Error 0x2efd from xhr when accessing intranet services

  • Question

  • I have an app that makes calls to RESTful services on the intranet using WinJS.xhr and elsewhere in the app it loads intranet content into an iframe.  Unfortunately, the service calls and the iframe content load both fail. I do have the following capabilities declared in the .appxmanifest file:

        <Capability Name="privateNetworkClientServer" />
        <Capability Name="internetClient" />

    Additionally, I have the sites of the service host and the content host in the Trusted Sites zone in IE (I have added them by both host name and FQDN, e.g. http://servername and http://servername.company.com).

    If I open Metro IE and put in the URL of the service or a content page in the address bar, they resolve correctly and display as expected, but only if I have the sites in the Trusted Sites zone.  However, attempting to load a content page in the iframe (e.g. document.getElementById("contentIFrame").src = "http://server.company.com/path/page.aspx";) fails with no visible error. The xhr calls (to an endpoint such as http://server.company.com/path/morePath/GetMyData/someValue  ) fail with the 0x2efd error.   Note: I have also used just http://server/<path> as well (instead of FQDN) and it fails equally.

    Here's the rub: If I have Fiddler running, the xhr calls execute and the iframe content loads successfully.   I'm not quite clear why this is so. 

    I've done quite a bit of searching on this forum and others, but not yet found anything to address this issue.  The closest I've seen is that the privateNetworkClientServer capability needs added, but I already have that capability declared.  The xhr calls are executed from the page (not the iframe), so based on my understanding (see this bit on context), they should work provided the capability declarations are in place and CORS is not an issue.   

    Are there additional bits that need flipped that I've missed?

     


    Please remember to mark replies as answers if they help you.

    Friday, August 3, 2012 10:22 PM

All replies

  • Nino,

    Is this a public facing server I could hit from here?

    -Jeff


    Jeff Sanders (MSFT)

    Tuesday, August 7, 2012 8:27 PM
    Moderator
  • Hi Jeff,

    Unfortunately not - these servers are not publicly exposed.

    -Nino


    Please remember to mark replies as answers if they help you.

    Wednesday, August 8, 2012 4:28 AM
  • Nino,

    The Hex code you specified translates to:

      12029       ERROR_INTERNET_CANNOT_CONNECT
                   The attempt to connect to the server failed.

    So for some reason, the app is not able to connect to the URI you specified.  My best guess would be you have some sort of proxy filtering going on.  You should take a network trace and see if the request is issued from your application or not for that URI.

    -Jeff


    Jeff Sanders (MSFT)

    Wednesday, August 8, 2012 12:14 PM
    Moderator
  • Jeff,

    Thanks for clarifying the hex code. I finally got Wireshark installed today and ran several captures, but did not see _any_ requests issued for that URI when Fiddler was not running. I did verify, via Desktop IE, that there were no proxies configured in any way. I then tried setting breakpoints within the xhr function in base.js, but was not able to ascertain any additional detail. I then attempted, on a whim, to use the XMLHttpRequest object directly as well as jQuery's ajax() and getJson() methods. All failed as I expected.

    Next, I wanted to see if I would experience the same with a C#-based Win8 app using HttpClient. The request failed, but not for the same reason. The inner-most InnerException was "An attempt was made to access a socket in a way forbidden by its access permissions" which I thought odd given that I did have the privateNetworkClientServer capability specified. Conversely, when I create a C# console app that also uses HttpClient, it works without issue.

    I think I know the answer, but I'll ask anyway: Is it possible that the xhr() call returning the 12029 error is just masking a socket access permissions issue? Additionally, what might cause the C# app to seemingly ignore the privateNetworkClientServer capability being selected?

    Thanks, Nino


    Please remember to mark replies as answers if they help you.


    Saturday, August 11, 2012 3:05 AM
  • Hi Nino,

    By any chance is your server on the same box as the client?  Do you have some sort of antivirus installed?  Some AV software is pretty notorious for being over protective.

    -Jeff


    Jeff Sanders (MSFT)

    Monday, August 13, 2012 12:27 PM
    Moderator
  • Hi Jeff,

    The server is on a different box from the client.  No additional antivirus is installed, just the default Windows Defender.

    -Nino


    Please remember to mark replies as answers if they help you.

    Monday, August 13, 2012 2:42 PM
  • Let's stick with the C# world for now.  For the C# test did you have both Private and internet client enabled?  Can you take a System.Net trace and see anything that says 'Error' in it?

    How to take a System.Net trace from Windows Store applications (Developer Preview)

    -Jeff


    Jeff Sanders (MSFT)

    Monday, August 13, 2012 7:26 PM
    Moderator
  • My capabilities section in both the JS and C# apps looks like this:

      <Capabilities>
        <Capability Name="privateNetworkClientServer" />
        <Capability Name="enterpriseAuthentication" />
        <Capability Name="internetClient" />
      </Capabilities>

    Regarding the System.Net trace, I am not getting a log written despite adding the requisite system.diagnostics section and granting permissions to the ALL APPLICATION PACKAGES for the target directory.   I even did a system restart for grins, but same behavior.  I also ran Fiddler so that it would connect to the service endpoints, but still nothing logged. 

    Thinking I made an error on the security side, I fired up ProcMon, but can see no write attempts to C:\temp.  It seems as though it's just not picking up the diagnostics section.  I've copied my machine.config  here for your reference.  


    Please remember to mark replies as answers if they help you.

    Tuesday, August 14, 2012 3:57 AM
  • The System.Net trace will only work for .NET projects.  You are not trying to get the trace for JS, correct?  Also the machine.config is bit-specific, so ensure you are modifying the correct machine.config.

    Jeff Sanders (MSFT)

    Tuesday, August 14, 2012 11:37 AM
    Moderator
  • Correct. I missed the obvious last night. The file I modified is:  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config. The correct file to modify is C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config

    When I run the C#/XAML Win8 app, the only lines with "Error" in them are:

    System.Net.Sockets Error: 0 : [1356] Socket#37489757::UpdateStatusAfterSocketError() - AccessDenied
        ProcessId=10864
        DateTime=2012-08-14T13:05:09.7344959Z
    System.Net.Sockets Error: 0 : [1356] Exception in Socket#37489757::EndConnect - An attempt was made to access a socket in a way forbidden by its access permissions 10.64.6.149:80.
        ProcessId=10864
        DateTime=2012-08-14T13:05:09.7434993Z


    Please remember to mark replies as answers if they help you.

    Tuesday, August 14, 2012 1:11 PM
  • That error is the same error you would get if your manifest is not set correctly or you have turned off access in your application settings.  Double check the application settings and ensure you have allowed access there.

    Jeff Sanders (MSFT)

    Tuesday, August 14, 2012 1:17 PM
    Moderator
  • In the manifest, internetClient, privateNetworkClientServer, and enterpriseAuthentication are all declared as noted earlier. What application settings should I be checking? I am not aware of any setting in the project properties that could affect this, and I am not creating any ApplicationSettings items manually.

    Additionally, I just found the CheckNetIsolation.exe utility.  I ran it against my test app (C#) and my actual app (JS) and found the following similar results with the Debug module:

    Network Capabilities Status
    ----------------------------------------------------------------------
        InternetClient                Used and Declared
        PrivateNetworkClientServer    Not Used and Insecure


    Detailed Traffic Report
    ----------------------------------------------------------------------

        InternetClient                Used and Declared

     ------------------------------------------------------------------
          The following resources had some other network error *
          10.64.6.149


        PrivateNetworkClientServer    Not Used and Insecure

     ------------------------------------------------------------------

    Any additional thoughts given the output from this tool?


    Please remember to mark replies as answers if they help you.

    Tuesday, August 14, 2012 3:53 PM
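
Added example, not part of any post in this thread: a small Python parser for the CheckNetIsolation debug report quoted above. It shows which capability the tool listed each resource under and flags private-range addresses that were not counted against PrivateNetworkClientServer. The function names are hypothetical and the sample is the report from the post with blank lines and the final rule removed.

```python
import ipaddress
import re

# Constructed sample: the report posted in this thread, abridged as noted.
REPORT = """\
Network Capabilities Status
----------------------------------------------------------------------
    InternetClient                Used and Declared
    PrivateNetworkClientServer    Not Used and Insecure
Detailed Traffic Report
----------------------------------------------------------------------
    InternetClient                Used and Declared
 ------------------------------------------------------------------
      The following resources had some other network error *
      10.64.6.149
    PrivateNetworkClientServer    Not Used and Insecure
"""

CAP_LINE = re.compile(r"^\s*([A-Za-z]+)\s{2,}(\S.*\S)\s*$")  # "Name    status"
RESOURCE = re.compile(r"^\s*([0-9A-Za-z][\w.:-]*)\s*$")      # bare host or IP


def parse_report(text):
    """Return (capability -> status, capability -> resources listed under it)."""
    status, traffic, section, bucket = {}, {}, None, None
    for line in text.splitlines():
        cap, res = CAP_LINE.match(line), RESOURCE.match(line)
        if line.strip() in ("Network Capabilities Status", "Detailed Traffic Report"):
            section = line.strip()
        elif cap and section == "Network Capabilities Status":
            status[cap.group(1)] = cap.group(2)
        elif cap:  # capability heading inside the traffic report
            bucket = traffic.setdefault(cap.group(1), [])
        elif res and bucket is not None:  # rules and notes never match RESOURCE
            bucket.append(res.group(1))
    return status, traffic


def private_ips_outside_private_cap(traffic):
    """(ip, capability) pairs: private addresses not counted as private-network."""
    hits = []
    for cap, resources in traffic.items():
        for res in resources:
            try:
                if ipaddress.ip_address(res).is_private and cap != "PrivateNetworkClientServer":
                    hits.append((res, cap))
            except ValueError:
                continue  # host name; cannot be classified offline
    return hits
```

For the report in this thread the second function returns the single pair `("10.64.6.149", "InternetClient")`.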
  • With your app running bring up the Charms bar and choose settings.  Then look at the permissions of the app.


    Jeff Sanders (MSFT)

    Tuesday, August 14, 2012 4:04 PM
    Moderator
  • Brain lapse, sorry:

    Your Windows credentials

    Your home or work networks

    Your Internet connection


    Please remember to mark replies as answers if they help you.

    Tuesday, August 14, 2012 4:14 PM
  • OK, what about other URLs.  Is this the only problem URL?  Is it listed as untrusted?

    -Jeff


    Jeff Sanders (MSFT)

    Tuesday, August 14, 2012 7:12 PM
    Moderator
  • No, there is another URL that we get content from for an iframe.  It has the same problem (listed as untrusted). FWIW, both sites are in the Trusted Sites zone via Desktop IE.

    Please remember to mark replies as answers if they help you.

    Tuesday, August 14, 2012 9:16 PM
  • I want to stay with the C# troubleshooting, Nino.

    Can you check other URLs from that program?

    -Jeff


    Jeff Sanders (MSFT)

    Thursday, August 16, 2012 1:55 PM
    Moderator
  • Apologies for not being clear. I attempted to access the content URL from the C# test app and the app again gives me the "An attempt was made to access a socket in a way forbidden by its access permissions" message.

    I'm working to get a Win8 RTM environment up to see if the issue presents under RTM as it does on Release Preview.


    Please remember to mark replies as answers if they help you.

    Monday, August 20, 2012 3:17 AM
  • Nino,

    I missed this in the flurry of activity.

    This says you do not have PrivateNetwork enabled and you need to have it enabled.

    -Jeff


    Jeff Sanders (MSFT)

    Monday, August 20, 2012 1:27 PM
    Moderator
  • Jeff,

    Correct, but I have privateNetworkClientServer enabled and still get this message.

    -Nino


    Please remember to mark replies as answers if they help you.

    Wednesday, August 22, 2012 1:23 AM
  • Are you using a Name for the URI or an IP address?

    Jeff Sanders (MSFT)

    Wednesday, August 22, 2012 11:59 AM
    Moderator
  • I have used the host name (e.g. fooserver), fully-qualified host name (fooserver.company.com), and IP with the same results each time.

    Please remember to mark replies as answers if they help you.

    Wednesday, August 22, 2012 12:06 PM
  • Try turning off Windows Firewall (just to test).  Perhaps there is a rule in there blocking you.


    Jeff Sanders (MSFT)

    Wednesday, August 22, 2012 12:34 PM
    Moderator
  • No change with Windows Firewall off. 

    FWIW, we are seeing the issue when:
    -connecting over VPN via WiFi
    -connecting over VPN via Ethernet (wired)
    -connecting on LAN via WiFi

    When connecting on the LAN via Ethernet, it does not present.

    Additionally, we have started testing with Win8 RTM and have not seen the issue present yet, but are waiting on some additional parties to test before we attribute this to a pre-RTM defect.


    Please remember to mark replies as answers if they help you.

    Thursday, August 23, 2012 7:02 PM
  • Thanks Nino,

    Let's see if you have issues with RTM before we do any more troubleshooting. Sound good?

    -Jeff


    Jeff Sanders (MSFT)

    Thursday, August 23, 2012 7:05 PM
    Moderator
  • Yes, that's the plan on our end as well.

    Please remember to mark replies as answers if they help you.

    Thursday, August 23, 2012 7:30 PM
  • Hi -

    I'm still waiting on my customer to upgrade their machine(s) to Win8 RTM to verify that this is working for them under RTM.  Today I fired up the app so that I could get some screenshots and, frustratingly, the 0x2efd error now presents in the JS app and in my C# test app, I receive the "An attempt was made to access a socket in a way forbidden by its access" message.  There have been no code changes (I checked the source repository), so I am left (I think) with something environmental on my machine.

    I do have the service and site URLs in the Trusted Sites zone, and I do still have privateNetworkClientServer capability selected in the manifest. I have also attached/inserted a screenshot of my C# test app below.  The permissions on the JS app are the same.

    I also ran CheckNetIsolation again and it shows the same as previously posted (August 14, 3:53 PM): 

          The following resources had some other network error *
          10.64.6.149


        PrivateNetworkClientServer    Not Used and Insecure

    Any other suggestions of ways to debug this issue and determine what is causing these issues?

     



    Please remember to mark replies as answers if they help you.

    Friday, September 7, 2012 6:59 PM
  • I have resolved my issue from September 7 by repaving my laptop, which was a frustrating resolution.   More importantly, my customer has finally upgraded to Win8 RTM and they are still experiencing the original issue, but only on WiFi.  When their slate is in the dock (and thus using the wired connection), the issue does not manifest.

    Any suggestions for additional debugging approaches, or other things to look at?


    Please remember to mark replies as answers if they help you.

    Wednesday, September 19, 2012 1:22 PM