Browse by Tags

One of the benefits of working at Avanade is the chance to work on some very large, enterprise scale projects. Last year I worked on a platform refresh project for one of Australia's largest commercial organisations - over 30,000 clients and over Read More...
2 Comments
There are a few good resources out there for troubleshooting crash/hang situations in Windows. Some of the resources I regularly look to include: Tess's Blog Raymond Chen's Blog David Wang's blog Windows Internals (by Mark Russinovich and David Read More...
1 Comments
Microsoft released two IIS-related updates in this month's batch of security patches. The first involves ASP, and the second ASP.NET. Both are listed as Important. What are the actual risks and vulnerability details though? ASP.NET The ASP.NET patch Read More...
1 Comments
Blink, and you would have missed it, but I authored the April IIS Insider column on TechNet. I'm scheduled to do the August column, so if you have any IIS questions you'd like answered, please feel free to contact me with your query. Thanks! Read More...
1 Comments
It's official - I'm starting on my second book. The contract from the publisher was delivered whilst I was away at Tech.Ed and I'll be signing and returning it today. Look for "Professional IIS 7.0" next year coinciding with the Read More...
2 Comments
For the last week, I've been at Tech.Ed 2006 in Boston. Tech.Ed is one of Microsoft's largest technical conferences, and is run in a number of locations around the world. The Boston event had over 11,000 attendees. IIS was strongly represented Read More...
1 Comments
Received from Michael Leworthy at MSFT Congratulations, you have been selected to speak at TechEd 2006 in the Developer or Web Track **Please read email in full** With the sold out success of last year’s event, we expect a total of 13,000 attendees Read More...
1 Comments
Seen in the IIS Security newsgroup no less: Configuring Internet Explorer to use proxy server has never been easier: If you want to configure it from command line, look at: If you take a look at the webpage, you are offered the download of an .exe (without Read More...
4 Comments

Recently seen in the IIS newsgroup was the following problem:

We have a Dell Powervault 745N running Windows 2003 standard, SP1. We have generated and installed an SSL certificate from rapidssl (geotrust) in IIS and it works ok.

However, upon reboot, when we check the IIS certificate settings in the virtual directory, we can see that IIS is once again using the old, machine certificate. ... No error messages in the event log. ... The IIS metabase is working ok otherwise - does not appear to be corrupt as other settings I change seem to stay as part of the config.

The first step is to verify that the correct SSL certificate information is actually being persisted into the IIS metabase. To do that, we look at the website's properties in the metabase, particularly the SSLHash property, as shown below.

[Image: SSLHash Property]

We then verify that this is the correct certificate that should be used. To do that we use the Certificates MMC snap-in to examine the computer's certificate store. Click Start - Run - MMC.exe.

Inside MMC.exe click File - Add/Remove Snap-in. Add the Certificates snap-in and point it to the Computer account when prompted.

Expand the Personal - Certificates nodes and locate the certificate that you want IIS to use (the certificates should be listed by their common name so you should be able to locate the one you want easily). Double-click the certificate to bring up its properties, and on the details tab scroll down to the thumbprint property. Verify that the value for the thumbprint is the same as the SSLHash stored in the metabase. If it is, then you know that IIS is currently configured (both in-memory, and in the metabase) to use the correct certificate.

[Image: Certificate Properties]

Since the correct certificate has been persisted to the metabase, the change in certificate must be caused by some external agent. The next step is to enable Metabase Auditing. This enables us to see what process or user account is making changes to the metabase, what they are changing, and the old and new values. Detailed steps on enabling metabase auditing are available here.

In the current situation the following event was logged, indicating that a program called taskcord.exe was changing the SSLHash value in the metabase:

Primary User Name: SYSTEM
Primary User Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Path: /LM/W3SVC/6633
Property ID: 5506
Property Name: SSLCertHash
Old Value: 84 37 c2 d0 61 --snipped --
New Value: d7 48 f1 ba 6b --snipped --
Caller PID: 2776
Caller Image Path \WINDOWS\system32\ServerAppliance\taskcord.exe
Result: 0x0

A quick search turns up the following MSDN documentation on TaskCord. The Task Coordinator stores its jobs in the registry at HKLM\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task. Under the ApplianceInitializationTask key there was a task called SelfSignCert.SelfSignCert.1, which was run each time the box was booted. That task was causing a self-signed certificate to be generated and applied to the default website each time the box was booted. Removing that entry stopped the SSL certificate from being changed. Case closed!
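The audit step above, as an added example (not code from the original post): a Python script that parses audit records in the layout quoted above and reports SSLCertHash writes made by a process outside an allow-list. The records are abridged, the second record is constructed, and the TRUSTED_CALLERS allow-list is an assumption to be replaced with what you expect on your own servers.

```python
import ntpath
import re

# Abridged audit records in the post's layout. Record 1 reuses the post's
# values; record 2 (user name, mmc.exe caller) is constructed for the example.
SAMPLE_EVENTS = r"""
Primary User Name: SYSTEM
Path: /LM/W3SVC/6633
Property ID: 5506
Property Name: SSLCertHash
Old Value: 84 37 c2 d0 61 --snipped --
New Value: d7 48 f1 ba 6b --snipped --
Caller Image Path \WINDOWS\system32\ServerAppliance\taskcord.exe

Primary User Name: Administrator
Path: /LM/W3SVC/6633
Property ID: 5506
Property Name: SSLCertHash
Old Value: d7 48 f1 ba 6b --snipped --
New Value: 84 37 c2 d0 61 --snipped --
Caller Image Path \WINDOWS\system32\mmc.exe
"""

FIELDS = ("Primary User Name", "Path", "Property ID", "Property Name",
          "Old Value", "New Value", "Caller Image Path")

# Assumption for this example: the only process expected to set certificates.
TRUSTED_CALLERS = {"mmc.exe"}


def parse_events(text):
    """Split on blank lines and turn each record into a field -> value dict.
    "Caller Image Path" is logged without a colon, so the colon is optional."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            for field in FIELDS:
                if line.startswith(field):
                    event[field] = line[len(field):].lstrip(": ").strip()
                    break
        events.append(event)
    return events


def untrusted_cert_changes(events, trusted=TRUSTED_CALLERS):
    """Return SSLCertHash writes made by a process outside the allow-list."""
    return [e for e in events
            if e.get("Property Name") == "SSLCertHash"
            and ntpath.basename(e.get("Caller Image Path", "")).lower() not in trusted]
```
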

On a completely unrelated note, I graduated with a Masters of Business and Technology (MBT) from the University of New South Wales last Friday (24th).

1 Comments

Bruce mentioned that IIS didn't appear to support the use of commas in filenames when configuring redirects in IIS.

This is true. When you configure a redirect in IIS, the data is stored in a field of type string. However, IIS actually stores several pieces of data in this one field, and separates those pieces using commas. They include the URL the user should be redirected to, and whether this is a permanent redirect or not.

A sample node from the IIS metabase looks like this:

/test/redirect2.htm, EXACT_DESTINATION, PERMANENT

If the URL you are redirecting to contains commas, then any part of the URL following the comma is ignored.

So how can we get around this? We can encode the comma. The HTTP encoded value for a comma is %2C. Instead of entering your target URL with commas, use %2C instead. How do we know to use %2C? Well, the ASCII value for a comma is 44, and the hex value for 44 is 2C. How do we know what the ASCII value for a comma is? The following VBScript snippet will tell you:

WScript.Echo Asc(",")

To generate a table of all ASCII and corresponding hex values for common characters, you can use the following script (it's best to run it at a command line using cscript.exe scriptname.vbs):

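' Start at 32 (hex 20), the first printable ASCII character
For i = 32 To 255
   ' Print the character, its decimal code and its hex code
   WScript.Echo Chr(i) & " = " & i & " = " & Hex(i)
Next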
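
The truncation and the %2C workaround described above, as an added example (not code from the original post): a simplified Python model of the comma-separated redirect field. The parsing rule is modelled only on the behaviour the post describes, and the target URL is constructed.

```python
# Flags taken from the post's sample node; the real property accepts others.
KNOWN_FLAGS = {"EXACT_DESTINATION", "PERMANENT"}


def parse_redirect(value):
    """Simplified model of the behaviour the post describes: the field is
    split on commas, the first piece is the destination, and later pieces
    that are not flags are dropped."""
    pieces = [p.strip() for p in value.split(",")]
    return pieces[0], [p for p in pieces[1:] if p in KNOWN_FLAGS]


def build_redirect(url, flags=()):
    """Compose the field value, encoding literal commas in the URL as %2C."""
    unknown = set(flags) - KNOWN_FLAGS
    if unknown:
        raise ValueError(f"unknown redirect flags: {sorted(unknown)}")
    return ", ".join([url.replace(",", "%2C"), *flags])


def stored_destination(url, flags, encode):
    """Return the destination the model reads back for a given target URL,
    with or without the %2C encoding applied first."""
    value = build_redirect(url, flags) if encode else ", ".join([url, *flags])
    return parse_redirect(value)[0]


# Constructed target URL containing a comma.
TARGET = "/reports/sales,2006.htm"
FLAGS = ["EXACT_DESTINATION", "PERMANENT"]

if __name__ == "__main__":
    print(stored_destination(TARGET, FLAGS, encode=False))  # cut at the comma
    print(stored_destination(TARGET, FLAGS, encode=True))   # kept whole
```
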

Jonno Downes (aka Jamtronix) has performed an experiment designed to work out how IE handles various HTTP status codes, following on from a discussion over at Intertwingly

As Aristotle pointed out in the discussion, it’s quite possible for a server to return a 404 or 500 HTTP status code, and IE (or any other browser) to render any provided HTML. Webservers have been serving custom 404 or 500 error pages for a long time now.

To add to Jonno’s experiment, I would like to tender Microsoft KB article 218155. This details the behavior of IE when it sees certain HTTP status codes and friendly HTTP errors are turned on. If the HTTP body is less than a certain amount, then IE will substitute a "friendly" error page for certain codes. If the HTTP body is more than a certain amount, then IE will render the HTML sent by the server. Presumably this helps novice users who might otherwise be intimidated by a server that sets an HTTP status (e.g. 404), but provides nothing else.

The default threshold values are stored in: HKLM\Software\Microsoft\Internet Explorer\Main\ErrorThresholds and user specific overrides can be stored in a corresponding key under the HKCU hive.


A few friends and I have been in discussions with a publisher about a book on IIS 7.0. On the weekend, we handed over the latest draft proposal. We already think we have a number of things that will make this book the book to have on IIS 7.0 - it'll cover everything that most other books do and then some, and it'll be written by people who have real-world experience running large scale IIS facilities. But we really want to ensure that this is the best book on IIS 7.0 out there, so we'd like to hear from you about what you'd like to see in a book on IIS 7.0 - what types of things would make you get hold of such a book?

5 Comments

Based on various questions received on using IIS7, here are some tips.

Installation/Uninstallation
To install IIS you can use the Package Manager. Run the following at a command prompt:

pkgmgr.exe /iu:IIS-WebServerRole;IIS-WebServerFeature;IIS-FTPServerFeature

If you are using Longhorn Server, you can also use the Server Manager tool.

To uninstall IIS 7.0 use the /up switch instead of /ip (up = uninstall package)

Management
To administer IIS, use the webmgr.exe tool, not inetmgr. Using InetMgr results in lots of errors when trying to do anything useful (like starting the default website). Run the webmgr.exe tool using the /nommc switch for best results.

Installing PHP
To install PHP, perform the following steps:

  • Download and extract the PHP ZIP from www.php.net to c:\php
  • Add c:\php to the Windows Path environment variable (at a command prompt type: Path=%Path%;c:\php)
  • Rename c:\php.ini-recommended to c:\php.ini (and adjust any settings contained within that .ini file if required)
  • Open WebMgr.exe and select the local webserver.
  • Double-click "Handlers" under the "Server Components" heading
  • Click New Server Module Handler
  • Enter the following properties:
     Name: PHP
     Path: *.php
     Path Type: File
     Path Access: Script
     Request Type: enter the HTTP verbs you want to allow (GET, POST, HEAD etc)
    and then click Next
  • On the next screen choose:
     Module: ISAPIModule
     Script Processor: c:\php\php5isapi.dll
    and then click Next, and then Finish
  • Click the Home button to return to the Web Server's properties home page
  • Double-click ISAPI and CGI Restrictions under "Security"
  • Click "New Restriction"
  • Enter the following properties:
     ISAPI Dynamic Link Library (.dll): c:\php\php5isapi.dll
     Group ID: PHP
     Description: PHP
     Select (check) the "Allow extension to execute" checkbox
    and click OK
  • Now create a sample PHP page (e.g. one containing <?php phpinfo(); ?>) and save it in c:\inetpub\wwwroot\test.php
  • Access your new page at http://localhost/test.php

Hope that helps you all. If there are additional questions, please feel free to contact me

1 Comments

If you've ever been interested in knowing how large scale IIS implementations are managed, you don't want to miss webcasts coming up next week involving members of the team that manage Microsoft.com.

Topics include microsoft.com's architecture (Mon 7th), configuration management strategies (Tue 8th), change management (Wed 9th), monitoring and operations management (Thu 10th) and identifying and debugging issues (Fri 11th).

If you want an idea of the scale of MS.com's operations, the main microsoft.com website has around 300,000 concurrent connections at any one time, with 70 million page views and 13 million unique visitors a day. The WindowsUpdate site gets around 150 million unique scan requests a day, and supports 12,000 page requests/sec. All this runs on an infrastructure of around 1600 (mostly quad-proc) servers. Pretty impressive!

You can get details of all these webcasts, and signup, at the main IIS Webcast Page.

1 Comments

Each month Microsoft TechNet publishes an IIS Insider column answering questions from readers. This month I was privileged to be able to write the column, and it's now up on the Microsoft Technet website.

This month we cover using ASP.NET's forms authentication to protect non-ASP.NET resources, creating a trusted connection between IIS and SQL Server in a workgroup environment, and populating ASP's Logon_User Server Variable.

An archive of previous Q&A is also available.

1 Comments