IIS Insider - February 2006
By Jeffrey C. Tindillier, IIS MVP, iis-resources.com
IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS).
.gif)
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real companies, organizations, products, domain names, e-mail addresses, logos, persons, places, or events are intended or should be inferred.
Setting Up NTFS Permissions for IIS 5.1
Fac1
Q. I am using a Microsoft Access database as the backend for an IIS 5.1-based Web site that I am creating. When I try to do an insert, I get an error message stating that I can not insert a new row. I believe that I need to set NTFS permissions on my database to fix this problem. How do I go about setting the appropriate permissions?
A. IIS 5.1 is part of Windows XP Professional and offers a low-cost solution for developing Web applications. IIS 5.1 should be used for development purposes only, such as what you are attempting to do. To help ensure your system's security, it is recommended that you have the following installed:
To address your question, the general rule is you should not need to set NTFS permissions on a system running Windows XP Professional. You can modify the permissions on a Windows XP Professional system, but do so cautiously to ensure that you do not cause any further problems.
By default, you cannot set permissions on systems running Windows XP Home Edition or Windows XP Professional because Simple File Sharing is enabled. (Windows XP Home Edition-based computers always have Simple File Sharing enabled.)
To disable Simple File Sharing in Windows XP Professional
Open Windows Explorer.
On the Tools menu, click Folder Options.
Click the View tab, click to clear the Use simple file sharing (recommended) checkbox, and then click OK.
.gif)
Now, add your computer name to your database:
Open Access, right-click your database, and then click Properties.
If your browser does not support inline frames, click here to view on a separate page.
Click the Security tab, and then click Add. The Select Users or Groups dialog box opens.
.gif)
Type IUSR_MachineName where MachineName is the name of your computer. In this example, my computer is named JCT-BF084D4751B, so I would type JCT-BF084D4751B and click Check Names. This will verify that that I am using the correct Anonymous User identity.
Note: Windows XP will append the computer name to the user account when you click Check Names.
Your Web site code should now be able to do database inserts.
.gif){kind=link}
For further details about Windows XP Professional, IIS 5.1, and NTFS permissions, see Knowledge Base article 308418.
Obtaining IIS Version 7
Fac2
Q. I�ve been reading a lot on the various blogs and Web sites out there about the upcoming release of IIS 7.0 and would like to install it on my system. Where can I get more information and download a copy of IIS 7.0?
A. This is one of the most commonly seen questions in the IIS newsgroups and other various online communities. Since the release of Windows 2000, IIS has been a part of the operating system and cannot be downloaded separately. Microsoft plans to ship the next version of its Web server (IIS 7.0) with Windows Vista and the next version of Windows Server code name "Longhorn."
There are a few ways to obtain pre-release versions of IIS 7.0. If you have a TechNet or MSDN subscription, you can participate in the Windows Vista Beta 2 program (which will include IIS 7.0). And, later this year, a Windows Vista public beta program will make pre-release code more widely available for public testing. Pre-release versions of Windows Server "Longhorn" are currently available only to private beta testers. However, the Community Technology Preview (CTP) program an initiative designed to regularly involve Microsoft customers in the early stages of product development will provide more details of a public pre-release version in the coming months
IIS 7.0 offers a brand-new configuration system, a slick new graphical interface, as well as a first-class diagnostics system to reduce troubleshooting time. Beyond this, for the first time ever, IIS will now be modularized -- allowing administrators or developers to enable/disable any module that can be loaded by worker processes of IIS. For example, if you want to log requests to your Web site, you can install the logging module, or if you want to run .NET, there will be a module for that. For developers, a very exciting part of IIS 7.0 is that users will be able to write their own modules using native (C++) or managed code (.NET) to do various things on IIS 7.0
DNS is set up in a hierarchical fashion, beginning with the TLD. Finding a host address is quite simple-the system first finds the TLD, moves to the correct domain, and then goes out to the host.
Troubleshooting IIS 6 and Kerberos Issues
Fac3
Q. I need help troubleshooting some IIS 6 and Kerberos issues. Are there any how-to guides or checklists available that will assist me in verifying our configuration?
A. Authentication issues often pose problems to users of IIS. Unfortunately, authentication doesn�t offer a clear and decisive resolution, and there could be a number of root causes. The problem you are experiencing using Windows Integrated Authentication is a common issue, and there are several resources to assist you.
In particular, a tool called "Authentication and Access Control Diagnostics 1.0 (AuthDiag)" helps you find problems related to authentication. For training on AuthDiag, see the following webcast:
Using AuthDiag to Diagnose Problems with Authentication and Authorization in IIS
With limited knowledge of your situation, I would like to provide you with a few other items to check:
Do all the servers belong to the same domain/forest? If not, you�ll need to make sure that the appropriate trusts are configured between domains.
Is the IIS Server configured as "trusted for delegation"? This can be done via the Active Directory Users and Computers MMC, as follows:
Domain\Computers\Computer name\Properties\
For Windows 2000-mixed domains:
On the General Tab, select "Trust computer for delegation."
For Windows Server 2003-native domains:
On the Delegation Tab, select at least "Trust this computer for delegation to any service."
Important: After you change this setting in Active Directory, you will need to purge the client-side tickets using kerbtray.exe or by LogOff/LogOn on the client Kerbtray.exe.
Verify that the account that needs to be delegated is not marked as "Account is sensitive and cannot be delegated" in Active Directory. This can be done via the Active Directory Users and Computers MMC.
\UserAccount\Properties\Account Tab\Account options
If the backend server is an MCS cluster, verify the settings described in the Knowledge Base article 235529: Kerberos support on Windows 2000-based server clusters.
On the client computer, verify that Internet Explorer uses Kerberos if offered by IIS6.
In Internet Explorer, click the Tools menu, and then click Internet Options.
Select the Advanced tab, and ensure that the Enable Integrated Windows Authentication option is selected.
If IIS is being load-balanced via NLB, follow the instructions at:https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx.
Now you need to check your IIS 6 configuration:
The client requesting a Web site or virtual directory needs to be impersonated. If the application needs to delegate the authenticated user, verify that the Web site/virtual directory is not configured to use Anonymous Access via the IIS MMC:
\Website\Virtual Directory\Properties\Directory Security\Authentication Methods
"Enable Anonymous Access" is not selected
�����"Integrated Windows Authentication" is selectedAfter verifying that Integrated Windows Authentication is enabled, ensure that Kerberos is possible by reviewing the setting for the following metabase property:
NTAuthenticationProviders
This property must be set to either "Negotiate, NTLM" or "Negotiate" for Kerberos to be available. To verify this, use the following command at the command prompt:
Cscript adsutil.vbs get w3svc/NTAuthenticationProvidersIt should return:
.jpg)
Important: This property can be set at various levels throughout the metabase configuration. To ensure that you are viewing the correct setting, ensure that you locate this property for the Web site, virtual directory, directory, or file for which you want Kerberos to work. You can easily determine if this property is set anywhere within the metabase using the following command:
Cscript adsutil.vbs find NTAuthenticationProviders
If the application running on IIS is an ASP.Net application, make sure the ASP.Net Application impersonates the client. To verify this, open the Web.config file located in the Web Application folder and make sure that:
Under the <System.web> section, the following element for impersonation has been set:
<identity impersonate="true" />
- Verify if you need to set an additional Service Principal Name (SPN) for IIS, which depends on the IIS configuration. With an SPN the service is registered in Active Directory, this is a requirement for Kerberos to work. Use the SetSPN.exe utility to perform SPN changes.
Backend Services Configuration:
We often refer to the remote system as the "backend service" and this indicates the location in which IIS will delegate the "impersonated" user�s token. It is required that there is a valid SPN registered in Active Directory, otherwise Kerberos traffic will fail between IIS and the backend service.
The backend could be a File Server, SQL Server, or another Web Server (IIS). We will not handle all configurable backend services and the required SPNs in this article.
Since SQL Server is the most common backend for this type of scenario, here are some additional resources (Knowledge Base articles) on setting up SQL Server:
811889 How to troubleshoot the "Cannot generate SSPI context" error message
319723 Information about SQL Server 2000 Kerberos support, including SQL Server
For SQL Analysis Server check:
828280 How to configure an Analysis server computer to use Kerberos
Using the Debug Diagnostics Tool
Fac4
Q. Help! All of a sudden, my IIS 6 Web application is crashing. I have checked the event logs and there are no errors related to IIS. I need help figuring out what is happening and how to resolve the problem.
A. The first thing I always ask in this situation is what has changed on the server? Have you recently rolled out new code? Have you applied any service packs or hotfixes? Since you state that there are no errors in the event logs, the best way to track down the issue is to use Debug Diagnostics to capture a memory dump.
Downloading the Debug Diagnostics tool
The first thing you need to do is download the Debug Diagnostics tool. Debug Diagnostics was recently released as part of the IIS Diagnostics Toolkit.
Install Debug Diag
In the Setup Type Dialog box, choose Typical Installation.
Using the Debug Diagnostic Tool
Open the Debug Diagnostic Tool.
You will be presented with the New Rule Wizard as seen below.
If your browser does not support inline frames, click here to view on a separate page.
Create a Crash rule, and click Next.
Since we don't know which process is crashing, choose All IIS Related processes, and click Next.
.gif)
At this time, you don't need to set any of the advanced configuration options, so click Next.
.gif)
Type a name for your rule, and then enter a path for the userdump location.
.gif)
Note: Keep in mind that these memory dumps can get quite large so make sure that you choose a partition with plenty of free disk space.
Click Next, select Activate the rule now, and then click Finish.
.gif)
.gif){kind=link}
The main Debug Diagnostic Tool window displays the rule you just created. Notice that on the line that has your rule, the Userdump count is set to 0. Next time IIS crashes, Debug Diag will capture a memory dump, and you will see the Userdump count go up to 1.
.gif)
Analyzing the memory capture
Open the Debug Diagnostic Tool, and click the Advanced Analysis tab.
If your browser does not support inline frames, click here to view on a separate page.
In the Data Files section, click the Add Data Files button, and add the dump file that the Debug Diagnostic Tool just created for you.
Highlight the Crash/Hang Analyzers script in the Available Analysis Scripts section, and then click the Start Analysis button. This will launch the Analysis Script which will generate a nice HTML based report on what was going on with IIS and all its related processes at the time of the crash. If the analysis script sees something of interest in your memory dump, it will tell you at the top of the report and give you possible resolutions.
.gif){kind=link}
In a future column, I will discuss advanced analysis of memory dumps using the Debugging Tools for Windows available at https://www.microsoft.com/whdc/devtools/debugging/default.mspx.
For some additional training on Debug Diagnostics 1.0, visit the IIS Webcast Series and view the following webcasts:
For More Information
Submit your questions to IIS Insider. A response is not guaranteed; however, selected questions along with the answers will be posted in a future IIS Insider column.
Visit IIS Insider column archives for a list of previous months' questions and answers.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported, or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental, or consequential, even if it has been advised of the possibility of such damages.