The Way I See It

Video – Configuring DebugDiag for process crash

Shinva — Mon, 06 Sep 2010 19:39:00 GMT

This is a video on how you can use DebugDiag to monitor process crashes.

Fingerprinting IIS

Shinva — Wed, 01 Sep 2010 21:30:07 GMT

You can analyze the responses sent from a webserver to determine the version of IIS running (And in turn the version of the Windows Server).

I have seen a lot of people discuss this. So here is my guide ...

The easiest way is to capture a network trace or Fiddler trace and analyze the Server header.

IIS by default sends a Server header indicating the version of IIS that is running

In the above Fiddler trace you see that the IIS version running is IIS 7.5

IIS is tightly coupled with the version of the Windows Server running and based on the version of IIS you can identify the Server OS version.

IIS Version	Windows Server Version
IIS 5.0	Windows 2000
IIS 5.1	Windows XP
IIS 6.0	Windows 2003
IIS 7.0	Windows 2008, Windows Vista
IIS 7.5	Windows 2008 R2, Windows 7

Administrators usually install ISAPI filters like URLScan that remove the Server header. Apart from the above values you might also see the following values being sent for the Server header.

Server Header Value	Windows Server Version
Microsoft-HTTPAPI/2.0	Windows 2003 Sp2, Windows 7, Windows 2008, Windows 2008 R2
Microsoft-HTTPAPI/1.0	Windows 2003

When you see a Server header value containing Microsoft-HTTPAPI instead of the IIS version it means the HTTP.SYS driver handled the request and it did not traverse all the way to the IIS user mode process. For example a request that results in a HTTP 400 status. Hence the version of the HTTPAPI on the server is sent in the Server header. Also since the response is now being generated at the HTTP.SYS layer ISAPI filters like URLScan cannot intervene.

IIS servers usually have the .NET Framework installed. The .NET Framework adds a custom header called X-Powered-By at the global level in IIS.

So by default any website hosted on an IIS server with the .NET Framework installed will have a header X-Powered-By: ASP.NET sent in the response.

Another header that the ASP.NET engine sends (depending on the enableVersionHeader setting) is the X-AspNet-Version header. It indicates the version of the .NET framework that is being used to execute the current website.

Another trick is to analyze the error pages that the server sends. IIS has a set of static html pages that it sends to the client incase of an error. IIS 6.0 uses the files located at C:\WINDOWS\Help\iisHelp\common and in IIS 7+ the files are located at C:\inetpub\custerr. For example when you try to browse a link that is not available you will get a 404 error page. You can analyze the content of the 404 response to figure out the version of IIS.

Administrators can use a feature in IIS that allows them to customize the error pages. ASP.NET also has a feature of custom error pages. You can configure the customErrors element in the web.config so that custom error pages will be sent to the client. You also have to ability to set a generic error page (defaultRedirect) so that for any error (which is not customized) the client will be taken to this page.

The special case of 401.2. If your website is set for any of the authentication schemes like Basic/Windows or Digest an authentication handshake has to happen. When you browse a website that requires authentication for the first time your browser does not know that the website requires authentication. Hence it sends an anonymous GET request to the webserver. The webserver rejects the anonymous request with a 401.2 status code and using the www-authenticate response headers sends the authentication schemes it supports. The browser uses this to generate the required credentials package(either by prompting you or using the logged in users credentials) and sends another request to the server.

In doing so the webserver sends a 401.2 response that is not customized. So even if you have a defaultRedirect IIS sends an uncustomized 401.2 error page. Also you cannot customize the 401.2 page using the IIS Custom Errors feature because in that case IIS will return a 200 status code and that will not help during authentication.

A lot of security scans identify the Server header being sent by IIS and recommend blocking it. A common question that I get is how to block this header so that the identity of the web server is not revealed. But personally I think it is over hyped.

MIB OIDs for IIS 6.0

Shinva — Thu, 28 Jan 2010 16:02:00 GMT

Here is a list of the OID values related to IIS that you can query using SNMP.


TotalBytesSent_HighWord	1.3.6.1.4.1.311.1.7.3.1.1.0
TotalBytesSent_LowWord	1.3.6.1.4.1.311.1.7.3.1.2.0
TotalBytesReceived_HighWord	1.3.6.1.4.1.311.1.7.3.1.3.0
TotalBytesReceived_LowWord	1.3.6.1.4.1.311.1.7.3.1.4.0
TotalFilesSent	1.3.6.1.4.1.311.1.7.3.1.5.0
TotalFilesReceived	1.3.6.1.4.1.311.1.7.3.1.6.0
CurrentAnonymousUsers	1.3.6.1.4.1.311.1.7.3.1.7.0
CurrentNonAnonymousUsers	1.3.6.1.4.1.311.1.7.3.1.8.0
TotalAnonymousUsers	1.3.6.1.4.1.311.1.7.3.1.9.0
TotalNonAnonymousUsers	1.3.6.1.4.1.311.1.7.3.1.10.0
MaxAnonymousUsers	1.3.6.1.4.1.311.1.7.3.1.11.0
MaxNonAnonymousUsers	1.3.6.1.4.1.311.1.7.3.1.12.0
CurrentConnections	1.3.6.1.4.1.311.1.7.3.1.13.0
MaxConnections	1.3.6.1.4.1.311.1.7.3.1.14.0
ConnectionAttempts	1.3.6.1.4.1.311.1.7.3.1.15.0
LogonAttempts	1.3.6.1.4.1.311.1.7.3.1.16.0
TotalOptions	1.3.6.1.4.1.311.1.7.3.1.17.0
TotalGets	1.3.6.1.4.1.311.1.7.3.1.18.0
TotalPosts	1.3.6.1.4.1.311.1.7.3.1.19.0
TotalHeads	1.3.6.1.4.1.311.1.7.3.1.20.0
TotalPuts	1.3.6.1.4.1.311.1.7.3.1.21.0
TotalDeletes	1.3.6.1.4.1.311.1.7.3.1.22.0
TotalTraces	1.3.6.1.4.1.311.1.7.3.1.23.0
TotalMove	1.3.6.1.4.1.311.1.7.3.1.24.0
TotalCopy	1.3.6.1.4.1.311.1.7.3.1.25.0
TotalMkcol	1.3.6.1.4.1.311.1.7.3.1.26.0
TotalPropfind	1.3.6.1.4.1.311.1.7.3.1.27.0
TotalProppatch	1.3.6.1.4.1.311.1.7.3.1.28.0
TotalSearch	1.3.6.1.4.1.311.1.7.3.1.29.0
TotalLock	1.3.6.1.4.1.311.1.7.3.1.30.0
TotalUnlock	1.3.6.1.4.1.311.1.7.3.1.31.0
TotalOthers	1.3.6.1.4.1.311.1.7.3.1.32.0
CurrentCGIRequests	1.3.6.1.4.1.311.1.7.3.1.33.0
CurrentBGIRequests	1.3.6.1.4.1.311.1.7.3.1.34.0
TotalCGIRequests	1.3.6.1.4.1.311.1.7.3.1.35.0
TotalBGIRequests	1.3.6.1.4.1.311.1.7.3.1.36.0
MaxCGIRequests	1.3.6.1.4.1.311.1.7.3.1.37.0
MaxBGIRequests	1.3.6.1.4.1.311.1.7.3.1.38.0
CurrentBlockedRequests	1.3.6.1.4.1.311.1.7.3.1.39.0
TotalBlockedRequests	1.3.6.1.4.1.311.1.7.3.1.40.0
TotalAllowedRequests	1.3.6.1.4.1.311.1.7.3.1.41.0
TotalRejectedRequests	1.3.6.1.4.1.311.1.7.3.1.42.0
TotalNotFoundErrors	1.3.6.1.4.1.311.1.7.3.1.43.0
TotalLockedErrors	1.3.6.1.4.1.311.1.7.3.1.44.0
MeasuredBandwidth	1.3.6.1.4.1.311.1.7.3.1.45.0
CurrentCalAuth	1.3.6.1.4.1.311.1.7.3.1.46.0
MaxCalAuth	1.3.6.1.4.1.311.1.7.3.1.47.0
TotalFailedCalAuth	1.3.6.1.4.1.311.1.7.3.1.48.0
CurrentCalSsl	1.3.6.1.4.1.311.1.7.3.1.49.0
MaxCalSsl	1.3.6.1.4.1.311.1.7.3.1.50.0
TotalFailedCalSsl	1.3.6.1.4.1.311.1.7.3.1.51.0

64 bit IIS manager,32 bit worker process and root web.config settings

Shinva — Fri, 04 Dec 2009 21:08:00 GMT

The IIS 7 manager provides a UI for almost all sections for the web.config. It does simplify things for administrators but I have seen a couple of cases where this has lead to interesting problems.

Let us consider the Machine Key feature that the IIS 7 manager provides. It is well known that when you deploy your web application across a web farm you have to hard-code the machineKey section of the web.config on all servers so that they carry the same keys that are used for encryption/decryption. The IIS 7 manager also has a useful option to generate random keys.

If the keys are not synchronized across all the web servers you can expect authentication or viewstate issues. One of our customers was well aware of this and had hardcoded the machineKeys using the IIS 7 manager. Yet he was facing all the issues related to the machineKeys not being in sync’.

After a lot of troubleshooting the issue came down to the bitness of the worker process.

ASP.NET Debugger Extension – Manual Install / Uninstall

Shinva — Tue, 10 Nov 2009 02:57:00 GMT

In case you have problems with the setup files for ASP.NET Debugger Extension you can manually install the module.

FILES

ADE.dll	This is the main module that loads in IIS Location : GAC
ADEWOWHelper.exe	This is a helper exe that is used in x64 environments to support WOW worker processes Location : system32\inetsrv
MdbgCore.dll	This is the dll that supports the debugging stuff. Location : system32\inetsrv

All the files are in this zip file.

Getting Files In Place

To get ADE.dll in the GAC (Global Assembly Cache) you can just drop it in the c:\windows\assembly folder.

You need ADEWOWHelper.exe only on x64 machines. Or you can skip this file. You need to drop the ADEWOWHelper.exe and MdbgCore.dll in the c:\windows\system32\inetsrv folder.

Registering the module to show up in IIS Manager

You need to edit the administration.config so that ADE will show up in the IIS Manager.

Stop the WAS service so that the file is not locked

net stop WAS /y

Open the file C:\Windows\System32\inetsrv\config\administration.config in notepad ( You need “Run as administrator”)

You need to edit two sections <modulesProvider> and <modules>

In the <moduleProviders> section add

In the <modules> section you need to add

Start your WAS and IIS services and open a new instance of IIS.

To uninstall you can remove the files and the entries in the administration.config

ASP.NET Debugger Extension – Trace Process for Debug Events

Shinva — Fri, 06 Nov 2009 02:27:00 GMT

With ASP.NET Debugger Extension you can also trace the process for events. This is actually a wrapper around the MdbgEngine (mdbgcore.dll) options to interrupt a process when an event occurs.

You can use it to trace exceptions / module loads etc. For example below we are tracing for exceptions. Every time an exceptions occurs you will get a callstack leading to that exception message.

ASP.NET Debugger Extension – Find Debug Modules

Shinva — Thu, 05 Nov 2009 11:44:00 GMT

ASP.NET Debugger Extension has an useful feature to find modules that are built in debug mode.

You start by selecting a website, ADE then scans all the folders under that website to figure out the modules that are built in debug mode.

Debug modules should usually not be deployed on production servers as the code generated is not optimized.

ASP.NET Debugger Extension – Callstack Viewer

Shinva — Wed, 04 Nov 2009 22:54:59 GMT

I recently created an ASP.NET Debugger Extension for IIS 7 that you can use to troubleshoot issues that would usually involve taking a memory dump of the process.

One of the features in this extension is the ability to get a managed stack trace of all the threads in the worker process that are running .net code.

All you need to do is to select the worker process that you want to examine and hit Get Callstacks. In a few seconds you will get a list of threads with their callstacks.

This feature can be used to figure out what a process is doing during performance/hang issues. For example the above picture tells you that on one of the threads sleep.aspx was running and it is currently in the Page_Load function.

The extension uses mdbgcore.dll to attach to the process and will only lists callstacks for threads that are running managed code.

ASP.NET Debugger Extension for IIS 7

Shinva — Wed, 04 Nov 2009 00:59:00 GMT

Just finished writing an extension for IIS 7 that will provide advanced debugging features for IIS worker processes running managed code.

It basically does three things

1. Find Debug Modules

This feature will help you scan your website content to spot modules that have been built in debug mode.

2. Callstack Viewer

This feature will dump out the callstacks of all the threads in the process running managed code. It is basically a snapshot of all the managed threads in the worker process. This is helpful when you are troubleshooting worker process hangs / performance issues.

3. Trace Process for Debug Events

This feature will help in tracing useful events in the worker process. For example it can display callstacks whenever an exception occurs in the process.

This extension uses mdbgcore.dll to debug the IIS worker process.

INSTALLATION

Use “Run as Administrator” while launching the following installers.

x86 : adeInstallx86.msi

x64 : adeInstallx64.msi

Both the setup files are in this zip file.

DETAILED GUIDES

ASP.NET Debugger Extension – Find Debug Modules

ASP.NET Debugger Extension – Callstack Viewer

ASP.NET Debugger Extension – Trace Process for Debug Events

ASP.NET Debugger Extension - Manual Install / Uninstall

If you have any suggestions / feedback / bugs I would love to hear about them.

IIS 7 FTPS module does not pick up the Firewall IP and Data Port Range settings.

Shinva — Tue, 06 Oct 2009 00:34:00 GMT

I have seen at least 5 separate instances where users have complained that the FTP 7 module that ships for IIS 7 does not honor the “Data Channel Port Range” and the “External IP Address of Firewall” settings.

Whenever you make a change to this setting you need to restart the FTP service for the change to take effect.

In all the instances that were brought to my notice users had run iisreset after making the change. But an iisreset does not help.

In IIS 6.0 the FTP Service used to run in inetinfo.exe. So whenever you run iisreset the FTP service is also restarted. But with IIS 7 the FTP service (FTP 7) runs in an independent svchost.exe. So the iisreset does not restart the FTP service.

You will have to restart the Microsoft FTP Service from the Services MMC console.

From a command prompt you can run

net stop ftpsvc

net start ftpsvc

SSL Diagnostics Tool for IIS 7

Shinva — Sun, 20 Sep 2009 13:49:00 GMT

The SSL Diagnostics tool is a very useful tool for troubleshooting SSL issues. It generates a detailed report of SSL settings for all the websites on an IIS server which helps in quickly identifying SSL issues.

But the tool was built for IIS 5 and 6, there is no version available which is compatible with IIS 7. The SSL Diagnostics tool does succeed in generating a report on IIS 7 if the IIS 6.0 Metabase Compatibility feature is installed.

To help troubleshoot SSL issues on IIS 7 I have written a tool which works in a similar fashion. It scans all the websites and FTPS sites configured on the server and generates a report which can help in identifying SSL issues.

If any certificate has issues you will get a report as follows.

FEATURES

Generate Report – Scans all websites and FTPS sites on the local server. If a certificate association is found it will list details of the certificate. It also performs a certificate validation on the certificate. For SSL bindings it also attempts to check if a TCP connection can be established.

Simulate SSL Web Request – Right clicking on a https binding gives you this option. It generates a SSL Web request based on the selected binding and displays the response received.

Verify Store – Basically is the output of certutil –verifyStore MY. Useful in identifying certain issues with certificates.

INSTALLATION & USAGE

Attached SSLDiag.zip contains SSLDiag.exe.
You do not have to install this but just run the exe. (“Run as Administrator”)
You do not need the IIS 6.0 Metabase Compatibility feature to be installed.
You can also save the report generated for your notes or latter analysis.
Requires .NET 2.0.

Hope it helps in reducing your troubleshooting time on SSL issues.

FTP Service 7.5 for IIS 7.0 can be installed only on Windows Server 2008

Shinva — Thu, 17 Sep 2009 04:17:45 GMT

On Windows 2008 RTM (SP1) you would install the FTP 7.5 Out Of Band module from http://www.iis.net/extensions/ftp. But when you try to install it on Windows 2008 R2 you will get the following error.

This version of the operating system is not supported. FTP Service 7.5 for IIS 7.0 can be installed only on Windows Server 2008.

Windows 2008 RTM (SP1) shipped with the legacy FTP service from IIS 6.0.

Latter FTP 7.0 and 7.5 where shipped as Out Of Band Modules.

Windows 2008 R2 already ships with FTP 7.5 and the legacy FTP service has been discontinued.

So you no longer have to install an Out Of Band module for FTP 7.5 on Windows 2008 R2. You can directly install it from the Server Manager > Role Services.

You must use the Role Management Tool to install or configure Microsoft .NET Framework 3.5.

Shinva — Sun, 16 Aug 2009 13:57:00 GMT

While trying to install Visual Studio 2008 on a Windows 2008 R2 machine you may get the following error.

This is because Windows 2008 R2 ships with the .NET 3.5.1 framework. You just need to enable the feature from Server Manager.

So before starting the Visual Studio 2008 Setup install the .NET Framework 3.5.1 Features from the Add Features Wizard in Server Manager.

After that when you run the Visual Studio 2008 Setup, the installer will detect that the 3.5 framework is already installed and skip to the next step.

IIS 7 Tip # 11 You can restrict SSL to only the Control Channel on FTPS

Shinva — Wed, 08 Jul 2009 02:04:23 GMT

The File Transfer Protocol (FTP) has been around even before I was born :) It is a good protocol for transferring files across the network but has one major flaw. If you use authentication it sends the password in a Base64 encoded format over the wire. If someone intercepts this he/she can easily decode the password. So if someone intercepts the traffic for your FTP site that allows a user to write files he/she can get access to an username and password that has write permissions on the server.

FTPS (FTP-Secure) address this flaw. FTPS allows you to use TLS or SSL cryptography to encrypt the data that is being transferred.

With Windows 2008 the FTP service was rewritten to support FTPS and shipped as an extension for IIS 7.0. Earlier versions of IIS only support FTP.

With FTPS you no longer have to worry about someone intercepting your password because of the encryption. But encryption comes with a performance overhead. (Consider situations where users frequently transfer files in 100s of MBs to the server all that has to go through en/decryption)

The best thing about the IIS FTPS extension is that you can control the encryption levels.

The FTP (even FTPS) protocol uses two channels(basically two ports) to communicate with the server. The Control Channel is used to transfer the commands (it also carries the credentials) and the Data Channel to transfer the files.

In situations where protecting just the password is enough and you are not concerned about the content being transferred you can remove the encryption on the Data Channel. This will lower the CPU cycles burnt for en/decrypting the large files that are transferred.

Even the Control Channel can be tweaked to just use encryption for credentials. But commands sometimes contain folder locations so its better to keep it encrypted.

Disappearing SSL certificates from IIS 7.0 manager

Shinva — Sat, 23 May 2009 00:37:33 GMT

“I install a SSL server certificate using the ‘Complete Certificate Request’ wizard in IIS manager and when I refresh the view the certificate disappears. “

I have heard that a couple of times and every time I used to go “What ?” Until someone showed it to me.

If you are one of those who are wondering about this read on.

The Server Certificates module in IIS manager displays a list of certificates from the Local Machine SSL store.

But it only lists the certificate if

1. The certificate has a private key

2. The certificate is meant for Server Authentication

And this is where the disappearing act occurs.

The IIS Manager enumerates all the extensions of the certificate and checks if OID 2.5.29.37 (Extended Key Usage) exists. If it does the certificate Enhanced Key Usage section must contain 1.3.6.1.5.5.7.3.1 (Server Authentication).

In the repro’ I was shown the user had actually downloaded the intermediate certificate and used that .cer file to complete the certificate request. In this case the wizard will go thro’ all the steps but when you refresh the view the certificate will not be listed.

IIS 7 Tip # 10 You can generate machine keys from the IIS manager

Shinva — Thu, 14 May 2009 01:10:27 GMT

The machineKey element of the ASP.NET web.config specifies the algorithm and keys that ASP.NET will use for encryption. By default the validationKey and the decryptionKey keys are set to AutoGenerate which means the runtime will generate a random key for use. This works fine for applications that are deployed on a single server. When you use webfarms a client request can land on any one of the servers in the webfarm. Hence you will have to hardcode the validationKey and the decryptionKey on all your servers in the farm with a manually generated key.

There are a lot of articles that describe how to use RNGCryptoServiceProvider to generate a random key. There are also a lot of online tools that generate random keys for you. But I would suggest writing your own script because any one who has access to these keys can do evil things like tamper your forms authentication cookie or viewstate.

With IIS 7 you no longer have to do this manually. The IIS 7.0 manager has a built in feature that you can use to generate these keys.

It uses RNGCryptoServiceProvider internally to create a random key. The value is stored locally in the web.config of that application something like

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <machineKey decryptionKey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2,IsolateApps" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45,IsolateApps" />
    </system.web>
</configuration>

You can copy it and paste it in the web.config file of all the servers in the webfarm.

Setting SMTP RelayIpList from a script.

Shinva — Fri, 08 May 2009 01:58:00 GMT

SMTP service running on IIS 6.0 provides you options to restrict IP addresses of computers that can relay mail messages through this server.

The value(list of IP addresses) is stored in the RelayIpList metabase property as an octet string. I was recently contacted by a server administrator to figure out if there is an automatic script that can add IP addresses to this list. He wanted to add around 200 IP address and grant them access.

I have written a script that you can use in such scenarios. It reads IP addresses from a text file and populates them into the RelayIpList.

USAGE : cscript ImportRelayList.vbs

PREREQUISITE : This script needs ip.txt in the same folder.

Store your IP addresses in ip.txt FORMAT: Each line should be IP,MASK

I have attached the script to this blog post. Hope it helps.

IIS 7 Tip # 9 Set Application Pool Defaults…

Shinva — Wed, 06 May 2009 01:57:25 GMT

When ever you create a new application pool IIS only asks you for four things 1. Name, 2. .NET Framework version, 3. Managed pipeline mode and 4. Weather to start the application pool immediately

What about the remaining advanced settings like the identity that application pool has to run under? The application pool inherits the rest of the settings.

If you want to change the default settings that IIS uses to create a new application pool you can do it under the Set Application Pool Defaults… section

For example if you change the Managed Pipeline Mode to Classic in the defaults and add a new application pool the mode dropdown will be set to Classic.

Can the validity period of the Self-Signed Certificate that IIS 7.0 manager creates be changed ?

Shinva — Fri, 01 May 2009 15:31:00 GMT

IIS 7.0 has a nice feature of creating self-signed certificates … very handy for creating test certificates.

I was recently asked if there is a way to modify the validity period of the certificate it creates.

Unfortunately No!

The module that creates the certificate uses a simple logic of incrementing the year by 1. Something like

SYSTEMTIME systemtime = new SYSTEMTIME();

systemtime.wYear = (short) (DateTime.Now.Date.Year + 1);

systemtime.wMonth = (short) DateTime.Now.Date.Month;

systemtime.wDay = (short) DateTime.Now.Date.Day;

It’s hardcoded and hence the validity of the certificate will always be 1 year from the current date.

Also the name of the certificate will always be the FQDN.

In case you want to create certificates with a shorter validity period or different names there are are a lot of tools like SelfSSL that you can use to generates self-signed certificates.

IIS 7 Tip # 8 You can create Self-Signed SSL certificates from the IIS manager

Shinva — Thu, 30 Apr 2009 01:53:00 GMT

IIS 7.0 manager has a nice feature of generating self-signed certificates that you can use for running tests.

At the global level select Server Certificates and in the Actions Pane on the right you get the option to Create Self-Signed Certificate…

The wizard that pops up just asks for a friendly name for the certificate.

Note this is just a friendly name that you can use to identify the certificate. It is not the Common Name / Subject.

Once you hit OK IIS manager will create a Self-Signed certificate that has the Common Name as the FQDN of the machine and is valid for a year.

Again the friendly name that you specify will not change the Common Name / Subject of the certificate meaning the Issued To: field will always be the FQDN of the machine.

Apart from creating the certificate IIS Manager also adds the certificate to the Trusted Root Certification Authorities on the machine.

IIS 7 Tip # 7 You can use the application pool identity for the anonymous authentication credentials

Shinva — Fri, 03 Apr 2009 17:49:00 GMT

When a client accesses a web site on anonymous authentication IIS uses a pre configured account to access the corresponding files on disk. In IIS 5.0 / 6.0 we used a local account called the IUSR_machinename for anonymous authentication. With IIS 7.0 we moved to a generic built in account called IUSR which is now machine dependent.

But in IIS 7.0 you also have the option to use the application pool identity as the anonymous user identity.

In IIS 6.0 if you wanted to use the application pool identity for anonymous access you would have to configure it manually under the Authentication Settings. This would mean the username and password would be saved in multiple locations. Whenever you had to change the password you would have to reset it in the application pool settings and then in the authentication settings.

With IIS 7.0 you just have to configure the user identity in the application pool settings. And in the properties of the Anonymous Authentication module select the Application pool identity option.

Getting better stack traces in Process Monitor / Process Explorer

Shinva — Thu, 02 Apr 2009 08:57:00 GMT

Process Monitor and Process Explorer are great tools for troubleshooting issues on Windows machines. Process Explorer can be used to investigate a running process from handles to dlls loaded. Process Monitor is my favourate and it can be used to monitor file system / registry activity on a machine. It logs all access to the file system / registry by all processes on the machine (can be filtered).

Process Monitor also shows you the call stack of the thread that lead to the file system / registry access.

The call stack in the above image is not very helpful as it is only showing the offset addresses(under Location). Not a lot of people realize that in both Process Monitor and Process Explorer you can configure a symbol server. You can point to the public Microsoft Symbol Server at http://msdl.microsoft.com/download/symbols and Process Monitor / Process Explorer will download the necessary symbol files and show you a better call stack with all the function names instead of the address offsets.

But to enable Process Monitor / Process Explorer to talk to the Microsoft Symbol Server you need to install WinDbg (Microsoft Debugging Tools For Windows) on the machine. You need this because the dbghelp.dll has to upgraded to enable it to connect to a symbol server.

Once you install WinDbg in Process Monitor go to Options > Configure Symbols and configure the dbghelp.dll and the symbol server path.

So here I have configured the dbghelp.dll path to point to the location where my windbg is installed. The Symbols path is pointing to the Microsoft Symbol Server … It specifies c:\symcache as the location where it can cache the symbol files it downloads.

Now if you go back into Process Monitor / Process Explorer and check the call stack it will look something like this.

Now you get proper function names as per the public microsoft symbols. In the symcache folders you will see all the symbols that got downloaded.

Now this is not limited to just Microsoft symbols. If you have symbols created for your application components you can include those as well and get the function names in the call stack.

IIS 7 Tip # 6 You can reset the TCP connection when “Service Unavailable” happens

Shinva — Wed, 01 Apr 2009 11:36:00 GMT

Instead of returning the “Service Unavailable” message to the client you can terminate the TCP connection. This can be helpful in environments where you have a Load Balancer which ’understands’ a TCP reset instead of “Service Unavailable”. In IIS 7.0 you can set it via the IIS manager UI in the Advanced Properties of the Application Pool.

This option is available in IIS 6.0 as well. But you need to set it using the adsutil.vbs script (or edit the metabase directly)

cscript adsutil.vbs set w3svc/apppools/loadbalancercapabilities 1

Caution while xcopying IIS 7.0 config files

Shinva — Sat, 14 Mar 2009 02:11:00 GMT

Metabase.xml is the central store where IIS 6.0 stores most of its configuration information. Its a plain text file and stores all the information in a simple XML format. The XML format naturally raised a notion of being able to XCOPY the config file to another server and transferring the settings with it. But if you copy over a metabase.xml file from another server your IIS admin service will no longer start. This happens because the metabase.xml file contains ACLs that control access to any metabase key. Stored under the AdminACL tag these keys are encoded based on the machinekeys of the server. When you move the metabase.xml to another server the keys can no longer be decoded and hence your IIS Admin service will not be able to start.

With IIS 7.0 we moved to a new XML based configuration store that is modeled after ASP.NET. It is no longer centralized into a single file. The hierarchical store starts with the applicationHost.config file and can be distributed among web.config files under your application.

This move also enables the long lasting idea of xcopy-deployment. You can now have all the settings in a web.config along with your application content and move it around.

Another change that was made is that the local accounts/groups that IIS 6.0 used (IUSR_MACHINENAME / IIS_WPG) were replaced by built-in accounts (IUSR / IIS_IUSRS). The built-in accounts have the same SID across Windows 2008 servers and are not machine specific.

So technically you now have an IIS configuration store that is virtually machine independent and you can just copy your applicationHost.config from one server to another and IIS will pick up the settings and just work.

But there is a catch. Try this.

On an IIS 7.0 server change the application pool identity (for the DefaultAppPool) to a custom domain identity. (Advanced Settings > Application Pool Identity > Custom Account)

Then move the applicationHost.config to a different IIS 7.0 server.

When you try to run a website using the DefaultAppPool you will find that the Application will get disabled with the following error in the event log.

Application pool TestApplicationPool has been disabled. Windows Process Activation Service (WAS) did not create a worker process to serve the application pool because the application pool identity is invalid.

So lets try to change the application pool identity to another domain account or reset the password for that account.

You type in the username and password and hit OK and you will get the following error message

There was an error while performing this operation.

Details: Bad Data. (Exception from HRESULT: 0x80090005)

Any username / password will not work. (You can however set the identity of the application pool to one of the built in accounts.)

Wondering what’s going on ? Initially when you set the application pool identity to a domain account IIS has to keep a local copy of the username and password. So it stores a copy in its applicationHost.config and since it is not advisable to keep the password in clear text format it goes ahead an encrypts it. You will see something like this in the config file.

For the encryption it uses machine specific keys in the iisConfiguration and iisWasKey containers. When the applicationHost.config is moved to a different server IIS can no longer decrypt the settings.

To get this working you can export and import the keys from the original server.

Export using the following commands

aspnet_regiis -px "iisConfigurationKey" "D:\iisConfigurationKey.xml" -pri
aspnet_regiis -px "iisWasKey" "D:\iisWasKey.xml" -pri

And for the import use

aspnet_regiis -pi "iisConfigurationKey" "D:\iisConfigurationKey.xml"
aspnet_regiis -pi "iisWasKey" "D:\iisWasKey.xml"

So whenever you are trying to xcopy-deploy your application on multiple servers you need to check if there are any encrypted sections and if you do ensure you port the iisConfigurationKey and the iisWasKey as well.

Also I would recommend using the Web Deployment Tool ( MSDeploy ) which makes deployment a lot easier. You can create a package (settings and content) of the whole server / specific application and use it to deploy. But the tool is in BETA still.

IIS 7 Tip # 5 Run a command when Rapid Fail Protection is triggered.

Shinva — Fri, 13 Mar 2009 04:26:00 GMT

Rapid-Fail Protection disables application pools if they crash multiple times within in a specified time period. This prevents the failing application pool from getting into a continuous loop of crashing and restarting. This protects other application pools running on the server as repeated failures can consume lot of system resources. When rapid-fail protection kicks in it stops the application pool that is repeatedly crashing and your clients will start getting a 503 – Service Unavailable error. An administrator will have to manually enable the application pool again.

You also have to option to configure an executable to run when ever rapid-fail protection is triggered. For example below I have configured the application pool to restart the IIS service using iisreset.exe … the /rebootonerror will reboot the whole server if iisreset.exe for some reason fails to restart the services.

<applicationPools>
       <add name="DefaultAppPool" autoStart="true">
         <failure autoShutdownExe="c:\windows\system32\iisreset.exe" autoShutdownParams="/rebootonerror" />
       </add>
</applicationPools>

This option is also available on IIS 6.0 but it is not exposed via the IIS manager. You can set is as follows

cscript adsutil.vbs set W3SVC/AppPools/DefaultAppPool/autoshutdownapppoolexe “c:\windows\system32\iisreset.exe”