Vulnerability in EPiServer.Forms
i´m new to EPiServer but not to the world of complicated systems. I have to move the EPiserver databases to a new SQL-server. The current one is a SQL2000 on a server 2003. The webserver is on a server 2003 as well and EPiServer is of version 4 (yes 4). The databases is moved from the old one to a new temporary SQL2008 with SP2 and then from there to a new 2012 server. All settings in EPiServer manager v.220.127.116.11 is set to the new SQL-server, no web-configs contain the old SQL-server name, the registry contains very few non-important entrys of the old-server, there are no problems connecting to the server with data sources, both with sql-login aswell as with mixed mode...
Here comes the problem. Somehow EPiServer is using the old SQL-server and as soon as i turn that of the webpage is lost with an error. Now the funny part of this is that i can change the error message by editing the connection strings in EPiServer manager, so they have some kind of connection - EPiServer and the new SQL-server. The errors i can get is "Error 500", "SQL server does not exist or access denied" and also different references to pages due to changes in the connection string.
Oh and i´m using a named instance with dynamic ports. And the firewall is configured. So my very basic question is: is there any more places i can set configuration to EPiServer or is this some kind of cached-name-crap-problem? The connection string have been changed from this:
Data Source=xxxx\xxxxx;Database=xxxxx;User Id=xxxxx;Password=xxxxxx;Network Library=DBMSSOCN;
To this for testing purpose without any luck:
Server=xxxx\xxxxx;Database=xxxxxxx;User Id=xxxxx;Password=xxxxx;" providerName="System.Data.SqlClient"
And i can mention that the webpage is up and running with all these settings pointing to the new SQL-server AND still depended on the old SQL-server to be up and running. Go figure...
I think if you are on EPi4 the connectionstring EPi uses resides in <appSettings> with name EPsConnection.
The following is if I'm wrong about v4...
Do you have a separate connectionstrings.config file?
If so you need to (unless you have specified restartOnExternalChanges="true") rewrite web.config as well after changing connectionstrings.config.
The <appSettings> in the web.config file reflects the EpiServer Manager settings, so thats all good.
I do not have a separate connectionstrings.config file that i know of. The problem is that during the last 10 years or so the system have been managaed by different companies and since we are now taking over from another supplier that have absolutely no documenation of this it´s hard to get a full picture of what they have done and not done.
If you were the one that installed this system 10 years ago and did use a separate connectionsstring.config file - where would you put it ;-)?
Thanks 4 your replay.
ConnectionStrings.config usually resides in the same folder as Web.config.
Have you tried a *.* solution search for connection string parts? It could be something hardcoded?
Do you have a stack trace of the server error?
Well, i´ve actually gone through all .config files on the server...ALL ;-). I´ve done a search for the old server name and if it resides anywhere within a file on the disks without luck.
I enabled the stack trace but it didn´t say anything. I couldn´t attach the error message but in short i says:
Page could not be loaded
The link that you.... don´t work, which can depend on temporary maintenance....
And then a box to add text to and send (somewhere)
Open web.config, set appSetting "EPsErrorHandling" to Off.
Find system.web customErrors and replace it with <customErrors mode="Off" />
This should give you more detailed error messages.
Ok, here is the error message in full:
Server Error in '/' Application.
SQL Server des not exist or access denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: SQL Server des not exist or access denied.
An unhandled exception occurred during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[SqlException: SQL Server does not exist or access denied.]
System.Data.SqlClient.ConnectionPool.CreateConnection () +402
System.Data.SqlClient.ConnectionPool.UserCreateRequest () +147
System.Data.SqlClient.ConnectionPool.GetConnection(Boolean& isInTransaction) +464
System.Data.SqlClient.SqlConnectionPoolManager.GetPooledConnection(SqlConnectionString options, Boolean& isInTransaction) +372
System.Data.SqlClient.SqlConnection.Open () +384
development.templates.Units.Intranet.__Contracts.Page_Load(Object sender, EventArgs e) +161
System.Web.UI.Control.OnLoad(EventArgs e) +67
System.Web.UI.Control.LoadRecursive () +35
System.Web.UI.Control.LoadRecursive () +98
And I really appriciate the help i get from you. This is beyond my comfort zone ;-)
I'd have a hard look at that Contracts.Page_Load method. Does it call into the database manually? It could have the connection string hard-coded. It has happened before :-)
Have you tried actually logging onto SQL Management Studio using the database name and credentials from your appsettings section?
Just so you know that the SQL instance is actually accessible and your login details are correct?
My motivation for checking this is to see whether you're actually reaching the correct database and not the old one (if connection string config is correct, it might be a network / dns / firewall routing problem..)
Well, it struck me now when you say hard-coded. Is it possible that when they setup this solution as an intranet they coded everything and then compiled it, hense the reason that i can´t find the information in windows? Do I really have to open this i Visual Studio to i e follow the DataBind??
This is strange, and it does sound like something that is in the actual web site, and not in the Episerver core stuff. On the server, locate the site on disk, from there go to "\templates\Units\Intranet\" there is probably a Contracts.ascx there. If you're lucky, there might be a Contracts.asax.cs there which you can open in notepad to check for any hardcoded values.
Most likely, there are no .cs files there, in which case you have to try locate the source code. Decompiling using a free .NET decompiler tool is also an option (but more advanced).
If the connection string is actually hardcoded, just knowing won't actually help you. You need to change it, and compile the code, which might or might not be easy since it is quite old.
Or, add the old servername used in the connectionstring in your hosts file, point it at the new server. If the database name is the same, the username and password too, it just might work. Ugly, but... well, sometimes ugly is what is needed.
You know what, i´ll try to get this to work by creating an alias in the DNS, and hope that the customer will scrap this system asap ;-). I´ll get back with the result. Thank you all so much for your help. Have a nice weekend.
I can´t say that i´m thrilled about it, but the redirection of the name and ip-address in the DNS worked like a charm ;-). I´ll go with this and concider it solved....yay :-).