Closed nhasanit closed 7 years ago
Error 1 - can you please check the windows event viewer and look for any events related to ASP.NET as the source? Paste the error here so we can get some more info on what's causing the 500 error.
Error 2 - Try running the following command on the target host (i.e. the one you are connecting to with orchestrator). In a production environment you should use the explicit IP of the Orchestrator server instead of the * wildcard.
winrm set winrm/config/client @{TrustedHosts="*"}
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 4/5/2017 4:43:01 PM
Event time (UTC): 4/5/2017 8:43:01 PM
Event ID: f72dab1d33d646009fc821add497a4bb
Event sequence: 105
Event occurrence: 5
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT-1-131358951512286501
Trust level: Full
Application Virtual Path: /
Application Path: C:\Inetpub\Falcon Orchestrator\
Machine name: Redacted
Process information:
Process ID: 6580
Process name: w3wp.exe
Account name: IIS APPPOOL\FalconOrchestrator
Exception information:
Exception type: FileNotFoundException
Exception message: Could not find file 'C:\Inetpub\Falcon Orchestrator\App_Data\Artifacts\401-3.htm.zip'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileInfo.get_Length()
at FalconOrchestratorWeb.Areas.Forensics.Controllers.FileExtractionController.DownloadFile(String fileName) in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.Web\Areas\Forensics\Controllers\FileExtractionController.cs:line 52
at lambda_method(Closure , ControllerBase , Object[] )
at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.1.<BeginSynchronous>b__7(IAsyncResult _)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.1.End()
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.1.End()
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Request information:
Request URL: http://(IPADDRESS REDACTED)/forensics/file-extraction/downloadfile?fileName=401-3.htm
Request path: /forensics/file-extraction/downloadfile
User host address: (IPADDRESS REDACTED)
User: BDBC_NT(Username Redacted)
Is authenticated: True
Authentication Type: Negotiate
Thread account name: IIS APPPOOL\FalconOrchestrator
Thread information:
Thread ID: 43
Thread account name: IIS APPPOOL\FalconOrchestrator
Is impersonating: False
Stack trace:
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileInfo.get_Length()
at FalconOrchestratorWeb.Areas.Forensics.Controllers.FileExtractionController.DownloadFile(String fileName) in C:\Orchestrator\falcon-orchestrator\FalconOrchestrator.Web\Areas\Forensics\Controllers\FileExtractionController.cs:line 52
at lambda_method(Closure , ControllerBase , Object[] )
at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.1.<BeginSynchronous>b__7(IAsyncResult _)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.1.End()
at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.1.End()
at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult)
at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar)
at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End()
at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
When I run the powershell command I get an error:
PS C:\Windows\system32> winrm set winrm/config/client @{TrustedHosts="*"}
Error: Invalid use of command line. Type "winrm -?" for help.
PS C:\Windows\system32>
I missed the single quotes on that command; it should be winrm set winrm/config/client '@{TrustedHosts="*"}'.
Looks like the file 401-3.htm doesn't actually exist in the C:\Inetpub\Falcon Orchestrator\App_Data\Artifacts directory since the upload wasn't successful. Are there any other errors present aside from that one in the event viewer?
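The trace above fails inside FileInfo.Length because the download action asks for the size of an artifact that was never written. The controller below is an added illustration, not Falcon Orchestrator's own FileExtractionController: the action name, the fileName query parameter, the App_Data\Artifacts directory and the ".zip" suffix are taken from the trace in this thread, while the ResolveArtifact helper, the content type and the namespace are assumptions. It shows the defensive shape a download endpoint should have: accept only a bare file name, confine the resolved path to the artifacts directory, and turn a missing artifact into a 404 instead of an unhandled exception that surfaces as a 500 and an ASP.NET 3005 event.

```csharp
using System;
using System.IO;
using System.Web.Mvc;

namespace Example.Areas.Forensics.Controllers
{
    // Illustrative controller (assumed), not the project's code. Only the action
    // name, fileName parameter, Artifacts directory and ".zip" suffix come from
    // the stack trace in this thread.
    public class FileExtractionController : Controller
    {
        // Resolves a client-supplied artifact name to its zipped file under
        // artifactsDir. Returns null when the name is not a bare file name, when
        // the normalised path escapes the directory, or when the file is absent.
        internal static FileInfo ResolveArtifact(string artifactsDir, string fileName)
        {
            if (string.IsNullOrWhiteSpace(fileName))
                return null;

            // Reject separators, drive colons, wildcards and control characters up
            // front so that Path.GetFileName / Path.Combine cannot throw on them.
            if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
                return null;

            // Only a bare name is acceptable: no directory component, no "." or "..".
            if (fileName != Path.GetFileName(fileName) || fileName == "." || fileName == "..")
                return null;

            string root = Path.GetFullPath(artifactsDir)
                              .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
            string candidate = Path.GetFullPath(Path.Combine(root, fileName + ".zip"));

            // Belt and braces: the normalised path must still sit inside the root.
            if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return null;

            var info = new FileInfo(candidate);
            return info.Exists ? info : null;
        }

        public ActionResult DownloadFile(string fileName)
        {
            FileInfo artifact = ResolveArtifact(Server.MapPath("~/App_Data/Artifacts"), fileName);

            // An upload that never completed is a 404 for the caller, not a 500 and
            // an unhandled FileNotFoundException in the event log.
            if (artifact == null)
                return HttpNotFound();

            // Exists has been confirmed, so Length cannot throw here the way it did
            // at FileExtractionController.cs:line 52 in the trace.
            Response.AppendHeader("Content-Length", artifact.Length.ToString());
            return File(artifact.FullName, "application/zip", artifact.Name);
        }
    }
}
```

ResolveArtifact is kept static and free of HttpContext so it can be unit-tested against a temporary directory: a name such as "401-3.htm" with no matching 401-3.htm.zip returns null, as does any name containing a path separator, and only a name whose zipped file exists under the directory yields a FileInfo. The prefix comparison uses OrdinalIgnoreCase because NTFS paths are case-insensitive.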
The only other event I see that is related to that seems to be this one:
Event code: 4011
Event message: An unhandled access exception has occurred.
Event time: 4/5/2017 4:38:16 PM
Event time (UTC): 4/5/2017 8:38:16 PM
Event ID: 1fb0d786586f4e8999cea01bc03d36d8
Event sequence: 69
Event occurrence: 2
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT-1-131358951512286501
Trust level: Full
Application Virtual Path: /
Application Path: C:\Inetpub\Falcon Orchestrator\
Machine name: Redacted
Process information:
Process ID: 6580
Process name: w3wp.exe
Account name: IIS APPPOOL\FalconOrchestrator
Request information:
Request URL: http://(Redacted)/forensics/file-extraction/receiver
Request path: /forensics/file-extraction/receiver
User host address: (Redacted)
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\FalconOrchestrator
Custom event details:
Yup, that's the right one... not much info in the exception though. Did you set up the permissions for the Artifacts directory as outlined below?
https://github.com/CrowdStrike/falcon-orchestrator/wiki/Installation-&-Deployment#file-permissions
I think so. This is what the Artifacts folder permissions look like:
Cancel that. I made a change on permissions and it works now. I think something was hung. Thanks!
Glad to hear you got it sorted! Going to close this ticket. If you have any other issues/questions feel free to open a new one. Cheers!
I am having issues using only the File Extraction forensic tool. If I try to extract a file from a remote host using the hostname I get:
• Exception calling "UploadFile" with "2" argument(s): "The remote server returned an error: (500) Internal Server Error."
If I try to extract using the IP address as the computer, I get:
• Connecting to remote server 10.XX.XXX.XXX failed with the following error message : The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
I have tried accessing the console via the IP address and via the hostname. I have tried accessing the portal remotely as well as on the server that it sits on. All other forensics tools work so I don't believe this is firewall related.