Extended Protection in IIS

Question

Wednesday, July 23, 2014 7:35 PM

Currently having a number of issues in our environment (Unable to delete item using Delete button in ribbon, unable to use the "send a link" button, unable to open in SP designer) and from my research all sources have said to turn off extended protection in IIS and everything will start working.

Why is turning off a security feature to protect against man-in-the-middle attacks the recommended fix for these issues?

Can anyone tell me why having the extended protection feature causes these issues?

Below is the error received on the WFE server when any of the actions mentioned above are attempted:

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/15490010
 Exception: System.ServiceModel.ServiceActivationException: The service '/_vti_bin/cellstorage.svc' cannot be activated due to an exception during compilation.  The exception message is: The extended protection settings configured on IIS do not match the settings configured on the transport.  The ExtendedProtectionPolicy.PolicyEnforcement values do not match.  IIS has a value of WhenSupported while the WCF Transport has a value of Never.. ---> System.NotSupportedException: The extended protection settings configured on IIS do not match the settings configured on the transport.  The ExtendedProtectionPolicy.PolicyEnforcement values do not match.  IIS has a value of WhenSupported while the WCF Transport has a value of Never.
   at System.ServiceModel.Channels.ChannelBindingUtility.ValidatePolicies(ExtendedProtectionPolicy policy1, ExtendedProtectionPolicy policy2, Boolean throwOnMismatch)
   at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.MessageEncodingBindingElement.InternalBuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.MtomMessageEncodingBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   End of inner exception stack trace
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 5904

And this entry is already in the web.config file:

 <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>

All replies (3)

Wednesday, July 23, 2014 7:56 PM

FYI it isn't really supported to change any IIS settings for an IIS Site hosting a Web Application for SharePoint, with the exception of IIS Bindings. SharePoint will not know about the IIS settings change you made, so you'd have to manually set it on each member of the farm (where applicable). In addition, if you performed any action that caused a Provision/ProvisionGlobally on the Web Application (such as changing authentication providers), your setting would be lost.

Trevor Seward


This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.


Wednesday, July 23, 2014 8:13 PM

We only have the one WFE server, so the changes are only happening there. We do not want to change our authentication methods, just details about our current one (the extended protection setting in IIS which is currently set to 'Accept').


Tuesday, December 11, 2018 11:56 PM | 1 vote

You can fix this by adding the WCF entry in web.config on the IIS server. It's the typical poor-quality error message that Microsoft gives. Come to think of it, the coding is also very poor. The word "WhenAvailable" should mean when it is available, not when it feels like it. WCF and IIS settings should get their act together... literally.

Modify the file (change the path to match yours, i.e. version number... etc...)

C:\Program Files\Microsoft Team Foundation Server 15.0\Application Tier\Message Queue\web.config

You will see in the web.config file two entries with elements <httpTransport> and <httpsTransport>. Add a child element called <extendedProtectionPolicy> to each of these.  It will look something like this (the <extendedProtectionPolicy> lines are the two lines I added):

        <binding name="TfsSoapBinding">
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <httpTransport authenticationScheme="IntegratedWindowsAuthentication" manualAddressing="true">
            <extendedProtectionPolicy policyEnforcement="WhenSupported"/>
          </httpTransport>
        </binding>
        <binding name="TfsSoapBindingHttps">
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <httpsTransport authenticationScheme="IntegratedWindowsAuthentication" manualAddressing="true">
            <extendedProtectionPolicy policyEnforcement="WhenSupported"/>
          </httpsTransport>
        </binding>

The EventLog entries should go away. You'll probably run into something else behind that. It took me a bit of weaving and dodging through Kerberos SPNs and whatnot, but I eventually got it working.
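The mismatch the exception reports can be checked and corrected without touching IIS, which keeps the channel-binding protection in place. The following is an added example, not code from this thread or from Microsoft: it maps the IIS windowsAuthentication extendedProtection tokenChecking value (the "Off" / "Accept" / "Required" choices in IIS Manager are stored as None / Allow / Require) to the WCF PolicyEnforcement value the transport must declare (Never / WhenSupported / Always), reports every <httpTransport> or <httpsTransport> whose policy differs, and rewrites the WCF side upward to match. It treats any difference as a mismatch, which is what the error message states. The IIS and WCF XML fragments are constructed sample input, not captures from a real server; the function names are this example's own.

```python
"""Check and align WCF extendedProtectionPolicy with the IIS Extended Protection setting.

Added example (not from the original thread). Sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

# IIS tokenChecking attribute -> WCF PolicyEnforcement enum value.
# IIS Manager labels: Off -> None, Accept -> Allow, Required -> Require.
IIS_TO_WCF = {"None": "Never", "Allow": "WhenSupported", "Require": "Always"}

# Constructed sample: the IIS side, as it appears under <windowsAuthentication>
# in applicationHost.config or a site web.config ("Accept" in the UI).
IIS_CONFIG = """
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true">
          <extendedProtection tokenChecking="Allow" flags="None" />
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: the WCF side before the fix, with no extendedProtectionPolicy
# on either transport (WCF then defaults to Never, which is what the error shows).
WEB_CONFIG = """
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="TfsSoapBinding">
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <httpTransport authenticationScheme="IntegratedWindowsAuthentication" manualAddressing="true" />
        </binding>
        <binding name="TfsSoapBindingHttps">
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <httpsTransport authenticationScheme="IntegratedWindowsAuthentication" manualAddressing="true" />
        </binding>
      </customBinding>
    </bindings>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  </system.serviceModel>
</configuration>
"""

TRANSPORTS = ("httpTransport", "httpsTransport")


def iis_policy(iis_xml):
    """Return the WCF-equivalent PolicyEnforcement for the IIS extendedProtection
    element. An absent element or attribute means tokenChecking=None in IIS."""
    root = ET.fromstring(iis_xml)
    ep = root.find(".//windowsAuthentication/extendedProtection")
    token_checking = ep.get("tokenChecking", "None") if ep is not None else "None"
    return IIS_TO_WCF[token_checking]


def wcf_policies(web_config_xml):
    """Return {binding name: {transport element: policyEnforcement}}.
    A transport without <extendedProtectionPolicy> is reported as Never."""
    root = ET.fromstring(web_config_xml)
    result = {}
    for binding in root.iter("binding"):
        for transport in TRANSPORTS:
            t = binding.find(transport)
            if t is None:
                continue
            epp = t.find("extendedProtectionPolicy")
            policy = epp.get("policyEnforcement", "Never") if epp is not None else "Never"
            result.setdefault(binding.get("name", "(unnamed)"), {})[transport] = policy
    return result


def find_mismatches(iis_xml, web_config_xml):
    """List (binding, transport, iis_policy, wcf_policy) for every transport whose
    PolicyEnforcement differs from the IIS setting, i.e. every activation failure."""
    expected = iis_policy(iis_xml)
    return [(name, transport, expected, policy)
            for name, transports in wcf_policies(web_config_xml).items()
            for transport, policy in transports.items()
            if policy != expected]


def align_web_config(web_config_xml, policy):
    """Return web.config XML with every http(s)Transport carrying
    <extendedProtectionPolicy policyEnforcement=policy/>, adding the element
    where it is missing. This raises the WCF side to IIS rather than lowering IIS."""
    root = ET.fromstring(web_config_xml)
    for binding in root.iter("binding"):
        for transport in TRANSPORTS:
            t = binding.find(transport)
            if t is None:
                continue
            epp = t.find("extendedProtectionPolicy")
            if epp is None:
                epp = ET.SubElement(t, "extendedProtectionPolicy")
            epp.set("policyEnforcement", policy)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, transport, iis, wcf in find_mismatches(IIS_CONFIG, WEB_CONFIG):
        print(f"{name}/{transport}: IIS={iis} WCF={wcf}")
    fixed = align_web_config(WEB_CONFIG, iis_policy(IIS_CONFIG))
    print("remaining mismatches:", find_mismatches(IIS_CONFIG, fixed))
```

Run it against the real files by replacing the two constructed strings with the contents of the site's applicationHost.config location section and the service's web.config. The direction of the fix matters: setting the WCF transport to the IIS value keeps channel binding enforced on the transport, whereas switching IIS to "Off" (the fix the question's sources suggested) clears the error by removing the protection.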