MSDN Blogs
IIS7 – Backup Restore Module (updated for shared configuration backups)

A little while back I wrote a sweet little IIS7 UI module for taking a backup and restore of the IIS configuration. At that time I didn't add shared host configuration support, since it was in its early stage, and to be honest I didn't think about it when I wrote that module. Below is sample code that gives you the path of the IIS configuration. You have to read the path from Redirection.config: it is stored in the configurationRedirection section as the "path" attribute, and when this is null, IIS takes the configuration store from the %Windir%\system32\inetsrv\config path.

using System;
using Microsoft.Web.Administration;

ServerManager sm = new ServerManager();
// Redirection.config holds the shared-configuration settings
Configuration c = sm.GetRedirectionConfiguration();
this.InetsrvPath = Environment.GetEnvironmentVariable("windir") + @"\system32\inetsrv";
// "path" is null or empty when shared configuration is not in use
object path = c.GetSection("configurationRedirection").Attributes["path"].Value;
this.configPath = (path == null) ? "" : path.ToString();
if (string.IsNullOrEmpty(configPath))
    configPath = InetsrvPath;

You can also do this backup and restore with appcmd itself; the commands are:

appcmd add backup "backupname"

appcmd restore backup "backupname"
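As an added example (not the module's code), the same path resolution and a backup of the resolved store in Python, run against a constructed sample store rather than a real server. The "enabled" attribute check, the layout of the sample directories and the "refuse to overwrite" rule are assumptions of the example.

```python
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Files that make up the IIS 7 configuration store. administration.config is
# the file the module-registration steps on this page edit.
CONFIG_FILES = ("applicationHost.config", "administration.config")
# redirection.config always lives in the local inetsrv\config directory: it is
# the file that points at the share, so it is never stored on the share itself.
REDIRECTION_FILE = "redirection.config"


def resolve_config_dir(redirection_xml, local_config_dir):
    """Return the directory IIS loads applicationHost.config from.

    Same rule as the snippet in the post: when configurationRedirection has no
    "path" attribute (or it is empty) the local store is in use. The "enabled"
    attribute is an extra check added here (assumption), because IIS ignores
    the path when enabled="false".
    """
    root = ET.fromstring(redirection_xml)
    section = root.find("configurationRedirection")
    if section is None:
        return local_config_dir
    enabled = section.get("enabled", "true").strip().lower() == "true"
    path = (section.get("path") or "").strip()
    if not enabled or not path:
        return local_config_dir
    return path


def backup_sources(local_config_dir, shared_config_dir):
    """Map each file to back up to the directory it must be copied from."""
    sources = {name: shared_config_dir for name in CONFIG_FILES}
    sources[REDIRECTION_FILE] = local_config_dir
    return sources


def backup_config(local_config_dir, backup_root, backup_name):
    """Copy the effective configuration store into backup_root/backup_name.

    Returns the sorted names of the files copied. Refuses to overwrite an
    existing backup of the same name. redirection.config carries the
    userName/password used to reach the share, so the backup directory needs
    the same restrictive ACL as inetsrv\config.
    """
    with open(os.path.join(local_config_dir, REDIRECTION_FILE), encoding="utf-8") as fh:
        shared_dir = resolve_config_dir(fh.read(), local_config_dir)
    dest = os.path.join(backup_root, backup_name)
    os.makedirs(dest, exist_ok=False)  # raises FileExistsError for a duplicate name
    copied = []
    for name, src_dir in backup_sources(local_config_dir, shared_dir).items():
        src = os.path.join(src_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(dest, name))
            copied.append(name)
    return sorted(copied)


def make_demo_store(shared=True):
    """Build a constructed sample store in a temp dir; returns (local, root).

    With shared=True the local redirection.config points at a second directory
    holding applicationHost.config and administration.config, which is how a
    shared-configuration server looks; with shared=False everything is local.
    """
    root = tempfile.mkdtemp(prefix="iis7-demo-")
    local = os.path.join(root, "inetsrv", "config")
    shared_dir = os.path.join(root, "share", "config")
    store = shared_dir if shared else local
    os.makedirs(local)
    os.makedirs(store, exist_ok=True)
    for name in CONFIG_FILES:
        with open(os.path.join(store, name), "w", encoding="utf-8") as fh:
            fh.write("<configuration><!-- constructed sample --></configuration>")
    path_attr = shared_dir if shared else ""
    with open(os.path.join(local, REDIRECTION_FILE), "w", encoding="utf-8") as fh:
        fh.write('<configuration><configurationRedirection enabled="true" '
                 'path="%s" userName="svc" password="[enc:...]" /></configuration>'
                 % path_attr)
    return local, root
```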

Here is my updated module, and I’ve not changed any UI for this except adding the shared host functionality. This is how it looks:

In the Available Backups combo box you will find all the available backups. Select the one you want to restore and click the "Restore" button. It will look like below:

Here is the link for the DLL:

And, here is the source:

  To add this module in your IIS 7 manager follow the below steps:

  1. Download the IIS7BackupRestore.dll.
  2. Drag and drop IIS7BackupRestore.dll from the inetsrv folder into the Global Assembly Cache (C:\Windows\assembly), or use GacUtil -i IIS7BackupRestore.dll to install it into the GAC.
  3. Open the file %WinDir%\System32\InetSrv\config\Administration.config in a text editor.
  4. Search for the <moduleProviders> section and add the following

    <add name="IIS7BackupRestoreUI" type="IIS7BackupRestoreUI.MyModuleProvider, IIS7BackupRestoreUI, Version=1.0.0.0, Culture=neutral, PublicKeyToken=db9daa3d2ea5f6fd" />

  5. Search for the <modules> section and add the following

    <add name="IIS7BackupRestoreUI" />

  6. Open Inetmgr and you will see the module listed in IIS 7 Manager if you have followed the above steps properly.

Let me know if this helps you!

IIS7 - UI Module for setting FTP Active Directory user isolation properties

In IIS 6.0 you had the IisFTP.vbs script, which you would use to set the msIIS-FTPRoot and msIIS-FTPDir properties for a user in Active Directory. But in Windows Server 2008, IisFTP.vbs won't work. You need to either set them manually in Active Directory using ADSIEdit or other tools, or just use this module from me.

Below is how it looks:

Here is the link for the DLL:

To add this module in your IIS 7 manager follow the below steps:

  1. Download the IIS7ADFTPUI.dll.
  2. Drag and drop IIS7ADFTPUI.dll from the inetsrv folder into the Global Assembly Cache (C:\Windows\assembly), or use GacUtil -i IIS7ADFTPUI.dll to install it into the GAC.
  3. Open the file %WinDir%\System32\InetSrv\config\Administration.config in a text editor.
  4. Search for the <moduleProviders> section and add the following

    <add name="IIS7ADFTPUI" type="IIS7ADFTPUI.MyModuleProvider, IIS7ADFTPUI, Version=1.0.0.0, Culture=neutral, PublicKeyToken=db9daa3d2ea5f6fd" />

  5. Search for the <modules> section and add the following

    <add name="IIS7ADFTPUI" />

  6. Open Inetmgr and you will see the module listed in IIS 7 Manager if you have followed the above steps properly.

Below is my entire project of this dll. Download it, and feel free to modify it, distribute it.

Let me know if this helps you!

IIS7 - Configure Throttling for your documents (any MIME type) and save Bandwidth costs

Do you have a high-traffic site with a lot of WMV/AVI/FLV/PDF documents (or any other MIME type) where the site's maximum bandwidth is fully utilized? Do you ever wonder where the majority of that bandwidth goes? Most users do not watch the whole video or listen to the whole audio, and do not read the complete PDF file (or any other progressively downloaded document). Assume they watch just 5 minutes of your 1-hour-long Flash Video (.flv). How much of your (download) bandwidth is used for this? You should try answering this question yourself.

But you will see a significant reduction in your bandwidth cost if you start using the Bitrate Throttling Module. It can be configured for any video/audio file type, and in fact for any MIME type such as .PDF, .DOC, etc.

Here I explain how to configure the throttling setting specifically for PDF files.

In the IIS Manager, select your web site, and select "Bit Rate Throttling" under Media Services. First of all, make sure that the bandwidth throttling is enabled in the site. 

Now, Right click on the pane and select "Add Throttle Setting..." or select the same from the "Actions Pane". Type "application/pdf" as the MIME type, and enter "Fast Start" and "Throttle rate" values.

You should see bitrate throttling already added for the major media file types like .asf, .avi, .flv, .mov, .wmv, etc. I'm sure this feature of IIS7 will help you save bandwidth costs for hosting media files or any large documents.

Here are the download links:

  • http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640 => 32-bit

  • http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641 => 64-bit

    Here are some learn.iis.net documents on this module:

    IIS7 – Adding your UI extension to the IIS manager hierarchy

    In the last post I was talking about writing a simple UI extension which would appear like below:

    How about you adding this to the IIS manager hierarchy – just below “Application Pools” and “FTP Sites”? Here is what you need to do additional to the steps you followed using my previous blog on this.

    1. Add a new class to the project and name it as MyHierarchyProvider, and the file as MyHierarchyProvider.cs
    2. MyHierarchyProvider should derive from Microsoft.Web.Management.Client.HierarchyProvider
    3. It should have an internal class deriving from Microsoft.Web.Management.Client.HierarchyInfo, where you override a few properties to specify the display text and which ModulePage it links to.

    Below is a sample code which would define a class deriving from HierarchyProvider, and has an internal class with all its properties set.

    MyHierarchyProvider.cs
    using System;
    using System.Collections.Generic;
    using System.Text;
    using Microsoft.Web.Management.Client;
    
    namespace MyIIS7UIExtensions
    {
        internal class MyHierarchyProvider : HierarchyProvider
        {
            public MyHierarchyProvider(IServiceProvider serviceProvider)
                : base(serviceProvider)
            {
            }
            public override HierarchyInfo[] GetChildren(HierarchyInfo item)
            {
                if (item.NodeType == HierarchyInfo.ServerConnection)
                {
                    return new HierarchyInfo[] { new DemoHierarchyInfo(this) };
                }
    
                return null;
            }
            internal class DemoHierarchyInfo : HierarchyInfo
            {
    
                public DemoHierarchyInfo(IServiceProvider serviceProvider)
                    : base(serviceProvider)
                {
                }
    
                public override string NodeType
                {
                    get
                    {
                        return "MyHierarchyProvider";
                    }
                }
    
                public override bool SupportsChildren
                {
                    get
                    {
                        return false;
                    }
                }
    
                public override string Text
                {
                    get
                    {
                        return "SimpleIIS7UIModule";
                    }
                }
    
                protected override bool OnSelected()
                {
                    return Navigate(typeof(MyPage));
                }
            }
        }
    }

    After doing the above, you will also want to make a change in your existing Module class so that it knows about the hierarchy. If you downloaded the sample linked in my earlier post, you will find two lines commented out (I forgot to remove the comment markers last time.. lol); uncomment them and you are good to go. For reference, below are the two lines you need to add to link this hierarchy provider with our module.

    IExtensibilityManager extensibilityManager = (IExtensibilityManager)GetService(typeof(IExtensibilityManager));
    extensibilityManager.RegisterExtension(
    typeof(HierarchyProvider), new MyHierarchyProvider(serviceProvider));

    This registers the HierarchyProvider class with our module; after building the assembly, placing the DLL in the GAC, and adding the administrationHost.config settings, you should see the below:

    And you can change the Text property of our HierarchyInfo-derived internal class to change the display name appearing in the UI. Don't hesitate to put your questions or anything you want to let me know in the comments!

    Happy learning.

    IIS7 - Writing your first custom UI module with all winform controls

    You should follow this article on IIS.net to create your first “simple” IIS7 UI extension which would just display a message box when loaded.

    In this blog I'm going to explain how you can design a UI module to which you can add any UI control you might add to a WinForm.

    Basically, the UI which appears in the middle pane is just an extension of Windows Form, and you can easily design that using Visual Studio. For example, the below “SSL settings” page has few checkboxes, radio buttons, and Apply/Cancel on the Actions pane.

    All your controls should be placed or added into a class within your assembly which should derive from Microsoft.Web.Management.Client.Win32.ModulePage.

    Before we start adding a class deriving from ModulePage, please make sure you have completed your Module and ModuleProvider classes by following this article, and also make sure your assembly would be put in GAC. Your project should look like below with DemoKey.snk, and also the proper references to the Microsoft.Web.Management, and Microsoft.Web.Administration:

    Adding a ModulePage

    Add a new class to the existing project, and name it as MyPage.cs. Derive the class from Microsoft.Web.Management.Client.Win32.ModulePage. Now, let’s try to add some code which runs when this ModulePage runs – let’s put a MessageBox on the constructor.

    Below is how my code looks now:

    Code Snippet displaying a simple message box
    using System;
    using System.Windows.Forms;
    using Microsoft.Web.Management.Client.Win32;

    namespace MyIIS7UIExtensions
    {
        internal class MyPage : ModulePage
        {
            public MyPage()
            {
                MessageBox.Show("Testing this!!!!");
            }
        }
    }

    You should build the assembly, put the assembly (DLL) in the GAC, and add the below to your administrationHost.config:

    <moduleProviders>
           <add name="MyIIS7UIExtensions" type="MyIIS7UIExtensions.MyModuleProvider, MyIIS7UIExtensions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=db9daa3d2ea5f6fd" />
    ........
    </moduleProviders>

    <modules>
          <add name="MyIIS7UIExtensions" />
    .........
    </modules>

    You should see the below in your IIS manager.

    If you double click on "MyIIS7UIExtensions", you should see the below message box, and if you click OK you will see the whole UI, but no controls, just because you haven't added them yet :)

    If you get to this stage, then you are almost there in making your real IIS7 UI extension, rest of the steps are really easy if you are a windows forms programmer.

    Adding Winform controls to our UI Extension

    Let’s say you want to have a combo box listing all the application pools that are available. How to design that? First, you have to add the combo box inside your ModulePage.

    public MyPage()
    {
        this.Controls.Add(new ComboBox());
    }

    The above code will add a new combo box. But, you want to really specify how it should appear, and its co-ordinates, don’t you?

    Modified constructor to specify the co-ordinates for the combo box
    public MyPage()
    {
        ComboBox comboBox1 = new System.Windows.Forms.ComboBox();
        comboBox1.Location = new System.Drawing.Point(20, 20);
        comboBox1.Name = "comboBox1";
        comboBox1.Size = new System.Drawing.Size(121, 21);
        comboBox1.TabIndex = 0;
        // comboBox1 is a local variable here, so it is added without the "this." prefix
        this.Controls.Add(comboBox1);
    }

    Now, imagine if you want to add TextBoxes, Buttons, et al, and define the event handlers such as to handle button click, how much time you would invest in designing this manually? Don’t you love dragging and dropping controls to create your ModulePage as a so-called Windows Form?

    Don’t worry! I’ve an easy way to overcome this difficulty. Read this earlier blog of mine where I explain this little VS trick to minimize your development time to design this UI extension. But come back to this blog after visiting that, I’m going to further discuss how to display the available application pools on the combo box, and going to provide a button to say the selected application pool to recycle.

    And, my IIS UI extension looks like below now:

    If you do not see the below after you've designed the page in Visual Studio using the above method, verify that the InitializeComponent() method is called in the constructor; that's the function where all your controls get added to the form (ModulePage).

    Now, let's write a method which fills the combo box with all the application pools that are available, by reading the IIS configuration store using Microsoft.Web.Administration. Let's name our function LoadAppPoolInfo(), and call it from our constructor after calling InitializeComponent().

    Your code should look like below:

    Added a ServerManager, and modified the constructor to call LoadAppPoolInfo() and defined that as well
    Microsoft.Web.Administration.ServerManager manager = new Microsoft.Web.Administration.ServerManager();

    public MyPage()
    {
        InitializeComponent();
        LoadAppPoolInfo();
    }

    private void LoadAppPoolInfo()
    {
        // Read the pools from the configuration store (applicationHost.config).
        // Enumerating manager.WorkerProcesses instead would list only pools that
        // currently have a running worker process, once per process.
        foreach (Microsoft.Web.Administration.ApplicationPool pool in manager.ApplicationPools)
            comboBox2.Items.Add(pool.Name);
    }

    And, your UI extension should now display the available application pools in the combo box. Go ahead and add a button click event handler for the button which you’ve already put inside our ModulePage like below:

    private void button1_Click(object sender, EventArgs e)
    {
        // Nothing selected yet, so there is no pool to recycle
        if (comboBox2.SelectedItem == null)
            return;
        manager.ApplicationPools[comboBox2.SelectedItem.ToString()].Recycle();
    }

    Now, go ahead and play with all the classes in Microsoft.Web.Administration to make your own modules to do a lot more than what’s provided in the default IIS7 manager UI.

    You can download my sample project here:

    Please do post your questions if you have any.

    IIS 7.0 HTTP Error Pages

    Internet Information Services (IIS) 7.0 adds some significant new functionality to the manageability and customization of error messages. The three main areas of improvement when compared to IIS 6.0 are Custom vs. Detailed error pages, better configurability of custom errors, and language-specific custom errors.

    Custom vs. Detailed error

    In IIS 7.0, the term “custom error” is used to describe the error information a regular user will see when navigating to your web site from a remote client machine. A “detailed error” is the kind that a local administrator or developer will see when browsing to the website locally on the IIS server itself.

    Here is an example of the custom error page for an HTTP 404 response:

    You’ll notice that the custom error page is simple and brief, with no extended information. The user is simply told that the page they requested could not be found.

    Alternatively, here is the detailed version of the HTTP 404 response page:

    You’ll notice that the detailed page contains far more information than the custom version. By limiting the amount of information you send to remote users, you increase the security level of your IIS server; the less information about your server and the error condition that is sent to potentially malicious users, the better. Let’s look at the detailed error info more closely.

    Error Summary

    The information in the Error Summary section is essentially the same as the custom error page.

    Detailed Error Information

    This is where the new benefits of IIS 7.0’s detailed errors begin to shine. The detailed error section contains very low-level information about the error condition which administrators and developers can use to troubleshoot the problem.

    Most Likely Causes and Things You Can Try

    To help in the troubleshooting process, IIS 7.0 includes the most likely causes of the problem, and provides a list of steps you can try to resolve the issue.

    Links and More Information

    One of the coolest new features of IIS 7.0 is the “view more information” link in the detailed error pages. By clicking this link, the user will be taken to the Microsoft Knowledge Base article specific to the HTTP status code they just received. If a KB article doesn’t exist yet, the user will be taken to the general IIS 7.0 HTTP Status Code article (http://support.microsoft.com/kb/943891), and the IIS Support Team will be notified that an article for this particular HTTP status is needed.

    For this example scenario, clicking the link will take us to the HTTP 404 article, KB942041.

    Configurability of Custom Errors

    IIS 7.0 makes it easier to configure custom errors exactly how you want them. Added configuration options in the UI give administrators more flexibility and granularity; you can edit the existing configuration settings, or add completely new ones. Configuring error pages through the IIS Manager is done via the Error Pages feature in the main pane:

    To edit the configuration of an existing custom error page, select the status code entry in the main pane and choose Edit… in the Actions pane. The Edit Custom Error Page window will appear:

    The Add Custom Error Page looks almost the same, except the fields are blank:

    In both windows, you’re given the option to set the Response Actions accordingly. You can choose to send content from a static file (for example, create your own custom404.htm page and point to it in the file path directory), you can execute a URL on the site (let’s say you wanted an event log entry written any time someone encounters a specific error code…write an asp.net page that does the logging, and point to the page in the URL field!), or you redirect the user with an HTTP 302 status response.

    It is important to note a change we’ve made in IIS 7.0 as compared to IIS 6.0 when it comes to unconfigured HTTP statuses. In IIS6, most of the HTTP statuses had an error page configured by default:

    In IIS 7.0, we’ve reduced that list:

    When it comes time for IIS to send an HTTP error response and the status doesn’t have an associated custom error configured, IIS 7.0 will send a short one-line message. For example, if you remove the default custom error for an HTTP 404 status and request a non-existent page, the error you get back is:

    These one-line messages are hard coded and cannot be changed. They do, however, get localized and will be sent in the language that the server is configured for.

    Language-specific Custom Errors

    When a web browser sends an HTTP request to a web server, it has the option of including an “Accept-Language” request header. This header tells the server what language the client would prefer to receive its response in.

    IIS 7.0 takes into account a request’s Accept-Language header and will attempt to send the custom error page that corresponds to the language in the header. For example, if a client makes a request for a non-existent page and its request included an Accept-Language header with a value of “en-us”, by default the error page that gets sent back to the client in response is “c:\inetpub\custerr\en-us\404.htm”. Note the “en-us” in the file path.

    However let’s say that the user is in France and their browser sends an Accept-Language header of “fr-FR”. To send the French version of the 404.htm page as a response, you would install the Windows Language Pack for French; this creates the C:\inetpub\custerr\fr-FR directory. Now the error page that would be sent is C:\inetpub\custerr\fr-FR\404.htm.
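As an added example (not from the post), the following Python models that lookup: it parses the Accept-Language header with its q-values, accepts only well-formed language tags so that a client-controlled header can never steer the lookup outside c:\inetpub\custerr, and picks the error page for the first language that has a directory installed. The list of installed language directories is passed in, and the fallback to en-US when nothing matches is an assumption of the example, not a documented IIS rule.

```python
import ntpath
import re

# A language tag that may select a directory: letters, then up to three
# hyphen-separated subtags ("en-US", "fr-FR", "zh-Hant-TW"). Anything else,
# such as "..", a path separator or an empty tag, is rejected.
_LANG_TAG = re.compile(r"^[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8}){0,3}$")


def is_valid_language_tag(tag):
    """True only for tags that are safe to use as a custerr subdirectory name."""
    return _LANG_TAG.fullmatch(tag) is not None


def parse_accept_language(header):
    """Return the language tags from an Accept-Language header, best first.

    Handles q-values ("fr-FR;q=0.8"), keeps header order for equal q, and
    drops "*", empty entries, q=0 and unparsable q-values.
    """
    ranked = []
    for pos, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0]
        if not tag or tag == "*":
            continue
        q = 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        if q > 0:
            ranked.append((-q, pos, tag))
    return [tag for _, _, tag in sorted(ranked)]


def select_error_page(header, status, available_languages, default_language="en-US",
                      custerr_root=r"C:\inetpub\custerr"):
    """Return the path of the localized error page for an HTTP status code.

    available_languages models the language directories present under custerr
    (installing a Windows Language Pack creates one, e.g. fr-FR). Matching is
    case-insensitive because the header usually carries "en-us" while the
    directory is "en-US". Tags that fail is_valid_language_tag are skipped
    before any directory name is built from them.
    """
    by_lower = {lang.lower(): lang for lang in available_languages}
    chosen = default_language
    for tag in parse_accept_language(header):
        if is_valid_language_tag(tag) and tag.lower() in by_lower:
            chosen = by_lower[tag.lower()]
            break
    return ntpath.join(custerr_root, chosen, "%d.htm" % status)
```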

    More Information

    More information on IIS 7.0 HTTP errors can be found at the following locations:

    How to Use HTTP Detailed Errors in IIS 7.0

    http://learn.iis.net/page.aspx/267/how-to-use-http-detailed-errors-in-iis7/

    Configuring HTTP Error Responses in IIS 7.0

    http://technet2.microsoft.com/WindowsServer2008/en/library/a35a6d64-2f61-4aa2-a84e-7d1512087aed1033.mspx

    ---> Credit goes to Mike Laing for this post.

    A lightweight IIS 6.0 Web Manager - Manage your Web Sites and Application Pools from anywhere on the Web.

    A Web administrator has to have access to the IIS server in order to ensure that any diagnostic/preventive measures can be performed at any point in time. One has to ensure all the web sites are up and running fine during the course of a day. Activities like recycling application pools, starting/stopping web sites etc. are an essential part of this process. This is most painful when you are away having a good time and you get a call that the web sites are having performance issues, and you are required to ensure they are recycled, restarted and so on.

    I have written this Web application to ensure one has access to their IIS 6.0 Web server from any part of the world. I have used WMI features built on top of .Net. It has the following features at this point.

    Application Pool related activities

    · Recycle/Start/Stop Application Pool(s)

    · Change Application Pool Identity.

    · Check features like Application Pool Recycling options, Current state of an Application Pool and current Application Pool Identity.

    · Enumerate an Application Pool to see the Web applications running underneath it.

    Web Site related activities

    · Start/Stop Web Site(s)

    · Check features like current Web Site state, and some configuration related settings like Web Site physical path, Server Bindings, Secure Bindings, Authentication method, SSL access, Application Pool etc.

    IISRESET

    · At times the only way to recover from a problem is to restart the IIS services. You can restart all IIS services like IISADMIN, SMTP and World Wide Web Publishing service from anywhere through this application.

    There are tools available like the MS Administration site, but in my opinion it has somewhat limited features. I intend to modify the existing features of my application as time permits.


    Pre-requisites

    · You need to have .Net Framework 2.0 installed on the IIS web server.

    · If AJAX-enabled version of this application is deployed, you need to have Microsoft ASP.Net 2.0 AJAX Extensions 1.0 installed on the server for it to work.

    Steps to deploy the application

    1. Download the ZIP file attached with this post.

    2. Extract all the contents to some physical folder on the IIS Web server.

    3. Create a new web site (or better in my opinion, a new virtual Directory under any of your existing Internet-facing Web sites) and point it to this physical path for the extracted files/folders.

    4. ENSURE that you create a new application pool for this virtual directory, and put the application under that application pool. This way the application will not interfere with any of your existing web applications running on the server.

    5. This application is built using ASP.Net 2.0 and has two flavors, AJAX-enabled and non-AJAX. If you are using the AJAX-enabled application you need to ensure Microsoft ASP.Net 2.0 AJAX Extensions 1.0 is installed on the server.

    6. Open the web.config file associated with this application and modify the <appSettings> to reflect the name of your Application Pool and name of the Web site under which this application is running [Attached ZIP file contains a word document as well with detailed steps for deployment].

    I have covered the essential features required for a web server management and plan to modify it with more granular features with time.

    Here are some screen captures related to usage

    Ensure the application pool identity entered is a member of the local IIS_WPG group on the server.

    Click on IIS Reset shown below to restart all IIS services like IISADMIN, FTP, SMTP and WWW.

    When you reset IIS, you won't be able to browse to the Web application for a minute or so, depending upon how long it takes for the IIS services to stop and then start back running.

    In this interval if you try to access the site you will see the following error:

    For AJAX-enabled version, you will get a pop up as shown below:

    For Non-AJAX version you will see the following page:

    At any point you can check the status of the selected Application Pool and the selected Web site.


    This is provided "AS IS".

    Any constructive feedback is appreciated ;-)

    Till next time, Cheers! 


    Links for download:

    AJAX enabled version: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/AJAX%20enabled%20version.rar

    Non-AJAX version: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/Non-AJAX%20version.rar

    Steps for Deployment: http://cid-d6e3b4cd95f9d0f2.skydrive.live.com/self.aspx/Public/Steps%20for%20Deployment.doc

    *You can also download the AJAX version from here www.iis.net/downloads

    Limiting Passive FTP Port Range on IIS 7.0 / IIS 6.0 / IIS 5.0
    Passive FTP uses a range of ports to transfer data. This can be a problem because the port range that IIS uses has to be opened up at the Firewall. Many administrators would like to limit the port range between specific values so that they can have a better control on the ports that need to be opened on the Firewall. IIS can be configured to limit the port range but with multiple versions of IIS the configuration has changed a bit. So here is how you configure the port range (say 4000-4025) on IIS 5.0 / IIS 6.0 / IIS 7.0 

    IIS 5.0
    =======

    - On IIS 5.0 the Passive FTP Port range is controlled via a registry key

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msftpsvc\Parameters
    Value name: PassivePortRange    Type: REG_SZ    Data: 4000-4025

    IIS 6.0
    =======

    - On IIS 6.0 the Passive FTP port range is controlled via a metabase key

    /MSFTPSVC/PassivePortRange

    adsutil.vbs set /MSFTPSVC/PassivePortRange "4000-4025"

    IIS 7.0
    =======
    - IIS 7.0 has two FTP services available

    1. Classic FTP Service
    -------------------------------------
    - The classic FTP service is similar to IIS 6.0 and requires IIS 6.0 Metabase compatibility to be installed
    - Here the Passive FTP port range is controlled via the metabase key

    /MSFTPSVC/PassivePortRange

    - Similar to IIS 6.0

    2. FTP7 Module
    --------------------------
    - This is an out-of-band module shipped as an add-on
    - The FTP7 module is used when FTP over SSL is required
    - Here the Passive FTP port range is controlled via an entry in applicationHost.config
    - You can also set this using the IIS Manager UI

    Global Level (Server name) > FTP Firewall Support > Data Channel Port Range

    Cross posted from Vijay's Blog

    Weekly recap of the ASP.NET Debugging blog

    Here are last week's updates to the ASP.NET Debugging blog:

    Getting out the IP Address from System.Net.IPAddress

    Ever try looking at the IP Address from this object?  It isn’t very easy to see what the actual address is, so take a look at this post for how to get the data out:

    ASP.NET Tips: Printing an IP Address

    Looking at the finalization queue in the debugger

    Want to see which objects you have added a finalizer to? Follow the information here.

    Understanding when to use a Finalizer in your .NET class

    If you are going to use a finalizer in your .NET class, be sure to read this post so that you understand when you should and shouldn’t use it:

    Understanding when to use a Finalizer in your .NET class

    Troubleshooting Anonymous authentication failures in IIS

    We often get support calls on issues related to Anonymous authentication failures and this is something which we feel an Admin can fix without requiring our support. Our aim in this post is to ensure people have a good troubleshooting strategy for anonymous authentication failures.

    You can follow up this link for a detailed troubleshooting strategy for Anonymous authentication failures.

    http://blogs.msdn.com/saurabh_singh/archive/2007/07/01/troubleshooting-anonymous-authentication-failures-in-iis.aspx

    Cheers!

    ~Saurabh 

    ASP.NET Tips: How to use DebugDiag to track down where a performance problem is coming from

    Narrowing down a problem is sometimes the hardest part of troubleshooting.  Learn how DebugDiag can help save the day in this post:

    ASP.NET Tips- How to use DebugDiag to track down where a performance problem is coming from

    DelegConfig - A Tool To help resolve Kerberos authentication and delegation issues

    Overview

    I wanted to create this blog to address one of the IIS Support team's top support issues. The issue is with allowing the identity of the user logged into a client machine to pass through the IIS server and on to a back end server. The process of the identity moving from the client machine to the IIS machine, and then IIS passing these credentials to a back end server, is sometimes referred to as Kerberos Delegation. What follows in this post will contain information on the most common symptoms, root causes, and a tool to help web administrators make sense of it all.

    The Reason to Delegate 

    Organizations may want to use Windows credentials to control access to certain resources on their intranet. To make things as simple as possible, the following diagram illustrates this.


    In this scenario the user that logs onto the client machine accesses a back end server as itself.   Unfortunately, setting up your machines to do this is not as easy as drawing the picture.  Next I will outline some of the most common symptoms, and root causes for delegation failure. 

    Common Symptoms

    There are many symptoms that would indicate the environment is not set up correctly to delegate credentials from the client to the back-end server.  Some of the most common are as follows:

    • Users are prompted for credentials on the client machine.
    • 401.X errors are returned to the browser.
    • A user can browse to the IIS Content from the IIS Server, but not from the client machine.
    • Access Denied is returned from a custom application.

    Common Root Causes

    • The same SPN is registered for multiple accounts in the domain. This is known as a duplicate SPN issue.
    • The account the SPN is registered for is not trusted for delegation in Active Directory.
    • The Web server is configured to use NTLM authentication and not Negotiate.
    • The web browser was not able to get a Kerberos ticket from Active Directory, and it falls back to NTLM credentials.
    • An SPN is not registered for the back end server, or there is more than one SPN registered for the back end server.
    • File ACLs or other permissions are not configured correctly on the back end.

    The Tool to Make Sense of it All

    Brian Booth, a Support Escalation Engineer for IIS at Microsoft, created an ASP.NET application that runs some key checks on the client, server, and back end server to identify problem areas for Kerberos delegation.  The following link will allow you to download the ASP.NET application that helps identify which common symptoms and root causes you may be running into when attempting to configure an IIS Server to delegate credentials from the client to a back end server.

    http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434

     

    Setting up DelegConfig

    Extract the files to a local directory on the IIS Server the client machine connects to.  Make sure the Everyone account has access to this directory and ASP.NET is set up correctly on the machine.  I am using the Everyone account in order to make this as simple as possible.  For more information on common problems with using this ASP.NET application, please read the readme.txt that extracts with the other files.  After extracting the files follow the 5 steps below.

    1. Open the IIS MMC and identify the application for which you want to delegate the client's identity
    2. Identify which application pool it is running in
    3. Create a new Application in the same web site as the real application, and configure it to run with the same version of ASP.NET, and in the same application pool
    4. Configure the new application to point to the directory that contains the files that were extracted
    5. Configure the new application for Windows Authentication only

    Using the Tool

    Now that the tool is set up, log on to the client machine as the domain user you are trying to delegate.  Browse to the Default.aspx page in the new web application that was created.  You should get a result page similar to the one below.  If you do not, first try browsing to the page from the IIS Server, making sure to use the machine name and not http://localhost.  Also, please see the readme.txt file that accompanies the tool for known issues.

    When you are able to successfully browse to the page you will see output like the following. In my case, I have browsed locally on the IIS Machine, because when browsing from the client I kept getting prompted for credentials, and eventually it responded with a 401.

    Turning Red to Green

    The explanation in the detailed output has most of the information needed to resolve the issues.  I will go through each check box below with information on how to turn the Red 'x' into a Green check.

    Authenticated User

    The Authenticated-User section explains who connected to the IIS Server, and whether it used NTLM or Kerberos credentials.  In the above case we are connected to the IIS Server using the Negotiate header, but with NTLM credentials.   This means that IE was not able to get a Kerberos ticket to connect to the IIS Server.  You can read the explanation for even more information.  Since I made the HTTP request from the IIS Server, it will always use NTLM, so in this case we can ignore this.  However, when you browse from the client machine to the IIS Server and this check box is RED, first make sure everything in the Process Identity section is green, and then make sure that NTAuthenticationProviders contains "Negotiate".  If it does not, the page output will look as follows:

    If you are browsing locally on the IIS Server and are logged in as the Administrator, you can click the "Fix This" button to resolve the problem.  If not, you can run the following command to check this setting with the adsutil.vbs script that comes with IIS 6.0.

    cscript.exe adsutil.vbs GET w3svc/siteid/root/DelegConfig NTAuthenticationProviders

    Where "siteid" is the id of the web site.   Note, if NTAuthenticationProviders is not set at this level, check the value at the previous levels.  The default value is "NTLM, Negotiate", so unless you previously removed this, it should be fine.

    Keep in mind that the browser is what decides how to send the credentials to the server.

    Process Identity

    The Process Identity section does a few different checks to see if Delegation will work for this IIS application pool.

    First it checks to see if the Application Pool is configured to run as a domain account. This domain account can be a Computer or User account in the domain.   Second, it checks to see if a valid Service Principal Name is configured for the domain account the application pool runs as.  Third, it checks to see if the domain account is trusted for delegation.  Last, it checks for any duplicate SPNs for the host name (not shown above, but covered a little later in this blog post).

    Application Pool Identity

    This is probably the simplest issue to resolve. Simply make sure the identity the application pool runs as is a domain account.  There are two ways to do this:

    • Set the identity to Network Service, in which case the domain account is the actual Computer Account.

    • Set the identity to a Domain User.  When doing this the user needs to be added to the IIS_WPG group as well.

    Has a Valid SPN

    An SPN needs to be registered for the application pool identity for the HTTP Service.  By default, the machine account will have a HOST SPN Registered which includes HTTP.  To register an SPN you can use the SetSPN.aspx page that comes with the DelegConfig tool, or you can use the SetSpn.exe tool which can be downloaded from Technet here:

    When using SetSPN.aspx, you have to view the page on the IIS Server.

    To explain my setup a little bit better I have the following configuration for my Web Application.

    • Application Pool Identity – BB115730\AppPool

    • IIS Machine name BB115730IIS

    • Default Web Site with no host header

     

    The DelegConfig tool is telling me I do not have a valid SPN for my BB115730\AppPool account.   To verify this with the setspn.exe tool, use the -L switch.

    Setspn.exe -L BB115730\AppPool

    Where BB115730\AppPool is the machine account or user account you want to verify SPNs for.

    Since I do not have an SPN for the domain user account which the application pool is running as, I can add it using either SetSPN.aspx (used below for deleting duplicate SPNs) or SetSPN.exe.  For this example, I will use SetSPN.exe as follows:

    Setspn.exe -A HTTP/BB115730IIS BB115730\AppPool
    Setspn.exe -A HTTP/BB115730IIS.BB115730.COM BB115730\AppPool

    In the case of IIS, the service the SPN needs to be registered for is HTTP.  The information following the HTTP/ is the host name the SPN is being registered for.  This host name is what is passed in the HOST header of the HTTP request to the IIS Server, so it depends on how the client application creates the host header.  Typically you should register both the machine name and the fully qualified domain name when using the default web site.  If the web site is using host headers, you need to register the appropriate host header. 

    Once I register my SPN for the application pool identity, if I refresh the DelegConfig Default.aspx page, it will indicate there are duplicate SPNs:

     

    This section identifies other Domain Accounts that the HTTP/BB115730IIS and HTTP/BB115730IIS.BB115730.COM SPNs are registered for.  For this example, since I only have this one Application Pool that requires delegation, I will remove the duplicate SPNs listed in the DelegConfig output.  This can be done by clicking "Fix This", which will bring up the SetSpn.aspx page, or by using SetSPN.exe.  When browsing to SetSPN.aspx on the IIS Server, the following is displayed:

    The SetSPN.aspx page can be used to view, add, and delete SPNs.  The above example shows how to delete the duplicate SPN "http/BB115730IIS.BB115730.COM" for my configuration.   The SetSPN.exe tool can also be used to delete the duplicate SPNs.  The commands used to delete the duplicate SPNs listed above are as follows:

    Setspn.exe -D HTTP/BB115730IIS BB115730\BB115730IIS$
    Setspn.exe -D HTTP/BB115730IIS.BB115730.COM BB115730\BB115730IIS$

    The side effect of doing this is that if there are other application pools running as the account identified in the Duplicate SPNs section, and those application pools also need to support delegation, then you have a problem.  This is an issue that has to be resolved on a case-by-case basis.  For more detailed information on duplicate SPNs please see the following blog post:

    http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/the-biggest-mistake-serviceprincipalname-s.aspx

    Trusted for Delegation

    This is another simple configuration change.  In Active Directory Users and Computers you need to select the Computer Account, or User Account the application pool is running as, and check the box that says "Trust this account for delegation".  For a user account you must also uncheck the checkbox "Account is sensitive and cannot be delegated".  For a Windows 2003 Domain you can also configure constrained delegation which is outside the scope of this blog post.  Please see the references section for a detailed troubleshooting article on Kerberos delegation.
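    As an added example (not part of DelegConfig or this post), the PowerShell script below runs the three Process Identity checks described above, Has a Valid SPN, Duplicate SPNs and Trusted for Delegation, directly against Active Directory with LDAP queries instead of through the tool's UI. It assumes a domain-joined machine and defaults to the names used in this post (BB115730IIS, BB115730.COM and the AppPool account); substitute your own.

```powershell
# Added example, not DelegConfig's own code: reproduce the Process Identity checks
# (valid SPN, duplicate SPNs, trusted for delegation) with LDAP queries against
# the current domain. Names default to the ones used in this post; adjust to yours.
param(
    [string]$HostName       = "BB115730IIS",
    [string]$Fqdn           = "BB115730IIS.BB115730.COM",
    [string]$AppPoolAccount = "AppPool"   # sAMAccountName of the pool identity; for Network Service use the computer account, e.g. BB115730IIS$
)
Add-Type -AssemblyName System.DirectoryServices

$TRUSTED_FOR_DELEGATION = 0x80000    # userAccountControl flag bits
$NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"

function Find-SpnOwners([string]$spn) {
    # Every account in the domain that has exactly this SPN registered.
    # Note: a computer's default HOST/<name> SPN also covers HTTP but is not matched here.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(servicePrincipalName=$spn)"
    [void]$s.PropertiesToLoad.Add("sAMAccountName")
    foreach ($r in $s.FindAll()) { $r.Properties["samaccountname"][0] }
}

function Get-UserAccountControl([string]$sam) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(sAMAccountName=$sam)"
    [void]$s.PropertiesToLoad.Add("userAccountControl")
    $r = $s.FindOne()
    if ($r) { [int]$r.Properties["useraccountcontrol"][0] }
}

# Has a Valid SPN / Duplicate SPNs: each HTTP SPN must exist on exactly one account,
# and that account must be the application pool identity.
foreach ($spn in "HTTP/$HostName", "HTTP/$Fqdn") {
    $owners = @(Find-SpnOwners $spn)
    if     ($owners.Count -eq 0) { "MISSING     $spn (setspn.exe -A $spn $AppPoolAccount)" }
    elseif ($owners.Count -gt 1) { "DUPLICATE   $spn is on: $($owners -join ', ')" }
    elseif ($owners[0] -ne $AppPoolAccount) { "WRONG OWNER $spn is on $($owners[0]), not $AppPoolAccount" }
    else                         { "OK          $spn -> $AppPoolAccount" }
}

# Trusted for Delegation: the flag must be set and the account must not be "sensitive".
$uac = Get-UserAccountControl $AppPoolAccount
if ($null -eq $uac) { "NOT FOUND   $AppPoolAccount is not a domain account" }
else {
    if ($uac -band $TRUSTED_FOR_DELEGATION) { "OK          $AppPoolAccount is trusted for delegation" }
    else { "NOT TRUSTED $AppPoolAccount: check 'Trust this account for delegation'" }
    if ($uac -band $NOT_DELEGATED) { "SENSITIVE   $AppPoolAccount: uncheck 'Account is sensitive and cannot be delegated'" }
}
```

    Run it as any domain user on a domain-joined machine; only the repair actions it names (setspn -A, the two account checkboxes) require domain admin rights.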

    Back End Server

    Lastly, you can click the DelegConfig "Add Backend" button, located at the top of the page, to quickly check the Domain Account and SPNs for a back end server.   It allows you to specify the remote address of the machine, the service type that needs to be checked, the listening port for that service, and the account the service is running as.  After filling in the information on the page for the type of back end server (I used a SQL Server for the output below), you will get output similar to this:

     

     

    The same goes for the back end server service the IIS Server is trying to delegate credentials to.  It must be running as a domain account, and valid SPNs must be registered for that service.

    The End Result

    After turning all the red check boxes to green, delegation should work and the output of default.aspx should look as follows when browsing from the client machine:

     

    In the above example, I used a SQL Server as my back end machine.  Since everything is green, I can now delegate the client credentials from the client machine, to the IIS Server, and then to my back end SQL Server.

    Closing Comments

    The above example illustrated how to use DelegConfig to configure an IIS Server to delegate credentials to a back end server.  The tool can also be used to verify the process identity and the SPNs used for Kerberos authentication.   If there are still problems with the site or application after using this tool to verify Kerberos is working correctly, the problem is most likely permissions on the files or server the application uses.  For example, a file server might not grant access to the user, or SQL Server may not allow access to a table or stored procedure.  Verify the permissions are correct on the resources the user is trying to access.

    Additional Resources

    This is the end of the road for this blog post.  The following are links referred to in this blog post with more information on resolving double-hop issues with Windows credentials.