IIS 7: The Administrator's Guide

Uploaded by

Vasudeva Nayak
Copyright
© Attribution Non-Commercial (BY-NC)

IIS 7: The Administrator’s Guide

Alexis Eller
Program Manager
Microsoft Corporation
IIS6 Request Processing

Monolithic implementation
Install all or nothing…
Extend server functionality only through ISAPI…

[Diagram: IIS6 request pipeline. Authentication (NTLM, Basic, Anon); Determine Handler (CGI, Static File, ISAPI (ASP.NET, PHP), …); Send Response (Log, Compress)]
IIS7 Request Processing

Server functionality is split into ~ 40 modules...
Modules plug into a generic request pipeline…
Modules extend server functionality through a public module API.

[Diagram: IIS7 request pipeline. Authentication (NTLM, Basic, Anon); Authorization; ResolveCache; …; Determine Handler; ExecuteHandler (CGI, Static File, ISAPI); …; UpdateCache; SendResponse (Compress); Log]
Many, Many Modules

Install, manage, and patch only the modules you use…
Reduces attack surface
Reduces in-memory footprint
Provides fine grained control

… replace core server components with custom components…
Installing IIS7
Consistently install the same set of modules…

Avoid:
503 “Service Unavailable”
[module is enabled but not installed]
Application doesn’t work as expected
[web.config references a module that isn’t installed]
[unexpected module conflicts with custom module]
IIS6 ASP.NET Integration
Runtime limitations
Only sees ASP.NET requests
Feature duplication

[Diagram: IIS6 pipeline (Authentication: NTLM, Basic, Anon; Determine Handler: CGI, Static File, ISAPI, …; Send Response: Log, Compress) with aspnet_isapi.dll containing its own stages (Authentication: Forms, Windows, …; Map Handler: ASPX, Trace, …)]

IIS7 ASP.NET Integration
Two Modes
Classic (runs as ISAPI)
Integrated

Integrated Mode
.NET modules / handlers plug directly into pipeline
Process all requests
Full runtime fidelity

[Diagram labels: Authentication (Basic, Anon, Forms, Windows, …); Authorization; ResolveCache; …; Map Handler; ExecuteHandler (Static File, ISAPI, ASPX, Trace, …); UpdateCache; SendResponse (Compress, …); Log; aspnet_isapi.dll]
Migrating to Integrated ASP.NET
Replicate Content and Config
Main IIS configuration file (applicationHost.config)
Built-in “IUSR” account, no more machine specific SID’s
Simple file copy, no command line tools required
…watch for machine specific data like IP’s and drive letters

IIS config  web.config, XCOPY with application


Centralize Content and Config
IIS config  web.config, centralize on file server

File System:
Client Side Caching (CSC)
provides a local disk cache
Distributed File System Replication (DFSR)
abstracts multiple file servers to one share name
provides content replication
Configuration moves to .config files…

Configure IIS and ASP.NET properties in the same file
Use locking to provide delegation
Built for simple, schema-based extensibility

… welcome to a world of xcopy deployment…


Configuration Layout
Inheritance…

root configuration files:
machine.config (.NET Framework)
root web.config (ASP.NET)
applicationHost.config (IIS)

web.config files (IIS + ASP.NET + .NET Framework)


Configuration Delegation
Delegation is:
Configuration locking, “overrideMode”
ACL’s on configuration files

By default…
All IIS sections locked except:
Default Document
Directory Browsing
HTTP Header
HTTP Redirects
All .NET Framework / ASP.NET sections are unlocked
Determine your configuration lockdown policy…

Be conservative at first
Unlock as necessary (locking later could break apps)
Compatibility: ABO Mapper
Provides compatibility for:
scripts
command line tools
native calls into ABO
Not installed by default
Can only do what IIS6 could do…
Can’t read/write new IIS properties
Application Pools: managedPipelineMode, managedRuntimeVersion
Request Filtering
Failed Request Tracing
Can’t read/write ASP.NET properties
Can’t read/write web.config files
Can’t access new runtime data, e.g. worker processes, executing requests

[Diagram labels: IIS6 ADSI Script, IISADMIN, ABOMapper, applicationHost.config]
Management Tools
GUI: IIS Manager
Command Line: appcmd
Script: WMI (root\WebAdministration)
Managed Code: Microsoft.Web.Administration

Manage IIS and ASP.NET
View enhanced runtime data
worker processes, appdomains, executing requests
Manage delegation
Use whichever management tool suits your needs…
IIS Manager

Remotes over HTTP, making it firewall friendly


(remoting is not installed by default)
Provides managed extensibility
Supports non-admin management of sites and applications
Educate end users who publish their application and use IIS Manager to configure it…

Scenario:
User publishes application
User changes app’s web.config using IIS Manager
User copies updated web.config to his local version of the application
Several days later, user re-publishes application
** modifications made to the app’s web.config using IIS Manager have just been blown away**
Appcmd – Listing and Filtering
C:\> appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)

C:\> appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)

Filter results by application pool, worker process, or site:
C:\> appcmd list requests /apppool.name:DefaultAppPool
C:\> appcmd list requests /wp.name:3567
C:\> appcmd list requests /site.id:1
appcmd
Scripting: IIS6 WMI Provider
NOT CONSISTENT

Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

' --- Create Site ---
' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"

' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")

Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")

Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start

' --- Create Virtual Directory ---
' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_

' --- Create Application ---
' Make the VDir an application
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2 1
Scripting: new WMI Provider
CONSISTENT

Set oService = GetObject("winmgmts:root\WebAdministration")

' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"

' --- Static Create methods ---
' Create site
oService.Get("Site").Create _
    "NewSite", array(oBinding), "C:\inetpub\wwwroot"

' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"
WMI – Unloading AppDomains
…through script
…through PowerShell
Coding: Microsoft.Web.Administration
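using System;
using Microsoft.Web.Administration;

ServerManager iisManager = new ServerManager();

// List every worker process and the requests it is currently executing
foreach(WorkerProcess w3wp in iisManager.WorkerProcesses) {
    Console.WriteLine("W3WP ({0})", w3wp.ProcessId);

    foreach(Request request in w3wp.GetRequests(0)) {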
        Console.WriteLine("{0} - {1},{2},{3}",
                    request.Url,
                    request.ClientIPAddr,
                    request.TimeElapsed,
                    request.TimeInState);
    }
}
New Troubleshooting Features

Detailed custom errors, just like ASP.NET


Failed Request Tracing
No more ETW tracing and waiting for a repro…
New runtime data:
worker processes
appdomains
currently executing requests
Failed Request Tracing
No-repro tracing for “failed requests”
Configure custom failure definitions per URL
Time taken
Status/substatus codes
Error level
Persist failure log files

Will it tell me what’s wrong?


Sometimes… for example, ACL issues
Look for clues
Can use for all requests to see what’s going on
Failed Request Tracing
Summary
Deploy…
~ 40 modules, install only what you need
Migrate to ASP.NET Integrated Mode
Easier centralization/replication
Manage…
Manage IIS and ASP.NET through the same tools
Use ABO Mapper compatibility (not installed by default)
Determine configuration lockdown policy
Troubleshoot…
Use: Detailed Errors, Failed Request Tracing, Currently Executing requests
New home for IIS Community!
TechCenter to easily find the info you need
Advice and assistance in Forums
Insider info on new technology (IIS7!)
Online labs, play with IIS7 in your browser
Some upcoming IIS sessions…
Today
3:15 – 4:30 Chalktalk: Configuration Management of Web Platform

Tomorrow
8:30 – 9:45 IIS 7: Under the Hood for Web Request Tracing
10:15 – 11:30 Chalktalk: Using Managed Code to Administer IIS 7
1:00 – 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7
2:45 – 4:00 IIS 6: Effective Management of Web Farms
4:30 – 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM

Wednesday
8:30 – 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7
2:00 – 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight
4:45 – 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit
5:30 – 6:45 Chalktalk: IIS 7 Q&A
Fill out a session evaluation on CommNet and Win an XBOX 360!
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Additional Information
Installation Options

• Lots of components
• Static server by default
• [client] Use Windows Features
• Replaces sysocmgr
• File format is completely different
• [client] Pick components, cannot set configuration
Install, Migration, Upgrade
Install log: \Windows\IIS7.log
Uninstall
Stop services to avoid a reboot
Deletes configuration files, backup before uninstall
Migration: none for Vista, LH Server TBD…
Upgrade
All web and/or FTP components are installed, uninstall
unnecessary components afterwards…
Application pools will be ISAPI mode, configured for no
managed code => all ASP.NET requests will fail
ASP.NET: Migration
Application Pools
ASP.NET Integrated mode by default
Configure to load a specific version of the .NET Framework

Integrated Mode
Different server environment for some pipeline notifications
e.g. request is not authenticated for BeginRequest
Handler and module configuration integrated with IIS
system.webServer/handlers, system.webServer/modules
Validation warns on httpHandlers, httpModules, or identity config
Remove “managedHandler” precondition on an ASP.NET module to
have it execute for all content
ISAPI Mode
Can’t configure HTTP handlers and modules from the UI
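
A pre-migration check for the Integrated mode points above, as an added example that is not part of the original deck: it lists the system.web entries that validation warns about and the modules that still carry the "managedHandler" precondition, which therefore do not run for non-managed content such as static files. The function name, the sample web.config and the Contoso.AuditModule type are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config; the AuditModule name and type are made up.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <identity impersonate="true" />
    <httpModules>
      <add name="AuditModule" type="Contoso.AuditModule" />
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="managedHandler" />
      <add name="AuditModule" type="Contoso.AuditModule" />
    </modules>
  </system.webServer>
</configuration>"""

def integrated_mode_findings(web_config_xml):
    """Return (legacy, managed_only) for one web.config (hypothetical helper)."""
    root = ET.fromstring(web_config_xml)
    legacy = []
    # Classic-style sections that Integrated mode validation warns about.
    for section in ("httpModules", "httpHandlers"):
        for add in root.findall(f"system.web/{section}/add"):
            label = add.get("name") or add.get("path")
            legacy.append(f"system.web/{section}: {label}")
    identity = root.find("system.web/identity")
    if identity is not None and identity.get("impersonate", "").lower() == "true":
        legacy.append("system.web/identity: impersonate=true")
    # Modules limited to managed content by the managedHandler precondition.
    managed_only = []
    for add in root.findall("system.webServer/modules/add"):
        conditions = [c.strip() for c in add.get("preCondition", "").split(",")]
        if "managedHandler" in conditions:
            managed_only.append(add.get("name"))
    return legacy, managed_only

if __name__ == "__main__":
    print(integrated_mode_findings(SAMPLE_WEB_CONFIG))
```

An authentication module in the second list is the one to review first when static files are expected to sit behind the same login as the pages.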
Replicating applicationHost.config
Will cause all application pools to recycle:
changes to default settings for all application pools
changes to the <globalModules> list
Will cause one application pool to recycle:
application pool settings
Use only RSA machine-encryption (default), replicate RSA machine key
http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx

Gotcha's:
Machine specific data, like IP addresses or drive letters
Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503's)
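
The two gotchas above can be checked before the file is copied. The following is an added example, not from the original deck: it reads a source server's applicationHost.config, reports <globalModules> entries the target does not have, and flags bindings tied to a literal IP address and paths that start with a drive letter. The function name and the sample configuration are constructed; the set of modules on the target is assumed to come from the target's own <globalModules> list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment from a "source" server.
SOURCE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Site1" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\site1" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="10.0.0.5:81:" />
          <binding protocol="http" bindingInformation="*:82:www.site.com" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CustomAuthModule" image="D:\modules\customauth.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")

def replication_findings(config_xml, modules_on_target):
    """Return (missing_modules, machine_specific) before copying a config."""
    root = ET.fromstring(config_xml)
    missing, specific = [], []
    for add in root.findall("system.webServer/globalModules/add"):
        if add.get("name") not in modules_on_target:
            missing.append(add.get("name"))  # would surface as 503s on the target
        if DRIVE_PATH.match(add.get("image", "")):
            specific.append(f"module image {add.get('image')}")
    for site in root.findall("system.applicationHost/sites/site"):
        for binding in site.findall("bindings/binding"):
            info = binding.get("bindingInformation", "")
            if info.rsplit(":", 2)[0] not in ("", "*"):  # IP:port:host
                specific.append(f"{site.get('name')} binding {info}")
        for vdir in site.iter("virtualDirectory"):
            path = vdir.get("physicalPath", "")
            if DRIVE_PATH.match(path):
                specific.append(f"{site.get('name')} path {path}")
    return missing, specific
```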
Configuration Delegation
Two kinds of configuration locking:
overrideMode (similar to "allowOverride")
granular locking, e.g. lockItem, lockElements
By default…
All IIS sections locked (overrideMode=“Deny”) except:
Default Document, Directory Browsing, HTTP Header, HTTP
Redirects, Validation
All .NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy


be conservative at first
unlock as necessary (locking later could break apps)
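
To review a lockdown policy against the defaults listed above (this also covers the earlier Configuration Delegation slide), the following added example, which is not part of the original deck, reports every section that applicationHost.config leaves open to lower-level web.config files beyond that default list, whether through overrideModeDefault on the section definition or through a location tag with overrideMode="Allow". The mapping from the slide's feature names to section paths, the function names and the sample fragment are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Sections the slide lists as unlocked by default; mapping the slide's feature
# names to these section paths is an assumption of this example.
DEFAULT_UNLOCKED = {
    "system.webServer/defaultDocument", "system.webServer/directoryBrowse",
    "system.webServer/httpProtocol", "system.webServer/httpRedirect",
    "system.webServer/validation",
}

# Constructed applicationHost.config fragment.
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="asp" overrideModeDefault="Deny" />
      <section name="handlers" overrideModeDefault="Allow" />
      <sectionGroup name="security">
        <section name="requestFiltering" overrideModeDefault="Deny" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Site1" overrideMode="Allow">
    <system.webServer><security><requestFiltering /></security></system.webServer>
  </location>
</configuration>"""

def walk_sections(group, prefix=""):
    """Yield (section path, overrideModeDefault) from nested sectionGroups."""
    for child in group:
        name = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from walk_sections(child, name + "/")
        elif child.tag == "section":
            # An absent attribute is treated as Allow here.
            yield name, child.get("overrideModeDefault", "Allow")

def delegated_beyond_default(config_xml):
    """Return sorted sections unlocked beyond the slide's default list."""
    root = ET.fromstring(config_xml)
    declared = dict(walk_sections(root.find("configSections")))
    extra = [p for p in declared if p not in DEFAULT_UNLOCKED]
    found = {f"{p} (overrideModeDefault)" for p in extra if declared[p] == "Allow"}
    for loc in root.findall("location"):
        if loc.get("overrideMode") == "Allow":
            path = loc.get("path")
            found |= {f"{p} (location {path})" for p in extra if loc.find(p) is not None}
    return sorted(found)
```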
Configuration Schema

Use the schema file to see all config settings:


%windir%\system32\inetsrv\config\schema\IIS_schema.xml

Schema describes:
property types
default values
validation
encrypted by default?

note: config is case sensitive


Appcmd – Viewing Config Schema
C:\> appcmd list config /section:? | findstr system.webServer
system.webServer/globalModules
system.webServer/serverSideInclude
system.webServer/httpTracing
...
IIS sections – also try “system.web” and “system.applicationHost”

C:\> appcmd list config /section:directoryBrowse
<system.webServer>
  <directoryBrowse enabled="true" />
</system.webServer>

C:\> appcmd list config /section:directoryBrowse /config:*
<system.webServer>
  <directoryBrowse enabled="true" showFlags="Extension, Size, Time, Date" />
</system.webServer>
Shows attributes that aren’t set explicitly

C:\> appcmd list config /section:directoryBrowse /text:*
CONFIG
  CONFIG.SECTION: system.webServer/directoryBrowse
  path: MACHINE/WEBROOT/APPHOST
  overrideMode: Inherit
  [system.webServer/directoryBrowse]
    enabled:"true"
    showFlags:"Extension, Size, Time, Date"
Coding: Microsoft.Web.Administration
First managed code API for administering IIS
Same objects and functionality as WMI, appcmd

What about System.Configuration?


System.Configuration:
Strongly typed ASP.NET and .NET Framework config
Microsoft.Web.Administration:
Weakly typed IIS, ASP.NET, and .NET Framework config
Strongly typed IIS objects like Sites and Application Pools
