What is the Default location of IIS Logs? And how to change the folder path?
The default location for IIS logs is C:\Windows\System32\LogFiles, with files named in the W3SVC\exyymmdd.log format. To customize this path,
go to website Properties -> Enable logging -> Properties.
How many web.config files are there in one project, and can we overwrite the web.config files?
Multiple
Performance Monitor: Configure counters to watch resource usage over time. Use the usage information to gauge
the performance of IIS and determine areas that can be optimized.
Access logs: Use information in the access logs to find problems with pages, applications, and IIS. Entries logged
with a status code beginning with a 4 or 5 indicate a potential problem.
Event logs: Use information in the event logs to troubleshoot system-wide problems, including IIS and Indexing
Service problems.
Many other monitoring tools are available in the Microsoft Windows 2000 Resource Kit. The resource kit tools you'll want to use include:
HTTP Monitoring Tool: Monitors Hypertext Transfer Protocol (HTTP) activity on the server and records the tracking information to a
file or to the Windows Event logs. The information tracked can alert you to changes in HTTP activity. You can import the output file
generated by the tool directly into Microsoft SQL Server as well.
Playback: A tool suite that includes two components, PLAYBACK.EXE and RECORDER.DLL. RECORDER.DLL records
ongoing activity at a Web site so that it can be played back. PLAYBACK.EXE plays back the recorded activity on a Web site so that you
can simulate real-world traffic on development or testing servers.
Web Application Stress Tool: Simulates Web activity so that you can evaluate server performance. Parameters you can set
include the number of users, the frequency of requests, and the type of request. The tool produces a detailed report that tells you the
number of requests, number of errors, elapsed time for processing requests, and more.
Web Capacity Analysis Tool (WCAT): Tests different server and network configurations using workload simulations and
content developed specifically for WCAT. When you change your hardware and software configuration and repeat the testing, you can
identify how the new configuration affects server response.
http://technet.microsoft.com/en-us/library/bb727100(TechNet.10).aspx
What is the default value for HTTP Keep alive? And where you find this option?
The default value for Enable HTTP Keep-Alives is 120. The option is on the Connections tab of the Web site properties.
Process Crashes
Process Hangs or Slow Performance
Memory or Handle Usage
Analyzing Memory Dumps
Crash/Hang Analyzers
Memory Pressure Analyzers
http://www.microsoft.com/downloads/details.aspx?FamilyID=28bd5941-c458-46f1-b24d-f60151d875a3&displaylang=en
UrlScan Security Tool: This tool helps prevent potentially harmful HTTP requests from reaching IIS Web servers.
IIS Lockdown Tool: This tool reduces the attack surface of earlier versions of Internet Information Services
(IIS) and includes URLScan to provide multiple layers of protection against attackers.
What is a virtual directory? How do you create one? And what are its advantages?
A virtual directory is a directory that is not contained in the home directory but appears to client browsers as though it were.
An IIS Virtual Directory is essentially an alias to the physical directory. The IIS Virtual Directory is a directory name, which may be
accessed from the Internet to access the physical directory on the server. For creating Virtual Directories open IIS, expand the Web
Sites or FTP Sites folder, right-click the site or folder within which you want to create the virtual directory, point to New, and then click
Virtual Directory. The Virtual Directory Creation Wizard appears.
There are several ways you can open the Internet Information Services tool.
Method 1: Open the 'Control Panel', select 'Administrative Tools' and then double click the shortcut 'Internet Information Services'
Method 2: Go to the "start" menu, select "Run" and then type "inetmgr". Press "OK" to open the IIS tool.
The IIS admin tool looks like this:
In the above image, the name "MANJU" represents the computer name. Under the node "Web Sites", it displays all the web sites. When
you install IIS, it creates a default web site for you. Under the "Default Web Site" node, you can see all virtual directories listed.
Only on server operating systems like 'Windows 2000 Server' or 'Windows 2003 Server', you can create multiple Web Sites. In other
systems like Windows XP, Windows 2000 Professional etc, you can have only 1 web site (which is the 'Default Web Site' created by the
system). But you can have any number of web applications under this default web site. Each web application will need to be created as
a 'virtual directory' under any one of the 'web sites'. If you do not have a server operating system, you have to always create your web
applications under the 'Default Web Site'.
Each web application you create on your machine needs a virtual directory. In the above image, we have two web applications (named
'WebApplication1' and 'WebApplication2').
When you create a new ASP.NET project using Visual Studio .NET, it will automatically create a virtual directory for you.
For example, if you create a new ASP.NET project using Visual Studio .NET called "ShoppingCart", it will create a new virtual directory
with the name "ShoppingCart". After you create the ASP.NET project, you can see the virtual directory listed in the IIS.
You can right click on the virtual directory name in IIS and select 'Properties' to view various properties of the virtual directory. One
important property is "Local Path". The "Local Path" property represents the actual location of the web application.
By default, when you create a new ASP.NET project, Visual Studio creates the project under the folder "C:\Inetpub\WWWRoot". For
example, if you create a new ASP.NET project called "ShopCart", VS.NET creates a folder called "C:\Inetpub\WWWRoot\ShopCart" and
all files related to the project will be placed inside this folder. This folder will be set as a "Virtual Folder" so that you can access the web
site using the URL "http://localhost/ShopCart".
If you are working on several projects, you may want to organize your projects in some specific folder instead of
"C:\Inetpub\WWWRoot". To do that, create a virtual folder manually before you create the project.
For example, if you need to create an ASP.NET application called "Shopcart" under the folder "C:\MyProjects", first create the folder
"C:\MyProjects\Shopcart". Now convert this folder into a virtual folder. Now you are ready to create the project using VS.NET. If the virtual
folder already exists, VS.NET will NOT create a new virtual folder under the WWWRoot folder. It will use the existing virtual folder.
Virtual directories provide several options:
IIS 5.0
IIS 5.1
IIS 6.0
Platform
NT4
Windows 2000
Windows XP Professional
Architecture
32-bit
32-bit
TCP/IP kernel
TCP/IP kernel
Application
TCP/IP kernel
process model
MTX.exe
application isolation)
application isolation)
Metabase
configuration
Security
Remote
administration
Cluster support
Binary
Binary
Windows
Windows authentication
authentication
SSL
SSL
Kerberos
HTMLA
In
Windows NT 4.0
HTMLA
IIS clustering
Personal Web Manager on
Windows 9x
IIS on Windows 2000
Binary
Windows authentication
SSL
Kerberos
Security wizard
No HTMLA
Terminal Services
XML
Windows authentication
SSL
Kerberos
Security wizard
Passport support
Remote Administration Tool (HTML)
Web Server Appliance Kit (SAK).
Terminal Services
Windows support
Windows support
IIS optionally on
Windows XP Professional
imposed by NTFS file system permissions, that designate the level of access and the type of content that is available to public users.
To edit the Windows account used for anonymous access, click Browse in the Anonymous access box.
Important: If you turn on anonymous access, IIS always tries to authenticate users by using anonymous authentication first, even if you
turn on additional authentication methods.
Integrated Windows authentication: Formerly named NTLM or Windows NT Challenge/Response authentication, this method sends
user authentication information over the network as a Kerberos ticket, and provides a high level of security. Windows Integrated
authentication uses Kerberos version 5 and NTLM authentication. To use this method, clients must use Microsoft Internet Explorer 2.0
or later. Additionally, Windows Integrated authentication is not supported over HTTP proxy connections. This option is best used for an
intranet, where both the user and Web server computers are in the same domain, and administrators can make sure that every user is
using Internet Explorer 2.0 or later.
Note: If multiple authentication options are selected, IIS tries to negotiate the most secure method first, and then it works down the list
of available authentication protocols until both client and server support a mutual authentication protocol.
Digest authentication for Windows domain servers: Digest authentication requires a user ID and password, provides a medium
level of security, and may be used when you want to grant access to secure information from public networks. This method offers the
same functionality as basic authentication. However, this method transmits user credentials across the network as an MD5 hash, or
message digest, in which the original user name and password cannot be deciphered from the hash. To use this method, clients must
use Microsoft Internet Explorer 5.0 or later.
If you turn on digest authentication, type the realm name in the Realm box.
Basic authentication (password is sent in clear text): Basic authentication requires a user ID and password, and provides a low
level of security. User credentials are sent in clear text across the network. This format provides a low level of security because almost
all protocol analyzers can read the password. However, it is compatible with the widest number of Web clients. This option is best used
when you want to grant access to information with little or no need for privacy.
If you turn on basic authentication, type the domain name that you want to use in the Default domain box. You can also optionally
enter a value in the Realm box.
Microsoft .NET Passport authentication: .NET Passport authentication provides single sign-in security, which provides users with
access to diverse services on the Internet. When you select this option, requests to IIS must contain valid .NET Passport credentials on
either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport
logon page.
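The difference between Basic and Digest authentication described above, as an added example that is not part of the original page: the first function recovers the credentials from a Basic Authorization header, the others compute and verify a Digest response the way a server does. The header and field values are the published samples from RFC 2617, and the function names are illustrative.

```python
import base64
import hashlib
import hmac

# Sample values from RFC 2617 (not taken from this page or from any live system).
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_FIELDS = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "uri": "/dir/index.html",
    "qop": "auth",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def decode_basic(authorization):
    """Basic is only base64: anyone who sees the header recovers the password."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, sep, password = base64.b64decode(blob).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """Digest sends an MD5 over the secret, the server nonce and the request."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored_password, fields, method):
    """Server side: recompute the response from the stored secret and compare."""
    expected = digest_response(
        fields["username"], fields["realm"], stored_password, method,
        fields["uri"], fields["nonce"], fields["nc"], fields["cnonce"], fields["qop"],
    )
    return hmac.compare_digest(expected, fields["response"])


if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(BASIC_HEADER))
    print("Digest accepted:", server_accepts("Circle Of Life", DIGEST_FIELDS, "GET"))
    # The same captured response presented against a fresh server nonce fails.
    replayed = dict(DIGEST_FIELDS, nonce="0123456789abcdef0123456789abcdef")
    print("Replay with new nonce accepted:", server_accepts("Circle Of Life", replayed, "GET"))
```

Because the Digest response is bound to the server's nonce, a captured response is not reusable once the nonce changes, whereas a captured Basic header stays valid until the password changes.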
What is HTTP-Analyzer?
It allows you to capture HTTP/HTTPS traffic in real-time. It displays a wide range of information, including Header,
Content, Cookies, Query Strings, Post data, redirection URLs and more. It also provides cache information and session clearing, as well
as HTTP status code information and several filtering options. A useful developer tool for performance analysis, debugging and
diagnostics.
When IIS 6.0 runs in IIS 5.0 isolation mode, HTTP.sys runs like it runs in worker process isolation mode, except that it routes
requests to a single request queue.
If a defective application causes the user-mode worker process to terminate unexpectedly, HTTP.sys continues to accept and
queue requests, provided that the WWW service is still running, queues are still available, and space remains in the queues.
When the WWW service identifies an unhealthy worker process, it starts a new worker process if outstanding
requests are waiting to be serviced. Thus, although a temporary disruption occurs in user-mode request
processing, an end user does not experience the failure because TCP/IP connections are maintained, and
requests continue to be queued and processed.
How Application Pools Work (IIS 6.0)
When you run IIS 6.0 in worker process isolation mode, you can separate different Web applications and Web sites into groups
known as application pools. An application pool is a group of one or more URLs that are served by a worker process or set of
worker processes. Any Web directory or virtual directory can be assigned to an application pool.
Every application within an application pool shares the same worker process. Because each
worker process operates as a separate instance of the worker process executable, W3wp.exe,
the worker process that services one application pool is separated from the worker process that
services another. Each separate worker process provides a process boundary so that when an
application is assigned to one application pool, problems in other application pools do not
affect the application. This ensures that if a worker process fails, it does not affect the
applications running in other application pools.
Use multiple application pools when you want to help ensure that applications and Web sites are confidential and secure. For
example, an enterprise organization might place its human resources Web site and its finance Web site on the same server, but in
different application pools. Likewise, an ISP that hosts Web sites and applications for competing companies might run each company's
Web services on the same server, but in different application pools. Using different application pools to isolate applications helps
prevent one customer from accessing, changing, or using confidential information from another customer's site.
In HTTP.sys, an application pool is represented by a request queue, from which the user-mode worker processes that service an
application pool collect the requests. Each pool can manage requests for one or more unique Web applications, which you assign to the
application pool based on their URLs. Application pools, then, are essentially worker process configurations that service groups of
namespaces.
Multiple application pools can operate at the same time. An application, as defined by its URL, can only be served by one
application pool at any time. While one application pool is servicing a request, you cannot route the request to another application pool.
However, you can assign applications to another application pool while the server is running.
Worker Processes (IIS 6.0)
A worker process is user-mode code whose role is to process requests, such as processing requests to return a static page,
invoking an ISAPI extension or filter, or running a Common Gateway Interface (CGI) handler. We can configure IIS to run multiple
worker processes that serve different application pools concurrently. This design separates applications by process boundaries and
helps achieve maximum Web server reliability.
What are the different errors in IIS, like 500, 200, 404, 300, 400, etc.?
Error or Status Code - Description
100 Series Informational - These status codes indicate a provisional response. The client should be prepared to receive one
or more 1xx responses before receiving a regular response.
100 - Continue.
101 - Switching protocols.
200 Series Success - This class of status codes indicates that the server successfully accepted the client request.
200 - Okay - The client request has succeeded. This status code indicates that the Web server has successfully processed the
request.
201 - Created.
202 - Accepted.
203 - Non-authoritative information.
204 - No content.
205 - Reset content.
206 - Partial content.
300 Series Redirection - The client browser must take more action to fulfill the request. For example, the browser may have to
request a different page on the server or repeat the request by using a proxy server.
302 - Object moved.
304 - Not modified. The client requests a document that is already in its cache and the document has not been modified since it
was cached. The client uses the cached copy of the document, instead of downloading it from the server.
307 - Temporary redirect.
400 Series Client Error - An error occurs, and the client appears to be at fault. For example, the client may request a page that
does not exist, or the client may not provide valid authentication information.
400 - Bad request.
401 - Access denied.
401.1 - Logon failed. The logon attempt is unsuccessful, probably because of a user name or password that is not valid.
401.2
401.3 - Unauthorized due to ACL on resource. This indicates a problem with NTFS permissions. This error may occur even if the
permissions are correct for the file that you are trying to access. For example, you see this error if the IUSR account does
not have access to the C:\Winnt\System32\Inetsrv directory.
401.4
401.5
401.7 - Access denied by URL authorization policy on the Web server. This error code is specific to IIS 6.0.
403 - Forbidden.
403.1 - Execute access forbidden. The following are two common causes of this error message:
You do not have enough Execute permissions. For example, you may receive this error message if you try to access an
ASP page in a directory where permissions are set to None, or you try to execute a CGI script in a directory with Scripts
Only permissions.
The script mapping for the file type that you are trying to execute is not set up to recognize the verb that you are using (for
example, GET or POST).
403.2 - Read access forbidden. Verify that you have Read access to the directory. Also, if you are using a default document, verify
that the document exists.
403.3 - Write access forbidden. Verify that you have Write access to the directory.
403.4
403.5
403.6 - IP address rejected.
403.7 - Client certificate required. You do not have a valid client certificate installed.
403.8
403.9 - Too many users. The number of users who are connected to the server exceeds the connection limit.
403.10 - Invalid configuration.
403.11 - Password change.
403.12 - Mapper denied access. The page that you want to access requires a client certificate, but the user ID that is mapped to
your client certificate has been denied access to the file.
403.13
403.14
403.15
403.16
403.17
403.18 - Cannot execute requested URL in the current application pool. This error code is specific to IIS 6.0.
403.19 - Cannot execute CGIs for the client in this application pool. This error code is specific to IIS 6.0.
403.20
404 - Not found. This error may occur if the file that you are trying to access has been moved or deleted.
404.0
404.1
404.2
404.3
405 - HTTP verb used to access this page is not allowed (method not allowed).
406 - Client browser does not accept the MIME type of the requested page.
407
412 - Precondition failed.
413
414
415
416
417 - Execution failed.
423 - Locked error.
500 Series Server Error - The server cannot complete the request because it encounters an error.
500 - Internal server error. You see this error message for a wide variety of server-side errors.
500.12 - Application is busy restarting on the Web server. Indicates that you tried to load an ASP page while IIS was in the process
of restarting the application. This message should disappear when you refresh the page. If you refresh the page and the
message appears again, it may be caused by antivirus software that is scanning your Global.asa file.
500.13
500.15
500.16 - UNC authorization credentials incorrect. This error code is specific to IIS 6.0.
500.18 - URL authorization store cannot be opened. This error code is specific to IIS 6.0.
500.100 - Internal ASP error. You receive this error message when you try to load an ASP page that has errors in the code.
501
502 - Bad Gateway. Web server received an invalid response while acting as a gateway or proxy. You receive this error
message when you try to run a CGI script that does not return a valid set of HTTP headers.
502.1
502.2
503
504 - Gateway timeout.
505
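The advice earlier on this page to look for access log entries whose status begins with 4 or 5, combined with the status and sub-status codes listed above, as an added example that is not part of the original page. It assumes the log is in W3C extended format with a `#Fields:` header naming `sc-status`, `sc-substatus`, `c-ip` and `cs-uri-stem`; the sample log, the function names and the threshold of three logon failures are constructed for illustration.

```python
from collections import Counter

# Descriptions copied from the status code table on this page.
PAGE_DESCRIPTIONS = {
    "401.1": "Logon failed",
    "401.3": "Unauthorized due to ACL on resource",
    "403.6": "IP address rejected",
    "403.7": "Client certificate required",
    "403.9": "Too many users",
    "404": "Not found",
    "500": "Internal server error",
    "500.100": "Internal ASP error",
}

# Constructed sample (addresses are documentation ranges). The second
# "#Fields:" header, with a different column order, mimics a logging change
# in the middle of a file; the last line is truncated on purpose.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-14 09:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus sc-win32-status
2005-03-14 09:00:01 192.0.2.10 - GET /default.htm 200 0 0
2005-03-14 09:00:05 192.0.2.44 - GET /admin/ 401 1 1326
2005-03-14 09:00:06 192.0.2.44 - GET /admin/ 401 1 1326
2005-03-14 09:00:07 192.0.2.44 - GET /admin/ 401 1 1326
2005-03-14 09:01:10 192.0.2.10 - GET /old/page.htm 404 0 2
2005-03-14 09:02:00 192.0.2.77 - GET /reports/q1.asp 500 100 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-14 10:00:00
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2005-03-14 10:00:03 GET /secure/ 192.0.2.10 403 7
2005-03-14 10:00:04 GET /default.htm 192.0.2.10 304 0
2005-03-14 10:00:09 GET /trunc
"""


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the active #Fields names."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # column layout may change
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed entry: skip rather than mis-assign
        yield dict(zip(fields, values))


def status_key(entry):
    """Combine sc-status and sc-substatus into the dotted form used on this page."""
    sub = entry.get("sc-substatus", "0")
    return entry["sc-status"] if sub in ("0", "-") else entry["sc-status"] + "." + sub


def summarize(lines, logon_failure_threshold=3):
    """Count 4xx/5xx entries by code and URL, and clients with repeated 401.1."""
    by_code, by_uri, logon_failures = Counter(), Counter(), Counter()
    for entry in parse_w3c(lines):
        if entry.get("sc-status", "")[:1] not in ("4", "5"):
            continue
        key = status_key(entry)
        by_code[key] += 1
        by_uri[entry.get("cs-uri-stem", "-")] += 1
        if key == "401.1":
            logon_failures[entry.get("c-ip", "-")] += 1
    return {
        "by_code": dict(by_code),
        "top_uris": by_uri.most_common(3),
        "repeated_logon_failures": {
            ip: n for ip, n in logon_failures.items() if n >= logon_failure_threshold
        },
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for code, count in sorted(report["by_code"].items()):
        print(code, count, PAGE_DESCRIPTIONS.get(code, "(no description on this page)"))
    print("repeated 401.1 by client:", report["repeated_logon_failures"])
```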
%SystemRoot%\system32\inetsrv\MetaBack folder. If you want to save your backup file to another location, you can copy the file
from this default location to another location. Keep a copy in the default location to allow for an easy restoration. Note that by
default, C:\Winnt is the %SystemRoot% folder in Microsoft Windows 2000.
4. Click Close.
NOTE: This backup method provides a way to restore only your IIS settings, not your content files. This backup
method does not work if you reinstall your operating system. Backup files cannot be used to restore an IIS configuration on other
computers that are running Windows 2000.
How to setup a website and how to setup multiple sites on same IP?
Setting Host Headers in IIS 6.0
Preface:
Many people would like to have several web sites hosted on their own computer; for example, hello.domain.com
and goodbye.domain.com both on the same computer. IIS can use host headers to see which site the end user requested, and it will
show the correct web page based on that.
Method:
Load IIS from the Administrative tools in the Control Panel by clicking Start -> Administrative Tools -> IIS Manager (or loading the
Control Panel, entering the Administrative Tools folder, and double clicking IIS Manager).
On the left side, expand your computer name, then click "Web Sites", right click in the right side, put your mouse over "New" and select
"Web Site..."
Click Next in the dialog, then put in a description of the new web site you are creating (can be anything)
Now here's the important part. Go to the last text box and put in what you want the new Host Header to be.
Now put in the path to your new site and make sure you keep "Allow anonymous access" checked.
For added security, if you don't plan on using ASP or anything similar, then uncheck "Run scripts". You can always enable it at another
time.
Put in the TCP port 80 (port 80 is the default website port, so people can type http://some.site instead of having to type
http://some.site:port) and your new header below it
Generating an IIS SSL Certificate Signing Request (CSR) using Microsoft IIS 5.x / 6.x
A CSR is a file containing your IIS SSL certificate application information, including your Public Key. Generate your CSR and email
a copy to Arvind Maskara for the enrollment process:
Generate keys and Certificate Signing Request:
Select Administrative Tools
Start Internet Services Manager
Open the properties window for the website the CSR is for. You can do this by right clicking on the Default Website and selecting
Properties from the menu
Open Directory Security by right clicking on the Directory Security tab
Provide a name for the certificate, this needs to be easily identifiable if you are working with multiple domains. This is for your records
only. If your server is 40 bit enabled, you will generate a 512 bit key. If your server is 128 bit you can generate up to 1024 bit keys. We
recommend you stay with the default of 1024 bit key if the option is available. Click Next
Enter Organisation and Organisation Unit, these are your company name and department respectively. Click Next.
The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your IIS
SSL Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, an SSL Certificate issued for
cscdev.com will not be valid for secure.cscdev.com. If the web address to be used for SSL is secure.cscdev.com, ensure that the
common name submitted in the CSR is secure.cscdev.com. Click Next.
Enter a filename and location to save your CSR. You will need this CSR to enroll for your IIS SSL Certificate. Click Next.
Check the details you have entered. If you have made a mistake click Back and amend the details. Be especially sure to check the
domain name the Certificate is to be "Issued To". Your IIS SSL Certificate will only work on this domain. Click Next when you are happy
the details are absolutely correct.
When you make your application, make sure you include the CSR in its entirety in the appropriate section of the enrollment form, including the
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
Click Next
Confirm your details in the enrollment form
Finish
To save your private key:
Go to: Certificates snap in in the MMC
Select Requests
Select All tasks
Select Export
We recommend that you make a note of your password and back up your key, as only you know these, so if you lose them we can't
help! A floppy diskette or other removable media is recommended for your backup files.
Part 2
Installing your IIS SSL Certificate on Microsoft IIS 5.x / 6.x
1. Installing the Root & Intermediate Certificates:
You will have received 3 Certificates from CSC. Save these Certificates to the desktop of the webserver machine, then:
Click the Start Button, then select Run and type mmc
Click File and select Add/Remove Snap in
Select Add, select Certificates from the Add Standalone Snap-in box and click Add
Select Computer Account and click Finish
Close the Add Standalone Snap-in box, click OK in the Add/Remove Snap in
Return to the MMC
To install the EntrustSecureServerCA Certificate:
Right click the Trusted Root Certification Authorities, select All Tasks, select Import.
Click Next.
Right click the Intermediate Certification Authorities, select All Tasks, select Import.
Complete the import wizard again, but this time locating the TrustedSecureCA Certificate when prompted for the Certificate file.
Ensure that the EntrustSecureServerCA certificate appears under Trusted Root Certification Authorities
Ensure that the TrustedSecureCA appears under Intermediate Certification Authorities
Installing your IIS SSL Certificate:
Select Administrative Tools
Open the properties window for the website. You can do this by right clicking on the Default Website and selecting Properties from the
menu.
Open Directory Security by right clicking on the Directory Security tab
Choose to Process the Pending Request and Install the Certificate. Click Next.
Enter the location of your IIS SSL certificate (you may also browse to locate your IIS SSL certificate), and then click Next.
Read the summary screen to be sure that you are processing the correct certificate, and then click Next.
You will see a confirmation screen. When you have read this information, click Next.
You now have an IIS SSL server certificate installed.
Important: You must now restart the computer to complete the install
You may want to test the Web site to ensure that everything is working correctly. Be sure to use https:// when you test connectivity to the site.
Restarting or stopping IIS, or rebooting your Web server, is a severe action. When you restart the Internet service, all sessions
connected to your Web server (including Internet, FTP, SMTP, and NNTP) are dropped. Any data held in Web applications is lost. All
Internet sites are unavailable until Internet services are restarted. For this reason, you should avoid restarting, stopping, or rebooting
your server if at all possible. IIS 6.0 includes application pool recycling and several other features that provide alternatives to restarting
IIS. For a list of features designed to improve IIS reliability and remedy the need to restart IIS, see "Alternatives to Restarting IIS" in this
topic.
Note
Changes to the metabase can be lost when restarting IIS. To avoid losing metabase changes and to trigger history files that back up the
metabase, use the SaveData method. For more information about the SaveData method, see "SaveData" in the Platform SDK on
MSDN.
With IIS 6.0, the World Wide Web Publishing Service (WWW service) lives in the service host, Svchost.exe. The FTP, NNTP, and SMTP
services and the IIS metabase, known as the IIS Admin service, live in Inetinfo.exe. If the IIS Admin service terminates abnormally, IIS
restarts automatically. This feature is known as Automatic Restart. Previously, in IIS 5.0, if the IIS Admin service terminated abnormally,
both the WWW service and IIS Admin service had to be restarted because they shared the same application space. In IIS 6.0, if the IIS
Admin service terminates abnormally, the WWW service does not go down because the IIS Admin service and the WWW service run in
separate process spaces. In this case, the WWW service acknowledges that the metabase has terminated abnormally and checks to
see if the IISReset command-line utility is configured on the IIS Admin service. If IISReset is configured on the IIS Admin service, IIS
waits for the IIS Admin service to start again and reconnects the WWW service.
All of the Internet services listed below, if installed, are affected when you restart IIS. Not all of the services listed below are installed by
default.
Service: Description
IIS Admin service: This service manages all the services of IIS other than the WWW service (FTP, NNTP, and SMTP).
WWW service: This service provides Web connectivity between clients and Web sites.
FTP service: This service provides FTP connectivity and administration through IIS Manager.
SMTP service: This service transports electronic mail across the network.
NNTP service: This service transports network news across the network.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As
a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas
command to run IIS Manager as an administrator. At a command prompt, type
runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc"
Procedures
To restart IIS using IIS Manager
1. In IIS Manager, right click the local computer, point to All Tasks, then click Restart IIS.
2. In the What do you want IIS to do list, click Restart Internet Services on computername.
3. IIS attempts to stop all services before restarting. IIS waits up to five minutes for all services to stop. If the services cannot be
stopped within five minutes, all IIS services are terminated, and IIS restarts. In addition, clicking End now forces all IIS services to stop
immediately, and IIS is restarted.
Important
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best
practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run
your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a
command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).