M2133 Configuration Guide -...
WebAssembler System Installation and Configuration Guide
1
WebAssembler 5.0 Installation Guide Version 1.1, Developed by ALFA-XP, LLC. Page 1 of 66
WebAssembler .NET v5.0
Installation and Configuration Guide
Version 1.1
Table of Contents
A. Introduction
1.1. Executive summary
1.2. Purpose
1.3. Scope and Target Audience
B. System Infrastructure
2.1. Deployment Platform
2.2. System Infrastructure
2.3. Server Installation Overview
C. Setting up and configuring Database Server
3.1. Prerequisites
3.2. Installation Procedure for New SQL Server 2008 R2 Instances on Windows 2008 R2
3.3. Application Database Restore Procedure
3.4. Create database users
3.4. Users already exist
3.4.2. No Users in the Restored Database
3.5. Setting Up Database Mirroring Using Certificates (Transact-SQL)
3.5.1 General Considerations
3.5.2 Configuring Outbound Connections
3.5.3 Configuring Inbound Connections
3.5.4 Creating the Mirror Database
3.5.5 Configuring the Mirroring Partners
3.6. MS SQL Server Security Tightening
3.6.1 Configuring Services' Accounts
3.6.2 Authentication Mode
3.6.3 Surface Area Reduction
3.6.4 Password Policy
3.6.5 Server hardening using the SQL Server Security Template
D. Setting Up Web Server
4.1. Prerequisites
4.2. Install IIS 7 on Windows Server 2008 R2
4.3. General Web Site Configuration
4.4. Server hardening using the Web Server Security Template
E. Deploying Web Applications
4.5. Deployment from Archived File
F. Configuration of Web Application Settings
6.1. SQL Connection Configuration
6.2. Setting Up Shared ASP.NET Session State Storage
6.2.1 SQL Server Session Management Mode
6.3. Security
6.3.1 Debug
6.3.2 Request Validation
6.3.3 Tracing
6.3.4 Errors handling
6.3.5 Cross site scripting (XSS) vulnerability preventing
G. Troubleshooting Installation and initial Setup
7.1. SQL Server Setup Issues
7.1.1 Description of the SQL Server 2008 log files
7.2. IIS Related Issues
A. Introduction
1.1. Executive summary
The WebAssembler Installation and Configuration Guide describes the sequence for installing
the system components needed to deploy the system onto a prepared operational network and
server infrastructure. The Guide covers all the installation steps required for system
deployment, based on Microsoft installation procedures. Installation of the network
infrastructure, hardware and networking server platform, as well as installation and
configuration of system services other than WWW and SQL, are out of the scope of this
document.
1.2. Purpose
The purpose of this document is to give system administrators guidelines on how to
configure and deploy the WebAssembler Platform.
1.3. Scope and Target Audience
This Installation and Configuration Guide describes the actions for configuring the services
that support the web application and presumes that the operating system, Microsoft Windows
Server 2008 Standard, is already installed on the server computer.
The guide is addressed to System Administrators, Database Administrators and Application
Developers. The minimum knowledge required to use this guide is: MS SQL Server
Administration, implementing IIS for ASP.NET web applications, and an understanding of
the ASP.NET configuration file structure.
B. System Infrastructure
2.1. Deployment Platform
The system components can be deployed onto the Windows 2008/2012 Server
Standard/Enterprise Edition server platform and Microsoft SQL 2008R2/SQL 2012, linked
using a 100Mbit/1Gbit/10Gbit TCP/IP network.
2.2. System Infrastructure
The following diagram displays three possible implementations of WebAssembler
Infrastructure:
[Diagram of the three deployment models. "Small Business" Model: Remote Users, WAN/Internet,
Router, LAN, combined Application and Database server. "Standard" Model: Remote Users,
WAN/Internet, Router, LAN, Application server, separate Database server. "Enterprise" Model:
Remote Users, WAN/Internet, Router, LAN, Single Application server or NLB Cluster, Highly
Available Database server, SQL Witness.]
Figure 2.1 WebAssembler Infrastructure
The Small Business Model assumes that the system workload is low enough to consolidate the
Application Server and Database Server on the same physical server, reducing the final cost
of the system. The Standard Model requires separate servers for the Application and the
Database Engine. If data security requires it, the Database Engine may also be located in a
separate LAN segment. The Enterprise Model should be used in mission-critical applications
and under heavy system load (1000 simultaneous users, etc.).
Please note that all of the presented models can be implemented in both physical and virtual
environments.
2.3. Server Installation Overview
Several types of servers are used in the production architecture of the
WebAssembler Platform:
1. Web application server(s) - hosting Application Portal;
2. Database server(s) - managing Application databases;
3. SQL Witness server - hosting SQL Mirroring witness service (only if Enterprise Model
is used).
The installation procedure presumes the following major steps:
1. Setting up the database servers first as the most independent services, then
2. Setting up the web servers,
3. Deploying and configuring the web applications to work with the installed database
servers.
C. Setting up and configuring Database Server
3.1. Installation Procedure for New SQL Server 2008 R2 Instances on Windows 2008 R2
1. Log on to the machine with Remote Desktop and load the installation media. Run Setup from
the root of the media. As a prerequisite, the .NET Framework Core role must be enabled, so
click OK for the update.
Figure 3.1.1 Microsoft .Net Framework Warning
2. Click on Installation, then 'New SQL Server stand-alone installation…' (top)
Figure 3.1.2 Installation options
3. Let the setup rules check run:
Figure 3.1.3 Setup Rules Validation
Make sure the product key has been taken automatically from the ISO, or enter it manually.
4. Accept the terms and conditions
Figure 3.1.4 Terms and Conditions
5. Click Install
Figure 3.1.5 Installation
6. Make sure the pre-install checklist shows a Passed status for each rule, then click Next.
Figure 3.1.6 Preinstall check-list
7. DB Server - Do not choose default, continue with Feature Selection for a Server install
Figure 3.1.7 Feature selection
8. A new installation step added in 2008 R2 is this Installation Rule Confirmation:
Figure 3.1.8 Installation Rules
9. Choose Default instance (so that the machine is accessed directly at ServerName), or specify
an instance name (as in ServerName\InstanceName) if one is required and several instances are
on the same machine.
Figure 3.1.9 Instance Configuration
Click Next (make sure everything is run on C drive).
As mentioned above, if you need to create a specific instance\alias name, this is where you
specify it, by selecting Named instance.
10. Validate Disk Space Requirements and click Next
Figure 3.1.10 Disk space requirements
11. Server Configuration.
Click on Use the same account for all SQL Server services.
Figure 3.1.11 SQL Server Configuration
Leave the Collation tab as is; SQL_Latin1_General_CP1_CI_AS is the default and is Accent
Sensitive and Case Insensitive.
12. Select Authentication Mode
Select Mixed Authentication mode, and provide a strong password for the "sa" account.
13. Set root directories for SQL database files
Provide paths for Data, System DBs, User DBs, Temp and Backups.
If the data is placed on a separate drive, follow the screenshot.
Figure 3.1.12 Placing data on separate drive
14. Verify Installation Configuration Rules.
Figure 3.1.13 Installation Configuration Rules
15. Validate the installation (this is the point of no return):
Figure 3.1.14 Ready to Install
The install will take a while (20-25 minutes depending on the strength of the machine).
Be patient, this will take a long time…
Figure 3.1.15 Installation Progress
16. Confirmation of successful install.
Figure 3.1.16 Install Complete Screen
17. Reboot the server once the installation is finished.
Figure 3.1.17 Shutdown event Tracker
18. Configure the network access:
Figure 3.1.18 Network Access Configuration
19. Enable the address that will be used to connect.
Figure 3.1.19 Connection address enablement
20. Check the Model Database. A typical database configuration should look like this:
Figure 3.1.20 New Database
Verify that the default recovery model is set to Full.
21. On the Windows 2008 Server hosting the MS SQL Server, configure Windows Firewall to
allow inbound connections to ports 1433 (TCP and UDP), 1434 (TCP and UDP) and 7024 (TCP).
Please note: if the Database Server is located in a separate network segment, you should also
open the same ports on the router that manages these network segments.
a. Open Windows Firewall with Advanced Security.
b. Add a new Inbound Rule of type "Port"
Figure 3.1.21 Rule Type
c. Specify TCP port numbers 1434 and 1433
Figure 3.1.22 Protocol and Ports
d. Specify action as "Allow Connection"
Figure 3.1.23 Action Type Specification
e. Leave profile default settings - all checked
f. Specify the name and description of the rule
Figure 3.1.24 Rule’s name and direction specification
g. Inbound Rule for TCP ports configuration complete.
22. Return to step 21 and go through items (a-g) again to create an additional "Inbound"
rule that allows UDP traffic for the same ports (1433, 1434).
23. Return to step 21 and go through items (a-g) two more times to create additional rules
in the "Outbound" firewall settings section for TCP ports (1433, 1434) and UDP ports
(1433, 1434).
24. If Microsoft SQL Database mirroring is used in the WebAssembler setup, the mirroring
endpoint port should also be opened on Windows Firewall. Microsoft manuals suggest ports
7022 or 7023 as default values. In this manual TCP port 7024 is used for Database
mirroring (see 3.5.2 and 3.5.5). Return to step 21 and go through items (a-g) to create
additional rules in the "Inbound" and "Outbound" firewall settings sections for TCP port 7024.
25. Technet.microsoft.com also recommends configuring MSSQL service and MSSQL
browser service access on Windows Firewall (especially when SQL instances and dynamic
TCP ports are used).
a. Open Windows Firewall advanced settings and create an additional rule in the "Inbound"
firewall settings for the Microsoft SQL service (executable file):
b. Open the "Services" Microsoft Management Console, scroll to the SQL Server instance
you need to allow through the firewall, and select "Properties":
c. Open the "General" tab, locate the "Path to executable" section and copy the string to
the clipboard (D:\MSSQL\MSSQL11.MSSQL2012\MSSQL\Binn\sqlservr.exe on the
screenshot):
d. Paste the copied string from the clipboard into the "Program" window of the firewall rule
creation wizard:
e. Allow the connection; click "Next" and save the created rule as "MSSQL Service".
Return to step 25 and perform (a-e) in the "Outbound" firewall settings for the Microsoft SQL
service (executable file).
26. Perform (a-e) two more times, for "Inbound" and "Outbound" rules, to allow the SQL
Browser process to access the network (this is necessary to locate a remote SQL instance by
name).
Copy the "Path to Executable" of sqlbrowser.exe (C:\Program Files (x86)\Microsoft SQL
Server\90\Shared\sqlbrowser.exe; it may vary!) to the firewall rule "Program" window.
Paste the "Path to Executable" into the firewall rule "Program" window and click Next:
Set the Action to "Allow" and proceed with the configuration.
Please note: Windows Firewall rules for TCP/UDP ports 1433, 1434, 7024 and the SQL
Server/SQL Browser services should be configured on both mirrored MS SQL Server
computers and on the Witness computer!
27. Installing and troubleshooting .NET 3.51 Installations for SQL Server 2012 on Windows
Server 2012
If .NET 3.51 is not installed, SQL Server will detect this during Setup as shown in Figure 1.
As you can see, SQL Server knows it needs to be enabled (“Windows feature(s) to be turned
on:”), and will attempt to do so during the installation process.
Figure 1. Setup showing .NET 3.51 needs to be installed
Once you get through the configuration screens, Setup will start installing SQL Server. The
status shown in Figure 2 is where Feature NetFx3 installation is attempted.
Installation failed because it couldn’t find the path to install .NET 3.51 from.
Use the command line tool dism as Administrator.
dism /online /enable-feature /all /featurename:NetFx3 /source:h:\sources\sxs
Where <Drive>\sources\sxs is the path to the Windows installation disk (for example,
D:\sources\sxs\).
Figure 5. Successful installation of .NET 3.51 NetFx3 feature
Now when you run SQL Server 2012's Setup again, it reflects that .NET 3.51 is installed:
Figure 6. .NET 3.51 installed – SQL Server should install just fine
3.2. Application Database Restore Procedure
The application databases are restored from the Full Database Backups. Backup files are
obtained either from the actual backup repository of the client, or created from the test server
databases.
WARNING: Test server databases do not contain the latest versions of data!
Note: The screenshots display a sample database name and backup set. During the restore
procedure you must select the appropriate name of the database being restored.
1. Start SQL Server Management Studio on the database server:
Figure 3.2.1 SQL server Management Studio Path
2. Right-click on “Databases” node of the console and select “Restore Database…”
Figure 3.2.2 Restore Database Menu Item
3. Select “From Device” in “Source for restore” section of the “General” node, click […] button
at the right. “Specify Backup” window will open. Select “Backup Media” File, click
“Add” button, select path to database backup file and click OK to confirm:
Figure 3.2.3 Backup Window
4. Tick “Restore” checkbox in “Select the backup set to restore” and select the database name in
“Destination to Restore” “To database” field.
Figure 3.2.4 Destination Window
5. Switch to the “Options” node and make sure “Leave database ready for use” is selected in the
“Recovery state” section. Set the “Overwrite” checkbox to overwrite an existing database, or
clear this checkbox if the database does not exist yet:
Figure 3.2.5 Restore Options
6. Click “OK” to confirm database restore. Check that restore operation finished with no errors.
3.3. Create database users
A user is a database level security principal. Logins must be mapped to a database user to
connect to a database.
In order to enable applications to connect to the database servers, there must be SQL logins
and database users created.
3.3.1. Users already exist
If the database backups already contain users, create a login in SQL Server and map it to
the existing user with the following T-SQL script, amended for each database, login and
user.
Note: replace the #-values with appropriate data
CREATE LOGIN #ServerLogin
WITH PASSWORD = '#password';
USE #Database;
GO
-- Re-link the restored database user to the new server login
ALTER USER #DatabaseUser WITH LOGIN = #ServerLogin;
GO
Run the script for each database amending the login, user, password and database name.
3.3.2. No Users in the Restored Database
Follow the next steps to create logins and database users:
Note: The steps starting from the 4th must be repeated for each database.
1. Connect to the MS SQL Server instance where you have restored the databases, using
SQL Server Management Studio.
2. Log in as the SQL Server administrator.
3. In Object Explorer, expand the Databases folder.
4. Expand the database in which to create the new database user.
5. Right-click the Security folder, point to New, and select User….
6. In the Database User – New dialog box, on the General page, select the Login name
radio button.
7. In the User name box, enter a name for the new user. Follow the template
#sitename_user
8. In the Login name box, enter the login for the user. Follow the template
#sitename_login
9. In the Owned schemas box, specify db_datareader and db_datawriter.
10. Click OK.
11. Repeat from step 4 for each database.
Alternatively, the logins and users can be created with the following T-SQL script, amended
for each database, login and user.
Note: replace the #-values with appropriate data
CREATE LOGIN #ServerLogin
WITH PASSWORD = '#password';
USE #Database;
GO
CREATE USER #DatabaseUser FOR LOGIN #ServerLogin;
GO
Run the script for each database amending the login, user, password and database name.
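The following T-SQL is an added example, not part of the original guide. It lists the users in a restored database that have no matching login on the new server, re-links one of them as in 3.3.1, and adds it to the data reader and writer roles. AppDatabase, sitename_login and sitename_user are placeholder names that follow the guide's templates, and the password is a placeholder to replace.

```sql
-- Added example. AppDatabase, sitename_login and sitename_user are placeholders.
USE AppDatabase;
GO

-- 1. Find orphaned users: SQL users that came with the backup but whose SID
--    matches no login on this server. They exist in the database but nothing
--    can connect as them until a login is linked.
SELECT dp.name      AS orphaned_user,
       dp.type_desc AS user_type,
       dp.sid       AS user_sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE dp.type = 'S'          -- SQL users only
  AND dp.principal_id > 4    -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.sid IS NULL
ORDER BY dp.name;
GO

-- 2. Create the login only if it is missing, with the Windows password
--    policy enforced, then link the restored user to it.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'sitename_login')
BEGIN
    CREATE LOGIN sitename_login
        WITH PASSWORD = '<replace_with_strong_password>',
             CHECK_POLICY = ON;
END;
GO

ALTER USER sitename_user WITH LOGIN = sitename_login;
GO

-- 3. Give the application user read and write access to data only.
--    sp_addrolemember works on SQL Server 2008 R2 and 2012.
EXEC sp_addrolemember N'db_datareader', N'sitename_user';
EXEC sp_addrolemember N'db_datawriter', N'sitename_user';
GO

-- 4. Re-run the orphan check for this user; it should return no rows now.
SELECT dp.name AS still_orphaned
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE dp.name = N'sitename_user'
  AND sp.sid IS NULL;
GO
```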
3.4.3. Configure access rights for NT/ANONYMOUS LOGON User.
To tighten Internet Information Services (IIS) security settings, the System Administrator may
consider using "Integrated User Authentication" (the user name and password are hashed
before being sent across the network; the client browser proves its knowledge of the password
through a cryptographic exchange with your Web server, involving hashing). This approach
requires configuring access to the database for the NT/ANONYMOUS LOGON user. More
details on this will be given in P.11 of Application configuration.
If this is not configured properly, the error [Login failed for user 'NT AUTHORITY\ANONYMOUS
LOGON...] is displayed in the client browser, because the SQL Server Engine does not have a
login account for your Windows login account.
To fix this issue:
a. Open the Microsoft SQL Management Studio console, navigate to Security -> Logins,
right-click and select "New Login" from the pop-up menu:
b. Click "Search" button next to "Login Name" field. "Select User and Group" window
will open.
c. Click "Advanced" button, then "Find Now" button in newly opened "Select User
and Group" window.
d. Find "ANONYMOUS LOGON" in the list of available users
e. Right-click on the "NT AUTHORITY/ANONYMOUS LOGON" user and select
"Properties".
f. In the "Logon Properties" window, select the "User Mapping" node and make sure the "NT
AUTHORITY/ANONYMOUS LOGON" user has the "db_owner" check box set in the
"Database Role Membership for:" section for the target database selected in the "Users
Mapped to this Login" section:
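The queries below are an added example, not part of the original guide. They show which principals hold administrative database roles after the User Mapping step, and whether the ANONYMOUS LOGON login also holds any server-level role, so the result of step (f) can be reviewed. AppDatabase is a placeholder database name.

```sql
-- Added example. AppDatabase is a placeholder for the target database.
USE AppDatabase;
GO

-- 1. Members of the administrative fixed database roles, with the server
--    login each database user is linked to. Built-in Windows principals
--    such as NT AUTHORITY\ANONYMOUS LOGON are flagged for review.
SELECT r.name      AS role_name,
       m.name      AS member_user,
       m.type_desc AS member_type,
       sp.name     AS server_login,
       CASE WHEN sp.name LIKE N'NT AUTHORITY\%'
            THEN 'built-in Windows principal'
            ELSE ''
       END         AS note
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
     ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
     ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals AS sp
     ON sp.sid = m.sid
WHERE r.name IN (N'db_owner', N'db_securityadmin',
                 N'db_accessadmin', N'db_ddladmin')
ORDER BY r.name, m.name;
GO

-- 2. Server-level roles held by the same login. The procedure above maps
--    the login to one database only, so this is expected to return no rows.
SELECT sr.name AS server_role,
       sl.name AS login_name
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS sr
     ON sr.principal_id = srm.role_principal_id
JOIN sys.server_principals AS sl
     ON sl.principal_id = srm.member_principal_id
WHERE sl.name = N'NT AUTHORITY\ANONYMOUS LOGON';
GO
```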
3.4. Setting Up Database Mirroring Using Certificates (Transact-SQL)
This section shows all the stages required to create a database mirroring session using
certificate-based authentication. The examples in this topic use Transact-SQL. Unless you can
guarantee that your network is secure, we recommend that you use encryption for database
mirroring connections.
When copying a certificate to another system, use a secure copy method. Be extremely careful
to keep all of your certificates secure.
If the System Administrator is configuring WebAssembler in the Small Business or Standard
Model, this section should be omitted.
3.4.1. General Considerations
The following example demonstrates what must be done on one partner that resides on
HOST_A. In this example, the two partners are the default server instances on three computer
systems. The two server instances run in nontrusted Windows domains, so certificate-based
authentication is required.
Figure 3.4.1.1 SQL Server Mirroring Schema
The initial principal role is taken by HOST_A (Master DB Server), and the mirror role is taken
by HOST_B (Mirror DB Server).
Setting up database mirroring using certificates involves four general stages. These stages are
as follows:
1. Configuring Outbound Connections
This example shows the steps for:
a. Configuring Host_A for outbound connections.
b. Configuring Host_B for outbound connections.
c. The same needs to be done on the Witness server!
2. Configuring Inbound Connections
This example shows the steps for:
a. Configuring Host_A for inbound connections.
b. Configuring Host_B for inbound connections.
c. The same needs to be done on the Witness server!
3. Creating the Mirror Database
4. Configuring the Mirroring Partners
3.4.2. Configuring Outbound Connections
Please note: 1) The Computer Name (Start -> Computer -> Properties -> Computer name,
domain, and workgroup settings -> Computer Name) should be different for the Principal,
Mirror and Witness servers in Workgroup and Domain environments. 2) Use the Computer
Name or Computer Name\Instance Name (depending on the MS SQL installation, see Figure
3.4.2.1 Instance Configuration) instead of IP addresses during SQL mirroring setup.
To configure Host_A for outbound connections
1. On the master database, create the database master key.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<1_Strong_Password!>';
GO
*** To remove existing Master Key use:
DROP MASTER KEY
2. Make a certificate for this server instance.
USE master;
CREATE CERTIFICATE HOST_A_cert
WITH SUBJECT = 'HOST_A certificate';
GO
*** To view the certificates in the master database, you can use the following Transact-SQL
statements:
USE master;
SELECT * FROM sys.certificates;
3. Create a mirroring endpoint for server instance using the certificate.
CREATE ENDPOINT Endpoint_Mirroring
STATE = STARTED
AS TCP (
LISTENER_PORT=7024
, LISTENER_IP = ALL
)
FOR DATABASE_MIRRORING (
AUTHENTICATION = CERTIFICATE HOST_A_cert
, ENCRYPTION = REQUIRED ALGORITHM AES
, ROLE = ALL
);
GO
*** Ensure that the database mirroring endpoint exists on each of the server instances.
If a database mirroring endpoint already exists for the server instance, you should reuse that
endpoint for any other sessions you establish on the server instance. To determine whether a
database mirroring endpoint exists on a server instance and to view its configuration, use the
following statement:
SELECT name, role_desc, state_desc, connection_auth_desc, encryption_algorithm_desc
FROM sys.database_mirroring_endpoints;
*** To remove old (existing) endpoint use:
DROP ENDPOINT endPointName
4. Back up the HOST_A certificate, and copy it to the other systems, HOST_B and Witness. The
certificate file can be saved to any other location where the SQL Server service has write
permission.
BACKUP CERTIFICATE HOST_A_cert TO FILE = 'C:\HOST_A_cert.cer';
GO
5. Using any secure copy method, copy C:\HOST_A_cert.cer to HOST_B and WITNESS server.
To configure Host_B for outbound connections
1. On the master database, create the database master key.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Strong_Password_#2>';
GO
2. Make a certificate on the HOST_B server instance.
CREATE CERTIFICATE HOST_B_cert
WITH SUBJECT = 'HOST_B certificate for database mirroring';
GO
3. Create a mirroring endpoint for the server instance on HOST_B.
CREATE ENDPOINT Endpoint_Mirroring
STATE = STARTED
AS TCP (
LISTENER_PORT=7024
, LISTENER_IP = ALL
)
FOR DATABASE_MIRRORING (
AUTHENTICATION = CERTIFICATE HOST_B_cert
, ENCRYPTION = REQUIRED ALGORITHM AES
, ROLE = ALL
);
GO
4. Back up HOST_B certificate.
BACKUP CERTIFICATE HOST_B_cert TO FILE = 'C:\HOST_B_cert.cer';
GO
5. Using any secure copy method, copy C:\HOST_B_cert.cer to the HOST_A and Witness servers.
To configure Witness for outbound connections
1. On the master database, create the database master key.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<Strong_Password_#3>';
GO
2. Make a certificate on the Witness server instance.
CREATE CERTIFICATE Witness_cert
WITH SUBJECT = 'Witness certificate for database mirroring';
GO
3. Create a mirroring endpoint for the server instance on Witness.
CREATE ENDPOINT Endpoint_Mirroring
STATE = STARTED
AS TCP (
LISTENER_PORT=7024
, LISTENER_IP = ALL
)
FOR DATABASE_MIRRORING (
AUTHENTICATION = CERTIFICATE Witness_cert
, ENCRYPTION = REQUIRED ALGORITHM AES
, ROLE = WITNESS
);
GO
4. Back up Witness certificate.
BACKUP CERTIFICATE Witness_cert TO FILE = 'C:\Witness_cert.cer';
GO
5. Using any secure copy method, copy C:\Witness_cert.cer to the HOST_A and HOST_B servers.
3.4.3. Configuring Inbound Connections
To configure Host_A for inbound connections
1. Create a login on HOST_A for HOST_B and Witness server.
USE master;
CREATE LOGIN HOST_B_login WITH PASSWORD = '1Sample_Strong_Password!@#';
GO
USE master;
CREATE LOGIN Witness_login WITH PASSWORD = '2Sample_Strong_Password!@#';
GO
2. Create a user for that login.
CREATE USER HOST_B_user FOR LOGIN HOST_B_login;
GO
CREATE USER Witness_user FOR LOGIN Witness_login;
GO
3. Associate the certificate with the user.
CREATE CERTIFICATE HOST_B_cert
AUTHORIZATION HOST_B_user
FROM FILE = 'C:\HOST_B_cert.cer'
GO
CREATE CERTIFICATE Witness_cert
AUTHORIZATION Witness_user
FROM FILE = 'C:\Witness_cert.cer'
GO
4. Grant CONNECT permission on the login for the remote mirroring endpoint.
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_B_login];
GO
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [Witness_login];
GO
To configure Host_B for inbound connections
1. Create a login on HOST_B for HOST_A and Witness server.
USE master;
CREATE LOGIN HOST_A_login WITH PASSWORD = '=Sample#2_Strong_Password2';
GO
USE master;
CREATE LOGIN Witness_login WITH PASSWORD = '=Sample#2_Strong_Password3';
GO
2. Create a user for that login.
CREATE USER HOST_A_user FOR LOGIN HOST_A_login;
GO
CREATE USER Witness_user FOR LOGIN Witness_login;
GO
3. Associate the certificate with the user.
CREATE CERTIFICATE HOST_A_cert
AUTHORIZATION HOST_A_user
FROM FILE = 'C:\HOST_A_cert.cer'
GO
CREATE CERTIFICATE Witness_cert
AUTHORIZATION Witness_user
FROM FILE = 'C:\Witness_cert.cer'
GO
4. Grant CONNECT permission on the login for the remote mirroring endpoint.
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_A_login];
GO
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [Witness_login];
GO
To configure Witness for inbound connections
1. Create a login on Witness server for HOST_A and HOST_B.
USE master;
CREATE LOGIN HOST_A_login WITH PASSWORD = '=Sample#2_Strong_Password1';
GO
USE master;
CREATE LOGIN HOST_B_login WITH PASSWORD = '=Sample#2_Strong_Password2';
GO
2. Create users for that login.
CREATE USER HOST_A_user FOR LOGIN HOST_A_login;
GO
CREATE USER HOST_B_user FOR LOGIN HOST_B_login;
GO
3. Associate the certificate with the user.
CREATE CERTIFICATE HOST_A_cert
AUTHORIZATION HOST_A_user
FROM FILE = 'C:\HOST_A_cert.cer'
GO
CREATE CERTIFICATE HOST_B_cert
AUTHORIZATION HOST_B_user
FROM FILE = 'C:\HOST_B_cert.cer'
GO
4. Grant CONNECT permission on the login for the remote mirroring endpoint.
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_A_login];
GO
GRANT CONNECT ON ENDPOINT::Endpoint_Mirroring TO [HOST_B_login];
GO
3.4.4. Creating the Mirror Database
1. Connect to principal server instance.
2. Create a full database backup of the principal database.
3. Back up the transaction log on the principal database.
4. Copy the database and log backups to the system that will host the mirror server
instance.
5. Connect to mirror server instance.
6. Using RESTORE WITH NORECOVERY, create the mirror database by restoring
the full database backup onto the mirror server instance.
7. Using RESTORE WITH NORECOVERY, apply any outstanding log backup or
backups to the mirror database.
3.4.5. Configuring the Mirroring Partners
Note: Here we describe the configuration procedure for the WebAssemblerDB database. The
configuration must be repeated for each database that requires mirroring.
1. On the mirror server instance on HOST_B, set the server instance on HOST_A as the partner
(making it the initial principal server instance). Substitute a valid network address for
TCP://HOST_A:7024.
Make sure that the recovery model of the restored database is set to Full. At HOST_B, set
server instance on HOST_A as partner (principal server):
ALTER DATABASE WebAssemblerDB
SET PARTNER = 'TCP://HOST_A:7024';
GO
2. On the principal server instance on HOST_A, set the server instance on HOST_B as the
partner (making it the initial mirror server instance). Substitute a valid network address for
TCP://HOST_B:7024.
At HOST_A, set server instance on HOST_B as partner (mirror server).
ALTER DATABASE WebAssemblerDB
SET PARTNER = 'TCP://HOST_B:7024';
GO
3. On the principal server (HOST_A), set the Witness server instance as the witness. Substitute a
valid network address for TCP://Witness:7024.
ALTER DATABASE WebAssemblerDB
SET WITNESS = 'TCP://Witness:7024';
GO
Leave transaction safety set to FULL (the default setting) and add the witness as soon as
possible after executing the second SET PARTNER 'partner_server' statement.
Note that the witness must first be configured for outbound and inbound connections.
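The queries below are an added example, not part of the vendor's procedure. They check the result of sections 3.4.2 to 3.4.5 using standard catalog views, and assume the names used in this guide (Endpoint_Mirroring, port 7024, WebAssemblerDB).

```sql
-- Added verification example; not part of the original guide.
-- Assumes the names used in this guide: Endpoint_Mirroring, port 7024.
USE master;
GO

-- 1. Endpoint settings (run on HOST_A, HOST_B and Witness).
SELECT e.name,
       e.state_desc,                 -- expected: STARTED
       e.role_desc,                  -- expected: ALL on HOST_A/HOST_B, WITNESS on Witness
       e.connection_auth_desc,       -- expected: CERTIFICATE
       e.is_encryption_enabled,      -- expected: 1
       e.encryption_algorithm_desc,  -- expected: AES
       t.port,                       -- expected: 7024
       c.name        AS endpoint_certificate,
       -- A certificate created without EXPIRY_DATE is valid for one year
       -- from its start date; plan the renewal before this date.
       c.expiry_date AS certificate_expires
FROM sys.database_mirroring_endpoints AS e
JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id
LEFT JOIN sys.certificates AS c ON c.certificate_id = e.certificate_id;
GO

-- 2. Logins allowed to connect to the endpoint. Only the partner and
--    witness logins created in section 3.4.3 should be listed.
SELECT pr.name AS grantee,
       pe.permission_name,           -- expected: CONNECT
       pe.state_desc                 -- expected: GRANT
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.endpoints          AS ep ON ep.endpoint_id  = pe.major_id
WHERE pe.class_desc = 'ENDPOINT'
  AND ep.name = 'Endpoint_Mirroring';
GO

-- 3. Certificates imported from the other servers (public key only),
--    with the user that owns each one and the login it maps to.
SELECT c.name        AS imported_certificate,
       dp.name       AS owner_user,
       sp.name       AS mapped_login,
       c.expiry_date AS certificate_expires
FROM sys.certificates AS c
JOIN sys.database_principals AS dp ON dp.principal_id = c.principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE c.pvt_key_encryption_type = 'NA';   -- NA = no private key stored
GO

-- 4. Mirroring session state (run on HOST_A and HOST_B).
SELECT DB_NAME(m.database_id)        AS database_name,
       m.mirroring_role_desc,          -- PRINCIPAL or MIRROR
       m.mirroring_state_desc,         -- expected: SYNCHRONIZED
       m.mirroring_safety_level_desc,  -- expected: FULL
       m.mirroring_partner_name,       -- TCP://<partner>:7024
       m.mirroring_witness_name,       -- TCP://<witness>:7024
       m.mirroring_witness_state_desc  -- expected: CONNECTED
FROM sys.database_mirroring AS m
WHERE m.mirroring_guid IS NOT NULL;    -- only databases that are mirrored
GO
```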
3.5. MS SQL Server Security Tightening
3.5.1. Configuring Services' Accounts
SQL Server services must be configured to run under specially created Windows accounts, set up as
local user accounts with no Windows administrative privileges. The accounts must be set up for the
following main services:
Sql Server - NT Service\MSSQL$SQLEXP2008 with strong password (this account needs to be created in Windows users database)
Sql Server Agent - NT AUTHORITY\NETWORKSERVICE - this account must be able to write to the backup folder.
Sql Server Browser - NT AUTHORITY\LOCALSERVICE
This arrangement applies two concepts: minimum privileges and account isolation.
3.5.2. Authentication Mode
In an environment with Mixed Mode Authentication, to avoid attacks against the "sa" user, it is
required to:
rename "sa" with another name
use a strong password that is difficult to brute-force for the renamed "sa"
3.5.3. Surface Area Reduction
The following features of the Database Engine are disabled by default:
Ad hoc distributed queries
Common language runtime (CLR) integration
Dedicated administrator connection (DAC)
Database Mail (required)
Native XML Web services
OLE Automation stored procedures
Service Broker
Web Assistant stored procedures
xp_cmdshell
3.5.4. Password Policy
Because the connection settings for the application are stored in the application configuration file,
some of the usual password policy restrictions cannot be applied.
It is required to maintain the following restrictions:
Minimum password length (minimum number of characters; the range is [1-14]) set to at least 10.
Password must meet complexity requirements (no two consecutive characters of the account name, minimum 6 characters belonging to at least three of the categories [A-Z], [a-z], [0-9], or characters like !, %, #, $ etc.)
Other restrictions, like account lockout, password expiration and others are not applicable.
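The following audit queries are an added example, not part of the vendor's guide. They report the current state of the settings named in sections 3.5.2 to 3.5.4. The placeholder <New_Admin_Name> and the mapping of the password rules to CHECK_POLICY are assumptions of this example.

```sql
-- Added audit example; not part of the original guide.
USE master;
GO

-- 3.5.2: authentication mode. 1 = Windows Authentication only, 0 = Mixed Mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3.5.2: the built-in administrator login keeps SID 0x01 after a rename,
-- so this query shows its current name.
SELECT name AS builtin_admin_login,
       is_disabled,
       CASE WHEN name = 'sa' THEN 'REVIEW: not renamed'
            ELSE 'OK: renamed' END AS result
FROM sys.sql_logins
WHERE sid = 0x01;

-- Rename statement; <New_Admin_Name> is a placeholder chosen by the administrator.
-- ALTER LOGIN sa WITH NAME = [<New_Admin_Name>];
GO

-- 3.5.3: server-level features. Database Mail is marked "required" in this
-- guide, so 1 is the expected value for it and 0 for the others.
-- 'remote admin connections' governs DAC connections from remote hosts.
-- Web Assistant is left out: it is a SQL Server 2005 option with no row in
-- sys.configurations on SQL Server 2008 R2.
SELECT c.name,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE
         WHEN c.name = 'Database Mail XPs'
              AND CAST(c.value_in_use AS int) = 1 THEN 'OK (required)'
         WHEN c.name <> 'Database Mail XPs'
              AND CAST(c.value_in_use AS int) = 0 THEN 'OK (disabled)'
         ELSE 'REVIEW'
       END AS result
FROM sys.configurations AS c
WHERE c.name IN ('Ad Hoc Distributed Queries',
                 'clr enabled',
                 'remote admin connections',
                 'Database Mail XPs',
                 'Ole Automation Procedures',
                 'xp_cmdshell')
ORDER BY c.name;
GO

-- 3.5.3: Service Broker is a per-database setting (user databases only here).
SELECT name AS database_name, is_broker_enabled
FROM sys.databases
WHERE database_id > 4;

-- 3.5.3: Native XML Web services are exposed as SOAP endpoints.
-- Expected: no rows.
SELECT name, state_desc
FROM sys.endpoints
WHERE type_desc = 'SOAP';
GO

-- 3.5.4: per-login policy flags for SQL Server logins.
-- Assumption of this example: the length and complexity rules are enforced
-- through CHECK_POLICY (is_policy_checked = 1), while password expiration,
-- which the guide marks as not applicable, stays off (is_expiration_checked = 0).
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE name NOT LIKE '##%'          -- skip internal ##MS_...## logins
ORDER BY name;
GO
```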
3.5.5. Server hardening using the SQL Server Security Template
A Security Template can control almost any security option or setting on a server. Security
Templates can control user rights, permissions, password policies, software policies, and so
forth. We provided the security template tuned for SQL Server operation.
1. Use the MMC (Start -> Run -> MMC).
2. Then go to File -> Add/Remove Snap-in, click Add, and choose Security Templates.
3. Click Add, Close, and OK. The policies present will be listed.
4. Apply the template using the Security Configuration and Analysis Snap-in for the
MMC:
5. Open Database-> New
6. Import Template from file "SQLServer.inf"
7. Analyze Computer Now
8. Check View Log File
Verify the settings suggested in the template and current system settings. Apply the settings
where required.
Note: although the template has been tested on the Windows 2008 R2 Server with SQL Server
installed, applying the settings may require the system administrator's attention, and the
administrator takes responsibility for applying them.
WARNING: The configuration cannot be undone; back up the system first.
D. Setting Up and Configuration Application (Web) Server
4.1. Prerequisites
The configuration of Internet Information Services is performed on the Windows 2008 Server
R2.
The installation presumes the availability of the following hardware:
Server Name | Processor | RAM | HDD | Software
Application Server | Quad or Six Core 2.5GHz | 8GB | 50 GB free disk space | Windows 2008 Server Standard or Web Edition
Table 4.1.1 Hardware Availability
All Web servers must allow incoming connections to the following ports: 80(TCP), 443(TCP),
The user who installs IIS 7.5 must have administrative rights on the server OS.
4.2. Install IIS 7 on Windows Server 2008 R2
IIS is one of the Windows Server® server roles. IIS 7 can be installed through the graphical
user interface (GUI) by using the new Server Manager interface after the Windows Server
operating system is installed.
Server Manager provides a single dashboard to install or uninstall server roles and features.
Server Manager also gives an overview of all currently installed roles and features.
When IIS 7 is chosen from the Server Manager, the basic components and services
needed for IIS are automatically selected.
1. Start Server manager:
Click Start -> All Programs -> Administrative Tools -> Server Manager.
Figure 4.2.1 Server Manager in Windows Menu
2. Add Roles
In the Server Manager window, scroll down to Roles Summary, and then click Add Roles.
The Add Roles Wizard will start with a Before You Begin page. The wizard asks for
verification of the following:
a. The administrator account has a strong password.
b. The network settings, such as IP addresses, are configured.
c. The latest security updates from Windows® Update are installed.
Figure 4.2.2 Add Server Roles Screenshot
3. Select Web Server (IIS) on the Select Server Roles page, click “Next”. An introductory page
will open with links for further information.
Note: When you use the Add Roles Wizard to install IIS, you get the default installation,
which has a minimum set of role services. If you need additional IIS role services, such
as Application Development or Health and Diagnostics, make sure to select the check
boxes associated with those features in the Select Role Services page of the wizard.
Figure 4.2.3 List of available Server Roles
4. Select the IIS services to be installed on the Select Role Services page. Add only the
following for application development: ASP.NET, .NET, ISAPI Filters, ISAPI extensions:
Figure 4.2.4 Selected Server Roles
Figure 4.2.5 Selected Server Roles Continued
5. Click “Install” to proceed, check that final status is “Installation Succeeded”.
Figure 4.2.6 Installation Status Screen
6. Deploy the web site application code to c:\inetpub\wwwroot (default IIS files/websites
location) as described in section 5 Deploying Web Applications:
Figure 4.2.7 Deploying Program Files
7. Download from www.microsoft.com and install .Net Framework 3.5 ServicePack1.
URL and direct link below:
http://download.microsoft.com/download/0/6/1/061F001C-8752-4600-A198-53214C69B51F/dotnetfx35setup.exe
8. Download from www.microsoft.com and install .Net Framework 4.0
The installer can be downloaded here:
http://www.microsoft.com/en-us/download/details.aspx?id=17851
9. Register .Net Framework 4.0 in IIS metabase
run cmd
CD <WindowsFolder>\Microsoft.NET\Framework64\v4.0.30319
aspnet_regiis -i
4.3. General Web Site Configuration
1. Open the IIS management console (Start -> Programs -> Administrative Tools -> Internet
Information Services (IIS) Manager)
Figure 4.3.1 IIS Manager
2. Right-click on “Application Pools” and select “Add Application pool…”
Figure 4.3.2 Application Pools Menu
3. Put the name of the site as Application Pool Name, make sure that .NET framework is set to
v4.0.xxxx and “Managed pipeline mode” is set to “Integrated”:
Figure 4.3.3 Application pool configuration
4. Update advanced settings of the application pool to use NetworkService as Identity of Process
Model (by default Identity is set to ApplicationPoolIdentity)
Figure 4.3.4 Application Pool Process Identity
5. Right-click on “Sites” and select “Add WebSite”
Figure 4.3.5 Add Web Site
6. Configure web-site settings:
a. Enter “Site Name”.
b. Click “Select” button next to the “Application Pools” field and select your site's name
application pool (created on step 3) from drop-down list.
c. Configure (select from the tree) Content Directory -> Physical path (the path where all of
the site's files are located).
d. Configure binding Type – “http://”, IP Address – “All Unassigned” (or select specific IP
address from drop-down list if you have multi-homed server- n/a for selected config),
make sure you have Port – “80”.
e. Put “Host Name” which can be resolved via DNS service, or add “Host name” to hosts
file (we used webassembler.local just for presentation purposes) which can be found at:
c:/windows/system32/drivers/etc/ folder*.
f. Click “OK” to confirm settings:
Figure 4.3.6 Web Site Properties
* Note: you should run Command prompt as Administrator to see hosts file in Windows 2008;
the example of hosts file content is shown below:
** NB: For accessing all other web sites in the solution, their names must be included into the
hosts file, resolving into the correct IP addresses.
Figure 4.3.7 Hosts File Screenshot
After saving the hosts file, make sure the site name resolves properly (according to the record created).
Issue the ping webassembler.local command and make sure you get a reply from IP 127.0.0.1:
Figure 4.3.8 Ping Console Screenshot
7. Binding SSL certificate:
a. Select Edit Site->Bindings in the Actions menu.
b. Press Add to add new port binding of the site
c. Set Type to https, IP address to All Unassigned, Port to 443 and select appropriate
certificate from the drop down.
Figure 4.3.9 Site Binding Properties
*NB: In order to appear in the dropdown the certificates must be installed in trusted
certificate authority storage of the server machine.
8. Switch to IIS management console and edit permissions for Webassembler Site (right-click on
WebAssembler site and select “Edit Permissions”):
Figure 4.3.10 Permissions Menu
9. Make sure the “NETWORK SERVICE” user has “Modify” or “Full Control” permissions on
the web site folder:
Figure 4.3.11 Web Site Permissions List
10. Propagate permissions settings to all sub-folders and files.
a. Click “Advanced” button on Website "Properties” “Security” tab
b. Click “Edit” button on “Advanced security settings” window
Figure 4.3.12 Advanced Security Settings for Web Site
c. On new “Advanced security settings” for web site root folder window set checkbox
“Replace All Existing Inheritable Permissions…” and click “OK” to confirm permissions
propagation:
Figure 4.3.13 Advanced Security Settings Continued
11. Important Note: To increase the security of web-site access, the System Administrator may
consider using "ApplicationPoolIdentity" (the default setting) as the identity IIS uses for the
web site and using Integrated Security=true; in the application Web.config file (the user name and
password are hashed before being sent across the network; the client browser proves its knowledge
of the password through a cryptographic exchange with your Web server, involving hashing).
For this setup the System Administrator should configure the Web Site "Advanced Settings"
according to the screenshots below:
Propagation of the "Modify" Permissions on step 10 should be done for IIS_IUSRS user
(instead of NETWORK SERVICE):
d. Please, note, to allow File download and Printing features in Microsoft Internet Explorer on
Client Side, add site to “Trusted” zone.
a) Double click on “Internet” at the bottom of Internet Explorer window. “Internet Security
Properties” window will open:
b) Select “Trusted” sites zone and click “Sites” button. Make sure http://webassembler.local
is listed in “Add this site…” field, uncheck “Require server verification (https:)”, click “Add”
button, then “Close” button.
4.4. Server hardening using the Web Server Security Template
A Security Template can control almost any security option or setting on a server. Security
Templates can control user rights, permissions, password policies, software policies, and so
forth. We provided the security template tuned for Web Server operation.
1. Use the MMC (Start -> Run -> MMC).
2. Then go to File -> Add/Remove Snap-in, click Add, and choose Security Templates.
3. Click Add, Close, and OK. The policies present will be listed.
4. Apply the template using the Security Configuration and Analysis Snap-in for the
MMC:
5. Open Database-> New
6. Import Template from file "WebServer.inf"
7. Analyze Computer Now
8. Check View Log File
Verify the settings suggested in the template and current system settings. Apply the settings
where required.
Note: although the template has been tested on the Windows 2008 R2 Server prepared for IIS,
applying the settings may require the system administrator's attention, and the administrator
takes responsibility for applying them.
WARNING: The configuration cannot be undone; back up the system first.
E. Deploying Web Applications
4.5. Deployment from Archived File
Each archived file contains the ready-to-copy contents of a web site's home directory. Just
unpack the contents to the web site home folder and proceed to section Configuration of Web
Application Settings.
Note: The archive files could be created using the test servers' application files.
F. Configuration of Web Application Settings
6.1. SQL Connection Configuration
Please note that the credentials used in the web site connection string settings are those
configured as logins during the MS SQL installation.
1. Use Windows Explorer to navigate to c:\inetpub\wwwroot\Webassembler\WebConfig\
folder. Locate and edit database.config file via Notepad.exe or Wordpad.exe:
Figure 6.1.1 Web.Config File Edit Screenshot
2. Find (use Ctrl-F) <connectionStrings> section of web.config file and check or edit:
a. DataSource (SQL Server name\Instance or IP address\Instance),
b. Initial Catalog (Database name ),
c. User ID(Uid) used by IIS to access SQL database,
d. Password(Pwd) used by IIS to access SQL database.
Figure 6.1.2 Web.Config SQL Connection Settings
3. Save your changes
6.2. Setting Up Shared ASP.NET Session State
6.2.1. SQL Server Session State Service (WebAssembler Standard Model)
If WebAssembler is deployed in Standard Model, local server Session State management
should be configured.
1. Open Start-> Administrative Tools -> Services
2. Locate ASP.NET State Service item in the list (It is stopped and disabled by default).
3. Right-click on ASP.NET State Service item, select "Properties".
4. Configure ASP.NET State Service to "Start Automatically during system startup"
Figure 6.2.12.1 ASP.NET State Service Settings.
5. Start ASP.NET State Service if it is stopped, make sure it's running (see screenshot below).
Figure 6.2.12.2 ASP.NET State Service Configuration.
6.2.2. SQL Server Session Management Mode (WebAssembler Enterprise Model)
If Application Servers are deployed in clustered server environment, local session state
management is not applicable. The Session State for all of the web applications is managed
in SQL Server Mode.
SQL Server mode stores session state in a SQL Server database. This ensures that session state
is preserved if the Web application is restarted and also makes session state available to
multiple Web servers in a Web farm. The SQL Server session state must be configured for
each of the applications - Portal, MPass, Notification and Journaling.
1. The command line utility is aspnet_regsql.exe, it must be run with the following
parameters:
aspnet_regsql -S [server] -E -ssadd -sstype c -d SessionStateDB
// add websitename suffix for each database, eg: SessionStateDBPortal,
SessionStateDBMPass, etc.
2. The final step is to include the necessary data in the web.config file. Configure the
connection string to the SessionStateDB (for parameter details refer to section 6.1 above):
<sessionState
mode="SQLServer"
allowCustomSqlDatabase="true"
sqlConnectionString="Data Source= 11.11.11.16;Failover Partner=11.11.11.17;Initial Catalog=SessionStateDB;UID=UserName;PWD=123;"
cookieless="false"
timeout="20"
/>
Start Microsoft Internet Explorer and try to access the configured site by its domain name. If
portal code compilation finishes successfully, you should see the “Home” page.
6.3. Security
The following sections do not require any amendments/configuration by administrators and
are presented as they are in the web site template.
6.3.1. Debug
Compilation should be debug=false on production. No need to change.
<compilation debug="false" strict="false" explicit="true">
6.3.2. Request Validation
Pages validateRequest="true" on production. No need to change.
<pages validateRequest="true" enableEventValidation="false">
6.3.3. Tracing
Trace should be enabled=false on production. No need to change.
<trace enabled="false" localOnly="false" writeToDiagnosticsTrace="true" />
6.3.4. Errors handling
No need to change.
<customErrors mode="On" defaultRedirect="~/ServerError.aspx?error=1" />
6.3.5. Cross site scripting (XSS) vulnerability preventing
URL filtering prevents servicing the URLs with script, <script> and <, > characters. No need
to change.
<security>
<requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="true">
<denyUrlSequences>
</denyUrlSequences>
<fileExtensions allowUnlisted="true" />
<verbs allowUnlisted="true">
</verbs>
<denyQueryStringSequences>
<add sequence="script" />
<add sequence="e%3cscript%3e" />
<add sequence="e%3" />
<add sequence="%3e" />
</denyQueryStringSequences>
<filteringRules>
</filteringRules>
</requestFiltering>
</security>
G. Troubleshooting Installation and initial Setup
7.1. SQL Server Setup Issues
When you run SQL Server Setup, log files are created in a new timestamped log folder. The
log folder is located at %programfiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\. The
time-stamped log folder name is in the format YYYYMMDD_hhmmss.
To troubleshoot issues the following files must be reviewed:
ConfigurationFile.ini
Summary.txt
Detail.txt
Detail_ComponentUpdate.txt
Sql_common_core_Cpu<32 and or 64>_1.log
Sql_common_core_loc_Cpu<32 and or 64>_1033_1.log
Sql_engine_core_inst_Cpu<32 and or 64>_1.log
Sql_engine_core_inst_loc_Cpu<32 and or 64>_1033_1.log
Sql_engine_core_shared_Cpu<32 and or 64>_1.log
Sql_engine_core_shared_loc_Cpu<32 and or 64>_1033_1.log
Sql_tools_Cpu<32 and or 64>_1.log
Sql_tools_loc_Cpu<32 and or 64>_1033_1.log
SqlBrowser_Cpu32_1.log
Sqlncli_Cpu<32 and or 64>_1.log
Note: In your environment, the file name and number of the log files might differ from the list
based on the installation features that are selected when you install SQL Server 2008.
7.1.1. Description of the SQL Server 2008 log files
7.1.1.1. File Summary.txt
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\
Purpose: This log is the clean and user friendly log file that contains the basic information
about the problem. This file shows which SQL server components were detected, the
operating system environment, the command-line parameters that were specified, the values
that were specified, and the overall status of each MSI and MSP file that was executed.
Troubleshooting: To find errors in this file, search for “error” or “failed” keywords. For more
information about details of the failure, open the file that is listed in the line starting with
“Log with failure”.
7.1.1.2. File Summary_<%ComputerName%_YYYYMMDD_HHMMSS>.txt
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\<YYYYMMDD_HHMMSS>\Summary_<%ComputerName%_YYYYMMDD_HHMM>.txt
Purpose: This log file contains the same information as the Summary.txt file. This log might
also contain information about any previous SQL Server Setup attempt.
Troubleshooting: To find errors in this file, you can generally search for “error” or “failed”
keywords. For more information about details of the failure, open the file that is listed in the
line starting with “Log with failure”.
7.1.1.3. File Detail.txt
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\<YYYYMMDD_HHMM>\Detail.txt
Purpose: This log file provides a detailed log of the execution. It is organized on lines that
begin with the time stamp followed by the extension that produced the log. This is one of the
most important log files because it can be used to identify the failures that occur. The logs are
generated on a time basis. This means that the actions are logged here not by the component
that generated them but by the time at which they are invoked. This is useful to determine the
execution process step by step, the order in which actions are executed, and the dependencies
between actions. This file is generated for the main workflow such as the install, or the
upgrade workflow.
Troubleshooting: If an error occurs in the setup process, the exception or error will be logged
at the end of the file. To locate errors in this file, you must go to the end of the file and read
the actions in reverse from bottom to top to find where the exception or error is logged. Find
the line that starts with “Exit facility code” in the Summary.txt file, and then search for
“error,” “Watson bucket,” or “exception” keywords in the Detail.txt file. The search results
near the exit facility code will help you identify when and where the error first occurred.
7.1.1.4. File Detail_ComponentUpdate.txt
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\<YYYYMMDD_HHMMSS>\Detail_ComponentUpdate.txt
Purpose: This log file resembles the Detail.txt file. This file is generated for the component
update workflow.
Troubleshooting: Follow the same steps as those in the Detail.txt section.
7.1.1.5. File Detail_GlobalRules.txt
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\<YYYYMMDD_HHMMSS>\Detail_GlobalRules.txt
Purpose: This log file resembles the Detail.txt file. This file is generated for the global rules
execution.
Troubleshooting: This log file is used only if the Summary.txt file shows failures in the
SystemConfigurationCheck section. Generally, you can open and use the
SystemConfigurationCheck_Report.htm file to obtain all the information that is needed.
However, if you want additional information from this log, search for the “Rule evaluation
done : Failed” phrase in this file.
7.1.1.6. MSI log files:
<Feature>_<Architecture>_<Iteration>.log
<Feature>_<Architecture>_<Language>_<Iteration>.log
<Feature>_<Architecture>_<Iteration>_<workflow>.log
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\<YYYYMMDD_HHMMSS>\<Name>.log
Purpose: These log files provide a detailed log of the package installation process. These logs
are generated by the Msiexec.exe process when you install the specified package. If the setup
was successful and no errors were encountered, the log entry “Product: Product_Name -
Installation completed successfully” displays.
Troubleshooting: When you use the MSI log files, make sure that you are looking at the
original source of the problem instead of the reactive error messages. To do this, follow these
steps:
1. Sort the MSI logs in the same directory by the changed date.
2. Open each MSI log file from the bottom of the log files to each previous log. For each
log file, search for “Return value 3” or “@Microsoft” without the quotation marks.
3. Note the error message for each file until you find no error at the end of the logs. The last
log contains the original error. When you find the first occurrence in the log, you must
determine whether the entries are valid because not all “Return value 3” errors are
problems. Some of those errors are expected. If you can't determine whether the errors
are valid, we recommend that you try one of the Microsoft SQL Server support options.
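The three steps above can be scripted. The PowerShell below is an added example, not part of the original guide or of SQL Server Setup; it reads steps 2 and 3 as "start with the most recently changed log and walk back until a log contains neither search string". The function name, the sample file names and the sample log text written under %TEMP% are constructed for illustration.

```powershell
# Added example, not from the guide: automate steps 1-3 for one setup log folder.
function Get-MsiFailureChain {
    param([Parameter(Mandatory = $true)][string]$LogFolder)

    $markers = 'Return value 3', '@Microsoft'   # the two search strings from step 2

    # Step 1: order the MSI logs by changed date, newest first.
    $logs = Get-ChildItem -Path $LogFolder -Filter '*.log' |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending

    $chain = @()
    foreach ($log in $logs) {
        # Step 2: literal search; keep 3 lines before the hit as context for
        # judging whether it is a real failure or an expected one.
        $hits = @($log | Select-String -Pattern $markers -SimpleMatch -Context 3,0)
        # Step 3: the first log without a marker ends the chain of failures.
        if ($hits.Count -eq 0) { break }
        $chain += New-Object PSObject -Property @{
            Log     = $log.Name
            Changed = $log.LastWriteTime
            Line    = $hits[0].LineNumber
            Match   = $hits[0].Line.Trim()
            Before  = ($hits[0].Context.PreContext -join "`n")
        }
    }
    # The last row is the oldest failing log: the candidate original error.
    $chain | Select-Object Log, Changed, Line, Match, Before
}

# Constructed sample logs (not real setup output) to show the walk.
$demo = Join-Path $env:TEMP 'msi-log-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$now = Get-Date
$sample = @(
    @('feature_a_x64_1.log', 'Action ended: INSTALL. Return value 1.', 30),
    @('feature_b_x64_1.log', "Original failure (constructed).`nAction ended: INSTALL. Return value 3.", 20),
    @('feature_c_x64_1.log', "Reactive failure (constructed).`nAction ended: INSTALL. Return value 3.", 10)
)
foreach ($s in $sample) {
    $p = Join-Path $demo $s[0]
    Set-Content -Path $p -Value $s[1]
    (Get-Item $p).LastWriteTime = $now.AddMinutes(-$s[2])
}
Get-MsiFailureChain -LogFolder $demo | Format-List
```

For a real run, pass the <YYYYMMDD_HHMMSS> folder named under Location as -LogFolder. With the constructed logs the function returns feature_c and then feature_b, and stops at feature_a, which contains neither search string.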
7.1.1.7. SystemConfigurationCheck_Report.htm
Location: %ProgramFiles%\Microsoft SQL Server\100\Setup Bootstrap\Log\<YYYYMMDD_HHMMSS>\SystemConfigurationCheck_Report.htm
Purpose: This file contains a friendly version of the rules execution status. It also provides a
short description of each executed rule.
Troubleshooting: Open the SystemConfigurationCheck_Report.htm file, look for the “Failed”
keyword, and check whether any “Warning” entries apply to your environment.
7.2. IIS Related Issues
7.2.1. Disable IE “Friendly HTTP error messages”
IE will by default replace the actual error messages coming from the server with a “friendly”
error message, which hides the error contents we need to see. For example, for a 404 Not
Found error, you may instead see the following:
Figure 7.2.1 IE User Friendly Error
To disable this and see the real error coming from the server, you need to go to “Tools >
Internet Options”, choose the Advanced tab, and clear the “Show friendly HTTP error
messages” checkbox. Then, close the browser, open it again, and re-request the page.
Figure 7.2.2 IE Advanced Internet Options
7.2.2. Enable IIS7 detailed errors
WARNING: This troubleshooting step enables a data disclosure vulnerability!
Make sure you disable the detailed errors again once you have obtained the error text.
IIS7 introduces a new custom errors feature, which by default hides the error responses issued
by the server to remote clients, replacing them with a basic error message. This is critical for
security of your site, as errors frequently contain sensitive information that you don’t want
others to see, but makes getting to the bottom of the problem harder since you cannot see
those very error details. So, if you are requesting your site from another machine, you may
still get a basic error that looks like this:
Figure 7.2.3 Server Error Message
There are two options here:
1) Make the request locally from the server machine.
By default, you will get the detailed error.
2) Enable detailed errors for remote clients.
First, if your error is an ASP.NET exception (you can tell if it says “Runtime Error” and has
the framework version), please be aware that ASP.NET overrides the IIS custom error
mechanism with its own implementation of custom errors, so you should turn the ASP.NET
custom errors off to see detailed ASP.NET exceptions. You DO NOT have to configure IIS7
custom errors for ASP.NET exceptions (it would be silly to have to do it in two places). To
turn off ASP.NET custom errors, place the following in your web.config:
<system.web>
  <!-- Troubleshooting only: restore On or RemoteOnly once the error text is captured -->
  <customErrors mode="Off" />
</system.web>
If the error is not an ASP.NET error, turning off IIS7 custom errors will allow error responses
from your application to be sent to remote clients without being censored by the IIS7 custom
errors module.
Now, you should be getting detailed errors back:
Figure 7.2.4 Detailed IIS Error
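The warning at the start of 7.2.2 requires detailed errors to be switched off again once the error text has been captured. The PowerShell below is an added example, not part of the original guide: it lists every web.config under a site root that still has ASP.NET customErrors set to Off, or the IIS7 httpErrors element set to errorMode="Detailed". The function name and the sample site folder written under %TEMP% are constructed for illustration.

```powershell
# Added example, not from the guide: find web.config files that still send
# detailed errors to remote clients after troubleshooting.
function Find-DetailedErrorConfig {
    param([Parameter(Mandatory = $true)][string]$Root)

    # Element/attribute values that expose error details to remote clients.
    $checks = @(
        @{ XPath = '//system.web/customErrors';     Attr = 'mode';      Bad = 'Off' },
        @{ XPath = '//system.webServer/httpErrors'; Attr = 'errorMode'; Bad = 'Detailed' }
    )
    Get-ChildItem -Path $Root -Filter 'web.config' -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_.FullName
            $xml = New-Object System.Xml.XmlDocument
            try { $xml.Load($file) }
            catch { Write-Warning "Skipping unparsable file: $file"; return }
            foreach ($c in $checks) {
                # '//' also finds settings nested inside <location> elements.
                foreach ($node in $xml.SelectNodes($c.XPath)) {
                    if ($node.GetAttribute($c.Attr) -eq $c.Bad) {
                        New-Object PSObject -Property @{
                            File    = $file
                            Setting = '{0} {1}="{2}"' -f $node.LocalName, $c.Attr, $c.Bad
                        }
                    }
                }
            }
        }
}

# Constructed sample site (not a real deployment) to show one finding.
$demo = Join-Path $env:TEMP 'webconfig-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
'@ | Set-Content -Path (Join-Path $demo 'web.config')

Find-DetailedErrorConfig -Root $demo | Format-List
```

An empty result for the application's root folder means neither setting was left enabled in any web.config below it.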