IIS SSL Cert Binding Randomly Disappears

5 replies

Last post Jul 10, 2018 03:27 PM by jrgonzalez

  • IIS SSL Cert Binding Randomly Disappears

    Jun 19, 2018 09:50 PM|jrgonzalez

    Hello, 

    I have multiple Windows Servers on various platforms like 2012 R2 and 2016. On these various servers most are running IIS 10, but some are running IIS 7.5 or IIS 8. Each one of these servers is running an SCCM Distribution Point, which creates a couple of websites for software packages.

    I have noticed that just about every Distribution Point I have will randomly lose its SSL CERT binding. When this happens clients cannot reach the website and download its software. 

    In the event logs I have noticed the following events right before the SSL binding disappears:

    Event ID: 5186

    Source: WAS

    A worker process with process id of '6536' serving application pool 'SMS Distribution Points Pool' was shutdown due to inactivity. Application Pool timeout configuration was set to 20 minutes. A new worker process will be started when needed.

    Then I see the following:

    Event ID: 15300

    Source: HTTPEVENT

    SSL Certificate Settings deleted for endpoint : 0.0.0.0:443 .

    Any help or guidance would be much appreciated. 
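    The two events quoted above (WAS 5186 followed by HttpEvent 15300) can be watched for, and the actual HTTP.sys binding state checked, with a script like the one below. This is an added example and is not part of the original post or of SCCM/IIS; it assumes both events are written to the System log under the provider names Microsoft-Windows-WAS and Microsoft-Windows-HttpEvent (adjust if Event Viewer shows different provider names on your build), and the parameter names are its own.

```powershell
# Added example (not from the original thread): correlate the WAS 5186 -> HttpEvent 15300
# sequence described in the post and verify whether the HTTP.sys SSL binding still exists.
# Assumption: both events are in the System log under the provider names below.
param(
    [string]$IpPort = '0.0.0.0:443',   # endpoint named in event 15300
    [int]$LookbackHours = 24,
    [int]$CorrelationMinutes = 5       # how close a 5186 must precede a 15300 to count
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Pull both event types in one query. No matching events is not an error here,
#    so suppress the "No events were found" exception Get-WinEvent raises.
$filter = @{
    LogName      = 'System'
    ProviderName = @('Microsoft-Windows-WAS', 'Microsoft-Windows-HttpEvent')
    Id           = @(5186, 15300)
    StartTime    = $since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# 2. Correlate: every 15300 "SSL Certificate Settings deleted" that follows an
#    application pool shutdown (5186) within the window is reported as a hit.
#    This is time correlation only, not proof that the shutdown caused the deletion.
$hits = foreach ($del in ($events | Where-Object Id -eq 15300)) {
    $prior = $events | Where-Object {
        $_.Id -eq 5186 -and
        $_.TimeCreated -le $del.TimeCreated -and
        $_.TimeCreated -ge $del.TimeCreated.AddMinutes(-$CorrelationMinutes)
    } | Select-Object -Last 1
    if ($prior) {
        [pscustomobject]@{
            PoolShutdown = $prior.TimeCreated
            SslDeleted   = $del.TimeCreated
            Message      = $del.Message.Trim()
        }
    }
}
if ($hits) {
    "Found $(@($hits).Count) pool-shutdown -> SSL-binding-deleted sequence(s) since $since"
    $hits | Format-Table -AutoSize
} else {
    "No 5186 -> 15300 sequence found since $since"
}

# 3. Current state: ask HTTP.sys directly. IIS reads its bindings from
#    applicationHost.config, but the certificate association lives in HTTP.sys,
#    and that is what event 15300 says was cleared.
$sslcert = netsh http show sslcert ipport=$IpPort
if ($sslcert -match 'Certificate Hash') {
    "SSL binding for $IpPort is present:"
    $sslcert | Select-String 'Certificate Hash|Application ID|Certificate Store Name'
} else {
    Write-Warning "No SSL certificate binding in HTTP.sys for $IpPort - clients will fail the TLS handshake."
}
```

    Run it from an elevated PowerShell prompt on the distribution point; scheduling it (or the equivalent event subscription) gives you an alert before clients start failing downloads. If step 3 reports the binding missing, `netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid=<guid>` re-creates it using the thumbprint and application id recorded from a known-good server (both values are placeholders here).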

  • Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS SSL Cert Binding Randomly Disappears

    Jun 20, 2018 07:55 PM|jrgonzalez

    Hi lextm, thank you for the links. I had already come across these links and I checked the applicationhost.config file for entry 5506 and it doesn't exist. In the second link you posted, in the comments below someone specifically mentions SCCM and property entry of 5511 and 2161 and neither of those are in my applicationhost.config file. 

    Here is what my applicationhost.config file looks like: (just a portion of it)

    <configSections>
    <sectionGroup name="system.applicationHost">
    <section name="applicationPools" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="configHistory" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="customMetadata" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="listenerAdapters" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="log" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="serviceAutoStartProviders" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="sites" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="webLimits" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    </sectionGroup>

    <sectionGroup name="system.webServer">
    <section name="asp" overrideModeDefault="Deny" />
    <section name="caching" overrideModeDefault="Allow" />
    <section name="cgi" overrideModeDefault="Deny" />
    <section name="defaultDocument" overrideModeDefault="Allow" />
    <section name="directoryBrowse" overrideModeDefault="Allow" />
    <section name="fastCgi" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="globalModules" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="handlers" overrideModeDefault="Deny" />
    <section name="httpCompression" overrideModeDefault="Allow" />
    <section name="httpErrors" overrideModeDefault="Allow" />
    <section name="httpLogging" overrideModeDefault="Deny" />
    <section name="httpProtocol" overrideModeDefault="Allow" />
    <section name="httpRedirect" overrideModeDefault="Allow" />
    <section name="httpTracing" overrideModeDefault="Deny" />
    <section name="isapiFilters" allowDefinition="MachineToApplication" overrideModeDefault="Deny" />
    <section name="modules" allowDefinition="MachineToApplication" overrideModeDefault="Deny" />
    <section name="applicationInitialization" allowDefinition="MachineToApplication" overrideModeDefault="Allow" />
    <section name="odbcLogging" overrideModeDefault="Deny" />
    <sectionGroup name="security">
    <section name="access" overrideModeDefault="Deny" />
    <section name="applicationDependencies" overrideModeDefault="Deny" />
    <sectionGroup name="authentication">
    <section name="anonymousAuthentication" overrideModeDefault="Deny" />
    <section name="basicAuthentication" overrideModeDefault="Deny" />
    <section name="clientCertificateMappingAuthentication" overrideModeDefault="Deny" />
    <section name="digestAuthentication" overrideModeDefault="Deny" />
    <section name="iisClientCertificateMappingAuthentication" overrideModeDefault="Deny" />
    <section name="windowsAuthentication" overrideModeDefault="Deny" />
    </sectionGroup>
    <section name="authorization" overrideModeDefault="Allow" />
    <section name="ipSecurity" overrideModeDefault="Deny" />
    <section name="dynamicIpSecurity" overrideModeDefault="Deny" />
    <section name="isapiCgiRestriction" allowDefinition="AppHostOnly" overrideModeDefault="Deny" />
    <section name="requestFiltering" overrideModeDefault="Allow" />
    </sectionGroup>
    <section name="serverRuntime" overrideModeDefault="Deny" />
    <section name="serverSideInclude" overrideModeDefault="Deny" />
    <section name="staticContent" overrideModeDefault="Allow" />
    <sectionGroup name="tracing">
    <section name="traceFailedRequests" overrideModeDefault="Allow" />
    <section name="traceProviderDefinitions" overrideModeDefault="Deny" />
    </sectionGroup>
    <section name="urlCompression" overrideModeDefault="Allow" />
    <section name="validation" overrideModeDefault="Allow" />
    <sectionGroup name="webdav">
    <section name="globalSettings" overrideModeDefault="Deny" />
    <section name="authoring" overrideModeDefault="Deny" />
    <section name="authoringRules" overrideModeDefault="Deny" />
    </sectionGroup>
    <section name="webSocket" overrideModeDefault="Deny" />
    </sectionGroup>
    <sectionGroup name="system.ftpServer">
    <section name="log" overrideModeDefault="Deny" allowDefinition="AppHostOnly" />
    <section name="firewallSupport" overrideModeDefault="Deny" allowDefinition="AppHostOnly" />
    <section name="caching" overrideModeDefault="Deny" allowDefinition="AppHostOnly" />
    <section name="providerDefinitions" overrideModeDefault="Deny" />
    <sectionGroup name="security">
    <section name="ipSecurity" overrideModeDefault="Deny" />
    <section name="requestFiltering" overrideModeDefault="Deny" />
    <section name="authorization" overrideModeDefault="Deny" />
    <section name="authentication" overrideModeDefault="Deny" />
    </sectionGroup>
    <section name="serverRuntime" overrideModeDefault="Deny" allowDefinition="AppHostOnly" />
    </sectionGroup>
    </configSections>

    <configProtectedData>
    <providers>
    <add name="IISWASOnlyRsaProvider" type="" description="Uses RsaCryptoServiceProvider to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useMachineContainer="true" useOAEP="false" />
    <add name="IISCngProvider" type="Microsoft.ApplicationHost.CngProtectedConfigurationProvider" description="Uses Win32 Crypto CNG to encrypt and decrypt" keyContainerName="iisCngConfigurationKey" useMachineContainer="true" />
    <add name="IISWASOnlyCngProvider" type="Microsoft.ApplicationHost.CngProtectedConfigurationProvider" description="(WAS Only) Uses Win32 Crypto CNG to encrypt and decrypt" keyContainerName="iisCngWasKey" useMachineContainer="true" />
    <add name="AesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisConfigurationKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAALTTCStsuA6x5jVGpNdWbTow4Yq/M1MRdXEgyq+dkIzTnOZEA9Qegh5LjUZ0WQaiKxZ4HqK0g3PjE7ZRohcoegDAqlgnLjWgB0m9xPcIuQSjKuwxLm5MjeaSgd+7NT09HeShKxQdQVrGuxRzxDDJSz4+JRCWKUVHnbp1Yd2tz3G2esvgxWgIpWFMQXtiXnwH6z+5kjFnLSM9tvA7q2sBJB18oFPXIQaWAL1w2D7GfZB6zG65GPWfSR1Yb522YmtzAQvTvjVuunpGZLLQbb6i2cVRxFJ9TIpVl6foQMAJXMC4SB1rqaQD9wim+meNb0Os9ZGJfvohfW3WtpFff6C5rIw==" />
    <add name="IISWASOnlyAesProvider" type="Microsoft.ApplicationHost.AesProtectedConfigurationProvider" description="Uses an AES session key to encrypt and decrypt" keyContainerName="iisWasKey" cspProviderName="" useOAEP="false" useMachineContainer="true" sessionKey="AQIAAA5mAAAApAAAwysrfn08VpTTiIItRoo2i9YlB4roS5H598hlWBZsj0TctFe3TsIN/gD3L81HngEXLlMDt7DSGl1PwOjGWovJgCUEpqO8ellja5kMijYKzQO9BOJx/5bqMbWu/MUfMjcb6NYJfKP/0kip5pmVhdY9EwH04ezm8saV0eztMYeryqgDRTyHl2Y83wScBQsDbOW8cq4kj2VxqRwFaPRSa7tJn8N9FXCyxuFryYG/3pGOklmektm86MsceJq+Pc75wz60+7v1mBfHX27PC582AVVGg3qU77W8Gg16ZcKg8iGOJAItg118kMdFsYD3ONAS+owSZgpmQnOJMyek6uMNhxjOPw==" />
    </providers>
    </configProtectedData>

    <system.applicationHost>

    <applicationPools>
    <add name="DefaultAppPool" />
    <add name="SMS Distribution Points Pool" autoStart="true">
    <processModel identityType="LocalService" />
    </add>
    <applicationPoolDefaults managedRuntimeVersion="v4.0">
    <processModel identityType="ApplicationPoolIdentity" />
    </applicationPoolDefaults>
    </applicationPools>

    <!--

    The <customMetadata> section is used internally by the Admin Base Objects
    (ABO) Compatibility component. Please do not modify its content.

    -->
    <customMetadata>
    <key path="LM/W3SVC">
    <property id="1002" dataType="String" userType="1" attributes="None" value="IIsWebService" />
    <property id="130002" dataType="String" userType="2" attributes="Inherit" value="BITS-Sessions" />
    <property id="130003" dataType="String" userType="2" attributes="Inherit" value="18446744073709551615" />
    <property id="130004" dataType="DWord" userType="2" attributes="Inherit" value="1209600" />
    <property id="130005" dataType="DWord" userType="2" attributes="Inherit" value="0" />
    <property id="130006" dataType="String" userType="2" attributes="Inherit" value="" />
    <property id="130008" dataType="String" userType="2" attributes="Inherit" value="" />
    <property id="130009" dataType="DWord" userType="2" attributes="Inherit" value="86400" />
    <property id="130011" dataType="DWord" userType="2" attributes="Inherit" value="0" />
    <property id="130012" dataType="DWord" userType="2" attributes="Inherit" value="1" />
    <property id="130013" dataType="DWord" userType="2" attributes="Inherit" value="12" />
    <property id="130014" dataType="DWord" userType="2" attributes="Inherit" value="1" />
    <property id="130015" dataType="DWord" userType="2" attributes="Inherit" value="0" />
    <property id="130016" dataType="DWord" userType="2" attributes="Inherit" value="0" />
    <property id="130017" dataType="DWord" userType="2" attributes="Inherit" value="0" />
    <property id="130018" dataType="DWord" userType="2" attributes="Inherit" value="50" />
    <property id="130019" dataType="DWord" userType="2" attributes="Inherit" value="0" />
    <property id="2073" dataType="MultiSZ" userType="1" attributes="Inherit" value="C:\Windows\system32\bitssrv.dll&#xA;" />
    </key>
    <key path="LM/W3SVC/INFO">
    <property id="4012" dataType="String" userType="1" attributes="Inherit" value="NCSA Common Log File Format,Microsoft IIS Log File Format,W3C Extended Log File Format,ODBC Logging" />
    <property id="2120" dataType="MultiSZ" userType="1" attributes="None" value="400,0,,,0&#xA;" />
    </key>
    <key path="LM/W3SVC/1/ROOT/SMS_DP_SMSPKG$">
    <property id="2102" dataType="String" userType="100" attributes="Inherit" value="SMS_DP_SMSPKG$" />
    </key>
    <key path="LM/W3SVC/1/ROOT/NOCERT_SMS_DP_SMSPKG$">
    <property id="2102" dataType="String" userType="100" attributes="Inherit" value="NOCERT_SMS_DP_SMSPKG$" />
    </key>
    <key path="LM/W3SVC/1/ROOT/SMS_DP_SMSSIG$">
    <property id="2102" dataType="String" userType="100" attributes="Inherit" value="SMS_DP_SMSSIG$" />
    </key>
    <key path="LM/W3SVC/1/ROOT/NOCERT_SMS_DP_SMSSIG$">
    <property id="2102" dataType="String" userType="100" attributes="Inherit" value="NOCERT_SMS_DP_SMSSIG$" />
    </key>
    </customMetadata>

    <!--

    The <listenerAdapters> section defines the protocols with which the
    Windows Process Activation Service (WAS) binds.

    -->
    <listenerAdapters>
    <add name="http" />
    </listenerAdapters>

    <log>
    <centralBinaryLogFile enabled="true" directory="%SystemDrive%\inetpub\logs\LogFiles" localTimeRollover="true" />
    <centralW3CLogFile enabled="true" directory="%SystemDrive%\inetpub\logs\LogFiles" localTimeRollover="true" />
    </log>

    <sites>
    <site name="Default Web Site" id="1" serverAutoStart="true">
    <application path="/">
    <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
    </application>
    <application path="/SMS_DP_SMSPKG$" applicationPool="SMS Distribution Points Pool">
    <virtualDirectory path="/" physicalPath="D:\SCCMContentLib" />
    </application>
    <application path="/NOCERT_SMS_DP_SMSPKG$" applicationPool="SMS Distribution Points Pool">
    <virtualDirectory path="/" physicalPath="D:\SCCMContentLib" />
    </application>
    <application path="/SMS_DP_SMSSIG$" applicationPool="SMS Distribution Points Pool">
    <virtualDirectory path="/" physicalPath="\\SRV-XXX-XXX.XXX.XXX\SMSSIG$" />
    </application>
    <application path="/NOCERT_SMS_DP_SMSSIG$" applicationPool="SMS Distribution Points Pool">
    <virtualDirectory path="/" physicalPath="\\SRV-XXX-XXX.XXX.XXX\SMSSIG$" />
    </application>
    <bindings>
    <binding protocol="http" bindingInformation="*:80:" />
    <binding protocol="https" bindingInformation="*:443:" sslFlags="0" />
    </bindings>
    <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, BytesSent, TimeTaken, ServerPort, UserAgent, Referer, HttpSubStatus" />
    </site>
    <siteDefaults>
    <logFile logFormat="W3C" directory="%SystemDrive%\inetpub\logs\LogFiles" localTimeRollover="true" />
    <traceFailedRequestsLogging directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
    </siteDefaults>
    <applicationDefaults applicationPool="DefaultAppPool" />
    <virtualDirectoryDefaults allowSubDirConfig="true" />
    </sites>

    <webLimits />

    </system.applicationHost>

    <system.webServer>

    <asp />

    <caching enabled="true" enableKernelCache="true">
    </caching>

    <cgi />

    <defaultDocument enabled="true">
    <files>
    <add value="Default.htm" />
    <add value="Default.asp" />
    <add value="index.htm" />
    <add value="index.html" />
    <add value="iisstart.htm" />
    </files>
    </defaultDocument>

    <directoryBrowse enabled="false" />

    <fastCgi />

  • Re: IIS SSL Cert Binding Randomly Disappears

    Jun 20, 2018 09:47 PM|lextm

    Then your best option is to open a support case via http://support.microsoft.com, as it appears to be a very difficult issue to investigate (as the second link indicated).

    Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS SSL Cert Binding Randomly Disappears

    Jun 20, 2018 09:50 PM|jrgonzalez

    Thank you for your input. I just opened up a case this morning with Microsoft regarding the issue. I will post results on this thread in the hope that it may help someone out in the future.

  • Re: IIS SSL Cert Binding Randomly Disappears

    Jul 10, 2018 03:27 PM|jrgonzalez

    Just wanted to provide some feedback on this issue in case anyone runs into this problem. 

    After going over all the event logs, it seems like this is related to a bug when installing the System Center Virtual Machine Manager Agent.

    If you are interested in finding out more about it, you can go to this thread:

    https://systemcentervmm.uservoice.com/forums/280803-general-vmm-feedback/suggestions/33095461-potential-bug-pushing-a-vmm-agent-to-an-infrastru