HTTP Permissions Issues

Joel Skrepnek

Apr 5, 2015, 1:49:50 PM
to event...@googlegroups.com
Hi,

Sorry to trouble the group: I'm disguising Azure/Windows server ignorance as an Event Store issue.  Hope someone can help anyway.

Trying to serve Event Store 3.0.3 on an Azure VM deployment (Windows Server 2012 Data Center R2).

I have:

1) Added a TCP endpoint for port 2113 through the Azure Portal
2) Added Inbound and Outbound firewall rules for TCP port 2113
3) Added HTTP permissions (netsh http ...)
4) Run the Event Store as administrator

The result is:

- 503 Service Unavailable when I try to access the UI locally
- No response when I hit the VM at port 2113 publicly

I've followed the 503 guidance, which seems to be explained by *duplicate* entries in the reservations.

- There's only a single entry in the listing for port 2113.  
- When I remove the single entry anyway I can then access the UI locally (but still not externally)

Thanks for any help.  Happy Easter,

Joel

Greg Young

Apr 5, 2015, 1:55:23 PM
to event...@googlegroups.com
What exactly have you run?

What is the output of netsh http show urlacl



--
Studying for the Turing test

Joel Skrepnek

Apr 5, 2015, 2:04:06 PM
to event...@googlegroups.com
I'm following these instructions generally.

Here's the snippet from that command:

 Reserved URL            : http://+:2113/
     User: MSGBOARD-EVENTS\joel
         Listen: Yes
         Delegate: No
         SDDL: D:(A;;GX;;;LA)

So that's from running:

netsh http add urlacl url=http://+:2113/ user=\joel

Should I specify the external IP explicitly?

Joel 

Greg Young

Apr 5, 2015, 2:07:54 PM
to event...@googlegroups.com
Try removing and starting as admin (as specified there)

Joel Skrepnek

Apr 5, 2015, 2:09:08 PM
to event...@googlegroups.com
Here's the entire output:

PS C:\Users\joel> netsh http show urlacl

URL Reservations:
-----------------

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : https://+:5986/wsman/
        User: NT SERVICE\WinRM
            Listen: Yes
            Delegate: No
        User: NT SERVICE\Wecsvc
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-
877974739-1245631912-527174227-2996563517)

    Reserved URL            : http://+:5985/wsman/
        User: NT SERVICE\WinRM
            Listen: Yes
            Delegate: No
        User: NT SERVICE\Wecsvc
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-
877974739-1245631912-527174227-2996563517)

    Reserved URL            : http://+:47001/wsman/
        User: NT SERVICE\WinRM
            Listen: Yes
            Delegate: No
        User: NT SERVICE\Wecsvc
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-
877974739-1245631912-527174227-2996563517)

    Reserved URL            : http://*:2869/
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)

    Reserved URL            : http://*:5357/
        User: BUILTIN\Users
            Listen: Yes
            Delegate: No
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)

    Reserved URL            : https://*:5358/
        User: BUILTIN\Users
            Listen: Yes
            Delegate: No
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS)

    Reserved URL            : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
        User: NT SERVICE\SstpSvc
            Listen: Yes
            Delegate: Yes
        User: BUILTIN\Administrators
            Listen: No
            Delegate: No
        User: NT AUTHORITY\SYSTEM
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GR;;;BA)(A;;GA;;;SY)

    Reserved URL            : http://+:2113/
        User: MSGBOARD-EVENTS\joel
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LA)

On Sunday, 5 April 2015 10:55:23 UTC-7, Greg Young wrote:
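
An added example, not part of the thread or of Event Store: a Python parser for saved `netsh http show urlacl` output that rejoins console-wrapped SDDL lines like those in the listing above, lists every reservation on a given port (the check for duplicate entries mentioned earlier), and reports reservations that a broad built-in group may listen on. The sample text, host and account names, and SID are constructed, and reading GX/GA as the listen right is an assumption taken from how the listing pairs those codes with "Listen: Yes".

```python
import re
# Constructed sample in the layout `netsh http show urlacl` prints; the
# last SDDL is wrapped by the console, as in the listing above.
SAMPLE = """\
    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \\Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : http://+:2113/
        User: EXAMPLE-HOST\\svc-eventstore
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-
1001)
"""
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users"}

def parse_urlacl(text):
    """One dict per reservation: url, users, sddl (wrapped lines rejoined)."""
    entries, wrapped = [], False
    for line in map(str.strip, text.splitlines()):
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Reserved URL":
            entries.append({"url": val, "users": [], "sddl": ""})
        elif entries and key == "User":
            entries[-1]["users"].append(val)
        elif entries and key == "SDDL":
            entries[-1]["sddl"] = val
        elif entries and wrapped and line:  # console-wrapped SDDL tail
            entries[-1]["sddl"] += line
        # Only an SDDL line, or its continuation, can be followed by a tail.
        wrapped = bool(line) and (key == "SDDL" or (wrapped and key != "User"))
    return entries

def listeners(sddl):
    """Trustees of allow ACEs carrying GX or GA (assumed: 'Listen: Yes')."""
    aces = [a.split(";") for a in re.findall(r"\(([^)]*)\)", sddl)]
    return [f[5] for f in aces
            if len(f) == 6 and f[0] == "A" and ("GX" in f[2] or "GA" in f[2])]

def reservations_for_port(entries, port):
    return [e for e in entries if re.match(rf"https?://[^/:]+:{port}/", e["url"])]

def broad_grants(entries):
    """(url, group) pairs where a well-known broad group may listen."""
    return [(e["url"], BROAD[t]) for e in entries
            for t in listeners(e["sddl"]) if t in BROAD]
```
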

Joel Skrepnek

Apr 5, 2015, 2:22:45 PM
to event...@googlegroups.com

Right.  I had tried this.  What happens is that I can then access the UI locally, but it remains unavailable externally.  After removing the entry there remains no url reservation for port 2113 in the list.  All of the issues people had online seemed to be related to duplicate url reservations ... but that doesn't seem to be the culprit here.  Shrug.

Joel

Greg Young

Apr 5, 2015, 2:25:35 PM
to event...@googlegroups.com
What are you binding as and what are your public routes that need to
be set up? Have you set up any prefixes?

And when you say locally, to which URI? Obviously setting things up on
localhost will not be available remotely.

Greg Young

Apr 5, 2015, 2:26:37 PM
to event...@googlegroups.com
btw from the sounds of it above you are at a point that would be
working *without azure* and now need the azure specific stuff

Joel Skrepnek

Apr 5, 2015, 2:45:02 PM
to event...@googlegroups.com

I've not got much further than executing this command from the docs:

netsh http add urlacl url=http://+:2113/ user=\joel

Sorry, I'm not sure what you mean by "what are you binding as".  Should I bind to a specific external IP or URL?  (I tried this anyway to no avail).

I'm not sure what public routes I would need to access the UI externally - it's served from the root at that address.

Prefixes?

By "locally", I mean that I can access the UI on the VM at "http://localhost:2113".

Joel Skrepnek

Apr 5, 2015, 2:47:23 PM
to event...@googlegroups.com

I have no doubt this is true.  Thanks for working through it.  I'll look more closely at the recently posted Azure provisioning scripts.

Thanks,

Joel

Greg Young

Apr 5, 2015, 2:49:30 PM
to event...@googlegroups.com
OK, you are in Azure.
You have added the route (let's assume it works locally).

The next thing is when you start Event Store you need to tell it to
bind to an IP (there could be any on your machine). Normally you would
want to bind to a public IP, not say localhost; this is using say
--ext-ip=23.53.143.22

This however is only enough if running on say a local machine. If you
are using elastic IPs/NAT/etc. you also need to inform that bound
address that it should also respond not only as it itself but also as
some other IP (--prefix=http://*:2113 as example).

You are right though in your first email that none of this is ES specific

Cheers,

Greg

Joel Skrepnek

Apr 5, 2015, 3:20:07 PM
to event...@googlegroups.com

I found the magic sauce.  

Thanks, and it was this last piece that brought it together.

Joel