Resolving IIS WMSVC Underlying Connection Was Closed

IIS Manager Remote Administration is a handy tool for a web server administrator who has multiple servers to manage. This feature saves you the trouble of having to Remote Desktop into each server every time you need to touch IIS. With IIS Manager Remote Administration you can, for example, log in to one server and then configure IIS Manager with connections to the other servers that you manage. Or, depending on the security of your enterprise, you could even configure IIS Manager on your workstation and connect to the other servers from there. This becomes especially helpful if your enterprise has extra layers of security, such as two-factor authentication, to lock down Remote Desktop access.

 

The underlying connection was closed: An unexpected error occurred on a send

Usually it works great. However, sometimes you may encounter connection problems while attempting to connect to your other servers. I recently experienced one such error as shown below. It was occurring at nearly the final step of the remote management wizard after authenticating with my admin credentials. It indicated that "The underlying connection was closed: An unexpected error occurred on a send." I have used IIS Manager Remote Administration for many years and this was the first time I had ever seen this particular error. I went through the usual troubleshooting steps of ensuring port 8172 wasn't blocked at the local firewall on either end. So then I decided to try reproducing the error on some other servers that I support and sure enough each server had this same issue.


I work for a large corporation that follows the practice of Separation of Duties, which simply means that several different departments are involved with installing, configuring, and deploying our Windows servers. In my role as an IIS web server administrator I know that many hands have touched the servers that I manage before the server is ever released to my team.

Checking the Management Service Certificate

Another place I checked was the Management Service itself. From here I could see that the WMSVC certificate was correctly assigned.  I was beginning to feel a bit flummoxed at this point. Everything I had checked so far appeared to be configured correctly.


Checking Port 8172 Certificate Binding

At a loss for a clear explanation of why I was getting the error above, I decided to check online to see if anyone else had ever experienced it. Searching for the error online I saw a suggestion to check the certificate binding on port 8172 using Netsh. Netsh is a command-line utility that allows one to modify or display numerous settings of a server's network configuration. To check a server's certificate bindings, you just execute the following command.

netsh http show sslcert


Scrolling through the output I arrived at the settings for port 8172 and I could see the Certificate Hash of the certificate being used for this port. Next I went back to IIS Manager to double check the certificates that were installed on the server.  In addition to the certificates of several applications hosted on the server I saw the WMSVC certificate.  This is the default certificate used to secure the remote management communication between servers.  At this point a light bulb went off in my head because I could clearly see the Certificate Hash of the WMSVC certificate was different than the Certificate Hash of the certificate bound to port 8172. In fact the certificate bound to port 8172 wasn’t even installed on the server.


Changing Port 8172 Certificate Binding

My conundrum was over. The next steps were pretty clear. I had to delete the existing certificate binding on port 8172 and then configure port 8172 to use the WMSVC certificate. Here is the command to delete the existing binding for a port and IP address:

netsh http delete sslcert ipport=0.0.0.0:8172


Here is the command to bind a new certificate to port 8172. Just replace XX below with the correct thumbprint of your certificate.

netsh http add sslcert ipport=0.0.0.0:8172 certhash=XX appid={00000000-0000-0000-0000-000000000000} clientcertnegotiation=enable
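The comparison described above, between the Certificate Hash bound to port 8172 and the certificates installed on the server, can be scripted. This is an added example, not the author's code. The function names and sample values are constructed, and it assumes English-locale netsh output and a management certificate whose subject begins with CN=WMSvc.

```powershell
# Added example: compare the hash bound to a port with the installed certificates.
function Get-BoundCertHash {
    param([string[]]$NetshOutput)
    # English-locale netsh prints "Certificate Hash : <40 hex characters>"
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]{40})\s*$') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null
}

function Test-WmsvcBinding {
    param(
        [string[]]$NetshOutput,
        [object[]]$Certificates   # objects exposing Thumbprint and Subject
    )
    $bound = Get-BoundCertHash -NetshOutput $NetshOutput
    $match = $Certificates | Where-Object { $_.Thumbprint -eq $bound }
    # Assumption: the management certificate subject starts with CN=WMSvc
    $wmsvc = $Certificates | Where-Object { $_.Subject -like 'CN=WMSvc*' } |
        Select-Object -First 1
    [pscustomobject]@{
        BoundHash        = $bound
        BoundCertInStore = [bool]$match   # False = binding points at a missing cert
        WmsvcThumbprint  = $wmsvc.Thumbprint
        BindingIsWmsvc   = ($null -ne $bound -and $null -ne $wmsvc -and
                            $bound -eq $wmsvc.Thumbprint)
    }
}

# Constructed sample data (not taken from a real server)
$sampleNetsh = @(
    '    IP:port                      : 0.0.0.0:8172',
    '    Certificate Hash             : 1111111111111111111111111111111111111111',
    '    Application ID               : {00000000-0000-0000-0000-000000000000}'
)
$sampleCerts = @(
    [pscustomobject]@{ Thumbprint = ('A' * 40); Subject = 'CN=WMSvc-WEB01' },
    [pscustomobject]@{ Thumbprint = ('B' * 40); Subject = 'CN=app.example.test' }
)
Test-WmsvcBinding -NetshOutput $sampleNetsh -Certificates $sampleCerts

# On a live server, from an elevated prompt:
#   $out   = netsh http show sslcert ipport=0.0.0.0:8172
#   $certs = Get-ChildItem Cert:\LocalMachine\My
#   Test-WmsvcBinding -NetshOutput $out -Certificates $certs
```

With the sample data both BoundCertInStore and BindingIsWmsvc come back False, which is the condition described in this post: the binding references a certificate that is not installed on the server.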

 


Back to the Remote Admin Wizard

After deleting the old certificate and configuring the correct one, I returned to the Remote Administration wizard and tried it again.


With the correct certificate configured on port 8172 I was finally able to complete the Remote Administration wizard.


In Summary

IIS Manager Remote Administration is a handy tool for administrators to save time managing IIS without having to always use Remote Desktop to log in to another server. If you have issues configuring remote management between servers, be sure to double check the certificates that are installed as well as the bindings for port 8172 using Netsh commands. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS
