cnbexpert
asked on
Page cannot be displayed for 90 pc's does not display for 2 pc's
We have a server as part of our local network with SQL Express installed on it. We have 2 computers in our network that can access this server using internet explorer. The rest of the computers on our network receive "This page cannot be displayed". These pcs will not work even when logged on as administrator. The pcs that do work can be logged on as any user. I can ping to the server from any pc using name or IP address which leads me to believe not a DNS cache issue. Windows XP SP2 firewall is disabled for all pcs in our network via active directory.
I have had our Microsoft Windows expert look at this and he is stumped.
what are the dns settings on these pc's - are they all from dhcp?
ASKER
They are trying to access a database on a server by using http://server name/database name/
Using IP address does not make a difference.
Our local pcs use dhcp but our offsite pcs do not.
You said it works for 2 PCs. Are these PCs part of same LAN.
Could you paste ipconfig/all from these 2 PCs and one of the non working PCs.
Not knowing how you are authenticating with the DB, I have to ask - are you sure that permissions on the DB are set properly?
could it be that the ip's are restricted in IIS?
ASKER
These pcs are part of the same LAN.
ASKER
As far as permissions on the database are concerned, I'm not sure. The software vendor assures me that they are. Do you have someplace I can look for this? I'm not very knowledgeable about database setup.
ASKER
IIS - I am in IIS manager. Where do I check for restricted IP's?
Okay, so they are hitting an internal site hosted in IIS and this is using a db back-end, correct?
Check in IIS - go to the site > right click properties. Go to Directory Security tab and give us information on the authentication method.
In IIS, once you've found the site which would most likely be the "database name", right-click -> properties -> directory  security -> click the middle "edit" button. Also, the top edit button can be used to check username properties -> it could be that the 2 pc's work because the logged in user has permission to access the db/website.
ASKER
top rung - your first question is over my head, but the directory security tab has enable anonymous access checked
Don't worry about it. Follow Dundee's steps and post back results.
ASKER
dundeemedia - I don't think it is a user permissions issue because any user with any security level can access the site when they are logged onto the pc that is working and no user including administrator can use the pcs that are not working.
ASKER
in IIS IP address and name restrictions the all pcs will be granted access radio is on
Can you provide more information on the error you receive  when trying to go to the site (e.g. 404, 500) and any event logs, and the software vendor product?
ASKER
Is it helpful to know that on the pc that is functioning when I enter http://server name without the database name I receive a page under construction message.  When I do the same on a pc that is not working I get the page cannot be displayed.
Just a thought...
Are the version of IE different on these pc's?
Did you try adding the server to the trusted sites list? (might be activex problem?)
More info needed!
That helps a lot.
Can you ping the server from the machine that doesn't work?
Can you do an ipconfig from a machine that works, and a machine that doesn't work - mostly looking at IP / GATEWAY / DNS settings!
ASKER
top rung - the software is a Jack Henry product called WEB MIR. There are no events logged. The error is just the standard "friendly HTTP error message" when you cannot connect to any internet site.
ASKER
dundee - I can ping the server from the pc that does not work. The ipconfig matches the pc that is working exactly except for the mac address and the ip address
ASKER
dundee - version of IE exactly the same and yes to trusted sites question
ASKER
I think this is something that is not very common because I already had a Microsoft certified technician look at this problem and he was not able to locate the problem. Maybe I should increase the point value of the problem. What do you think?
this is a very weird error. i'd say that i'm certain that something is stopping the machine see the website.
you could try taking one of the machines that works off the network temporarily, and then setting the ip address of a pc that doesn't work to the ip of the machine.
ok, it sounds weird, but try a ipconfig /flushdns and ipconfig /registerdns
check the hosts file - notepad c:\windows\system32\drivers\etc\hosts - just to make sure that the server is not under there called something else as that may confuse the iis header.
ASKER
I performed a flushdns etc and looked at the hosts file a few days ago. Alas no luck
ASKER
I took your advice about the IP address and set the IP on the pc that was not working and you are correct. That pc is working now. I'm not sure where that leads us and how to create permanent fix
Well what it means is there is some ACL. The PCs that are not working, their IP addresses have restricted access. So you can now have a look at the network diagram and see through what devices they communicate with the server.
Remember I asked you to check the ip in directory security for the site, well, go up the tree and check it for the site higher than it and so on until you reach the top level - even the "websites" folder can have the directory security set!
(if it's only for internal use, then I would say set it to DENIED ACCESS, then add the local subnet(s))
ASKER
dundeemedia - OK, I'm confused because I am looking in directory security on the database.
When I edit IP address and domain name restrictions there are none. All computers are granted access is checked.
When I edit authentication methods enable anonymous access is checked.
When I edit secure communications the only thing checked is ignore client certificates.
Is this where you are telling me to check?
ASKER
I turned on denied access with not grant access included and I get a not authorized page for the pc that was working. I get a page cannot be displayed still for the pc that was not working. If I put our local subnet in the pc that is working continues to work and the pc that does not continues to not work.
Both pcs do not go through any routers to get to the server. They both go through a managed switch that has no ACL control.
For example, in my IIS Manager I have:
server
+application pools
-web sites
---default web sites
------my-website
+web service extension
The directory security can be changed by right-clicking either "my-website", "default web sites", or "web sites" and the permissions of a lower level site (like my-website) can be set at any level, so the ip security that is affecting your pc could be set at "web sites", or "default web sites"
Sorry if I'm not making myself clear!
Can you see other iis hosted sites from the pc's?
Could you try rebooting your switch if possible. It may not sound a correct step but I have seen many issues like that.
Sorry guys, I was at work and didn't have a chance to check the updates. So, the errors don't seem to indicate it, and your test of changing IP should rule this out, but please check the NTFS permissions on the directories used by the site (home directories and sub). Look for any 'denies' or explicit access. Long shot, but we should at least know where it is at.
....still trying to determine other possibilities.... Permissions might be on the DB itself and the vendor needs to verify them!
Also, what happens if, in IIS, you set Denied Access but explicitly add the problem computers to be granted access? Does that allow them to hit the site?
ASKER
I'm back:
top rung - tried giving specific access in IIS to the bad computer IP address - did not work
I actually gave all permissions for all users to C: and applied to all sub directories to see if this may be the problem and that did not work.
dundeemedia - yes that is where I was going in IIS and when I setup denied access for all but my subnet that computer still fails and my computer continues to work.
I have also unplugged the computer that is working from the ethernet jack and plugged the non working computer into the ethernet jack of the computer that is working to be sure the same path is being taken by both pcs. This had no effect on the non-working pc.
So basically, we've found that so far that being able to see any website from the server is wholly dependent on ip address - yet the pc can see other services on the server, and can view other websites on other servers. It's not hosts file related as that's been checked, and it can't be the pc because if the ip address is changed to a working one it can access the website.
So, it's some kind of filtering or firewall on the server. It has to be.
what do you get if you do the following (from command prompt)
nslookup
set type=cname
<servername>
you will get back something like primary name server= xxx - type this into nslookup too to make sure it's
Is this different between the machines that work and that don't work.
Could you try ie in safe mode (accessories -> system tools -> ie with no addins)
ASKER
When I enter those commands on pc that works and pc that does not they get exactly the same response.
Turned off addins and had no effect.
If you rule out the Browser by running with no addons or Firefox, then I think you need to check with your Vendor so that the rights on the DB itself can be verified. Too many computers are affected. What is special about the two computers? Is one your workstation and the other the station that the vendor worked from, or something along those lines? Or are they just random PCs in the network?
top_rung - it's not those computers, when the ip address on a non-working computer is changed to the ip from a working pc, then it works - so it must be ip related serverside somewhere.
ASKER
Just random PC's in the network. The two that are working were the first two pc's that were tested. We did not install anything on them at all. This led me to believe it was a server licensing issue, but that server has an eopen license.
Unless you have access to the DB yourself and you can verify the permissions and/or make modifications, I would contact the vendor at this point and tell them that the only computers that work are the two that you initially tested. Do you have an administration page for the application where you can configure anything?
From the info so far, it doesn't seem to be IIS nor Server rights, or hardware (firewalls and ACLs). It must be on the DB - I can't think of anything else.
ASKER
I have contacted the vendor and they say it is something on our network. I have contacted a Microsoft Certified Technician who actually set up our network and he has found no solution. This is why I thought coming to this site might help me. I appreciate you trying.
Actually the suggestion made by dundeemedia pertaining to the IP address got me closer than either the vendor or the technician was able to resolve.
Cheers. This thing is so weird I'm half tempted to get you to log me in so I can do more - I love these kinda things (and hate them)
Let's make sure it isn't IIS permissions again.... Try throwing in a text file with just the word test in the root directory of the default website in IIS. Can the problem computers load this page if you manually put the address in - http://srv/test.txt. Do the same thing with the vendor's site, e.g. http://srv/vendorsite/test.txt.
Lastly, what happens if you create a new/simple site? Can they load it?
hahah Dundeemedia.... I feel the same!!!
ASKER
ok I am in IIS and I'm not sure where I'm supposed to add a txt file. I attached a view of my IIS
Doc1.doc
Right-click the site and "explore" to be able to add files.
Right click on Default Website and choose Explore. In the right-hand pane, create a new text file. Then http://srv/test.txt from both a working and non working station.
ASKER
I was able to view my text on working pc but not on non-working pc
Just out of interest, what's that black rose icon on your system tray?
ASKER
I am VNC'd onto that server
Guys, I am stepping out but will check back in a few hrs. Hopefully you have it figured out ;)
ASKER
I am going to lunch also. Will be back in a while
The last suggestion I can give is if you download the resource kit ( http://support.microsoft.com/kb/840671 )
There are two useful apps, the first is the metabase explorer and the 2nd (possibly) is the permissions verifier (this may only work on users though)
The metabase explorer basically gives you an open air view of the settings, but it is very powerful and you should be very careful with it!
If you open up metabase explorer, drill down the W3SVC, there are numbers that correspond to the different sites, then ROOT. The IPSecurity details are in there (ID is around 6000 for security details) - http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6cc53bc1-6487-412c-ae93-063cd86b4f6e.mspx?mfr=true
If you get it sorted, please let me know!!!
Please also tell us if you are using Static IPs on all the stations? If not and you are using DHCP to dynamically assign IPs, what device/server is handling this?
ASKER
dundeemedia - Will take a look at what you suggest
top rung - We do not use static Ip addresses. We use DHCP dynamically. I did try placing a static IP on that pc after we had placed the IP that was working in it. The other static IP did not work. I also thought it may be a DHCP issue.
Yeah, I was wondering if DHCP was maybe doing something squirrely. While the tests you have run don't seem to indicate that, if you haven't already, go to DHCP and see if you see anything that stands out for the computers being assigned addresses.
If IIS logging is not on for the website, turn it on (Default Website > Right Click Properties > Bottom of the Web Site tab). If it is on, in the same location, get the path/filename to the logs and go there. Look through the logs and see if there are any errors or GET commands from an IP source of a non-working station. That way we can see if you are even hitting the site at any level.
ASKER
IIS logging is turned on and the good news is that I see the IP address of the good machine and the bad machine in the log file. The difference is the good machine ends with a 00 at the end of the string of data and the bad machine ends with a 64. Is there some way to break down what this log is saying?
ASKER
I've been studying the log parser and way over my head. I am going on vacation now and will not be back at this until Monday. Thank-you to all who have tried to help.
sc-win32-status of 64 indicates a network error / incorrect transmission - net helpmsg 64 at the command prompt returns "the specified network name is no longer available" meaning that the transmission wasn't completed.
check the headers that are being returned. you can use netcat to do this, available from http://joncraton.org/files/nc111nt.zip
open command prompt
type (press return after each line, case has to be correct for GET commands etc.):
nc <server> 80 >> headers.txt
GET / HTTP/1.1
Host: a
<return a couple of times, then press ctrl+c>
headers.txt should now contain what is received from the webserver, this should give us some info!
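To break down the log lines discussed above, here is an added example (not code from any poster in this thread) that reads an IIS W3C extended log and lists the clients whose requests were answered by IIS but ended with a non-zero sc-win32-status. The sample log, its addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# A few Win32 codes seen in sc-win32-status (0 means the send completed).
WIN32_MEANING = {
    0: "success",
    2: "file not found",
    5: "access denied",
    64: "the specified network name is no longer available",
    121: "semaphore timeout period expired",
    1236: "connection aborted by the local system",
}

# Constructed sample; addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-01-01 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-01-01 14:00:01 192.0.2.10 GET /test.txt - 80 - 192.0.2.21 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-01-01 14:00:05 192.0.2.10 GET /missing.htm - 80 - 192.0.2.21 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
2008-01-01 14:00:09 192.0.2.10 GET /test.txt - 80 - 192.0.2.57 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 64
2008-01-01 14:00:30 192.0.2.10 GET /test.txt - 80 - 192.0.2.57 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 64
this line is truncated and must be skipped
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The field list can change mid-file when logging options change.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()  # IIS writes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # partial or corrupt row
        yield dict(zip(fields, values))


def summarise_by_client(lines):
    """Count requests and sc-win32-status values per client IP (c-ip)."""
    summary = defaultdict(
        lambda: {"requests": 0, "win32": defaultdict(int), "served_not_delivered": 0}
    )
    for row in parse_w3c(lines):
        client = row.get("c-ip")
        try:
            http = int(row.get("sc-status", ""))
            win32 = int(row.get("sc-win32-status", ""))
        except ValueError:
            continue
        if client is None:
            continue
        entry = summary[client]
        entry["requests"] += 1
        entry["win32"][win32] += 1
        # IIS produced a normal HTTP status but the send itself failed.
        if 200 <= http < 400 and win32 != 0:
            entry["served_not_delivered"] += 1
    return summary


def suspect_clients(lines):
    """Clients for which every logged request was served but not delivered."""
    return sorted(
        client
        for client, entry in summarise_by_client(lines).items()
        if entry["requests"] and entry["served_not_delivered"] == entry["requests"]
    )


if __name__ == "__main__":
    report = summarise_by_client(SAMPLE_LOG.splitlines())
    for client in sorted(report):
        for code, count in sorted(report[client]["win32"].items()):
            meaning = WIN32_MEANING.get(code, "unlisted code")
            print(f"{client}: {count} request(s) with win32 status {code} ({meaning})")
    print("served but not delivered:", suspect_clients(SAMPLE_LOG.splitlines()))
```

To use it on a real log, pass the lines of the file found under the site's logging properties instead of SAMPLE_LOG.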
For future reference, you can also use a program such as Fiddler and run it on the workstation while you open IE and access the url - run them side-by-side.
http://www.fiddlertool.com/fiddler/
I am eager to see what you find out.
ASKER
I am sorry that I have been out of touch for over a week. My father passed away and things have been hectic. As soon as I get caught up on other problems at work I will be trouble-shooting this problem again.
cnbexpert - I am sorry to hear about your loss.
Take your time - whenever you are ready.
ASKER
dundeemedia - I downloaded nc and attempted to run it but got errors saying GET is not a recognized command. I'm sure I am doing something wrong.
top rung - I loaded fiddler and it is running. What information would be helpful for us to look at?
To start, when you browse to the site, what is displayed in the Results column (200, 500, 404)?
You can double-click on one of those entries, and on the right side it should take you to the Session Inspector tab. The top portion are the headers (request), and the bottom is the response.
ASKER
Only one time did I get a result code of 504 - HTTP/1.1 504 Fiddler - Send Failure
Every other time it is a result code of 0 - with no response data.
This made me think it was a database permissions issue rather than an IIS permissions issue. I kind of messed around with database permissions with no luck. I'm not really sure what I am doing though.
Hi cnbexpert,
It could be to do with where the spaces are, it's
GET<SPACE>/<SPACE>HTTP/1.1 <RETURN>
Host:<SPACE>a<RETURN>
A response of 0 is very weird...
Oh. 504 is a gateway timeout... I can't remember, but is there a proxy set in connections -> lan settings?
ASKER
Spacing is correct but no GET command
Ahh, the GET command shouldn't be run at the cmd prompt - when netcat is run, it should accept the GET command and forward it to the server - I think you're running GET at the cmd prompt...
ASKER
Yes, that is what I was doing. So explain exactly where I run netcat. I'm sorry but I don't understand.
if you've downloaded netcat, put it in your path (i have mine in c:\windows\system32)
open a command prompt
type:
nc <servername> 80 >> headers.txt
when you press return, the next line should be blank waiting for your input, what you type now gets forwarded via netcat through to the servers web port. next we basically ask for the default page
GET / HTTP/1.1
Host: a
press <return> a couple of times, and then ctrl & c to finish
post the contents of headers.txt
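The manual netcat check above, written as a script that can be run identically on a working and a non-working PC; this is an added example, not code from the thread, and the function name `probe_http` and its stage labels are assumptions made here. It reports whether the TCP connection to the web port was established at all, and if so whether any response headers came back.

```python
import socket


def probe_http(host, port=80, path="/", timeout=5.0):
    """Send one GET request and report how far the exchange got.

    stage is one of:
      connect_failed  the TCP connection could not be opened
      no_reply        connected, but no bytes came back (closed, reset or timeout)
      reply           at least part of a response was received
    """
    result = {"stage": None, "detail": None, "status_line": None, "headers": []}

    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, unreachable, or timed out before the handshake finished.
        result["stage"] = "connect_failed"
        result["detail"] = str(exc)
        return result

    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    data = b""
    detail = "closed by peer"
    with sock:
        try:
            sock.sendall(request.encode("ascii"))
            # Read until the blank line that ends the header block.
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            detail = "timed out waiting for data"
        except OSError as exc:
            detail = f"connection error: {exc}"

    if not data:
        result["stage"] = "no_reply"
        result["detail"] = detail
        return result

    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    result["stage"] = "reply"
    result["status_line"] = head[0]
    result["headers"] = head[1:]
    return result


if __name__ == "__main__":
    import sys

    # Usage: python probe.py <servername> [port]
    if len(sys.argv) > 1:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        outcome = probe_http(sys.argv[1], target_port)
        print(outcome["stage"], "-", outcome["detail"] or outcome["status_line"])
        for header in outcome["headers"]:
            print("   ", header)
```

Comparing the stage reported on each PC separates a problem at the connection level from one inside the web site or application.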
ASKER
OK, I wonder if this is important.
 When I ran your commands on the pc that is working it ran as you stated.  After I keyed in the nc command the screen just went to a blank line waiting for my next command.
 When I run your command on the pc that is not working and I enter the nc command it goes back to a c: prompt.
Are you sure there's no firewall, as that is what would happen if a port was blocked or non-existent.
Just as a matter of interest, have you tried typing in http://server:80/site instead of just http://server/site
ASKER
That also does not work. Would it make sense that it is a firewall issue when I modify that pc to have the IP address of the pc that is working it works just fine?
I say firewall, but I mean that something appears to be refusing access based on ip addresses.
Now, I just tested my machine, and if I change the directory security to exclude ip addresses, the error message I get tells me I've been excluded, so it's not that.
So, because the netcat returns fairly quickly it tells me that the connection to the server is being dropped (or doesn't exist)
could there be a trial of norton on that machine (if it's not a server) - or did it come with ISA server?
ASKER
We have norton corporate on all of our pc's. I have turned off norton, but I suppose I could uninstall it to see if that makes a difference. We also have windows firewall turned off on all pc's.
I don't _think_ it's an individual pc thing because changing the ip address made it work, however I had a pc in the other day that could not reach the internet because the trial of norton had expired, however symantec corporate is a different beast altogether (in that I actually like it!)
Have a look through the services list of the server, and possibly even run hijackthis on it, just to see what could be running and causing this!
How about setting the website to listen on a different port, and what happens if you use https:// instead of just http:// to access that site.
ASKER
I have gone back to the vendor and asked him to reinstall his database and we are going to work on that tomorrow. If we find a solution to the problem I will let you all know.
Sweet!
Good Step!
Hey there, I was just curious if you found anything out? - I hope all is well!!
ASKER
The software is stumped. He is coming next Thursday to check things out in person. He uninstalled everything and reinstalled and still no luck. I guess I will keep this open until he comes to see if we find a solution.
ASKER
Well, we have things working. Let's see if I can explain what they did. The software vendor determined that for some reason the information was coming into the server but would not return the request. To get around this issue they installed a separate router with an IP address outside of our network IP scheme and things are now working. They were not able to determine what in the server was preventing the request from returning to the pc, but as long as things are working I guess I don't care. Thank-you to all that attempted to help on this item.
Ok, complete kludge fix - but at least it's fixed :)
I think I would have re-installed that pc to be honest, then reinstalled the software (it was only an xp machine wasn't it? - or am I talking rubbish?!)
ASKER
It's a W2003 server. They found that the server was answering the request and sending the page but the page was never getting to the pc's. They think that what they did bypassed the route it was taking somehow.
baffling, but okay. Interesting. Glad it is working, but it would be eating at me (it is) to know what the real culprit is. :-\ If you ever mess with it again, please post what you find!
ASKER
will do...yes they thought it was also baffling. They felt something was destroying the packets, but it made no sense that it worked on two IP addresses.
ASKER CERTIFIED SOLUTION
What specifically are they trying to access in IE (website, share, etc)? If you use the IP in IE, does the same thing happen?