Working in Kovai.co provides a lot of opportunities to learn and explore new things. I’m sure within Kovai.co your job role doesn’t decide your day to day work routine. Click here to know more about the work culture. Recently we had an opportunity to work in Microsoft Azure Marketplace and interestingly we came across a new case related to IIS configuration.
In this blog, I’m going to share my experience in creating a Marketplace installer for BizTalk360 and how we solved the challenge.
There are various deployment choices for BizTalk360. To fulfill all the customer needs, there are several ways to install BizTalk360 and we provide different types of installer options:
For an overview please check here.
Before going to the problem, I would like to provide a brief insight into Microsoft Azure Marketplace and how to create an Azure Marketplace installer, since the problem appeared while creating Marketplace.
The Microsoft Azure Marketplace is an online store that offers applications and services either built on or designed to integrate with Microsoft’s public cloud computing platform.
The products and services offered through the Microsoft Azure Marketplace come from either Microsoft or its technology partners.
Before they become available for purchase on the Marketplace, all services and products are certified through the Microsoft Azure Certified program to ensure compatibility with the Azure public cloud.
BizTalk360 on Azure Marketplace is suitable for customers having a full-blown setup in the cloud, such as a domain setup, Active Directory and one or more BizTalk environments running within the network. In this scenario, customers can download BizTalk360 from the Marketplace. BizTalk360 will run independently in its own virtual machine environment and will connect to all the available BizTalk environments available in the same network.
So, our task is to make BizTalk360 support the BizTalk Server 2016 installations on Microsoft Azure. For this, we must provision a complete virtual machine for the BizTalk server 2016 along with the pre-requisites to install BizTalk360. To know more about the BizTalk360 Azure marketplace installer please check here.
Since it’s a vast process, here we would like to give a general step that required to create a managed or an unmanaged image from a generalized VHD.
For in-depth Azure marketplace documentation please refer to the article here.
Once after uploading the VM image into the Marketplace, before getting into public, the images will be available in preview items (inclusively for testing) for the configured subscriptions.
During the testing, we have tried installing BizTalk360 to verify the BizTalk360 is installing automatically without any issues. Without any problem, the BizTalk360 installed its services and created a database. But it failed to create the website. In the installation log, we have found error lines (some may face different error code) to the following:
WriteIIS7ConfigChanges: Error 0x80070002: Site not found for create application.
WriteIIS7ConfigChanges: Error 0x80070002: Failed to configure IIS application.
WriteIIS7ConfigChanges: Error 0x80070002: WriteIIS7ConfigChanges Failed.
We are able to understand that the problem is not due to the creation of the Website but during the changes in it. To drill down the problem, we tried to create a web pool manually and changed its identity. During the change, we faced an exception below.
You may face this specific issue when you are running IIS 7+ and versions. When we try to change the application pool identity of an application pool to a domain account, we get the above error while committing the changes.
The error code might change according to your machine operating system and IIS version, but you will get the text as keyset does not exist while trying to update the application pool identity with a custom account or while trying to specify a connect as a user. You might also get the below error codes:
This issue happens when your IIS specific machine keys are corrupted or missing. Your machine keys might go corrupt if there was an improper shutdown of the machine or the machine was cloned from an existing image or if there was a system crash.
We have referred some blogs and articles for this issue, and they suggested to replace the machine keys. What if you don’t have a backup (Its always a good idea to have a backup of the machine keys)? Unfortunately, we have no idea about the corrupted machine keys.
Okay! Let’s see the different machine keys required in IIS for encryption.
The location of the key depends on the operating system (from Windows server 2012 onward) is basically C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
The BizTalk360 service should be the LOCAL SERVICE account of the IIS Web Management Service (also known as WMSvc). This problem occurs because the SERVICE account does not have Read access on the iisWasKey key.
Check if the metabase.xml is corrupted or if c2319c42033a5ca7f44e731bfd3fa2b5_GUID is corrupted. In IIS any sensitive data like passwords won’t be stored in plain text and will have to be encrypted before it is stored in the config file and get decrypted accordingly when needed.
Most suggest to rebuild or reinstall IIS ☹. But what if reinstalling IIS is not an option?
We can regenerate these machine keys without reinstalling IIS completely. To do that follow the below steps.
1. Rename the below files or move them to a different location from C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\. This time I don’t want to take the risk, so I just took existing machine keys as a backup.
2. Backup applicationhost.config, then delete everything inside the tags below in applicationhost.config. Delete the contents within <configProtectedData> or <providers>.
3. Open a command prompt in admin mode and run the below command
“%windir%\system32\inetsrv\iissetup.exe /install SharedLibraries”
Now you will receive a message “the error Failed = 0x80070005”. Even though it shows a failure message, the above steps should regenerate the machine keys and the configprotecteddata section in applicationhost.config.
If the above suggestions don’t help, the most preferable option would be to reinstall IIS to fix the corruption (no other go).
From my understanding, the machine keys might be corrupted due to an improper shutdown of the machine. Because we used the Sysprep command to generalize the VM.
sysprep.exe /oobe /generalize /shutdown /mode:vm
The above command helped the image to remove computer-specific information such as installed drivers and the computer security identifier (SID).
Once after running the sysprep.exe command, we faced the WriteIIS7ConfigChanges exception. So, to fix the issue, we used the below registry command to regenerate the machine keys during the machine provision/first-time launch.
in RegenerateIISKeys.reg file
Windows Registry Editor Version 5.00
“BizTalk360 Azure Marketplace Installer”=”\”C:\\AzureMarketplaceInstaller\\RegenerateIISKeys.bat\””
In RegenerateIISKeys.bat file
START cmd.exe /k “C:\Windows\System32\inetsrv\iissetup.exe”
After the bootup, at the initial launch (only one time) RegenerateIISKeys.bat file will be called by the RegenerateIISKeys.reg file to regenerate the machine keys. So, during the installation of BizTalk360, the installer will have the new machine keys and the installation will be successful.
Keeping the user perspective in mind, we have built various deployment choices for BizTalk360 customers which would ease the installation and provide a user-friendly experience. You are just one click away from provisioning a brand new BizTalk360 VM in Microsoft Azure.
I want to take this opportunity once again to thank everyone in and out of Kovai.co for this wonderful opportunity and believing in us. We are looking forward, for many more opportunities.