IIS Insider - August 2002
By Brett Hill
How To Run CDONTS As An Out-of-Process Application
Q: We host many web sites on our servers and it is my understanding that it is preferable to run web sites on IIS 5 in the pooled out-of-process mode. When we do this, I cannot get CDONTS to work. My question is: does it matter if I run sites in the same process as IIS, or is there a way to get CDONTS working with the "pooled" setting?
A: (References: See IIS Insider February 2002 - http://www.microsoft.com/technet/community/columns/insider/iisi0202.mspx and December 2001 - http://www.microsoft.com/technet/community/columns/insider/iisi1201.mspx columns). You have two questions here. Question 1 is "Should you run applications in-process or is it better to run applications in the application pool on IIS 5?" Question 2 is "How should I configure permissions for running CDONTS out-of-process?" Let's start with the second question first.
Collaborative Data Objects for NT (CDONTS) is an easy-to-use means for delivering mail through the SMTP server on Windows NT 4.0 and Windows 2000. (Starting with Windows 2000, it is recommended that you use CDOSYS instead of CDONTS.) These objects run in the context of the process that invokes them instead of in the context of the user that runs the page. When you run CDONTS from a page as part of an application that is marked to run "in-process" (Low Application protection in IIS 5 or the default settings in IIS 4), CDONTS runs as the SYSTEM account because that is the account running the INETINFO process. If you set the application protection in IIS 5 to Medium (pooled out-of-process) or High (out-of-process), or in IIS 4 set the checkbox marked "Run in an isolated process", then CDONTS runs as the user hosting the out-of-process application (MTX for IIS 4 and DLLHOST in IIS 5). In either case, the IWAM_<SERVERNAME> user is used to host the out-of-process applications. Consequently, you will need to assign Add rights to the Mailroot\Pickup folder for the IWAM user account.
Now, about that first question: "Does it matter if I run sites in the same process as IIS?" Yes, it matters. As explained above, applications running in the same process as IIS are running as the SYSTEM account. If your application can be made to fail in such a way as to give a hacker access to the server, that access would be as the SYSTEM account, which has access to just about everything on the server. On the other hand, if your application runs out-of-process and fails in the same way, the hacker's access is limited to those rights provided to the IWAM_<servername> user. This user account should have very limited rights. Keep in mind that the IWAM_<servername> user account is a member of the Users, Authenticated Users, and Everyone local groups. Running the IIS Lockdown Tool and allowing it to set permissions for you will go a long way in limiting access to the server for the IWAM_<servername> and the IUSR_<servername> accounts.
Regarding performance, you will find that applications running in-process perform better than those that run out-of-process, although performance in IIS 5 pooled out-of-process setting (Medium application protection) is generally excellent.
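The following audit script is an added example, not part of the original column: it reads each web site's application protection setting from the IIS metabase through ADSI and reports which account the application code (and therefore CDONTS) runs as, so that in-process applications running as SYSTEM can be found. It assumes the local metabase path IIS://localhost/W3SVC, the AppIsolated values 0 (in-process), 1 (out-of-process) and 2 (pooled), and the default IWAM_<servername> identity described above; the script file name is arbitrary.

```vbscript
' Added example: list application protection for every IIS 5 web site.
' Run on the server as an administrator:
'   cscript //nologo audit_isolation.vbs
Option Explicit

Dim w3svc, site, inProcCount
inProcCount = 0

' Map the metabase AppIsolated value to the protection level and the
' account that hosts the application, as described in the column.
Function Describe(level)
    Select Case level
        Case 0
            Describe = "Low (in-process, INETINFO) -> SYSTEM"
        Case 1
            Describe = "High (out-of-process, DLLHOST) -> IWAM_<servername>"
        Case 2
            Describe = "Medium (pooled, DLLHOST) -> IWAM_<servername>"
        Case Else
            Describe = "unknown AppIsolated value " & level
    End Select
End Function

' Report a node and recurse into its virtual directories. AppIsolated is
' inherited, so a virtual directory that is not its own application
' shows the setting of the application that contains it.
Sub Audit(node)
    Dim child
    WScript.Echo "  " & node.ADsPath & "  " & Describe(node.AppIsolated)
    If node.AppIsolated = 0 Then inProcCount = inProcCount + 1
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Then Audit child
    Next
End Sub

Set w3svc = GetObject("IIS://localhost/W3SVC")
For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
        Audit GetObject(site.ADsPath & "/Root")
    End If
Next

WScript.Echo inProcCount & " node(s) run in-process as SYSTEM"
' A non-zero exit code lets a scheduled check flag the server for review.
If inProcCount > 0 Then WScript.Quit 1
```

Any node reported as Medium or High needs the IWAM account to hold Add rights on the Mailroot\Pickup folder before CDONTS can deliver mail from it.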
Does Number of Client Access Licenses Correlate with Number of Web Sites You Can Host?
Q: We bought 5 client access licenses with our Windows 2000 standard server. Does it mean that IIS only can host 5 web sites?
A: Licensing IIS servers is often misunderstood. Obtaining the right number of Client Access Licenses is important but that is only part of the story.
It all hinges on what you mean when you say you want to "host" web sites. Standard Licensing specifies that you may not use the software for "commercial hosting". So if you plan to sell the use of your IIS server, as a web hosting provider does, you are required to become a Microsoft Certified Partner and obtain proper licensing. There are two ways to meet this requirement, the most common of which is to purchase a Service Provider License Agreement. See http://www.microsoft.com/serviceproviders/licensing/default.asp for details. Once obtained, you are not limited in the number of sites you can host on a single server.
On the other hand, if, for example, your company makes paper airplanes and you wish to sell them using IIS on your server, you are not providing commercial hosting so you do not need a Service Provider License Agreement.
So what about Client Access Licenses? You need a Client Access License for every user that you authenticate with the local SAM or Active Directory, except for the IUSR_<servername> account using anonymous authentication. To quote from http://www.microsoft.com/windows2000/server/howtobuy/pricing/model.asp, "Access to Internet sites by anonymous users does not require a CAL."
In other words, you can have five users authenticated to user accounts on your server and an unlimited number of anonymous users browsing IIS. This can all be with one web site or as many web sites as your server will manage. So, the number of CALs is independent of the number of web sites you can host.
Software That Analyzes IIS Log Files
Q: We would like to analyze the log files from our IIS 4 and IIS 5 servers. Does Microsoft make any software that will produce traffic reports from these files?
A: Site Server Express on the Windows NT 4 Option Pack CD can be used to analyze log files from both IIS 4 and IIS 5. Site Server Express cannot be installed on Windows 2000 but will report on logs generated by an IIS 5 server. By the way, if you upgrade an NT4 server running Site Server Express to Windows 2000, it will continue to run. Although still available on the NT4 Option Pack CD, Site Server Express is no longer supported.
Commerce Server 2002 can import and do analysis on IIS log files. Along with analysis functions it also performs data warehousing of the IIS data. To read more about the Commerce Server Analysis & Data Warehouse functions, you can find initial summary information at http://www.microsoft.com/commerceserver/evaluation/overview/smart.asp. Just scroll to the Business Analytics System. You can also download the latest documentation on Commerce Server 2002 at http://www.microsoft.com/commerceserver/techinfo/productdoc/2002/CSdownload.asp for more details.
Also, SharePoint Team Services provides some traffic reporting features, as detailed at http://www.microsoft.com/technet/prodtechnol/sppt/sharepnt/fpseusag.mspx.
In addition to these Microsoft products, there are numerous third-party applications for processing IIS log files.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.