having an issue with membership credential verification failed when it shouldn't be using it

6

18

Since our website cannot take credit cards directly we are routing the user, with credential and other misc variables, to a 'hosted page' on another site.

To go more in detail, this is how the user would access this generally:

  1. Go to our site and login with a username and password that they created previously. This uses the asp.net membership provider.

  2. Once logged in, we show them their account and they have a button to make a payment. Once they click this...

  3. They are prompted with a 'prepayment' page to verify the amount and various other bits of information. They click continue from here...

  4. So, the payment page is displayed within an iframe of our website. We redirect them to the external hosted webpage with the following code:

    <div align="center"> <iframe width="100%" height="600px" src="@Html.Raw(@ViewBag.GateWayWebsite)"></iframe></div>

  5. Once the payment page has been entered and the customer clicks submit, that site submits a post back to our website where they began and passes back the information about the charge. I grab this information and save it to our database and display a receipt.

Everything works fine except for #5. That works most of the time but about 1 in 10 come back with this message:

Event code: 4006 
Event message: Membership credential verification failed. 
Event time: 12/16/2013 4:32:22 AM 
Event time (UTC): 12/16/2013 12:32:22 PM 
Event ID: 42c509f2a25d46f0af17e72a52dfbbe5 
Event sequence: 38 
Event occurrence: 1 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/3/ROOT/SuburbanCustPortal-1-130316693110399868 
    Trust level: Full 
    Application Virtual Path: /SuburbanCustPortal 
    Application Path: C:\inetpub\wp\SuburbanCustPortal\ 
    Machine name: WIN-OB929P97YAR 

Process information: 
    Process ID: 3620 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Request information: 
    Request URL: https://myurl:443/SuburbanCustPortal/Account/Logon2 
    Request path: /SuburbanCustPortal/Account/Logon2 
    User host address: xx.xx.xx.xx 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

Name to authenticate: testuser 

I cannot get it to happen on the handful of test cases that I've run, which makes it that much more frustrating.

This is my web.config:

<?xml version="1.0"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=152368
  -->
<configuration>

  <appSettings>
    <add key="webpages:Version" value="1.0.0.0"/>
    <add key="ClientValidationEnabled" value="true"/>
    <add key="UnobtrusiveJavaScriptEnabled" value="true"/>
    <add key="suburbanServiceUrl" value=""/>
  </appSettings>

  <system.web>

    <sessionState
      mode="InProc"
      stateConnectionString="tcpip=127.0.0.1:42424"
      stateNetworkTimeout="60"
      sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
      cookieless="false"
      timeout="60"
    />

    <customErrors mode="Off"/>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
      </assemblies>
    </compilation>
    <authentication mode="Forms">
      <!-- timeout: Gets and sets the amount of time, in minutes, allowed between requests
                    before the session-state provider terminates the session. -->
      <forms loginUrl="~/Account/LogOn" timeout="60"/>
    </authentication>

    <membership>
      <providers>
        <clear/>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ApplicationServices"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             maxInvalidPasswordAttempts="30"
             minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             applicationName="webportal"/>
      </providers>

    </membership>

    <profile>
      <providers>
        <clear/>
        <add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
      </providers>
    </profile>

    <roleManager enabled="true">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
        <add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
      </providers>
    </roleManager>

    <pages enableSessionState="true">
      <namespaces>
        <add namespace="System.Web.Helpers"/>
        <add namespace="System.Web.Mvc"/>
        <add namespace="System.Web.Mvc.Ajax"/>
        <add namespace="System.Web.Mvc.Html"/>
        <add namespace="System.Web.Routing"/>
        <add namespace="System.Web.WebPages"/>
      </namespaces>
    </pages>
  </system.web>

  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="Session"/>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    </modules>
    <httpProtocol>
    </httpProtocol>
    <staticContent>
      <clientCache cacheControlCustom="public"
      cacheControlMaxAge="00:00:01" cacheControlMode="UseMaxAge" />
    </staticContent>   
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/>
        <bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_ISuburbanService" maxReceivedMessageSize="128072" />
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://localhost:2181/ISuburbanService.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ISuburbanService"
        contract="SuburbanService.ISuburbanService" name="BasicHttpBinding_ISuburbanService" />
    </client>
    <!--<bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_ISuburbanService" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
          maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
          messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
          useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="Transport">
            <transport clientCredentialType="Basic" proxyCredentialType="None"
              realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://localhost/SuburbanHUB/ISuburbanService.svc"
        binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ISuburbanService"
        contract="SuburbanService.ISuburbanService" name="BasicHttpBinding_ISuburbanService" />
    </client>-->
    <!--<behaviors>
      <serviceBehaviors>
        <behavior name="SomeServiceServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>-->
  </system.serviceModel>
</configuration>

And the method that captures the post:

    [NoCache]
    [HttpPost]
    public ActionResult Receipt(string id)
    {
      var sb = new StringBuilder();
      try
      {
        sb.AppendLine("ActionResult Reciept(string account)");

        var count = 0;
        var postVals = new Dictionary<string, string>();
        foreach (var key in Request.Form.AllKeys)
        {
          sb.AppendLine("count: " + count);
          sb.AppendLine(string.Format("key:   {0}    Value:   {1}", key, Request.Form[key]));
          postVals.Add(key, Request.Form[key]);
          sb.AppendLine("finished count: " + count);
          count++;
        }
        sb.AppendLine("finished processing ALLKeys");
        var paymentReq = createPaymentRequest(postVals);
        sb.AppendLine("finished processing 'var paymentReq = createPaymentRequest(postVals)' ");
        var receipt = _client.RecordPaymentWithRequest(paymentReq);

        var retval = PartialView(receipt.Duplicate ? "Duplicate Receipt" : "Receipt", receipt);
        sb.AppendLine(string.Format("retval: {0}", retval));
        return retval;

      }
      catch (Exception ex)
      {
        sb.AppendLine(string.Format("Receipt error: {0}", ex.Message));
        Logging.LogException("Receipt error!", ex, _asName);
        throw;
      }
      finally
      {
        Logging.LogInfo(sb.ToString(), _asName);
      }
    }

As you can see above, I don't have [Authorize] on it so it shouldn't be requiring membership provider to check for access. The class level does not either.

Anyone have any suggestions of what might be going on?

UPDATE

2013-12-16 04:22:14 xxx.xxx.xxx.xxx GET /SuburbanCustPortal/Scripts/Views/logon.js - 443 - xxx.xxx.xxx.xxx Mozilla/5.0+(Linux;+Android+4.2.2;+en-us;+SAMSUNG+SGH-M919+Build/JDQ39)+AppleWebKit/535.19+(KHTML,+like+Gecko)+Version/1.0+Chrome/18.0.1025.308+Mobile+Safari/535.19 304 0 0 109
2013-12-16 04:22:14 xxx.xxx.xxx.xxx GET /SuburbanCustPortal/Content/images/mod/modavoca.png - 443 - xxx.xxx.xxx.xxx Mozilla/5.0+(Linux;+Android+4.2.2;+en-us;+SAMSUNG+SGH-M919+Build/JDQ39)+AppleWebKit/535.19+(KHTML,+like+Gecko)+Version/1.0+Chrome/18.0.1025.308+Mobile+Safari/535.19 304 0 0 93
2013-12-16 04:22:15 xxx.xxx.xxx.xxx GET /Content/favicon.ico - 443 - xxx.xxx.xxx.xxx Mozilla/5.0+(Linux;+Android+4.2.2;+en-us;+SAMSUNG+SGH-M919+Build/JDQ39)+AppleWebKit/535.19+(KHTML,+like+Gecko)+Version/1.0+Chrome/18.0.1025.308+Mobile+Safari/535.19 404 0 2 250
2013-12-16 04:22:15 xxx.xxx.xxx.xxx GET /apple-touch-icon-precomposed.png - 443 - xxx.xxx.xxx.xxx Mozilla/5.0+(Linux;+Android+4.2.2;+en-us;+SAMSUNG+SGH-M919+Build/JDQ39)+AppleWebKit/535.19+(KHTML,+like+Gecko)+Version/1.0+Chrome/18.0.1025.308+Mobile+Safari/535.19 404 0 2 250
2013-12-16 04:22:15 xxx.xxx.xxx.xxx GET /apple-touch-icon.png - 443 - xxx.xxx.xxx.xxx Mozilla/5.0+(Linux;+Android+4.2.2;+en-us;+SAMSUNG+SGH-M919+Build/JDQ39)+AppleWebKit/535.19+(KHTML,+like+Gecko)+Version/1.0+Chrome/18.0.1025.308+Mobile+Safari/535.19 404 0 2 78
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2013-12-16 04:39:52
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-12-16 04:39:52 xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx - 200 0 0 171
2013-12-16 04:50:12 xxx.xxx.xxx.xxx POST /SuburbanHUB/ISuburbanService.svc - 443 suburbansoftware xxx.xxx.xxx.xxx - 200 0 0 875
2013-12-16 04:50:12 xxx.xxx.xxx.xxx POST /SuburbanHUB/ISuburbanService.svc - 443 suburbansoftware xxx.xxx.xxx.xxx - 200 0 0 187
2013-12-16 04:50:12 xxx.xxx.xxx.xxx GET /SuburbanCustPortal/Account/Verify id=dde4bbfb-0d2e-4706-a604-36eea3fdcae3&verifyid=c0b4fdb5-9bb3-4d2b-b724-df42e6ea2a59 443 - xxx.xxx.xxx.xxx Mozilla/5.0+(iPhone;+CPU+iPhone+OS+7_0_3+like+Mac+OS+X)+AppleWebKit/537.51.1+(KHTML,+like+Gecko)+Version/7.0+Mobile/11B511+Safari/9537.53 200 0 0 1328
2013-12-16 04:50:12 xxx.xxx.xxx.xxx GET /SuburbanCustPortal/Content/reset.css - 443 - xxx.xxx.xxx.xxxMozilla/5.0+(iPhone;+CPU+iPhone+OS+7_0_3+like+Mac+OS+X)+AppleWebKit/537.51.1+(KHTML,+like+Gecko)+Version/7.0+Mobile/11B511+Safari/9537.53 200 0 0 453

There is a lapse in the log from 04:22:15 through 04:39:52

Is this normal?

EDIT

I clarified the steps above for those who asked.

Complicity answered 18/12, 2013 at 20:38 Comment(28)
Do you have the IIS logs for any of these requests? The event log looks like that page in particular is being requested, which means that something is redirecting to that page. The logs will show you which page was requested before it. - Confrere
@MatthewSteeples I'll check it and post the results. - Complicity
The time lapse is probably the app pool shutting down due to inactivity. Are you storing anything in session state? If you're using in-proc as the state storage then you'll lose it. - Selfpronouncing
@MatthewSteeples if it is related, can it be prevented? That's awfully suspicious to happen right at that time. - Complicity
What is your type of membership provider? - Runion
The asp membership provider, is that what you are asking? - Complicity
asp.net has built-in SqlMembershipProvider and ActiveDirectoryMembershipProvider, or you can build your custom membership provider. Which one are you using? - Runion
"System.Web.Security.SqlMembershipProvider" I posted the wrong web.config. I have updated my question. - Complicity
You might have to just throw out some Logging.LogInfo lines, to try to narrow down where the error occurs. Disgusting, I know, but in a case like this, it's effective. - Dominic
Do you set allow anonymous in your IIS settings? - Kacey
There is nothing wrong with logging. If you want to monitor ASP.NET shutdowns here is a link how to do it: weblogs.asp.net/scottgu/archive/2005/12/14/433194.aspx It will also give you the shutdown reason which could be useful. Not sure if since 2005 a better method exists to achieve the same. - Penknife
There is something bothering me. The Receipt action seems not to authorize the POST in any way. It seems so open to possible misuse. Am I missing something or your design lacks proper security? - Abscind
Also, what is "webportal" in the application name in the membership provider configuration? - Abscind
Why is there no POST to /{controller}/Receipt in your log? - Endospore
@Endospore That's what I'm wondering. Seems like it is logging in the event viewer before it even reaches my code. - Complicity
@WiktorZychla It is my bad attempt to prevent timeouts if they spend too long on the payment page. I need to record the payment regardless if they are logged in at this point since the payment has occurred, otherwise I lose the transaction. - Complicity
Also, I wanted to add, this is only happening 1 of every 10 people who visit. That's a rough guesstimate since I cannot replicate the issue. - Complicity
I believe authentication happens before the controller is reached, so I would not expect to see the POST to /Receipt in the log. - Singular
@ErocM: I believe it should create a log entry before it attempts to run your code. Is the POST URL from the external page definitely correct and hitting your correct server and IIS site? Have you checked the logs for other sites in IIS? - Endospore
@Endospore I spoke to the vendor who hosts the payment page and they checked their logs. They said they are getting a 302 Found response from our website. Other than that, they don't know. - Complicity
@ErocM: Their logs from what? Are you saying they make a server side POST to you as well as the POST to send the user back? Which is the one that is failing? - Endospore
These clarifying details should be added to the question or to the answer as appropriate; comments can be (and are) deleted at any time. - Chimene
@Endospore I don't know what logs they are checking. I'll have to ask. I was just told that and only that from them. - Complicity
@ErocM: Please can you clarify what exactly step #5 is? Is it a POST from their server, or does it send the user's browser back to your site with a POST? To me it sounds like there is a misunderstanding somewhere of how it is to work. - Endospore
@Endospore It is working for the most part so I don't think it's a misunderstanding. I have updated my steps. - Complicity
Could be the user is presenting an expired forms auth ticket. I've found that despite the docs saying the ticket expiry should be extended with each request (sliding window) it isn't & can expire. - Junie
I'm not sure if it has anything to do with 3-rd cookie. Could you try not to host the external page inside an frame? - Runion
Sorry guys, the holidays put me a little behind on this. I'll get to testing these ideas in the morning. Thanks again! - Complicity
5

> That's awfully suspicious to happen right at that time.

I would agree, but it seems that in step #4 you redirect off the site, and then the user does data entry. If a user occasionally takes 10-20 minutes to enter that information (due to distraction, etc.), it makes it much more likely than if it were just a simple race condition.

If you still have the data from all the errors, you may be able to look back to see if you can find a pattern to the times when this happens (or every xx hours--see below).

  1. Check your IIS settings to see when the app pool recycles. Does it recycle around 4am every night? Is it on a rolling schedule? By default, IIS recycles on some odd number of hours for some reason (I think every 28 hours).
  2. Get off of InProc Session state and into State Server (or SQL). InProc is only going to cause you pain anyway in the long run. Note that when you make this change, you have to ensure that all objects you put into session are serializable, otherwise you will get errors. InProc does not require objects to be serialized in session.

Edit: Ok, to check your app pool recycling:

  1. In IIS Manager, select the appropriate app pool and select Advanced Settings (right click or use right side menu).
  2. Scroll to the bottom, to section Recycling
  3. Regular Time Interval will reset the app pool every xx minutes. The default is 1740 minutes, or every 29 hours.
  4. The Specific Times setting allows you to set a scheduled time for it to recycle.

In general, you DO want to recycle the app pool periodically (probably daily).

To answer your second question: if this is indeed the cause, it's not a question of timeout; it's a question of whether the app pool recycles during the period of time between when they are redirected away and when they get redirected back. Changing your session state to something other than InProc should solve this problem.

That said, the session expiring could ALSO be the cause of this, so setting your session timeout to a larger value could also resolve this.

If you take a more extensive look at the logs during periods of time when this happened, it might give more clues to what is happening.

Edit #2

See if you can isolate the occurrences of the error in the logs. If you can, see if there is a pattern to the browser that is being used. I would also look for other patterns to see if anything jumps out.

You might just test with a bunch of different browsers (including mobile) to see if you can reproduce. Also, try different versions of IE and different security settings on IE.

Singular answered 22/12, 2013 at 21:5 Comment(12)
Mind pointing me where I find out when the pool recycles in IIS? Is this necessary to have run often? - Complicity
Also, should I extend the timeout period in case they do sit on the redirected page for 10-20 minutes as suggested? - Complicity
Are you by any chance using logic in Global ASAX postAuthentication events? Are you CERTAIN your logic isn't assuming the SAME thread for following steps? I have seen very similar problems when statics are used POST authentication. - Markmarkdown
Seems like it would fail every time, though, right? Not just 1 time in 10? - Singular
@PhilSandler Great post. I'll check these settings in the morning. Thanks for everyone's input. - Complicity
@PhilSandler I checked it and it was set to 1740. It doesn't seem like that happening once every 29 hours fits the profile for my issue though. - Complicity
Can you take a deeper look at the logs, and correlate times it is happening to what the log shows? - Singular
Added a few more ideas to my answer. - Singular
@PhilSandler Thank you for the info. I found out it is happening on Firefox and Chrome. I wasn't able to duplicate it. Also, I tried to mimic the time out by waiting 60 minutes before returning back to the site and it didn't give me any issues. :( Would have been nice to be able to replicate it that easily. I also increased the app pool recycling to 2 days but I don't think that was playing a part since it was happening more than once a day already. - Complicity
@Complicity Are you sure it's happening in Firefox? The posted logs only show Webkit based mobile browsers (Chrome and Safari) and Webkit has a long history of issues with Integrated Windows Auth. Chrome has supported it properly since v8.0 and Safari with Kerberos ticket - but who knows how much of the browsers' capabilities have filtered to mobile? - Expulsive
@Complicity Can you replicate it by using a private browser mode? - Expulsive
@wormtown Yeah, I tried that and it worked without any problems. :( - Complicity
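
The log correlation suggested in this answer (find the gaps, then look for a pattern in time and browser), as an added Python example that is not part of the original answer or the poster's code. The sample log is constructed in the question's field layout; the `/Portal/...` paths, the addresses, the 10-minute gap threshold and the 5-minute "after gap" window are assumptions, and only the `/Receipt` action name comes from the question.

```python
"""Correlate IIS W3C log gaps with redirected payment callbacks (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample. Paths, addresses and user agents are made up. The second
# "#Fields:" header marks a new log segment, and the last row has its c-ip and
# user-agent columns fused, like one row in the question's excerpt.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-12-16 04:21:50 192.0.2.10 GET /Portal/Account/LogOn - 443 - 198.51.100.7 Mozilla/5.0+(Linux;+Android+4.2.2)+Chrome/18.0+Mobile+Safari/535.19 200 0 0 109
2013-12-16 04:22:15 192.0.2.10 GET /Portal/Payment/PrePayment - 443 - 198.51.100.7 Mozilla/5.0+(Linux;+Android+4.2.2)+Chrome/18.0+Mobile+Safari/535.19 200 0 0 93
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-12-16 04:39:52 192.0.2.10 POST /Portal/Payment/Receipt - 443 - 198.51.100.7 Mozilla/5.0+(Linux;+Android+4.2.2)+Chrome/18.0+Mobile+Safari/535.19 302 0 0 171
2013-12-16 04:41:10 192.0.2.10 POST /Portal/Payment/Receipt - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1;+rv:26.0)+Gecko/20100101+Firefox/26.0 200 0 0 640
2013-12-16 04:41:30 192.0.2.10 GET /Portal/Content/reset.css - 443 - 198.51.100.9Mozilla/5.0+(Windows+NT+6.1;+rv:26.0)+Gecko/20100101+Firefox/26.0 200 0 0 45
"""


def parse_w3c(text):
    """Parse W3C extended log text; a '#Fields:' line may redefine columns mid-file."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # damaged row (fused columns): skip rather than misalign
        rec = dict(zip(fields, values))
        # W3C extended logs record date and time in UTC.
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def find_gaps(records, threshold=timedelta(minutes=10)):
    """Return (start, end) pairs where nothing was logged for longer than threshold."""
    return [(a["ts"], b["ts"]) for a, b in zip(records, records[1:])
            if b["ts"] - a["ts"] > threshold]


def ua_family(ua):
    """Coarse browser family; Chrome is tested before Safari (its UA names both)."""
    for token, name in (("Firefox/", "Firefox"), ("Chrome/", "Chrome"),
                        ("MSIE", "IE"), ("Trident/", "IE"), ("Safari/", "Safari")):
        if token in ua:
            return name
    return "Other"


def redirected_callbacks(records, suffix="/Receipt"):
    """POSTs to the callback action answered with a 302 instead of a receipt."""
    return [r for r in records
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower().endswith(suffix.lower())
            and r["sc-status"] == "302"]


def in_gap(gaps, event_utc):
    """True if an event-log time falls inside a gap; pass the 'Event time (UTC)' value."""
    return any(start < event_utc < end for start, end in gaps)


def report(text, after_gap=timedelta(minutes=5)):
    """Summarise redirected callbacks by browser family and proximity to a log gap."""
    records = parse_w3c(text)
    gaps = find_gaps(records)
    hits = redirected_callbacks(records)
    near = [r for r in hits
            if any(end <= r["ts"] <= end + after_gap for _, end in gaps)]
    return {
        "gaps": gaps,
        "redirected": len(hits),
        "by_browser": Counter(ua_family(r["cs(User-Agent)"]) for r in hits),
        "right_after_gap": len(near),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, "=", value)
```
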
1

The few things I found in your web.config are -

  1. You have multiple applicationName values. Normally, IsUserInRole and GetRolesForUser should fail if the applicationName values are not the same.

  2. In addition, you want to set defaultProvider for each provider especially if you have more than one provider like roleManager - <roleManager ... defaultProvider="DefaultRoleProvider">

Current Web.config

<membership>
   <providers>
      <clear/>
      <add ... applicationName="webportal"/>
   </providers>
</membership>

<profile>
   <providers>
      <clear/>
      <add ... applicationName="/"/>
   </providers>
</profile>

<roleManager enabled="true">
   <providers>
      <clear/>
      <add ... applicationName="/"/>
      <add ... applicationName="/"/>
   </providers>
</roleManager>

Take a look at web.config of Scott Hanselman's ASP.NET Universal Providers blog.

<sessionState
   mode="InProc"
   stateConnectionString="tcpip=127.0.0.1:42424"
   stateNetworkTimeout="60"
   sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
   cookieless="false"
   timeout="60"
/>

You do not need stateConnectionString, stateNetworkTimeout and sqlConnectionString for InProc. More information here.

Pastelist answered 23/12, 2013 at 21:1 Comment(0)
1

Please refer to the following article by ScottGu http://weblogs.asp.net/scottgu/archive/2006/04/22/Always-set-the-_2200_applicationName_2200_-property-when-configuring-ASP.NET-2.0-Membership-and-other-Providers.aspx.

In addition, carefully check again that the “ApplicationName” value in the “aspnet_Applications” database table and the “applicationName” property value for all providers in web.config (Membership provider, Role provider, Profile provider etc.) have the same value.

Hope this would fix your problem!

Thorncombe answered 25/12, 2013 at 2:28 Comment(0)
1

It's been a while since I have troubleshot issues like this (but I did it for pss over 7 yrs ago).

Everything that @PhilSandler recommended is good. However I have a gut feeling the root cause is NOT AppPool recycling or Session time outs, if you do get desperate you could try Out-Of-Process Session State.

I'm thinking if it's roughly 1 out of 10 users and it appears intermittent (as you cannot reproduce it), then it's probably going to be a browser specific setting. I'm guessing users which encounter the problem have cookies disabled in their browsers (FF and Chrome users are more switched on than regular IE users).

This hypothesis would slightly match up with @SilverlightFox's theory:

> the frameset that is preventing 3rd party cookies


<authentication mode="Forms">

I'm thinking that the forms authentication can't store the session data on client side. Membership credential verification failed event log entries can be caused due to disabled cookies.

Please disable cookies in FF or Chrome and try out my hypothesis. Fingers crossed this allows you to reproduce it.

Coppice answered 27/12, 2013 at 6:25 Comment(3)
I'll give that a shot in the morning. Thanks for the idea. - Complicity
Do let me know if it isn't the root cause, I'd be interested in following this question through even if the bounty has already been awarded. - Coppice
I tested this and the user doesn't get past the login screen without my catch-all error method grabbing it. I have tried several variations of the cookie settings. I did find that I don't want to use them anymore :) I'm going to move off them completely now since it is causing issues on my site. - Complicity
1

After looking around the web, here are the solutions I've found where people have had your 4006 error and ultimately fixed the issue.

  • applicationName field set to "/". - This is the most common conversation about your issue. But, your applicationName field looks fine so that's definitely not it.

  • Problem with ActiveDirectoryMembershipProvider - Link. This seems unlikely to be your problem because you're using the SqlMembershipProvider.

  • Internet user missing permissions on the .mdf and .ldf files - Link. The references to this problem that I saw were with people using SQLExpress because it runs under the ASP.NET user account and needs read/write access. Again, this seems unlikely to be your problem because you're only having it intermittently. But it is related to the 4006 error, so verifying permissions on the user seems worth looking at.

  • Duplicated User Passwords - I didn't save a link, but if you don't have unique constraints on both username and password in the database, it can return the 4006 response. So far this seems most probable to me because it would explain the intermittent behavior and because people frequently double-click when using the internet. I would double and triple check your constraints.

I'll be happy to see what else I can find, but ruling out the last two of these first seems like a good idea. Also, the thing that seems the most odd about the gap in your logs is the fact that the EventLog data shows the error happening almost in the middle of the IIS gap. Then after it resumes, there is another log gap. It looks like it might be two completely different users. Maybe not, Just throwing that out there. Let me know. Good luck.

Constantinople answered 27/12, 2013 at 7:6 Comment(2)
I can see that the OP didn't down-vote this post. Getting 2 up-votes or more on a bounty means you get the award even if you didn't help the OP. Why would someone down-vote a response that clearly tries to rule out and inquire about possible causes of the problem at hand that haven't been mentioned. And, not give a reason for the down-vote? Hmm, I wonder. - Constantinople
I haven't downvoted anything on this thread. It's good info +1 for the help! - Complicity
0

I notice that the src isn't set correctly on the IFrame.

<div align="center"> <iframe width="100%" height="600px" src="@Html.Raw(@ViewBag.GateWayWebsite)"></iframe></div>

The GateWayWebsite should be properly HTML encoded in case it contains special characters that are relevant but are not being passed properly:

<div align="center"> <iframe width="100%" height="600px" src="@ViewBag.GateWayWebsite"></iframe></div>

Another thought is that it could be that the frameset that is preventing 3rd party cookies - either the browser setting or the P3P privacy policy header. Try opening the link outside of the IFrame (i.e. so the address bar changes to the external site), just as a test to see if this resolves your issues.

Edit: I shouldn't have edited my answer as you have now reverted your upvote. My answer is technically correct, although it might not be the answer that fixes your current problem, I am right that the output of the URL is wrong as you are not HTML encoding it. I find it is best to fix everything as this reduces the chances of niggly bugs occurring in future that are difficult to debug.

Endospore answered 23/12, 2013 at 21:22 Comment(2)
The viewbag will not work without the html.raw for the iframe. It drops the url in place by having it otherwise it will display as text. - Complicity
@ErocM: I'm not sure what you mean... @ViewBag.GateWayWebsite will be rendered by the Razor engine. Do you have an example GateWayWebsite URL? - Endospore
