Shadow Folders web page not working

[hutch619]

I just tried to go to the Shadow Folders page for one of my Repositories when I got the following error:


Am I supposed to directly modify the impersonation credentials in the web.config file or is there a front end provided by Fortress that I should be using to do this?

Is Fortress seriously storing these credentials in PLAIN TEXT?

[Beth]

You shouldn't need to modify credentials, and those are not in plain text (unless using impersonation). You can put them in, but let's try a few other things first.

What is the Server OS that you are using?

When you installed, which IIS Process Model did you choose? If you chose custom, did you use an Active Directory user?

Does your admin password have any special characters in it?

[Beth]

Also, which version of Fortress are you on? That can make a huge difference.

[hutch619]

You shouldn't need to modify credentials, and those are not in plain text.

I DO see that the value for the "shadowfolder_password" is encrypted (and converted to base 64) on line 142. However, the error message indicates that the credentials on line 93 is what is causing the problem. Note that the password's value is empty here. I think this is what is causing the problem. As for my concerns regarding security, I found another web.config file that is storing this same domain user's password in plain text. This file is located under the \Inetpub\wwwroot\Fortress\ directory.

What is the Server OS that you are using?

Windows Server 2003

When you installed, which IIS Process Model did you choose?

We wanted to authenticate against Active Directory so we chose the Custom process model.

If you chose custom, did you use an Active Directory user?

Yes. We used a domain user's account.

Does your admin password have any special characters in it?

Yes. Since this account requires that its password never expire we generated a strong password (using Secret Server) that was 17 characters long which happened to contain special characters.

Also, which version of Fortress are you on? That can make a huge difference.

1.1

[hutch619]

Quick Update:

I just manually put the password in the Web.config file to get this thing going. I still don't know why the password was left empty in one config file and not in the other. Anyways, I am getting the following message:

• "The Shadow Folder Service was unable to connect to the Fortress server. Please enter the login to be used by the Shadow Folder Service"

I think I saw an article about this earlier so I will get back to you once I've gone through it.

[hutch619]

I've gone through several threads now and none have seemed to correct my problem. I don't know if I am missing something here. Here is a screen shot of the current error I am getting. Also, should my VaultShadowFolder Web Application be in its own Application pool? Currently I have VaultService, Fortress and VaultShadowFolder running under the same App Pool.

[Beth]

I was thinking it needed to have the password string read as password=, but I think that's only on the vaultservice side. I think the best way to get an idea of what's going on would be to actually see your shadow folder web.config file. You can either post it here (and remove it when we're done), or you can email it to support at sourcegear.com (attn: Beth) with a link to this thread. It would also help to see a Vault Server Log.

One more thing to try. Can you login to the Vault server using the login you created for the Vault impersonation?

Then try accessing the shadow folder area again.

[Beth]

This has turned out to be a bug. We are working on a fix.

The temporary workaround is:

• 1) You will see password="", in the web.configs. Enter in password in the vaultservice web.config and the shadow folder web.config for the user that vault is running under.
  2) Check for the path C:\Program Files\Sourcegear\Vault Shadow Folder Path, and if it isn't present, manually create it.
  3) Login to the shadow page as admin

[hutch619]

You'll also want to check in the VaultShadowFolder/web.config file to make sure that the "shadowfolder_cachepath" key is NOT commented out. It should look something like this:

Code: Select all

<add key="shadowfolder_cachepath" value="c:\Program Files\Sourcegear\Vault Shadow Folder Cache" /> 

[hutch619]

Due to my security concerns about storing passwords in clear text (in the web.config file) I took a slightly different approach than what Beth outlined above. If you are running IIS 6.0 or higher than you can use specify an identity in your Vault App pool to use instead of storing the credentials in the config files. Here are the steps I took:

• 1) Go to the Identity tab in the VaultAppPool properties and select the Configurable radio option. Then enter the credentials for the Domain account you are using for impersonation.

• 2) Open up ALL 3 of the web.config files and turn impersonation off by setting the impersonate attribute in the identity tag to "false":

  Code: Select all

  <identity impersonate="false"/>

  Here is a list of the 3 config files you will need to check:
  • \Inetpub\wwwroot\Fortress\Web.config
  • \Inetpub\wwwroot\VaultService\Web.config
  • \Inetpub\wwwroot\VaultService\VaultShadowFolder\Web.config

Beth was mentioning earlier that their were some issues using passwords with special characters. I imagine it had to do with the passwords being stored in an xml file where it was not being converted to base 64. Taking the impersonation out of the config file probably means we can use special characters in our domain account's password again. I like this better than having a domain account's password that never changes and is made up of only alpha-numeric characters.

[Beth]

Thanks for posting your results.