The Way I See It

ASP.NET Debugger Extension – Manual Install / Uninstall

vijaysk — Tue, 10 Nov 2009 02:57:00 GMT

In case you have problems with the setup files for ASP.NET Debugger Extension you can manually install the module.

FILES

ADE.dll	This is the main module that loads in IIS Location : GAC
ADEWOWHelper.exe	This is a helper exe that is used in x64 environments to support WOW worker processes Location : system32\inetsrv
MdbgCore.dll	This is the dll that supports the debugging stuff. Location : system32\inetsrv

All the files are in this zip file.

Getting Files In Place

To get ADE.dll in the GAC (Global Assembly Cache) you can just drop it in the c:\windows\assembly folder.

You need ADEWOWHelper.exe only on x64 machines. Or you can skip this file. You need to drop the ADEWOWHelper.exe and MdbgCore.dll in the c:\windows\system32\inetsrv folder.

Registering the module to show up in IIS Manager

You need to edit the administration.config so that ADE will show up in the IIS Manager.

Stop the WAS service so that the file is not locked

net stop WAS /y

Open the file C:\Windows\System32\inetsrv\config\administration.config in notepad ( You need “Run as administrator”)

You need to edit two sections <modulesProvider> and <modules>

In the <moduleProviders> section add

In the <modules> section you need to add

Start your WAS and IIS services and open a new instance of IIS.

To uninstall you can remove the files and the entries in the administration.config

ASP.NET Debugger Extension – Trace Process for Debug Events

vijaysk — Fri, 06 Nov 2009 02:27:00 GMT

With ASP.NET Debugger Extension you can also trace the process for events. This is actually a wrapper around the MdbgEngine (mdbgcore.dll) options to interrupt a process when an event occurs.

You can use it to trace exceptions / module loads etc. For example below we are tracing for exceptions. Every time an exceptions occurs you will get a callstack leading to that exception message.

ASP.NET Debugger Extension – Find Debug Modules

vijaysk — Thu, 05 Nov 2009 11:44:00 GMT

ASP.NET Debugger Extension has an useful feature to find modules that are built in debug mode.

You start by selecting a website, ADE then scans all the folders under that website to figure out the modules that are built in debug mode.

Debug modules should usually not be deployed on production servers as the code generated is not optimized.

ASP.NET Debugger Extension – Callstack Viewer

vijaysk — Wed, 04 Nov 2009 22:54:59 GMT

I recently created an ASP.NET Debugger Extension for IIS 7 that you can use to troubleshoot issues that would usually involve taking a memory dump of the process.

One of the features in this extension is the ability to get a managed stack trace of all the threads in the worker process that are running .net code.

All you need to do is to select the worker process that you want to examine and hit Get Callstacks. In a few seconds you will get a list of threads with their callstacks.

This feature can be used to figure out what a process is doing during performance/hang issues. For example the above picture tells you that on one of the threads sleep.aspx was running and it is currently in the Page_Load function.

The extension uses mdbgcore.dll to attach to the process and will only lists callstacks for threads that are running managed code.

ASP.NET Debugger Extension for IIS 7

vijaysk — Wed, 04 Nov 2009 00:59:00 GMT

Just finished writing an extension for IIS 7 that will provide advanced debugging features for IIS worker processes running managed code.

It basically does three things

1. Find Debug Modules

This feature will help you scan your website content to spot modules that have been built in debug mode.

2. Callstack Viewer

This feature will dump out the callstacks of all the threads in the process running managed code. It is basically a snapshot of all the managed threads in the worker process. This is helpful when you are troubleshooting worker process hangs / performance issues.

3. Trace Process for Debug Events

This feature will help in tracing useful events in the worker process. For example it can display callstacks whenever an exception occurs in the process.

This extension uses mdbgcore.dll to debug the IIS worker process.

INSTALLATION

Use “Run as Administrator” while launching the following installers.

x86 : adeInstallx86.msi

x64 : adeInstallx64.msi

Both the setup files are in this zip file.

DETAILED GUIDES

ASP.NET Debugger Extension – Find Debug Modules

ASP.NET Debugger Extension – Callstack Viewer

ASP.NET Debugger Extension – Trace Process for Debug Events

ASP.NET Debugger Extension - Manual Install / Uninstall

If you have any suggestions / feedback / bugs I would love to hear about them.

IIS 7 FTPS module does not pick up the Firewall IP and Data Port Range settings.

vijaysk — Tue, 06 Oct 2009 00:34:00 GMT

I have seen at least 5 separate instances where users have complained that the FTP 7 module that ships for IIS 7 does not honor the “Data Channel Port Range” and the “External IP Address of Firewall” settings.

Whenever you make a change to this setting you need to restart the FTP service for the change to take effect.

In all the instances that were brought to my notice users had run iisreset after making the change. But an iisreset does not help.

In IIS 6.0 the FTP Service used to run in inetinfo.exe. So whenever you run iisreset the FTP service is also restarted. But with IIS 7 the FTP service (FTP 7) runs in an independent svchost.exe. So the iisreset does not restart the FTP service.

You will have to restart the Microsoft FTP Service from the Services MMC console.

From a command prompt you can run

net stop ftpsvc

net start ftpsvc

SSL Diagnostics Tool for IIS 7

vijaysk — Sun, 20 Sep 2009 13:49:00 GMT

The SSL Diagnostics tool is a very useful tool for troubleshooting SSL issues. It generates a detailed report of SSL settings for all the websites on an IIS server which helps in quickly identifying SSL issues.

But the tool was built for IIS 5 and 6, there is no version available which is compatible with IIS 7. The SSL Diagnostics tool does succeed in generating a report on IIS 7 if the IIS 6.0 Metabase Compatibility feature is installed.

To help troubleshoot SSL issues on IIS 7 I have written a tool which works in a similar fashion. It scans all the websites and FTPS sites configured on the server and generates a report which can help in identifying SSL issues.

If any certificate has issues you will get a report as follows.

FEATURES

Generate Report – Scans all websites and FTPS sites on the local server. If a certificate association is found it will list details of the certificate. It also performs a certificate validation on the certificate. For SSL bindings it also attempts to check if a TCP connection can be established.

Simulate SSL Web Request – Right clicking on a https binding gives you this option. It generates a SSL Web request based on the selected binding and displays the response received.

Verify Store – Basically is the output of certutil –verifyStore MY. Useful in identifying certain issues with certificates.

INSTALLATION & USAGE

Attached SSLDiag.zip contains SSLDiag.exe.
You do not have to install this but just run the exe. (“Run as Administrator”)
You do not need the IIS 6.0 Metabase Compatibility feature to be installed.
You can also save the report generated for your notes or latter analysis.
Requires .NET 2.0.

Hope it helps in reducing your troubleshooting time on SSL issues.

FTP Service 7.5 for IIS 7.0 can be installed only on Windows Server 2008

vijaysk — Thu, 17 Sep 2009 04:17:45 GMT

On Windows 2008 RTM (SP1) you would install the FTP 7.5 Out Of Band module from http://www.iis.net/extensions/ftp. But when you try to install it on Windows 2008 R2 you will get the following error.

This version of the operating system is not supported. FTP Service 7.5 for IIS 7.0 can be installed only on Windows Server 2008.

Windows 2008 RTM (SP1) shipped with the legacy FTP service from IIS 6.0.

Latter FTP 7.0 and 7.5 where shipped as Out Of Band Modules.

Windows 2008 R2 already ships with FTP 7.5 and the legacy FTP service has been discontinued.

So you no longer have to install an Out Of Band module for FTP 7.5 on Windows 2008 R2. You can directly install it from the Server Manager > Role Services.

You must use the Role Management Tool to install or configure Microsoft .NET Framework 3.5.

vijaysk — Sun, 16 Aug 2009 13:57:00 GMT

While trying to install Visual Studio 2008 on a Windows 2008 R2 machine you may get the following error.

This is because Windows 2008 R2 ships with the .NET 3.5.1 framework. You just need to enable the feature from Server Manager.

So before starting the Visual Studio 2008 Setup install the .NET Framework 3.5.1 Features from the Add Features Wizard in Server Manager.

After that when you run the Visual Studio 2008 Setup, the installer will detect that the 3.5 framework is already installed and skip to the next step.

IIS 7 Tip # 11 You can restrict SSL to only the Control Channel on FTPS

vijaysk — Wed, 08 Jul 2009 02:04:23 GMT

The File Transfer Protocol (FTP) has been around even before I was born :) It is a good protocol for transferring files across the network but has one major flaw. If you use authentication it sends the password in a Base64 encoded format over the wire. If someone intercepts this he/she can easily decode the password. So if someone intercepts the traffic for your FTP site that allows a user to write files he/she can get access to an username and password that has write permissions on the server.

FTPS (FTP-Secure) address this flaw. FTPS allows you to use TLS or SSL cryptography to encrypt the data that is being transferred.

With Windows 2008 the FTP service was rewritten to support FTPS and shipped as an extension for IIS 7.0. Earlier versions of IIS only support FTP.

With FTPS you no longer have to worry about someone intercepting your password because of the encryption. But encryption comes with a performance overhead. (Consider situations where users frequently transfer files in 100s of MBs to the server all that has to go through en/decryption)

The best thing about the IIS FTPS extension is that you can control the encryption levels.

The FTP (even FTPS) protocol uses two channels(basically two ports) to communicate with the server. The Control Channel is used to transfer the commands (it also carries the credentials) and the Data Channel to transfer the files.

In situations where protecting just the password is enough and you are not concerned about the content being transferred you can remove the encryption on the Data Channel. This will lower the CPU cycles burnt for en/decrypting the large files that are transferred.

Even the Control Channel can be tweaked to just use encryption for credentials. But commands sometimes contain folder locations so its better to keep it encrypted.

Disappearing SSL certificates from IIS 7.0 manager

vijaysk — Sat, 23 May 2009 00:37:33 GMT

“I install a SSL server certificate using the ‘Complete Certificate Request’ wizard in IIS manager and when I refresh the view the certificate disappears. “

I have heard that a couple of times and every time I used to go “What ?” Until someone showed it to me.

If you are one of those who are wondering about this read on.

The Server Certificates module in IIS manager displays a list of certificates from the Local Machine SSL store.

But it only lists the certificate if

1. The certificate has a private key

2. The certificate is meant for Server Authentication

And this is where the disappearing act occurs.

The IIS Manager enumerates all the extensions of the certificate and checks if OID 2.5.29.37 (Extended Key Usage) exists. If it does the certificate Enhanced Key Usage section must contain 1.3.6.1.5.5.7.3.1 (Server Authentication).

In the repro’ I was shown the user had actually downloaded the intermediate certificate and used that .cer file to complete the certificate request. In this case the wizard will go thro’ all the steps but when you refresh the view the certificate will not be listed.

IIS 7 Tip # 10 You can generate machine keys from the IIS manager

vijaysk — Thu, 14 May 2009 01:10:27 GMT

The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. By default the validationKey and the decryptionKey keys are set to AutoGenerate which means the runtime will generate a random key for use. This works fine for applications that are deployed on a single server. When you use webfarms a client request can land on any one of the servers in the webfarm. Hence you will have to hardcode the validationKey and the decryptionKey on all your servers in the farm with a manually generated key.

There are a lot of articles that describe how to use RNGCryptoServiceProvider to generate a random key. There are also a lot of online tools that generate random keys for you. But I would suggest writing your own script because any one who has access to these keys can do evil things like tamper your forms authentication cookie or viewstate.

With IIS 7 you no longer have to do this manually. The IIS 7.0 manager has a built in feature that you can use to generate these keys.

It uses RNGCryptoServiceProvider internally to create a random key. The value is stored locally in the web.config of that application something like

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <machineKey decryptionKey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2,IsolateApps" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45,IsolateApps" />
    </system.web>
</configuration>

You can copy it and paste it in the web.config file of all the servers in the webfarm.

Setting SMTP RelayIpList from a script.

vijaysk — Fri, 08 May 2009 01:58:00 GMT

SMTP service running on IIS 6.0 provides you options to restrict IP addresses of computers that can relay mail messages through this server.

The value(list of IP addresses) is stored in the RelayIpList metabase property as an octet string. I was recently contacted by a server administrator to figure out if there is an automatic script that can add IP addresses to this list. He wanted to add around 200 IP address and grant them access.

I have written a script that you can use in such scenarios. It reads IP addresses from a text file and populates them into the RelayIpList.

USAGE : cscript ImportRelayList.vbs

PREREQUISITE : This script needs ip.txt in the same folder.

Store your IP addresses in ip.txt FORMAT: Each line should be IP,MASK

I have attached the script to this blog post. Hope it helps.

IIS 7 Tip # 9 Set Application Pool Defaults…

vijaysk — Wed, 06 May 2009 01:57:25 GMT

When ever you create a new application pool IIS only asks you for four things 1. Name, 2. .NET Framework version, 3. Managed pipeline mode and 4. Weather to start the application pool immediately

What about the remaining advanced settings like the identity that application pool has to run under? The application pool inherits the rest of the settings.

If you want to change the default settings that IIS uses to create a new application pool you can do it under the Set Application Pool Defaults… section

For example if you change the Managed Pipeline Mode to Classic in the defaults and add a new application pool the mode dropdown will be set to Classic.

Can the validity period of the Self-Signed Certificate that IIS 7.0 manager creates be changed ?

vijaysk — Fri, 01 May 2009 15:31:00 GMT

IIS 7.0 has a nice feature of creating self-signed certificates … very handy for creating test certificates.

I was recently asked if there is a way to modify the validity period of the certificate it creates.

Unfortunately No!

The module that creates the certificate uses a simple logic of incrementing the year by 1. Something like

SYSTEMTIME systemtime = new SYSTEMTIME();

systemtime.wYear = (short) (DateTime.Now.Date.Year + 1);

systemtime.wMonth = (short) DateTime.Now.Date.Month;

systemtime.wDay = (short) DateTime.Now.Date.Day;

It’s hardcoded and hence the validity of the certificate will always be 1 year from the current date.

Also the name of the certificate will always be the FQDN.

In case you want to create certificates with a shorter validity period or different names there are are a lot of tools like SelfSSL that you can use to generates self-signed certificates.