The loginstatus control does not have LogoutAction or LogoutPageUrl specified,
which makes it refresh the current page by default.... This would explain the
previous behavior of the page attempting to obtain user membership on an
anonymous user. However, on the test server, once I click LOGOUT, it logs
out and returns to login.aspx. In the forms authentication, whatever
loginURL I specify, that is the page that is redirected to upon logout... WHY?
And also this is not true all the time on the test server. When I log out
from page1.aspx it returns me to login.aspx, however when I log out of
page2.aspx, it just refreshes the page and does not return me to login.aspx.

thanks

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forums.aspx/iis-security/2007 03/1
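
Added example, not part of any post in the thread and not the poster's code: one way to guard the profile/membership lookup from lines 293-297 so that a request made after sign-out cannot reach Membership.GetUser with a null user name. The class name ProfileEmailHelper and the function GetCurrentUserEmail are hypothetical; the profile property "Email" is assumed to be defined in web.config, as the code in the thread implies.

```vbnet
Imports System.Web
Imports System.Web.Profile
Imports System.Web.Security

' Hypothetical helper (not from the thread).
Public Class ProfileEmailHelper

    ' Returns the e-mail address of the user behind the current request,
    ' or Nothing when the request is anonymous, e.g. the page refresh that
    ' follows a LoginStatus logout when no LogoutAction is specified.
    Public Shared Function GetCurrentUserEmail() As String
        Dim ctx As HttpContext = HttpContext.Current
        If ctx Is Nothing OrElse Not ctx.Request.IsAuthenticated Then
            Return Nothing
        End If

        ' Prefer the address stored in the profile, as the thread's code does.
        ' Assumes a profile property named "Email" exists in web.config.
        Dim profile As ProfileBase = ctx.Profile
        If profile IsNot Nothing AndAlso Not profile.IsAnonymous Then
            Dim stored As String = TryCast(profile.GetPropertyValue("Email"), String)
            If Not String.IsNullOrEmpty(stored) Then Return stored
        End If

        ' Fall back to the membership record. Membership.GetUser(String)
        ' throws ArgumentNullException ("username") when passed Nothing,
        ' which is the error shown in the thread, so check the name first.
        Dim userName As String = ctx.User.Identity.Name
        If String.IsNullOrEmpty(userName) Then Return Nothing

        Dim user As MembershipUser = Membership.GetUser(userName)
        If user Is Nothing Then Return Nothing ' no such membership record
        Return user.Email
    End Function

End Class
```

A page that requires a signed-in user can call FormsAuthentication.RedirectToLoginPage() when this returns Nothing; setting LogoutAction="RedirectToLoginPage" on the LoginStatus control avoids re-running the page as an anonymous user in the first place.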