m2133 configuration guide -...

WebAssembler System Installation and Configuration Guide

1

WebAssembler 5.0 Installation Guide Version 1.1, Developed by ALFA-XP, LLC. of 66

WebAssembler .NET v5.0

Installation and Configuration Guide

Version 1.1


2


Table of Contents

A. Introduction ....................................................................................................................... 4

1.1.Executive summary.............................................................................................................. 4

1.2.Purpose .............................................................................................................................. 4

1.3.Scope and Target Audience ................................................................................................... 4

B. System Infrastructure ......................................................................................................... 4

2.1.Deployment Platform ........................................................................................................... 4

2.2.System Infrastructure ........................................................................................................... 4

2.3.Server Installation Overview ................................................................................................. 5

C. Setting up and configuring Database Server ........................................................................ 6

3.1.Prerequisites ........................................................................ Error! Bookmark not defined.

3.2.Installation Procedure for New SQL Server 2008 R2 Instances on Windows 2008 R2 ................ 6

3.3.Application Database Restore Procedure .............................................................................. 27

3.4.Create database users ......................................................................................................... 29

3.4.Users already exist ............................................................................................................ 29

3.4.2.No Users in the Restored Database ................................................................................... 29

3.5.Setting Up Database Mirroring Using Certificates (Transact-SQL) .......................................... 33

3.5.1General Considerations .................................................................................................... 33

3.5.2Configuring Outbound Connections ................................................................................... 34

3.5.3Configuring Inbound Connections ..................................................................................... 37

3.5.4Creating the Mirror Database ........................................................................................... 40

3.5.5Configuring the Mirroring Partners ................................................................................... 40

3.6.MS SQL Server Security Tightening .................................................................................... 41

3.6.1Configuring Services' Accounts ......................................................................................... 41

3.6.2Authentication Mode ........................................................................................................ 41

3.6.3Surface Area Reduction .................................................................................................... 41

3.6.4Password Policy .............................................................................................................. 41

3.6.5Server hardening using the SQL Server Security Template .................................................... 42

D. Setting Up Web Server ...................................................................................................... 43

4.1.Prerequisites ..................................................................................................................... 43

4.2.Install IIS 7 on Windows Server 2008 R2 ............................................................................. 43

4.3.General Web Site Configuration .......................................................................................... 46

4.4.Server hardening using the Web Server Security Template ..................................................... 56

E. Deploying Web Applications ............................................................................................ 57

4.5.Deployment from Archived File .......................................................................................... 57

F. Configuration of Web Application Settings ........................................................................ 57

6.1.SQL Connection Configuration ........................................................................................... 57

6.2.Setting Up Shared ASP.NET Session State Storage ............................................................... 58

6.2.1SQL Server Session Management Mode .............................................................................. 59


3


6.3.Security ............................................................................................................................ 60

6.3.1Debug ............................................................................................................................ 60

6.3.2Request Validation ........................................................................................................... 60

6.3.3Tracing ........................................................................................................................... 60

6.3.4Errors handling ............................................................................................................... 60

6.3.5Cross site scripting (XSS) vulnerability preventing ............................................................... 60

G. Troubleshooting Installation and initial Setup .................................................................... 61

7.1.SQL Server Setup Issues .................................................................................................... 61

7.1.1Description of the SQL Server 2008 log files ....................................................................... 61

7.2.IIS Related Issues .............................................................................................................. 63


4


A. Introduction

1.1. Executive summary

WebAssembler Installation and Configuration Guide provide the description of sequence for

system components installing, which are necessary for its deploying on to the prepared

operational network and server infrastructure. The Guide points out all the necessary

installation steps for system deployment based on Microsoft installation procedures. Activities

related to the installation of network infrastructure, hardware and networking server

platform, as well as installation and configuration of the system services other than WWW

and SQL are out of the scope of this document.

1.2. Purpose

The purpose of this document is to provide the guidelines to system administrators on how to

configure and deploy the WebAssembler Platform.

1.3. Scope and Target Audience

This Installation and Configuration Guide describes actions for configuring web application

supporting services and presumes that operating system, Microsoft Windows Server 2008

Standard is already installed on the server computer.

The guide is addressed to System Administrators, Database Administrators and Application

Developers. The minimum knowledge required to use this guide are: MS SQL Server

Administration, Implementing IIS for ASP.NET web applications and understanding of

ASP.NET Configuration file structure.

B. System Infrastructure

2.1. Deployment Platform

The system components can be deployed on to the Windows 2008/2012 Server

Standard/Enterprise Edition server platform and Microsoft SQL 2008R2/SQL 2012 linked

using 100Mbit/1Gbit/10Gbit TCP/IP network.

2.2. System Infrastructure

The following diagram displays three possible implementations of WebAssembler

Infrastructure:


5


“Small Business” Model

“Standard” Model

LANRouter

Application and

Database server

Remote Users

WAN/Internet

“Standard” Model

LANRouter

Application server

Remote Users

WAN/Internet

Database server

“Enterprise” Model

Router

Single Application

server or NLB Cluster

Remote Users

WAN/Internet

Highly Available

Database server

`

SQL

Witness

LAN

Figure 2.1 WebAssembler Infrastructure

Small Business Model assumes that system workload is low enough to consolidate

Application Server and Database server on the same physical server to reduce final cost of the

system. Standard Model requires separate servers for Application and Database Engine. If

security of Data requires it, Database engine may also be located in separate LAN segment.

Enterprise Model should be used in mission-critical applications and under heavy system

load (1000 simultaneous users, etc...)

Please note, all presented models can be implemented both in physical and virtual

environments.

2.3. Server Installation Overview

There are several types of servers employed into the production architecture of the

WebAssembler Platform:

1. Web application server(s) - hosting Application Portal;

2. Database server(s) - managing Application databases;

3. SQL Witness server - hosting SQL Mirroring witness service (only if Enterprise Model

is used).

The installation procedure presumes the following major steps:

1. Setting up the database servers first as the most independent services, then

2. Setting up the web servers,

3. Deploying and configuring the web applications to work with the installed database

servers.


6


C. Setting up and configuring Database Server

3.1. Installation Procedure for New SQL Server 2008 R2 Instances on Windows 2008

R2

1. Log on to machine with Remote Desktop and load installation media. Click on Setup from the

root. Prerequisite is that you ensure Dot Net Framework core role is enabled, thus click OK

for the update.

Figure 3.1.1 Microsoft .Net Framework Warning

2. Click on Installation, then 'New SQL Server stand-alone installation…' (top)


7


Figure 3.1.2 Installation options

3. Let the setup rules check run:

Figure 3.1.3 Setup Rules Validation

Enter key or make sure there is key automatically taken from the ISO, or enter it manually.

4. Accept the terms and conditions


8


Figure 3.1.4 Terms and Conditions

5. Click install

Figure 3.1.5 Istalation

6. Make sure the pre-install checklist provides a Passed Status for each rule.

then click Next.


9


Figure 3.1.6 Preinstall check-list

7. DB Server - Do not choose default, continue with Feature Selection for a Server install

Figure 3.1.7 Feature selection

8. A new installation step added in 2008 R2 is this Installation Rule Confirmation:


10


Figure 3.1.8 Installation Rules

9. Chose Default instance (so that the machine is accessed directly at ServerName), or specify

instance name (as in ServerName\InstanceName) if it is required and several are on the same

machine.

Figure 3.1.9 Instance Configuration

Click Next (make sure everything is run on C drive)

Here is where, as mentioned above, if you need to create a specific instance\alias name, you

would specify it by selecting named instance.

10. Validate Disk Space Requirements and click next


11


Figure 3.1.10 Disk space requirements

11. Server Configuration.

Click on Use the Same account for all SQL Server services.

Figure 3.1.11 SQL Server Configuration

Leave the Collation tab as is, SQL_Latin1_General_CP1_CI_AS is the default and is Accent

Sensitive and Case Insensitive.

12. Select Authentication Mode

Select Mixed Authentication mode, and provide the strong password for "sa" account

13. Set root directories for SQL data base files

Provide paths for Data, System DBs., User DBs., Temp and Backups.

In case of placing the data onto the separate drive, follow the screenshot.


12


Figure 3.1.12 Placing data on separate drive

14. Verify Installation Configuration Rules.

Figure 3.1.13 Installation Configuration Rules


13


15. Validate the installation (this is the point of no return):

Figure 3.1.14 Ready to Install

The install will take a while (20-25 minutes depending on the strength of the machine).

Be patient, this will take a long time…

Figure 3.1.15 Installation Progress


14


16. Confirmation of successful install.

Figure 3.1.16 Install Complete Screen

17. Reboot the server once the installation is finished.

Figure 3.1.17 Shutdown event Tracker

18. Configure the network access:


15


Figure 3.1.18 Network Access Configuration

19. Enable the address in which will be used to connect.

Figure 3.1.19 Connection address enablement

20. Check the Model Database - A typical Databases' configuration should be like this:


16


Figure 3.1.20 New Database

Verify that the default recovery model is set to Full.

21. On the Windows 2008 Server hosting the MS SQL Server, you will have to configure the

windows Firewall allowing inbound connections to ports: 1433 (TCP and UDP), 1434 (TCP

and UDP) and 7024 (TCP). Please note, if Database Server located in separate network

segment, you should also open the same ports on the router, which manage these network

segments.

a. Open Windows Firewall with Advanced Security.

b. Add new Inbound Rule of type "Port"


17


Figure 3.1.21Rule Type

c. Specify TCP port numbers 1434 and 1433

Figure 3.1.22 Protocol and Ports


18


d. Specify action as "Allow Connection"

Figure 3.1.23 Action Type Specification

e. Leave profile default settings - all checked

f. Specify the name and description of the rule


19


Figure 3.1.24 Rule’s name and direction specification

g. Inbound Rule for TCP ports configuration complete.

22. Return to P. 21, and proceed through items (a-g) again, to create additional "Inbound"

rule to allow UDP traffic for the same ports (1433, 1434).

23. Return to P. 21, and proceed through items (a-g) two more times, to create additional rules

in "Outbound" firewall settings section for ports TCP (1433,1434) and UDP (1433,1434)

ports.

24. If Microsoft SQL Database mirroring is used in WebAssembler setup, mirroring end-

point port should also be opened on windows firewall. Microsoft manuals suggest 7022

or 7023 ports as default values. In this manual TCP port 7024 is used for Database

mirroring (see 3.5.2 and 3.5.5). Return to P. 21, and proceed through items (a-g) to create

additional rules in "Inbound" and "Outbound" firewall settings sections for port TCP 7024.

25. Technet.microsoft.com also recommends configuring MSSQL service and MSSQL

browser service access on windows firewall, (especially when SQL Instances and dynamic

TCP ports are used).

a. Open Windows Firewall advanced settings and create additional rule in "Inbound"

firewall settings for Microsoft SQL service (execution file):


20


b. Open "Services" Microsoft Management Console, scroll to SQL Server instance,

you need to sallow on firewall, select "Properties":

c. Open "General" Tab locate "Path to executable" section and copy string to

clipboard: (D:\MSSQL\MSSQL11.MSSQL2012\MSSQL\Binn\sqlservr.exe on

screenshot):


21


d. Paste copied string from Clipboard to "Program" window of firewall rule creation

wizard:


22


e. Allow the connection; click "Next" and save created rule as "MSSQL Service"

Return to P.25 and perform (a-e) in "Outbound" firewall settings for Microsoft SQL

service (execution file).

26. Perform (a-e) two more times for "Inbound" and "Outbound" rules, to allow SQL

Browser process access the network (this is necessary to locate remote SQL instance by name)

Copy "Path to Executable" sqlbrowser.exe (C:\Program Files (x86)\Microsoft SQL

Server\90\Shared\sqlbrowser.exe , it may vary!) to firewall rule "Program" window.


23


Paste "Path to Executable" to firewall rule "Program" window, click Next:

Set Action "Allow" and proceed with configuration.


24


Please note, Windows Firewall rules for TCP/UDP ports 1433, 1434, 7024 and SQL

Server/SQL Browser services should be configured on both mirrored MS SQL server

computers and Witness computer!


25


27. Installing and troubleshooting .NET 3.51 Installations for SQL Server 2012 on Windows

Server 2012

If .NET 3.51 is not installed, SQL Server will detect this during Setup as shown in Figure 1.

As you can see, SQL Server knows it needs to be enabled (“Windows feature(s) to be turned

on:”), and will attempt to do so during the installation process.

Figure 1. Setup showing .NET 3.51 needs to be installed

Once you get through the configuration screens, Setup will start installing SQL Server. The

status shown in Figure 2 is where Feature NetFx3 installation is attempted.

Installation failed because it couldn’t find the path to install .NET 3.51 from.


26


Use command line tool dism as Administrator.

dism /online /enable-feature /all /featurename:NetFx3 /source:h:\sources\sxs

Where <Drive>\sources\sxs - path to Windows installation disk (D:\sources\sxs\)

Figure 5. Successful installation of .NET 3.51 NetFx3 feature

Now when you run SQL Sever 2012′s Setup again, it reflects that .NET 3.51 is installed:

Figure 6. .NET 3.51 installed – SQL Server should install just fine


27


3.2. Application Database Restore Procedure

The application databases are restored from the Full Database Backups. Backup files are

obtained either from the actual backup repository of the client, or created from the test server

databases.

WARNING: Test server databases do not contain the latest versions of data!

Note: The screenshots display sample database name and backup set. During the restore

procedure you must select appropriate names of restoring database.

1. Start SQL server Management Studio on the database server:

Figure 3.2.1 SQL server Management Studio Path

2. Right-click on “Databases” node of the console and select “Restore Database…”

Figure 3.2.2 Restore Database Menu Item

3. Select “From Device” in “Source for restore” section of the “General” node, click […] button

at the right. “Specify Backup” window will open. Select “Backup Media” File, click

“Add” button, select path to database backup file and click OK to confirm:


28


Figure 3.2.3 Backup Window

4. Tick “Restore” checkbox in “Select the backup set to restore” and select the database name in

“Destination to Restore” “To database” field.

Figure 3.2.4 Destination Window

5. Switch to “Options” node, make sure checkbox is set to “Leave database ready for use” in

“Recovery state” section. Set “Overwrite” checkbox to overwrite existing database or remove

this checkbox if the database does not exist yet:


29


Figure 3.2.5 Restore Options

6. Click “OK” to confirm database restore. Check that restore operation finished with no errors.

3.3. Create database users

A user is a database level security principal. Logins must be mapped to a database user to

connect to a database.

In order to enable applications to connect to the database servers, there must be SQL logins

and database users created.

3.3.1. Users already exist

If there are already users in database backups you should create a login in the SQL Server and

map it to the existing user with the following T-SQL script amended for each database and

login with user.

Note: replace the #-values with appropriate data

CREATE LOGIN #ServerLogin

WITH PASSWORD = '#password';

USE #Database;

GO

ALTER USER #DatabaseUser WITH LOGIN #ServerLogin;

GO

Run the script for each database amending the login, user, password and database name.

3.3.2. No Users in the Restored Database

Follow the next steps to create logins and database users:

Note: The steps starting from the 4th must be repeated for each database.

1. Connect to the MS SQL server instance using the SQL Server Management Studio

where you have restored the databases,

2. Login as SQL server administrator


30


3. In Object Explorer, expand the Databases folder.

4. Expand the database in which to create the new database user.

5. Right-click the Security folder, point to New, and select User….

6. In the Database User – New dialog box, on the General page, select the Login name

in radio button.

7. In the User name box, enter a name for the new user. Follow the template

#sitename_user

8. In the Login name box, enter the login for the user. Follow the template

#sitename_login

9. In the Owned schemas box, specify db_datareader and db_datawriter.

10. Click OK.

11. Repeat from step 4 for each database.

Alternatively the logins and users can be created with the following T-SQL script amended for

each database and login with user.

Note: replace the #-values with appropriate data

CREATE LOGIN #ServerLogin

WITH PASSWORD = '#password';

USE #Database;

GO

CREATE USER #DatabaseUser FOR LOGIN #ServerLogin;

GO

Run the script for each database amending the login, user, password and database name.

3.4.3. Configure access rights for NT/ANONYMOUS LOGON User.

To tighten Internet Information Service IIS security settings System Administrator may

consider to use "Integrated User Authentication" (The user name and password are hashed

before being sent across the network. Client browser proves its knowledge of the password

through a cryptographic exchange with your Web server, involving hashing). This approach

requires configuring access to the database for NT/ANONYMOUS LOGON User. More

details on this will be given in P.11 of Application configuration.

If this not configured properly, [Login failed for user 'NT AUTHORITY\ANONYMOUS

LOGON...] Error is displayed in client browser, due to SQL Server Engine not having the

login account for your windows login account.

To fix this issue,

a. Open Microsoft SQL Management Studio console, navigate Security -> Logins,

right-click and select "New Login" from pop-up menu:


31


b. Click "Search" button next to "Login Name" field. "Select User and Group" window

will open.

c. Click "Advanced" button, then "Find Now" button in newly opened "Select User

and Group" window.

d. Find "ANONYMOUS LOGON" in the list of available users


32


e. Right-click on "NT AUTHORITY/ANONYMOUS LOGON" user, select

"Properties".

f. In "Logon Properties Window" select "User Mapping" node and make sure "NT

AUTHORITY/ANONYMOUS LOGON" user have "db_owner" check box set in

"Database Role Membership for:" section for target database, selected in "Users

Mapped to this Login" section:


33


3.4. Setting Up Database Mirroring Using Certificates (Transact-SQL)

This section shows all the stages required to create a database mirroring session using

certificate-based authentication. The examples in this topic use Transact-SQL. Unless you can

guarantee that your network is secure, we recommend that you use encryption for database

mirroring connections.

When copying a certificate to another system, use a secure copy method. Be extremely careful

to keep all of your certificates secure.

If System Administrator configures WebAssembler in Small Business or Standard Model,

this section should be omitted.

3.4.1. General Considerations

The following example demonstrates what must be done on one partner that resides on

HOST_A. In this example, the two partners are the default server instances on three computer

systems. The two server instances run in nontrusted Windows domains, so certificate-based

authentication is required.

Figure 3.4.1.1 SQL Server Mirroring Schema

The initial principal role is taken by HOST_A(Master DB Server), and the mirror role is taken

by HOST_B (Mirror DB Server).

Setting up database mirroring using certificates involves four general stages. These stages are

as follows:

1. Configuring Outbound Connections

This example shows the steps for:

a. Configuring Host_A for outbound connections.


34


b. Configuring Host_B for outbound connections.

c. Need to be done on Witness server also!

2. Configuring Inbound Connections

This example shows the steps for:

a. Configuring Host_A for inbound connections.

b. Configuring Host_B for inbound connections.

c. Need to be done on Witness server also!

3. Creating the Mirror Database

4. Configuring the Mirroring Partners

3.4.2. Configuring Outbound Connections

Please note: 1) Computer Name (Start -> Computer -> Properties -> Computer name,

domain, and workgroup settings -> Computer Name) should be different for Principal,

Mirror and Witness servers in Workgroup and Domain environment. 2) Use Computer

Name or Computer Name\Instance Name (Depends on MS SQL installation, see Figure

3.4.2.1 Instance Configuration) instead of IP-addresses during SQL mirroring setup.

To configure Host_A for outbound connections

1. On the master database, create the database master key.

USE master;

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<1_Strong_Password!>';

GO

*** To remove existing Master Key use:

DROP MASTER KEY

2. Make a certificate for this server instance.

USE master;

CREATE CERTIFICATE HOST_A_cert

WITH SUBJECT = 'HOST_A certificate';

GO

*** To view the certificates in the master database, you can use the following Transact-SQL

statements:

USE master;

SELECT * FROM sys.certificates;

3. Create a mirroring endpoint for server instance using the certificate.

CREATE ENDPOINT Endpoint_Mirroring

STATE = STARTED

AS TCP (

LISTENER_PORT=7024

, LISTENER_IP = ALL


35


)

FOR DATABASE_MIRRORING (

AUTHENTICATION = CERTIFICATE HOST_A_cert

, ENCRYPTION = REQUIRED ALGORITHM AES

, ROLE = ALL

);

GO

*** To ensure that the database mirroring endpoint exist on each of the server instances.

If a database mirroring endpoint already exists for the server instance, you should reuse that

endpoint for any other sessions you establish on the server instance. To determine whether a

database mirroring endpoint exists on a server instance and to view its configuration, use the

following statement:

SELECT name, role_desc, state_desc, connection_auth_desc, encryption_algorithm_desc

FROM sys.database_mirroring_endpoints;

*** To remove old (existing) endpoint use:

DROP ENDPOINT endPointName

1. Back up the HOST_A certificate, and copy it to other systems, HOST_B and Witness. The

certificate file can be saved to any other location, where the SQL server service has the

writing permissions.

BACKUP CERTIFICATE HOST_A_cert TO FILE = 'C:\HOST_A_cert.cer';

GO

2. Using any secure copy method, copy C:\HOST_A_cert.cer to HOST_B and WITNESS server.

To configure Host_B for outbound connections


USE master;

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Strong_Password_#2>';

GO

2. Make a certificate on the HOST_B server instance.

CREATE CERTIFICATE HOST_B_cert

WITH SUBJECT = 'HOST_B certificate for database mirroring';

GO

3. Create a mirroring endpoint for the server instance on HOST_B.


STATE = STARTED

AS TCP (

LISTENER_PORT=7024


36


, LISTENER_IP = ALL

)


AUTHENTICATION = CERTIFICATE HOST_B_cert


, ROLE = ALL

);

GO

4. Back up HOST_B certificate.

BACKUP CERTIFICATE HOST_B_cert TO FILE = 'C:\HOST_B_cert.cer';

GO

5. Using any secure copy method, copy C:\HOST_B_cert.cer to HOST_A and WITNESS server.

To configure Witness for outbound connections


USE master;

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Strong_Password_#3>';

GO

2. Make a certificate on the Witness server instance.

CREATE CERTIFICATE Witness_cert

WITH SUBJECT = 'Witness certificate for database mirroring';

GO

3. Create a mirroring endpoint for the server instance on Witness.


STATE = STARTED

AS TCP (

LISTENER_PORT=7024

, LISTENER_IP = ALL

)


AUTHENTICATION = CERTIFICATE Witness_cert


, ROLE = WITNESS


37


);

GO

4. Back up Witness certificate.

BACKUP CERTIFICATE Witness_cert TO FILE = 'C:\Witness_cert.cer';

GO

5. Using any secure copy method, copy C:\Witness_cert.cer to HOST_A and HOST_B server.

3.4.3. Configuring Inbound Connections

To configure Host_A for inbound connections

1. Create a login on HOST_A for HOST_B and Witness server.

USE master;

CREATE LOGIN HOST_B_login WITH PASSWORD = '1Sample_Strong_Password!@#';

GO

USE master;

CREATE LOGIN Witness_login WITH PASSWORD = '2Sample_Strong_Password!@#';

GO

2. Create a user for that login.

CREATE USER HOST_B_user FOR LOGIN HOST_B_login;

GO

CREATE USER Witness_user FOR LOGIN Witness_login;

GO

3. Associate the certificate with the user.


AUTHORIZATION HOST_B_user

FROM FILE = 'C:\HOST_B_cert.cer'

GO


AUTHORIZATION Witness_user

FROM FILE = 'C:\Witness_cert.cer'


38


GO

4. Grant CONNECT permission on the login for the remote mirroring endpoint.

GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_B_login];

GO

GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [Witness_login];

GO

To configure Host_B for inbound connections

1. Create a login on HOST_B for HOST_A and Witness server.

USE master;

CREATE LOGIN HOST_A_login WITH PASSWORD = '=Sample#2_Strong_Password2';

GO

USE master;

CREATE LOGIN Witness_login WITH PASSWORD = '=Sample#2_Strong_Password3';

GO

2. Create a user for that login.

CREATE USER HOST_A_user FOR LOGIN HOST_A_login;

GO

CREATE USER Witness_user FOR LOGIN Witness_login;

GO



AUTHORIZATION HOST_A_user

FROM FILE = 'C:\HOST_A_cert.cer'

GO


AUTHORIZATION Witness_user

FROM FILE = 'C:\Witness_cert.cer'

GO


39



GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_A_login];

GO

GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [Witness_login];

GO

To configure Witness for inbound connections

1. Create a login on Witness server for HOST_A and HOST_B.

USE master;

CREATE LOGIN HOST_A_login WITH PASSWORD = '=Sample#2_Strong_Password1';

GO

USE master;

CREATE LOGIN HOST_B_login WITH PASSWORD = '=Sample#2_Strong_Password2';

GO

2. Create users for that login.

CREATE USER HOST_A_user FOR LOGIN HOST_A_login;

GO

CREATE USER HOST_B_user FOR LOGIN HOST_B_login;

GO



AUTHORIZATION HOST_A_user

FROM FILE = 'C:\HOST_A_cert.cer'

GO


AUTHORIZATION HOST_B_user

FROM FILE = 'C:\HOST_B_cert.cer'

GO



40


GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_A_login];

GO

GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_B_login];

GO

3.4.4. Creating the Mirror Database

1. Connect to principal server instance.

2. Create a full database backup of the principal database.

3. Backup the transaction log on the principal database.

4. Copy the database and log backups to the system that will host the mirror server

instance.

5. Connect to mirror server instance.

6. Using RESTORE WITH NORECOVERY, create the mirror database by restoring

the full database backup onto the mirror server instance.

7. Using RESTORE WITH NORECOVERY, apply any outstanding log backup or

backups to the mirror database.

3.4.5. Configuring the Mirroring Partners

Note: Here we describe the configuration procedure for WebAssemblerDB database. The

configuring must be repeated for each of the databases, require mirroring.

1. On the mirror server instance on HOST_B, set the server instance on HOST_A as the partner

(making it the initial principal server instance). Substitute a valid network address for

TCP://HOST_A:7024.

Make sure that the recovery model of the restored database is set to Full. At HOST_B, set

server instance on HOST_A as partner (principal server):

ALTER DATABASE WebAssemblerDB

SET PARTNER = 'TCP://HOST_A:7024';

GO

2. On the principal server instance on HOST_A, set the server instance on HOST_B as the

partner (making it the initial mirror server instance). Substitute a valid network address for

TCP://HOST_B:7024.

At HOST_A, set server instance on HOST_B as partner (mirror server).


SET PARTNER = 'TCP://HOST_B:7024';

GO

3. On Principal Server ( HOST A) set the Witness server instance to WITNESS. Substitute a

valid network address for TCP://Witness:7024.



41


SET WITNESS = 'TCP://Witness:7024';

GO

Leave transaction safety set to FULL (the default setting) and add the witness as soon as

possible after executing the second SET PARTNER 'partner_server' statement.

Note that the witness must first be configured for outbound and inbound connections.

3.5. MS SQL Server Security Tightening

3.5.1. Configuring Services' Accounts

SQL Server services must be configured a specially created Windows accounts as local user

account with no Windows administrative privileges. The accounts must be set up for the

following main services:

Sql Server - NT Service\MSSQL$SQLEXP2008 with strong password (this account

needs to be created in Windows users database)

Sql Server Agent - NT AUTHORITY\NETWORKSERVICE - this account must be

able to write to the backup folder.

Sql Server Browser - NT AUTHORITY\LOCALSERVICE

In this manner there are exactly two concepts: minimum privileges and account

isolation.

3.5.2. Authentication Mode

In an environment with Mixed Mode Authentication, to avoid the attacks against "sa" user, is

required to:

rename "sa" with another name

use a strong password that is difficult to brute-force for the renamed "sa"

3.5.3. Surface Area Reduction

The following features of the Database Engine are disabled by default:

Ad hoc distributed queries

Common language runtime (CLR) integration

Dedicated administrator connection (DAC)

Database Mail (required)

Native XML Web services

OLE Automation stored procedures

Service Broker

Web Assistant stored procedures

xp_cmdshell

3.5.4. Password Policy

Because the connection settings for the application are stored in application configuration file,

some of the usual password policy restrictions cannot be applied.

It is required to maintain the following restrictions:

Minimum password length (minimum number of characters. The range is [1-14]) set at

least to 10.


42


Password must meet complexity requirements (no two consecutive character of account

name, minimum 6 character belonging at least at three of the categories [A-Z], [a-z],

[0-9], or characters like !, %, #, $ etc...)

Other restrictions, like account lockout, password expiration and others are not applicable.

3.5.5. Server hardening using the SQL Server Security Template

Security Template can control almost any security option or setting on a server. Security

Templates can control user rights, permissions, password policies, software policies, and so

forth. We provided the security template tuned for SQL Server operation.

1. Use the MMC (Start -> Run -> MMC).

2. Then go to File -> Add/Remove Snap-in, click Add, and choose Security Templates.

3. Click Add, Close, and OK. The policies present will be listed.

4. Apply the template using the Security Configuration and Analysis Snap-in for the

MMC:

5. Open Database-> New

6. Import Template from file "SQLServer.inf"

7. Analyze Computer Now

8. Check View Log File

Verify the settings suggested in the template and current system settings. Apply the settings

where required.

Note: however the template has been tested on the Windows 2008 R2 Server with SQL Server

installed, it may require the system administrator's attention and responsibility ownership for

applying the settings.

WARNING: The configuration cannot be undone, backup the system first.


43


D. Setting Up and Configuration Application (Web) Server

4.1. Prerequisites

The configuration of Internet Information Services is performed on the Windows 2008 Server

R2.

The installation presumes the availability of the following hardware:

Server Name Processor RAM HDD Software

Application

Server

Quad or Six Core

2.5GHz

8GB 50 GB free disk

space

Windows 2008

Server Standard

or Web Edition

Table 4.1.1 Hardware Availability

All Web servers must allow incoming connections to the following ports: 80(TCP), 443(TCP),

The user, who installs the IIS 7.5 must have administrative rights in server OS.

4.2. Install IIS 7 on Windows Server 2008 R2

IIS is one of the Windows Server® server roles. IIS 7 can be installed through the graphical

user interface (GUI) by using the new Server Manager interface after the Windows Server

operating system is installed.

Server Manager provides a single dashboard to install or uninstall server roles and features.

Server Manager also gives an overview of all currently installed roles and features.

When IIS 7 is chosen from the Server Manager, the basic components and services

needed for IIS are automatically selected.

1. Start Server manager:

Click Start -> All Programs -> Administrative Tools -> Server Manager.

Figure 4.2.1 Server Manager in Windows Menu

2. Add Roles

In the Server Manager window, scroll down to Roles Summary, and then click Add Roles.

The Add Roles Wizard will start with a Before You Begin page. The wizard asks for

verification of the following:

a. The administrator account has a strong password.

b. The network settings, such as IP addresses, are configured.


44


c. The latest security updates from Windows® Update are installed.

Figure 4.2.2 Add Server Roles Screenshot

3. Select Web Server (IIS) on the Select Server Roles page, click “Next”. An introductory page

will open with links for further information.

Note: When you use the Add Roles Wizard to install IIS, you get the default installation,

which has a minimum set of role services. If you need additional IIS role services, such

as Application Development or Health and Diagnostics, make sure to select the check

boxes associated with those features in the Select Role Services page of the wizard.

Figure 4.2.3 List of available Server Roles

4. Select the IIS services to be installed on the Select Role Services page. Add only the

following for application development: ASP.NET, .NET, ISAPI Filters, ISAPI extensions:


45


Figure 4.2.4 Selected Server Roles

Figure 4.2.5 Selected Server Roles Continued

5. Click “Install” to proceed, check that final status is “Installation Succeeded”.

Figure 4.2.6 Installation Status Screen


46


6. Deploy the web site application code to c:\inetpub\wwwroot (default IIS files/websites

location) as described in section 5 Deploying Web Applications:

Figure 4.2.7 Deploying Program Files

7. Download from www.microsoft.com and install .Net Framework 3.5 ServicePack1.

URL and direct link below:

http://download.microsoft.com/download/0/6/1/061F001C-8752-4600-A198-

53214C69B51F/dotnetfx35setup.exe

8. Download from www.microsoft.com and install .Net Framework 4.0

The installer can be downloaded here:

http://www.microsoft.com/en-us/download/details.aspx?id=17851

9. Register .Net Framework 4.0 in IIS metabase

run cmd

CD <WindowsFolder>\Microsoft.NET\Framework64\v4.0.30319

aspnet_regiis -i

4.3. General Web Site Configuration

1. Open IIS management console (Start Programs Administrative Tools Internet

Information Services (IIS) Manager)

http://www.microsoft.com/

http://download.microsoft.com/download/0/6/1/061F001C-8752-4600-A198-53214C69B51F/dotnetfx35setup.exe

http://download.microsoft.com/download/0/6/1/061F001C-8752-4600-A198-53214C69B51F/dotnetfx35setup.exe

http://www.microsoft.com/

http://www.microsoft.com/en-us/download/details.aspx?id=17851


47


Figure 4.3.1 IIS Manager

2. Right-click on “Application Pools” and select “Add Application pool…”

Figure 4.3.2 Application Pools Menu

3. Put the name of the site as Application Pool Name, make sure that .NET framework is set to

v4.0.xxxx and “Managed pipeline mode” is set to “Integrated”:

Figure 4.3.3 Application pool configuration

4. Update advanced settings of the application pool to use NetworkService as Identity of Process

Model (by default Identity is set to ApplicationPoolIdentity)


48


Figure 4.3.4 Application Pool Process Identity

5. Right-click on “Sites” and select “Add WebSite”

Figure 4.3.5 Add Web Site

6. Configure web-site settings:

a. Enter “Site Name”.

b. Click “Select” button next to the “Application Pools” field and select your site's name

application pool (created on step 3) from drop-down list.

c. Configure (select from the tree) Content Directory -> Physical path (the path where the all

files of the site's are located ).

d. Configure binding Type – “http://”, IP Address – “All Unassigned” (or select specific IP

address from drop-down list if you have multi-homed server- n/a for selected config),


49


make sure you have Port – “80”.

e. Put “Host Name” which can be resolved via DNS service, or add “Host name” to hosts

file (we used webassembler.local just for presentation purposes) which can be found at:

c:/windows/system32/drivers/etc/ folder*.

f. Click “OK” to confirm settings:

Figure 4.3.6 Web Site Properties

* Note: you should run Command prompt as Administrator to see hosts file in Windows 2008;

the example of hosts file content is shown below:

** NB: For accessing all other web sites in the solution, their names must be included into the

hosts file, resolving into the correct IP addresses.

Figure 4.3.7 Hosts File Screenshot

On save hosts file make sure Site name is resolving properly (according to the record created).

Issue ping webassembler.local command and make sure you have reply from IP 127.0.0.1:


50


Figure 4.3.8 Ping Console Screenshot

7. Binding SSL certificate:

a. Select Edit Site->Bindings in the Actions menu.

b. Press Add to add new port binding of the site

c. Set Type to https, IP address to All Unassigned, Port to 443 and select appropriate

certificate from the drop down.

Figure 4.3.9 Site Binding Properties

*NB: In order to appear in the dropdown the certificates must be installed in trusted

certificate authority storage of the server machine.

8. Switch to IIS management console and edit permissions for Webassembler Site (right-click on

WebAssembler site and select “Edit Permissions”):

Figure 4.3.10 Permissions Menu

9. Make sure “NETWORK SERVICE” user has “Modify” or “Full Control” permissions on to

the web site folder:


51


Figure 4.3.11 Web Site Permissions List

10. Propagate permissions settings to all sub-folders and files.

a. Click “Advanced” button on Website "Properties” “Security” tab

b. Click “Edit” button on “Advanced security settings” window

Figure 4.3.12 Advanced Security Settings for Web Site

c. On new “Advanced security settings” for web site root folder window set checkbox

“Replace All Existing Inheritable Permissions…” and click “OK” to confirm permissions

propagation:


52


Figure 4.3.13 Advanced Security Settings Continued

11. Important Note: To increase level of security of the web-site access System

Administrator may consider using "ApplicationPoolIdentity" (default setting) for web-site IIS

impersonate user and use Integrated Security=true; in application Web.config file (The user

name and password are hashed before being sent across the network. Client browser proves its

knowledge of the password through a cryptographic exchange with your Web server,

involving hashing):

For this setup System Administrator should configure Web Site "Advanced Settings"

according to screenshots below:


53


Propagation of the "Modify" Permissions on step 10 should be done for IIS_IUSRS user

(instead of NETWORK SERVICE):


54



55


d. Please, note, to allow File download and Printing features in Microsoft Internet Explorer on

Client Side, add site to “Trusted” zone.

a) Double click on “Internet” at the bottom of Internet Explorer window. “Internet Security

Properties” window will open:

b) Select “Trusted” sites zone and click “Sites” button. Make sure http://webassembler.local

is listed in “Add this site…” field, uncheck “Require server verification (https:)”, click “Add”

button, then “Close” button.

http://webassembler.local/


56


4.4. Server hardening using the Web Server Security Template

Security Template can control almost any security option or setting on a server. Security

Templates can control user rights, permissions, password policies, software policies, and so

forth. We provided the security template tuned for Web Server operation.

1. Use the MMC (Start -> Run -> MMC).

2. Then go to File -> Add/Remove Snap-in, click Add, and choose Security Templates.

3. Click Add, Close, and OK. The policies present will be listed.

4. Apply the template using the Security Configuration and Analysis Snap-in for the

MMC:

5. Open Database-> New

6. Import Template from file "WebServer.inf"

7. Analyze Computer Now

8. Check View Log File

Verify the settings suggested in the template and current system settings. Apply the settings

where required.

Note: however the template has been tested on the Windows 2008 R2 Server prepared for IIS,

it may require the system administrator's attention and responsibility ownership for applying

the settings.

WARNING: The configuration cannot be undone, backup the system first.


57


E. Deploying Web Applications

4.5. Deployment from Archived File

Each archived file contains the ready for copy contents of each web site's home directory. just

unpack the contents to the web site home folder and proceed to section Configuration of Web

Application Settings.

Note: The archive files could be created using the test servers' application files.

F. Configuration of Web Application Settings

6.1. SQL Connection Configuration

Please, note, data used in web site connection String settings is that, which was configured as

logins in MS SQL Installation.

1. Use Windows Explorer to navigate to c:\inetpub\wwwroot\Webassembler\WebConfig\

folder. Locate and edit database.config file via Notepad.exe or Wordpad.exe:

Figure 6.1.1 Web.Config File Edit Screenshot

2. Find (use Ctrl-F) <connectionStrings> section of web.config file and check or edit:

a. DataSource (SQL Server name\Instance or IP address\Instance),

b. Initial Catalog (Database name ),

c. User ID(Uid) used by IIS to access SQL database,

d. Password(Pwd) used by IIS to access SQL database.


58


Figure 6.1.2 Web.Config SQL Connection Settings

3. Save your changes

6.2. Setting Up Shared ASP.NET Session State

6.2.1. SQL Server Session State Service (WebAssembler Standard Model)

If WebAssembler is deployed in Standard Model, local server Session State management

should be configured.

1. Open Start-> Administrative Tools -> Services

2. Locate ASP.NET State Service item in the list (It is stopped and disabled by default).

3. Right-click on ASP.NET State Service item, select "Properties".

4. Configure ASP.NET State Service to "Start Automatically during system startup"

Figure 6.2.12.1 ASP.NET State Service Settings.

5. Start ASP.NET State Service if it is stopped, make sure it's running (see screenshot below).


59


Figure 6.2.12.2 ASP.NET State Service Configuration.

6.2.2. SQL Server Session Management Mode (WebAssembler Enterprise Model)

If Application Servers are deployed in clustered server environment, local session state

management is not applicable. The Session State for all of the web applications is managed

in SQL Server Mode.

SQL Server mode stores session state in a SQL Server database. This ensures that session state

is preserved if the Web application is restarted and also makes session state available to

multiple Web servers in a Web farm. The SQL Server session state must be configured for

each of the applications - Portal, MPass, Notification and Journaling.

1. The command line utility is aspnet_regsql.exe, it must be run with the following

parameters:

aspnet_regsql -S [server] -E -ssadd -sstype c -d SessionStateDB

// add websitename suffix for each database, eg: SessionStateDBPortal,

SessionStateDBMPass, etc.

2. The final step is to include the necessary data in to the web.config file. Configure the

connection string to the SessionStateDB( for parameter details refer to section 6.1 above):

<sessionState

mode="SQLServer"

allowCustomSqlDatabase="true"

sqlConnectionString="Data Source= 11.11.11.16;Failover Partner=11.11.11.17;Initial

Catalog=SessionStateDB;UID=UserName;PWD=123;"

cookieless="false"

timeout="20"

/>

Start Microsoft Internet Explorer and try to access configured site by its domain name If

portal code compilation finishes successfully, you should see “Home” page.


60


6.3. Security

The following sections do not require any amendments/configuration by administrators and

are presented as are in the web site template.

6.3.1. Debug

Compilation should be debug=false on production. No need to change.

<compilation debug="false" strict="false" explicit="true">

6.3.2. Request Validation

Pages validateRequest="true" on production. No need to change.

<pages validateRequest="true" enableEventValidation="false">

6.3.3. Tracing

Trace should be enabled=false on production. No need to change.

<trace enabled="false" localOnly="false" writeToDiagnosticsTrace="true" />

6.3.4. Errors handling

No need to change.

<customErrors mode="On" defaultRedirect="~/ServerError.aspx?error=1" />

6.3.5. Cross site scripting (XSS) vulnerability preventing

URL filtering prevents servicing the URLs with script, <script> and <, > characters. No need

to change.

<security>

<requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="true">

<denyUrlSequences>

</denyUrlSequences>

<fileExtensions allowUnlisted="true" />

<verbs allowUnlisted="true">

</verbs>

<denyQueryStringSequences>

<add sequence="script" />

<add sequence="e%3cscript%3e" />

<add sequence="e%3" />

<add sequence="%3e" />

</denyQueryStringSequences>

<filteringRules>

</filteringRules>

</requestFiltering>

</security>


61


G. Troubleshooting Installation and initial Setup

7.1. SQL Server Setup Issues

When you run SQL Server Setup, log files are created in a new timestamped log folder. The

log folder is located at%programfiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\. The

time-stamped log folder name is in the formatYYYYMMDD_hhmmss.

To troubleshoot issues the following files must be reviewed:

ConfigurationFile.ini

Summary.txt

Detail.txt

Detail_ComponentUpdate.txt

Sql_common_core_Cpu<32 and or 64>_1.log

Sql_common_core_loc_Cpu<32 and or 64>_1033_1.log

Sql_engine_core_inst_Cpu<32 and or 64>_1.log

Sql_engine_core_inst_loc_Cpu<32 and or 64>_1033_1.log

Sql_engine_core_shared_Cpu<32 and or 64>_1.log

Sql_engine_core_shared_loc_Cpu<32 and or 64>_1033_1.log

Sql_tools_Cpu<32 and or 64>_1.log

Sql_tools_loc_Cpu<32 and or 64>_1033_1.log

SqlBrowser_Cpu32_1.log

Sqlncli_Cpu<32 and or 64>_1.log

Note: In your environment, the file name and number of the log files might differ from the list

based on the installation features that are selected when you install SQL Server 2008.

7.1.1. Description of the SQL Server 2008 log files

7.1.1.1. File Summary.txt

Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\

Purpose: This log is the clean and user friendly log file that contains the basic information

about the problem. This file shows which SQL server components were detected, the

operating system environment, the command-line parameters that were specified, the values

that were specified, and the overall status of each MSI and MSP file that was executed.

Troubleshooting: To find errors in this file, search for “error” or “failed” keywords. For more

information about details of the failure, open the file that is listed in the line starting with

“Log with failure”.

7.1.1.2. File Summary_<%ComputerName%_YYYYMMDD_HHMMSS>.txt

Location: %ProgramFiles%\Microsoft SQL Server\100\Setup

Bootstrap\Log\<YYYYMMDD_HHMMSS>\Summary_<%ComputerName%_YYYYMMD

D_HHMM>txt

Purpose: This log file contains the same information as the Summary.txt file. This log might


62


also contain information about any previous SQL Server Setup attempt.

Troubleshooting: To find errors in this file, you can generally search for “error” or “failed”

keywords. For more information about details of the failure, open the file that is listed in the

line starting with “Log with failure”.

7.1.1.3. File Detail.txt


Bootstrap\Log\<YYYYMMDD_HHMM>\Detail.txt

Purpose: This log file provides a detailed log of the execution. It is organized on lines that

begin with the time stamp followed by the extension that produced the log. This is one of the

most important log files because it can be used to identify the failures that occur. The logs are

generated on a time basis. This means that the actions are logged here not by the component

that generated them but by the time at which they are invoked. This is useful to determine the

execution process step by step, the order in which actions are executed, and the dependencies

between actions. This file is generated for the main workflow such as the install, or the

upgrade workflow.

Troubleshooting: If an error occurs in the setup process, the exception or error will be logged

at the end of the file. To locate errors in this file, you must go to the end of the file and read

the actions in reverse from bottom to top to find where the exception or error is logged. Find

the line that starts with “Exit facility code” in the Summary.txt file, and then search for

“error,” “Watson bucket,” or “exception” keywords in the Detail.txt file. The search results

near the exit facility code will help you identify when and where the error first occurred.

7.1.1.4. File Detail_ComponentUpdate.txt


Bootstrap\Log\<YYYYMMDD_HHMMSS>\Detail_ComponentUpdate.txt

Purpose: This log file resembles the Detail.txt file. This file is generated for the component

update workflow.

Troubleshooting: Follow the same steps as those in the Detail.txt section.

7.1.1.5. File Detail_GlobalRules.txt


Bootstrap\Log\<YYYYMMDD_HHMMSS>\Detail_GlobalRules.txt

Purpose: This log file resembles the Detail.txt file. This file is generated for the global rules

execution.

Troubleshooting: This log file is used only if the Summary.txt file shows failures in the

SystemConfigurationCheck section. Generally, you can open and use the

SystemConfigurationCheck_Report.htm file to obtain all the information that is needed.

However, if you want additional information from this log, search for the “Rule evaluation

done : Failed” phrase in this file.

7.1.1.6. MSI log files:

<Feature>_<Architecture>_<Iteration>.log

<Feature>_<Architecture>_<Language>_<Iteration>.log

<Feature>_<Architecture>_<Iteration>_<workflow>.log


63



Bootstrap\Log\<YYYYMMDD_HHMMSS>\<Name>.log

Purpose: These log files provide a detailed log of the package installation process. These logs

are generated by the Msiexec.exe process when you install the specified package. If the setup

was successful and no errors were encountered, the log entry “Product: Product_Name -

Installation completed successfully” displays.

Troubleshooting: When you use the MSI log files, make sure that you are looking at the

original source of the problem instead of the reactive error messages. To do this, follow these

steps:

1. Sort the MSI logs in the same directory by the changed date.

2. Open each MSI log file from the bottom of the log files to each previous log. For each

log file, search for “Return value 3” or “@Microsoft” without the quotation marks.

3. Note the error message for each file until you find no error at the end of the logs. The last

log contains the original error. When you find the first occurrence in the log, you must

determine whether the entries are valid because not all “Return value 3” errors are

problems. Some of those errors are expected. If you can't determine whether the errors

are valid, we recommend that you try one of the Microsoft SQL Server support options.

7.1.1.7. SystemConfigurationCheck_Report.htm


Bootstrap\Log\<YYYYMMDD_HHMMSS>\SystemConfigurationCheck_Report.htm

Purpose: This file contains a friendly version of the rules execution status. It also provides a

short description of each executed rule.

Troubleshooting: You can open the SystemConfigurationCheck_Report.htm file and look for

the “Failed” keyword and examine if any “Warning” entries apply to your environment.

7.2. IIS Related Issues

7.2.1. Disable IE “Friendly HTTP error messages”

IE will by default replace the actual error messages coming from the server with a “friendly”

error message, which hides the error contents we need to see. For example, for a 404 Not

Found error, you may instead see the following:


64


Figure 7.2.1 IE User Friendly Error

To disable this and see the real error coming from the server, you need to go to “Tools >

Internet Options”, choose the Advanced tab, and clear the “Show friendly HTTP error

messages” checkbox. Then, close the browser, open it again, and re-request the page.

Figure 7.2.2 IE Advances Internet Options

7.2.2. Enable IIS7 detailed errors

WARNING: This troubleshooting step enables data disclosure vulnerability!

Make sure you disable the detailed errors, when obtained the error text.

IIS7 introduces a new custom errors feature, which by default hides the error responses issued

by the server to remote clients, replacing them with a basic error message. This is critical for

security of your site, as errors frequently contain sensitive information that you don’t want

others to see, but makes getting to the bottom of the problem harder since you cannot see

those very error details. So, if you are requesting your site from another machine, you may

still get a basic error that looks like this:


65


Figure 7.2.3 Server Error Message

There are two options here:

1) Make the request locally from the server machine.

By default, you will get the detailed error.

2) Enable detailed errors for remote clients.

First, if your error is an ASP.NET exception (you can tell if it says “Runtime Error” and has

the framework version), please be aware that ASP.NET overrides the IIS custom error

mechanism with its own implementation of custom errors, so you should turn the ASP.NET

custom errors off to see detailed ASP.NET exceptions. You DO NOT have to configure IIS7

custom errors for ASP.NET exceptions (it would be silly to have to do it in two places). To

turn off ASP.NET custom errors, place the following in your web.config:

<system.web>

<customErrors mode=”Off” />

</system.web>

If the error is not an ASP.NET error, turning off IIS7 custom errors will allow error responses

from your application to be sent to remote clients without being censored by the IIS7’s custom

errors module.

Now, you should be getting detailed errors back:


66


Figure 7.2.4 Detailed IIS Error

m2133 configuration guide -...

Documents