IIS Insider - September 2004

  • Article

By Brett Hill

Can I Customize IIS 6 Error Messages?

Q: On our IIS 6 server, it is necessary occasionally for us to shut down our production application pool for maintenance. During that time, IIS 6 sends only very basic message to the client as shown:

If your browser does not support inline frames, click here to view on a separate page.

The httperr logs show the following entry:

2004-08-26 17:06:33 127.0.0.1 1035 127.0.0.1 80 HTTP/1.1 GET / 503 1 Disabled

From this we can see that the error is recorded as 503.1, but the user does not get this or any other information. We would like to able to customize this error message in order to present our company logo and other information to the customer about when the site will be back up. How can we do this?

A: The IIS 6 architecture introduces the http.sys component which runs in kernel mode. Many IIS 6 errors can be customized, but those which are delivered by http.sys cannot be modified. There are a couple of reasons for this:

First, it is very important that no user code runs in the kernel. Many customized error pages are actually script or programs that operate on the error to take specific actions as required by our organization. If these programs were permitted to run in kernel mode, it could have severe security or performance issues should that code be buggy.

Second, if you don't run the code in the kernel then you have to hop to user mode to execute the code and since the application pool is not available, what pool should be used? There are a host of assumptions that would need to be made.

These complexities aside, I agree that being able to send these requests to at least a custom static page would be useful.

Until that feature appears (and I don't know if it will), you have other choices. One choice would be to have a second server that is a clone of the first that you use in an NLB cluster. One of the chief benefits of this kind of arrangement is the ability to take an entire server offline without interruption in service.

Alternately, create a duplicate website on the same box and uses a different application pool. Turn the production site off and then turn on the duplicate. This is often easier to do than it sounds.

Finally, you can setup a simple site whose purpose is to deliver a "Site undergoing maintenance" message that conforms to your requirements. Set this site up to respond to the same IP+Port number+Host Header configuration used on your production site and configure it run a unique application pool. Turn off your production site and turn on the "in service" site. Once your maintenance is completed, you can turn off the in service site and enable the production site.

Any of these options will give you control of what happens when you bring your site down for maintenance.

Windows XP SP2 and IIS 5.1

Q: We are wondering if there are any changes for IIS 5.1 on Windows XP Pro related to SP2?

A: IIS 5.1 for the most part behaves the same pre and post SP2, but there are some things to be aware of. If you slipstream an installation of XP SP2 and then install IIS 5.1 you will find some differences in the way the default configuration is setup.

(from https://go.microsoft.com/fwlink/?LinkId=28022):

  • The "Check if file exists" check box is selected for newly registered ISAPIs.
  • Request size limits are reduced to 16k.
  • No executable virtual directories are present by default.
  • No samples are shipped.
  • The Front page server extensions configuration option is not selected for installation.

You will not see any differences in the above settings if you install SP2 on XP Pro where IIS 5.1 is already installed.

The new SP2 firewall can block incoming connections to IIS 5.1 so after installation, you should add an exception to the firewall for the ports that IIS uses, typically port 80.

Finally, if a client uses a web folder via WebDAV to connect to your IIS 5.l services, it will not be allowed if:

  • The client is using XP and has applied SP2
  • The client is connecting to IIS 5.1 with a web folder created using My Network Places (as opposed to Internet Explorer)
  • The folder on IIS requires Basic authentication

In this specific case, WebDAV is disabled because Basic authentication is an unsecured protocol. This can be re-enabled if needed. You can enable BasicAuth by adding the following registry key and setting it to a non-zero value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services \WebClient\Parameters\UseBasicAuth (DWORD)

See https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx for all the details regarding XP SP2 and changes in functionality.

Groups, Domains, and Forests with IIS 5.

Q: I have installed IIS5 on Windows 2000 Server. It is a member of an NT4 domain. Now my client wants to move this server to a workgroup (as a stand alone server). Later the client intends to move the server back to a different NT4 domain or possibly join to AD Forest. The server currently has two ASP applications that each access a SQL backend.

Can change my server from domain to workgroup to domain/AD at will without reinstalling IIS5?

A: IIS 5 and IIS 6 both operate independently of domain membership. In other words, IIS doesn't care if you are stand alone or a member of the domain. So, yes, you can join and unjoin without problems. There are a few things to keep in mind. You cannot join or unjoin a domain if you have Certificate Services installed. Certificates Services can be a very important part of a network and you wouldn't want just any ole certificate server to be online. Also, identity any domain level dependencies you have. Examples would include NTFS permissions assigned to local resources for domain users or groups, SQL authentication that relies on domain privileges, or changing the anonymous user to a domain account. If you can identity these dependencies, or if you have none, then IIS is can be joined and unjoined with no problems.