WordPress on IIS

These are my notes for getting WordPress on IIS 10 (1809) on Windows Server 2019 Core working.  I ran into a problem with MySQL 8.0 so I reverted back to MySQL 5.6 until I can spend a little more time troubleshooting and document my experience.

[This is a running draft currently]

  1. Install and Configure: IIS 10 (1809)
    1. IIS Role
      1. Features > CGI, Dynamic Compression
    2. Configure IIS FastCGI parameters – can be done with the Administration Pack, but I’m running Core and did it from the command line.
      1. %windir%\system32\inetsrv\appcmd set config -section:system.webServer/fastCgi /[fullPath='c:\{php_folder}\php-cgi.exe'].instanceMaxRequests:10000
      2. %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/fastCgi /+"[fullPath='C:\{php_folder}\php-cgi.exe'].environmentVariables.[name='PHP_FCGI_MAX_REQUESTS',value='10000']"
    3. GZIP (static/dynamic compression)
  2. Install and Configure: PHP 7.3
    1. Non-thread safe PHP 7.3 x64 installed to C:\PHP
    2. Needs VC15 redistributable (x64)
    3. Configure date.timezone, upload_tmp_dir, etc.
      1. Set permissions for tmp file location using icacls
        1. icacls tmppath /grant "IIS_IUSRS":(OI)(CI)F
  3. Install and Configure: MySQL Community Server 5.6.42
    1. Needs VC13 redistributable
    2. Configure bind-address for 127.0.0.1 in C:\ProgramData\MySQL\my.cnf
  4. Install and Configure WordPress
    1. Folder permissions required (IIS_IUSRS) using icacls
      1. icacls websiteroot /grant "IIS_IUSRS":(OI)(CI)F
    2. Download latest ZIP
      1. Tip: PowerShell Expand-Archive latest.zip works great – seemed slow, but it worked.
    3. IIS Rewrites (2.1 is required – I used x64 download)
      1. Permissions
        1. Note: example.com is the name of a website I created in IIS, so permissions use the App Pool Identity.
        2. icacls "C:\inetpub\example.com" /grant:r "IIS APPPOOL\example.com:(OI)(CI)(RX,W)" /T
        3. Some notes I need to revise:
          1. iis permissions setup
            
            icacls PATH /remove "UserOrGroup" /t (removes recursively)
            
            I use:
            icacls httproot /inheritance:d
            icacls httproot /remove "BUILTIN\Users" /t
            icacls httproot /grant "IIS APPPOOL\domain.com" (this will propagate via inheritance to httproot\*)
            
            
            icacls httproot /grant "IIS APPPOOL\domain.com:(OI)(CI)F" /t
            
            PS C:\inetpub\domain.com> icacls httproot
            httproot IIS APPPOOL\domain.com:(F)
            NT SERVICE\TrustedInstaller:(F)
            NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(F)
            BUILTIN\Administrators:(OI)(CI)(IO)(F)
            CREATOR OWNER:(OI)(CI)(IO)(F)
            
            
            create site
            authentication > anonymous authentication > edit > change to Application Pool Identity > OK
            
            right click on site > manage > advanced > ensure application pool is selected for correct application pool (domain.com)
            
            application pools > right click domain.com pool > ensure Process Model section > Identity is set to ApplicationPoolIdentity
  5. LetsEncrypt SSL
  6. Benchmark
  7. PHP 5.7 on old IIS 7.5 (2008R2) vs new server (2019 Core) with PHP 7.3

 

Error: This operation was blocked by role based access control settings or other network issue

I’m attempting to upload a file via Windows Admin Center and encountered the following error: Error: This operation was blocked by role based access control settings or other network issue.

Cursory search points to an issue with role-based access, so within Windows Admin Center dashboard, I hit the settings (bottom left) and choose Role Based Access Control.

In here, I attempt to apply Role Based Access Control (RBAC) and get the following error.

Couldn’t apply role-based access control to the computer. Error: The network path was not found.

Another cursory search leads me to think, via Windows Admin Center known issues, that it could be the Windows Defender Application Control (WDAC).  So for kludge purposes, I just decide to remove Windows Defender itself;  I’ll be utilizing a different security suite anyway whenever this makes it to production.

To remove Windows Defender completely from Server 2019 using PowerShell, I use the following command: Uninstall-WindowsFeature -Name Windows-Defender

Note:  This will require a reboot of your server.

After my server came back up, I again tried to apply Role Based Access Control and it failed with the same error.  Now I will dig in a little deeper and update this post soon with new information and hopefully a solution I’ve found.

Resolution

The firewall was the culprit — disabling it, Set-NetFirewallProfile -Profile domain,public,private -Enabled false, resolved the upload error.  I have not attempted to apply RBAC yet.

Tip: Ensure PSRemoting is enabled on the target server and that the firewall rules are added.  From an elevated PowerShell prompt:

Enable-PSRemoting

Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any

I also needed to allow port 445 as those two didn’t solve my issue:

New-NetFirewallRule -DisplayName "WAC File Upload" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 192.168.1.100 -Profile Public,Domain,Private

The next error I get, and I’m not sure why yet, is the following AFTER uploading a file.  The file does upload and the file content is good, but I get the following notification error.

Failed to upload to C:\PHP\TEST. Error: QueryCache: Unable to refresh data; call createObservable() and fetch() first.

Cursory search shows not much info out there.  A couple GitHub repos with JSON file this string belongs in and some stuff for Excel / SQL linking.

When in doubt, procmon reboot.

Well, that didn’t work.  But uploads work, and I guess that’s good enough for Government work.

Ah wait.  I had a look at that error message again and it seemed “webbrowserish” (like jQuery or something) so I restarted my browser and I no longer get that error.

Success.

How to Join a Debian Linux Server to a Windows Domain

I’ve added a few servers to a test Windows domain and some of those servers include Debian Linux operating systems. Here are the basic steps on joining a Debian server to Windows Active Directory Domain and setting up domain user login on the Linux server.

I assume you have an installation of Debian up and running.  I used Debian 8 Jessie in my post.

Install Necessary Packages

$ apt-get install realmd ntp adcli sssd

Post Installation Tasks

$ mkdir -p /var/lib/samba/private
$ systemctl enable sssd

Join Domain

Make sure we can get information about the domain we want to join.

$ realm discover techish.local
techish.local
  type: kerberos
  realm-name: TECHISH.LOCAL
  domain-name: techish.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

All looks good, now join.

$ realm join --user=administrator techish.local
Password for administrator:
 * Installing necessary packages: samba-common-bin, sssd-tools

Start SSSD

$ systemctl start sssd

At this point, the server should be joined and we can now test authentication for users…

$ getent passwd rkreider@techish.local
rkreider@techish.local:*:485401343:485400513:Richard J. Kreider:/home/techish.local/rkreider:/bin/bash

Home Directory Setup

$ echo session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 | tee -a /etc/pam.d/common-session

Local Admin Privileges

Think Domain Admin on a Windows PC, but for Linux – sudo.

On Debian 8.6, this was installed when sssd was installed – but, just to make sure:

$ apt-get install libsss-sudo
$ echo '%domain\ admins@techish.local ALL= ALL' | tee -a /etc/sudoers.d/domain_admins
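
A syntax error in any file under /etc/sudoers.d makes sudo refuse to run, and a group name containing a space has to be written with the space backslash-escaped. The following added example (not part of the original post; the function names are hypothetical) builds the rule for the group used above, checks it with visudo -cf, and only then installs it with mode 0440.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the group, the rule and the drop-in path are the ones used in the post.

# Build a sudoers rule for an AD group. sudoers treats a space as a field
# separator and a backslash as an escape, so both are escaped in the name.
sudoers_group_rule() {
    escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g')
    printf '%%%s ALL=ALL\n' "$escaped"
}

# Validate the rule with visudo before it can affect sudo, then install it
# root-owned with mode 0440. Run as root.
install_sudoers_dropin() {
    group=$1
    dest=$2
    case "${dest##*/}" in
        *.*|*~) echo "sudo skips drop-in names containing '.' or ending in '~'" >&2
                return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sudoers_group_rule "$group" > "$tmp"
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "visudo rejected the rule; $dest left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$dest"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Usage on the joined server (as root):
#   install_sudoers_dropin 'domain admins@techish.local' /etc/sudoers.d/domain_admins
#   sudo -l -U rkreider@techish.local    # confirm the rule applies to a domain admin
```
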

Logging in as Domain User

login as: techish\rkreider
techish\rkreider@debian's password:
rkreider@techish.local@debian:~$

Windows Server 2012 Weekend Reading…

Interested in the next Windows Server release?  Windows Server 2012 RC is available for download as well as an ebook (PDF) introduction to Windows Server 2012 and a whitepaper from Microsoft for free.

Lots of reading to do this weekend.  Yippee!

http://www.microsoft.com/en-us/server-cloud/new.aspx

Intro to Windows Server 2012:  http://go.microsoft.com/FWLink/?Linkid=251464 (17MB – PDF)

 
 

Download Windows Server 2012 RC: http://technet.microsoft.com/en-US/evalcenter/hh670538.aspx?ocid=&wt.mc_id=TEC_108_1_33  (ISO or VHD)

 

 

Windows Server 2012 Technical Whitepaper: Download Direct Link  (2MB – PDF)