Tag Archives: IIS

Problem with PHP mailer sending mail – Result: delayed, Status: 4.1.1 452 4.1.1 requested action aborted: try again later – GL/GL

IIS Tips & Tricks, WordPress Tips

If you see this type of message logged in your outbound mail logs, and your clients are unable to get email delivered to their domain, then I may have the s0lution for you.

In our particular scenario, we have a PHP site running WordPress and the email server is located with IPOWER.  So the website needs to be able to send email from our data center into the IPOWER data center, but in our case the emails were getting bounced due to this error below.  (VERY NON-DESCRIPT!).

Result: delayed, Status: 4.1.1 452 4.1.1 absc@asdasdasd.com requested action aborted: try again later – GL/GL

in your BOUNCE BACK emails, you may find something like this:

X-PHP-Originating-Script: 0:class-phpmailer.php

X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)

In our case, the recipient domain was hosted at IPOWER web.  To solve this issue, we logged into the IPOWER control panel, went to spam settings:

http://www.ipower.com/controlpanel/spamfilter.bml

and went to the WHITELIST and whitelisted our email server’s IP address.  Saved the changes and re-tried sending the email on the PHP (wordpress) site.

Worked immediately.

 

Leave a comment , , , ,

How to get IIS 7.5 web server to pass the BEAST PCI vulnerability compliance scans

IIS Tips & Tricks, Windows Server

If your e-commerce website keeps flunking PCI vulnerability complaince scans with the following error:

BEAST (Browser Exploit Against SSL/TLS) Vulnerability, CVE-2011-3389

and you are running Microsoft Server 2008 R2, I can help you.

If you aren’t on Windows Server 2008 R2, there is no known way to pass this test short of upgrading your server to W2K8R2 and doing the following steps.

This is the exact vulnerability as reported (in our case, by Trustkeeper):

BEAST (Browser Exploit Against SSL/TLS) Vulnerability The SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker, which is has gotten access to an HTTPS session via man-in-the-middle (MITM) attacks or other means, to obtain plain text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with Javascript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or “BEAST”.

CVE: CVE-2011-3389

NVD: CVE-2011-3389

Bugtraq: 49778

CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)

This is the remediation (as stated by Trustkeeper):

Affected users should disable all block-based cipher suites in the server’s SSL configuration and only support RC4 ciphers, which are not vulnerable to fully address this vulnerability. This vulnerability was addressed in TLS version 1.1/1.2, however, support for these newer TLS versions is not widely supported at the time of this writing, making it difficult to disable earlier versions.

Additionally, affected users can also configure SSL to prefer RC4 ciphers over block-based ciphers to limit, but not eliminate, exposure. Affected users that implement prioritization techniques for mitigation as described above should appeal this vulnerability and include details of the SSL configuration.

Here is the evidence (as stated by TrustKeeper):

Service: http
Evidence:
Cipher Suite: SSLv3 : DES-CBC3-SHA
Cipher Suite: SSLv3 : RC4-SHA
Cipher Suite: SSLv3 : RC4-MD5
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA
Cipher Suite: TLSv1 : RC4-SHA
Cipher Suite: TLSv1 : RC4-MD5

That isn’t much help, of course.

Ok, here is how to solve this.  And you don’t even need REGEDIT!

  1. Make sure your website is on a Windows 2008 R2 server, with a valid SSL certificate.
  2. Download the following FREE – and FANTASTIC program to your web server.
    1. https://www.nartac.com/Products/IISCrypto/Default.aspx
  3. Run the program on your web server.  Please be logged in as full admin, and remote desktop is fine.
  4. Start by clicking the PCI button, then make all your settings look like below:
    1. pci
  5. In some cases you might have a few more listing under SSL Cipher Suite order.  Here is a screenshot from a second server (below).  The settings below are also perfectly fine:
    1. pci2
  6. In all cases – MAKE YOUR SETTINGS JUST LIKE ABOVE – and your site should always pass the BEAST test.
    1. IT IS CRITICAL that you have ONLY the CIPHERS selected in the above two screenshots, and the TOPMOST TWO in THIS SPECIFIC ORDER.
  7. apply the changes
  8. Restart the server.
  9. once the server is back up and running, go to the website below:
    1. https://www.ssllabs.com/ssltest/index.html
  10. Allow the test to complete.  The test will tell you if the site passes all the tests and is BEAST compliant, and it will give you a score for your website.  The website we tested scored 89 which is an “A”.

Hopefully this will help shortcut this process for some of you. I literally spent hours working this solution out.

 

 

15 comments , ,

How to migrate MYSQL to a new Windows server

MYSQL, Windows Server

Here is the easiest process that I know of for migrating (and upgrading) from one version of MYSQL running on Windows server, to a new Windows server.

  1. Setup the new Windows server, give it a fixed IP address (we’ll change that later to be at the same IP as the old server).
  2. Run all Windows updates
  3. Install IIS 7.5 (in our example, we were on W2K8 R2 Standard) and take all defaults.
  4. Go to Google and search for MICROSOFT PLATFORM INSTALLER, go to that Microsoft site, and run the installer.  The current version as of this post was 4.0RC
  5. in the MPI, search for PHP and install PHP.  Allow it to take any extras it chooses, hit next and install those items.
  6. Now that PHP is installed, launch the IIS 7.5 manager, stop the default site and setup a new website that we’ll use to park PHPMYADMIN on.
  7. Go download the latest version of PHPMYADMIN.
  8. extract it to your website directory into the /phpmyadmin/ directory.
  9. you should now be able to access the PHPMYADMIN site via http://localhost/phpmyadmin/
  10. Download and install the latest MSI installer download (of the x64 version if you have an x64 server)
  11. Install MYSQL
  12. Run the configuration wizard and complete the standard setup.  In our case we used a dedicated MYSQL server, set a new password for the admin account and pretty much took all defaults.
  13. At this pount we just need to migrate the data over from the old server to the new server.
  14. Make sure you have MYSQL Workbench installed to do this (under windows).  Current version is 5.2.30 CE.
  15. Under “Server Administration” you need to setup one connection for the old (current server) and one for the new one.
  16. Connect to the old server.
  17. Click Data Export.
  18. Export out ALL databases to one SQL file.  This may take some time depending on the speed of your internet connection.
  19. when this is complete, go check the file to make sure it is (relatively) large depending on the number of databases that you exported out.  MAKE SURE you export out the MYSQL database as well as all databases.
  20. Connect to the new server.
  21. Do a DATA IMPORT/RESTORE and load the SQL file you just exported
  22. Start the import.  Again, this may take some time to complete.
  23. When complete, the new machine is now a clone of the old machine.
  24. Shut down the old server.
  25. Change the IP on the new server to the IP of the old server.  Reboot (just to be sure).
  26. Once the new server is rebooted and it is at the “old IP” any of your sites that connect to MYSQL should now be working once again just as if they were connecting to the old server.

I hope this helps anyone who is in need of migrating/upgrading their Windows-based MYSQL install.

 

One comment , , ,

iPhone iPad “cannot verify server identity” SSL issue and resolution

ASPDOTNETSTOREFRONT, IIS Tips & Tricks, SSL

We recently came across an issue with one of our client sites that runs under ASPDOTNETSTOREFRONT where the site would appear function properly on normal desktop browsers (IE 9, FF, Safari, Chrome), but when the mobile site would run on an iPhone or iPad, and the mobile site would go into SSL mode, it would result in the following error message pop-up:

“Cannot verify server identity” – Safari cannot verify the identity of (your domain goes here).

The issue is that the supplementary Intermediate SSL certificates, in our case, from GoDaddy, are/were not installed correctly on the server.

To resolve this issue, re-download (if needed) the SSL file which includes your SSL cert and the intermediate SSL certs.

To Install an SSL in Microsoft IIS 5 & 6

  1. To install the Intermediate certificate, click Start , and then click Run….
  2. Type mmc, and then click OK. The Microsoft Management Console (Console 1) opens.
  3. From the File menu, click Add/Remove Snap-in… .
  4. In the Add/Remove Snap-in window, click Add.
  5. In the Add Standalone Snap-in window, select Certificates, and then click Add.
  6. In the Certificates snap-in window, select Computer Account, and then click Next.
  7. In the Select Computer window, select Local Computer, then click Finish.
  8. In the Add Standalone Snap-in window, click Close.
  9. In the Add/Remove Snap-ins window, click OK.
  10. In the Console 1 window, click + to expand the Certificates folder.
  11. Right-click Intermediate Certification Authorities, mouse-over All Tasks, and then click Import.
  12. In the Certificate Import Wizard, click Next.
  13. Click Browse to find the certificate file.
  14. In the Open window, select *.p7b for the Files of type.
  15. Select the appropriate intermediate certificate file, and then click Open.
  16. In the Certificate Import Wizard window, click Next.
  17. Select Place all certificates in the following store, and then click Browse.
  18. In the Select Certificate Store window, select Intermediate Certification Authorities, and then click OK.
  19. In the Certificate Import Wizard, click Next.
  20. Click Finish.
  21. Click OK.

At this point you need to RESTART IIS.

After you restart IIS, then your mobile browser should function properly.

 

2 comments , , , ,

IIS WordPress images 500 error

IIS Tips & Tricks, Windows Server

If you are here you probably are having the dreaded “broken images” problem while running WordPress under IIS.

You may have found this issue by looking at the IIS logfiles for your site and seeing 500 errors logged when it’s supposed to be pushing out images.

I will save you a lot of time.

This is all about fixing permissions so that images/media/files uploaded via WordPress will properly render.

This is the fix for the infamous “500” error that is thrown when your server has wrong file permissions and the visual result is all the images you uploaded are “broken images” and won’t display. Also called HTTP Error 500.50 – URL Rewrite Module Error when you have Detailed errors on.

  1. Don’t sweat it, I will save you HOURS of time on this one.   Thanks to the article I found here after HOURS of tracking this issue down, this problem is caused because PHP first uploads the document to a temporary directory (by default C:\Windows\Temp), and then moves it from that directory to the actual /blog/wp-content/uploads/ subdirectory.  What happens is that because IIS does not have any permissions to your “C:\Windows\Temp” directory, when the file is uploaded there, then moved by PHP, the file inherits NO permissions.  So when IIS trys to serve out that file from your /blog/wp-content/uploads/subdirectory it throws a 500 error and that is actually a permissions error.
  2. The solution:  on the Windows\Temp folder, grant “modify” permissions to both IUSR and {servername}\IIS_IUSRS user accounts.
  3. Now when you upload files via PHP and PHP moves them to the correct directory, the files will have the correct permissions and can be accessed.
  4. Important note #1:  If you already have uploaded files and are getting the dreaded broken images issue, go to the /blog/wp-content/uploads/directory and replace/update the permissions to add access for both user accounts noted above.  That will solve that issue.
  5. Important note #2: as with any change off the defaults for Windows, you do this AT YOUR OWN RISK.  It’s up to you if you want to grant the Windows\Temp directory permissions for those two accounts.  If you don’t PHP won’t be able to upload without the 500 issue (unless you move the PHP temp folder elsewhere and grant those accounts access to the other folder).  Do these changes at your own risk… I cannot and won’t take any responsiblity for your systems.  Please know what you are doing.

UPDATE: 04/29/2011:  One reader commented to me that he is concerned about changing security permissions on the Windows TEMP directory, and he noted that you can also edit the php.ini file and change the location of the “upload_tmp_dir” variable and point it to another location.  It’s up to you how you want to do this, as long as you have the right permissions mentioned above, your WP images and future uploads will work fine.

 

34 comments , , ,

WordPress Windows 2008 Web Server R2 IIS 7.5 setup

IIS Tips & Tricks, Windows Server, WordPress Tips

I thought I would share a few important tips on getting WordPress 3.x to work properly – with PERMALINKS / SEO friendly URL’s.  It’s taken me a lot of trial and error to figure out the finer points, but assuming you can get it installed, these tips should help you get it 100% functional.

  1. to install, use the Microsoft Platform Installer 2.0, and let it do the work of installing PHP, WordPress etc.  IT IS FANTASIC!!! It will automatically setup PHP/FASTCGI for you and it is slick!  You can access the direct link to install WordPress on IIS here http://www.microsoft.com/web/wordpress/
  2. Secondly, I am going to make an assumption you are installing this as a subdirectory on your root site, such as www.mysite.com/blog.  If you are installing this to the root the same directions will basically apply but you’ll need to figure out which setting will need to be adjusted to put WP on the root.
  3. Third, we use a dedicated MySQL 5.x box, so we don’t install MySQL as part of the MPI 2.0 install (from step 1).  If you don’t already have a MySQL server you’ll need to let it install that as well, or make a new empty database on your MySQL box and use that info as part of the install process.  For security and speed reasons, a dedicated server for MySQL is the best choice, but not everyone has the resouces to permit a dedicated server.
  4. Under IIS 7.0 or 7.5, make sure you have downloaded and installed the free URL REWRITE 2.0 add-in for IIS.  This is a free download here: http://www.iis.net/download/urlrewrite
  5. PERMALINKS.  Once you get WP installed and are able to login to the admin interface, it’s pretty simple to get permalinks running.
    1. in the WP admin, go to SETTINGS->Permalinks.  We chose to use the “DAY AND NAME” setting.  Any other setting is your choice.  Pick a setting and click save changes.
    2. make sure you have a web.config file in your /blog/ subdirectory. 
    3. here is what your web.config file should look like – customized just for WP 3.0 in the /blog/ subdirectory (below).  (Download a ZIPPED copy of my file here)
    4. <?xml version=”1.0″ encoding=”UTF-8″?>
      <configuration>
        <system.webServer>
          <httpErrors errorMode=”Custom” />
          <rewrite>
            <rules>
             <rule name=”Main Rule” stopProcessing=”true”>
              <match url=”.*” />
              <conditions logicalGrouping=”MatchAll”>
               <add input=”{REQUEST_FILENAME}” matchType=”IsFile” negate=”true” />
               <add input=”{REQUEST_FILENAME}” matchType=”IsDirectory” negate=”true” />
              </conditions>
             <action type=”Rewrite” url=”index.php” />
            </rule>
         </rules>
          </rewrite>
          <defaultDocument>
            <files>
              <clear />
              <add value=”index.php” />
            </files>
          </defaultDocument>
        </system.webServer>
      </configuration>
    5. Save this into your web.config file – this is all you need for WP running in the /blog/ directory.  Once you replace your file with this one your permalinks should work flawlessly.
  6. Troubleshooting.  One easy way to troubleshoot things with your WP install, is to enable DETAILED errormode.  To do this, edit your web.config file within the /blog/ folder and change just the one line above to this <httpErrors errorMode=”Detailed”/>  Of course when you are all done and going live with WP, change that line back to “Custom”
  7. Fixing permissions so that images/media/files uploaded via WordPress will properly render.  This is the fix for the infamous “500” error that is thrown when your server has wrong file permissions and the visual result is all the images you uploaded are “broken images” and won’t display. Also called HTTP Error 500.50 – URL Rewrite Module Error when you have Detailed errors on.
    1. Don’t sweat it, I will save you HOURS of time on this one.   Thanks to the article I found here after HOURS of tracking this issue down, this problem is caused because PHP first uploads the document to a temporary directory (by default C:\Windows\Temp), and then moves it from that directory to the actual /blog/wp-content/uploads/ subdirectory.  What happens is that because IIS does not have any permissions to your “C:\Windows\Temp” directory, when the file is uploaded there, then moved by PHP, the file inherits NO permissions.  So when IIS trys to serve out that file from your /blog/wp-content/uploads/subdirectory it throws a 500 error and that is actually a permissions error.
    2. The solution:  on the Windows\Temp folder, grant “modify” permissions to both IUSR and {servername}\IIS_IUSRS user accounts. 
    3. Now when you upload files via PHP and PHP moves them to the correct directory, the files will have the correct permissions and can be accessed.
    4. Important note #1:  If you already have uploaded files and are getting the dreaded broken images issue, go to the /blog/wp-content/uploads/directory and replace/update the permissions to add access for both user accounts noted above.  That will solve that issue.
    5. Important note #2: as with any change off the defaults for Windows, you do this AT YOUR OWN RISK.  It’s up to you if you want to grant the Windows\Temp directory permissions for those two accounts.  If you don’t PHP won’t be able to upload without the 500 issue (unless you move the PHP temp folder elsewhere and grant those accounts access to the other folder).  Do these changes at your own risk… I cannot and won’t take any responsiblity for your systems.  Please know what you are doing.
  8. Another site with good info on WordPress/IIS installs is here

Best of luck on your Windows 2008 R2 IIS 7.5 WordPress install. We use it here and it is fantastic!

9 comments , , , ,

Classic ASP file upload limit of 200kb in IIS 7

IIS Tips & Tricks, Windows Server

During the process of migrating a site to IIS 7 we came across an issue with Classic ASP file uploads throwing 500 errors when larger than 200kb. There is an EASY fix for this.

In IIS 7, click your site and expand it then click the ASP icon.

Expand the Limits Properties icon, and change the value in the “Maximum Requesting Entity Body Limit” to a value larger than 200000 (which is about 200kb). 2000000 would be roughly 2mb, 20000000 would be 20mb.

Click the APPLY button. That’s it!

13 comments , ,

First access on ASPDOTNETSTOREFRONT on a W2K8 R2 server…

ASPDOTNETSTOREFRONT, IIS Tips & Tricks

Ok, so you’ve completed your install of ASPDNSF 9.x onto a Windows 2008 R2 server, and when you first try to access the domain, you get this error:

Server Error in ‘/’ Application.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not load file or assembly ‘System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ or one of its dependencies. The system cannot find the file specified.

Source Error:

 Line 244:        <add assembly=”System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A” />Line 245:        <add assembly=”System.Configuration.Install, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A” />

Line 246:        <add assembly=”System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089″ />

Line 247:        <add assembly=”System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089″ />

Line 248:        <add assembly=”System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089″ />

Source File: C:\Websites\www.whatevermysiteisnamed.com\www\web.config    Line: 246

Assembly Load Trace: The following information can be helpful to determine why the assembly ‘System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ could not be loaded.

 WRN: Assembly binding logging is turned OFF.To enable assembly bind failure logging, set the registry value [HKLM\Software\Microsoft\Fusion!EnableLog] (DWORD) to 1.

Note: There is some performance penalty associated with assembly bind failure logging.

To turn this feature off, remove the registry value [HKLM\Software\Microsoft\Fusion!EnableLog].

 

Version Information: Microsoft .NET Framework Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

What to do???

This is an easy fix. 

Go to Start-> Administrative Tools -> Server Manager – > Features ->Add Feature and ADD .NET Framework 3.5.1 Features

Leave a comment , , ,

ASPDOTNETSTOREFRONT Proper Permissions under Windows 2008 server

ASPDOTNETSTOREFRONT

I hope this is of help to anyone trying to get a current version (meaning 8.x or 9.x) of ASPDOTNETSTOREFRONT running on a Microsoft Windows 2008 server, or Windows 2008 R2 Server. One issue that we have experienced that is not documented or explained well are the permissions for certain directories you need to configure for the app to properly run. The official documentation from ASPDNSF is here, but I have not had any success in my setups getting the application to function properly. When I use the settings below the app works properly and can accept image uploads from the admin interface, etc.

You need to grant the following permissions to the directories below:

AddIns
Images
web.config (file in root directory)

{servername}\IIS_IUSRS (Read, Write, and Modify access)

so if your server box name is webserver1, you would grant webserver1\IIS_IUSRS the Read, Write, and Modify access permissions.

The official documentation from ASPDNSF specifies “Network Service” instead of IIS_IUSRS, but I have never been able to get the app to work properly using that permission.  It does seem to work properly with the permission above.

DISCLAIMER: Please do these AT YOUR OWN RISK. We accept NO responsiblity for the integrity of your server. I am just relaying my experiences with the installation and use process of this ASPDNSF application.

Leave a comment , , ,

Exporting IIS 7 web site settings…

IIS Tips & Tricks

Well, now that Microsoft is shipping Windows 2008 Server R2, we need to know how to (easily) migrate a site from one W2K8R2 machine to another, right?  Microsoft didn’t exactly make this an easy process because there is no built-in method in the IIS 7.0 GUI to do the site export.  So to do the export (and import on another IIS 7 box), you need to drop to a command line and run the following commands:

EXPORT site from IIS 7 (Windows 2008 R2 server)

%windir%\system32\inetsrv\AppCmd.exe LIST SITE "www.yoursitenamehere.com" /config /XML > D:\mysitesconfiguration.xml

IMPORT site into IIS 7.0 (after you have created the above export XML file…)

%windir%\system32\inetsrv\AppCmd.exe ADD SITE /IN < D:\mysitesconfiguration.xml

The last step is to create a new application pool and assign this IMPORTED site to the new application pool.

NOTES:  It is very important that you run this from a command prompt, not the “start bar box” on the Start Menu in Windows 2008 R2 Server.  Instead run the command prompt as Administrator and do this command by keying it in, or create a batch file and execute it as the administrator on that machine.

Leave a comment ,
1 2 3