IIS 7: The Administrators Guide

Alexis Eller Program Manager Microsoft Corporation

IIS6 Request Processing

Authentication
NTLM Basic
Anon

CGI

Monolithic implementation Install all or nothing

Determine Handler

Static File ISAPI

ASP.NET PHP

Send Response
Log Compress

Extend server functionality only through ISAPI

IIS7 Request Processing

Authentication Authorization ResolveCache CGI Determine Static File Handler ExecuteHandler
NTLM Basic
Anon

Server functionality is split into ~ 40 modules... Modules plug into a generic request pipeline

UpdateCache Send Response SendResponse Log Compress

ISAPI

Modules extend server functionality through a public module API.

Many, Many Modules

Install, manage, and patch only the modules you use Reduces attack surface Reduces in-memory footprint Provides fine grained control replace core server components with custom components

Installing IIS7

Consistently install the same set of modules Avoid:

503 Service Unavailable [module is enabled but not installed] Application doesnt work as expected [web.config references a module that isnt installed] [unexpected module conflicts with custom module]

IIS6 ASP.NET Integration

Authentication
NTLM Basic
Anon

CGI

Runtime limitations Only sees ASP.NET requests Feature duplication

aspnet_isapi.dll Authentication
Forms Windows

Determine Handler

Static File ISAPI

ASPX

Send Response
Log Compress

Map Handler

Trace

IIS7 ASP.NET Integration

Basic Anon

Two Modes
Classic (runs as ISAPI) Integrated

Authentication Authorization ResolveCache ExecuteHandler

Integrated aspnet_isapi.dll Mode

Static File ISAPI

UpdateCache SendResponse

/ handlers Forms Windows plug directly into pipeline Process all requests ASPX Full runtime fidelity Map
Handler
Trace

Authentication .NET modules

Compress
Log

Migrating to Integrated ASP.NET

Replicate Content and Config

Main IIS configuration file (applicationHost.config)
Built-in IUSR account, no more machine specific SIDs Simple file copy, no command line tools required watch for machine specific data like IPs and drive letters

IIS config web.config, XCOPY with application

Centralize Content and Config

IIS config web.config, centralize on file server

File System:
Client Side Caching (CSC)
provides a local disk cache

Distributed File System Replication (DFSR)

abstracts multiple file servers to one share name provides content replication

Configuration moves to .config files

Configure IIS and ASP.NET properties in the same file Use locking to provide delegation Built for simple, schema-based extensibility welcome to a world of xcopy deployment

Configuration Layout
Inheritance
IIS IIS + ASP.NET + .NET Framework

ASP.NET .NET Framework applicationHost.config web.config

root web.config

machine.config root configuration files web.config files

Configuration Delegation
Delegation is:
Configuration locking, overrideMode ACLs on configuration files

By default
All IIS sections locked except:
Default Document Directory Browsing HTTP Header HTTP Redirects

All .NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy

Be conservative at first Unlock as necessary (locking later could break apps)

Compatibility: ABO Mapper

Provides compatibility for:
scripts command line tools native calls into ABO IIS6 ADSI Script

Not installed by default Can only do what IIS6 could do

Cant read/write new IIS properties Application Pools: managedPipelineMode, managedRuntimeVersion Request Filtering Failed Request Tracing

IISADMIN

ABOMapper

Cant read/write ASP.NET properties Cant read/write web.config files Cant access new runtime data, e.g. worker processes, executing requests

applicationHost.config

Management Tools
GUI Command Line Script Managed Code IIS Manager appcmd WMI (root\WebAdministration) Microsoft.Web.Administration

Manage IIS and ASP.NET View enhanced runtime data

worker processes, appdomains, executing requests

Manage delegation Use whichever management tool suits your needs

IIS Manager

Remotes over HTTP, making it firewall friendly

(remoting is not installed by default)

Provides managed extensibility Supports non-admin management of sites and applications

Educate end users who publish their application and use IIS Manager configure it Scenario:
User publishes application User changes apps web.config using IIS Manager User copies updated web.config to his local version of the application Several days later, user re-publishes application ** modifications make to the apps web.config using IIS Manager have just been blown away**

Appcmd Listing and Filtering

C:\> SITE SITE SITE appcmd list sites "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started) "Site1" (id:2,bindings:http/*:81:,state:Started) "Site2" (id:3,bindings:http/*:82:,state:Stopped)

C:\> appcmd list requests REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost) C:\> appcmd list requests /apppool.name:DefaultAppPool C:\> appcmd list requests /wp.name:3567 C:\> appcmd list requests /site.id:1

Filter results by application pool, worker process, or site

appcmd

Scripting: IIS6 WMI Provider

Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

NOT CONSISTENT Create Site

' Create binding for new site Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_ oBinding.IP = "" oBinding.Port = "80" oBinding.Hostname = "www.site.com"
' Create site and extract site name from return value Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")

strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot") Set objPath = CreateObject("WbemScripting.SWbemObjectPath") objPath.Path = strSiteName strSitePath = objPath.Keys.Item("") Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'") oSite.Start ' Create the vdir for our application Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_ oVDirSetting.Name = strSitePath & "/ROOT/bar" oVDirSetting.Path = "C:\inetpub\bar" oVDirSetting.Put_ ' Make the VDir an application Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'") oVDir.AppCreate2 1

Create Virtual Directory

Create Application

Scripting: new WMI Provider

CONSISTENT
Set oService = GetObject("winmgmts:root\WebAdministration")
' Create binding for site Set oBinding = oService.Get("BindingElement").SpawnInstance_ oBinding.BindingInformation = "*:80:www.site.com" oBinding.Protocol = "http" ' Create site oService.Get("Site").Create _ "NewSite", array(oBinding), "C:\inetpub\wwwroot" ' Create application oService.Get("Application").Create _ "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

Static Create methods

WMI Unloading AppDomains

through script through PowerShell

Coding: Microsoft.Web.Administration
ServerManager iisManager = new ServerManager();
foreach(WorkerProcess w3wp in iisManager.WorkerProcesses) { Console.WriteLine("W3WP ({0})", w3wp.ProcessId); foreach(Request request in w3wp.GetRequests(0)) { Console.WriteLine("{0} - {1},{2},{3}", request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState); } }

New Troubleshooting Features

Detailed custom errors, just like ASP.NET Failed Request Tracing
No more ETW tracing and waiting for a repro

New runtime data:

worker processes appdomains currently executing requests

Failed Request Tracing

No-repro tracing for failed requests Configure custom failure definitions per URL
Time taken Status/substatus codes Error level

Persist failure log files Will it tell me whats wrong?

Sometimes for example, ACL issues Look for clues

Can use for all requests to see whats going on

Failed Request Tracing

Summary
Deploy
~ 40 modules, install only what you need Migrate to ASP.NET Integrated Mode Easier centralization/replication

Manage
Manage IIS and ASP.NET through the same tools Use ABO Mapper compatibility (not installed by default) Determine configuration lockdown policy

Troubleshoot
Use: Detailed Errors, Failed Request Tracing, Currently Executing requests

[email protected]

New home for IIS Community!

TechCenter to easily find the info you need Advice and assistance in Forums Insider info on new technology (IIS7!)
Online labs, play with IIS7 in your browser

Some upcoming IIS sessions

Today
3:15 4:30 Chalktalk: Configuration Management of Web Platform

Tomorrow
8:30 9:45 IIS 7: Under the Hood for Web Request Tracing

10:15 11:30 Chalktalk: Using Managed Code to Administer IIS 7

1:00 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7 2:45 4:00 IIS 6: Effective Management of Web Farms 4:30 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM

Wednesday
8:30 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7 2:00 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight 4:45 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit 5:30 6:45 Chalktalk: IIS 7 Q&A

Fill out a session evaluation on CommNet and

Win an XBOX 360!

 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Additional Information

Installation Options
Lots of components Static server by default [client] Use Windows Features

Replaces sysocmgr

File format is completely different [client] Pick components, cannot set configuration

Install, Migration, Upgrade

Install log: \Windows\IIS7.log Uninstall
Stop services to avoid a reboot Deletes configuration files, backup before uninstall

Migration: none for Vista, LH Server TBD Upgrade

All web and/or FTP components are installed, uninstall unnecessary components afterwards Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail

ASP.NET: Migration
Application Pools
ASP.NET Integrated mode by default Configure to load a specific version of the .NET Framework

Integrated Mode
Different server environment for some pipeline notifications
e.g. request is not authenticated for BeginRequest

Handler and module configuration integrated with IIS

system.webServer/handlers, system.webServer/modules

Validation warns on httpHandlers, httpModules, or identity config Remove managedHandler precondition on an ASP.NET module to have it execute for all content

ISAPI Mode
Cant configure HTTP handlers and modules from the UI

Replicating applicationHost.config
Will cause all application pools to recycle:
changes to default settings for all application pools changes to the <globalModules> list

Will cause one application pool to recycle:

application pool settings

Use only RSA machine-encryption (default), replicate RSA machine key

http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx

Gotcha's:
Machine specific data, like IP addresses or drive letters Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503's)

Configuration Delegation
Two kinds of configuration locking:
overrideMode (similar to "allowOverride") granular locking, e.g. lockItem, lockElements

By default
All IIS sections locked (overrideMode=Deny) except:
Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation

All .NET Framework / ASP.NET sections are unlocked

Determine your configuration lockdown policy

be conservative at first unlock as necessary (locking later could break apps)

Configuration Schema
Use the schema file to see all config settings:
%windir%\system32\inetsrv\config\schema\IIS_schema.xml

Schema describes:
property types default values validation encrypted by default?

note: config is case sensitive

Appcmd Viewing Config Schema

C:\> appcmd list config /section:? | findstr system.webServer system.webServer/globalModules IIS sections also try system.webServer/serverSideInclude system.web and system.webServer/httpTracing ... system.applicationHost C:\> appcmd list config /section:directoryBrowse <system.webServer> <directoryBrowse enabled="true" /> </system.webServer> C:\> appcmd list config /section:directoryBrowse /config:* <system.webServer> <directoryBrowse enabled="true" showFlags="Extension, Size, Time, Date" /> </system.webServer>

C:\> appcmd list config /section:directoryBrowse /text:* CONFIG CONFIG.SECTION: system.webServer/directoryBrowse path: MACHINE/WEBROOT/APPHOST overrideMode: Inherit [system.webServer/directoryBrowse] enabled:"true" showFlags:"Extension, Size, Time, Date"

Shows attributes that arent set explicitly

Coding: Microsoft.Web.Administration
First managed code API for administering IIS
Same objects and functionality as WMI, appcmd

What about System.Configuration?

System.Configuration:
Strongly typed ASP.NET and .NET Framework config

Microsoft.Web.Administration:
Weakly typed IIS, ASP.NET, and .NET Framework config Strongly typed IIS objects like Sites and Application Pools