Unknown error has occurred when trying to initialize Web Server Module: "The remote server returned an error: (400) Bad Request."

[siggima]

Hi I installed IIS Extension on Server 2022 and when I try to open I get this error, I use wac as a gateway I am running version 2110 build 1.3.2111.01001 Unknown error has occurred when trying to initialize Web Server Module: "The remote server returned an error: (400) Bad Request."

[AbstractionsAs]

I have this problem as well. Any updates?

[BorisBrock]

Suddenly I get this error, too. Couldn't find a way to fix it or get at least more info. Any help would be appreciated.

[smezger]

same here! Suddenly seeing this error. Log is attached. vistrpndas4.zip

[yaqiyang]

is the IIS server running on the remote machine? Can you go to https://[servername]:55539/#/api/webserver?

[eliassal]

This morning I was able to cinnect for the 1st time to the remote IIS in WAC. After I visited another host and came back to the hosts hosting remote IIS, I started getting the same error (I restarted IIS admin on the remote host but it did not help). Also I am able to connect to https://[servername]:55539/#/api/webserver? locally and remotely.

[yaqiyang]

Are you running Windows Admin Center on the same machine as IIS? I did have the same issue once in that case. Also can you try add yourself to the appsettings.json file under "C:\Program Files\IIS Administration\[version]\Microsoft.IIS.Administration\config\appsettings.json" on the IIS host as described here?. When I tested the newest IIS extension, I needed to add myself to appsettings.json to get rid of the error messages. If it does not help, I will continue to debug it. Thanks

[eliassal]

I tried your suggestion but it seems that the file has permission that does not allow changing the file. I even opened the file in notepad as ADMIN but it does not allow me to change the file in spite of the dact that I stopped IIS admin, WWW... In notepad++ it displays a message "Please Check if this file is opened in another program"

[yaqiyang]

By default, the files under "C:\Program Files\IIS Administration\[version]\Microsoft.IIS.Administration\config" are owned by System or TrustedInstaller. First, you need to take ownership of that folder, then give yourself permission to modify files in it. https://www.windowscentral.com/how-take-ownership-files-and-folders-windows-10 https://www.thewindowsclub.com/change-files-and-folders-permissions-in-windows-10

[yaqiyang]

Also, you should use double backslash in your user name, not single backslash

[eliassal]

Thanks I was able to modify the file, restarted he IIS admin but it did not help I am getting the exact same error

[yaqiyang]

Let me know the version of WAC and IIS Extension you have https://localhost:6516/settings/updates should show you the WAC version. Go to https://localhost:6516/settings/extension/installed. you should find the version of IIS Extension.

When you get the error, go to Edge menu->More tools-Developer tools. Click the Console tab. What errors do you see that is related to (400) Bad Request? Click the Network tab, can you see a red command (status code 400)? If so, get the details of that command.

[drielenr]

I got a similar error message, but instead of (400) Bad Request, I had the (401) Unauthorized. I followed the instructions @yaqiyang described: changed the ownership of the folder and added myself as admin and owner in the appsetting.json file. At first, I kept getting the same error message, but I get it working after I reset my machine.

[yaqiyang]

I got a similar error message, but instead of (400) Bad Request, I had the (401) Unauthorized. I followed the instructions @yaqiyang described: changed the ownership of the folder and added myself as admin and owner in the appsetting.json file. At first, I kept getting the same error message, but I get it working after I reset my machine.

You need to restart the Microsoft IIS Administration service after you changed appsettings.json.

[desmondkung]

Same here. Just installed and got a 400 Bad Request. WAC is installed in a different machine and I'm trying to access IIS in a 2022 server core machine.

[yaqiyang]

Same here. Just installed and got a 400 Bad Request. WAC is installed in a different machine and I'm trying to access IIS in a 2022 server core machine.

Do you have the same problem when accessing IIS on other machines using WAC?

To help us diagnose the problem, please send us the full Response text from the server.

• With the error message showing in the IIS extension, go to Edge menu
• Open "More tools -> Developer tools"
• Select "Network" tab
• Locate the http command that has the error message
• Copy the full response text

[desmondkung]

Same here. Just installed and got a 400 Bad Request. WAC is installed in a different machine and I'm trying to access IIS in a 2022 server core machine.

Do you have the same problem when accessing IIS on other machines using WAC?

To help us diagnose the problem, please send us the full Response text from the server.

• With the error message showing in the IIS extension, go to Edge menu
• Open "More tools -> Developer tools"
• Select "Network" tab
• Locate the http command that has the error message
• Copy the full response text

Same issue for 2022 Standard with GUI.

Error for 2022 Standard with GUI: {"sessionId":"f66e8382-2ccf-4394-bc11-f99699dd26b6","completed":"True","results":[],"exception":"The remote server returned an error: (400) Bad Request.","progress":[{"id":174593042,"parentId":-1,"activity":"Reading web response","status":"Reading response stream... (Number of bytes read: 0)","percent":-1,"secondsRemaining":-1,"type":"Processing"},{"id":174593042,"parentId":-1,"activity":"Reading web response","status":"Reading response stream... (Number of bytes read: 15)","percent":-1,"secondsRemaining":-1,"type":"Processing"},{"id":174593042,"parentId":-1,"activity":"Reading web response","status":"Reading web response completed. (Number of bytes read: 15)","percent":-1,"secondsRemaining":-1,"type":"Completed"},{"id":174593042,"parentId":-1,"activity":"Reading web response","status":"Reading response stream... (Number of bytes read: 0)","percent":-1,"secondsRemaining":-1,"type":"Processing"},{"id":174593042,"parentId":-1,"activity":"Reading web response","status":"Reading response stream... (Number of bytes read: 15)","percent":-1,"secondsRemaining":-1,"type":"Processing"},{"id":174593042,"parentId":-1,"activity":"Reading web response","status":"Reading web response completed. (Number of bytes read: 15)","percent":-1,"secondsRemaining":-1,"type":"Completed"}],"statusCode":0}

[yaqiyang]

@desmondkung , thanks for the data. Unfortunately, I don't see anything that can help. Can you export all that data to HAR file and send it to me?

To export as HAR, select the export button on top of the Network tab,

[desmondkung]

@yaqiyang what's your MSFT mail address? I'll send to you as a zip attachment.

[yaqiyang]

@yaqiyang what's your MSFT mail address? I'll send to you as a zip attachment.

yaqi.yang@microsoft.com

I got status 400 from a remote machine if IIS Admin is not exposed on default port 55539. But the error message is different. So that is most likely not the root cause for you. When you capture the network traffic data, please first move focus away from IIS in WAC, then click on IIS from left navigation pane again to make sure you have captured all network traffic during the process.

Thanks

[yaqiyang]

@desmondkung Error 400 can also be related to authentication. Do you have permissions to access IIS Administration on the remote machine? Can you access it by something like https://[reomote machine name]:55539?

[desmondkung]

@desmondkung Error 400 can also be related to authentication. Do you have permissions to access IIS Administration on the remote machine? Can you access it by something like https://[reomote machine name]:55539?

I did a "powershell tnc -port 55539" from the WAC gateway. Before (port closed) and after explicitly opening 55539 (port open) on the remote iis machine, I'm getting shown the same error message: Unknown error has occurred when trying to initialize Web Server Module: "The remote server returned an error: (400) Bad Request."

[yaqiyang]

• When I tried tnc localhost -port 55539 in my test, it was successful. But not successful when I did just tnc -port 55539
• What happens if you just try to navigate to https://[reomote machine name]:55539 in the browser?

The error you mentioned above happens when the remote IIS server is in an unknow state. You can uninstall IIS Admin from your remote machine and let WAC install it automatically.

[desmondkung]

• When I tried tnc localhost -port 55539 in my test, it was successful. But not successful when I did just tnc -port 55539
• What happens if you just try to navigate to https://[reomote machine name]:55539 in the browser?

The error you mentioned above happens when the remote IIS server is in an unknow state. You can uninstall IIS Admin from your remote machine and let WAC install it automatically.

1) Test-netconnection requires a destination. 2) will test browser access shortly. 3) I used the recommended option where WAC installs IISAdmin 6.0 from online source. It doesn't add a firewall rule for 55539 though.

[yaqiyang]

Firewall is not a problem. That is the first thing I tested. WAC can still access IIS even if port 55539 is not enabled from the Firewall. It is something else that put the IIS server in an unknown state that I cannot reproduce. If possible, try access it on the IIS machine through https://localhost:55539

[desmondkung]

https://localhost:55539 works.

[yaqiyang]

This is what you have. The remote address is at port 80, not a secure port. But in my local test, it is always the same port of WAC.

I think some configuration settings on your WAC are causing the problem, but I cannot reproduce it. Are you running WAC from a remote machine?

[desmondkung]

Yeah, WAC is remote gateway. There is http to https redirection from 80 to 8443.

[yaqiyang]

@desmondkung, I set up a remote WAC gateway exactly like yours, but still cannot reproduce it. Does this happen to other machines? Can you try to access IIS on a different machine?

[desmondkung]

@desmondkung, I set up a remote WAC gateway exactly like yours, but still cannot reproduce it. Does this happen to other machines? Can you try to access IIS on a different machine?

Let me try on 2019 standard.

Not sure if this info helps. I'm connecting to the servers using WAC's "Manage As" option as domain admin instead of my domain user account. The servers that are connected to WAC also have resource-based constrained delegation applied using the following lines:

$gateway = "server1" # Machine where Windows Admin Center is installed
$node = "server2" # Machine that you want to manage
$gatewayObject = Get-ADComputer -Identity $gateway
$nodeObject = Get-ADComputer -Identity $node
Set-ADComputer -Identity $nodeObject -PrincipalsAllowedToDelegateToAccount $gatewayObject

[yaqiyang]

The error occurred when WAC tried to create an access token on the target machine. Your domain admin account should also be a local admin. So it should be able to create access tokens. But anything can happen. Maybe the log files can give us some clues. Check the logs on the target machine at C:\Program Files\IIS Administration\logs. They could have some useful error messages.

In this process, WAC calls Get-Token.ps1 to create the token. So, you can try to run Get-Token.ps1 directly and see if it works. The file is at https://github.com/microsoft/IIS.WebManager/blob/dev/src/app/resources/scripts/iis_scripts/Get-Token.ps1

1. download the file to the target machine, put it under c:\users\[username]\documents
2. On the WAC gateway, open PowerShell, it should be at directory c:\users\[username]\documents
3. Run command,
   .\Get-Token.ps1 -sessionID "session123" -command "ensure" -apiHost "https://localhost:55539"

It should return the created Access Token with name "WAC/session123" and some other data. You should also see the tokens at https://localhost:55539/security/tokens

[desmondkung]

@yaqiyang just tested connection to 2019 and it works. 2022 doesn't have any log file. I'll try the token script on 2022 shortly.

[desmondkung]

400 when running PowerShell in 2022 target

No token created on local

[desmondkung]

2019 target (working)

2022 target (not working)

[yaqiyang]

Get-Token.ps1.txt

I actually reproduced the same error on my local machine when I manipulated the date format. We may be passing an incorrectly formatted expiration date to the HTTP request. I updated the script and also added some debug output. Can you download it, rename back to .ps1, then run the same command again on the target machine?

By the way, what is the date format on your target machine?

[desmondkung]

date time format

result from PowerShell

result from WAC

[yaqiyang]

Thanks a lot for your help to debug this issue. I will submit a pull request for it. But the fix in the IIS extension will have to come in our next update, which may be soon. At the same time, you may have to change your short date format to something like m/d/yyyy for it to work. I don't see a good workaround here.

[desmondkung]

You're welcome! Glad to help. This issue isn't a priority so I can wait for the update to be pushed out.

[sobriant74]

I have updated to the latest version of web admin center, and I have updated the server and rebooted. I get the following error when running the script from powershell on the host machine: .\Get-Token.ps1 -sessionID "session123" -command "ensure" -apiHost "https://localhost:5553 9" Command: Invoke-WebRequest 'https://localhost:55539/security/api-keys' -UseBasicParsing -UseDefaultCredentials -ContentType 'application/json' Invoke-WebRequest : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. At C:\Users\username\Documents\Get-Token.ps1:110 char:14

• ... $query = Invoke-WebRequest "$apiHost/security/$CreateEndpoint" -Us ...

• 
  + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
  eption
  + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

I get a similar error when running it from WAC on my machine against the host: Unable to connect to the remote server

• CategoryInfo : InvalidOperation: (Systems.net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], Webexception
• FullyQualifiedErrorID : WebCmdletWebResponseException,Microsoft.Powershell.Commands.InvokeWebRequestCommand

Has this been fixed in the latest IIS plugin update for WAC, or do I need to keep waiting? Thanks

[yaqiyang]

I have updated to the latest version of web admin center, and I have updated the server and rebooted. I get the following error when running the script from powershell on the host machine: .\Get-Token.ps1 -sessionID "session123" -command "ensure" -apiHost "https://localhost:5553 9" Command: Invoke-WebRequest 'https://localhost:55539/security/api-keys' -UseBasicParsing -UseDefaultCredentials -ContentType 'application/json' Invoke-WebRequest : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. At C:\Users\username\Documents\Get-Token.ps1:110 char:14

• ... $query = Invoke-WebRequest "$apiHost/security/$CreateEndpoint" -Us ...

•           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc eption
  • FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

I get a similar error when running it from WAC on my machine against the host: Unable to connect to the remote server

• CategoryInfo : InvalidOperation: (Systems.net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], Webexception
• FullyQualifiedErrorID : WebCmdletWebResponseException,Microsoft.Powershell.Commands.InvokeWebRequestCommand

Has this been fixed in the latest IIS plugin update for WAC, or do I need to keep waiting? Thanks

That is a different problem. Are you trying to access your local IIS from WAC? If so, you need to do this and restart your IIS Administration service, https://github.com/microsoft/IIS.Administration#:~:text=Open%20src%5CMicrosoft.IIS.Administration%5Cconfig%5Cappsettings.json%2C%20modify%20the%20users%20section%20as%20below%2C

[eliassal]

@yaqiyang I followed all instructions, updated WAC to latest version, reinstalled IIS extension but still getting the same exact error. When I acces https://salam7:55539/security/tokens/ after authentication, I can access the app and generate tokens

but in Edge, it indicates that certificate has expired so even when I try from command line your script .\Get-Token.ps1 I get a message as follows

… $query = Invoke-WebRequest "$apiHost/security/$CreateEndpoint" -Us … | ~~~~~~~~~~~~~ | The remote certificate is invalid because of errors in the certificate chain: NotTimeValid

the question is how can I renethe certificate for the site https://salam7:55539/? I checked IIS I don't see any app or site fior this app

[yaqiyang]

@eliassal , did you try all my suggestions in this thread? Please try all of them first. If nothing works, I will try to take a closer look. It has been a while since I worked on this project. I need to refresh my knowledge.

[eliassal]

Yes @yaqiyang , added myuser to appsettings

updated WAC to latest version

as well as IIS extension

I checked log files at C:\Users\myuser\wac-iis-logs I have only 3 lines as follows

[2024/10/01 17:46:29:6417] Started admin_api_util... [2024/10/01 17:46:29:6877] Microsoft IIS Administration installed, version: 2.3.0 [2024/10/01 17:46:29:6917] Pinging Admin API at https://localhost:55539

As I said the problem is very clear, certificate used by the extension has expired.

[yaqiyang]

I installed it to my machine, and everything works. Can you try a new access key? Also restart service "Microsoft IIS Administration"

[eliassal]

@yaqiyang I did but it did not help. Tell me please, ok, I created a new key but what is the beneifit of doing this as far as the the problem is with the certificate

[yaqiyang]

Are you accessing https://salam7:55539/ from the same machine or a different machine? Your Access Keys list does not show a key for WAC, so you are not accessing it from the WAC app.

[eliassal]

Yes It is on the local machines. Of course there is no key as any request is failing because of the certificate with the following error right away

So again, how the certificate can be renewed? on which server this app is running, there is nbo site in IIS.

[yaqiyang]

The certificate is issued to localhost. So you should be able to access https://localhost:55539/connect with no problem. If you still get an error, you can delete the certificate and re-install Microsoft IIS Administration. Open "Internet Information Service Manager", open Server Certificates. You should see "Microsoft IIS Administration Server Certificate". Check the expiration date. Has it expired? If so, just delete it, repair or re-install Microsoft IIS Administration.

The certificate hash of Microsoft IIS Administration Server Certificate should match the certificate thumbprint from "C:\Program Files\IIS Administration\6.0.0\setup.config"

[eliassal]

Hi, I removed the IIS admin certificate but not able to find the option how to repair Microsoft IIS Administration. I checked Win features it seems that there is no option for repairing. I googled but found nothing indicating how to repair or re-install!

Do you mean remove completly IIS? if yes, then would that make me lose all my sites and config?

[yaqiyang]

Go to Control Panel-Uninstall a Program, you should find Microsoft IIS Administration there. Double click it, you should see options to Repair or Uninstall. If Repair is not allowed, uninstall it. Then go back to WAC and it will be installed once you click IIS there.

[eliassal]

Thanks, I did a "Repaire" but getting the following error in spite of the fact that I am local and domain administrator,

I do cancel, then retry , at the end operation fails