• Server error “invalid AppPoolId ‘CertWebService_App’” due to bad .NET patches?

    #205834

    Interesting quandary from @jstillings1: Ok folks theory check this. Windows server 2016 essentials set up 7/21/2018 All patches are installed… yes the
    [See the full post at: Server error “invalid AppPoolId ‘CertWebService_App’” due to bad .NET patches?]

    • #205787

      Ok folks theory check this.

      Windows server 2016 essentials set up 7/21/2018

      All patches are installed… yes the July ones.

      Local machines are getting an error when trying to use the web interface to connect to the domain by using http://[server-name]/Connect

      I have a theory it is due to the certificate issues with IIS with .NET updates with the July patches…

      Here are the error codes in IIS:

      The application ‘/’ belonging to site ‘2’ has an invalid AppPoolId ‘CertWebService_App’ set.  Therefore, the application will be ignored.

      Site 2 was disabled because the root application defined for the site is invalid. See the previous event log message for information about why the root application is invalid.

      The Application Host Helper Service encountered an error trying to delete the history directory ‘C:\inetpub\history\CFGHISTORY_0000000014’.  The directory will be skipped and ignored.  Note that the directory may still get deleted in the future if the service restarts.  The data field contains the error number.

      So am I just an IT noob and didn't set up the server right or… did the .NET patches break something..

      1 user thanked author for this post.
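
The first event in the post above says an application points at an application pool that IIS has no definition for. The following is an added example, not part of the thread and not Microsoft's code, that lists every application whose `applicationPool` name is missing from the defined pools. The function name `Find-OrphanedAppPoolReference`, the sample XML, and the site name `ExampleCertSite` are constructed for illustration; only the pool name `CertWebService_App` and site id 2 come from the event text.

```powershell
# Constructed fragment shaped like applicationHost.config (not from the thread).
$SampleConfig = @'
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool" />
      </site>
      <site name="ExampleCertSite" id="2">
        <application path="/" applicationPool="CertWebService_App" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

function Find-OrphanedAppPoolReference {
    param([Parameter(Mandatory)][xml]$Config)

    $root = '/configuration/system.applicationHost'
    # Names of every pool that is actually defined.
    $defined = @($Config.SelectNodes("$root/applicationPools/add") |
        ForEach-Object { $_.GetAttribute('name') })

    foreach ($app in $Config.SelectNodes("$root/sites/site/application")) {
        $poolName = $app.GetAttribute('applicationPool')
        # No explicit attribute means the pool is inherited from
        # applicationDefaults, so there is nothing to check on this element.
        # -notcontains compares strings case-insensitively.
        if ($poolName -and ($defined -notcontains $poolName)) {
            [pscustomobject]@{
                SiteId      = $app.ParentNode.GetAttribute('id')
                Site        = $app.ParentNode.GetAttribute('name')
                AppPath     = $app.GetAttribute('path')
                MissingPool = $poolName
            }
        }
    }
}

# Sample run: reports site 2, path "/", missing pool CertWebService_App.
Find-OrphanedAppPoolReference -Config $SampleConfig | Format-Table -AutoSize

# On the server, read the live file instead (elevated prompt):
# Find-OrphanedAppPoolReference -Config (Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
```

An empty result on the live file means every explicit pool reference resolves, so the "invalid AppPoolId" event would have to come from something other than a missing pool definition.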
      • #205799

        Trying this.. Removing IIS with .NET 4.6 and going back to 3.5 and reinstalling IIS


      • #205815

        Unable to remove .NET 4.6; looks like it is part of Server 2016 core now. I was unable to go back.

        I uninstalled Windows Server 2016 Essentials Experience and reinstalled. It found this during config, which seems to be the error I was having.

      • #205822

        If you updated from June to July, it might be worth a try to roll back to the June patches. Both the CUs and .NET patches  for most of the versions of Windows have been very problematic this month. Read some of the blog topics lately and their links to the ComputerWorld articles.

        2 users thanked author for this post.
        • #205857

          This. Remove the .NET update for July. If you cannot do it through Add/Remove cpl, View Installed Updates, then check for a System Restore point.
          If neither of those pans out, reinstall the OS fresh (since it’s new and doesn’t sound like it’s a prod server).
          You may chase your tail and waste days trying to fix it, and could potentially never be able to fully fix it.

          1 user thanked author for this post.
          • #205877

            This. Remove the .NET update for July. If you cannot do it through Add/Remove cpl, View Installed Updates, then check for a System Restore point. If neither of those pans out, reinstall the OS fresh (since it’s new and doesn’t sound like it’s a prod server). You may chase your tail and waste days trying to fix it, and could potentially never be able to fully fix it.

            Will do, one quick noob question though. When we set up our Office 365 business it wanted us to add a Domain. We of course picked the same domain as our website. I just noted an error that leads me to believe you cannot set up a Windows server with the same domain name as your website?

            • #205894

              Typically any server would be domain.local, like askwoody.local whereas the web entity would of course end in .com.

              I believe you can technically set up a server (like a DC) as a domain.com, but I’ve never done it and I think (IIRC) that’s not a “recommended” way to go because supposedly it can cause problems. I think AD generally believes that its local Forest is going to be a .local domain.

              O365 usually wants a domain for web/email, in which case you probably did fine using a .com there… but if you’re doing something like AD Sync, I believe you’d use a .local to point to your local DC but then also sync to the cloud. You could always remove the domain in your O365 Admin portal, leaving the free provided .onmicrosoft.com one, and then get your local server straightened out before tackling that one. 🙂

            • #205925

              Essentials role in 2016 is a special animal that has a wizard for hooking in Office 365.  It names the server .local and then when you run the wizard it sets up the password sync up to the Office 365.

              Be aware that Microsoft has announced they are deprecating this role and it will no longer be worked on /included in Server 2019.  You can’t install Azure AD connect on an Essentials 2016 server.  Did you follow the setup wizard when you set up the Essentials role?

              Susan Bradley Patch Lady/Prudent patcher

    • #205844

      After that last removal and install I am getting a hard error for .NET

      Event code: 3005
      Event message: An unhandled exception has occurred.
      Event time: 7/25/2018 4:38:23 PM
      Event time (UTC): 7/25/2018 8:38:23 PM
      Event ID: ab801571fd2547ebb76dbe1ce0ffa8da
      Event sequence: 4
      Event occurrence: 1
      Event detail code: 0

      Application information:
      Application domain: /LM/W3SVC/1/ROOT/Connect-1-131770247007449878
      Trust level: Medium
      Application Virtual Path: /Connect
      Application Path: C:\Program Files\Windows Server\Bin\WebApps\Client\
      Machine name: TFA-PDC-SERVER

      Process information:
      Process ID: 5584
      Process name: w3wp.exe
      Account name: NT AUTHORITY\NETWORK SERVICE

      Exception information:
      Exception type: HttpException
      Exception message: Attempt by security transparent method ‘Microsoft.WindowsServerSolutions.Client.Website.Global.Application_Start(System.Object, System.EventArgs)’ to access security critical method ‘Microsoft.WindowsServerSolutions.Common.Support.ResolveAssembliesFromProductBinDir()’ failed.

      Assembly ‘ClientSetupWebsite, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself.  In order to access security critical code, this assembly must be fully trusted.
      at System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app)
      at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
      at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
      at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
      at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

      Attempt by security transparent method ‘Microsoft.WindowsServerSolutions.Client.Website.Global.Application_Start(System.Object, System.EventArgs)’ to access security critical method ‘Microsoft.WindowsServerSolutions.Common.Support.ResolveAssembliesFromProductBinDir()’ failed.

      Assembly ‘ClientSetupWebsite, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself.  In order to access security critical code, this assembly must be fully trusted.
      at Microsoft.WindowsServerSolutions.Client.Website.Global.Application_Start(Object sender, EventArgs e)

      Request information:
      Request URL: http://tfa-pdc-server/Connect
      Request path: /Connect
      User host address: fe80::9a1:4475:dab7:30d0ab801571fd2547ebb76dbe1ce0ffa8da
      User:
      Is authenticated: False
      Authentication Type:
      Thread account name: NT AUTHORITY\NETWORK SERVICE

      Thread information:
      Thread ID: 7
      Thread account name: NT AUTHORITY\NETWORK SERVICE
      Is impersonating: False
      Stack trace:    at System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app)
      at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
      at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
      at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
      at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)

      Custom event details:

    • #205845

      4.6 and 4.7 are okay with Essentials 2016, but not 4.7.1 or 4.7.2.

      https://www.mcbsys.com/blog/2018/06/essentials-2016-dashboard-fails-with-net-4-7-1/

      Not sure this is related to your issue though.

      Mark

    • #205856

      4.6 and 4.7 are okay with Essentials 2016, but not 4.7.1 or 4.7.2. https://www.mcbsys.com/blog/2018/06/essentials-2016-dashboard-fails-with-net-4-7-1/ Not sure this related to your issue though. Mark

      It shows 4.6 is installed and I do not have the KB for 4.7X installed.

    • #205893

      You can use the same domain as your website, but in the end it generally causes more problems than it’s worth.  Generally it’s best practice to use a .local instead of .com as part of your domain name.  Or was, for non-cloud networks.  If you’re planning on doing something like Single Sign-on in the future with Office 365, you may want to instead do a subdomain, e.g. office.domainname.com

      I think integration with Office365 will still work with .local domains (It’s been a while since my last transition), but a subdomain will be more future-proof.

    • #205905

      It’s possible that your issue is patch-related (uninstalling July patches should tell you) but certificate setup is a classic Essentials stumbling block. You might get more help in a forum dedicated to Essentials:

      https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserveressentials

      https://www.server-essentials.com/community/discussions

    • #205927

      Thanks all, it was partly both issues: 1) me being a noob and 2) July patches.

      I had to 1) install the Server 2016 Essentials with the default [name].onmicrosoft.com

      I also had to use advanced install so that MS update was turned off.

      Once that was done I was able to set everything up like a champ. Just connected a Windows 10 Pro to the domain and all is well… till I try to enable Access anywhere tomorrow.

      The funny thing Susan is I just graduated in May and they were teaching us Server 12 like it was new…  I had a serious crash course this past week in Server 2016 and if they are turning this off in 5 months then I guess I get to learn something new. The constant in IT is change.

      Thanks all.

    • #205982

      Will do, one quick noob question though. When we set up our Office 365 business it wanted us to add a Domain. We of course picked the same domain as our website. I just noted an error that leads me to believe you can not set up a windows server with the same domain name as your website?

      The short answer, as best practice:

      • Microsoft strongly recommends that you register a public domain and use subdomains for the internal DNS.
      • So, register a public DNS name, so you own it. Then create subdomains for internal use (like corp.example.org, dmz.example.org, extranet.example.org) and make sure you’ve got your DNS configuration set up correctly.

      Source:

      https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

    • #206207

      Naming your DC the same as your internet site is a recipe for disaster because your PCs will not know how to get to your internet site.
      Always use a separate domain, .local is good, but you can choose almost anything that doesn’t exist, and will never exist, on the internet.

      cheers, Paul
