30 April 2004

Microsoft CMS2002 installation notes

Install on Windows 2000 with .Net Framework 1.1 and VS.Net 2003

• To install CMS2002 SP1A you first need to install CMS2002.
• If the CMS dev tool (VS.NET client) is desired, you cannot just install CMS2002 on top of VS.NET 2003. It complains ‘VS.NET is not found’; you need to install VS.NET, including ‘Windows Component Update’.
• Follow the CMS2002 installation guide.
• Apply SP1A.

Install on Windows 2003 Server
• Remember to check that IIS and server-side includes have been installed.
• Apply the high security template if you haven’t yet installed .NET Framework or VS.NET. This is the best opportunity to do so.
• No need for IIS LockDown; that is built in to IIS 6 on Win2k3.
• Install VS.Net (2002), including ‘Windows Component Update’, if the CMS 2002 dev tool is desired. The dev plug-in only works on VS.Net 2002.
  There is a known issue that requires you to enable ASP and FPSE on IIS. Follow this:
• Framework 1.1 is installed when installing Win2k3.

If a loopback adapter is used and the MCMS SCA, Public and Authoring sites are configured to use a non-default IP address, i.e. localhost, remember to update your DNS host file and set the Internet connection option to bypass local addresses.

Install sample site Woodgrove Bank
Installation went through OK, but I have problems hitting the site.


The first problem is about running ASP.NET on a Domain Controller
The server I use is configured as a Domain Controller (with Active Directory): Windows 2000 Advanced Server, .NET 1.1. The error page looks like this:


Access to the path "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Woodgrove\9c4ac7bd\97d3c1c0\global.asax.xml" is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


This doc offers a solution:
FIX: ASP.NET Does Not Work with the Default ASPNET Account on a Domain Controller

In practice, I use IWAM_(MachineName) instead of ASPNET. All security policies (Domain Controller Security Policy, Domain Security Policy, Local Security Policy) needed to be updated to include IWAM_(MachineName) for ‘Log on as a batch job’, as pointed out in the article above.
Then add IWAM_(MachineName) with full control to the physical directory C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files

Run iisreset.

Now I am getting a different error: missing SeImpersonatePrivilege

[COMException (0x80041b58)]
Microsoft.ContentManagement.Interop.Publishing.CmsHttpContextClass.Initialize(String currentUrl, String httpHostName, Int32 serverPort, Boolean isSecureServer, Int32 iisInstanceId, String remoteMachineAddress, String authenticationType, String authenticationToken, Int32 windowsUserHandle, String ClientAccountName) +0
Microsoft.ContentManagement.Publishing.CmsHttpContext.initialize(IntPtr windowsToken, String cmsAuthToken, String clientUserName, String clientAccountType) +297
Microsoft.ContentManagement.Publishing.CmsHttpContext.getCmsHttpContextFromIdentity(HttpContext httpContext) +1088
Microsoft.ContentManagement.Publishing.CmsHttpContext.get_Current() +57

As documented in CMS2002 SP1 MCMS 2002 - Debugging FAQ

The account (IWAM_(MachineName)) running the ASPNET_WP worker process is missing the SeImpersonatePrivilege privilege when Windows 2000 SP4 is installed.
There are two steps to resolve this problem:
1) Add impersonation privileges to IWAM_(MachineName) or to any account (such as ASPNET) that runs the ASPNET_WP worker process. This can be done by adding ‘Impersonate a client after authentication’ to the account in Local Security Settings. Check the Microsoft Content Management Server 2002 Service Pack 1 Documentation.

2) Update Machine.config and/or web.config
(c:\WINNT\Microsoft.NET\Framework\{version number}\CONFIG\Machine.config)
As I am running .NET Framework 1.1 for this, I use version v1.1.4322.
Find the processModel node and update the userName and password attributes to:
<processModel [other attributes] userName="<domain Name>\IWAM_(machineName)" password="(actual password)" />

Wahoo, this problem is gone. Now I can see the Woodgrove initial login page, which prompts me for login credentials, a bit strange. It says:
You are using an insecure connection. If you click Continue it will be possible for others to view information you send or receive.

I try to log in using a few different identities: CMS_SYSTEM and NT accounts that have been granted the Author role. I also use the IIS console manager to check that the directory security properties are set to anonymous/Windows authentication; this seemed fine.
Then I look at the Web.config and notice the authentication mode has been set to ‘Forms’, like this:

<authentication mode="Forms">
  <forms name="WoodgroveNet" path="/" loginUrl="/WoodgroveNet/Templates/ManualLogin.aspx"
         protection="All" timeout="30" >
  </forms>
</authentication>
<authorization>
  <allow users="*" />
</authorization>

I quickly comment this out and uncomment the Windows authentication mode:
<authentication mode="Windows" />

Finally got the site working!
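
The two config changes made above (the processModel credentials in Machine.config and the Woodgrove authentication/authorization section in Web.config) can be reviewed with a short audit script. This is an added example, not part of the original notes or of MCMS; the function name audit_config, the check names and the sample values are constructed for illustration. It accepts a processModel password only when it uses the registry: reference form written by Microsoft's aspnet_setreg.exe utility.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the settings quoted in this post; the domain,
# machine name and password are placeholders.
SAMPLE_CONFIG = r"""<configuration><system.web>
  <processModel enable="true" userName="EXAMPLEDOM\IWAM_WEB01"
                password="placeholder-password" />
  <authentication mode="Forms">
    <forms name="WoodgroveNet" path="/" protection="All" timeout="30"
           loginUrl="/WoodgroveNet/Templates/ManualLogin.aspx" />
  </authentication>
  <authorization><allow users="*" /></authorization>
</system.web></configuration>"""

BUILTIN = {"machine", "system"}  # identities that use password="AutoGenerate"


def audit_config(xml_text):
    """Return (check_id, detail) findings for one Machine.config/Web.config."""
    findings = []
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return findings

    pm = web.find("processModel")
    if pm is not None:
        user, pwd = pm.get("userName", ""), pm.get("password", "")
        custom = bool(user) and user.lower() not in BUILTIN
        # A custom account carries a real password: flag it when it is
        # written in the file instead of being a registry: reference.
        if custom and pwd and pwd != "AutoGenerate" and not pwd.startswith("registry:"):
            findings.append(("cleartext-password", user))

    auth = web.find("authentication")
    if auth is not None and auth.get("mode", "").lower() == "forms":
        forms = auth.find("forms")
        # requireSSL exists from .NET Framework 1.1; without it the login
        # form and the ticket cookie may travel over plain HTTP.
        if forms is None or forms.get("requireSSL", "false").lower() != "true":
            findings.append(("forms-without-ssl", auth.get("mode")))

    authz = web.find("authorization")
    for rule in (authz if authz is not None else []):  # rules match top-down
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"*", "?"}:  # first rule covering anonymous users decides
            if rule.tag == "allow":
                findings.append(("anonymous-allowed", rule.get("users")))
            break
    return findings
```

Calling audit_config(SAMPLE_CONFIG) reports all three checks for the settings shown in this post; the last one is informational for a site that is meant to serve guests.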