
IIS – Rejecting a request from a specific client type (browser) | ISAPI Filter Example

Recently I came across a discussion about blocking requests from a particular type of client. For example, you may need to block requests from a client called “TrustMe”, or serve pages only to Internet Explorer 7 clients and not to IE 6.0 clients. This kind of request is not so common, but someone may need it. Hence, this blog post :-)

So, first of all, how can we differentiate between client browsers? How does a server identify which client is browsing the site? It can identify the client through the “User-Agent” request header. An example of a User-Agent sent from my IE6 client is below:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

So, if you can check whether your “TrustMe” client appears in this header, you can reject the request with a 404 or do whatever else you want. You may now be thinking of URLScan’s [DenyHeaders] section; would it help here?

You cannot use that to reject requests with “User-Agent: TrustMe”. AFAIK, that section is used to reject *any* request that carries the named header. That is, you can only match on the header name, not on the value of the header.

Below is an example:

[DenyHeaders]

My-Header:

This will reject *any* request that has a “My-Header:” request header, regardless of its value. So, all of your requests will be rejected if you add “User-Agent:” to [DenyHeaders].

AFAIK, only a custom ISAPI filter can reject a request (with 404 or whatever) that comes from a specific user agent. Below is example code to check this:

#include <afx.h>
#include <afxisapi.h>

DWORD WINAPI __stdcall HttpFilterProc(HTTP_FILTER_CONTEXT *pfc, DWORD NotificationType, VOID *pvData) 
{ 
    char buffer[256];
    DWORD buffSize = sizeof(buffer);
    HTTP_FILTER_PREPROC_HEADERS *p;

    switch (NotificationType)  {

    case SF_NOTIFY_PREPROC_HEADERS :
    {
        p = (HTTP_FILTER_PREPROC_HEADERS *)pvData;
        // GetHeader returns FALSE when it fails (for example when the value does
        // not fit in buffer); buffer is only valid when it returns TRUE
        BOOL bHeader = p->GetHeader(pfc,"User-Agent:",buffer,&buffSize); 
        if (bHeader) {
            CString UserAgent(buffer);
            if (UserAgent.Find("TrustMe") != -1) {
                // Found; so changing the URL to be an unavailable URL, so your request would be 
                // rejected with 404; just as URLSCAN does
                p->SetHeader(pfc, "url", "/Rejected-coz-of-Restricted-UserAgent");
            }
        }
        return SF_STATUS_REQ_HANDLED_NOTIFICATION;
    }
    }
    return SF_STATUS_REQ_NEXT_NOTIFICATION;
}

But this is never a strong control, because the User-Agent header is set by the client and is easily changed. If you want to stop your site being used by some “attacking” user agent, you can try this, but attackers are usually smarter than we give them credit for and can simply change the request header. You can also write your own logic to accept only the clients you want and reject the rest.

So, if you want your ISAPI filter to reject requests from any IE6 client, you just need to check whether the User-Agent header contains the string “MSIE 6.0”. If you want help writing an ISAPI filter, check my earlier blog posts here.
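The matching decision described above, pulled out of the filter into a plain C function so it can be tested away from IIS. This is an added example, not code from the original post; `ua_policy`, `ua_check`, the two policies and every sample User-Agent string are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ua_verdict { UA_ALLOW = 0, UA_REJECT = 1 };

/* Hypothetical policy type for this example (not part of the ISAPI API). */
struct ua_policy {
    const char *const *deny;   /* reject when any of these tokens is present */
    size_t n_deny;
    const char *const *allow;  /* when n_allow > 0, one of these must be present */
    size_t n_allow;
    int reject_missing;        /* verdict when the header lookup failed */
};

/* Case-insensitive substring search over a length-bounded value. */
static int contains_nocase(const char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n)
        return 0;
    for (size_t i = 0; i + n <= hay_len; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == n)
            return 1;
    }
    return 0;
}

/*
 * header_ok mirrors the BOOL returned by GetHeader in the filter. When it is
 * zero the value is never read, so stale or uninitialised buffer contents
 * cannot influence the verdict.
 */
enum ua_verdict ua_check(const struct ua_policy *p, int header_ok,
                         const char *value, size_t len)
{
    if (!header_ok || value == NULL)
        return p->reject_missing ? UA_REJECT : UA_ALLOW;

    for (size_t i = 0; i < p->n_deny; i++)
        if (contains_nocase(value, len, p->deny[i]))
            return UA_REJECT;

    if (p->n_allow == 0)
        return UA_ALLOW;
    for (size_t i = 0; i < p->n_allow; i++)
        if (contains_nocase(value, len, p->allow[i]))
            return UA_ALLOW;
    return UA_REJECT;   /* allow-list mode: anything not listed is rejected */
}

/* Tokens from the post: the "TrustMe" client and IE6's "MSIE 6.0". */
static const char *const DENY[] = { "TrustMe", "MSIE 6.0" };
static const char *const ALLOW_IE7[] = { "MSIE 7.0" };

const struct ua_policy DENY_ONLY = { DENY, 2, NULL, 0, 0 };
const struct ua_policy IE7_ONLY  = { DENY, 2, ALLOW_IE7, 1, 1 };

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *samples[] = {
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1)",
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
        "trustme/1.0",
        "ExampleClient/2.0",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-58s deny-only=%d ie7-only=%d\n", samples[i],
               ua_check(&DENY_ONLY, 1, samples[i], strlen(samples[i])),
               ua_check(&IE7_ONLY, 1, samples[i], strlen(samples[i])));
    return 0;
}
```

The deny-only policy passes any string that simply lacks the listed tokens, which is the limitation the post describes; the allow-list policy is stricter but still trusts what the client says about itself.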

Feel free to use the above code, but use at your own risk.

Posted by rakkim | 0 Comments

Getting “Unable to get the project file from the Web server” while opening a project in Visual Studio

I recently worked with a customer who was getting “Unable to get the project file from the Web server. Unable to open Web project 'project'. The file path 'c:\inetpub\wwwroot\project' does not correspond to the URL 'http://localhost/project'. The two need to map to the same server location” while opening the project from Visual Studio 2003.

While checking, we found that another EXE was listening on port 80 on the server. So our requests from VS to open the website were going to it, hence the error.

Having made sure our website was up, we were now getting "Unable to get the project file from the Web server. Visual Studio .NET has detected that the specified Web server is not running ASP.NET version 1.1. You will be unable to run ASP.NET Web applications or services".

Resolved this one by making sure there is no proxy selected in IE (or if the proxy is there, add the server name to the exceptions list).

Just thought of doing this quick post so that it may help someone who runs into the same problem and is searching for answers on the Internet.

Posted by rakkim | 1 Comments

Hyper-v | Manage from your Vista

There are a number of reasons why I like Vista, and this adds to the list. I run WIN2K3 SP2 and Windows Server 2008 Server Core on my Windows Server 2008 Enterprise server, and they run like a champ.

Below are the download locations for the Hyper-V remote management client to manage your Hyper-V from Vista:

Hyper-V Remote Management from Windows Vista Update (KB952627) x86 version

Hyper-V Remote Management from Windows Vista Update (KB952627) x64 version

This allows me to manage my Hyper-v from my Vista box which is my primary workstation at office.

Hope this helps you too.

Posted by rakkim | 1 Comments

IIS7 – Adding your UI extension to the IIS manager hierarchy

In the last post I was talking about writing a simple UI extension which would appear like below:

image

How about adding this to the IIS manager hierarchy – just below “Application Pools” and “FTP Sites”? Here is what you need to do in addition to the steps you followed in my previous blog on this.

  1. Add a new class to the project and name it as MyHierarchyProvider, and the file as MyHierarchyProvider.cs
  2. MyHierarchyProvider should derive from Microsoft.Web.Management.Client.HierarchyProvider
  3. It should have an internal class deriving from Microsoft.Web.Management.Client.HierarchyInfo, where you can override a few properties to specify the display text and which ModulePage it links to.

Below is sample code which defines a class deriving from HierarchyProvider, with an internal class that has all its properties set.

MyHierarchyProvider.cs
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Web.Management.Client;

namespace MyIIS7UIExtensions
{
    internal class MyHierarchyProvider : HierarchyProvider
    {
        public MyHierarchyProvider(IServiceProvider serviceProvider)
            : base(serviceProvider)
        {
        }
        public override HierarchyInfo[] GetChildren(HierarchyInfo item)
        {
            if (item.NodeType == HierarchyInfo.ServerConnection)
            {
                return new HierarchyInfo[] { new DemoHierarchyInfo(this) };
            }

            return null;
        }
        internal class DemoHierarchyInfo : HierarchyInfo
        {

            public DemoHierarchyInfo(IServiceProvider serviceProvider)
                : base(serviceProvider)
            {
            }

            public override string NodeType
            {
                get
                {
                    return "MyHierarchyProvider";
                }
            }

            public override bool SupportsChildren
            {
                get
                {
                    return false;
                }
            }

            public override string Text
            {
                get
                {
                    return "SimpleIIS7UIModule";
                }
            }

            protected override bool OnSelected()
            {
                return Navigate(typeof(MyPage));
            }
        }
    }
}

After doing the above, you will also want to make a change in your existing Module class so that it knows about the hierarchy. If you have downloaded the sample linked in my earlier post, you should have 2 lines commented out (I forgot to remove them last time.. lol) – uncomment them, and you are good to go. Otherwise, below are the 2 lines which you need to add to link this hierarchy provider with our module.

IExtensibilityManager extensibilityManager = (IExtensibilityManager)GetService(typeof(IExtensibilityManager));
extensibilityManager.RegisterExtension(
typeof(HierarchyProvider), new MyHierarchyProvider(serviceProvider));

This registers the HierarchyProvider class with our module. After building the assembly, placing the DLL in the GAC successfully, and adding all the administrationHost.config settings, you should see the below:

image

And, you can change the Text property of our HierarchyInfo, which is an internal class, to change the display name appearing in the UI. Don’t hesitate to put your questions or anything you want to let me know through comments!

Happy learning.

Posted by rakkim | 1 Comments

IIS7 - Writing your first custom UI module with all winform controls

You should follow this article on IIS.net to create your first “simple” IIS7 UI extension which would just display a message box when loaded.

In this blog, I’m going to explain how you can design a UI module where you can add any UI control that you might add to a WinForm.

Basically, the UI which appears in the middle pane is just an extension of a Windows Form, and you can easily design it using Visual Studio. For example, the below “SSL settings” page has a few checkboxes and radio buttons, and Apply/Cancel on the Actions pane.

image

All your controls should be placed or added into a class within your assembly which should derive from Microsoft.Web.Management.Client.Win32.ModulePage.

Before we start adding a class deriving from ModulePage, please make sure you have completed your Module and ModuleProvider classes by following this article, and also make sure your assembly would be put in GAC. Your project should look like below with DemoKey.snk, and also the proper references to the Microsoft.Web.Management, and Microsoft.Web.Administration:

image

Adding a ModulePage

Add a new class to the existing project, and name it as MyPage.cs. Derive the class from Microsoft.Web.Management.Client.Win32.ModulePage. Now, let’s try to add some code which runs when this ModulePage runs – let’s put a MessageBox on the constructor.

Below is how my code looks now:

 

Code Snippet displaying a simple message box
using System;
using System.Windows.Forms;
using Microsoft.Web.Management.Client.Win32;

namespace MyIIS7UIExtensions
{
    internal class MyPage : ModulePage
    {
        public MyPage()
        {
            MessageBox.Show("Testing this!!!!");
        }
    }
}

You should build the assembly, put the assembly (DLL) in the GAC, and add the below to your administrationHost.config:

<moduleProviders>

       <add name="MyIIS7UIExtensions" type="MyIIS7UIExtensions.MyModuleProvider, MyIIS7UIExtensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=db9daa3d2ea5f6fd" />

........

</moduleProviders>

<modules>

      <add name="MyIIS7UIExtensions" />

.........

</modules>

You should see the below in your IIS manager.

image

If you double click on “MyIIS7UIExtensions”, you should see the below message box, and if you click OK, you will see the whole UI, but no controls. That’s just because you haven’t added them yet :-)

clip_image008

image

If you get to this stage, then you are almost there in making your real IIS7 UI extension. The rest of the steps are really easy if you are a Windows Forms programmer.

Adding Winform controls to our UI Extension

Let’s say you want to have a combo box listing all the application pools that are available. How to design that? First, you have to add the combo box inside your ModulePage.

 

        public MyPage()
        {
            this.Controls.Add(new ComboBox());
        }

The above code will add a new combo box. But, you want to really specify how it should appear, and its co-ordinates, don’t you?

 

Modified constructor to specify the co-ordinates for the combo box
        public MyPage()
        {
            // comboBox1 is a local variable, so it is passed without the "this." qualifier
            ComboBox comboBox1;
            comboBox1 = new System.Windows.Forms.ComboBox();
            comboBox1.Location = new System.Drawing.Point(20, 20);
            comboBox1.Name = "comboBox1";
            comboBox1.Size = new System.Drawing.Size(121, 21);
            comboBox1.TabIndex = 0;
            this.Controls.Add(comboBox1);
        }

Now, imagine if you want to add TextBoxes, Buttons, et al, and define the event handlers such as to handle button click, how much time you would invest in designing this manually? Don’t you love dragging and dropping controls to create your ModulePage as a so-called Windows Form?

Don’t worry! I’ve an easy way to overcome this difficulty. Read this earlier blog of mine where I explain this little VS trick to minimize your development time to design this UI extension. But come back to this blog after visiting that, I’m going to further discuss how to display the available application pools on the combo box, and going to provide a button to say the selected application pool to recycle.

And, my IIS UI extension looks like below now:

image

If you do not see the above after designing the page in Visual Studio using that method, verify that the InitializeComponent() method is called in the constructor – that’s the function where all your stuff gets added to the form (ModulePage).

Now, let’s write a method which fills the combo box with all the application pools that are available by reading the IIS configuration store using Microsoft.Web.Administration. Let’s name our function LoadAppPoolInfo(), and call it from our constructor after calling the InitializeComponent() method.

Your code should look like below:

 

Added a ServerManager, and modified the constructor to call LoadAppPoolInfo() and defined that as well
        Microsoft.Web.Administration.ServerManager manager = new Microsoft.Web.Administration.ServerManager();

        public MyPage()
        {
            InitializeComponent();
            LoadAppPoolInfo();
        }

        private void LoadAppPoolInfo()
        {
            // WorkerProcesses lists the worker processes that are currently running,
            // so only application pools with a live worker process appear here
            foreach (Microsoft.Web.Administration.WorkerProcess a in manager.WorkerProcesses)
                comboBox2.Items.Add(a.AppPoolName);
        }

And, your UI extension should now display the available application pools in the combo box. Go ahead and add a button click event handler for the button which you’ve already put inside our ModulePage like below:

 

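        private void button1_Click(object sender, EventArgs e)
        {
            // Nothing to recycle until a pool has been picked in the combo box
            if (comboBox2.SelectedItem == null)
                return;
            manager.ApplicationPools[comboBox2.SelectedItem.ToString()].Recycle();
        }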

Now, go ahead and play with all the classes in Microsoft.Web.Administration to make your own modules to do a lot more than what’s provided in the default IIS7 manager UI.

You can download my sample project here:

Please do post your questions if you have any.

Posted by rakkim | 0 Comments

IIS7 – Prevent the server sending its private IP address for a request made by HTTP/1.0 clients with no host header

Do you remember the earlier problem of IIS sending the server’s private IP address in its headers when a request was made to a site with no host header? Back then you set the UseHostName or SetHostName property in the metabase to stop the server sending the private IP address. This KB article had the hotfix details, and you need to follow its “More Information” section to stop the server sending the address.

So, what now in IIS7? No metabase, right? There is no equivalent to UseHostName, but system.webServer/serverRuntime/alternateHostName is the equivalent of SetHostName. Below is the appcmd syntax to set this:

appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"YourServerName"  /commit:apphost

I did use the IIS7 Configuration Editor’s “Generate Script” option to generate the above, isn’t that really handy?
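To confirm the setting took effect, capture the response headers the server returns to an HTTP/1.0 request that carries no Host header and check them for private addresses. The following is an added example (not from the original post) that scans a response's header block for RFC 1918 IPv4 literals; the function names and the sample response are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parses a dotted quad at s (at most len bytes); returns bytes consumed or 0. */
static size_t parse_ipv4(const char *s, size_t len, unsigned oct[4])
{
    size_t i = 0;
    for (int k = 0; k < 4; k++) {
        unsigned v = 0;
        size_t digits = 0;
        while (i < len && digits < 3 && isdigit((unsigned char)s[i])) {
            v = v * 10 + (unsigned)(s[i++] - '0');
            digits++;
        }
        if (digits == 0 || v > 255)
            return 0;
        oct[k] = v;
        if (k < 3 && (i >= len || s[i++] != '.'))
            return 0;
    }
    if (i < len && isdigit((unsigned char)s[i]))   /* e.g. 10.0.0.1234 */
        return 0;
    return i;
}

/* RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16. */
static int is_rfc1918(const unsigned o[4])
{
    return o[0] == 10 ||
           (o[0] == 172 && o[1] >= 16 && o[1] <= 31) ||
           (o[0] == 192 && o[1] == 168);
}

static int line_has_private_ip(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned o[4];
        if (!isdigit((unsigned char)line[i]))
            continue;
        /* Start only at the first digit of a number, never inside one. */
        if (i > 0 && (isdigit((unsigned char)line[i - 1]) || line[i - 1] == '.'))
            continue;
        if (parse_ipv4(line + i, len - i, o) && is_rfc1918(o))
            return 1;
    }
    return 0;
}

/*
 * Scans the header lines of a raw HTTP response (status line skipped, body
 * ignored). Returns the number of header lines holding a private IPv4
 * literal and copies the name of the first such header into first_name.
 */
int count_private_ip_headers(const char *resp, char *first_name, size_t cap)
{
    int hits = 0, line_no = 0;

    if (cap > 0)
        first_name[0] = '\0';
    for (const char *p = resp; *p != '\0'; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r')
            len--;
        if (len == 0)
            break;                      /* blank line: end of the headers */
        if (line_no++ > 0 && line_has_private_ip(p, len) &&
            hits++ == 0 && cap > 0) {
            const char *colon = memchr(p, ':', len);
            size_t n = colon ? (size_t)(colon - p) : len;
            if (n >= cap)
                n = cap - 1;
            memcpy(first_name, p, n);
            first_name[n] = '\0';
        }
        if (eol == NULL)
            break;
        p = eol + 1;
    }
    return hits;
}

/* Constructed sample response, not captured traffic. */
static const char SAMPLE_LEAK[] =
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: http://10.1.2.3/project/\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "\r\n";

int main(void)
{
    char name[64];
    int n = count_private_ip_headers(SAMPLE_LEAK, name, sizeof name);
    printf("%d header(s) with a private address, first: %s\n", n, name);
    return 0;
}
```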
Posted by rakkim | 0 Comments

Getting "Unable to step. The operation could not be completed. A retry should be performed" while debugging in Visual Studio

Problem Description

Getting the error messages below while debugging an ASP.NET website in Visual Studio 2005 SP1.

When stepping through, getting

    "Unable to step. The operation could not be completed. A retry should be performed"

After clicking OK on the dialog, getting

    "The debugger cannot continue running the process. The operation could not be completed. A retry should be performed."

Cause

A known issue with the Visual Studio debugger causes this problem. There is a race condition that happens when all of the following are true:

1. Script debugging is enabled in IE
2. User is debugging IE and another process
3. The other process stops (hits breakpoint, step operation completes, stops at an exception, etc) at a moment when IE is not running script code
4. IE starts running script code at roughly the same moment that the user hits F10/F5 in Visual Studio. The most likely reason for this to happen is that the code from 'setTimeout' is run - there could be other reasons as well.

Workaround

1. If you hit this problem, you can try detaching and reattaching the debugger.

-or-
2. This problem happens when debugging ASP.NET and when script debugging is enabled in IE. If you disable script debugging in IE, or toggle it on and off when switching between debugger server-side and client-side problems, you would be able to work around the issue.

-or-
3. If your web application is using setTimeout, you may be able to avoid or at least reduce the problem by doing something to ensure that script runs less often. This could mean increasing the timeout value, or this could mean adding conditions around when setTimeout is used.

Above are the recommendations made by Gregg Miskelly of the Visual Studio debugger development team. I worked on this issue in developer support; it was reported by one of our extremely helpful customers, who gave us a perfect environment to troubleshoot and identify it. For the case I worked on, disabling script debugging in IE did the trick.

Check out http://forums.msdn.microsoft.com/en-US/vsdebug/thread/2320a943-d52d-437a-abec-6f1e9f929b52 for more details.

Posted by rakkim | 0 Comments

IIS7 - Command line tool (managed) to set FTP properties in Active Directory

You would have already seen this UI module of mine to set the FTP properties in Active Directory. With IISFtp.vbs not working on WS2008 or Vista, this would be a very handy tool for using FTP AD user isolation. You can very well set the required properties directly on the Active Directory schema yourself, but here is a command line utility to do this.

If you are an administrator who would rather not use UI stuff, or you don't want to put the IIS manager on the server, this one is for you. I created this for one of my customers, and here it is for all.

Hope this helps!

Posted by rakkim | 0 Comments

We are hiring. Do you want to work for Microsoft India GTSC, Bangalore?

Do you have good knowledge of IIS/ASP.NET, and want to help our customers worldwide (mainly US based) solve their simple, complex, very complex real time problems? You are at the right page - here! Send your resume to me - rakkim *at* microsoft.com with a subject "Resume for GTSC".

This opening is primarily for a developer with good ASP.NET knowledge who is ready to work night shifts (we help US based customers primarily - so we have to work in the US day time). But, let me tell you, working night shifts is fun, and I love the fact that when I step out of the office on a Saturday morning (Indian time), I come back to the office only on Monday evening - so I always get lots of time on my weekends.

But, if you want to know what this role is all about, here is a question for you (assuming you are an ASP.NET developer) - whom will you approach if you are stuck on your project after using almost all your knowledge and time, and are fed up with Internet searches? Your project leader or your technical lead or anyone above you in your organization from a technical standpoint. Correct? What if they also couldn't find answers/solutions to the question/problem? That's where our customers contact us, and that's where you as a SUPPORT ENGINEER would start talking to our customers (yeah, if hired). And, this is a phone based support role.

This position is for IIS/ASP.NET developer support team at Microsoft India GTSC, Bangalore. If you want to check out what GTSC is all about - check this video. Pretty Cool place to enhance your knowledge.

Did I say that we've an awesome XBOX 360 play room?

Posted by rakkim | 1 Comments

IIS - Sample ISAPI Filter doing Redirection to another website

I know I'm in a very old world, writing ISAPI Filters to do the redirection instead of just creating an IHttpModule and plugging it directly into the IIS7 request pipeline. But one of my customers wanted this ISAPI filter, and I made a fairly simple ISAPI Filter to do the redirection.

The sample below doesn't do any checks or maintain any list of mapped URLs; it just redirects all requests to http://www.live.com. Feel free to modify it to suit your needs.

Code Snippet
#include <stdio.h> 
#include <stdlib.h> 
#include <afx.h>
#include <afxisapi.h>

BOOL WINAPI __stdcall GetFilterVersion(HTTP_FILTER_VERSION *pVer) 
{ 
  pVer->dwFlags = (SF_NOTIFY_PREPROC_HEADERS ); 
  CFile myFile("C:\\ISAPILOG\\URLs.html", CFile::modeCreate);
  myFile.Close();
  pVer->dwFilterVersion = HTTP_FILTER_REVISION; 
  strcpy(pVer->lpszFilterDesc, "Sample Redirection ISAPI"); 
  return TRUE; 
} 

DWORD WINAPI __stdcall HttpFilterProc(HTTP_FILTER_CONTEXT *pfc, DWORD NotificationType, VOID *pvData) 
{ 
   char buffer[256];
   DWORD buffSize = sizeof(buffer);
   HTTP_FILTER_PREPROC_HEADERS *p;
   CFile myFile("C:\\ISAPILOG\\URLs.html", CFile::modeWrite);

   switch (NotificationType)  { 

   case SF_NOTIFY_PREPROC_HEADERS :
   {
      p = (HTTP_FILTER_PREPROC_HEADERS *)pvData;

      // Target of the redirection
      char newUrl[50];
      wsprintf(newUrl, "http://www.live.com/");

      char szTemp[50];
      wsprintf(szTemp, "Location: %s\r\n\r\n",newUrl);

      // Send "302 Redirect" with the Location header built above.
      // The header pointer is passed as ULONG_PTR so it is not truncated on 64-bit.
      pfc->ServerSupportFunction (pfc,
                               SF_REQ_SEND_RESPONSE_HEADER,
                               (PVOID) "302 Redirect",
                               (ULONG_PTR) szTemp,0); 

      // Log the original and the new URL. The "url" value comes from the client
      // and is written into the HTML file as-is.
      myFile.SeekToEnd();
      myFile.Write("<BR><B> Original URL : </B>",strlen("<BR><B> Original URL : </B>"));
      // buffer is only valid when GetHeader succeeds (it fails if the URL does not fit)
      BOOL bHeader = p->GetHeader(pfc,"url",buffer,&buffSize); 
      if (bHeader)
         myFile.Write(buffer,strlen(buffer));

      myFile.Write(" <B>New URL : </B> ",strlen(" <B>New URL : </B> "));
      myFile.Write(newUrl,strlen(newUrl));
      myFile.Close();

      return SF_STATUS_REQ_HANDLED_NOTIFICATION; 
   }
   }

  return SF_STATUS_REQ_NEXT_NOTIFICATION; 
 }

Above is my sample. You might want to check my earlier ISAPI blog post to get the .def file and the steps to create the DLL.
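The filter above writes the request URL, which the client controls, straight into an HTML log file. The following is an added example (not from the original post) of escaping that value before it is written; `html_escape_for_log` is a hypothetical helper name and the sample URLs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Escapes in[0..in_len) for inclusion in HTML text and writes the result to
 * out, which is always NUL-terminated. Processing stops at the first NUL in
 * the input, so a length that counts the terminator is safe to pass. Output
 * that does not fit is cut at a whole-entity boundary, never mid-entity.
 * Returns the number of bytes written, not counting the terminator.
 */
size_t html_escape_for_log(const char *in, size_t in_len,
                           char *out, size_t out_cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;

    if (out == NULL || out_cap == 0)
        return 0;

    for (size_t i = 0; i < in_len && in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        char tmp[5];
        const char *rep;
        size_t rep_len;

        switch (c) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:
            if (c < 0x20 || c == 0x7F) {
                /* Control bytes (CR, LF, ...) become visible text such as
                 * \x0D so one request cannot add extra lines to the log. */
                tmp[0] = '\\'; tmp[1] = 'x';
                tmp[2] = hex[c >> 4]; tmp[3] = hex[c & 0x0F];
                tmp[4] = '\0';
            } else {
                tmp[0] = (char)c; tmp[1] = '\0';
            }
            rep = tmp;
            break;
        }

        rep_len = strlen(rep);
        if (o + rep_len >= out_cap)   /* keep one byte for the terminator */
            break;
        memcpy(out + o, rep, rep_len);
        o += rep_len;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample "url" values, not captured traffic. */
    const char *urls[] = {
        "/default.aspx?id=7",
        "/default.aspx?q=<b>\"a\"&'b'</b>",
        "/page\r\nsecond line",
    };
    char line[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        html_escape_for_log(urls[i], strlen(urls[i]) + 1, line, sizeof line);
        printf("%s\n", line);
    }
    return 0;
}
```

In the filter, the escaped buffer would be passed to `myFile.Write` in place of the raw `buffer`.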

Hope this helps!

Posted by rakkim | 2 Comments

How to configure IIS 7.0 for ODBC logging?

If you select Log File format as “Custom” in the IIS manager, it doesn’t give you options to configure ODBC logging in the UI. Instead, it just gives you an alert saying it cannot be configured through IIS manager which you already know.

image

But, in the previous versions of IIS, you would see the below:

clip_image004

So, in this post I will explain how to configure an IIS 7.0 site for ODBC logging. You will still want to check this KB for information on the database and table, which need to be created before this IIS configuration change.

Changing LogFile Format and the customLogPluginClsid

To configure ODBC, you might need to know the log plugin ID for the ODBC logging. In IIS 6.0, it was LogModuleId, and if you do a search for “ODBC logging” in your Metabase.XML file, you might find this property with value “{FF16065B-DE82-11CF-BC0A-00AA006111E0}”. We are going to use the same in IIS 7.0, but in the ApplicationHost.config file as customLogPluginClsid.

You need to find the <logFile> node in ApplicationHost.config, and that should look like below:

<logFile customLogPluginClsid="{FF16065B-DE82-11CF-BC0A-00AA006111E0}" logFormat="Custom" />

Below are the AppCmds to do this:

appcmd set site /site.name:"Default Web Site" /logFile.customLogPluginClsid:"{FF16065B-DE82-11CF-BC0A-00AA006111E0}"
appcmd set site /site.name:"Default Web Site" /logFile.logFormat:"Custom"

Now, we have just configured IIS to use ODBC logging for our default website. We still need to configure the required DSN name, table-name, username and password to do the ODBC logging.

Configuring ODBC logging parameters in ApplicationHost.config

After you’ve followed this KB article to create database, table, and DSN, you need to make sure you configure ApplicationHost.config to contain the information. You need to configure those settings in <odbcLogging> node under <system.webServer>. Below is my sample configuration:

<location path="Default Web Site">
  <system.webServer>
    <odbcLogging dataSource="ODBCLogging" tableName="HTTPLog" userName="Username" password="mypassword" />
  </system.webServer>
</location>

Below are the AppCmds to configure the above attributes for the site:

appcmd set config "Default Web Site" /section:odbcLogging /dataSource:"ODBCLogging" /commit:appHost
appcmd set config "Default Web Site" /section:odbcLogging /tableName:"ODBCLogTable" /commit:appHost
appcmd set config "Default Web Site" /section:odbcLogging /userName:"Username" /commit:appHost
appcmd set config "Default Web Site" /section:odbcLogging /password:"mypassword" /commit:appHost

Also, we do not support configuring ODBC logging feature in IIS using the SQL Native Client ODBC driver. You must use the SQL Server ODBC driver. You might want to take a look at this KB article on this.

Hope this helps! Do post a comment if you have any questions on this.

Posted by rakkim | 1 Comments

ASP.NET - Using the same encryption method used by ActiveDirectoryMembershipProvider to encrypt secret password answer and store it in AD

Okay, this is interesting stuff. MembershipProvider automatically encrypts most of the sensitive information such as password, secret-question-password. What if you want to use the same encryption method yourself to encrypt data?

Before you read on, you need to understand and keep in mind that your <machinekey> section is the one which is used for the encryption / decryption by the MembershipProvider. If you change it after encryption, your decryption may fail. So, please be careful while modifying anything in the <machinekey> section of your web.config.

I've just created a class inheriting from MembershipProvider. I've implemented all of its methods (just a dummy implementation - VS would be more than happy to do that for you - if you find difficulty in this, write to me; I'll help you). I've also created a new method called EncryptMe which takes a string and returns the encrypted string. This method converts the string to Unicode bytes, prepends 16 random bytes generated with RNGCryptoServiceProvider, and calls the EncryptPassword function of the MembershipProvider class to do the encryption. The result is returned Base64-encoded.

In fact, the EncryptPassword method is a protected method of the MembershipProvider class, and by using it, we have just achieved the same encryption which is used by the MembershipProvider class (which our ActiveDirectoryMembershipProvider also uses to encrypt your secret-password-answer). Since it is protected, you can't access it anywhere outside, but inside a derived class.

Source of my EncryptMe Function
    public string EncryptMe(string s)
    {
        byte[] bytes = System.Text.Encoding.Unicode.GetBytes(s);
        byte[] data = new byte[0x10];
        new System.Security.Cryptography.RNGCryptoServiceProvider().GetBytes(data);
        byte[] dst = new byte[data.Length + bytes.Length];
        Buffer.BlockCopy(data, 0, dst, 0, data.Length);
        Buffer.BlockCopy(bytes, 0, dst, data.Length, bytes.Length);
        byte[] b = EncryptPassword(dst);
        return Convert.ToBase64String(b);
    }

Now, you can just store the encrypted string in the Active Directory property which you've mapped to the Secret-question-password. Check this knowledge base article which explains how to modify an attribute of a user in Active Directory. It only talks about the properties needed by FTP user isolation; just modify the code to use your own attribute.

Again, please make sure you do not alter your <machinekey> section which has all the information needed to encrypt and decrypt data.

Hope this helps!

Enabling PasswordReset functionality when using ActiveDirectoryMembershipProvider

If you want to use ActiveDirectoryMembershipProvider on your website to manage users, especially the password reset functionality, you will also need to create a few attributes in the Active Directory schema for the "USER" object. You can check this MSDN article to know more about this, but again, it doesn't explain how to create the needed attributes; it only tells you which attributes are needed if you are considering "Password Reset" functionality.

Firstly, ActiveDirectoryMembershipProvider does not support retrieving the password, but you can reset the password by providing the secret question and secret answer. You may also need to create a few more attributes in the Active Directory schema associated with this. Below are those attributes:

  1. Password Question - Unicode String
  2. Password Answer - Unicode String
  3. Failed Answer count - Integer
  4. Last time at which the user supplied an invalid answer - Large Integer/Interval
  5. Account locked out time - Large Integer/Interval

These are the 5 new attributes which you need to add in the active directory schema for the "USER" object. I will explain how to add new attributes and associate them to an existing object.

  1. You need to first install the schema snap-in by registering schmmgmt.dll (regsvr32 schmmgmt.dll)
  2. Now, open an MMC, and add "Active Directory Schema" snap-in
  3. Expand the Active Directory Schema, and right click on Attribute, and select "Create Attribute"
  4. Enter the common name, LDAP name, other fields for the attribute you are creating. For example, "PasswordQuestion" - this would be having its type as Unicode String. See the above list of attributes and its types appropriately. If Integer, enter minimum/maximum values too.
  5. For the OID, you need to check this MSDN article.

image

Now follow the above steps to create all the 5 attributes which are needed. After creating these attributes, we need to attach them to the "USER" object.

  1. In the same MMC, Expand "CLASSES" and select user object.
  2. Right click on user and select properties
  3. Go to its attributes tab, and click Add
  4. Select the attributes that you've created one by one and click on OK

That's it. Now, your user object has all those attributes, and you can store values using any method you like. If you create a user using the CreateUser wizard control, it populates and stores the values of the secret question and answer automatically. ActiveDirectoryMembershipProvider takes care of storing and retrieving the values of these attributes itself; you do not need to program anything for them.

But, there may be situations where the users have already been created and you need to attach these attributes to them. Follow the above methods to add the attributes to the user object. Then open the particular user's properties in ADSIEDIT.msc, and add values to them.

After following all the above steps, follow the other steps mentioned in this article to configure your web.config sections to map the attributes you've created in AD.

NOTE: Password-answer is the only attribute out of these 5 which is stored in an encrypted format. The <machinekey> section is used for the encryption of this, if you create a user using the CreateUser wizard. But, if you have already created the user in AD, and you just want to store the secret-question and password, you may want to check my next blog where I'll explain how to use the same encryption method used by the MembershipProvider to store the secret-password in Active Directory for the user.

IIS7 - Configure Throttling for your documents (any MIME type) and save Bandwidth costs

Do you have a high-traffic site with a lot of WMV/AVI/FLV/PDF documents (or any other MIME type) that uses up the maximum bandwidth of the site? Have you ever thought about where the majority of the bandwidth goes? Most users do not watch the complete video or listen to the complete audio, and do not read the complete PDF file (or any progressive download document). Assume that they watch just 5 minutes of your 1 hour long Flash Video (.flv). How much of your bandwidth (for download) would be used for this? You should try answering this question yourself.

But you will see a significant reduction in your bandwidth cost if you start using this Bitrate Throttling Module. It can be configured for any video/audio file types, and in fact for any MIME types such as .PDF, .DOC, etc.

I will explain here how to configure a throttle setting specifically for PDF files.

In the IIS Manager, select your web site, and select "Bit Rate Throttling" under Media Services. First of all, make sure that the bandwidth throttling is enabled in the site. 

Now, Right click on the pane and select "Add Throttle Setting..." or select the same from the "Actions Pane". Type "application/pdf" as the MIME type, and enter "Fast Start" and "Throttle rate" values.

You should see bitrate throttling already added for major media file types like .asf, .avi, .flv, .mov, .wmv, etc. I'm sure this feature in IIS7 will help you save bandwidth costs for hosting media files or any large documents.

Here are the download links:

  • http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640 => 32-bit

  • http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641 => 64-bit

  • Here are some learn.iis.net documents on this module:

    Posted by rakkim | 0 Comments

    IIS7 - Administration Pack - technical preview released

    Here are the links to download the new IIS7 admin pack - technical preview version:

  • Administration Pack for IIS 7.0 (x86)
  • Administration Pack for IIS 7.0 (x64)

    This comes with a lot of features which will make life simpler for web administrators. Below are a few of them:

    Configuration Editor

    This gives you a UI for directly editing any of the configuration present in your applicationHost.config file; it is available for administrators only, and you know why!

    IIS Reports

    This was a UI extension released a while ago, and it is now a part of the admin pack. An awesome tool which uses LogParser to create charts, diagrams and reports about various data stored in the log files. You need to have LogParser installed to use this one. You can download LogParser from here.

    Database Manager

    This gives you a UI to manage the existing database connections inside the IIS7 manager itself. You can edit tables, run queries, et al. The database connections are pulled from those added through the "Connection Strings" UI module under ASP.NET in IIS7 manager.

    Request Filtering UI Module

    Here comes my most awaited UI module with this admin pack. In fact I started writing one, but stopped after knowing that this one is coming. Pretty easy way to add Request Filtering rules.

    FastCGI settings UI Module

    Another UI module to change the FastCGI settings.

    .NET Error Pages

    The UI module which can be used to add .NET error pages directly into the configuration file.

    .NET Authorization Rules

    Finally one for the ASP.NET Authorization rules.

    I'm sure these modules will make the life of an administrator much easier, especially the "Request Filtering" one. Without this UI module it would have been difficult to use all the available options of Request Filtering, since you need to know the schema of the <requestFiltering> section to know which configurations are available and what their different attributes are.
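For reference, here is what the <requestFiltering> section looks like when edited by hand. This is an added example, not configuration from the original post; the extensions, segment name and limits are constructed sample values.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- Reject double-escaped URLs; allow non-ASCII characters in URLs -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="true">
        <!-- Deny specific extensions; unlisted ones are still served.
             Do not re-add entries already inherited from applicationHost.config,
             a duplicate collection entry is a configuration error. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>
        <!-- Allow-list of HTTP verbs; everything else is rejected -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- URL segments that are never served (constructed folder name) -->
        <hiddenSegments>
          <add segment="private-data" />
        </hiddenSegments>
        <!-- Character sequences that cause the request to be rejected -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- Size limits in bytes: request body, URL, query string -->
        <requestLimits maxAllowedContentLength="10485760"
                       maxUrl="2048"
                       maxQueryString="1024">
          <headerLimits>
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```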

    Here are some learning documents on this tool.

  • Overview of Functionality
  • IIS Reports Available
  • Using IIS Reports Remotely
  • Install the Administration Pack
  • Basics of Database Manager
  • Using Config Editor: Generate Scripts
  • Editing Collections with Configuration Editor
  • Editing Collections using Configuration Editor: Complex Sections
    Kudos to the development team!

  • Posted by rakkim | 1 Comments