Windows Server 2012 R2 – Resolving Port Conflict with IIS Websites and Work Folders


Hi All, my name is Bill and I work in the Windows Server - File Services group.  One of my main responsibilities is to enhance the Server Manager user interface.  We have just delivered Work Folders as part of the Windows Server 2012 R2 release.  I have been following the forum and there have been several questions about Work Folders and port conflicts with other IIS Websites.  For this reason I posted this blog for guidance.

Covered in this Article:

  • Diagnosing Port Conflict between Work Folders and Windows Server Essentials or other web applications.
  • Changing Port Configuration in Work Folders
  • In-Place Upgrade from Windows Server Essentials to Windows Server Standard
  • Guidance for Using Hyper-V for Concurrent Enabling of Work Folders and Windows Server Essentials using their default configuration

Sections:

  1. PROBLEM STATEMENT
  2. OVERVIEW
  3. DIAGNOSING WORK FOLDERS AND WINDOWS SERVER ESSENTIALS PORT CONFLICTS
  4. CHANGING WORK FOLDERS CONFIGURATION
  5. NO CONFIGURATION CHANGES FOR BOTH FEATURES
  6. SUMMARY 

PROBLEM STATEMENT

Using any web application with Work Folders may create port conflicts between the web application and Work Folders.  By default, Work Folders uses ports HTTPS=443 and HTTP=80.  Most web applications use the same well-known ports.  In the specific case of Windows Server Essentials and Work Folders, both features use the same default ports.  The first feature to initialize the ports will exclusively own them.  This creates a port conflict for one of the features, depending on startup order and how the features were configured.

OVERVIEW

Work Folders is available in Windows Server 2012 R2 Essentials as part of the File and Storage Services role. Work Folders uses the IIS Hostable Web Core feature and all management is performed via the Work Folders canvas in Server Manager as well as via Windows PowerShell cmdlets.  Windows Server Essentials is managed via its dashboard and the IIS Management UX.  Both products assume exclusive access of the SSL port (443) and HTTP port (80).  This is the default configuration for both products.

The administrator has the ability to change both feature configurations when both products are enabled. Resolving the port conflict allows both products to be installed on Windows Server 2012 R2 Essentials.  If the administrator does not want to change the default ports, they have the option of enabling either the Windows Server Essentials feature or Work Folders.  This is at their discretion based on business need.

If the administrator would like to change the ports on either feature, they need to open the firewall on the server for the specific ports they defined for the feature.  This can be accomplished by navigating to Control Panel and modifying the Windows Firewall configuration.  Further work is necessary in collaboration with a network administrator to configure the routers as well.  This document will not cover network configuration.

See: http://msdn.microsoft.com/en-us/library/bb909657(v=vs.90).aspx 

DIAGNOSING WORK FOLDERS AND WINDOWS SERVER ESSENTIALS PORT CONFLICTS

When both features are enabled on the same server with the default port configuration, the behavior may be subtle and only one feature will work.  In the case of Windows Server 2012 R2 Essentials, Windows Server Essentials is enabled out of the box.  This means the ports will already have been configured and IIS will own them.  When you enable Work Folders, the installation will succeed, but Server Manager may not be able to manage the Work Folders feature on the Windows Server Essentials server.  If the administrator navigates to the SERVICES primary tile they will see the following:

 


 
 
The Sync Share Service will not start if both ports defined in its configuration are being used by another process.  This will be a clear indication the default ports are not available to Work Folders.  If on the off chance one of the ports is available the Sync Share Service will become operational.   There will be no indication there is an error.

Please note if port 443 is used by another process, although Work Folders Service will start and be operational, any SSL traffic will not be directed to Work Folders.  SSL=443 is the default secure port used by Work Folders.  The administrator would have to look at the port definition in the file c:\windows\system32\SyncShareSvc.config and compare the configuration of websites defined in the IIS UX.  Once they check the port information in IIS they can assess the conflict. 

Using Event Viewer to view SyncShareSvc errors

In the case both ports are not available the following error can be found in the system event log.

Using Event Viewer (eventvwr.msc), navigate to Windows Logs, System channel.  The error will come from the Service Control Manager and will be in the form: “The Sync Share Service terminated with the following service-specific error:  Cannot create a file when a file already exists”.  This is the generic message when both ports are not available.

  

Using IIS PowerShell cmdlets “Get-WebBinding” to list port bindings

Get-WebBinding is a handy command for showing IIS website port bindings on your server.  In this particular case we want to see all the IIS website bindings active on your server.

>Get-WebBinding

The command above will give you the following output:

Example 1 - both ports in use by IIS website:

The Work Folders SyncShareSvc will not start because both default ports are being used by IIS.

 

Example 2 – one port used by IIS website – SSL PORT:

As mentioned in the previous section, if Work Folders has access to one port the service SyncShareSvc will come up.  Work Folders uses port 443 as the default.  In example 2 the Work Folders service would start and look operational.  The output of Get-WebBinding would show the administrator that Work Folders would not function as defined in the default configuration.

If neither port is in use by another web application, the list above would be empty. 
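The comparison described in this section, done in one pass, as an added example that is not part of the original article. It assumes SyncShareSvc.config declares its ports in `<binding protocol="…" bindingInformation="ip:port:host" />` elements (the form quoted in a comment below) and that the service name is SyncShareSvc; the helper name Get-BindingPort is hypothetical.

```powershell
# Added example, not the article's code. Run elevated; needs the IIS WebAdministration module.
Import-Module WebAdministration
$configPath = "$env:windir\System32\SyncShareSvc.config"   # path from the article

# bindingInformation is "ip:port:hostname" (for example "*:443:"), so the port is
# always the second-to-last field, even when the address is IPv6 such as "[::]".
function Get-BindingPort([string]$BindingInformation) {
    [int]($BindingInformation -split ':')[-2]
}

# Ports Work Folders is configured for: every <binding> element in its config file.
$wfBindings = Select-Xml -Path $configPath -XPath '//binding' | ForEach-Object {
    [pscustomobject]@{
        Protocol = $_.Node.protocol
        Port     = Get-BindingPort $_.Node.bindingInformation
    }
}

# Ports already owned by IIS websites (http/https bindings only).
$iisBindings = Get-WebBinding | Where-Object { $_.protocol -match '^https?$' } |
    ForEach-Object {
        [pscustomobject]@{
            Binding = "$($_.protocol) $($_.bindingInformation)"
            Port    = Get-BindingPort $_.bindingInformation
        }
    }

# One row per Work Folders port, with the IIS bindings (if any) that claim it.
$report = @(foreach ($wf in $wfBindings) {
    $owners = @($iisBindings | Where-Object { $_.Port -eq $wf.Port })
    [pscustomobject]@{
        Protocol    = $wf.Protocol
        Port        = $wf.Port
        InUseByIIS  = $owners.Count -gt 0
        IISBindings = ($owners | ForEach-Object { $_.Binding }) -join ', '
    }
})
$report | Format-Table -AutoSize
"SyncShareSvc status: $((Get-Service -Name SyncShareSvc).Status)"

$taken = @($report | Where-Object { $_.InUseByIIS })
if ($taken.Count -eq 0) {
    'No conflict: none of the Work Folders ports is bound by an IIS site.'
} elseif ($taken.Count -eq $report.Count) {
    'All Work Folders ports are bound by IIS: expect SyncShareSvc to fail to start.'
} else {
    'Partial conflict: SyncShareSvc can start and no error will be reported.'
    if ($taken | Where-Object { $_.Protocol -eq 'https' }) { 'The HTTPS port is owned by IIS: SSL traffic will not reach Work Folders.' }
}
```

The partial-conflict branch is the case worth checking for routinely, because neither the service state nor the event log shows it.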

CHANGING WORK FOLDERS CONFIGURATION

On the Server Manager Service Primary Tile locate the SERVICES tile.  Locate the SyncShareSvc.  Verify it is stopped.  If it is not stopped, select the SyncShareSvc and stop it.

Navigate to the directory on the server where work folders feature is enabled.

>cd c:\windows\system32

Edit the file with your favorite editor (file name = SyncShareSvc.config)

Locate the section below and make the changes to your port designation

 

In this example you want to change the SSL port from 443 to 12345.  Change the port number and close the file.   The sync service does not run under the SYSTEM account; it runs under LOCAL SERVICE, which does not have the privileges to access ports other than the defaults.  Because of this the administrator has to run another command.   In an elevated command window type the following command:

Netsh http add urlacl url=https://*:12345/ user="NT Authority\LOCAL SERVICE"

 

Navigate to SERVICES tile in Server Manager and start the service SyncShareSvc.
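The steps above as a single elevated PowerShell session, together with the firewall opening mentioned in the OVERVIEW; this is an added example, not the article's own script. It assumes the elevated account can write to SyncShareSvc.config, that the file holds an https `<binding>` element with bindingInformation in "ip:port:host" form, and the backup file name and firewall rule name are made up for illustration.

```powershell
# Added example, not the article's code. Run in an elevated PowerShell session.
$newPort    = 12345                                        # example port from the article
$configPath = "$env:windir\System32\SyncShareSvc.config"   # path from the article

# 1. Stop the service before touching its configuration, and keep a backup.
Stop-Service -Name SyncShareSvc
Copy-Item -Path $configPath -Destination "$configPath.bak"  # backup name is an assumption

# 2. Rewrite only the port field of the https binding ("ip:port:hostname").
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true          # leave the rest of the file byte-for-byte alike
$cfg.Load($configPath)
$https = $cfg.SelectSingleNode("//binding[@protocol='https']")
if (-not $https) { throw "No https <binding> element found in $configPath" }
$fields = $https.GetAttribute('bindingInformation') -split ':'
$fields[-2] = "$newPort"
$https.SetAttribute('bindingInformation', ($fields -join ':'))
$cfg.Save($configPath)

# 3. Reserve the URL for LOCAL SERVICE, the account the sync service runs as.
netsh http add urlacl url="https://*:$newPort/" user="NT AUTHORITY\LOCAL SERVICE"
if ($LASTEXITCODE -ne 0) { Write-Warning "netsh urlacl returned $LASTEXITCODE (reservation may already exist)" }

# 4. Open only the new port, inbound TCP, in Windows Firewall (rule name is an assumption).
New-NetFirewallRule -DisplayName "Work Folders HTTPS $newPort" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -Action Allow | Out-Null

# 5. Start the service and confirm that something is listening on the new port.
Start-Service -Name SyncShareSvc
$listener = Get-NetTCPConnection -State Listen -LocalPort $newPort -ErrorAction SilentlyContinue
if ($listener) { "Listening on port $newPort" } else { "Nothing is listening on port $newPort" }
```

The reservation grants listen rights on that one URL to LOCAL SERVICE only, so the service keeps running without SYSTEM privileges.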

Since the Work Folders configuration on the client defaults to either HTTPS=443 or HTTP=80, there is additional configuration to override the default ports.  The administrator will need to change the URL for connecting to the Windows Server hosting the client's sync share.  Normally all that would be necessary is the URL of the server.  Since the port has changed, the URL takes an additional parameter: a colon followed by the port number (“:#”).  This number matches the port in the server's configuration file, SyncShareSvc.config.   See the example of the PC client configuration below:

 

  

NOTE: When the administrator changes the default ports for Work Folders they cannot use the auto discovery process.  They can communicate the new URL using Group Policy or a standard email communication with the URL and new port definition.

 

IIS References for Configuration Changes

For Windows Server Essentials port configuration see the Windows Server Essentials documentation using the IIS management UX.

http://www.iis.net/configreference/system.applicationhost/sites/site/bindings/binding

  

NO CONFIGURATION CHANGES FOR BOTH FEATURES

The administrator has another option for running both Windows Server Essentials and Work Folders on the same server.  There are posts on-line which already recommend an in-place license upgrade from Windows Server Essentials to Windows Server Standard.  This has a twofold improvement.  It allows for greater usage of Windows Server Essentials and has a license for two Hyper-V machines.  The administrator would then disable Windows Server Essentials in the main host and use the two Hyper-V machines, one for each feature: Windows Server Essentials in one VM and Work Folders in the other. They can both use their default configurations and work concurrently on the single host.

You can upgrade in place from Windows Server 2012 R2 Essentials to Windows Server Standard.  Windows Server Standard is the only in-place upgrade; you cannot use the command below to upgrade to Windows Server Storage, Windows Server Datacenter etc. The command for upgrading from Windows Server 2012 R2 Essentials to Windows Server 2012 R2 Standard is:

 dism /online /set-edition:ServerStandard /accepteula /productkey:<Product Key>


SUMMARY

There are several ways to configure Work Folders in an environment which already has established web applications. You have the ability to change the ports of either application.  In the case of an IIS application you can use the existing IIS UX.  In the case of Work Folders you can follow this guide. The administrator also has the ability to run Work Folders in a separate VM, which has the benefit of leaving their current configuration as is and installing Work Folders with default settings.

 

  • When will there (if at all) be a client for WorkFolders for

    Windows 7

    Mac

  • social.technet.microsoft.com/.../work-folders-client-support

    Nevermind, found the answer.

  • I lost a whole day trying to get WF running on a DPM server. SQL reporting was using port 443, and all my attempts to use 4443 or move SQL reporting to 4443 failed. Only after I removed https from SQL rep. did I get WF online.

    And note that the WF setup/install wizard does not care about the certificate for the service. In general - WF is a good idea, but the implementation and documentation are a mess.

  • I am unable to change port 443 to 7443. I corrected the config file, there are no errors in the logs, both netsh commands are ok, but sync share does not listen on 7443. Can you help?

  • Hello Vladimir,

    Can you tell me how you know the SyncShareSvc is not listening on port 7443?

    Did you bind an SSL Cert to port 7443?

    Is your client using a URL with the 7443 designation?

    I am here to assist.

    Bill

  • Edit in post subtle difference:

    when defining the URL the original post had a + after the double slash.  The updated post has an asterisk - this has been verified as the correct action.

    original  - Netsh http add urlacl url=https://+:12345/ user="NT Authority\LOCAL SERVICE"

    new edit - Netsh http add urlacl url=https://*:12345/ user="NT Authority\LOCAL SERVICE"

  • I can't seem to get this working.  I've followed your directions, but when I try to setup Work Folders on a client (Win 8.1 RT or Win 8.1 joined to Essentials domain), it fails.

    So far, I've:

    - Changed permission on c:\windows\system32\SyncShareSvc.config to allow editing

    - Changed binding in SyncShareSvc.config to:

        <binding protocol="https" bindingInformation="*:8443:" sslFlags="0" />

    - Updated the urlacl accordingly

          netsh http show urlacl

          ...     Reserved URL            : https://*:8443/

                      User: NT AUTHORITY\LOCAL SERVICE

                            Listen: Yes

                            Delegate: No

                            SDDL: D:(A;;GX;;;LS)

    - Validated I was able to start the SyncShareSvc service

    - Setup Work Folder sync on new NTFS Share (no user data)

    - Validated SyncShareSvc is listening on port 8443 (via netstat)

    When I try to setup Work Folders on a client (https://<essentials remote web url>:8443), it initially responds with "Retrieve work data - Finding your data on the Work Folders server".  Then it reports a problem, and the details show "The operation timed out (0x80072ee2)".

    This post mentioned enabling firewall rules, presumably to allow inbound access on my chosen port (8443).  I've tried various settings with mixed results.  Disabling the firewall caused the clients to fail immediately (e.g. no "Finding your data" prompt).  Likewise, adding a firewall rule for my port (similar to pre-defined Inbound Rules for Sync Share) resulted in immediate failure showing "The connection with the server was terminated abnormally (0x80072efe)".  Is there a particular firewall configuration I need to be using?

    In the post to Vladimir, there was a question raised regarding binding an SSL Cert to the port.  I followed the instructions in Step 4 from here (technet.microsoft.com/.../dn528861.aspx)...

    netsh http add sslcert ipport=[::]:8443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

    Where <Cert thumbprint> was the same as was used for 443 bound to the default essentials site (as viewed by netsh http show sslcert).

    Binding this SSL cert seemed to have no impact (good or bad).

    Currently, I'm stuck - the logs (Event Viewer - App and Service Logs - Microsoft - Windows - SyncShare - Operational; Event Viewer - Windows Logs - System; C:\ProgramData\Microsoft\Windows Server; C:\inetpub\logs\LogFiles) don't seem to show anything useful.

    Anything I'm overlooking?  Really looking forward to having Work Folders and Essentials Remote Web Access working together!

    Thanks

  • Making progress since last post...  It appears my firewall rule (created through the UI) wasn't working.  I ran the following:

    netsh firewall add portopening protocol=tcp port=8443 name="Windows Sync Share Custom Port" scope=all

    After that - the setup and sync works perfect on my domain joined Win 8.1 machine!!

    However - while the setup works on my Win 8.1 RT, and it successfully downloads new files (e.g. ones added by my 8.1 client), the non-domain joined Win 8.1 RT client fails to upload new files.

    Any ideas?

  • Michael, you mentioned your non-domained device does not sync files.  Can you give me more detail?  Can you set up the WorkFolders partnership successfully, either by typing in the user's email, or the server URL?  Once the partnership is created, the non-domained joined device should automatically sync files already in the WorkFolders users' directory.  There should be no difference between the domain/non-domain joined device as far as file updates.  The only difference should be in typing in your credentials.

    Please let me know.

    Bill