IIS 7: The Administrator’s Guide Alexis Eller Program Manager Microsoft Corporation

IIS 6 Request Processing
  • Monolithic implementation: install or nothing…
  • Extend server functionality only through ISAPI…
  [Pipeline diagram labels: Authentication (NTLM, Basic, Anon, …); Determine Handler; CGI; Static File; ASP.NET; ISAPI; …; Send Response; Log; Compress; PHP]

IIS 7 Request Processing
  • Server functionality is split into ~40 modules...
  • Modules plug into a generic request pipeline…
  • Modules extend server functionality through a public module API.
  [Pipeline diagram labels: Authentication (NTLM, Basic, Anon, …); Authorization; ResolveCache; Determine Handler; ExecuteHandler; CGI; Static File; ISAPI; …; UpdateCache; SendResponse; Log; Compress]

Many, Many Modules
  • Install, manage, and patch only the modules you use…
  • Reduces attack surface
  • Reduces in-memory footprint
  • Provides fine-grained control… replace core server components with custom components…

Installing IIS 7

Consistently install the same set of modules…
  • Avoid:
  • 503 “Service Unavailable” [module is enabled but not installed]
  • Application doesn’t work as expected [web.config references a module that isn’t installed] [unexpected module conflicts with custom module]

IIS 6 ASP.NET Integration
  • Runtime limitations
  • Only sees ASP.NET requests
  • Feature duplication
  [Pipeline diagram labels: Authentication (NTLM, Basic, Anon, …); Determine Handler; CGI; Static File; ISAPI; aspnet_isapi.dll; Send Response; Log; Compress; Authentication (Forms, Windows, …); Map Handler; ASPX; Trace; …]

IIS 7 ASP.NET Integration
  • Two modes:
  • Classic Mode (runs as ISAPI)
  • Integrated Mode
  • .NET modules / handlers plug directly into pipeline
  • Process all requests
  • Full runtime fidelity
  [Pipeline diagram labels: Authentication (Basic, Anon, Forms, Windows, …); Authorization; ResolveCache; Map Handler; ExecuteHandler; Static File; ISAPI; aspnet_isapi.dll; ASPX; Trace; UpdateCache; SendResponse; Compress; Log; …]

Migrating to Integrated ASP.NET

Replicate Content and Config
  • Main IIS configuration file (applicationHost.config)
  • Built-in “IUSR” account, no more machine-specific SIDs
  • Simple file copy, no command line tools required
  • …watch for machine-specific data like IPs and drive letters
  • IIS config: web.config, XCOPY with application

Centralize Content and Config
  • IIS config: web.config, centralize on file server
  • File System:
  • Client Side Caching (CSC) provides a local disk cache
  • Distributed File System Replication (DFSR) abstracts multiple file servers to one share name, provides content replication

Configuration moves to .config files…
  • Configure IIS and ASP.NET properties in the same file
  • Use locking to provide delegation
  • Built for simple, schema-based extensibility
  • …welcome to a world of xcopy deployment…

Configuration Layout
  • Inheritance…
  [Diagram labels: IIS + ASP.NET + .NET Framework; ASP.NET; applicationHost.config; .NET Framework; web.config; root web.config; machine.config; root configuration files; web.config files]

Configuration Delegation is:
  • Configuration locking, “overrideMode”
  • ACLs on configuration files
  • By default… all IIS sections locked except: Default Document, Directory Browsing, HTTP Header, HTTP Redirects
  • All .NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy…
  • Be conservative at first
  • Unlock as necessary (locking later could break apps)

Compatibility: ABO Mapper
  • Provides compatibility for: scripts, command line tools, native calls into ABO
  • Not installed by default
  • Can only do what IIS 6 could do…
  • Can’t read/write new IIS properties: Application Pools (managedPipelineMode, managedRuntimeVersion), Request Filtering, Failed Request Tracing
  • Can’t read/write ASP.NET properties
  • Can’t read/write web.config files
  • Can’t access new runtime data, e.g. worker processes, executing requests
  [Diagram labels: IIS 6 ADSI Script; IISADMIN; ABOMapper; applicationHost.config]

Management Tools
  • GUI: IIS Manager
  • Command Line: appcmd
  • Script: WMI (root\WebAdministration)
  • Managed Code: Microsoft.Web.Administration
  • Manage IIS and ASP.NET
  • View enhanced runtime data: worker processes, appdomains, executing requests
  • Manage delegation
  • Use whichever management tool suits your needs…

IIS Manager
  • Remotes over HTTP, making it firewall friendly (remoting is not installed by default)
  • Provides managed extensibility
  • Supports non-admin management of sites and applications

Educate end users who publish their application and use IIS Manager to configure it…
  • Scenario:
  • User publishes application
  • User changes app’s web.config using IIS Manager
  • User copies updated web.config to his local version of the application
  • Several days later, user re-publishes application
  • ** modifications made to the app’s web.config using IIS Manager have just been blown away **

Appcmd – Listing and Filtering

    C:\> appcmd list sites
    SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
    "Site 1" (id:2,bindings:http/*:81:,state:Started)
    "Site 2" (id:3,bindings:http/*:82:,state:Stopped)

    C:\> appcmd list requests
    REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)

    C:\> appcmd list requests /apppool.name:DefaultAppPool
    C:\> appcmd list requests /wp.name:3567
    C:\> appcmd list requests /site.id:1

  • Filter results by application pool, worker process, or site

appcmd

Scripting: IIS 6 WMI Provider
  [Slide callouts: NOT CONSISTENT; Create Site; Create Virtual Directory; Create Application]

    Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

    ' Create binding for new site
    Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
    oBinding.IP = ""
    oBinding.Port = "80"
    oBinding.Hostname = "www.site.com"

    ' Create site and extract site name from return value
    Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
    strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
    Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
    objPath.Path = strSiteName
    strSitePath = objPath.Keys.Item("")
    Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
    oSite.Start

    ' Create the vdir for our application
    Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
    oVDirSetting.Name = strSitePath & "/ROOT/bar"
    oVDirSetting.Path = "C:\inetpub\bar"
    oVDirSetting.Put_

    ' Make the VDir an application
    Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
    oVDir.AppCreate2 1

Scripting: new WMI Provider
  [Slide callouts: CONSISTENT; Static Create methods]

    Set oService = GetObject("winmgmts:root\WebAdministration")

    ' Create binding for site
    Set oBinding = oService.Get("BindingElement").SpawnInstance_
    oBinding.BindingInformation = "*:80:www.site.com"
    oBinding.Protocol = "http"

    ' Create site
    oService.Get("Site").Create _
        "NewSite", array(oBinding), "C:\inetpub\wwwroot"

    ' Create application
    oService.Get("Application").Create _
        "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

WMI – Unloading AppDomains
  • …through script
  • …through PowerShell

Coding: Microsoft.Web.Administration

    using System;
    using Microsoft.Web.Administration;

    // List every worker process and the requests it is currently executing.
    ServerManager iisManager = new ServerManager();
    foreach (WorkerProcess w3wp in iisManager.WorkerProcesses) {
        Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
        foreach (Request request in w3wp.GetRequests(0)) {
            Console.WriteLine("{0} - {1},{2},{3}",
                request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState);
        }
    }

New Troubleshooting Features
  • Detailed custom errors, just like ASP.NET
  • Failed Request Tracing: no more ETW tracing and waiting for a repro…
  • New runtime data: worker processes, appdomains, currently executing requests

Failed Request Tracing
  • No-repro tracing for “failed requests”
  • Configure custom failure definitions per URL: time taken, status/substatus codes, error level
  • Persist failure log files
  • Will it tell me what’s wrong? Sometimes… for example, ACL issues
  • Look for clues
  • Can use for all requests to see what’s going on

Failed Request Tracing

Summary
  • Deploy… ~40 modules, install only what you need; migrate to ASP.NET Integrated Mode; easier centralization/replication
  • Manage… manage IIS and ASP.NET through the same tools; use ABO Mapper compatibility (not installed by default); determine configuration lockdown policy
  • Troubleshoot… use: Detailed Errors, Failed Request Tracing, Currently Executing requests

alexise@microsoft.com

New home for IIS Community!
  • TechCenter to easily find the info you need
  • Advice and assistance in Forums
  • Insider info on new technology (IIS 7!)
  • Online labs, play with IIS 7 in your browser

Some upcoming IIS sessions…
  Today
  • 3:15 – 4:30 Chalktalk: Configuration Management of Web Platform
  Tomorrow
  • 8:30 – 9:45 IIS 7: Under the Hood for Web Request Tracing
  • 10:15 – 11:30 Chalktalk: Using Managed Code to Administer IIS 7
  • 1:00 – 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7
  • 2:45 – 4:00 IIS 6: Effective Management of Web Farms
  • 4:30 – 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM
  Wednesday
  • 8:30 – 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7
  • 2:00 – 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight
  • 4:45 – 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit
  • 5:30 – 6:45 Chalktalk: IIS 7 Q&A

Fill out a session evaluation on CommNet and Win an XBOX 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Additional Information

Installation Options
  • Lots of components
  • Static server by default
  • [client] Use Windows Features
  • Replaces sysocmgr
  • File format is completely different
  • [client] Pick components, cannot set configuration

Install, Migration, Upgrade
  • Install log: Windows\IIS7.log
  • Uninstall: stop services to avoid a reboot; deletes configuration files, backup before uninstall
  • Migration: none for Vista, LH Server TBD…
  • Upgrade: all web and/or FTP components are installed, uninstall unnecessary components afterwards…
  • Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail

ASP.NET: Migration
  • Application Pools: ASP.NET Integrated mode by default; configure to load a specific version of the .NET Framework
  • Integrated Mode:
  • Different server environment for some pipeline notifications, e.g. request is not authenticated for BeginRequest
  • Handler and module configuration integrated with IIS: system.webServer/handlers, system.webServer/modules
  • Validation warns on httpHandlers, httpModules, or identity config
  • Remove “managedHandler” precondition on an ASP.NET module to have it execute for all content
  • ISAPI Mode: can’t configure HTTP handlers and modules from the UI

Replicating applicationHost.config
  • Will cause all application pools to recycle: changes to default settings for all application pools; changes to the <globalModules> list
  • Will cause one application pool to recycle: application pool settings
  • Use only RSA machine-encryption (default), replicate RSA machine key: http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
  • Gotchas: machine-specific data, like IP addresses or drive letters; servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503s)
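
Added example (not from the original deck): a pre-replication check for the two gotchas on this slide. It compares the <globalModules> lists of two applicationHost.config files and flags IP-bound bindings and drive-letter paths. The sample XML is constructed, and the check assumes the target's current config lists exactly the modules installed there.

```python
import re
import xml.etree.ElementTree as ET

def global_modules(config_xml):
    """Module names listed in <globalModules>."""
    root = ET.fromstring(config_xml)
    return {a.get("name") for g in root.iter("globalModules") for a in g.findall("add")}

def module_drift(source_xml, target_xml):
    """(modules the target lacks, modules only the target has)."""
    src, dst = global_modules(source_xml), global_modules(target_xml)
    return sorted(src - dst), sorted(dst - src)

def machine_specific(config_xml):
    """Bindings pinned to an IP address and paths pinned to a drive letter."""
    root = ET.fromstring(config_xml)
    hits = []
    for b in root.iter("binding"):
        # bindingInformation is "ip:port:host"; split from the right so a
        # bracketed IPv6 address stays in one piece.
        ip = b.get("bindingInformation", "").rsplit(":", 2)[0]
        if ip not in ("", "*"):
            hits.append(("ip", ip))
    for v in root.iter("virtualDirectory"):
        path = v.get("physicalPath", "")
        if re.match(r"[A-Za-z]:\\", path):  # %SystemDrive%-style paths pass
            hits.append(("drive", path))
    return hits

# Constructed samples, trimmed to the elements these checks read.
SOURCE = r"""<configuration>
  <system.applicationHost><sites>
    <site name="Site 1" id="2">
      <application path="/">
        <virtualDirectory path="/" physicalPath="D:\sites\site1" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="192.0.2.10:81:" />
        <binding protocol="http" bindingInformation="*:82:www.site.com" />
      </bindings>
    </site>
  </sites></system.applicationHost>
  <system.webServer><globalModules>
    <add name="StaticFileModule" /><add name="RequestFilteringModule" />
  </globalModules></system.webServer>
</configuration>"""
TARGET = r"""<configuration><system.webServer><globalModules>
    <add name="StaticFileModule" /><add name="CgiModule" />
</globalModules></system.webServer></configuration>"""

if __name__ == "__main__":
    missing, extra = module_drift(SOURCE, TARGET)
    print("target lacks (503 risk):", missing, "| target only:", extra)
    print("machine-specific values:", machine_specific(SOURCE))
```
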

Configuration Delegation
  • Two kinds of configuration locking: overrideMode (similar to "allowOverride"); granular locking, e.g. lockItem, lockElements
  • By default… all IIS sections locked (overrideMode=“Deny”) except: Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation
  • All .NET Framework / ASP.NET sections are unlocked
  • Determine your configuration lockdown policy: be conservative at first, unlock as necessary (locking later could break apps)
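
Added example (not from the original deck): an audit of which sections an applicationHost.config leaves unlocked, either through overrideModeDefault in <configSections> or through a <location overrideMode="Allow"> tag, compared against the default-unlocked list on this slide. The section names mapped to that list, the treatment of a missing attribute, and the sample XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed section names for the slide's default-unlocked list.
BASELINE = {"system.webServer/" + s for s in (
    "defaultDocument", "directoryBrowse", "httpProtocol", "httpRedirect", "validation")}

def declared(node, prefix=""):
    """Walk <configSections>: yield (section path, overrideModeDefault)."""
    for child in node:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from declared(child, path + "/")
        elif child.tag == "section":
            yield path, child.get("overrideModeDefault", "Allow")  # assumption: absent = Allow

def element_paths(node, prefix=""):
    """Yield the slash-joined tag path of every element below node."""
    for child in node:
        yield prefix + child.tag
        yield from element_paths(child, prefix + child.tag + "/")

def unlocked(config_xml):
    """Map each unlocked section to where it is unlocked."""
    root = ET.fromstring(config_xml)
    modes = dict(declared(root.find("configSections")))
    found = {p: ["(default)"] for p, m in modes.items() if m == "Allow"}
    for loc in root.iter("location"):
        if loc.get("overrideMode") == "Allow":
            for p in element_paths(loc):
                if p in modes:
                    found.setdefault(p, []).append(loc.get("path", ""))
    return found

def outside_policy(config_xml, baseline=BASELINE):
    """Unlocked sections that the lockdown policy does not list."""
    return {p: w for p, w in unlocked(config_xml).items() if p not in baseline}

# Constructed sample, trimmed to the elements this audit reads.
SAMPLE = """<configuration><configSections>
  <sectionGroup name="system.webServer">
    <section name="defaultDocument" overrideModeDefault="Allow" />
    <section name="handlers" overrideModeDefault="Deny" />
    <section name="serverSideInclude" />
    <sectionGroup name="security">
      <section name="requestFiltering" overrideModeDefault="Deny" />
    </sectionGroup>
  </sectionGroup>
</configSections>
<location path="Site 1" overrideMode="Allow">
  <system.webServer><security><requestFiltering /></security></system.webServer>
</location></configuration>"""

if __name__ == "__main__":
    print(outside_policy(SAMPLE))
```
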

Configuration Schema
  • Use the schema file to see all config settings: %windir%\system32\inetsrv\config\schema\IIS_schema.xml
  • Schema describes: property types, default values, validation, encrypted by default?
  • Note: config is case sensitive

Appcmd – Viewing Config Schema

    C:\> appcmd list config /section:? | findstr system.webServer
    system.webServer/globalModules
    system.webServer/serverSideInclude
    system.webServer/httpTracing
    ...

  • IIS sections – also try “system.web” and “system.applicationHost”

    C:\> appcmd list config /section:directoryBrowse
    <system.webServer>
      <directoryBrowse enabled="true" />
    </system.webServer>

    C:\> appcmd list config /section:directoryBrowse /config:*
    <system.webServer>
      <directoryBrowse enabled="true" showFlags="Extension, Size, Time, Date" />
    </system.webServer>

  • Shows attributes that aren’t set explicitly

    C:\> appcmd list config /section:directoryBrowse /text:*
    CONFIG.SECTION: system.webServer/directoryBrowse
    path: MACHINE/WEBROOT/APPHOST
    overrideMode: Inherit
    [system.webServer/directoryBrowse]
      enabled:"true"
      showFlags:"Extension, Size, Time, Date"

Coding: Microsoft.Web.Administration
  • First managed code API for administering IIS
  • Same objects and functionality as WMI, appcmd
  • What about System.Configuration?
  • System.Configuration: strongly typed ASP.NET and .NET Framework config
  • Microsoft.Web.Administration: weakly typed IIS, ASP.NET, and .NET Framework config; strongly typed IIS objects like Sites and Application Pools