IIS 7: The Administrator’s Guide Alexis Eller Program Manager Microsoft Corporation

IIS6 Request Processing Send Response LogCompress NTLMBasic Determine Handler CGI Static File Authentication Anon Monolithic implementation Install all or nothing… Extend server functionality only through ISAPI… ASP.NET PHP ISAPI … …

IIS7 Request Processing Send Response LogCompress NTLMBasic Determine Handler CGI Static File ISAPI Authentication Anon SendResponse Authentication Authorization ResolveCache ExecuteHandler UpdateCache … … Server functionality is split into ~ 40 modules... Modules plug into a generic request pipeline… Modules extend server functionality through a public module API. … …

Many, Many Modules Install, manage, and patch only the modules you use… Reduces attack surface Reduces in-memory footprint Provides fine grained control … replace core server components with custom components…

Installing IIS7

Consistently install the same set of modules… Avoid: 503 “Service Unavailable” [module is enabled but not installed] [module is enabled but not installed] Application doesn’t work as expected [web.config references a module that isn’t installed] [web.config references a module that isn’t installed] [unexpected module conflicts with custom module] [unexpected module conflicts with custom module]

IIS6 ASP.NET Integration Runtime limitations Only sees ASP.NET requests Feature duplication Send Response LogCompress NTLMBasic Determine Handler CGI Static File ISAPI Authentication Anon … … Authentication Forms Windows Map Handler ASPX Trace … … …aspnet_isapi.dll

IIS7 ASP.NET Integration Two Modes Classic (runs as ISAPI) Integrated Integrated Mode.NET modules / handlers plug directly into pipeline Process all requests Full runtime fidelity Log Compress Basic Static File ISAPI Anon SendResponse Authentication Authorization ResolveCache ExecuteHandler UpdateCache … … Authentication Forms Windows Map Handler ASPX Trace … … … aspnet_isapi.dll

Migrating to Integrated ASP.NET

Replicate Content and Config Main IIS configuration file (applicationHost.config) Built-in “IUSR” account, no more machine specific SID’s Simple file copy, no command line tools required …watch for machine specific data like IP’s and drive letters IIS config  web.config, XCOPY with application

Centralize Content and Config IIS config  web.config, centralize on file server File System: Client Side Caching (CSC) provides a local disk cache Distributed File System Replication (DFSR) abstracts multiple file servers to one share name provides content replication

Configuration moves to.config files… Configure IIS and ASP.NET properties in the same file Use locking to provide delegation Built for simple, schema-based extensibility … welcome to a world of xcopy deployment…

Configuration Layout root configuration files machine.config root web.config applicationHost.config web.config.NETFramework ASP.NET IIS IIS + ASP.NET +.NET Framework web.config files Inheritance…

Configuration Delegation Delegation is: Configuration locking, “overrideMode” ACL’s on configuration files By default… All IIS sections locked except: Default Document Directory Browsing HTTP Header HTTP Redirects All.NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy… Be conservative at first Unlock as necessary (locking later could break apps)

Compatibility: ABO Mapper Provides compatibility for: scripts command line tools native calls into ABO Not installed by default Can only do what IIS6 could do… Can’t read/write new IIS properties Application Pools: managedPipelineMode, managedRuntimeVersion Request Filtering Failed Request Tracing Can’t read/write ASP.NET properties Can’t read/write web.config files Can’t access new runtime data, e.g. worker processes, executing requests applicationHost.config IISADMIN ABOMapper IIS6 ADSI Script

Management Tools Manage IIS and ASP.NET View enhanced runtime data worker processes, appdomains, executing requests Manage delegation Use whichever management tool suits your needs… GUI Command Line Script Managed Code IIS Manager appcmd WMI (root\WebAdministration) Microsoft.Web.Administration

IIS Manager Remotes over HTTP, making it firewall friendly (remoting is not installed by default) Provides managed extensibility Supports non-admin management of sites and applications

Educate end users who publish their application and use IIS Manager configure it… Scenario: User publishes application User changes app’s web.config using IIS Manager User copies updated web.config to his local version of the application Several days later, user re-publishes application ** modifications make to the app’s web.config using IIS Manager have just been blown away**

Appcmd – Listing and Filtering C:\> appcmd list sites SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started) SITE "Site1" (id:2,bindings:http/*:81:,state:Started) SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped) C:\> appcmd list requests REQUEST "fb e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost) C:\> appcmd list requests /apppool.name:DefaultAppPool C:\> appcmd list requests /wp.name:3567 C:\> appcmd list requests /site.id:1 C:\> C:\> Filter results by application pool, worker process, or site C:\>

appcmdappcmd

Scripting: IIS6 WMI Provider Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2") ' Create binding for new site Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_ oBinding.IP = "" oBinding.Port = "80" oBinding.Hostname = " ' Create site and extract site name from return value Set oService = oIIS.Get("IIsWebService.Name='W3SVC'") strSiteName = oService. CreateNewSite ("NewSite", array(oBinding), "C:\inetpub\wwwroot") Set objPath = CreateObject("WbemScripting.SWbemObjectPath") objPath.Path = strSiteName strSitePath = objPath.Keys.Item("") Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'") oSite.Start ' Create the vdir for our application Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting"). SpawnInstance_ oVDirSetting.Name = strSitePath & "/ROOT/bar" oVDirSetting.Path = "C:\inetpub\bar" oVDirSetting.Put_ ' Make the VDir an application Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'") oVDir. AppCreate2 1 Create Site Create Virtual Directory Create Application NOT CONSISTENT

Scripting: new WMI Provider Set oService = GetObject("winmgmts:root\WebAdministration") ' Create binding for site Set oBinding = oService.Get("BindingElement").SpawnInstance_ oBinding.BindingInformation = "*:80: oBinding.Protocol = "http" ' Create site oService.Get("Site").Create _ "NewSite", array(oBinding), "C:\inetpub\wwwroot" ' Create application oService.Get("Application").Create _ "/foo", "NewSite", "C:\inetpub\wwwroot\foo" Static Create methods CONSISTENT

WMI – Unloading AppDomains …through script …through PowerShell

Coding: Microsoft.Web.Administration ServerManager iisManager = new ServerManager(); foreach(WorkerProcess w3wp in iisManager.WorkerProcesses ) { Console.WriteLine("W3WP ({0})", w3wp.ProcessId); foreach(Request request in w3wp.GetRequests (0)) { Console.WriteLine("{0} - {1},{2},{3}", request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState); } }

New Troubleshooting Features Detailed custom errors, just like ASP.NET Failed Request Tracing No more ETW tracing and waiting for a repro… New runtime data: worker processes appdomains currently executing requests

Failed Request Tracing No-repro tracing for “failed requests” Configure custom failure definitions per URL Time taken Status/substatus codes Error level Persist failure log files Will it tell me what’s wrong? Sometimes… for example, ACL issues Look for clues Can use for all requests to see what’s going on

Failed Request Tracing

Summary Troubleshoot… Use: Detailed Errors, Failed Request Tracing, Currently Executing requests Manage… Manage IIS and ASP.NET through the same tools Use ABO Mapper compatibility (not installed by default) Determine configuration lockdown policy Deploy… Deploy… ~ 40 modules, install only what you need Migrate to ASP.NET Integrated Mode Easier centralization/replication

TechCenter to easily find the info you need Advice and assistance in Forums Insider info on new technology (IIS7!) Online labs, play with IIS7 in your browser New home for IIS Community!

Some upcoming IIS sessions… Today 3:15 – 4:30 Chalktalk: Configuration Management of Web Platform Tomorrow 8:30 – 9:45 IIS 7: Under the Hood for Web Request Tracing 10:15 – 11:30 Chalktalk: Using Managed Code to Administer IIS 7 1:00 – 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7 2:45 – 4:00 IIS 6: Effective Management of Web Farms 4:30 – 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM Wednesday 8:30 – 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7 2:00 – 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight 4:45 – 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit 5:30 – 6:45 Chalktalk: IIS 7 Q&A

Fill out a session evaluation on CommNet and Win an XBOX 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Additional Information

Installation Options Lots of components Lots of components Static server by default Static server by default [client] Use Windows [client] Use Windows Features Features Replaces sysocmgr Replaces sysocmgr File format is File format is completely different completely different [client] Pick components, [client] Pick components, cannot set configuration cannot set configuration

Install, Migration, Upgrade Install log: \Windows\IIS7.log Uninstall Stop services to avoid a reboot Deletes configuration files, backup before uninstall Migration: none for Vista, LH Server TBD… Upgrade All web and/or FTP components are installed, uninstall unnecessary components afterwards… Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail

ASP.NET: Migration Application Pools ASP.NET Integrated mode by default Configure to load a specific version of the.NET Framework Integrated Mode Different server environment for some pipeline notifications e.g. request is not authenticated for BeginRequest Handler and module configuration integrated with IIS system.webServer/handlers, system.webServer/modules Validation warns on httpHandlers, httpModules, or identity config Remove “managedHandler” precondition on an ASP.NET module to have it execute for all content ISAPI Mode Can’t configure HTTP handlers and modules from the UI

Replicating applicationHost.config Will cause all application pools to recycle: changes to default settings for all application pools changes to the list Will cause one application pool to recycle: application pool settings Use only RSA machine-encryption (default), replicate RSA machine key Gotcha's: Machine specific data, like IP addresses or drive letters Servers must have same set of modules installed (reference to non-existent module in causes 503's)

Configuration Delegation Two kinds of configuration locking: overrideMode (similar to "allowOverride") granular locking, e.g. lockItem, lockElements By default… All IIS sections locked (overrideMode=“Deny”) except: Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation All.NET Framework / ASP.NET sections are unlocked Determine your configuration lockdown policy be conservative at first unlock as necessary (locking later could break apps)

Configuration Schema Use the schema file to see all config settings: %windir%\system32\inetsrv\config\schema\IIS_schema.xml %windir%\system32\inetsrv\config\schema\IIS_schema.xml Schema describes: property types default values validation encrypted by default? note: config is case sensitive

Appcmd – Viewing Config Schema C:\> appcmd list config /section:? | findstr system.webServer system.webServer/globalModules system.webServer/serverSideInclude system.webServer/httpTracing... C:\> appcmd list config /section:directoryBrowse C:\> appcmd list config /section:directoryBrowse /config:* C:\> appcmd list config /section:directoryBrowse /text:* CONFIG CONFIG.SECTION: system.webServer/directoryBrowse path: MACHINE/WEBROOT/APPHOST overrideMode: Inherit [system.webServer/directoryBrowse] enabled:"true" showFlags:"Extension, Size, Time, Date" C:\> C:\> IIS sections – also try “system.web” and “system.applicationHost” C:\> C:\> Shows attributes that aren’t set explicitly

Coding: Microsoft.Web.Administration First managed code API for administering IIS Same objects and functionality as WMI, appcmd What about System.Configuration? System.Configuration: Strongly typed ASP.NET and.NET Framework config Microsoft.Web.Administration: Weakly typed IIS, ASP.NET, and.NET Framework config Strongly typed IIS objects like Sites and Application Pools