EzDevInfo.com

How do I find out the W3SVC number of a given IIS7.5 website?

I have a server running multiple websites under IIS7.5. I want to view the log files for one website in particular. In C:\inetpub\logs\LogFiles I see a number of folders, W3SVC1 through 6.

How do I find out which website corresponds to which folder? In IIS6.0 it used to tell you, but I can't find this anywhere in IIS7.5.

IIS 7.5 (Windows 7) - HTTP Error 401.3 - Unauthorized

I'm trying to test my ASP.Net website on localhost and I'm getting this error:

HTTP Error 401.3 - Unauthorized
You do not have permission to view this directory or page because of
the access control list (ACL) configuration or encryption settings for
this resource on the Web server.

I have the following users on the website application folder, with full read/write permissions:

• NETWORK SERVICE
• IIS_IUSRS
• SYSTEM
• Administrators
• Nathan (me)

What can I try to fix this?

What should I do to make sure that IIS does not recycle my application?

I have a WCF service app hosted in IIS. On startup, it goes and fetches a really expensive (in terms of time and cpu) resource to use as local cache.

Unfortunately, IIS seems to recycle the process on a fairly regular basis. So I am trying to change the settings on the Application Pool to make sure that IIS does not recycle the application. So far, I've change the following:

• Limit Interval under CPU from 5 to 0.
• Idle Time-out under Process Model from 20 to 0.
• Regular Time Interval under Recycling from 1740 to 0.

Will this be enough? And I have specific questions about the items I changed:

1. What specifically does Limit Interval setting under CPU mean? Does it mean that if a certain CPU usage is exceeded, the application pool will be recycled?
2. What exactly does "recycled" mean? Is the application completely torn down and started up again?
3. What is the difference between "Worker Process shutdown" and "Application Pool recycling"? The documentation for the Idle Time-out under Process Model talks about shutting down the worker process. While the docs for Regular Time Interval under Recycling talk about application pool recycling. I don't quite grok the difference between the two. I thought the w3wp.exe is the worker process which runs the application pool. Can someone explain the difference to the application between the two?

The reason for having IIS7 and IIS7.5 tags is because the app will run in both and hope the answers are the same between the versions.

Image for reference:

IIS 7.5: How to configure custom Authentication Error page with Windows Authentication. 401 header problems

I have a php website running under IIS 7.5. The site is secured by Windows authentication and that works fine:

When users go to the site, they are asked for username/password and get through if authenticated. If users click Cancel or mistype password 3 times, they are shown 401 error page:

Now I would like to show custom page explaining how to log-in. So I go to Error pages, select status code 401.2 and point it to the page I would like to display:

Then make sure the custom errors are turned on for everybody. And kaa-boom! Authentication does not work any more, users are not presented with the password prompt. As documentation says, Windows Authentication works by sending 401 reply first, then browser asks user to provider credentials and then they work out what to do next.

What happens here: on first request for the page IIS tries to send 401-header, but notices that web.config says "on 401 redirect to this page". And instead of authentication, it just gives the redirect page.

I've tried replacing 401, 401.1, 401.2 - made no difference.

What am I doing wrong and how to give custom page on user authentication error?

p.s. Here is the web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpErrors errorMode="Custom">
            <remove statusCode="500" subStatusCode="-1" />
            <remove statusCode="404" subStatusCode="-1" />
            <remove statusCode="401" subStatusCode="-1" />
            <error statusCode="401" subStatusCode="2" prefixLanguageFilePath="" path="/not_restricted/401.htm" responseMode="ExecuteURL" />
            <error statusCode="404" prefixLanguageFilePath="" path="/not_restricted/404.htm" responseMode="ExecuteURL" />
        </httpErrors>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Powered-By" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    <system.web>
        <identity impersonate="false" />
        <customErrors defaultRedirect="http://www.myserver.com/not_restricted/500.htm" mode="Off">
        </customErrors>
    </system.web>
</configuration>

ApplicationPoolIdentity IIS 7.5 to SQL Server 2008 R2 not working

I have a small ASP.NET test script that opens a connection to a SQL Server database on another machine in the domain. It isn't working in all cases.

Setup:

IIS 7.5 under W2K8R2 trying to connect to a remote SQL Server 2008 R2 instance. All machines are in the same domain.

Using the ApplicationPoolIdentity for the web site it fails to connect to the SQL Server with the following:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

However if I switch the Process Model Identity to NETWORK SERVICE or my domain account the database connection is successful.

I've granted the \$ access in SQL Server.

I am not doing any sort of authentication on the web site, it is just a simple script to open a connection to a database to make sure it works.

I have Anonymous Authentication enabled and set to use the Application pool identity.

How do I make this work? Why is the ApplicationPoolIdentity trying to use ANONYMOUS LOGON? Better yet, how do I make it stop using the Anonymous logon?

Load-Balanced IIS 7.5 Web Server ASP.NET Session State problem

we have a problem with an ASP.NET website where the users' sessions are behaving oddly - session data appearing, disappearing and re-appearing.

I think I know what the problem is:

1. Our setup is 2 x Load balanced WebServers + single session state database.
2. ASP.NET SQL session state storage appears to depend on the IIS Website Instance ID (Metabase ID) to uniquely identify the incoming session cookie ID and retrieve/store values.
3. The IIS Website Instance ID of the website is different on each of the live servers (ID /W3SVC/1/Root on WebServer A, ID /W3SVC/2/Root on Webserver B).
4. Load balancing is not using client affinity so each user HTTP request could go to either server.

Therefore, as a user logs onto the site and moves around, each HTTP call can go to either web server, and hence use a Session State record with different IDs depending on the server. In effect the user would simultaneously have 2 separate session instances. I believe I have verified this as in the database ASPStateTempSessions table, each session cookie ID seems to correspond to 2 almost-identically named records (their IDs only differ by the last few characters, which I believe are a modifier based on the AppID from the AspStateTempApplications table) created within seconds of each other.

Therefore Session State will appear to misbehave as changes made to one session record will only persist against that web server. If the User moves to the other load-balanced server, session values will seem to disappear or revert.

I believe the solution is to synchronise the IIS Instance IDs of the sites (e.g. make them both /W3SVC/1/Root), but I tried to edit that value in IIS under Advanced Settings, and although it saved OK, it just made the site return 404s on that server until I changed it back.

I found a VBS script for this problem but it seems to be for IIS 6 only so I'm worried about trying it. Has anybody else encountered this situation on IIS 7.5, and how did you fix it?

EDIT / SOLUTION

My mistake was that I forgot to restart IIS after I changed the Site Instance ID in IIS. After this, the ID was updated and ASP.NET sessions were synced on the two web servers.

Full instructions:

1. Remote Desktop onto server LIVE1, open IIS Mgr, click on the problem Site and choose Advanced Settings in the sidebar.
2. Change the ID to something unique e.g. 10. Click OK.
3. Restart the web service (c:\windows\system32\iisreset /restart)

Do the same for LIVE2 (ensure the Site ID is the same as on LIVE1)

Note that the site ID does affect the location of site files e.g log file folder would become C:\inetpub\logs\LogFiles\W3SVC10 for example.

Note also that you could do these changes manually by editing the site id attribute in the IIS config file on each server: C:\Windows\System32\inetsrv\config\applicationHost.config . Requires admin privs and still needs a reset afterwards.

Does generating a CSR through IIS 7.5 on Windows Server 2008 R2 always create a new private key?

Generating a CSR for a Windows 2008 R2 server and need to ensure that the private key used for the CSR is new.

I have used OpenSSL before to create my own self-signed certs for testing and if I remember correctly, I was able to specify a private key to use.

In IIS Server Certificates, I am never asked to generate nor pick a private key.

So, does generating a CSR on a Windows-based server always create a new private key for it? If not, how do I ensure a new private key is made/used?

What's the process name for IIS in Windows 7?

In Windows XP the process name for IIS was inetinfo.exe. I don't see it in Windows 7 in the task manager? It seems things have changed. Is it still a separate process?

IIS 7.5 - Disable Overlapped Recycle property not being obeyed when web.config is updated

I have a site which holds an exclusive lock on some resources. I used the .NET Application_Start and Application_End events to aquire and release the lock on these resources at the appropriate time. For this to work properly, there can only ever be one instance of my application running at any given time.

To get this to happen, I've set the Disable Overlapped Recycle property on the Application pool to True. This property is supposed to ensure that the old worker process shuts down completley before a new one starts up whenever the app pool is recycled. This works fine whenever the app pool is recycled manually through IIS, automatically as the result of the idle-timeout being reached or automatially according to any specific time/time interval rules.

However, when the web.config for the site is updated, this rule isn't getting applied - A new worker process starts up before the old one finishes shutting down. This causes bad things to happen. I have the Disable Recycling for Configuration Changes property set to False as I do want the app pool to get recycled when the web.config is updated - this happens frequently during development.

Is this something which is expected, or is it a bug in IIS? IS my only option to set up so that changing the web.config doesn't recycle the app pool? I'd rather not do this, since I'm pretty sure it will cause many headaches with people changing the configuration and then forgetting to recycle the app pool.

Update:

To be more clear, when the new worker process 'start' event is called before the old worker process has finished shutting down, then the old worker process 'end' event never gets called - It doesn't happen out of sequence, it never happens at all.

IIS 404 error where file exists

I have a fresh VPS installation from my provider (Windows 2008 R2, IIS 7.5).

The default web site works fine: http://5.9.251.167/
I created a new website, and binding for http://new.ianquigley.com
On that server and everywhere else that Domain maps to the IP address. (ping new.ianquigley.com for example).

I created the sub folder c:\inetpub\wwwroot\com.ianquigley and created an HTML file index.html with the content "<html>cake</html>"

The default document for the web site is index.html

On the server, in Chrome I browse to http://new.ianquigley.com/index.html and get a 404 Error.

The page says;

HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had it's name changed, 
or is temporarily unavailable.

Detail:
Module: IIS Web Core
Notification: HttpRequestHandler
Handler: StaticFile
Error Code: 0x80007002
Request URL: http://new.ianquigley.com/index.html
Physical path: c:\inetpub\wwwroot\com.ianquigley\index.html
Logon Method: Anonymous
Logon User: Anonymous
Failed Request Log: c:\inetpub\logs\FailedRequestLog

The Physical Path does exist. The folder wwwroot and com.ianquigley both have "Everyone" and "Read" permission.

The c:\inetpub\wwwroot\logfiles\w3svc2\u_ex130201 file contains the request for the index.html with the 404 error code.

update (from comment below)
I created c:\cake with "Everyone" "Full Control" permissions. Moved my index.html file in there and changed the mapping in IIS. Checking the page in the browser on the server again gives me the same as above except Physical Path is c:\cake\index.html

update 2 The default web site (which works fine/can read from disk) runs in the "DefaultAppPool", which originally used the account "ApplicationPoolIdentity". The new website also uses this same app pool. I've tried changing the account to; NetworkService, LocalService and LocalSytem (refreshing the app pool each time).. still no joy!

W3SVC2 log

#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-02-02 20:00:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-02-02 20:00:02 5.9.251.167 GET /index.html - 80 - 5.9.251.167 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.17+(KHTML,+like+Gecko)+Chrome/24.0.1312.57+Safari/537.17 404 0 2 1151

The sc-win32-status: 2 means "file not found". So this is probably simply a file access permission sort of problem. If it is, why can the default web site read from c:\inetpub\wwwroot folder sucesfully but not a sub-folder with permission.

Right now I'm completely stumped.

What role does "App Pool Identity" play for an Application Pool?

When talking about IIS 7.5 security, AFAIK:

App Pool Identity decides whom my web application runs as.

Authentication Method decides whom the clients are authenticated as.

I have a virtual folder configured like this:

• I use Anonymous Authentication with the expectation that all clients should be authenticated as IUSR.
• I give IUSR full control of the folder.
• My App Pool Identity is set as the XXX account, which doesn't have any permission to the folder. (I intentionally set this)

But it turns out that I cannot browse the files in that folder. Once I give the XXX account permission to access that folder, things goes well.

So what role does the App Pool Identity play in anonymous authentication? It's totally unexpected that I have to give the App Pool Identity account permission to access the folder. I thought Anonymous Authentication would be enough?

Thanks.

Properly handle IIS request with percent sign in url (/%)

I am looking for any kind of solution to properly get an IIS request such as http://stackoverflow.com/% and http://bing.com/% to not display a 400 Bad Request page, but display a custom error page similar to how http://google.com/% and http://facebook.com/% do (obviously those examples are not on IIS).

I believe I have tried setting all the applicable http.sys registry settings (AllowRestrictedChars, PercentUAllowed) per http://support.microsoft.com/kb/820129 but that has not helped. Setting AllowRestrictedChars and a custom 400 page has fixed urls such as http://stackoverflow.com/%12 but not /%.

How to resolve FTP Error “Failed to retrieve directory listing” for Administrator account in IIS 7.5

Using my administrator account, I FTP connected to my IIS 7.5 FTP Site with FileZilla. I was able to successfully upload a file, but I keep getting a "Failed to retrieve directory listing" in response.

In passive mode, the command, response and error are:

Command:    LIST
Response:   150 Opening BINARY mode data connection.
Response:   550 The network connection was aborted by the local system. 
Error:  Failed to retrieve directory listing

In active mode, the command, response and error are:

Command:    PORT 192,168,1,129,102,151
Response:   501 Server cannot accept argument.
Error:  Failed to retrieve directory listing

What have I done wrong?

Should I impersonate PHP via FastCGI?

I am installing the latest version of PHP onto IIS 7.5 via FastCGI, and all of the instructions say that FastCGI should impersonate the calling client by setting

 fastcgi.impersonate = 1

If my website will have this configuration

• dedicated application pool
• application pool identity of ApplicationPoolIdentity
• anonymous authentication only (as IUSR)

why do I want to impersonate?

I come from an ASP.NET background, where the IUSR gets read-only permissions and the application pool identity gets any write permissions. Giving write access to the IUSR usually opens the door for WebDAV vulnerabilities. So I hesitate to let PHP run as the IUSR.

I can't find many people asking this question (1 | 2) so I think I must be missing something. Can someone clarify this for me?

How to disable SSL 2.0 on IIS 7.5? [duplicate]

I've seen this KB Article which Microsoft put out covering how to remove SSL 2.0 on IIS 7.0 and earlier, but I can't find anything advising on how to do the same on IIS 7.5. The registry keys mentioned on that KB article are no longer in the registry.