Multiple IIS sites / AppPools

Hi,

I tried to look for a similar topic but only found one for nested pages and UD pages.
I’d like to host multiple PowerShell Universal sites with different AppPools so API endpoints will have different permissions, based on account used for AppPool. Is anyone already doing this or has a tip for me? I’ve tried this already but got an error “HTTP Error 500.30 - ANCM In-Process Start Failure” when trying to access the second site.

Thanks in advance.

Best regards,
zweailltienrger

I tried to do the same to have 1 production and 1 dev enviroment and with IIS I got no success at all. With SNI it’s not working, the only solution I have atm is configuring PSU dev on another port.

Seems like it’s definitly linked to IIS rather than PSU. It’s really weird though and I can’t find any relevant information other than

failed to start process with commandline 'D:\PSU\DEV\Universal.win-x64.1.3.1\Universal.Server.exe ’ at stage ‘PostStartCheck’, ErrorCode = ‘0x8027025b’, assigned port 17561, retryCounter ‘0’.

@adam (sorry for the ping): do you have any ideas about what could lead to that error ?

Thx a lot in advance !

Have you configure PSU to use different databases? In the appsettings.json, you’ll need to make sure the db file is set to a different path.

  "Data": {
    "RepositoryPath": "%ProgramData%\\UniversalAutomation\\Repository",
    "ConnectionString": "%ProgramData%\\UniversalAutomation\\database.db",
    "GitRemote": "",
    "GitUserName": "",
    "GitPassword": ""
  },

If you have stdout logging enabled in the web.config you should be able to see the error in the log.

Yes, I can confirm that both PSU are configured to use different databases.

I configured the logging lvl to Trace in order to get everything possible in logs, but no errors shows up in PSU logs.

I configured both IIS site to use different APP POOL, each site has it’s own SSL Certificate, that is as well configured in the appsetting.json. Both configuration have their own URLs.
In IIS I did set bindings with SNI in order to be able to use, in theory, 2 sites on the same IP & Same port (in the current env, only 443 is opened) one PSU (the prod one) is running properly, the Dev one tho won’t start and except the error gave in the precedent post, nothing particular shows up. The only solution I found so far to get access to the Dev PSU is giving it another port in the bindings and it starts properly.

I’ll have to investigate. I’m not sure why that isn’t working.

it feels like it’s related to IIS tho, but I can’t find any clues about what’s going wrong.

I have this error related to IIS AspNetCore Module V2 :

Application ‘/LM/W3SVC/3/ROOT’ with physical root 'D:\PSU\DEV\Universal.win-x64.1.3.1' failed to start process with commandline 'D:\PSU\DEV\Universal.win-x64.1.3.1\Universal.Server.exe ’ with multiple retries. Failed to bind to port ‘20247’. First 30KB characters of captured stdout and stderr logs from multiple retries:

as well as this warning also related to IIS AspNetCore Module V2:

Application ‘/LM/W3SVC/3/ROOT’ with physical root 'D:\PSU\DEV\Universal.win-x64.1.3.1' failed to start process with commandline 'D:\PSU\DEV\Universal.win-x64.1.3.1\Universal.Server.exe ’ at stage ‘PostStartCheck’, ErrorCode = ‘0x8027025a’, assigned port 20247, retryCounter ‘0’.

everytime the second PSU fails to start.

That’s weird. I don’t know why changing the port would allow it to work. It does kinda sound like an IIS thing.

Thanks for your reply.

I tried with different ports, databases and AppPools, but not different URLs or certificates. Did both instances work simultaneously with your configuration? I noticed for my configuration that the first site I accessed worked, the second got the error “HTTP Error 500.30 - ANCM In-Process Start Failure”. So when accessing site two before one it works and after an iisreset I accessed site one before two and it worked. The other site showed the errror though. I’ll try with OutOfProcess and stdout in appsettings.json and let you know.

In fact it did work for like 1-2 days and it suddently stopped working… and I can’t figure why, IIS is sooo generous with logs that it make things even harder.

I tried with InProcess as well as OutOfProcess etc etc …

I guess I’ll simply forget about this for the time being, I can’t spend 2-3 days on this

Well time for me to abandon the idea of having a dev and a prod PSU. Nothing seems to work and I can’t figure who’s the culprit. I’ll keep an eye on that thread, but I give up for now…

I was able to get this working with SNI. I followed this article. https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

I extracted PSU 1.3.1 to the C:\inetpub\magic and C:\inetpub\pokemon folders. I set “Everyone” permissions to make sure that wasn’t the issue and ran dir -Recurse | Unblock-File on the folder.

In IIS, I have 2 certs configured. I created them in IIS with the self-signed cert tool.

image1101×388 30.5 KB

I created 2 app pools. One for each website. I set the app pool identity as administrator because I was having some permission problems but those were evident in the event log so if you’re not seeing that, I doubt that’s your issue.

When I setup the websites, I configured SNI and set the certs accordingly. Both websites were setup to listen on 443.

image598×682 12 KB

Both the appsettings.json files are the same.

{
  "Kestrel": {
    "Endpoints": {
      "HTTP": {
        "Url": "http://*:5000"
      }
    }
  },
  "ApplicationInsights": {
    "InstrumentationKey": ""
  },
  "Logging": {
      "Path":"./logs/log.txt",
      "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
      }
    },
  "AllowedHosts": "*",
  "Data": {
    "RepositoryPath": ".\\Repository",
    "ConnectionString": ".\\database.db",
    "GitRemote": "",
    "GitUserName": "",
    "GitPassword": ""
  },
  "Api": {
    "Url": ""
  },
  "Authentication" : {
    "Windows": {
      "Enabled": "false"
    },
    "WSFed": {
      "Enabled": "false",
      "MetadataAddress": "",
      "Wtrealm": "",
      "CallbackPath": "/auth/signin-wsfed"
    },
    "OIDC": {
      "Enabled": "false",
      "CallbackPath": "/auth/signin-oidc",
      "ClientID": "",
      "ClientSecret": "",
      "Resource": "",
      "Authority": "",
      "ResponseType": "",
      "SaveTokens": "false"
    },
    "SessionTimeout": "25"
  },
  "Jwt": {  
    "SigningKey": "PleaseUseYourOwnSigningKeyHere",  
    "Issuer": "IronmanSoftware",
    "Audience": "PowerShellUniversal"
  },
  "UniversalDashboard": {
    "AssetsFolder": ".\\Dashboard"
  }
}

Both sites are running and sharing a port.

In order to access the sites, I need to switch the host file according to the doc: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability#test-a-secure-site

If I switch my host file to:

127.0.0.1 magic

I can access the magic site on HTTPS.

If I switch my host file to:

127.0.0.1 pokemon

I can access the pokemon site on HTTPS.

I’m assuming that in a production environment, the host file step isn’t needed as the host name should correctly resolve in DNS based on the domain you are in.

Hi adam,

thank you so much. I played with SNI, ports and so on and now everything worked. I think I messed up the appsettings.json on my first tries, even though I’m quite sure I set different paths. Anyway I can confirm now multiple sites are working (with different physical paths) either, with SNI enabled, on port 443 or with different ports without SNI.

Is something like this possible on the msi installed version? Thanks

I don’t think you can use SNI for the Kestrel web server but you can host it on different ports.