【茶包射手日記】ASP.NET Core Kestrel 網站無權繫結錯誤與 Windows 10 Port 限制

修改久未維護 ASP.NET Core 專案，在 Visual Studio 2019 要用 Kestrel 偵錯時冒出以下錯誤：

info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[0]
      User profile is available. Using 'C:\Users\Jeffrey\AppData\Local\ASP.NET\DataProtection-Keys' as key repository and Windows DPAPI to encrypt keys at rest.
warn: Microsoft.AspNetCore.Server.Kestrel[0]
      Unable to bind to http://localhost:50246 on the IPv4 loopback interface: 'An attempt was made to access a socket in a way forbidden by its access permissions'.
warn: Microsoft.AspNetCore.Server.Kestrel[0]
      Unable to bind to http://localhost:50246 on the IPv6 loopback interface: 'An attempt was made to access a socket in a way forbidden by its access permissions'.
crit: Microsoft.AspNetCore.Server.Kestrel[0]
      Unable to start Kestrel.
System.IO.IOException: Failed to bind to address http://localhost:50246. ---> System.AggregateException: One or more errors occurred. (An attempt was made to access a socket in a way forbidden by its access permissions) (An attempt was made to access a socket in a way forbidden by its access permissions) ---> System.Net.Sockets.SocketException: An attempt was made to access a socket in a way forbidden by its access permissions
   at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)

嘗試以下解法，都沒能解決問題：

1. 開權限 netsh http add urlacl url=http://+:50246/ user=JEFFWIN10\jeffrey 無效。(且印象中僅本機存取應不需要)
2. 改用 Administrator 執行 Visual Studio 2019，一樣出現存取權被拒錯誤。
3. 爬到一篇 SuperUser 討論有人遇到相似狀況但無解，
4. 改用 IIS Express 偵測，則出現 Unable to connect to web server 'IIS Express'. 錯誤。
   
   並在 Log 檔看到以下訊息：(IIS Express 用 50245，與 Kestrel 不同)
   Failed to register URL "http://localhost:50245/" for site "Miniblog.Core" application "/". Error description: The process cannot access the file because it is being used by another process. (0x80070020)
   由此推測應與權限無關，而是 50245 Port 被佔用了。
5. 執行 netstat -a 檢查沒看到有其他程序佔用 50245 或 50246 Port。
   
6. 嘗試重開機無濟於事。
7. 修改 Port 為 50247、50248、50348 結果相同。

一籌莫展之際，我將 Port 改成 50046，竟意外成功了。

再試了幾個 Port 發現似乎是特定範圍的 Port 有問題。於是我寫了一支程式下去掃瞄：

Bingo! 我抓出 50060-50459 這個區間的 Port 無法繫結：

用 50060、50459 關鍵字，爬到一篇 gRPC 討論，提到在 2018 二月 Windows 10 KB4074588 更新之後封鎖了一些 Port：

After installing this update, applications may not be able to reserve or bind to ports that previously worked.

而 netsh interface ipv4 show excludedportrange protocol=tcp 指令可查詢禁用範圍：

依查詢結果，49703-59902、50060-50459、50472-50571、50791-50890 都是禁區，有趣的是，我一開始測試成功的 50046 也列在 50000-50059 禁區，但是有加註 Administrated port exclusions 行為似與其他區段不同，不想深究，決定以後測試都用 60000 以上的 Port 就是了。

【心得】在 Windows 10 遇到 An attempt was made to access a socket in a way forbidden by its access permissions 或 Port 'xxxx' is already being used by another appicatoin 錯誤時，請優先查詢 netsh interface ipv4 show excludedportrange protocol=tcp，排除誤入 Port 保留範圍之可能。

[2019-11-25 更新] 感謝讀者 Steven Huang 補充，保哥也分享過相關問題 - Windows 10 無法 LISTEN Port 4200 與 Port 3000 的靈異事件整理，文末還有新增自訂保留區的做法。 (文章我應該也有看到，可惜沒留在腦海，這次沒省到時間，最終還是自己走過一遍，噗。)

Kestrel failed to start because of 'An attempt was made to access a socket in a way forbidden by its access permissions' error. After investigation, I found the reserved ports of Windows 10.