IIS 7: The Administrator’s Guide
Alexis Eller
Program Manager
Microsoft Corporation
IIS6 Request Processing
[Diagram: Authentication (NTLM, Basic, Anon, …) → Determine Handler (CGI, Static File, ASP.NET, ISAPI, PHP, …) → Send Response (Log, Compress)]
Monolithic implementation
Install all or nothing…
Extend server functionality only through ISAPI…
IIS7 Request Processing
[Diagram: request pipeline stages Authentication → Authorization → ResolveCache → … → ExecuteHandler → … → UpdateCache → SendResponse, with modules attached to stages: NTLM, Basic, Anon (Authentication); CGI, Static File, ISAPI, … (Determine Handler / ExecuteHandler); Log, Compress (Send Response / SendResponse)]
Server functionality is split into ~ 40 modules...
Modules plug into a generic request pipeline…
Modules extend server functionality through a public module API.
Many, Many Modules
Install, manage, and patch only the modules you use…
Reduces attack surface
Reduces in-memory footprint
Provides fine grained control
… replace core server components with custom components…
Installing IIS7
Consistently install the same set of modules…
Avoid:
503 “Service Unavailable”
[module is enabled but not installed]
Application doesn’t work as expected
[web.config references a module that isn’t installed]
[unexpected module conflicts with custom module]
IIS6 ASP.NET Integration
[Diagram: IIS6 pipeline Authentication (NTLM, Basic, Anon, …) → Determine Handler (CGI, Static File, ISAPI, …) → Send Response (Log, Compress); the ISAPI handler hosts aspnet_isapi.dll, which runs its own pipeline: Authentication (Forms, Windows, …) → Map Handler (ASPX, Trace, …) → …]
Runtime limitations
Only sees ASP.NET requests
Feature duplication
IIS7 ASP.NET Integration
Two Modes
Classic (runs as ISAPI)
Integrated
Integrated Mode
.NET modules / handlers plug directly into pipeline
Process all requests
Full runtime fidelity
[Diagram: one pipeline Authentication → Authorization → ResolveCache → … → ExecuteHandler → … → UpdateCache → SendResponse, shared by native modules (Basic, Anon, Static File, ISAPI with aspnet_isapi.dll, Compress, Log) and ASP.NET modules / handlers (Forms, Windows, Map Handler, ASPX, Trace, …)]
Migrating to Integrated ASP.NET
Replicate Content and Config
Main IIS configuration file (applicationHost.config)
Built-in “IUSR” account, no more machine specific SID’s
Simple file copy, no command line tools required
…watch for machine specific data like IP’s and drive letters
IIS config → web.config, XCOPY with application
Centralize Content and Config
IIS config → web.config, centralize on file server
File System:
Client Side Caching (CSC)
provides a local disk cache
Distributed File System Replication (DFSR)
abstracts multiple file servers to one share name
provides content replication
Configuration moves to .config files…
Configure IIS and ASP.NET properties in the same file
Use locking to provide delegation
Built for simple, schema-based extensibility
… welcome to a world of xcopy deployment…
Configuration Layout
Inheritance…
[Diagram: root configuration files machine.config (.NET Framework) → root web.config (ASP.NET) → applicationHost.config (IIS), inherited by web.config files (IIS + ASP.NET + .NET Framework)]
Configuration Delegation
Delegation is:
Configuration locking, “overrideMode”
ACL’s on configuration files
By default…
All IIS sections locked except:
Default Document
Directory Browsing
HTTP Header
HTTP Redirects
All .NET Framework / ASP.NET sections are unlocked
Determine your configuration lockdown policy…
Be conservative at first
Unlock as necessary (locking later could break apps)
Compatibility: ABO Mapper
Provides compatibility for:
scripts
command line tools
native calls into ABO
Not installed by default
Can only do what IIS6 could do…
Can’t read/write new IIS properties
Application Pools: managedPipelineMode, managedRuntimeVersion
Request Filtering
Failed Request Tracing
Can’t read/write ASP.NET properties
Can’t read/write web.config files
Can’t access new runtime data, e.g. worker processes, executing requests
[Diagram: IIS6 ADSI Script → IISADMIN → ABOMapper → applicationHost.config]
Management Tools
GUI: IIS Manager
Command Line: appcmd
Script: WMI (root\WebAdministration)
Managed Code: Microsoft.Web.Administration
Manage IIS and ASP.NET
View enhanced runtime data
worker processes, appdomains, executing requests
Manage delegation
Use whichever management tool suits your needs…
IIS Manager
Remotes over HTTP, making it firewall friendly
(remoting is not installed by default)
Provides managed extensibility
Supports non-admin management of sites and applications
Educate end users who publish their application and use IIS Manager to configure it…
Scenario:
User publishes application
User changes app’s web.config using IIS Manager
User copies updated web.config to his local version of the application
Several days later, user re-publishes application
** modifications made to the app’s web.config using IIS Manager have just been blown away**
Appcmd – Listing and Filtering
C:\> appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)
C:\> appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)
Filter results by application pool, worker process, or site:
C:\> appcmd list requests /apppool.name:DefaultAppPool
C:\> appcmd list requests /wp.name:3567
C:\> appcmd list requests /site.id:1
appcmd
Scripting: IIS6 WMI Provider
NOT CONSISTENT
Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")
' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"
' --- Create Site ---
' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")
Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start
' --- Create Virtual Directory ---
' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_
' --- Create Application ---
' Make the VDir an application
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2 1
Scripting: new WMI Provider
CONSISTENT
Static Create methods
Set oService = GetObject("winmgmts:root\WebAdministration")
' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"
' Create site
oService.Get("Site").Create _
    "NewSite", array(oBinding), "C:\inetpub\wwwroot"
' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"
WMI – Unloading AppDomains
…through script
…through PowerShell
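Coding: Microsoft.Web.Administration
using System;
using Microsoft.Web.Administration;

// List every worker process and the requests it is currently executing.
ServerManager iisManager = new ServerManager();
foreach (WorkerProcess w3wp in iisManager.WorkerProcesses) {
    Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
    // GetRequests(0): no minimum elapsed time, so every executing request is returned
    foreach (Request request in w3wp.GetRequests(0)) {
        Console.WriteLine("{0} - {1},{2},{3}",
            request.Url,
            request.ClientIPAddr,
            request.TimeElapsed,
            request.TimeInState);
    }
}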
New Troubleshooting Features
Detailed custom errors, just like ASP.NET
Failed Request Tracing
No more ETW tracing and waiting for a repro…
New runtime data:
worker processes
appdomains
currently executing requests
Failed Request Tracing
No-repro tracing for “failed requests”
Configure custom failure definitions per URL
Time taken
Status/substatus codes
Error level
Persist failure log files
Will it tell me what’s wrong?
Sometimes… for example, ACL issues
Look for clues
Can use for all requests to see what’s going on
Failed Request Tracing
Summary
Deploy…
~ 40 modules, install only what you need
Migrate to ASP.NET Integrated Mode
Easier centralization/replication
Manage…
Manage IIS and ASP.NET through the same tools
Use ABO Mapper compatibility (not installed by default)
Determine configuration lockdown policy
Troubleshoot…
Use: Detailed Errors, Failed Request Tracing, Currently Executing requests
alexise@microsoft.com
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
Additional Information
Installation Options
• Lots of components
• Static server by default
• [client] Use Windows Features
• Replaces sysocmgr
• File format is completely different
• [client] Pick components, cannot set configuration
Install, Migration, Upgrade
Install log: \Windows\IIS7.log
Uninstall
Stop services to avoid a reboot
Deletes configuration files, back up before uninstall
Migration: none for Vista, LH Server TBD…
Upgrade
All web and/or FTP components are installed, uninstall unnecessary components afterwards…
Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail
ASP.NET: Migration
Application Pools
ASP.NET Integrated mode by default
Configure to load a specific version of the .NET Framework
Integrated Mode
Different server environment for some pipeline notifications
e.g. request is not authenticated for BeginRequest
Handler and module configuration integrated with IIS
system.webServer/handlers, system.webServer/modules
Validation warns on httpHandlers, httpModules, or identity config
Remove “managedHandler” precondition on an ASP.NET module to have it execute for all content
ISAPI Mode
Can’t configure HTTP handlers and modules from the UI
Replicating applicationHost.config
Will cause all application pools to recycle:
changes to default settings for all application pools
changes to the <globalModules> list
Will cause one application pool to recycle:
application pool settings
Use only RSA machine-encryption (default), replicate RSA machine key
http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
Gotchas:
Machine specific data, like IP addresses or drive letters
Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503s)
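A pre-replication check for the gotchas above and for the "Replicate Content and Config" slide, as an added example that is not part of the original deck. It assumes the target server's own applicationHost.config reflects which modules are installed there; the sample files and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: trimmed applicationHost.config files, not from a real server.
SOURCE = r"""<configuration>
 <system.applicationHost><sites><site name="Site1" id="2">
  <application path="/">
   <virtualDirectory path="/" physicalPath="D:\sites\site1" />
  </application>
  <bindings><binding protocol="http" bindingInformation="10.0.0.5:81:" /></bindings>
 </site></sites></system.applicationHost>
 <system.webServer><globalModules>
  <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
  <add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
 </globalModules></system.webServer>
</configuration>"""
TARGET = r"""<configuration><system.webServer><globalModules>
  <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
</globalModules></system.webServer></configuration>"""


def global_modules(config_xml):
    """Module names registered under <globalModules> in one config file."""
    root = ET.fromstring(config_xml)
    return {a.get("name") for gm in root.iter("globalModules") for a in gm.findall("add")}


def replication_findings(source_xml, target_xml):
    """Return (kind, detail) pairs to resolve before copying source over target."""
    findings = []
    # Module registered on the source but absent on the target: 503 after the copy.
    for name in sorted(global_modules(source_xml) - global_modules(target_xml)):
        findings.append(("missing-module", name))
    root = ET.fromstring(source_xml)
    # Bindings pinned to a literal IPv4 address rather than "*".
    for binding in root.iter("binding"):
        info = binding.get("bindingInformation", "")
        if re.match(r"\d{1,3}(\.\d{1,3}){3}:", info):
            findings.append(("machine-ip", info))
    # Physical paths that begin with a literal drive letter.
    for vdir in root.iter("virtualDirectory"):
        path = vdir.get("physicalPath", "")
        if re.match(r"[A-Za-z]:\\", path):
            findings.append(("drive-letter", path))
    return findings


if __name__ == "__main__":
    for kind, detail in replication_findings(SOURCE, TARGET):
        print(kind, detail)
```

An empty result means none of the three gotchas was detected; paths written with variables such as %SystemDrive% are not flagged.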
Configuration Delegation
Two kinds of configuration locking:
overrideMode (similar to "allowOverride")
granular locking, e.g. lockItem, lockElements
By default…
All IIS sections locked (overrideMode="Deny") except:
Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation
All .NET Framework / ASP.NET sections are unlocked
Determine your configuration lockdown policy
be conservative at first
unlock as necessary (locking later could break apps)
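One way to audit a lockdown policy against the defaults listed here and on the earlier Configuration Delegation slide, as an added example that is not part of the original deck. The mapping of the slide's feature names to section paths in BASELINE is an assumption, and the sample config and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The slide's default-unlocked sections, mapped to section paths (mapping assumed).
BASELINE = {"system.webServer/" + name for name in (
    "defaultDocument", "directoryBrowse", "httpProtocol", "httpRedirect", "validation")}

# Constructed sample applicationHost.config with two departures from that baseline.
SAMPLE = """<configuration>
 <configSections><sectionGroup name="system.webServer">
  <section name="defaultDocument" overrideModeDefault="Allow" />
  <section name="asp" overrideModeDefault="Allow" />
  <sectionGroup name="security"><sectionGroup name="authentication">
   <section name="windowsAuthentication" overrideModeDefault="Deny" />
  </sectionGroup></sectionGroup>
 </sectionGroup></configSections>
 <location path="Site1" overrideMode="Allow"><system.webServer>
  <security><authentication><windowsAuthentication enabled="true" /></authentication></security>
 </system.webServer></location>
</configuration>"""


def section_defaults(node, prefix=""):
    """Walk <configSections>, yielding (section path, overrideModeDefault)."""
    for child in node:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from section_defaults(child, path + "/")
        elif child.tag == "section":
            # An omitted overrideModeDefault means the section is unlocked.
            yield path, child.get("overrideModeDefault", "Allow")


def delegation_report(config_xml):
    """Return sorted (scope, section) pairs unlocked beyond BASELINE; "*" = server-wide."""
    root = ET.fromstring(config_xml)
    defaults = dict(section_defaults(root.find("configSections")))
    report = [("*", p) for p, mode in defaults.items()
              if mode == "Allow" and p not in BASELINE]
    for loc in root.iter("location"):
        if loc.get("overrideMode") != "Allow":
            continue
        # Sections inside an overrideMode="Allow" <location> are unlocked for that path.
        report += [(loc.get("path", ""), p) for p in defaults
                   if p not in BASELINE and loc.find(p) is not None]
    return sorted(report)


if __name__ == "__main__":
    for scope, section in delegation_report(SAMPLE):
        print(scope, section)
```

Each reported pair is a section that site or application owners can override in web.config but that the baseline does not expect to be unlocked.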
Configuration Schema
Use the schema file to see all config settings:
%windir%\system32\inetsrv\config\schema\IIS_schema.xml
Schema describes:
property types
default values
validation
encrypted by default?
note: config is case sensitive
Appcmd – Viewing Config Schema
C:\> appcmd list config /section:? | findstr system.webServer
system.webServer/globalModules
system.webServer/serverSideInclude
system.webServer/httpTracing
...
IIS sections – also try “system.web” and “system.applicationHost”
C:\> appcmd list config /section:directoryBrowse
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
C:\> appcmd list config /section:directoryBrowse /config:*
<system.webServer>
<directoryBrowse enabled="true" showFlags="Extension, Size, Time, Date" />
</system.webServer>
Shows attributes that aren’t set explicitly
C:\> appcmd list config /section:directoryBrowse /text:*
CONFIG
CONFIG.SECTION: system.webServer/directoryBrowse
path: MACHINE/WEBROOT/APPHOST
overrideMode: Inherit
[system.webServer/directoryBrowse]
enabled:"true"
showFlags:"Extension, Size, Time, Date"
Coding: Microsoft.Web.Administration
First managed code API for administering IIS
Same objects and functionality as WMI, appcmd
What about System.Configuration?
System.Configuration:
Strongly typed ASP.NET and .NET Framework config
Microsoft.Web.Administration:
Weakly typed IIS, ASP.NET, and .NET Framework config
Strongly typed IIS objects like Sites and Application Pools