IIS 7: The Administrator’s Guide

IIS 7: The Administrator’s Guide Alexis Eller Program Manager Microsoft Corporation

Scripting… WMI C#, VB.NET… Microsoft.Web.Administration Command Line… appcmd Server Modules ASP.NET on IIS7 Centralization Detailed Errors Failed Request Tracing IIS Manager Deploy... Manage... Troubleshoot...

IIS6 Request Processing Send Response Log Compress NTLM Basic Determine Handler CGI Static File Authentication Anon Monolithic implementation Install all or nothing … Extend server functionality only through ISAPI … ASP.NET PHP ISAPI … … Deploy...

IIS7 Request Processing Send Response Log Compress NTLM Basic Determine Handler CGI Static File ISAPI Authentication Anon SendResponse Authentication Authorization ResolveCache ExecuteHandler UpdateCache … … Server functionality is split into ~ 40 modules ... Modules plug into a generic request pipeline… Modules extend server functionality through a public module API. … … Deploy...

Many, Many Modules Install, manage, and patch only the modules you use… Reduces attack surface Reduces in-memory footprint Provides fine grained control … replace core server components with custom components … Deploy...

Consistently install the same set of modules … Avoid: 503 “Service Unavailable” [module is enabled but not installed] Application doesn’t work as expected [web.config references a module that isn’t installed] [unexpected module conflicts with custom module] TIP Deploy...

IIS6 ASP.NET Integration Runtime limitations Only sees ASP.NET requests Feature duplication Send Response Log Compress NTLM Basic Determine Handler CGI Static File ISAPI Authentication Anon … … Deploy... Authentication Forms Windows Map Handler ASPX Trace … … … aspnet_isapi.dll

IIS7 ASP.NET Integration Two Modes Classic (runs as ISAPI) Integrated Integrated Mode .NET modules / handlers plug directly into pipeline Process all requests Full runtime fidelity Log Compress Basic Static File ISAPI Anon SendResponse Authentication Authorization ResolveCache ExecuteHandler UpdateCache … … Authentication Forms Windows Map Handler ASPX Trace … … … aspnet_isapi.dll Deploy...

Migrating to Integrated ASP.NET Deploy...

Replicate Content and Config Main IIS configuration file (applicationHost.config) Built-in “IUSR” account, no more machine specific SID’s Simple file copy , no command line tools required … watch for machine specific data like IP’s and drive letters IIS config  web.config, XCOPY with application Deploy...

Centralize Content and Config IIS config  web.config, centralize on file server File System: Client Side Caching (CSC) provides a local disk cache Distributed File System Replication (DFSR) abstracts multiple file servers to one share name provides content replication Deploy...

Configuration moves to .config files… Configure IIS and ASP.NET properties in the same file Use locking to provide delegation Built for simple, schema-based extensibility … welcome to a world of xcopy deployment … Manage...

Configuration Layout root configuration files machine.config root web.config applicationHost.config web.config .NET Framework ASP.NET IIS IIS + ASP.NET + .NET Framework web.config files \Windows\Microsoft.NET\Framework\v2.0.50727\config\web.config \Windows\system32\inetsrv\applicationHost.config \Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config Inheritance… Manage...

Configuration Delegation Delegation is: Configuration locking, “overrideMode” ACL’s on configuration files By default… All IIS sections locked except: Default Document Directory Browsing HTTP Header HTTP Redirects All .NET Framework / ASP.NET sections are unlocked Manage...

Determine your configuration lockdown policy… Be conservative at first Unlock as necessary (locking later could break apps) TIP Manage...

Compatibility: ABO Mapper Provides compatibility for: scripts command line tools native calls into ABO Not installed by default Can only do what IIS6 could do… Can’t read/write new IIS properties Application Pools: managedPipelineMode, managedRuntimeVersion Request Filtering Failed Request Tracing Can’t read/write ASP.NET properties Can’t read/write web.config files Can’t access new runtime data, e.g. worker processes, executing requests applicationHost.config IISADMIN ABOMapper IIS6 ADSI Script Manage...

Management Tools Manage IIS and ASP.NET View enhanced runtime data worker processes, appdomains, executing requests Manage delegation Use whichever management tool suits your needs… GUI Command Line Script Managed Code IIS Manager appcmd WMI (root\WebAdministration) Microsoft.Web.Administration Manage...

IIS Manager Remotes over HTTP, making it firewall friendly (remoting is not installed by default) Provides managed extensibility Supports non-admin management of sites and applications Manage...

Educate end users who publish their application and use IIS Manager configure it… Scenario: User publishes application User changes app’s web.config using IIS Manager User copies updated web.config to his local version of the application Several days later, user re-publishes application ** modifications make to the app’s web.config using IIS Manager have just been blown away** TIP Manage...

Appcmd – Listing and Filtering C:\> appcmd list sites SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started) SITE "Site1" (id:2,bindings:http/*:81:,state:Started) SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped) C:\> appcmd list requests REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost) C:\> appcmd list requests /apppool.name:DefaultAppPool C:\> appcmd list requests /wp.name:3567 C:\> appcmd list requests /site.id:1 C:\> C:\> Filter results by application pool, worker process, or site C:\> Manage...

Scripting: IIS6 WMI Provider Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2") ' Create binding for new site Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_ oBinding.IP = "" oBinding.Port = "80" oBinding.Hostname = "www.site.com" ' Create site and extract site name from return value Set oService = oIIS.Get("IIsWebService.Name='W3SVC'") strSiteName = oService. CreateNewSite ("NewSite", array (oBinding), "C:\inetpub\wwwroot") Set objPath = CreateObject("WbemScripting.SWbemObjectPath") objPath.Path = strSiteName strSitePath = objPath.Keys.Item("") Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'") oSite.Start ' Create the vdir for our application Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting"). SpawnInstance_ oVDirSetting.Name = strSitePath & "/ROOT/bar" oVDirSetting.Path = "C:\inetpub\bar" oVDirSetting.Put_ ' Make the VDir an application Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'") oVDir. AppCreate2 1 Create Site Create Virtual Directory Create Application NOT CONSISTENT Manage...

Scripting: new WMI Provider Set oService = GetObject("winmgmts:root\WebAdministration") ' Create binding for site Set oBinding = oService.Get("BindingElement").SpawnInstance_ oBinding.BindingInformation = "*:80:www.site.com" oBinding.Protocol = "http" ' Create site oService.Get("Site").Create _ "NewSite", array (oBinding), "C:\inetpub\wwwroot" ' Create application oService.Get("Application").Create _ "/foo", "NewSite", "C:\inetpub\wwwroot\foo" Static Create methods CONSISTENT Manage...

WMI – Unloading AppDomains …through script …through PowerShell Manage...

Coding: Microsoft.Web.Administration ServerManager iisManager = new ServerManager(); foreach (WorkerProcess w3wp in iisManager.WorkerProcesses ) { Console.WriteLine("W3WP ({0})", w3wp.ProcessId); foreach (Request request in w3wp.GetRequests (0)) { Console.WriteLine("{0} - {1},{2},{3}", request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState); } } Manage...

New Troubleshooting Features Detailed custom errors, just like ASP.NET Failed Request Tracing No more ETW tracing and waiting for a repro… New runtime data: worker processes appdomains currently executing requests Troubleshoot...

Failed Request Tracing No-repro tracing for “failed requests” Configure custom failure definitions per URL Time taken Status/substatus codes Error level Persist failure log files Will it tell me what’s wrong? Sometimes… for example, ACL issues Look for clues Can use for all requests to see what’s going on Troubleshoot...

Failed Request Tracing Troubleshoot...

Summary Troubleshoot… Use: Detailed Errors, Failed Request Tracing, Currently Executing requests Manage… Manage IIS and ASP.NET through the same tools Use ABO Mapper compatibility (not installed by default) Determine configuration lockdown policy Deploy… ~ 40 modules, install only what you need Migrate to ASP.NET Integrated Mode Easier centralization/replication

TechCenter to easily find the info you need Advice and assistance in Forums Insider info on new technology (IIS7!) Online labs, play with IIS7 in your browser New home for IIS Community!

Some upcoming IIS sessions… Today 3:15 – 4:30 Chalktalk: Configuration Management of Web Platform Tomorrow 8:30 – 9:45 IIS 7: Under the Hood for Web Request Tracing 10:15 – 11:30 Chalktalk: Using Managed Code to Administer IIS 7 1:00 – 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7 2:45 – 4:00 IIS 6: Effective Management of Web Farms 4:30 – 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM Wednesday 8:30 – 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7 2:00 – 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight 4:45 – 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit 5:30 – 6:45 Chalktalk: IIS 7 Q&A

Fill out a session evaluation on CommNet and Win an XBOX 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Installation Options Server Manager Package Manager Server Manager Lots of components Static server by default [client] Use Windows Features Package Manager Replaces sysocmgr Unattend File format is completely different [client] Pick components, cannot set configuration Deploy...

Install, Migration, Upgrade Install log: \Windows\IIS7.log Uninstall Stop services to avoid a reboot Deletes configuration files, backup before uninstall Migration: none for Vista, LH Server TBD… Upgrade All web and/or FTP components are installed, uninstall unnecessary components afterwards… Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail Deploy...

ASP.NET: Migration Application Pools ASP.NET Integrated mode by default Configure to load a specific version of the .NET Framework Integrated Mode Different server environment for some pipeline notifications e.g. request is not authenticated for BeginRequest Handler and module configuration integrated with IIS system.webServer/handlers, system.webServer/modules Validation warns on httpHandlers, httpModules, or identity config Remove “managedHandler” precondition on an ASP.NET module to have it execute for all content ISAPI Mode Can’t configure HTTP handlers and modules from the UI Deploy...

Replicating applicationHost.config Will cause all application pools to recycle: changes to default settings for all application pools changes to the <globalModules> list Will cause one application pool to recycle: application pool settings Use only RSA machine-encryption (default), replicate RSA machine key http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx Gotcha's: Machine specific data, like IP addresses or drive letters Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503's) Deploy...

Configuration Delegation Two kinds of configuration locking: overrideMode (similar to "allowOverride") granular locking, e.g. lockItem, lockElements By default… All IIS sections locked (overrideMode=“Deny”) except: Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation All .NET Framework / ASP.NET sections are unlocked Determine your configuration lockdown policy be conservative at first unlock as necessary (locking later could break apps) Manage...

Configuration Schema Use the schema file to see all config settings: %windir%\system32\inetsrv\config\schema\IIS_schema.xml Schema describes: property types default values validation encrypted by default? note: config is case sensitive Manage...

Appcmd – Viewing Config Schema C:\> appcmd list config /section:? | findstr system.webServer system.webServer/globalModules system.webServer/serverSideInclude system.webServer/httpTracing ... C:\> appcmd list config /section:directoryBrowse <system.webServer> <directoryBrowse enabled="true" /> </system.webServer> C:\> appcmd list config /section:directoryBrowse /config:* <system.webServer> <directoryBrowse enabled="true" showFlags="Extension, Size, Time, Date" /> </system.webServer> C:\> appcmd list config /section:directoryBrowse /text:* CONFIG CONFIG.SECTION: system.webServer/directoryBrowse path: MACHINE/WEBROOT/APPHOST overrideMode: Inherit [system.webServer/directoryBrowse] enabled:"true" showFlags:"Extension, Size, Time, Date" C:\> C:\> IIS sections – also try “system.web” and “system.applicationHost” C:\> C:\> Shows attributes that aren’t set explicitly Manage...

Coding: Microsoft.Web.Administration First managed code API for administering IIS Same objects and functionality as WMI, appcmd What about System.Configuration? System.Configuration: Strongly typed ASP.NET and .NET Framework config Microsoft.Web.Administration: Weakly typed IIS, ASP.NET, and .NET Framework config Strongly typed IIS objects like Sites and Application Pools Manage...

IIS 7: The Administrator’s Guide

More Related Content

What's hot (20)

Viewers also liked (15)

Similar to IIS 7: The Administrator’s Guide (20)

More from Information Technology (20)

Recently uploaded (20)

IIS 7: The Administrator’s Guide

Editor's Notes