
Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 4

Client Certificate Mapping – Step by Step – Table of Content

In this post, we will install a user certificate, enable Name Mapping for the user account and test FTPS using a client tool.

Install User Certificate:

  1. Open Internet Explorer, and open the website https://server1/certsrv
  2. Click Request a Certificate
  3. Click User Certificate
  4. Click Yes on Web Access Confirmation (if it prompts)
  5. Click Submit
  6. Click Install this certificate
  7. You will get a confirmation that a user Certificate has been installed

Confirm Client Certificate has been installed:

  1. Open Internet Explorer
  2. Click Tools -> Internet Options
  3. Click Content and click Certificates
  4. You will find a certificate with the User Name in the Personal tab
    image024
  5. You can also confirm the same from Certificate MMC
    image025
  6. Export Client Certificate, by clicking on certificate and click Export…
  7. Follow Certificate Export Wizard
  8. Select No, do not export the private key, click Next
  9. Select Base-64 encoded X.509 (.CER)
  10. Browse to location where you want to save the certificate, click Save
  11. Click Next, click Finish

Map user certificate against the user account:

Export user certificate:

  1. Go to the CA Server (in our case it’s the DC)
  2. Open Server Manager -> expand Roles -> expand Active Directory Certificate Services -> expand CA (contoso-Issuing-CA01)
  3. Click on Issued Certificates; in the right-hand pane you will see the client certificate that was issued
    image026
  4. Right click on the certificate -> click Open
  5. Click Details -> click Copy to File…
  6. The Certificate Export Wizard appears, click Next
  7. Select Base-64 encoded X.509 (.CER), click Next
  8. Select the location for the certificate and name it (bmayer.cer in our case).
  9. Click Next -> click Finish to complete the Export Wizard.

Map the certificate:

  1. Go to the DC Server
  2. Open Server Manager -> expand Roles -> expand Active Directory Domain Services -> expand Active Directory Users and Computers -> expand domain (contoso.com)
  3. I have an OU named “People” for the user accounts
  4. To view the Advanced Feature, click View -> Advanced Features
    image027
  5. Right click on user name (in our case Barbara Mayer) and click Name Mappings…
    image028
  6. Security Identity Mapping dialog appears
    image029
  7. Under X.509 Certificates, click Add…
  8. Browse to the location you have saved the user certificate, click Open
  9. Click OK
    image030
  10. Click OK

We now have a client certificate mapped against the user account.

 

Access FTPS site:

We will use the AlexFTPS-1.0.2 (http://ftps.codeplex.com) client to verify our setup. I have it under the C: drive. I have a DNS entry for ftp.contoso.com pointing to the IP of Server2.

The command we will use is:

ftps -h ftp.contoso.com -port 21 -ssl All -sslClientCertPath C:\Users\bmayer\Documents\bmayer.cer -l

Here is the actual connection:


C:\AlexFTPS-1.0.2>ftps -h ftp.contoso.com -port 21 -ssl All -sslClientCertPath C:\Users\bmayer\Documents\bmayer.cer -l
 
Alex FTPS version 1.0.2
Copyright (C) Alessandro Pilotti 2008-2009
 
http://www.codeplex.com/ftps
info@pilotti.it
 
This is free software, you may use it under the terms of
the LGPL license 
 
WARNING: SSL/TLS remote certificate name mismatch
 
SSL/TLS Server certificate details:
 
[Subject]
CN=newftpsite, OU=FTP Unit, O=contoso, L=Bangalore, S=Karnataka, C=IN
 
[Issuer]
CN=contoso-Issuing-CA01, DC=contoso, DC=com
 
[Serial Number]
619877AD000000000015
 
[Not Before]
27-10-2009 08:22:31
 
[Not After]
27-10-2011 08:22:31
 
[Thumbprint]
FE3ABE6A25AB447972B769A0C084B92D8DE098F2
 
Accept invalid server certificate? (Y/N) Y
 
Remote directory: /
 
10-27-09  10:40AM       <dir>          myFolder
10-27-09  10:42AM                 1944 sample.txt
10-27-09  10:42AM                 8748 sample1.txt
10-27-09  10:42AM               518454 snap.bmp

Looking good.
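The session above only proceeded because we answered Y to “Accept invalid server certificate?”; the name-mismatch warning appeared because the server certificate was issued to CN=newftpsite while the client dialled ftp.contoso.com. Before trusting the connection, a defender would compare what the server presented with the certificate actually bound to the site, rather than accept whatever is offered. The Python below is an added example, not part of the original post or of AlexFTPS: it computes the Windows-style SHA-1 thumbprint of a Base-64 encoded .CER file and checks a presented subject and thumbprint against the expected values. The function names, the constructed PEM stand-in and the expected thumbprint are assumptions for illustration; the subject and thumbprint constants are copied from the session above.

```python
import base64
import hashlib
import re
import textwrap


def thumbprint_from_der(der_bytes):
    """Windows shows a certificate's thumbprint as the SHA-1 of its DER bytes, upper-case hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def thumbprint_from_pem(pem_text):
    """Thumbprint of a Base-64 encoded X.509 (.CER) file, as exported in the steps above."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))  # drop line breaks before decoding
    return thumbprint_from_der(der)


def parse_dn(dn):
    """'CN=newftpsite, OU=FTP Unit, O=contoso' -> {'CN': 'newftpsite', 'OU': 'FTP Unit', 'O': 'contoso'}.
    First value wins for repeated attributes; escaped commas are not handled (assumption)."""
    parsed = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        parsed.setdefault(key.strip().upper(), value.strip())
    return parsed


def check_server_cert(subject_dn, presented_thumbprint, expected_thumbprint, host):
    """Reasons to reject the server certificate; an empty list means it checks out.
    The CN is compared with the host name the client connected to, which is what
    AlexFTPS reported as 'remote certificate name mismatch' in the session above."""
    def normalise(thumbprint):
        return thumbprint.replace(" ", "").upper()

    problems = []
    cn = parse_dn(subject_dn).get("CN", "")
    if cn.lower() != host.lower():
        problems.append(f"name mismatch: certificate CN={cn!r}, connected to {host!r}")
    if normalise(presented_thumbprint) != normalise(expected_thumbprint):
        problems.append("thumbprint mismatch: the server is not presenting the expected certificate")
    return problems


# Values copied from the session above.
SESSION_SUBJECT = "CN=newftpsite, OU=FTP Unit, O=contoso, L=Bangalore, S=Karnataka, C=IN"
SESSION_THUMBPRINT = "FE3ABE6A25AB447972B769A0C084B92D8DE098F2"

# Constructed stand-in for an exported .CER file: these are NOT real certificate
# bytes, just arbitrary bytes in PEM armour so the helper can be exercised offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for problem in check_server_cert(SESSION_SUBJECT, SESSION_THUMBPRINT, SESSION_THUMBPRINT, "ftp.contoso.com"):
        print("reject:", problem)
    print("sample thumbprint:", thumbprint_from_pem(SAMPLE_PEM))
```

Pointing expected_thumbprint at the serverCertHash from the site's <ssl> element in applicationHost.config, or at thumbprint_from_pem() of the certificate downloaded from the CA, turns the interactive Y/N prompt into an objective check. A name mismatch is best fixed on the server side by issuing the certificate for the name clients actually use (ftp.contoso.com here) instead of teaching clients to accept it.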

We have successfully configured FTPS in IIS 7 & IIS 7.5 using Active Directory enabled One-to-One Client Certificate mapping.

Hope this helps,
Vivek Kumbhar


Quote of the day:
A censor is a man who knows more than he thinks you ought to. - Granville Hicks

Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 3

Client Certificate Mapping – Step by Step – Table of Content 

In this post, we will create FTP Site on IIS and configure it to use Client Certificate.

Create FTP Site:

  1. Open IIS Manager and right click on Sites Folder
  2. Click Add FTP Site…

    image016

  3. Enter the FTP site name: and select the Physical path for the site, click Next

    image017

  4. Select Binding and SSL settings as shown, I have selected the Server Certificate we requested above “newftpsite” under SSL Certificate. Click Next

    image018

  5. We won’t be selecting any authentication methods here. Under Authentication, select All Users and select the Read and Write permissions. Click Finish.

    image019

 

Create User home directory:

  1. Right click on the FTP Site (newftpsite), click Explore
  2. Create a folder with the domain name (in our case contoso)
  3. Create a folder with the user name (bmayer in our case)
  4. Right click on the folder (bmayer) and click Properties
  5. Click Security, click Advanced
  6. Click Change Permissions…
  7. Uncheck Include inheritable permissions from this object’s parent, click Add
  8. Select Users, CREATOR OWNER and TrustedInstaller and click Remove
  9. Click OK twice
  10. Click Edit…
  11. Click Add… and add user name (bmayer)
  12. Give Modify permission for the account
  13. Click OK twice


Let us now quickly verify FTP Settings:

FTP Authentication

image020

FTP Authorization Rules

image021

FTP SSL Settings

image022

FTP User Isolation

We have selected User name directory (disable global virtual directories)

image023

Let us now examine applicationHost.config and enable Client Certificate authentication for the FTP site. There is no UI for this, so we will need to add the two elements shown below by hand.

<sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
and
<clientCertAuthentication enabled="true" />


            <site name="newftpsite" id="2">
                <application path="/">
                    <virtualDirectory path="/" physicalPath="C:\inetpub\ftproot" />
                </application>
                <bindings>
                    <binding protocol="ftp" bindingInformation="*:21:" />
                </bindings>
                <ftpServer>
                    <security>
                        <ssl serverCertHash="1AB9D34BE5F01B3A213FFEAE1556E180B8BB7BAE" ssl128="true" controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
                        <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
                        <authentication>
                            <anonymousAuthentication enabled="false" />
                            <basicAuthentication enabled="false" />
                            <clientCertAuthentication enabled="true" />
                        </authentication>
                    </security>
                    <userIsolation mode="IsolateAllDirectories">
                        <activeDirectory />
                    </userIsolation>
                </ftpServer>
            </site>
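Because these two elements have no UI, it is easy to leave a site with a weaker policy than intended: for example clientCertificatePolicy="CertAccept" (which accepts a client certificate but does not require one), Active Directory mapping switched off, or basic authentication still enabled next to the certificate mapping. The Python script below is an added example, not code from the post or from IIS; it parses a <site> element in the shape shown above and reports every attribute that differs from the settings used in this series. HARDENED_SITE is the post's fragment reduced to what the checks need, WEAK_SITE is a constructed variant with four settings loosened, and the function names are mine. It treats a missing attribute as a finding, which is deliberately conservative: IIS would fall back to its default for that attribute, and the default is not what this series configures.

```python
import xml.etree.ElementTree as ET

# The post's <site> fragment (bindings, security and isolation only), wrapped in a
# minimal <sites> root so it parses stand-alone. On a real server read
# %windir%\System32\inetsrv\config\applicationHost.config and locate
# system.applicationHost/sites instead.
HARDENED_SITE = """<sites>
  <site name="newftpsite" id="2">
    <bindings><binding protocol="ftp" bindingInformation="*:21:" /></bindings>
    <ftpServer>
      <security>
        <ssl serverCertHash="1AB9D34BE5F01B3A213FFEAE1556E180B8BB7BAE" ssl128="true"
             controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire" />
        <sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="false" />
          <clientCertAuthentication enabled="true" />
        </authentication>
      </security>
      <userIsolation mode="IsolateAllDirectories"><activeDirectory /></userIsolation>
    </ftpServer>
  </site>
</sites>"""

# Constructed weak variant: certificate only accepted, AD mapping off, basic auth
# left on, and SSL merely allowed on the data channel.
WEAK_SITE = (HARDENED_SITE
             .replace('clientCertificatePolicy="CertRequire"', 'clientCertificatePolicy="CertAccept"')
             .replace('useActiveDirectoryMapping="true"', 'useActiveDirectoryMapping="false"')
             .replace('<basicAuthentication enabled="false" />', '<basicAuthentication enabled="true" />')
             .replace('dataChannelPolicy="SslRequire"', 'dataChannelPolicy="SslAllow"'))

# (element path below <site>, attribute, expected value, finding text); expectations
# mirror the configuration used in this series.
CHECKS = [
    ("ftpServer/security/ssl", "controlChannelPolicy", "SslRequire", "control channel does not require SSL"),
    ("ftpServer/security/ssl", "dataChannelPolicy", "SslRequire", "data channel does not require SSL"),
    ("ftpServer/security/ssl", "ssl128", "true", "128-bit SSL not enforced"),
    ("ftpServer/security/sslClientCertificates", "clientCertificatePolicy", "CertRequire", "client certificate not required"),
    ("ftpServer/security/sslClientCertificates", "useActiveDirectoryMapping", "true", "Active Directory mapping not enabled"),
    ("ftpServer/security/authentication/anonymousAuthentication", "enabled", "false", "anonymous authentication enabled"),
    ("ftpServer/security/authentication/basicAuthentication", "enabled", "false", "basic authentication enabled"),
    ("ftpServer/security/authentication/clientCertAuthentication", "enabled", "true", "client certificate authentication disabled"),
]


def audit_ftp_site(xml_text, site_name):
    """Return findings for one FTP site; an empty list means it matches the series' settings."""
    root = ET.fromstring(xml_text)
    site = root.find(f"./site[@name='{site_name}']")
    if site is None:
        return [f"site {site_name!r} not found"]
    findings = []
    for path, attr, expected, message in CHECKS:
        element = site.find(path)
        actual = element.get(attr) if element is not None else None
        if actual is None:
            findings.append(f"{message} (missing {path}@{attr})")
        elif actual.lower() != expected.lower():
            findings.append(f"{message} ({attr}={actual!r})")
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_SITE), ("weak", WEAK_SITE)):
        print(label, audit_ftp_site(text, "newftpsite") or "OK")
```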

OK, so we are good for today. Next, we will Install a User Certificate, map it to an account and then test FTPS using a client. Stay tuned…

Hope that helps,
Vivek Kumbhar


Quote of the day:
It is not worth an intelligent man's time to be in the majority. By definition, there are already enough people to do that. - G. H. Hardy

Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Table of Content

This post links to all Client Certificate Mapping posts in this series.

  1. Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 1
  2. Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 2
  3. Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 3
  4. Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 4

More to come.. so stay tuned…

Hope this helps,
Vivek Kumbhar

PS. If a link doesn’t work, don’t worry.. they may be in “Draft” mode, and not yet published.

Quote of the day:
The significance of man is that he is insignificant and is aware of it. - Carl Becker

Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 2

Client Certificate Mapping – Step by Step – Table of Content 

This is Part 2 of our series on implementing Client Certificate mapping in FTP 7 or FTP 7.5. Today we will Install Server Certificate on IIS.

In Part 1, I gave you a brief background of the environment we will be working on in our scenario.

Issue Server Certificate

  1. Click on the computer name in IIS Manager and double click on Server Certificates

    image007

  2. Click on Create Certificate Request…

    image008

  3. Fill in the textboxes as per your requirement.

    image009

  4. Let the Cryptographic service provider be as default

    image010

  5. Select a location to save the certificate request

    image011

  6. Click Finish
  7. Send this file across to your CA to provide a response; in our case we will generate the response by accessing the local CA website.
  8. Access the CA, by typing https://server1/certsrv in Internet Explorer
  9. Click on Request Certificate
  10. Click on advanced certificate request
  11. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  12. Open the certreq.txt we generated in Step 5, select the text from the line below -----BEGIN NEW CERTIFICATE REQUEST----- up to -----END NEW CERTIFICATE REQUEST----- and copy it.

    image012

  13. Paste the text in Saved Request
  14. Under Certificate Template: select Web Server and click Submit
  15. Click Yes in the Web Access Confirmation prompt (if it appears)
  16. Select Base 64 encoded and click on Download certificate and Download certificate chain and save them.
  17. You should now have two files, certnew.cer and certnew.p7b
  18. Open IIS Manager, click on the computer name and double click Server Certificates
  19. Click Complete Certificate Request…

    image013

  20. Select certnew.cer we saved earlier, click OK

    image014

  21. We now have Server Certificate installed on IIS

    image015

  22. You should also install the Certificate Chain, as your CA will not be in the Trusted Root CA list.

Next, we will create FTP site and enable Client Certificate on FTP. Stay tuned…

Hope that helps,
Vivek Kumbhar

Quote of the day:
It is impossible to defeat an ignorant man in argument. - William G. McAdoo

Client Certificate Mapping in FTP 7 & FTP 7.5 - Step by Step - Part 1

Client Certificate Mapping – Step by Step – Table of Content 

The Client Certificate Mapping Authentication role service in IIS 7 and IIS 7.5 authenticates a client to the web server by having the client present a certificate over a secure channel. In IIS 7 and IIS 7.5, Client Certificate Mapping Authentication uses Active Directory to map client certificates to user accounts in the domain.

NOTE: Client Certificate Mapping in FTP 7 / 7.5 is Active Directory One-to-One Mappings only.

Here is Part 1 of a 4 Part series on implementing Client Certificate mapping in FTP 7 or FTP 7.5.

Here is some background of the environment I will be using to configure the scenario:

Domain Controller

Name: Server1
OS: Windows Server 2008 R2
DC: contoso.com
CA: contoso-Issuing-CA01
Roles enabled:

image001

Active Directory Certificate Services has following Role Services installed:

image002

Active Directory Domain Services has following Role Services installed:

image003

IIS Role Services installed on DC:

image004

IIS Server

Name: Server2
OS: Windows Server 2008 R2
Roles enabled:

image005

Following IIS Role Services installed:

image006

Client

Name: 620-WIN7
OS: Windows 7 Enterprise Edition
AlexFTPS-1.0.2 from http://ftps.codeplex.com/

Next, we will Request and Install Server Certificate on IIS. Stay tuned…

Hope that helps,
Vivek Kumbhar.

Quote of the day:
The significance of man is that he is insignificant and is aware of it. - Carl Becker

Blind drop FTP in IIS 7/7.5

I saw this topic floating around for a few days and, since it’s very interesting, I thought of blogging it for everybody’s benefit.

If you haven’t heard about Blind Drop FTP have a look at this blog Creating a Blind Drop FTP Server.

I thought of testing the same on IIS 7 and IIS 7.5. Here is a step-by-step walkthrough.

For IIS 7, you will have to install OOB (Out of Band) Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x64) or Microsoft FTP Publishing Service 7.5 for IIS 7.0 (x86) depending on your platform.

I am using Windows Server 2008 R2 RC1 for this scenario.

Creating directory structure:

I have created FTPRoot on my D drive and it has an Incoming directory

image1

Setting NTFS Permission on the directory

Right click on FTPRoot folder -> Properties -> Security

image5

Click on Advanced button -> Change Permissions...

image6

Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add

image7

Select SYSTEM, Authenticated Users and Users and click Remove

image8

Click OK and click OK again

image9

Click Add... and select IUSR of the local machine

image10

Click OK

Remove the Read & execute and Read permissions for IUSR as shown below, so that IUSR has only the List folder contents permission on the FTPRoot folder

image11

Click OK and click OK again

Go to the Incoming folder, right click on it and click Properties.

Click Advanced -> Change Permissions

Uncheck the check box “Include inheritable permissions from this object’s parent” -> click Add

Select IUSR and click Edit...

image12

Click on Apply to: and select “This folder only” -> click Clear All

Select Create files / write data, Create folders / append data, Write attributes, Write extended attributes and Read permissions as shown below

image13

Click OK and click Apply

Click Add... and select IUSR of the local machine, click OK

Select List folder / read data, Read attributes, Read extended attributes and Read permissions as shown below

image14

Click OK

Select the check box “Replace all child object permissions with inheritable permissions from this object” -> Click OK

Permissions on Incoming folder are as follows:

image15

Click OK and click OK again

Configuring FTP in IIS:

Creating the FTP Site Basic Settings

image2

Configuring FTP Authentication

image3

Configuring FTP Authorization

image4

Configuring FTP Request Filtering: add Deny Command… entries for LIST and NLST as shown below

image19

Click on Incoming and click FTP Authorization Rules and verify that you have Anonymous Users with Read, Write permissions.

image18

Now, let’s test the FTP site from a command prompt

image16

Nice.

Check the FTP logfile and we see the following:

image17

Wondering why we added that FTP Request Filtering setting above?

I tried the “ls” command above to see whether the files and folders would be listed. I got a 500 error, i.e. “internal server error”, because the command is not allowed; the FTP log above shows it with substatus 5, i.e. “Access is denied.”

If you don’t add the above request filtering rule, you will be able to see the Incoming folder, but you won’t be able to change into it or add a file or folder in the FTPRoot folder. This looks like a neat workaround for what was the default behavior in the Windows Server 2003 IIS 6 FTP configuration.
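The FTP log is the evidence that the drop really is blind: listing commands should only ever appear as denials, while STOR commands into Incoming succeed and writes into FTPRoot itself fail. The Python script below is an added example, not from the post, and the log lines in it are constructed rather than copied from the screenshot. It reads an IIS-style W3C log using its #Fields header (so the column order of your own log does not matter as long as the named fields exist), tallies LIST/NLST attempts rejected with status 500 and substatus 5 per client address, lists the outcome of every upload, and flags the case that matters most to a defender: a listing that succeeded. The field names follow the W3C conventions IIS uses; the function names are mine.

```python
from collections import Counter

# Constructed sample in the W3C extended format IIS writes; values are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2009-10-27 10:40:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus
2009-10-27 10:40:01 192.168.1.50 - 192.168.1.10 21 USER anonymous 331 0 0
2009-10-27 10:40:02 192.168.1.50 anonymous 192.168.1.10 21 PASS *** 230 0 0
2009-10-27 10:40:05 192.168.1.50 anonymous 192.168.1.10 21 NLST - 500 5 5
2009-10-27 10:40:07 192.168.1.50 anonymous 192.168.1.10 21 CWD Incoming 250 0 0
2009-10-27 10:40:09 192.168.1.50 anonymous 192.168.1.10 21 STOR report.txt 226 0 0
2009-10-27 10:40:11 192.168.1.50 anonymous 192.168.1.10 21 LIST - 500 5 5
2009-10-27 10:41:00 10.0.0.7 anonymous 192.168.1.10 21 LIST - 500 5 5
2009-10-27 10:41:03 10.0.0.7 anonymous 192.168.1.10 21 STOR notes.txt 550 5 0
"""

LISTING_COMMANDS = {"LIST", "NLST"}  # the two commands denied by request filtering above


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def denied_listings(text):
    """Per-client count of LIST/NLST attempts rejected by request filtering (500, substatus 5)."""
    hits = Counter()
    for rec in parse_w3c(text):
        if (rec["cs-method"].upper() in LISTING_COMMANDS
                and rec["sc-status"] == "500" and rec["sc-substatus"] == "5"):
            hits[rec["c-ip"]] += 1
    return hits


def upload_outcomes(text):
    """[(client, file, ok)] for every STOR; ok is True for a 2xx completion reply."""
    return [(rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"].startswith("2"))
            for rec in parse_w3c(text) if rec["cs-method"].upper() == "STOR"]


def listing_leaked(text):
    """True if any LIST/NLST ever completed with a 2xx reply, i.e. the drop is not blind."""
    return any(rec["cs-method"].upper() in LISTING_COMMANDS and rec["sc-status"].startswith("2")
               for rec in parse_w3c(text))


if __name__ == "__main__":
    print("denied listings:", dict(denied_listings(SAMPLE_LOG)))
    print("uploads:", upload_outcomes(SAMPLE_LOG))
    print("listing leaked:", listing_leaked(SAMPLE_LOG))
```

Run it over a real log from the FTP site's logging directory; a non-zero listing_leaked() means the request filtering rule is missing or was removed, and a client that racks up denied listings while uploading nothing is worth a closer look.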

HTH

HTTP Error 404.3 – Not Found, when browsing WCF application after reinstalling IIS

Sometime back my friend had a weird issue on his machine. He was working on his WCF application and, as per his requirement, he ran some command which brought his IIS down.

So, to resolve the issue he reinstalled IIS and now his WCF application won’t work.

Here is the scenario:

I am using Win 7 RC for our test; his was a Windows Vista box. I have IIS installed and Microsoft .NET Framework 3.5.1 enabled; here’s the screenshot

image1

I created a simple WCF page to prove that WCF is working on the machine.

Now, let’s uninstall IIS. Look at the prompt here

image2

The prompt says it will turn off the Windows Communication Foundation HTTP Activation.

On Windows Server 2008, it prompts you with something like this

image8

On Windows Server 2008 R2 RC1, it shows like this

image9

Click Yes

image3

Click OK

IIS is uninstalled.

Check the inetsrv folder and you will find a few files and applicationHost.config remaining

image4

Now, I reinstall IIS, this time without selecting WCF HTTP Activation, because this option is easy to miss.

image013

Start IIS Manager -> Expand Sites and this is what I see

image015

All my other websites are missing their bindings.

image017

This is because the old applicationHost.config held the configuration, and when we uninstalled IIS the skeleton of the websites stayed behind. Hence we can see the websites, but their configuration is missing.

I added the Bindings manually and now the websites are looking good.

Let’s look at the original issue. I browse the WCF application and it fails

image019

I really love IIS 7 for all the good things. The error is self-explanatory and it clearly says the handler or the MIME mapping is missing.

The error code 0x80070032 means “The request is not supported”. IIS does not know what the file Service.svc is.

Open applicationHost.config and search for .svc; it returns nothing.

Open a command prompt and change to C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation

Run the command ServiceModelReg.exe -i

This command acts similarly to aspnet_regiis.exe -i: ServiceModelReg.exe -i installs Windows Communication Foundation and updates the script maps at the metabase root, i.e. in applicationHost.config.

Open applicationHost.config and now look for .svc

You will find the following handler mappings

<add name="svc-Integrated" path="*.svc" verb="*" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="integratedMode" />
<add name="svc-ISAPI-2.0" path="*.svc" verb="*" modules="IsapiModule" scriptProcessor="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
<add name="svc-ISAPI-2.0-64" path="*.svc" verb="*" modules="IsapiModule" scriptProcessor="%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness64" />

Browse the page again and now Service.svc executes fine.
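A quick way to confirm what ServiceModelReg.exe -i put back, or to see up front that a reinstall dropped it, is to read the <handlers> section rather than browsing and waiting for a 404.3. The Python below is an added example, not from the post: HANDLERS_OK is a constructed fragment reproducing the three entries above plus the wildcard static-file handler every IIS install carries, HANDLERS_AFTER_REINSTALL is a constructed fragment with the .svc entries missing, and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the entries quoted above; a real check reads the
# <handlers> section of applicationHost.config (or a site's web.config) instead.
HANDLERS_OK = r"""<handlers>
  <add name="svc-Integrated" path="*.svc" verb="*" type="System.ServiceModel.Activation.HttpHandler, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="integratedMode" />
  <add name="svc-ISAPI-2.0" path="*.svc" verb="*" modules="IsapiModule" scriptProcessor="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
  <add name="svc-ISAPI-2.0-64" path="*.svc" verb="*" modules="IsapiModule" scriptProcessor="%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness64" />
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>"""

# Constructed: what is left after IIS is reinstalled without WCF HTTP Activation.
HANDLERS_AFTER_REINSTALL = r"""<handlers>
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>"""


def handlers_for_extension(xml_text, ext):
    """Map handler name -> preCondition for every <add> whose path is exactly *<ext>."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): add.get("preCondition", "")
            for add in root.findall("add")
            if add.get("path", "").lower() == "*" + ext.lower()}


def svc_mapping_status(xml_text):
    """Whether .svc requests have a handler in the integrated and classic pipelines.
    With neither present only the wildcard StaticFile handler matches Service.svc and,
    as the post shows, the request ends in a 404.3 because no handler or MIME mapping fits."""
    mapped = handlers_for_extension(xml_text, ".svc")
    preconditions = [pc.lower() for pc in mapped.values()]
    return {
        "names": sorted(mapped),
        "integrated": any("integratedmode" in pc for pc in preconditions),
        "classic": any("classicmode" in pc for pc in preconditions),
    }


if __name__ == "__main__":
    print("before:", svc_mapping_status(HANDLERS_AFTER_REINSTALL))
    print("after ServiceModelReg -i:", svc_mapping_status(HANDLERS_OK))
```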

HTH.

IIS 7/7.5 .net configuration settings using appcmd.exe and IIS Manager

Just recently I came across an issue where a customer was using appcmd.exe to change Application Settings and other configuration settings he had created using IIS Manager. I am using Application Settings for this post, but it holds true for all the ASP.NET settings in IIS Manager.

First, create an Application Setting using IIS Manager at the server level; in our example it’s Sample

image1

The setting gets reflected in the web.config file in the C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG folder.

image2

Now, create a new Application Setting on the Default Web Site; in our example it’s Sample2.

image3

An entry is created in the web.config file at the website’s home directory, in our example the C:\inetpub\wwwroot folder.

image4

If you create a new Application Setting at a virtual directory level, a new web.config will be created there with the entry.

Now, the customer was following the article IIS 7.0: Remove an Application Setting, and using appcmd.exe he wanted to remove the first entry, i.e. Sample.

The command he used as per the article was: appcmd.exe set config /commit:MACHINE /section:appSettings /-"[key='Sample',value='1']"

Result:

image5

So, what’s going wrong?

Here the command is looking for the appSettings section and the key in MACHINE, i.e. machine.config, but it cannot find it there, hence the error. We now know the key was created in web.config, so what is the command to make the change in web.config?

The correct command is: appcmd.exe set config /commit:WEBROOT /section:appSettings /-"[key='Sample',value='1']"

image6

Check the IIS Manager and the entry is now removed.

Similarly, to remove the appSettings entry from Default Web Site, the command is: appcmd.exe set config "Default Web Site" /section:appSettings /-"[key='Sample2',value='2']"

image7

And to remove the appSettings entry from NewVirDir, i.e. the virtual directory under Default Web Site, the command is: appcmd.exe set config "Default Web Site/NewVirDir" /section:appSettings /-"[key='Sample3',value='3']"

image8

Now, let’s create appSettings entries using the different appcmd.exe variants and see where they get reflected

image9

Machine.config in C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

image10

Web.config in C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

image11

applicationHost.config in C:\Windows\System32\inetsrv\config, since applicationHost.config is the global configuration file for IIS

image12

applicationHost.config in C:\Windows\System32\inetsrv\config. The above command does not make much sense, as it is not specific to Default Web Site; since it’s reflected in applicationHost.config it will apply to all web sites and virtual directories on the server that inherit the setting.

image13

web.config in C:\inetpub\wwwroot folder
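The root cause above is simply that the appSettings entry lived in a different file from the one /commit:MACHINE targets. The Python below is an added example, not from the post or from appcmd, and shows the check to do first: look for the key in each candidate file and print the appcmd command line scoped to the file that actually holds it. The file contents are constructed stand-ins for the post's scenario; the paths are the post's own locations, the /commit:MACHINE and /commit:WEBROOT targets and the "Default Web Site" scope are the ones the post uses, and /commit:APPHOST for applicationHost.config is my assumption about the remaining target. The function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the four files the post touches; on a real server read
# these paths from disk instead of using the embedded strings.
CONFIG_FILES = {
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config":
        "<configuration><appSettings /></configuration>",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config":
        '<configuration><appSettings><add key="Sample" value="1" /></appSettings></configuration>',
    r"C:\Windows\System32\inetsrv\config\applicationHost.config":
        "<configuration><system.applicationHost /></configuration>",
    r"C:\inetpub\wwwroot\web.config":
        '<configuration><appSettings><add key="Sample2" value="2" /></appSettings></configuration>',
}

# Which appcmd scope edits which file (assumed mapping, see the lead-in).
COMMIT_TARGET = {
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config": "/commit:MACHINE",
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config": "/commit:WEBROOT",
    r"C:\Windows\System32\inetsrv\config\applicationHost.config": "/commit:APPHOST",
    r"C:\inetpub\wwwroot\web.config": '"Default Web Site"',
}


def find_app_setting(files, key):
    """[(path, value)] for every file whose <appSettings> section defines key."""
    hits = []
    for path, xml_text in files.items():
        root = ET.fromstring(xml_text)
        for add in root.findall(".//appSettings/add"):
            if add.get("key") == key:
                hits.append((path, add.get("value")))
    return hits


def removal_commands(files, key):
    """The appcmd command line that removes key from each file that actually holds it."""
    commands = []
    for path, value in find_app_setting(files, key):
        scope = COMMIT_TARGET.get(path)
        if scope is None:
            continue  # a location this table cannot address; report it by hand
        commands.append(f"appcmd.exe set config {scope} /section:appSettings /-\"[key='{key}',value='{value}']\"")
    return commands


if __name__ == "__main__":
    for key in ("Sample", "Sample2", "Sample3"):
        print(key, "->", find_app_setting(CONFIG_FILES, key))
        for command in removal_commands(CONFIG_FILES, key):
            print("   ", command)
```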

HTH.

Manually migrating websites from IIS 5.0 to IIS 6.0 (or even IIS 5.0 to IIS 5.0)

Just recently I came across an issue where a customer wanted to migrate websites from IIS 5 to IIS 6. The best and recommended option is to use the “Internet Information Services 6.0 Migration Tool”, but there are a few limitations in using the Migration Tool; they are listed under “Before You Begin” in IIS6MigrationToolUserGuide.doc.

In our case we did not have network connectivity between the IIS 5 and IIS 6 servers, so we decided to manually migrate the websites from IIS 5 to IIS 6.

Steps we follow:

  1. Take a backup of IIS 5.0 and IIS 6.0 metabase, here is how you do it in IIS 5.0 and IIS 6.0.
  2. Remember, you need to verify that the clients are not accessing the websites.
  3. Copy the website contents
  4. Install Internet Information Services (IIS) 6.0 Resource Kit Tools on IIS 6.0 server.
  5. Copy the Metabase.bin file from IIS 5.0 server and paste it on IIS 6.0 server. You can find the Metabase.bin in C:\WINDOWS\system32\inetsrv folder.
  6. Open Metabase Explorer
  7. Click on Metabase –> Import Key…
  8. Browse to the Metabase.bin and click Open. You will see a prompt as shown below; ignore it and click OK

    image

  9. This is what you will see

    image

  10. Under Archive (Metabase.bin) expand LM –> W3SVC and you will see different nodes. I have 1 to 4 because I have 4 websites.
  11. You can verify which website you want to migrate by clicking on the node and checking the ServerComment. In my case I would like to migrate website 3 which is “Dotnet Web Site”.

    image

  12. I would also like to migrate “Default Web Site” which is website 1.
  13. Just click on 1 under Archive (Metabase.bin) and drag and drop it under (local) –> W3SVC. Remember not to drop it on 1 but on W3SVC.

    image

  14. You will get a prompt. If you don’t see the prompt you are not dropping the website correctly.

    image

  15. Select Replace the key.
  16. Open the IIS MMC (Start –> Run, type inetmgr). You will see the virtual directories, files and folders from the old IIS 5 MMC now displayed in the IIS 6 MMC. See that virtual app PerlEx? That’s the Perl website. I need to make sure that the C:\Perl\eg\PerlEx folder exists to get it working. If it happens to be in a different location, change it in the IIS MMC and that should be good.

    image

  17. You can drag and drop other websites as well using Metabase Explorer and they will get reflected in the IIS 6 MMC.
  18. Now, let’s get Perl and PHP configured in IIS 6, as they won’t be configured by default. If you are using ActivePerl 5.10 as I am, the job is easy: just install ActivePerl 5.10 and it will configure all the mappings. But if not, and you are just copying the Perl folder over from the old server, you will need to create the mappings for the Perl extensions yourself.
  19. This is how you do it.
    1. Right click on Web Site (Default Web Site in our case)
    2. Click Properties
    3. Click Home Directory tab and click the Configuration… button
    4. In Mappings, click Add..
    5. Executable: C:\Perl\bin\PerlEx30.dll
    6. Extensions: .aspl
    7. Verbs, click Limit to: type GET,HEAD,POST
    8. Check “Script engine” and “Verify that file exists”
    9. Click OK
    10. Repeat steps 5 to 9 for the below extensions:
    11. .pl mapped to C:\Perl\bin\perl.exe "%s" %s
    12. .plex mapped to C:\Perl\bin\PerlEx30.dll
    13. .plx mapped to C:\Perl\bin\perlis.dll
  20. This is how it will look like:

    image

  21. Now, when you browse a page with .pl or .plex extension, it gives 404. IIS logfile will show the error code as 404 1260. The error code means “ERROR_ACCESS_DISABLED_BY_POLICY”. This is caused because of the web server extension lockdown policy.
  22. Click Web Service Extensions and let’s create Web service extensions for Perl.
    1. Click Add a new Web service extension
    2. Extension name: type Perl CGI Extension
    3. Click Add…
    4. In Path to file: type C:\Perl\bin\perl.exe "%s" %s
    5. Check the Set extension status to Allowed
    6. Click OK
    7. Now, create another extension with the name: Perl ISAPI Extension
    8. In Path to file: type C:\Perl\bin\perlis.dll
    9. Create another extension with the name: PerlEx ISAPI Extension
    10. In Path to file: type C:\Perl\bin\PerlEx30.dll
  23. We created three web service extensions as each is specific to its functionality: one is for CGI, the other two are for the Perl and PerlEx ISAPIs respectively. So, if you are only interested in serving .plex or .aspl extensions, create and enable only the respective ISAPI mapping and its Web Service extension.

    image

  24. Browse the Perl website and it works fine.
  25. Now, let’s create the PHP mapping and Web Service extension.
    1. For Application Mapping
      1. Right click on Web Site (Php Web Site in our case)
      2. Click Properties
      3. Click Home Directory tab and click Configuration… button
      4. In Mappings, click Add..
      5. Executable: C:\PHP\php5isapi.dll
      6. Extensions: .php
      7. Verbs, click All verbs
      8. Check “Script engine” and “Verify that file exists”
      9. Click OK
    2. For Web Service Extension
      1. Click Add a new Web service extension
      2. Extension name: type PHP
      3. Click Add…
      4. In Path to file: type C:\PHP\php5isapi.dll
      5. Check the Set extension status to Allowed
      6. Click OK
  26. Browse the .php website and that works fine.
  27. Now, for my “Dotnet Web Site”. I was lucky that my Windows 2000 had its %SystemRoot% folder named WINDOWS; sometimes you will see WINNT.
  28. My “Dotnet Web Site” on IIS 5.0 is using .net 2.0 and I don’t have .net 2.0 installed on Windows Server 2003.
  29. Check out the Application Mapping for the website

    image

  30. So, if your application requires .net 2.0 you need to install .net 2.0 on your machine. If the application is not specific to .net 2.0 and if it will work fine on .net 1.1 then just run “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322>aspnet_regiis.exe -r” and it will remap all the ASP.NET scripts with .net 1.1 version.
  31. I had to install .net 2.0 to get my application running.

In case you are planning to restore an old IIS 5.0 metabase on a newly installed Windows Server 2000 IIS 5.0 server, the steps above can help you move the websites from the old metabase to the new IIS 5 server. You can either install the IIS 6 Resource Kit or just copy the Metabase Explorer folder, i.e. C:\Program Files\IIS Resources\Metabase Explorer, to the IIS 5 server.

NOTE: Please play around with this in your test environment before you use it on your production servers. Leverage Microsoft PSS if you have complexities in your existing websites which you need to migrate.

HTH

Binding Issue: WWW Service did not register the URL prefix http://*:80

Sometime back I was working on an incident with a customer who was facing an issue when trying to access his application on Windows Server 2008. I will reproduce the issue using Apache for everyone’s benefit.

If you have a server that has some kind of monitoring tool which is web based or some application which needs port 80 or port 443, then you can face this issue.

Scenario:

I am installing Apache 2.2.11 on my Windows Server 2008 machine, which has IIS 7 installed on it. Wondering why I am installing Apache on Windows Server 2008? Simply because it’s a web server.

Check out the screenshot below. Apache will be installed on port 80 (the default setting). Sometimes an application will silently get installed on your machine on port 80.

image

After sometime, I get the following error:

image

I checked the Event Viewer and see the event shown below. It looks like Apache wanted to bind itself to 0.0.0.0:80 and failed as it did not have access.

image

Opened a command prompt as an Administrator and ran “netstat -ano”

image

I see port 80 is controlled by PID 4, i.e. System.

Now, I stopped the IIS services by firing “iisreset /stop”.

Started the Apache 2.2 service from Services.msc and fired “iisreset” again.

Opened IIS Manager and I see all websites on port 80 stopped.

image

Check the Event Viewer

image

image

OR

image

Run “netstat -ano” and this is what I see:

image

PID 1256, i.e. Apache HTTP Server, has control over port 80, and hence the issue.

image

So what is the issue? Check out the article: You receive a "The process cannot access the file because it is being used by another process" error message when you try to start a Web site in the Internet Information Services MMC snap-in.

<snip>

Typically, this issue occurs when one or more of the following conditions are true:

  • Another process is using port 80 or port 443 on the computer that is running IIS. By default, IIS uses port 80 as the default TCP port and port 443 for Secure Sockets Layer (SSL).
  • The ListenOnlyList registry subkey is not configured correctly on the computer that’s running IIS.

</snip>

Solution:

  1. Run Apache on a different port, i.e. other than port 80
  2. Get a new IP address and configure IIS to run on that particular IP address by configuring ListenOnlyList

On Windows Server 2008, you can use netsh to add the ListenOnlyList.

image

Verifying the same in the registry.

image
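The netstat step above is what tells you who is holding the port; the Python below is an added example (not from the post) that automates that read so it can run as a pre-flight check before starting a second web server or after an unexplained site stop. It parses netstat -ano output, with a constructed excerpt embedded that mirrors the post's situation (PID 1256 for Apache on port 80, PID 4, i.e. System, on 443), and reports the owning PIDs for the web ports. The function names and the sample values are mine.

```python
import re

# Constructed excerpt of "netstat -ano" output; addresses and PIDs are made up.
# In practice paste in the output from an elevated command prompt.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1256
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49157     192.168.1.20:445       ESTABLISHED     4
  TCP    [::]:80                [::]:0                 LISTENING       1256
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(addr):
    """'0.0.0.0:80' -> ('0.0.0.0', 80); '[::]:80' -> ('[::]', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listeners(text):
    """{port: {(local address, pid)}} for every TCP socket in LISTENING state."""
    found = {}
    for line in text.splitlines():
        match = NETSTAT_LINE.match(line)
        if not match or match.group(1) != "TCP" or match.group(4) != "LISTENING":
            continue
        host, port = split_endpoint(match.group(2))
        found.setdefault(port, set()).add((host, int(match.group(5))))
    return found


def web_port_owners(text, ports=(80, 443)):
    """Sorted PIDs listening on each web port. PID 4 is the System process, which is
    how HTTP.SYS listening on behalf of IIS shows up; anything else is a competitor."""
    found = listeners(text)
    return {port: sorted({pid for _, pid in found.get(port, ())}) for port in ports}


def conflicts(text, ports=(80, 443)):
    """Ports where a PID other than System (4) is listening, i.e. IIS would fail to bind."""
    return {port: pids for port, pids in web_port_owners(text, ports).items() if any(pid != 4 for pid in pids)}


if __name__ == "__main__":
    print("owners:", web_port_owners(SAMPLE_NETSTAT))
    print("conflicts:", conflicts(SAMPLE_NETSTAT))
```

If the conflict is deliberate and IIS is to keep its own address (solution 2 above), the netsh form of the ListenOnlyList step is `netsh http add iplisten ipaddress=<IIS address>`, and `netsh http show iplisten` displays the resulting list before you verify it in the registry.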

 

HTH.

401.1 – Unauthorized, using Anonymous access (IUSR account)

Just recently I was working on an issue where the customer was getting 401.1 – Unauthorized: Access is denied due to invalid credentials.

The authentication method used on the website was Anonymous access. I checked the Default Web Site and that is working fine; the authentication methods selected on the Default Web Site are Anonymous access and Integrated Windows Authentication.

image

So with only Anonymous access, the website seems to be failing with 401.1 – Unauthorized.

Let’s see what’s wrong with IUSR account.

Let’s search Metabase.xml for all occurrences of the Anonymous account.

image

command: cscript.exe adsutil.vbs find anonymoususername

This shows we have anonymoususername configured at the global level.

If you had the Anonymous user configured on different websites or at different levels in a website, you would see something like this

image

Let’s see which Anonymous user account we have on W3SVC

image

command: cscript.exe adsutil.vbs get W3SVC/anonymoususername

You can repeat the above command to check the Anonymous account on different websites and levels. For example:

image

Let us now check the occurrences of the Anonymous password. Here you see the Anonymous password configured on different websites and at different levels:

image

command: cscript.exe adsutil.vbs find W3SVC/anonymoususerpass

For me, I am concerned about the IUSR account occurrences in the Metabase, as the others are working fine.

I am going to remove all anonymoususerpass occurrences for IUSR except the one on W3SVC:

image

command: cscript.exe adsutil.vbs delete W3SVC/1/ROOT/anonymoususerpass

Verify that you have IUSR only on W3SVC, and if there are other websites, make sure they have the correct password set.

Now you can synchronize the anonymoususerpass by following "Step 2: Re-synchronize the passwords" from the KB article.
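The same audit as the adsutil.vbs find/get commands above, done in one pass through the IIS ADSI provider; this is an added example and not part of the original post. It assumes it runs as a local administrator on the IIS 6 server itself (IIS://localhost), and it compares passwords but never prints them.

```powershell
# Added example, not from the original post. Walks the IIS 6 metabase via ADSI and
# reports every node whose effective AnonymousUserName or AnonymousUserPass differs
# from the value on W3SVC. Assumes a local administrator on the IIS 6 server.

function Get-AnonymousAccountOverrides {
    param([string]$RootPath = 'IIS://localhost/W3SVC')

    # Only these metabase classes carry the Anonymous* properties.
    $classes = 'IIsWebService', 'IIsWebServer', 'IIsWebVirtualDir', 'IIsWebDirectory', 'IIsWebFile'

    $root = [ADSI]$RootPath
    $rootUser = [string]$root.AnonymousUserName
    $rootPass = [string]$root.AnonymousUserPass

    # Depth-first walk with an explicit stack (no nested-function scoping surprises).
    $stack = New-Object System.Collections.Stack
    $stack.Push($root)
    while ($stack.Count -gt 0) {
        $node = $stack.Pop()
        foreach ($child in $node.psbase.Children) { $stack.Push($child) }

        if ($classes -notcontains $node.psbase.SchemaClassName) { continue }
        if ($node.psbase.Path -eq $root.psbase.Path) { continue }

        # A node shows W3SVC's value unless something overrode it on the way down.
        $user = [string]$node.AnonymousUserName
        $pass = [string]$node.AnonymousUserPass
        $userDiffers = ($user -ne $rootUser)
        $passDiffers = ($pass -ne $rootPass)
        if ($userDiffers -or $passDiffers) {
            New-Object PSObject -Property @{
                Path                 = $node.psbase.Path
                AnonymousUserName    = $user
                PasswordMatchesW3SVC = (-not $passDiffers)
            }
        }
    }
}

# A row with the IUSR account and PasswordMatchesW3SVC = False is the stale override
# the post removes with "adsutil.vbs delete <path>/anonymoususerpass".
Get-AnonymousAccountOverrides | Format-Table Path, AnonymousUserName, PasswordMatchesW3SVC -AutoSize
```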

HTH

Rename files using PowerShell ‘a one liner’

Back to PowerShell today!

I had a few files to rename, about 500 odd of them. Renaming each and every file by hand would be a real pain, so I thought of writing a PowerShell one-liner to get it done, and to my surprise it did the job in a few seconds.

Here is the scenario:

I have files with names like

text1.txt
text2.txt
text3.txt

I don’t like the naming format and wanted them as “Number(dot)(space)(FileName)(Extension)”, i.e.

1. text.txt
2. text.txt and so on….

Here is a simple script to do this dirty job:

Get-ChildItem *.txt | Rename-Item -NewName { $_.name -replace 'text(\d+)', '$1. text'}

HTH

Posted by vivekkum | 0 Comments
Filed under:

*Unknown* status for ISAPI Filter

Hello All,

I have seen this issue on IIS 6 a number of times and thought of sharing it with everyone.

How many times have you seen the screenshot below in the ISAPI Filters tab of the IIS MMC?

image

Well, I reproduced this issue with UrlScan for everybody's benefit, but this can happen to any ISAPI Filter. I know the error went away as soon as I requested the web page, but most of the time the request will fail.

There are a few key elements for every ISAPI Filter, and the two we are concerned with are FilterFlags and FilterState. So if you install an application that registers an ISAPI Filter on IIS, and the filter shows *Unknown* in the IIS MMC, then something went wrong while registering that ISAPI Filter with IIS, and hence the error.

Here is the MSDN article which explains these two parameters FilterFlags and FilterState.

Let us look at Metabase.xml for the above issue:

image

See those parameters; they are not set correctly. In fact, sometimes (as I have seen) the parameters are missing altogether.

So, how do you resolve such an issue?

First, we need to understand what function the ISAPI Filter performs. If you are not sure, contact the vendor.

In our case we know UrlScan runs at high priority and does the following: “NotifyPreProcHeaders | NotifySendResponse | NotifySendRawData | NotifyEndOfRequest | NotifyEndOfNetSession | NotifyOrderHigh”. The flags are explained very well in the FilterFlags document on MSDN.

So what do we do? Just add the above text for FilterFlags and change the FilterState to ”1”.

image

Remember to restart IIS after you make the above changes.

Here is what it looks like in Metabase Explorer:

image

Check the Data value “542144”: that is nothing but the sum of the bitmask values for “NotifyPreProcHeaders | NotifySendResponse | NotifySendRawData | NotifyEndOfRequest | NotifyEndOfNetSession | NotifyOrderHigh”.
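To check that sum without trusting the screenshot, here is an added example (not from the original post) that converts between the FilterFlags names and the numeric Data value. The name-to-bit mapping is assumed to be the SF_NOTIFY_* constants from httpfilt.h; the UrlScan flag list in the post sums to 542144 under that mapping.

```powershell
# Added example, not from the original post. Bit values are the SF_NOTIFY_* constants
# from httpfilt.h (assumption); NotifyOrderHigh = 0x80000, NotifyPreProcHeaders = 0x4000, etc.

$FilterFlagBits = @{
    NotifySecurePort      = 0x00000001; NotifyNonSecurePort  = 0x00000002
    NotifySendResponse    = 0x00000040; NotifyEndOfRequest   = 0x00000080
    NotifyEndOfNetSession = 0x00000100; NotifyLog            = 0x00000200
    NotifySendRawData     = 0x00000400; NotifyAccessDenied   = 0x00000800
    NotifyUrlMap          = 0x00001000; NotifyAuthentication = 0x00002000
    NotifyPreProcHeaders  = 0x00004000; NotifyReadRawData    = 0x00008000
    NotifyOrderLow        = 0x00020000; NotifyOrderMedium    = 0x00040000
    NotifyOrderHigh       = 0x00080000; NotifyAuthComplete   = 0x04000000
}

function ConvertTo-FilterFlags([string]$FlagText) {
    # "NotifyPreProcHeaders | NotifySendResponse | ..." -> integer Data value
    $value = 0
    foreach ($name in ($FlagText -split '\|')) {
        $name = $name.Trim()
        if (-not $FilterFlagBits.ContainsKey($name)) { throw "Unknown FilterFlags name '$name'" }
        $value = $value -bor $FilterFlagBits[$name]
    }
    return $value
}

function ConvertFrom-FilterFlags([int]$Value) {
    # integer Data value -> names; bits outside httpfilt.h are reported, not dropped
    $names = @()
    $known = 0
    foreach ($name in ($FilterFlagBits.Keys | Sort-Object { $FilterFlagBits[$_] })) {
        if (($Value -band $FilterFlagBits[$name]) -ne 0) {
            $names += $name
            $known = $known -bor $FilterFlagBits[$name]
        }
    }
    $unknown = $Value -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('Unknown(0x{0:X8})' -f $unknown) }
    # A filter declares one priority; zero or several NotifyOrder* bits point to a bad registration.
    $orders = @($names | Where-Object { $_ -like 'NotifyOrder*' })
    if ($orders.Count -ne 1) { Write-Warning "Expected one NotifyOrder* flag, found $($orders.Count)" }
    return ($names -join ' | ')
}

ConvertTo-FilterFlags 'NotifyPreProcHeaders | NotifySendResponse | NotifySendRawData | NotifyEndOfRequest | NotifyEndOfNetSession | NotifyOrderHigh'
ConvertFrom-FilterFlags 542144
```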

NOTE:

Please keep this in mind <MSDN Snip> "Because this property is internally configured by IIS, you should consider it to be read-only. Do not configure this property." </MSDN Snip>.

HTH

Posted by vivekkum | 2 Comments
Filed under:

HTTP COMPRESSION in IIS 6 and IIS 7 using Service Account

I have come across a few issues with HTTP Compression in IIS 6 and thought I would quickly post them for everyone’s benefit.

Enterprises prefer to compress their static and dynamic web content to save bandwidth. There are articles on how to enable compression, and frankly it’s pretty simple. Here is the UI for enabling compression in IIS 6 and IIS 7:

IIS 6.0
image
Here is an article for IIS 6: Enabling HTTP Compression
 
IIS 7.0
image
Here is an article for IIS 7: IIS 7.0: Enable HTTP Compression of Dynamic Content

The article works fine for the default IIS 6 configuration. But as soon as you make a change such as using a Service Account (domain account) for the Application Pool, compression fails.

image

How do I check if compression is working? Well, download a web debugger like Fiddler.

Let us walk through the process.

I have a website using DefaultAppPool and the AppPool is configured to use the Domain Account (CORP\w2k3service).

I have added CORP\w2k3service in the IIS_WPG group.

image

I am browsing my website as http://w2k3website.corp.contoso.com, and that name is a Host (A) record in DNS.

I have added the HTTP SPN for the Service Account (CORP\w2k3service).

image

I browse the website and it works just fine.

I enable HTTP Compression as described in the article above, and to verify it I ran Fiddler. Here is what I see:

image

For the request to http://w2k3website.corp.contoso.com, Fiddler shows “No Compression”. Odd, isn’t it?

Let us check Metabase.xml:

image

Looks good to me.

Now, follow these steps when your AppPool uses a Service Account:

  • Add the user account to the IIS_WPG group
  • Also the user account must have permission on the website folder
  • Also the user account must have following permission in the metabase (use Metabase Explorer from IIS Resource Kit tools):
    • LM –> Read
    • W3SVC –> Read
    • AppPools -> Query Unsecure Property (Special Permission)
    • AnyNewAppPool -> Query Unsecure Property (Special Permission)
    • Filters -> Read and Write
      • Compression –> deflate (Read and Write)
      • Compression –> gzip (Read and Write)
  • Restart IIS

Let us verify with Fiddler again:

image

Perfect.
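For the same verification without Fiddler, here is an added example (not from the original post) that sends Accept-Encoding and reads back the Content-Encoding header. It assumes the site accepts Integrated Windows Authentication for the current user (the SPN setup above) and that the URL is reachable from where it runs.

```powershell
# Added example, not from the original post. Asks the server for a compressed response
# and reports whether one came back; never decompresses, so the header is preserved.

function Test-HttpCompression {
    param(
        [string]$Url,
        [string]$AcceptEncoding = 'gzip, deflate',
        [int]$Attempts = 2
    )
    $results = @()
    for ($i = 1; $i -le $Attempts; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = 'GET'
        $req.UseDefaultCredentials = $true          # IWA against the AppPool account's HTTP SPN
        $req.ProtocolVersion = [System.Version]'1.1' # IIS 6 skips compression for HTTP/1.0 by default
        $req.Headers.Add('Accept-Encoding', $AcceptEncoding)
        # AutomaticDecompression stays off on purpose: .NET would otherwise unpack the body.
        $resp = $req.GetResponse()
        $encoding = $resp.Headers['Content-Encoding']
        $results += New-Object PSObject -Property @{
            Attempt         = $i
            Status          = [int]$resp.StatusCode
            ContentEncoding = $encoding
            ContentLength   = $resp.ContentLength
            Compressed      = ($encoding -match 'gzip|deflate')
        }
        $resp.Close()
    }
    return $results
}

# Two attempts: IIS 6 serves the first request for a static file uncompressed while it
# builds the cached compressed copy, so only the second attempt is conclusive.
Test-HttpCompression 'http://w2k3website.corp.contoso.com/' |
    Format-Table Attempt, Status, ContentEncoding, ContentLength, Compressed -AutoSize
```

A non-2xx status makes GetResponse() throw a WebException, which is the right place to look when the failure is authentication rather than compression.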

The good thing here is that we don’t have to worry about the Service Account permissions in IIS 7.

HTH

Ciao for now.
