ASP.NET - IIS7 Deployment Error 500 24 50 using WCF Web Service Binding w/ AD Groups


Solution 1

The 500.24.50 Error occurs because ASP.NET Integrated mode is unable to impersonate the request identity in the BeginRequest and AuthenticateRequest pipeline stages. 500.24 is thrown if your application is running in integrated mode, validateIntegratedModeConfiguration is not declared or set to true, and your application has identity impersonate set to true.

Workaround

A. If your application does not rely on impersonating the requesting user in the BeginRequest and AuthenticateRequest stages (the only stages where impersonation is not possible in Integrated mode), ignore this error by adding the following to your application’s web.config:

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
  </system.webServer>

B. If your application does rely on impersonation in BeginRequest and AuthenticateRequest, or you are not sure, move to Classic mode.

C. remove from web.config which won't be effective in integrated mode anyway

Read more on Breaking Changes in IIS 7 from LEARN.IIS.NET

Solution 2

UPDATE:

Did a little more digging and you actually have the service mis-configured. This MSDN article explains how to configure basicHttpBinding for Windows authentication. Basically, the basicHttpBinding element needs to look like this:

  <basicHttpBinding>
    <binding name="BasicHttpEndpointBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </basicHttpBinding>

Original answer:

Below is something to try from the information in this article. Since your service uses impersonation for authorization it looks like you'll need to use the ASP.NET classic mode pipeline configuration of the AppPool for this service. You may want to research how impersonation is supported in the new Integrated mode pipeline and see why your service is failing to comply with it since Integrated mode is preferred.

You will receive a 500 - Internal Server Error. This is HTTP Error 500.24: An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode. This occurs because ASP.NET Integrated mode is unable to impersonate the request identity in the BeginRequest and AuthenticateRequest pipeline stages.

Workaround

B. If your application does rely on impersonation in BeginRequest and AuthenticateRequest, or you are not sure, move to Classic mode.
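An added example, not part of either answer or of the asker's project: a small Python check over a web.config that reports the 500.24 condition Solution 1 describes and the basicHttpBinding security modes discussed in Solution 2 and the comments. The function name, the finding codes and the reduced sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's web.config reduced to the elements
# the two answers discuss.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
  <system.serviceModel><bindings><basicHttpBinding>
    <binding name="BasicHttpBinding_IAcompService1">
      <security mode="None"><transport clientCredentialType="None" /></security>
    </binding>
  </basicHttpBinding></bindings></system.serviceModel>
</configuration>"""


def _attr(element, name, default):
    """Attribute value lower-cased, or the default if element/attribute is absent."""
    return default if element is None else element.get(name, default).lower()


def audit_web_config(xml_text, integrated_pipeline=True):
    """Return finding codes for the 500.24 condition and WCF binding security."""
    root = ET.fromstring(xml_text)
    findings = []
    impersonating = _attr(root.find("system.web/identity"), "impersonate", "false") == "true"
    validating = _attr(root.find("system.webServer/validation"),
                       "validateIntegratedModeConfiguration", "true") != "false"
    if integrated_pipeline and impersonating:
        # Validation on: IIS answers with 500.24. Validation off: the error is
        # hidden, and impersonation is still unavailable in BeginRequest and
        # AuthenticateRequest.
        findings.append("HTTP-500.24" if validating else "VALIDATION-SUPPRESSED")
    for binding in root.findall("system.serviceModel/bindings/basicHttpBinding/binding"):
        name = binding.get("name", "(default)")
        mode = _attr(binding.find("security"), "mode", "none")  # WCF default is None
        if mode == "none":
            findings.append(f"WCF-NO-AUTH:{name}")
        elif mode == "transportcredentialonly":
            # Credentials are sent, but SOAP bodies are neither encrypted nor signed.
            findings.append(f"WCF-CLEARTEXT-SOAP:{name}")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_CONFIG):
        print(finding)
```

Pass `integrated_pipeline=False` for an application pool running in Classic mode, where the 500.24 validation does not apply.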

Author: Brian McCarthy

Updated on June 19, 2022

Comments

  • Brian McCarthy
    Brian McCarthy almost 2 years

    Background: I am getting an Internal Server 500 24 50 error after deploying an application that has compiled without errors on my local machine. The server that the application is deployed on has a ton of security and is running IIS 7.5 so I need to specify read and write access for every directory. This application uses windows authentication and a web service to populate drop down boxes via a proxy. I think there might be an issue connecting to the web service or an issue with the read/write security on the files, or an issue with the active directory authentication.

    For some reason, Internet Explorer just displayed can't load webpage Error.

    Error in Google Chrome:

     500 – Internal Server Error.
     There is a problem with the resource you are looking for, and it cannot be displayed. 
    

    Log File Details:

     #Software: Microsoft Internet Information Services 7.5
     #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
    
     2011-05-18 13:54:46 W3SVC1 FL-TPA-WEB-01 172.17.1.25 GET / - 80 - 
     172.17.1.25 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;
     +Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - -
     invitations.myagencyservices.com 500 24 50 1380 368 15
    

    MSDN Defines the error at http://support.microsoft.com/kb/943891 as:

      500.24 - An ASP.NET impersonation configuration does not apply in Managed 
               Pipeline mode.
    

    Web.Config code:

      <system.web>
        <customErrors mode="Off" ></customErrors>
        <compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
        <trace enabled="true" pageOutput="true" />

        <authentication mode="Windows"/>
        <identity impersonate="true"/>

        <authorization>
          <allow users="alg\bmccarthy, alg\phoward" />
          <allow roles="alg\ACOMP_USER_ADMIN" />
          <allow roles="alg\ACOMP_user_AMG" />
          <allow roles="alg\ACOMP_user_BIG" />
          <allow roles="alg\ACOMP_user_NIS" />
          <allow roles="alg\ACOMP_user_GLA" />
          <allow roles="alg\ACOMP_user_PIP" />
          <allow roles="alg\ACOMP_user_PSM" />
          <allow roles="alg\ACOMP_user_PAM" />
          <allow roles="alg\ACOMP_user_ANN" />
          <allow roles="alg\ACOMP_user_AAM" />
          <allow roles="alg\ACOMP_user_MWM" />
          <allow roles="alg\ACOMP_user_GIM" />
          <deny users="*" />
        </authorization>
      </system.web>

      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>

      <system.serviceModel>
        <bindings>
          <basicHttpBinding>
            <binding name="BasicHttpBinding_IAcompService1" closeTimeout="00:01:00"
              openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
              allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
              maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
              messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
              useDefaultWebProxy="true">
              <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <security mode="None">
                <transport clientCredentialType="None" proxyCredentialType="None"
                  realm="" />
                <message clientCredentialType="UserName" algorithmSuite="Default" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>

        <client>
          <endpoint address="http://63.236.108.91/aCompService.svc" binding="basicHttpBinding"
            bindingConfiguration="BasicHttpBinding_IAcompService1" contract="aComp_ServiceReference.IAcompService"
            name="BasicHttpBinding_IAcompService1" />
        </client>
      </system.serviceModel>
    

    Any suggestions will be up-voted! Thanks for looking!

  • Brian McCarthy
    Brian McCarthy almost 13 years
    @sixto saez, thanks for your response! How is this different from what I have? I have the binding name declared under <basicHttpBinding> just like you but the name of the binding is different and I am declaring a web service. Looking at the full code, do I need to use <services>, <identity>, and declare the endpoint address twice?
  • Brian McCarthy
    Brian McCarthy almost 13 years
    I see the following is different: <security mode="TransportCredentialOnly"> <transport clientCredentialType="Windows" />. Before, I had <security mode="None"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
  • Sixto Saez
    Sixto Saez almost 13 years
    You have the security element mode="None" and transport element clientCredentialType="None" in the basicHttpBinding element. They should be set with security element mode="TransportCredentialOnly" and the transport element clientCredentialType="Windows".
  • Brian McCarthy
    Brian McCarthy almost 13 years
    @Sixto Saez, why does a window pop-up for authentication? it should be automatic and not require me to type in my AD info as I'm already logged into windows. How do I prevent this?
  • Sixto Saez
    Sixto Saez almost 13 years
    Not sure how you are generating the client or how you are invoking the service. You should certainly make sure you regenerate the client after making the service config changes.
  • Brian McCarthy
    Brian McCarthy almost 13 years
    @Sixto Saez, it says basicHttpBinding binding is used in order to provide support for older clients that expect a legacy ASMX Web service. The TransportCredentialOnly security mode option passes the user credentials without encrypting or signing the messages so I'm not sure that's what I necessarily want. This web service was just built and I don't want poor security.
  • Brian McCarthy
    Brian McCarthy almost 13 years
    @Sixto Saez, it says basicHttpBinding binding is used for older clients that use a legacy ASMX Web service. The TransportCredentialOnly security mode option passes the user credentials without encrypting. This is a WCF web service and I don't want poor security.
  • Sixto Saez
    Sixto Saez almost 13 years
    The interaction between the client and the service to exchange the Windows identity credentials is encrypted. The actual SOAP requests and responses will be in the clear using this approach. If you don't want that then simply switch the binding to wsHttpBinding and enable message security. This way the SOAP message will also be encrypted.
  • Brian McCarthy
    Brian McCarthy almost 13 years
    @Sixto Saez, what do you think of the answer I posted about adding the tag <validation validateIntegratedModeConfiguration="false" /> ?
  • Sixto Saez
    Sixto Saez almost 13 years
    You can give it a try but I doubt it will work. The config in your question implies you are using Windows authentication for your service so you need to configure the service as my update shows. WCF security is a pretty intricate topic. I'd recommend you get your service working with no security first. Next, after some research decide how you want authentication to work and use sample service code to get the config right. Lastly, apply those configs to your working service. Good Luck!!!