Migrating Classic ASP websites from Windows 2003 IIS 6 to 2012 R2 IIS 8

I have recently been working on getting some major applications off a Windows 2003 platform, as this platform no longer meets security requirements; as we all know, Microsoft stopped supporting these servers in July 2015.

To do this I started by using the Windows Server 2003 Migration Planning Assistant and Atlassian’s JIRA to map out the key steps and outcomes. I then worked with our Service / Storage and Networks teams to get the new servers spun up in VMware and to get the oh-so-important firewall rules opened, so the new servers have the same access as the old ones.

It was then a case of modelling the structure on my local installation of IIS (Internet Information Services). There were some parts that weren’t straightforward, so I will explain those here. I hope for your sake that your company has already migrated away from Classic ASP code.

  • Global.asa – This file now needs to be in the root of each application, rather than just one on your top-level website. Each IIS application is its own ASP scope.
  • AppPools – Make sure that you’ve set ‘Enable 32-bit applications’ to True. The Microsoft ODBC for Oracle driver used below is 32-bit, and a 64-bit worker process cannot load it.
  • Oracle – You still need to install the 32-bit Oracle client if your website connects to Oracle databases using Microsoft ODBC for Oracle.
  • WebDeploy – Use Web Deploy from Visual Studio to deploy your code to the server. It is much easier than using an FTP server and also saves having to deploy to each individual server, as you can write a PowerShell script which deploys to all your servers in one go.
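The four bullets above as a script. This is an added example, not code from the original post: Part 1 runs once on each new IIS 8 server and sets up a Classic ASP application the way the bullets describe; Part 2 runs from the build machine and pushes the same content to every server with Web Deploy (msdeploy.exe). Site, pool and application names, paths and hostnames are all assumptions, and Part 2 assumes Web Deploy 3 is installed locally and the Web Management Service on each target is started and enabled for remote connections.

```powershell
# Added example (not from the original post). Names, paths and hostnames are assumptions.

# ---- Part 1: run on each new web server -----------------------------------------------------
function Initialize-ClassicAspApp {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AppName  = 'LegacyApp',           # assumed application name
        [string]$PoolName = 'LegacyAppPool',       # assumed app pool name
        [string]$AppPath  = 'D:\Sites\LegacyApp'   # assumed content path
    )
    # Classic ASP is not installed by default on 2012 R2; WMSvc (port 8172) is what Web Deploy talks to.
    Install-WindowsFeature Web-ASP, Web-Mgmt-Service | Out-Null
    Import-Module WebAdministration

    if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
    # Classic ASP does not need the .NET runtime ('No Managed Code') ...
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name managedRuntimeVersion -Value ''
    # ... and the pool must be 32-bit: the Microsoft ODBC for Oracle driver is 32-bit and a
    # 64-bit w3wp.exe cannot load it. This is 'Enable 32-bit applications' in IIS Manager.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name enable32BitAppOnWin64 -Value $true
    # New pools already run as the low-privilege ApplicationPoolIdentity; leave that alone.

    if (-not (Test-Path $AppPath)) { New-Item -ItemType Directory -Path $AppPath | Out-Null }
    # One IIS application per app: each is its own ASP scope, hence its own Global.asa.
    if (-not (Test-Path "IIS:\Sites\$SiteName\$AppName")) {
        New-WebApplication -Site $SiteName -Name $AppName -PhysicalPath $AppPath -ApplicationPool $PoolName | Out-Null
    }
}

# ---- Part 2: run from the build machine ------------------------------------------------------
function Publish-ToWebServers {
    param(
        [Parameter(Mandatory)][string[]]$Servers,
        [string]$SourcePath = 'C:\Build\LegacyApp',   # assumed: folder published by Visual Studio
        [string]$SiteName   = 'Default Web Site',
        [string]$AppName    = 'LegacyApp',
        [switch]$Preview                              # msdeploy -whatif: show the sync, change nothing
    )
    $msdeploy = "$env:ProgramFiles\IIS\Microsoft Web Deploy V3\msdeploy.exe"
    $cred  = Get-Credential -Message 'Account allowed to deploy via Web Management Service'
    $plain = $cred.GetNetworkCredential().Password   # ends up on the msdeploy command line (see note)

    foreach ($server in $Servers) {
        $dest = "contentPath='$SiteName/$AppName'," +
                "computerName='https://${server}:8172/msdeploy.axd?site=$SiteName'," +
                "userName='$($cred.UserName)',password='$plain',authType='Basic'"
        $msdArgs = @('-verb:sync', "-source:contentPath='$SourcePath'", "-dest:$dest",
                     '-enableRule:DoNotDeleteRule')   # never delete server-side files we did not ship
        if ($Preview) { $msdArgs += '-whatif' }
        & $msdeploy @msdArgs
        if ($LASTEXITCODE -ne 0) { Write-Warning "Deploy to $server failed (exit code $LASTEXITCODE)" }
    }
}

# Publish-ToWebServers -Servers 'web01.example.internal','web02.example.internal' -Preview
```

Run with -Preview first and read the sync plan before letting it write. The WMSvc certificate on each target must be trusted by the build machine; msdeploy refuses untrusted certificates by default, and switching that check off is how you end up sending a deployment account’s password to whatever answers on port 8172. Note also that the password is visible in the msdeploy process command line to local administrators of the build machine, so use a dedicated, least-privilege deployment account rather than your own.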

How to show your debug messages on screen… I’ll come back to this in a few days; it’s late at night and I’m too tired to continue explaining.

The above should get you started. Good Luck!

Right, I’m back to finish off the post.

Within IIS Manager click the server name in the left-hand tree, double-click ASP within the IIS panel, open up ‘Debugging Properties‘ and change ‘Send Errors To Browser‘ to True. You can do this for the whole server as described, or for a single site and all of its web applications, or per application: select the site or application name on the left before double-clicking ASP. Bear in mind that this setting returns the ASP error text, including script paths, line numbers and database error messages, to anyone who triggers the error, so scope it to the application you are debugging and switch it back off once you are done.

[Screenshot: ASP-IIS-Debug]

You might also need to switch on detailed errors for a particular error code. Let’s say your page is reporting a 500 error and you know that the page is there (an index.html file in the root displays correctly, which is a good sanity test). To turn these on, double-click on Error Pages within the IIS panel for the site or the application as above, then select the error code on the left and click ‘Edit Feature Settings…‘ on the right.

[Screenshot: DetailedErrors]

This then shows the following dialog box, where you select ‘Detailed errors‘. If a browser on the server itself will do for your debugging, the middle option, ‘Detailed errors for local requests and custom error pages for remote requests‘, gives you the same information without showing it to the outside world.

[Screenshot: DetailedErrors2]

This process creates or updates a web.config file in the root of your site or application so that it contains the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>
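The two IIS Manager steps above (ASP ‘Send Errors To Browser‘ and Error Pages ‘Detailed errors‘) are ordinary configuration properties, so they can be toggled from PowerShell and, more importantly, toggled back off when the debugging is finished. The following is an added example, not code from the original post; the site/application path is an assumption.

```powershell
# Added example (not from the original post). The site/application path is an assumption.
Import-Module WebAdministration

# system.webServer/asp is locked at server level by default, so write through applicationHost.config
# with -Location instead of into the application's own web.config; this works whether or not the
# section has been unlocked.
$appHost = 'MACHINE/WEBROOT/APPHOST'

function Enable-AspErrorDetail {
    param([Parameter(Mandatory)][string]$Location, [switch]$LocalOnly)
    # 'Send Errors To Browser' = asp/scriptErrorSentToBrowser. The ASP error text (script path,
    # line number, ODBC/ORA message) is returned to whoever triggered the error.
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location `
        -Filter 'system.webServer/asp' -Name 'scriptErrorSentToBrowser' -Value $true
    # 'Detailed errors' = httpErrors/errorMode. DetailedLocalOnly is the middle radio button in the
    # dialog: full detail for a browser on the server, the generic page for everyone else.
    $mode = if ($LocalOnly) { 'DetailedLocalOnly' } else { 'Detailed' }
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location `
        -Filter 'system.webServer/httpErrors' -Name 'errorMode' -Value $mode
}

function Disable-AspErrorDetail {
    param([Parameter(Mandatory)][string]$Location)
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location `
        -Filter 'system.webServer/asp' -Name 'scriptErrorSentToBrowser' -Value $false
    # DetailedLocalOnly is the IIS default, i.e. back to where a fresh install starts
    Set-WebConfigurationProperty -PSPath $appHost -Location $Location `
        -Filter 'system.webServer/httpErrors' -Name 'errorMode' -Value 'DetailedLocalOnly'
}

function Get-AspErrorDetail {
    param([Parameter(Mandatory)][string]$Location)
    $asp  = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter 'system.webServer/asp'
    $errs = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter 'system.webServer/httpErrors'
    [pscustomobject]@{
        Location                 = $Location
        ScriptErrorSentToBrowser = $asp.scriptErrorSentToBrowser
        HttpErrorsMode           = $errs.errorMode
    }
}

$location = 'Default Web Site/LegacyApp'   # assumed site/application
Enable-AspErrorDetail -Location $location -LocalOnly
# ...reproduce the fault from a browser on the server and read the real ASP error...
Disable-AspErrorDetail -Location $location
Get-AspErrorDetail -Location $location      # confirm both settings are back to their safe values
```

Run Get-AspErrorDetail across every site and application before the server goes live; a forgotten ‘Send Errors To Browser‘ on one legacy application is exactly the kind of thing that hands an attacker file paths and connection details for free.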

Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’

If you’re getting this in a Classic ASP application and you’ve done all the above steps, then your Global.asa file has the wrong connection string, or the alias (TNS name) it references is missing from the Oracle client’s tnsnames.ora file. The full error looks like this:
Microsoft OLE DB Provider for ODBC Drivers error ‘80004005’

[Microsoft][ODBC driver for Oracle][Oracle]ORA-12154: TNS:could not resolve the connect identifier specified

/blah/blah.asp, line 26

 

Mailto subject / body in Android email client broken?

The following section of mailto: code wasn’t working on the default Android email client and Gmail client.

<div class="panel-body">
Please contact the <a href="mailto:it.helpline@random.com?Subject=No%20Tiles%20within%20Application&amp;Body=Please%20could%20you%20check%20my%20account%20@(Model.LoggedInUser.Id)%0D%0A%0D%0AMany%20Thanks" target="_top">IT Helpline</a></div>

The reason is down to a simple issue: ?Subject and &Body both started with capital letters. Change these to lowercase, ?subject and &body, and the following code works across all clients on all platforms. If the value you splice into the body (here the user id) can ever contain characters such as & or spaces, URL-encode it as well so it cannot break the query string.

<div class="panel-body">
Please contact the <a href="mailto:it.helpline@random.com?subject=No%20Tiles%20within%20Application&amp;body=Please%20could%20you%20check%20my%20account%20@(Model.LoggedInUser.Id)%0D%0A%0D%0AMany%20Thanks" target="_top">IT Helpline</a></div>

I’ve tested on:

Android : Default mail, Gmail, Nine

iOS : Safari, Gmail

Windows : Outlook, Gmail

Achieve ‘A’ rating on SSLABS server test using IIS 8.5 Windows 2012 R2

Do you want to reach the heights of having an A-graded server on the SSL Labs server test?

The first thing you need to do on a fresh install of Windows Server 2012 R2 and IIS 8.5 is disable SSL 3.0, which can be achieved by following this guide. Come back here once you have done this. Or, if you trust me, here’s my exported regedit key, which you can just import on your server. Note that SSL Labs has tightened its grading since this was written: a server that still offers TLS 1.0 or TLS 1.1 is now capped at a B, so if you want the A today, disable those two protocols in the same way (same registry layout, keys named ‘TLS 1.0’ and ‘TLS 1.1’) once your client base allows it.

Below is the cipher suite string that I put into the Local Group Policy Editor. To do so, click the Windows icon, type gpedit.msc and press Enter to launch the Policy Editor. On the left, open ‘Computer Configuration’ / ‘Administrative Templates’ / ‘Network’ / ‘SSL Configuration Settings’ and double-click ‘SSL Cipher Suite Order‘ to open it. Set it to Enabled, paste the list below into the ‘SSL Cipher Suites’ field, click OK and restart your server, then run the SSL server test again to see the result.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

The cipher suites from above all on one line, for copying into GPEDIT.MSC:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

At the time of writing, the following two cipher suites only worked on Windows Server 2016 & IIS 10:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

*Note: I’ve included ‘TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256‘ & ‘TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384‘ in a separate code block below the main cipher keys, although these do not currently work on Windows 2012 with IIS 8.5. I’m hoping that a patch will come through from Microsoft soon which enables them, as these will take the ‘A’ to an ‘A+’ rating, as they do when using Windows Server 2016 IIS 10.

So if you are using IIS 10 on Windows Server 2016, add these two to the top and remove the bottom two, as the full list will not fit within the cipher suite field (the policy value is limited to 1023 characters). Note also that SSL Labs only awards the A+ when the site sends a Strict-Transport-Security header with a long max-age, so add HSTS on the https site as well.
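The two manual steps in this section, disabling SSL 3.0 and setting the ‘SSL Cipher Suite Order‘ policy, both end up as registry values, so they can be applied and reviewed from an elevated PowerShell prompt. The following is an added example, not code or the exported key from the original post. The suite order it writes is my own recommendation (ECDHE with AES-GCM first, static-RSA suites last) rather than the list above, and it checks the 1023-character limit that the policy field imposes.

```powershell
# Added example (not from the original post). Run elevated; Schannel reads these at boot,
# so reboot before re-running the SSL Labs test.

# 1. Disable protocols for inbound (server) connections. Enabled=0 plus DisabledByDefault=1 is
#    the belt-and-braces form Microsoft documents. Add 'TLS 1.0','TLS 1.1' once your clients allow:
#    SSL Labs now caps a server that still offers them at a B.
$protocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in @('SSL 2.0', 'SSL 3.0')) {
    $key = Join-Path $protocolRoot "$proto\Server"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
}

# 2. Cipher suite order. ECDHE + AES-GCM first (forward secrecy, AEAD), ECDHE + CBC next, and the
#    static-RSA suites last: they have no forward secrecy and are only there for legacy clients,
#    so drop them if nothing old needs them. Schannel skips names the installed build does not
#    implement, so listing the ECDHE_RSA GCM suites on 2012 R2 is harmless if they are absent.
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# This is the same REG_SZ that the gpedit.msc 'SSL Cipher Suite Order' setting writes, and it has
# the same 1023-character ceiling; anything beyond that is silently lost.
$functions = $suites -join ','
if ($functions.Length -gt 1023) {
    throw "Cipher suite list is $($functions.Length) characters; the policy value holds at most 1023."
}
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name Functions -Value $functions -PropertyType String -Force | Out-Null

# 3. Show what is now configured. After the reboot, Get-TlsCipherSuite (available from 2012 R2 on)
#    lists the suites the machine will actually negotiate, in order; anything you listed that is
#    missing from its output is not implemented on this build.
(Get-ItemProperty -Path $policyKey).Functions -split ','
```

If the server is domain-joined, a domain GPO that sets the same policy will overwrite this local value at the next policy refresh, so put the order in the GPO rather than fighting it locally.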

Chrome updates disabled by Administrator?

You might run into this issue in a large corporation, where an overzealous administrator thinks they know better than Google and therefore tries to stop your machine from staying up to date with the latest Google release.

Please note to edit your Registry you need to be a Local Administrator.

To ‘fix’ this issue, it might need to be done using a batch script, as Group Policy may reapply the value on each login or at its refresh interval.

Run the Registry Editor, Start/Run: regedit

Browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update

Double-click UpdateDefault or DefaultUpdate (which one you have depends on the version installed)

Change the 0 to a 1

Exit Registry Editor and return to the Help / About Google Chrome page; your browser will then start to auto-update!

IIS 6 Http to Https Redirect

Yes, why on earth would you still be using a server which can only support IIS 6?! But some things in this world cannot be pushed into the future fast enough; in the case of our organisation there are quite a few Windows 2003 servers which are still in use, which is shocking.

So what do I need to do to get a redirect in place?

Create a blank file called HttpRedirect.htm in the root directory of your website and copy in the code below.

<!-- beginning of HttpRedirect.htm file -->
<script type="text/javascript">
// Served by IIS 6 as the custom 403.4 page when "Require secure channel (SSL)" rejects a plain
// http request. Rebuilds the same URL on https and sends the browser there.
function redirectToHttps() {
    // Leave empty for the standard port 443; set to ":4443" (for example) if https runs elsewhere
    var httpsPort = "";
    // Keep the path AND the query string so the user lands on the page they actually asked for
    var httpsURL = "https://" + window.location.hostname + httpsPort +
                   window.location.pathname + window.location.search;
    // replace() keeps the http:// URL out of the back-button history
    window.location.replace(httpsURL);
}
redirectToHttps();
</script>
<!-- end of HttpRedirect.htm file -->

Set the 403.4 error page to use this file instead of the regular error file. In IIS 6, right-click your website and select ‘Properties‘, click the ‘Custom Errors‘ tab, find 403.4 in the list, click ‘Edit‘ and then ‘Browse‘, and point it at the file you created above.

Select the ‘Directory Security‘ tab and click ‘Edit’ in the Secure Communications section.

Tick the ‘Require secure channel (SSL)‘ option. (This only allows pages on this site to be viewed over https; a plain http request is answered with 403.4, which is what serves the redirect page.)

Now browse to an http URL on this website and you’ll be redirected to https. Two caveats: the redirect relies on JavaScript, so clients without it (and search engine crawlers) simply see a 403 response rather than a proper 301; and it only kicks in after the browser has already sent the request in clear. The ‘HTTP Headers‘ tab of the https site’s properties lets you add a custom Strict-Transport-Security header so that returning browsers go straight to https and skip the http request altogether.

Lost your BASH’fulness?

The dreaded moment when you are on your Unix / Linux server, you type ‘ls‘ and up pops ‘Command not found‘.

Before running about screaming and asking yourself why you ran that last command:

Check your PATH

$ echo $PATH

If yours is not showing the /bin, /usr/bin or /usr/local/bin directories, then this is why you are getting ‘Command not found‘: these are the directories that hold the system’s user commands. In the meantime you can still run any command by its full path, e.g. /bin/ls.

So you’ll need to add them back into the PATH:

export PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

Now try the ‘ls‘ command again. It should now work.

If you want to add a directory later, do

export PATH=$PATH:/my/new/directory

That way it keeps the existing PATH and adds the new directory to the end. Append rather than prepend, and never add ‘.‘ or a world-writable directory: anything earlier in PATH can shadow a system command with a file of the same name.

If you need the above to be available at startup, search for “(OS) add path to startup” or “(OS) add path to profile“; there are too many OS variations on this topic to cover here.

Port opened? Telnet is your friend

Do you want to know if the problem you are having is a network \ firewall issue?

You can simply use Telnet to check whether the port you are trying to connect to is reachable.

You can test any TCP port this way, not just the telnet port itself.

First off you need to install Telnet Client on your machine.

To do so, open a command prompt window. Click Start, type cmd in the Start Search box, and then press ENTER.

pkgmgr /iu:"TelnetClient"

(pkgmgr is deprecated on Windows 8 / Server 2012 and later, where the Telnet Client is enabled through DISM or, on a server, the Install-WindowsFeature cmdlet instead.) Next, close the current command prompt and reopen it so that the path to the Telnet client you’ve just installed is picked up.

Now type the connection & port to test

telnet <server> <port>

Example

telnet google.co.uk 80

If you get a blank screen, or a screen with some odd characters, then the port is open and something answered.

If you get :

Connecting To google.co.uk..Could not open connection to the host, on port 80:Connect failed

then you’ll need to get your network team to open a firewall rule for the required port, or fix the iptables rules if the target is a Unix / Linux server. Bear in mind that the same message also appears when the host is reachable but nothing is listening on that port, so check that the service is actually running on the target before blaming the firewall.
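The telnet trick works, but it cannot tell you whether the connection timed out (a firewall silently dropping packets) or was refused (the host answered, nothing is listening), and those two failures are fixed by different teams. The function below, an added example and not code from the original post, makes that distinction and checks several ports in one pass. The hostnames and ports are placeholders.

```powershell
# Added example (not from the original post). Hostnames and ports below are placeholders.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # Neither SYN-ACK nor RST came back within the timeout: a firewall dropping the packets,
            # or the host is down / unroutable. This is the case for the network team.
            $open = $false; $result = 'Filtered (timeout)'
        } else {
            $client.EndConnect($async)       # throws if the connection was refused
            $open = $true;  $result = 'Open'
        }
    } catch {
        # Fast failure: the host replied with RST (nothing listening on that port) or the name did
        # not resolve. A firewall rule will not fix this; check the service on the target instead.
        $open = $false; $result = 'Closed/unreachable: ' + $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $open; Result = $result }
}

# Check the dependencies of a freshly migrated web server in one pass
@(
    @{ Host = 'oracle-db.example.internal'; Port = 1521 }   # Oracle listener
    @{ Host = 'web02.example.internal';     Port = 8172 }   # Web Management Service (Web Deploy)
    @{ Host = 'www.google.co.uk';           Port = 80 }
) | ForEach-Object { Test-TcpPort -ComputerName $_.Host -Port $_.Port } | Format-Table -AutoSize
```

On Windows 8.1 / Server 2012 R2 and later, Test-NetConnection -ComputerName host -Port n does the same one-off check, but the function above also runs on the older PowerShell 2.0 boxes you are likely to meet during a 2003 migration, and it keeps the timeout-versus-refused distinction that saves a round trip with the network team.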