.Net, AWS, IIS, Programming, Security, Troubleshooting, Visual Studio, Web

AWS Elastic Beanstalk ebextensions: Update the IIS App Pool using commands to another App Pool Identity

So I had a .Net application that needed to leverage the Network Service application identity instead of the OOB ApplicationPoolIdentity that comes with a default shipped EBS Windows server with IIS. The solution? An ebextension of course!

0) We’re going to have a step 0 assuming you already have a development AWS account with credits to push servers to Elastic Beanstalk. If you have not done this part then do some reading here: https://aws.amazon.com/elasticbeanstalk/

1) Once you have an account and have configured your Visual Studio environment to your account appropriately then proceed to open your VS solution.

2) Create a folder in your solution called .ebextensions

3) Create your config file (if you don’t have an editor Notepad++ will do) within that folder and edit it in YAML format

The following example updates the DefaultAppPool app identity to Network Service using PowerShell and the commands/command features:

files:
  "C:\\Robo\\Update_App_Pool.ps1":
    content: |
      Write-Verbose 'Update the application pool'
      Set-Location C:\\Robo
      Import-Module WebAdministration
      # identityType 2 = NetworkService (the default ApplicationPoolIdentity is 4)
      Set-ItemProperty IIS:\AppPools\DefaultAppPool -Name processModel.identityType -Value 2

commands:
  update_app_pool:
    # Runs the script written by the files section above
    command: powershell.exe -ExecutionPolicy Bypass -File "C:\\Robo\\Update_App_Pool.ps1"
    ignoreErrors: False
    waitAfterCompletion: 0

4) Save the file. Deploy this with your application into EBS and you should see the updated app pool identity as the application is deployed.

Hope this helps. Questions are welcome!

If you want to venture deeper into this then start here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers.html

Validate here: http://www.yamllint.com/

.Net, CRM, IIS, MVC, Programming, Security, SharePoint, Sitecore, Troubleshooting, Visual Studio, Web, Web Service, Windows

Solved: The length of the URL for this request exceeds the configured maxUrlLength value.

Anyone ever run into the following before? I ran into this regarding a request into the SharePoint REST API.

The length of the URL for this request exceeds the configured maxUrlLength value.

This is because the IIS default maximum length for a URL is 260 characters. If a request URL is longer, the above error will occur.

To fix this, increase the maxUrlLength value by adding it to the web.config file in the IIS virtual directory.

<configuration>
  <system.web>
    <httpRuntime maxUrlLength="5000" />
  </system.web>
</configuration>

You will likely already have most of this snippet in place, so don’t break your config; just add the maxUrlLength attribute to your existing httpRuntime element and you should be good to go. Be aware that any web.config change may cause a service interruption, so test in dev, beta, QA and pre-prod before ever changing in prod! Hope this helps, questions are welcome!

PowerShell, Programming, Security, SharePoint, Troubleshooting, Windows

SharePoint/PowerShell – Get the AD groups associated with a site collection and output to CSV file

Need to deliver or better understand the AD groups associated with your SharePoint site collection? Try this:

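# Load the SharePoint cmdlets when not running in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SPWebApp = Get-SPWebApplication http://sitecollectionURLhere/

# Collect across every site collection; assigning inside the loop would keep only the last one
$ADgroups = foreach ($SPSite in $SPWebApp.Sites)
{
    Write-Host -ForegroundColor Green ("Working on Site Collection: " + $SPSite.RootWeb.Title)
    $SiteURL = $SPSite.RootWeb.Url
    # IsDomainGroup is true for AD groups that have been granted access to the site
    Get-SPUser -Web $SiteURL -Limit ALL | Where-Object { $_.IsDomainGroup }
}
$ADgroups | Export-Csv "C:\Temp\FileNameGoesHere.csv" -NoTypeInformation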

PS1 download is here: https://1drv.ms/u/s!Ag4C3w6EUQIggowvfXrE0Z3tfWKJeA

Certificates, IIS, Security, SSL, Troubleshooting, Web

Dealing with SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

A lot of you may be getting emails from your sys admins telling you about needing to protect yourself from the POODLE vulnerability. I wanted to post my response back to what I did to bring my servers into compliance.

I used a tool called IISCrypto to apply the best practice template to the server from the command line. You can do it to be in PCI, PCI31 or FIPS140 compliance as well.

Here’s what I ran for what got fixed:

[Screenshot: ss1]

They also offer a GUI that you can run to see exactly what’s being used. Here’s the box after I applied the command run above to confirm the removal of PCT 1.0 & SSL 2.0/3.0:

[Screenshot: ss2]

My recommendation would be to deploy the command line version of the tool and execute the best practice template, let it apply the best practice template and restart the box.

However, if you prefer not to use a third-party tool, you can follow the Microsoft suggested actions to update the registry entries and build a .reg script to run.
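Whichever route is used, the result can be confirmed from the registry after the restart. The following read-only audit is an added example, not part of the original post or of IISCrypto; it assumes the standard Windows SCHANNEL registry location, and the function and variable names are made up for illustration.

```powershell
# Added example: read-only audit of the SCHANNEL server-side protocol keys.
# Nothing is written to the registry.
$SchannelRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocol = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0'   # protocols the post reports as removed

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = $LegacyProtocol,
        [string]$Root = $SchannelRoot
    )
    foreach ($name in $Protocol) {
        $key       = Join-Path $Root (Join-Path $name 'Server')
        $present   = Test-Path -LiteralPath $key
        $enabled   = $null
        $byDefault = $null
        if ($present) {
            $props     = Get-ItemProperty -LiteralPath $key
            $enabled   = $props.Enabled             # DWORD 0 = protocol disabled
            $byDefault = $props.DisabledByDefault   # DWORD 1 = off unless requested
        }
        # A missing key or value is not the same as "disabled": the OS default applies.
        $state = if ($null -eq $enabled) {
            'OS default (not set)'
        } elseif ($enabled -eq 0) {
            'Disabled'
        } else {
            'Enabled'
        }
        [pscustomobject]@{
            Protocol          = $name
            KeyPresent        = $present
            Enabled           = $enabled
            DisabledByDefault = $byDefault
            State             = $state
        }
    }
}

$report = Get-SchannelProtocolState
$report | Format-Table -AutoSize

# Flag anything that is not explicitly turned off
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning ("Not explicitly disabled: " + ($open.Protocol -join ', '))
}
```

A state of "OS default (not set)" deserves a closer look on older Windows Server releases, where SSL 3.0 is on by default.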

Hope this helps.

Apache, PHP, Security, Troubleshooting, Web

Ubuntu 12.04.5 LTS to 14.04.4 LTS Upgrade on Apache Web Server – Steps, Issues/Fixes & Tips

I was recently upgrading an Ubuntu server from 12.04.5 LTS to 14.04.4 LTS and for the most part had a pleasant experience. I’m going to attempt to document the steps I used for the upgrade below and comment on any issues I found (and tips to fix).

  • I ran the following to download the most up-to-date set of updates and packages to upgrade on the system:
sudo apt-get update

Issue: When I first was experimenting on a clone I noticed after running this command I received a bunch of 503s on the apt-get attempt.

Fix: After opening up the firewall to allow outbound traffic to http://us.archive.ubuntu.com, the Get attempts were successful.

  • Once I received the most up-to-date set of updates and packages I ran the command to perform the upgrade:
sudo do-release-upgrade -d

Tips:

  • You may be prompted about disabling ssh authentication for root. If you are unsure of whether this is enabled/disabled previously my recommendation is that you leave the default of “No” and enable it if you need it after the fact.

[Screenshot: root_warning_14_04_ubuntu_u]

  • If asked whether to automatically allow restarts of services without notification, you may want to consider saying no if you have a significant amount of upgrades.

[Screenshot: sshot-server-3]

Once the upgrade/removal process is complete you are (usually) prompted to restart the server itself. Should you not be prompted for such you can run the following command to restart the server:

sudo reboot

Now then, you should have your server up to date and installed. This should mean your web site comes right up without problems, right? Wrong. Chances are you need to go and verify everything still runs after the upgrade. I’ll show what issues I ran into below as proof of that concept.

Issue: All web sites that previously worked before the upgrade now come up with “401 Unauthorized”

Fix: As a part of the Apache2 update in Ubuntu 14.04.4, all of the virtual host files in the /etc/apache2/sites-enabled folder have to be updated to have .conf appended to them.

So in this example I had a file called my.website.com that needed to be my.website.com.conf. I made this change using:

cp my.website.com my.website.com.conf

Once I updated all of the files to use .conf related to my web sites I restarted apache2 to enforce the changes:

sudo /etc/init.d/apache2 restart

After this I was able to see my sites as I expected. Now I am seeing some odd error messages at the top…let’s dig a bit more.

Issue: I started getting some unhandled error exceptions (8192) that were in some error handling code

Here was the snippet before I made changes that had the problem:

$errorTypeLookup = array (
E_ERROR => 'PHP Fatal error',
E_DB_ERROR => 'Database Error',
E_SYSTEM_ERROR => 'System Error',
E_SECURITY_ERROR => 'Security Error',
E_VISIBLE => 'Warning',
E_WARNING => 'PHP Warning',
E_PARSE => 'PHP Parse error',
E_NOTICE => 'PHP Notice',
E_CORE_WARNING => 'PHP Core Warning',
E_COMPILE_WARNING => 'PHP Compile Warning',
E_USER_WARNING => 'User Warning',
E_USER_NOTICE => 'User Notice',
E_STRICT => 'PHP Runtime Notice',
);

Fix: If you read here about error function constants you’ll find the introduction of 3-4 newer ones after PHP 5.2. The one in particular that I needed to add (related to 8192) was E_DEPRECATED. After I added it (and a couple others) and restarted apache2 those particular issues went away. Below is my updated snippet:

$errorTypeLookup = array (
E_ERROR           => 'PHP Fatal error',
E_DB_ERROR        => 'Database Error',
E_SYSTEM_ERROR    => 'System Error',
E_SECURITY_ERROR  => 'Security Error',
E_RECOVERABLE_ERROR     => 'Recoverable Error',
E_DEPRECATED      => 'Deprecated',
E_USER_DEPRECATED => 'User Deprecated',
E_VISIBLE         => 'Warning',
E_WARNING         => 'PHP Warning',
E_PARSE           => 'PHP Parse error',
E_NOTICE          => 'PHP Notice',
E_CORE_WARNING    => 'PHP Core Warning',
E_COMPILE_WARNING => 'PHP Compile Warning',
E_USER_WARNING    => 'User Warning',
E_USER_NOTICE     => 'User Notice',
E_STRICT          => 'PHP Runtime Notice',
);

After I worked through these issues my web sites functioned as expected. Please do understand that, based on your web sites/apps, these steps and issues/fixes will always be unique. The good thing is that for the most part what is documented on the internet will usually help guide you through particular problems you are facing. I hope this helps, questions are always welcome.

Helpful links: