
CYCLE 2014-II Module: 1

Unit: 1

Week: 2

e-BUSINESS TECHNOLOGY

MSc. Carlos Pea

IIS 7: The Administrator's Guide

IIS6 Request Processing

Monolithic implementation
Install all or nothing
Extend server functionality only through ISAPI

[Diagram: IIS6 request pipeline, with stages Authentication (NTLM, Basic, Anon), Determine Handler, Send Response (Log, Compress) and handlers CGI, Static File, ISAPI, ASP.NET, PHP]

IIS7 Request Processing

Server functionality is split into ~ 40 modules...
Modules plug into a generic request pipeline
Modules extend server functionality through a public module API.

[Diagram: IIS7 request pipeline, with stages Authentication (NTLM, Basic, Anon), Authorization, ResolveCache, Determine Handler, ExecuteHandler, UpdateCache, SendResponse (Log, Compress) and handlers CGI, Static File, ISAPI]

Many, Many Modules


Install, manage, and patch only the modules you use
Reduces attack surface
Reduces in-memory footprint
Provides fine grained control

replace core server components with custom components

Consistently install the same set of modules
Avoid:
503 Service Unavailable
[module is enabled but not installed]
Application doesn't work as expected
[web.config references a module that isn't installed]
[unexpected module conflicts with custom module]

IIS6 ASP.NET Integration

Runtime limitations
Only sees ASP.NET requests
Feature duplication

[Diagram: IIS6 pipeline (Authentication: NTLM, Basic, Anon; Determine Handler: CGI, Static File, ISAPI; Send Response: Log, Compress) next to aspnet_isapi.dll (Authentication: Forms, Windows; Map Handler; ASPX; Trace)]
IIS7 ASP.NET Integration

Two Modes
Classic (runs as ISAPI)
Integrated

Integrated Mode
.NET modules / handlers plug directly into pipeline
Process all requests
Full runtime fidelity

[Diagram labels: Authentication (Basic, Anon, Forms, Windows), Authorization, ResolveCache, Map Handler, ExecuteHandler, Static File, ISAPI, ASPX, aspnet_isapi.dll, UpdateCache, SendResponse, Compress, Log, Trace]

Replicate Content and Config


Main IIS configuration file (applicationHost.config)
Built-in IUSR account, no more machine specific SIDs
Simple file copy, no command line tools required
watch for machine specific data like IPs and drive letters

IIS config web.config, XCOPY with application

Centralize Content and Config


IIS config web.config, centralize on file server
File System:
Client Side Caching (CSC)
provides a local disk cache

Distributed File System Replication (DFSR)


abstracts multiple file servers to one share name
provides content replication

Configuration moves to .config files
Configure IIS and ASP.NET properties in the same file
Use locking to provide delegation
Built for simple, schema-based extensibility
welcome to a world of xcopy deployment

Configuration Layout
Inheritance

[Diagram: configuration inheritance. Root configuration files: machine.config (.NET Framework), root web.config (ASP.NET), applicationHost.config (IIS). web.config files: IIS + ASP.NET + .NET Framework]

Configuration Delegation
Delegation is:
Configuration locking, overrideMode
ACLs on configuration files

By default
All IIS sections locked except:

Default Document
Directory Browsing
HTTP Header
HTTP Redirects

All .NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy


Be conservative at first
Unlock as necessary (locking later could break apps)

Compatibility: ABO Mapper

Provides compatibility for:
scripts
command line tools
native calls into ABO

Not installed by default
Can only do what IIS6 could do

Can't read/write new IIS properties
Application Pools: managedPipelineMode, managedRuntimeVersion
Request Filtering
Failed Request Tracing

Can't read/write ASP.NET properties
Can't read/write web.config files
Can't access new runtime data, e.g. worker processes, executing requests

[Diagram labels: IIS6 ADSI Script, IISADMIN, ABOMapper, applicationHost.config]

Management Tools
GUI: IIS Manager
Command Line: appcmd
Script: WMI (root\WebAdministration)
Managed Code: Microsoft.Web.Administration

Manage IIS and ASP.NET
View enhanced runtime data
worker processes, appdomains, executing requests
Manage delegation
Use whichever management tool suits your needs

IIS Manager

Remotes over HTTP, making it firewall friendly
(remoting is not installed by default)

Provides managed extensibility
Supports non-admin management of sites and applications

Educate end users who publish their application and use IIS Manager to configure it
Scenario:
User publishes application
User changes app's web.config using IIS Manager
User copies updated web.config to his local version of the application
Several days later, user re-publishes application
** modifications made to the app's web.config using IIS Manager have just been blown away **

Appcmd Listing and Filtering

C:\> appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)
C:\>
C:\> appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)
C:\>
C:\> appcmd list requests /apppool.name:DefaultAppPool
C:\> appcmd list requests /wp.name:3567
C:\> appcmd list requests /site.id:1

Filter results by application pool, worker process, or site

Scripting: IIS6 WMI Provider

NOT CONSISTENT (Create Site, Create Virtual Directory, Create Application)

Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"

' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")
Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start

' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_

' Make the VDir an application
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2 1

Scripting: new WMI Provider

CONSISTENT: Static Create methods

Set oService = GetObject("winmgmts:root\WebAdministration")

' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"

' Create site
oService.Get("Site").Create _
    "NewSite", array(oBinding), "C:\inetpub\wwwroot"

' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

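Coding: Microsoft.Web.Administration

using System;
using Microsoft.Web.Administration;

// List every worker process and the requests it is currently executing.
ServerManager iisManager = new ServerManager();
foreach (WorkerProcess w3wp in iisManager.WorkerProcesses) {
    Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
    // 0 = no elapsed-time filter, so all in-flight requests are returned.
    foreach (Request request in w3wp.GetRequests(0)) {
        Console.WriteLine("{0} - {1},{2},{3}",
            request.Url,
            request.ClientIPAddr,
            request.TimeElapsed,
            request.TimeInState);
    }
}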

New Troubleshooting Features


Detailed custom errors, just like ASP.NET
Failed Request Tracing
No more ETW tracing and waiting for a repro

New runtime data:


worker processes
appdomains
currently executing requests

Failed Request Tracing

No-repro tracing for failed requests


Configure custom failure definitions per URL
Time taken
Status/substatus codes
Error level

Persist failure log files

Will it tell me what's wrong?
Sometimes, for example, ACL issues
Look for clues

Can use for all requests to see what's going on

Summary

Deploy
~ 40 modules, install only what you need
Migrate to ASP.NET Integrated Mode
Easier centralization/replication

Manage
Manage IIS and ASP.NET through the same tools
Use ABO Mapper compatibility (not installed by default)
Determine configuration lockdown policy

Troubleshoot
Use: Detailed Errors, Failed Request Tracing, Currently Executing requests

New home for IIS Community!


TechCenter to easily find the info you need
Advice and assistance in Forums
Insider info on new technology (IIS7!)
Online labs, play with IIS7 in your browser

Some upcoming IIS sessions


Today
3:15 - 4:30 Chalktalk: Configuration Management of Web Platform

Tomorrow
8:30 - 9:45 IIS 7: Under the Hood for Web Request Tracing
10:15 - 11:30 Chalktalk: Using Managed Code to Administer IIS 7
1:00 - 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7
2:45 - 4:00 IIS 6: Effective Management of Web Farms
4:30 - 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM

Wednesday
8:30 - 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7
2:00 - 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight
4:45 - 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit
5:30 - 6:45 Chalktalk: IIS 7 Q&A


Additional Information

Installation Options

Lots of components
Static server by default
[client] Use Windows Features

Replaces sysocmgr
File format is completely different
[client] Pick components, cannot set configuration

Install, Migration, Upgrade

Install log: \Windows\IIS7.log


Uninstall

Stop services to avoid a reboot


Deletes configuration files, backup before uninstall

Migration: none for Vista, LH Server TBD


Upgrade
All web and/or FTP components are installed, uninstall unnecessary components afterwards
Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail

ASP.NET: Migration

Application Pools

ASP.NET Integrated mode by default


Configure to load a specific version of the .NET Framework

Integrated Mode
Different server environment for some pipeline notifications
e.g. request is not authenticated for BeginRequest

Handler and module configuration integrated with IIS
system.webServer/handlers, system.webServer/modules

Validation warns on httpHandlers, httpModules, or identity config
Remove managedHandler precondition on an ASP.NET module to have it execute for all content

ISAPI Mode
Can't configure HTTP handlers and modules from the UI

Replicating applicationHost.config
Will cause all application pools to recycle:
changes to default settings for all application pools
changes to the <globalModules> list

Will cause one application pool to recycle:
application pool settings

Use only RSA machine-encryption (default), replicate RSA machine key
http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx

Gotchas:
Machine specific data, like IP addresses or drive letters
Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503s)
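
Added example (not part of the original slides): a pre-replication check for the gotchas above, run over a copy of applicationHost.config before it is pushed to another server. The sample XML, the TARGET_INSTALLED inventory of module names and the function name are constructed for illustration; in practice the inventory would come from the target server itself.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an applicationHost.config about to be copied out.
SOURCE = r"""<configuration>
 <system.applicationHost><sites><site name="Site1" id="2">
  <application path="/"><virtualDirectory path="/" physicalPath="D:\sites\site1" /></application>
  <bindings><binding protocol="http" bindingInformation="10.0.0.5:81:" />
   <binding protocol="http" bindingInformation="*:82:" /></bindings>
 </site></sites></system.applicationHost>
 <system.webServer>
  <globalModules>
   <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
   <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
  </globalModules>
  <modules>
   <add name="StaticFileModule" /><add name="IsapiModule" />
   <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  </modules>
 </system.webServer>
</configuration>"""
TARGET_INSTALLED = {"StaticFileModule", "IsapiModule"}  # constructed inventory


def lint_for_replication(xml_text, target_installed):
    """Return (kind, detail) findings for the replication gotchas."""
    root = ET.fromstring(xml_text)
    declared = {a.get("name") for g in root.iter("globalModules") for a in g.findall("add")}
    # A <globalModules> entry with nothing installed behind it means 503s.
    out = [("not-installed-on-target", n) for n in sorted(declared - set(target_installed))]
    for a in (a for m in root.iter("modules") for a in m.findall("add")):
        # Native modules carry no managed 'type' and must be declared globally.
        if a.get("type") is None and a.get("name") not in declared:
            out.append(("enabled-but-not-declared", a.get("name")))
    for b in root.iter("binding"):
        # http/https bindingInformation is "IP:port:host"; "*" is portable.
        ip = b.get("bindingInformation", "").rsplit(":", 2)[0]
        if b.get("protocol") in ("http", "https") and ip not in ("", "*"):
            out.append(("machine-specific-ip", ip))
    for v in root.iter("virtualDirectory"):
        # A literal drive letter must exist identically on every server.
        if re.match(r"[A-Za-z]:\\", v.get("physicalPath", "")):
            out.append(("drive-letter-path", v.get("physicalPath")))
    return out


if __name__ == "__main__":
    print(*lint_for_replication(SOURCE, TARGET_INSTALLED), sep="\n")
```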

Configuration Delegation
Two kinds of configuration locking:
overrideMode (similar to "allowOverride")
granular locking, e.g. lockItem, lockElements

By default
All IIS sections locked (overrideMode=Deny) except:
Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation

All .NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy


be conservative at first
unlock as necessary (locking later could break apps)
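
Added example (not part of the original slides): one way to check a lockdown policy against applicationHost.config, reporting every section that is unlocked either by its overrideModeDefault or by a <location overrideMode="Allow"> block but is not in the intended delegation list. The sample XML, the POLICY set and the function names are constructed for illustration, and treating a missing overrideModeDefault as Allow is the assumption the audit relies on.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of applicationHost.config.
CONFIG = """<configuration>
 <configSections>
  <sectionGroup name="system.webServer">
   <section name="defaultDocument" overrideModeDefault="Allow" />
   <section name="directoryBrowse" overrideModeDefault="Allow" />
   <section name="handlers" overrideModeDefault="Deny" />
   <section name="staticContent" />
   <sectionGroup name="security">
    <section name="requestFiltering" overrideModeDefault="Deny" />
   </sectionGroup>
  </sectionGroup>
 </configSections>
 <location path="Site1" overrideMode="Allow">
  <system.webServer><handlers /></system.webServer></location>
</configuration>"""
# Assumed policy: the only sections the administrator means to delegate.
POLICY = {"system.webServer/defaultDocument", "system.webServer/directoryBrowse"}


def section_defaults(node, prefix=""):
    """Yield (section path, overrideModeDefault) pairs from <configSections>."""
    for child in node:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from section_defaults(child, path + "/")
        elif child.tag == "section":
            # With no overrideModeDefault attribute a section defaults to Allow.
            yield path, child.get("overrideModeDefault", "Allow")


def audit_delegation(xml_text, policy):
    """Return sorted (section, where) pairs unlocked outside the policy."""
    root = ET.fromstring(xml_text)
    defaults = dict(section_defaults(root.find("configSections")))
    found = {(p, "overrideModeDefault") for p, mode in defaults.items()
             if mode == "Allow" and p not in policy}
    for loc in root.iter("location"):
        if loc.get("overrideMode") == "Allow":
            # Any known section present under this <location> is unlocked there.
            found |= {(p, "location:" + loc.get("path", "")) for p in defaults
                      if p not in policy and loc.find(p) is not None}
    return sorted(found)


if __name__ == "__main__":
    print(*audit_delegation(CONFIG, POLICY), sep="\n")
```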

Configuration Schema
Use the schema file to see all config settings:
%windir%\system32\inetsrv\config\schema\IIS_schema.xml

Schema describes:

property types
default values
validation
encrypted by default?

note: config is case sensitive

Appcmd Viewing Config Schema

C:\> appcmd list config /section:? | findstr system.webServer
system.webServer/globalModules
system.webServer/serverSideInclude
system.webServer/httpTracing
...

IIS sections; also try system.web and system.applicationHost

C:\> appcmd list config /section:directoryBrowse
<system.webServer>
  <directoryBrowse enabled="true" />
</system.webServer>
C:\> appcmd list config /section:directoryBrowse /config:*
<system.webServer>
  <directoryBrowse enabled="true" showFlags="Extension, Size, Time, Date" />
</system.webServer>
C:\> appcmd list config /section:directoryBrowse /text:*
CONFIG
CONFIG.SECTION: system.webServer/directoryBrowse
path: MACHINE/WEBROOT/APPHOST
overrideMode: Inherit
[system.webServer/directoryBrowse]
enabled:"true"
showFlags:"Extension, Size, Time, Date"

Shows attributes that aren't set explicitly

Coding: Microsoft.Web.Administration
First managed code API for administering IIS
Same objects and functionality as WMI, appcmd

What about System.Configuration?


System.Configuration:
Strongly typed ASP.NET and .NET Framework config

Microsoft.Web.Administration:
Weakly typed IIS, ASP.NET, and .NET Framework config
Strongly typed IIS objects like Sites and Application Pools

THANK YOU
