Thursday, June 10, 2010

HTTP 401.1 and DisableLoopbackCheck

A colleague of mine set up a new WSS virtual machine a few days ago, made a website in WSS, configured it to work with an FQDN, and when he tried to access the website using Internet Explorer, he got the annoying generic error message from his browser.

We looked at the IIS logs and saw one of the quite common HTTP errors there. It was HTTP 401.1 again. I remembered the most common cause of that error, applied a workaround on my colleague's VM and thought it would be good to blog about it, as it has happened so many times to people I know.

The error was generated because of a security feature (or security fix) called the loopback security check. The feature is present in Windows Server 2003 SP1 and later (including Windows Server 2008).

I will not write here about how to work around this problem because it was already explained in detail in the following KB article: http://support.microsoft.com/kb/896861.

A nice explanation of the loopback check and the effects it can have on your WSS or MOSS installation can be found here: http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx

Tuesday, March 30, 2010

Creating a 2048 bit certificate request from VisualSVN Server

A few days ago we decided not to use self-signed certificates with our Subversion servers anymore and decided to buy a certificate approved by a certificate authority.

I went to VisualSVN Manager, made a certificate request, pasted it into the certificate request form on the website of one of the certificate authorities and submitted the form. I was surprised when I saw an error message saying that the certificate request has to be generated with a private key with at least 2048 bit encryption. I went back to VisualSVN Manager to find the step where I could specify the type of key I wanted to use, but I was not able to find such a setting in the certificate request wizard.

It took me a few minutes to find a few posts on the net and to combine them into a working solution, so I thought it would be nice to share those findings with others.

Here are the steps you need to take in order to generate a 2048 bit certificate request using VisualSVN Manager:
  1. You first need to create a new private key for VisualSVN Manager to use when creating a request. To do that, follow these steps:
    1. Open command prompt
    2. Type the following command:
      openssl.exe genrsa 2048 > private.key
    3. After that you will be able to find a new file called "private.key" in your working folder. Open the file in a text editor and leave it for now.
    4. Check that your new private key has the right length by executing the following command in the command prompt:
      openssl.exe rsa -noout -text -in private.key
    5. Check the output of the command executed in step 1.4 and see if you can find the following text in it: "Private-Key: (2048 bit)"

  2. Now you need to update "server.pem" file for your VisualSVN Server. To do that follow the next steps:
    1. Open Windows Explorer and navigate to root folder of your VisualSVN Server installation (it was in "C:\Program Files\VisualSVN Server\" on my server)
    2. Find "server.pem" file (it was in "conf" folder on my server)
    3. Edit "server.pem" file with a text editor
    4. Replace everything between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" with the content of the "private.key" file you generated in step 1.2 and save the changes to "server.pem".

  3. You should now re-create the self-signed certificate for your VisualSVN Server to be able to use Subversion until you acquire and set up a new signed certificate. To do that follow the next steps:
    1. Open VisualSVN Manager
    2. Select "Action" and then "Properties" in menu
    3. Go to "Certificate" tab and click on "Change certificate..." button
    4. Choose "Create new self-signed certificate" option and click "Next >" button
    5. Click on "Next" and "Finish" buttons until you finish with self-signed certificate creation.
    6. Check that the new self-signed certificate has the right key length by executing the following command:
      openssl.exe x509 -noout -text -in server.pem
    7. NB: you will have to put the full path to "server.pem" to be able to see results; when you get the output of the above command, look for the following text: "RSA Public Key: (2048 bit)" - if it is there, then you have a 2048 bit key

  4. The only thing you still need to do is to create a new 2048 bit certificate. To do that follow the next steps:
    1. Open VisualSVN Manager
    2. Select "Action" and then "Properties" in menu
    3. Go to "Certificate" tab and click on "Change certificate..." button
    4. Choose "Prepare certificate request" option and click "Next >" button
    5. Fill-in the name of your domain that will be used by Subversion for SSL communication
    6. Click Next and fill-in the other required information

After completing the above-mentioned steps I was able to request a signed 2048 bit certificate for our Subversion and to use it for all existing and new repositories.
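
A way to confirm the result of the manual paste in step 2 without OpenSSL, as an added example that is not part of the original post: a small Python DER reader that reports the modulus size of the RSA PRIVATE KEY block in PEM text such as "server.pem". The function names and the sample key structure are constructed for illustration; the sample is not a usable key.

```python
import base64
import re

KEY_BLOCK = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)

def read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the size of the length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(pem_text):
    """Modulus size in bits of the RSA PRIVATE KEY block in PEM text."""
    match = KEY_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no RSA PRIVATE KEY block found")
    if "Proc-Type" in match.group(1):
        raise ValueError("key block is passphrase-protected")
    der_bytes = base64.b64decode("".join(match.group(1).split()))
    tag, body, _ = read_tlv(der_bytes, 0)      # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _version, pos = read_tlv(body, 0)       # INTEGER version
    tag, modulus, _ = read_tlv(body, pos)      # INTEGER modulus n
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(bits):
    """Constructed sample, NOT a usable key: version plus a `bits`-bit modulus."""
    ints = [0, (1 << (bits - 1)) | 1]
    body = b"".join(der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    b64 = base64.b64encode(der(0x30, body)).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n" + b64 + "\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(rsa_key_bits(sample_pem(2048)))
```

To check a real file, pass its contents to rsa_key_bits(); a result below 2048 means the old key block is still in place.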

Saturday, March 20, 2010

SharePoint Custom Error Page

As you may already know, SharePoint comes with a "friendly" standard error page that does not give sufficient information about the error that occurred. Since a SharePoint web application is an ASP.NET 2.0 web application, it should be easy to set a custom error page by changing the web.config file. Unfortunately, the changes will not take effect the way you would expect in a pure ASP.NET 2.0 web application.

Fortunately, you can avoid the standard SharePoint "friendly" error page by changing several settings in the SharePoint web application's web.config file. Depending on the settings, you may see the custom error page you've built or the standard ASP.NET error page with a full stack trace. During development it is very handy to see the standard ASP.NET error page, but from the user's perspective, when it comes to other environments (staging, acceptance, production), it is better to have an error page that has the same look & feel as the entire web application.

If you are building a SharePoint web application that is based on the publishing site template, then you will not be satisfied with the out-of-the-box error page, since it will differ significantly from the look & feel that you've built and the content on that page cannot be updated. For web applications that are based on the team site template you will, on the other hand, usually keep the standard SharePoint error page because it fits the standard team site look & feel. It is important to mention that changing the look & feel of the standard SharePoint error page should not be considered, for several reasons: one is that the changes will take effect on the whole SharePoint server instance and all web applications created within that instance; the second is that any Microsoft update can overwrite your custom changes.

Although this post is not about explaining how to set up the standard ASP.NET error page, I must start my explanation with it because it is a good starting point for setting up the custom error page and most developers already know it.

Default configuration inside one SharePoint web application web.config file:

SafeMode
<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">
CustomErrors
<customErrors mode="On" >

In order to see the ASP.NET default error page with a full stack trace, apply the following changes to the appropriate SharePoint web application's web.config file:

SafeMode
<SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">
CustomErrors
<customErrors mode="Off" >

If you only change CallStack to true, you will see the standard ASP.NET error page but without exception details.

In order to see the custom error page you've built (i.e. error.aspx), apply the following changes to the appropriate SharePoint web application's web.config file:

SafeMode
<SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">
CustomErrors
<customErrors mode="On" defaultRedirect="/Pages/Error.aspx">

The conclusion is quite simple: in order to be able to define the custom errors mode and default redirect as you already can with standard ASP.NET applications, simply set CallStack to true and you will be able to configure your custom error page.
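
The four combinations described above, as an added Python example (not from the original post) that reads a web.config and reports which error page it produces, so that the stack-trace setting can be caught before a file is deployed outside development. The function names, result labels and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config skeleton (not a full SharePoint file): only the two
# elements the post changes are present.
TEMPLATE = """<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="{call_stack}" DirectFileDependencies="10"
              TotalFileDependencies="50" AllowPageLevelTrace="false" />
  </SharePoint>
  <system.web>
    <customErrors mode="{mode}" {redirect}/>
  </system.web>
</configuration>"""

def sample_config(call_stack, mode, redirect=None):
    """Build a constructed web.config string for the given settings."""
    attr = 'defaultRedirect="%s" ' % redirect if redirect else ""
    return TEMPLATE.format(call_stack=call_stack, mode=mode, redirect=attr)

def error_page_behaviour(web_config_xml):
    """Return the error page these settings produce, as the post describes it."""
    root = ET.fromstring(web_config_xml)
    safe_mode = next(root.iter("SafeMode"), None)
    custom = next(root.iter("customErrors"), None)
    if safe_mode is None or custom is None:
        raise ValueError("SafeMode or customErrors element not found")
    call_stack = safe_mode.get("CallStack", "false").lower() == "true"
    mode = custom.get("mode", "").lower()
    redirect = custom.get("defaultRedirect")
    if not call_stack:
        return "sharepoint-friendly-page"      # customErrors has no effect
    if mode == "off":
        return "aspnet-page-with-stack-trace"  # development only
    if mode == "on":
        return "custom-page:" + redirect if redirect else "aspnet-page-without-details"
    return "not-covered-by-post:" + mode       # e.g. RemoteOnly

def leaks_stack_trace(web_config_xml):
    """True for the combination that shows exception details to every visitor."""
    return error_page_behaviour(web_config_xml) == "aspnet-page-with-stack-trace"

if __name__ == "__main__":
    for args in [("false", "On"), ("true", "Off"), ("true", "On"),
                 ("true", "On", "/Pages/Error.aspx")]:
        print(args, "->", error_page_behaviour(sample_config(*args)))
```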