Error Readout:
HTTP Error 404 - File Not Found
HTTP Error 404- File or Directory not found

Fix:
Enable a Pre-existing Web Service Extension in IIS 6.0

To permit IIS to serve content that requires a specific ISAPI or CGI extension that is already listed in the Web service extensions list, follow these steps:

1. Open IIS Manager, expand the master server node (that is, the Servername node), and then select the Web service extensions node.
2. In the right pane of IIS Manager, right-click the extension that you want to enable. In this example, this is Active Server Pages.
3. Click to select the Allow check box.

Microsoft Link: http://support.microsoft.com/kb/315122

Explanation:
Apparently there was no easy Google search for this stupidly easy fix. (UPDATE: I'm wrong Google the title of this blog entry and a Microsoft fix is the first result) Consequently, I spent more time than I would like on trying to fix it.

Here is how it went down. I recive a HTTP Error 404 - File Not Found error on a page I was browsing to from IIS 6.0. How could this be I ask myself, the page does exists, I know because I see it in IIS 6.0, I right click the file and I select browse. WTF. Upon a little investigation I found out what was wrong and I found a Microsoft website furthers my fix. Soooo  easy! Anyways moving on, going to go drink a beer and forget this time was lost in which I will never get back.

Error Readout:
unable to read unknown load command 0x80000022

Fix:
Upgrade to xCode 3.2 with the 10.6 libraries.

Explanation:
This error doesn't do anything to your application except provide some really annoying output to your Debugger Console. File under annoying. You can get xCode 3.2 DOWNLOAD HERE for free at the apple website. It will require you to create a login.

Snow Leopard has only been out since Friday, but a few people got the OS upgrade early and blogged all the good stuff. Knowing this, I'm still going to blog about the new OS from Apple.

Error Readout:
Exception: System.Web.HttpException
Message: Authentication of viewstate failed.  1) If this is a cluster, edit configuration so all servers use the same validationKey and validation algorithm.  AutoGenerate cannot be used in a cluster.  2) Viewstate can only be posted back to the same page.  3) The viewstate for this page might be corrupted.
Source: System.Web
   at System.Web.UI.LosFormatter.Deserialize(String input)
   at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()


Fix:
I encountered the above error the other day. Since the server wasn't on a web farm I was a little confused. The fix I ended up using was updating the web.config key to

requiressl=true


Explanation:
The next thing I asked myself was how can that key affect the viewstate. With some serious investigation into viewstate and best practices I finally made the link of how our applications viewstate is tied to session state which is tied to SSL when the session cookies are encrypted manually, a step (encrypting our own session cookies manually) we did because we are still running asp.net 1.1.

In .net 1.1 there is a property called "ViewStateUserKey" located in the viewstate, this key adds user-specific information to the view state. When the request is processed, ASP.NET extracts the key from the view state and compares it against the ViewStateUserKey of the running page. If the two match, the request is considered legitimate; otherwise an exception is thrown. In our application we use the Session.SessionID to set the property. This is where my problem starts.

When a user fills out a form utilizing viewstate to create an account to login to our system the user establishes a viewstate in their asp.net page.  In order to make the view state slightly more secure we give the viewstateuserkey the same value as the session ID. The session ID is a much better fit because a session ID is unpredictable, times out, and varies on a per-user basis
[http://msdn.microsoft.com/en-us/library/ms972969.aspx]

Once the user has completely filled out the form, we authenticate them.  This is where my error occurs [See beginning of post].


The error is caused because the session id is now encrypted. It's encrypted because our security team said, all information stored in cookies is to be secured. Our team consequently set up a flag in the global.asax file that states if this flag is set to true it should grab the session id out of each cookie and encrypt it. The reason we did this by hand is because asp.net 1.1 does not offer secure cookies with one easy key change in the web.config [NOTE: In asp.net 2.0 all you have to do is have the requiressl=true and you are done].

Now understanding that our session ID is tied to our viewstateuserkey you can understand the viewstateuserkey is now invalid because the session ID is a different value, simply because it's encrypted and the server does not know to decrypt it.  [NOTE: The session ID may still be the same value, it's just encrypted.] Now asp.net states the viewstateuserkey is invalid and pumps out the error you have seen above.

To fix this I simply change requiressl=true in the web.config.  How does requrie ssl affect an encrypted session id within a cookie that I set to encrypt? Well, when requiressl is not on but you are sending the server a secure cookie value, which we did since we created our own secure cookies in asp.net 1.1  the server doesn't know to decrypt the cookie because requiressl is not turned on [apparently you have to send secure cookies over ssl in asp.net 1.1 and possibly other run times, I didn't know this] which in turn invalidates the viewstateuserkey because the viewstateuserkey uses the session ID which is encrypted in the secure cookie.

What made this confusing for me is the first part of the form worked without a hitch. It's when the user authenticates when the error arose. The reason for this being that the requiressl key is not applicable until authentication happens. If you'll notice the requiressl key is nested in the authentication element in the web.config file.  Additionally we don't encrypt the cookie until the user is authenticated.  Sooo, the first few postbacks for our page were just collecting information.  It wasn't until we authenticated the user to our system that requiressl actually cared if we had secure cookies or not.


Overview
Viewstateuserkey is set to the session ID.

Session ID is encrypted and the updated value is set to the viewstateuserkey

requressl being turned on tells the server to decrypt session id in which case allows the viewstateuserkey to remain valid with the server.

So basically IE 7 is just bad. We all knew it, but this is just one aspect that confirms it.

My boss and co-worker dealt with the error last week. IE7 on the third request to a web server would fail. No real good reason, it just would. Now being a Mac guy this just fueled my fire. I hate errors that just happen, with no real good explanation behind it and by no good explanation I mean IE7 should just work, and not be breaking on a simple web request.

To top it all off we are a website that sees millions of sessions a month. Call center = not happy. Also noting there are more people using IE7 then I would have ever expected. Really people IE7?

My co-worker James Peckham blogged the issue and resolution already so I'll just quote and post a link.  Thanks for the leg work James.

"So I saw this awesome issue where IE 7 hangs indefinitely and stops responding on the third request for a page. Yes the 3rd request.

Basically IE7 is limited to 2 active connections per server inside one browser window (including all tabs) and these connections were being wasted in unresponsive requests for favicon.ico.

 

Here's what I learned. 

At the time I did not know that IE browsers attempt to retrieve favicon.ico from ther root of your website every time they make a page request. (How to add a favicon to your website)

Also, I did not know that this generated a 404 error in the IIS log every single time they tried to retrieve it unsuccessfully.

Also, I did not know that some web application firewalls (firewalls that constantly learn and update themselves to prevent security breaches) will actually stop responding to requests that are consistently turning up 404 as a safety measure.

Columnist Ivan Ristic comments on web security "The point is that you are not looking for a single suspicious action any more - you are using counters to look for anomalies. Other examples include looking for IP addresses with too many failed requests (too many 404 responses typically point to web application scanner activity), enforcing session inactivity timeouts, session duration timeouts, and so on."

Lastly, and the final piece of the puzzle. I did not know that:

Internet Explorer 7 (IE7) has an extremely long time out for requesting favicon.ico. ("a hex with a lot of F's" said the Microsoft Support Engineer)"