IIS Insider - September 2005

By Mike Everest, CTO, Xilo Online Pty Ltd and Chris Adams, Program Manager, Microsoft Corporation

Repeat IIS Login to Specific Subdirectory

Q. My customer wants to force a secondary Web site login before accessing some private documents. (This user, who is a school teacher, is concerned that some fast-fingered student could continue a browser session and link to an exam.)

I've got Basic authentication going now. I can't see a way to cause IIS to instruct IE to null the user's existing authentication such that the next page browsed would require an additional logon.

Any ideas?

A. First, a little bit of background.

When a Web server requires authenticated access and the browser has not provided valid credentials, the server responds with a 401 HTTP response, which is interpreted by the browser as "Need to Supply Username and Password."

This response is what causes the browser to pop up the authentication dialog, if necessary. The default behaviour for integrated Windows authentication is to use the credentials of the currently logged on user; therefore, it is not necessary to ask for credentials. Integrated Windows authentication only prompts the user when the supplied credentials do not have access to the content, or when a proxy that does not support NTLM sits between the client and the server.

In other words, once authenticated, the browser remembers the username and password used to access that Web site, and will send the credentials with every subsequent request to that site. The way that the browser identifies that site is the key to the solution to the question.

When the Web server sends a 401 (Authentication Required) response, it may provide an identifier called the realm that the browser uses as a key to "remember" which site matches the cached user credentials. In order to require different credentials (or even resubmission of the same credentials!) for different parts of the same Web site, we can use this realm value.

Note: The realm value is only relevant when the authentication type is a plain-text mechanism such as Basic authentication. Therefore, using the method described below requires that user credentials are submitted in an insecure fashion. It is highly recommended that the credentials are protected through the use of an SSL layer on the Web request (for example: an HTTPS connection).

IIS 6 provides a simple interface to control the value of the realm presented. Here's how:

  1. Open IIS Manager, navigate through the branches to find the folder containing the protected content.

  2. Right-click the folder, select Properties.

  3. Select Directory Security, Edit Authentication and Access Control.

  4. Select "Basic" (uncheck the others) and enter descriptive values in the "Realm" field (for example: "secured" or "authorized only access").

  5. Click OK to all open dialog boxes (no restart of IIS or Windows is required).

Now, when the user browses to that folder, an authentication prompt will appear, regardless of the logon state to the rest of the site, or the location they are browsing from (such as the Internet or intranet).
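As an added illustration (not code from the original column), the following Python model shows the exchange the answer describes: each folder carries its own realm, the server answers 401 with a WWW-Authenticate: Basic realm="..." header until valid credentials arrive, and the browser is modeled as remembering credentials per realm and resending them automatically only to folders that have already challenged it, which is the behaviour the answer relies on. The realm values, account and paths are constructed, and decode_basic shows that a captured Basic header is only base64, which is why the note above insists on SSL.

```python
import base64

# Constructed stand-ins for the per-folder Realm settings and the account Basic auth checks.
REALMS = {"/": "school", "/exams": "secured"}
USERS = {"teacher": "s3cret"}


def realm_for(path):
    """Longest matching folder prefix wins, like folder-level settings in IIS."""
    best = "/"
    for prefix in REALMS:
        if path.startswith(prefix + "/") and len(prefix) > len(best):
            best = prefix
    return REALMS[best]


def decode_basic(header):
    """A Basic header is only base64, not encrypted: anyone on the path can read it."""
    user, _, password = base64.b64decode(header[len("Basic "):]).decode().partition(":")
    return user, password


def serve(path, authorization):
    """One request to an IIS folder with Basic auth: 200, or 401 plus the folder's realm."""
    if authorization and authorization.startswith("Basic "):
        user, password = decode_basic(authorization)
        if USERS.get(user) == password:
            return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm_for(path)}


class Browser:
    """Remembers credentials per realm; resends them only to folders that already challenged."""
    def __init__(self, user, password):
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.header = "Basic " + token
        self.prompted = set()      # realms the logon dialog has been shown for
        self.folder_auth = {}      # folder -> header the browser now sends automatically

    def get(self, path):
        folder = path.rsplit("/", 1)[0] + "/"
        status, headers = serve(path, self.folder_auth.get(folder))
        if status == 401:
            realm = headers["WWW-Authenticate"].split('realm="')[1].rstrip('"')
            self.prompted.add(realm)   # unseen realm -> the user is asked to log on again
            self.folder_auth[folder] = self.header
            status, headers = serve(path, self.header)
        return status


def session(paths, user="teacher", password="s3cret"):
    """Browse the paths in order; return the status codes and how many realms prompted."""
    browser = Browser(user, password)
    return [browser.get(p) for p in paths], len(browser.prompted)
```

A second prompt appears on the first visit to /exams even though the same account is used, exactly the "resubmission of the same credentials" case the answer mentions.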

Automatic "Web Site Offline" Notice

Q. I need to take a Web site offline for maintenance. My IIS server hosts many individual Web sites, so I can't just set up a temporary server without taking all the other Web sites offline too. I need to be able to stop just one to update content and perform other planned maintenance tasks.

Specifically, I need to:

  1. Redirect external requests for any file on the Web site to a single page that says Web site is down for maintenance.

  2. This needs to be done in a way so that internally (on the LAN) we can still use Web site management tools like FrontPage 2003 to publish updates to the Web site.

A. Here is one technique you can use:

First, make sure that all Web sites have host headers configured, as well as a specific IP address. Select the "Web sites" node in IIS Manager, and review the list of Web sites in the right hand pane. Make sure that there is a value under the "Host header" column for every Web site, and that none of them lists "All unassigned" as the IP address.

If one or more of the sites requires multiple IP addresses or multiple host header values, add them explicitly where needed.

Now we are ready to set up a default holding page:

  1. Create a new virtual Web site called something like "offline"

  2. Set the IP address to "All unassigned" and no host header

  3. Make the root location some place like c:\inetpub\offlineroot or something similar.

  4. In that root path, make a new file called "default.htm" and put your offline message in there, like this:

    <html>
      <head>
        <title>Sorry this Web site is unavailable</title>
      </head>
      <body>
        This Web site is offline for maintenance
      </body>
    </html>

  5. Right-click the new "offline" Web site you have just created and select HTTP headers. Click Custom errors and find the entry for "404 - Page Not Found."

  6. Set that custom file to c:\inetpub\offlineroot\default.htm

Now, when you need to perform maintenance on one of the Web sites, simply right-click the Web site icon and select stop in IIS Manager.

Requests for that site are then handled by the "offline" site, and every request to it returns your custom 404 page with the offline status message.
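As an added model (not the column's own code) of why the technique works: bindings are written in the metabase ServerBindings form ip:port:hostheader, route picks the serving site the way the answer relies on, with a specific IP and host header outranking the "All unassigned", no-host-header "offline" site and stopped sites not competing at all, and unprotected automates the precondition check from the first paragraph of the answer. The site names, addresses and the exact precedence order are assumptions.

```python
# Constructed site table mirroring the "Web sites" view in IIS Manager. Bindings use the
# metabase ServerBindings form "ip:port:hostheader"; an empty ip means "All unassigned".
SITES = [
    {"name": "school", "bindings": ["10.0.0.5:80:www.school.example"], "running": True},
    {"name": "hr", "bindings": ["10.0.0.5:80:hr.school.example"], "running": True},
    {"name": "offline", "bindings": [":80:"], "running": True},
]


def parse_binding(binding):
    ip, port, host = binding.split(":", 2)
    return ip, int(port), host.lower()


def unprotected(sites, catch_all="offline"):
    """Sites the answer's precondition rejects: no host header or "All unassigned" IP.
    Such a site competes with the catch-all instead of falling back to it when stopped."""
    bad = []
    for site in sites:
        if site["name"] == catch_all:
            continue
        if any(ip == "" or host == "" for ip, _, host in map(parse_binding, site["bindings"])):
            bad.append(site["name"])
    return bad


def route(sites, ip, port, host):
    """Modeled HTTP.sys site selection (assumed order): a binding matches when its port equals
    the request port and its ip/host are equal to the request's or empty; an exact IP outranks
    "All unassigned" and an exact host header outranks none. Stopped sites do not compete."""
    best, best_score = None, -1
    for site in sites:
        if not site["running"]:
            continue
        for b_ip, b_port, b_host in map(parse_binding, site["bindings"]):
            if b_port != port or b_ip not in ("", ip) or b_host not in ("", host.lower()):
                continue
            score = 2 * (b_ip != "") + (b_host != "")
            if score > best_score:
                best, best_score = site["name"], score
    return best


def set_running(sites, name, running):
    """Equivalent of right-clicking the site in IIS Manager and choosing Stop or Start."""
    return [dict(s, running=running) if s["name"] == name else s for s in sites]
```

Once a site is stopped, every request for its host header lands on "offline", whose only content is default.htm, so any other path produces the custom 404 page configured in step 6.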

Using Custom Errors from Another Application Pool

Q. We have two sites, one running under the default application pool and the other running under an HR App Pool, that use the same custom error pages to avoid storing multiple copies of the content on the server. We direct requests for both sites that result in a "404" error message to a virtual directory located in Site 1 (for example: /errors). This virtual directory has a default document, 404error.aspx.

These custom errors (and others) work fine as long as they run in the same application pool but fail when divided between two application pools (a pool per site). When we have individual application pools and attempt to access a site that invokes the custom error, we receive the 403.18 error message: "The Specific Request Cannot Be Executed from Current Application Pool." What do we have to do to get this to work properly?

A. The first thing to understand about your setup is that IIS executes the custom error page just as if it were a new request. It does this using the server support function ExecURL, which allows the current request to execute another request.

The failure occurs because this child request is for a URL that is not hosted in the same application pool. This is confirmed by the fact that both sites worked when they ran in the "DefaultAppPool" but failed in your original configuration.

When IIS executes this request, it will review the metadata for that URL just as it does any other request. At that point, it determines that the request should be executed out of the "DefaultAppPool."

There are two ways to correct this behavior. The first may not be one that you are interested in, because it would require you to change your current architecture and run both sites in the same application pool (that is, share the same worker process memory space). To do this, simply move the /errors virtual directory to run in the same application pool as the site for which it serves the custom error.

The second way is to make use of a registry value provided by IIS 6.0. This value tells IIS 6.0 not to check the application pool metadata while executing the custom error, which allows the cross-pool request to succeed. Because it lives under the W3SVC service node, it applies to every site on the server, not only the two in question.

NOTE: It is recommended you back up your registry before modifying the registry with the new data. If you use Registry Editor (Regedit.exe) incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

We add a DWORD value named IgnoreAppPoolForCustomErrors, set to 1, under the W3SVC service node. To do this, perform the following:

  1. Click Start, click Run, type Regedit, and click OK.

  2. In the Registry Editor, navigate to the following location:

  3. In Services, locate the W3SVC node and double-click it.

  4. Add the value by choosing Edit, New, DWORD Value, and name it IgnoreAppPoolForCustomErrors.

  5. Double-click the new DWORD value, and modify the Value data to equal 1 (decimal).

  6. Select File, then Exit (to leave the Registry Editor).

  7. Finally, restart the W3SVC service, which can be done at the command prompt (or in Services in the Administrative Tools folder):

    iisreset

    This should allow your current setup to work.

The final option is simply to have unique custom error pages for each site. This is the "typical" approach, and it keeps the custom errors loading in the same worker process as the site that raised them.

For More Information

Submit your questions to the IIS Insider. A response is not guaranteed; however, selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months' questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.