Vulnerability in EPiServer.Forms
EPiServer, EPiServer.SchedulerSvc version 5.2.375.236
In CMS 5 the Scheduler runs jobs by calling the site and then using the API/object model. I have a job scheduled every night at 3.00. If I enable "Anonymous access" in the IIS it works OK. But if I disable "Anonymous access" in the IIS it does not run before someone browses the site, normally sometime between 8.00 and 9.00.
The Scheduler log says (Anonymous access disabled):
    [2010-06-01 19:34:53UTC] #INF# [_LM_W3SVC_207710262_root] Site down for 10+ minutes, open http://mysiteurl/
    [2010-06-01 19:35:53UTC] #INF# [_LM_W3SVC_207710262_root] Failed calling site (Attempting to deserialize an empty stream.)
    [2010-06-01 19:36:53UTC] #INF# [_LM_W3SVC_207710262_root] Failed calling site (Attempting to deserialize an empty stream.)
    etc.
The IIS log says (Anonymous access disabled):
    401 2
By using Reflector I have tracked the problem to the "EPiServer.SchedulerService.JumpStartWEB.StartSite(string sUrl)" method. This method does:
    WebRequest state = WebRequest.Create(sUrl);
    state.BeginGetResponse(new AsyncCallback(JumpStartWEB.dontCare), state);
No credentials are set.
I have a little test application where I execute:
    WebRequest state = WebRequest.Create("http://mysiteurl");
    WebResponse response = state.GetResponse();
This throws an exception:
    System.Net.WebException : "The remote server returned an error: (401) Unauthorized."
If I enable anonymous access my code works ok.
So my conclusion is that when the EPiServer.SchedulerSvc.exe tries to wake the site it can't because it is unauthorized.
My question: Can the EPiServer Scheduler handle EPiServer sites where "Anonymous access" is disabled in the IIS? If not, how should I work around it?
Nice work. I would like to be able to ensure that the scheduler is executing and completing successfully for all sites, but have these "Failed calling site" and "18.3.1 Scheduler error: Terminating client connection: Error reading from pipe" errors littering various logging. Does anyone have a response to Hans' question?
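A small console probe for checking the diagnosis in the first post, added here as an example; it is not EPiServer code and not from either poster. It assumes the site uses Integrated Windows authentication and that the account running the probe is allowed to browse the site; the class name WakeProbe is hypothetical.

```csharp
using System;
using System.Net;

// Added diagnostic, not EPiServer code: compares a request without credentials
// against one that sends the calling process's Windows identity.
static class WakeProbe
{
    // Returns the HTTP status code, reading it from the WebException on 4xx/5xx.
    static HttpStatusCode Call(string url, bool sendDefaultCredentials)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.Timeout = 30000; // milliseconds
        // false reproduces the call shown in the post (no credentials set);
        // true lets the request answer an authentication challenge with the process identity.
        request.UseDefaultCredentials = sendDefaultCredentials;
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                return response.StatusCode;
            }
        }
        catch (WebException ex)
        {
            HttpWebResponse error = ex.Response as HttpWebResponse;
            if (error == null) throw; // DNS, connect or timeout failure: no HTTP status
            using (error) { return error.StatusCode; }
        }
    }

    static int Main(string[] args)
    {
        // Placeholder URL taken from the post; pass the real site URL as the first argument.
        string url = args.Length > 0 ? args[0] : "http://mysiteurl/";
        HttpStatusCode anonymous = Call(url, false);
        HttpStatusCode withIdentity = Call(url, true);
        Console.WriteLine("no credentials:   {0} ({1})", (int)anonymous, anonymous);
        Console.WriteLine("process identity: {0} ({1})", (int)withIdentity, withIdentity);
        // 401 followed by 200 means the site answers only authenticated callers,
        // so a wake-up call that sets no credentials cannot start it.
        return (anonymous == HttpStatusCode.Unauthorized && withIdentity == HttpStatusCode.OK) ? 0 : 1;
    }
}
```

Running the probe under the same account as the scheduler service shows what that identity receives from the site.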