IIS Community Newsletter - December 2011 edition released
#IIS Community Newsletter - November 2011 edition has been released. Lots of interesting and original content available on the web!
I ran across a great SEO article via Twitter, the link is here
There was a comment where I wanted to add a few ideas. I tried to format the comment, however it didn’t format too cleanly, so I thought I’d add it here. Review the comments in the article too; there are some additional items that are worth mentioning. I hope he picks up this post and adds the couple of links for reference.
A couple of other things to reference for this great article. Here are three commands I run on all servers. I use compression level 9 on a very high volume with no impact. Here is another article on other properties: http://learn.iis.net/page.aspx/206/dynamic-compression/
Scott Forsyth wrote an article on compress level and performance which is a good read. http://weblogs.asp.net/owscott/archive/2009/02/22/iis-7-compression-good-bad-how-much.aspx
c:\windows\system32\inetsrv\appcmd set config /section:urlCompression /doDynamicCompression:true
Sets the compression level
c:\windows\system32\inetsrv\appcmd set config /section:system.webServer/httpCompression -[name="'gzip'"].dynamicCompressionLevel:9
Sets the directory path
Mkdir D:\Data\IISTemporaryCompressedFiles
c:\windows\system32\inetsrv\appcmd set config /section:httpCompression /directory:D:\Data\IISTemporaryCompressedFiles /maxDiskSpaceUsage:100 /minFileSizeForComp:256
Hope this helps
After a few issues trying to send the October 2011 IIS community newsletter, we have got it published!
Here is the July/August/September 2011 IIS Community Newsletter
Microsoft has released the latest Windows OS preview. Nice new shiny logo.
Ran across this post browsing the forums @ http://forums.iis.net. It’s a real problem dealing with UNC content. Thread: New Solution to 500.19 Network BIOS Command Limit Reached
I try to keep track of UNC based posts in my “UNC” tag if it’s something that would help the community. http://forums.iis.net/p/1180183/1990052.aspx If you can provide assistance, that would be great. My intention is to set up some Linux and FreeBSD boxes locally using NFS, Samba and connecting to IIS. It’s on the geek list!
Every now and then, a thread will get my interest doing something different with IIS on http://forums.iis.net. I’ve never set up PERL within IIS even though I knew it was possible to host PERL. I figured what the heck, let’s see if I can get it working even though I don’t really know how to program in PERL. The post is asking how to secure PERL in a shared hosting model.
Forum thread on securing PERL. As of this post, no one has responded who has secured PERL for shared hosting. I’ve asked a couple questions for my own interest. If you know, feel free to respond with more information. I’d be interested.
Here is a thread on http://forums.iis.net that discusses stress testing tools. There is a wide variety of tools available. I personally use a PowerShell script to create a single log file, then load test with Web Application Stress tool (retired by Microsoft). For my personal needs this has been sufficient. I thought I would pass along as an FYI.
This is one of those posts that has been “years in the making”. I’ve been working with SMS / ConfigMgr 2007 since version 2.0. In my IT career, I’ve used SMS / ConfigMgr 2007 on the server side exclusively. Traditionally SMS / ConfigMgr has been mainly a desktop software deployment, management tool. I’ve never talked with anyone who has used ConfigMgr strictly “ in a Server environment” for other things besides patching, OSD. Using ConfigMgr for DCM, Software Distribution, Querying, reporting etc.
I recently came across a situation where I was getting inconsistent status messages being sent back to the site server. Here is the message: “Failed to submit event to the Status Agent. Attempting to create pending event.” For those familiar with ConfigMgr, all components send their status messages through the StatusAgent component. Advertisements and task sequences would work; the status messages would not be updated, however.
Introduced in IIS 7 was the ability to set the Anonymous Authentication module to inherit from the application pool identity automatically. Here is a screenshot of the setting.
In previous IIS versions, the IUSR account was a local account with its own SID (Security Identifier). The administrator had to be aware of this account along with the application pool account (App pools started in Windows 2003/IIS 6). The IUSR account was introduced in Windows Server 2008 as a ‘machine’ account with the same SID across all boxes. In IIS 6, I would set the IUSR_MachineName and application pool identity accounts the same. Although I was administering two locations, it made troubleshooting a lot easier only dealing with one account. When Windows Server 2008 came out and provided the ability to inherit the application pool identity automatically, from an IIS Administrator’s perspective, I quickly adopted this architecture. PS – I’m not 100% sure why inheriting Application Pool Identity isn’t the default setting, I once heard it was to support Classic ASP applications. Not sure.
Back to ConfigMgr 2007
From an IIS perspective, administrators may implement this type of architecture (I did!). What I discovered is that the IUSR setting at server level is required if a machine has IIS installed. Here is what I did to prove the ConfigMgr client was checking for the existence of the IUSR account:
- I enabled more logging on the ConfigMgr client. Here is an article showing How to enable DebugLogging & Verbose logging on ConfigMgr client.
- I set the IUSR account at server level to the picture above. All sites would inherit the application pool identity
- Execute an advertisement (task sequence or advertisement)
Here are the status messages that appeared in the logs. Notice the highlighted sections, and the function being called.
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:22.678+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:22.680+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1559">
StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\core\ccmcore\comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">
As I mentioned earlier, I work strictly in a server environment, where many boxes have IIS installed (mostly Windows Server 2008 / R2 boxes). For some reason Microsoft has logic in SCCM to check for the existence of the IUSR account. Here is a post I did, “IUSR Account and ConfigMgr 2007 R3 agent”. It explains that I temporarily had to set the IUSR account enabled at server level so the ConfigMgr agent would install.
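To find this failure across many clients without reading the logs by eye, the records above can be parsed and filtered. This is an added example, not part of the original post; the function name Get-CcmFailedCall and the variable names are hypothetical, and the sample lines are copied from the excerpt above.

```powershell
# Constructed input: three records copied from the excerpt above (the file-name
# prefix comes from the search output). On a client, pass Get-Content of the log instead.
$SampleLines = @(
    'ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">',
    'ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">',
    'StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\core\ccmcore\comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">'
)

# Record layout: <![LOG[call(arg), HRESULT=xxxxxxxx (source,line)]LOG]!><time=".." date=".." component="..">
$Pattern = '<!\[LOG\[(?<call>[\w:]+)\((?<arg>\w*)\), HRESULT=(?<hr>[0-9A-F]{8}) .*?\]LOG\]!>' +
           '<time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<component>[^"]+)"'

function Get-CcmFailedCall {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match $Pattern) {
            # An HRESULT with the top bit set is a failure; 80004005 is E_FAIL.
            if ([Convert]::ToInt32($Matches['hr'], 16) -ge 0) { continue }
            [pscustomobject]@{
                Component = $Matches['component']
                Call      = $Matches['call']
                HResult   = $Matches['hr']
                When      = '{0} {1}' -f $Matches['date'], $Matches['time']
            }
        }
    }
}

# Which components failed to resolve the IUSR SID, and how often
Get-CcmFailedCall -Line $SampleLines |
    Where-Object { $_.Call -like '*LookupIUSRAccountSid' } |
    Group-Object Component |
    Select-Object Name, Count
```

After the workaround is applied and the SMS Agent Host is restarted, new records from either component should no longer show up in this output.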
A configuration workaround
The ConfigMgr agent doesn’t seem to check for IUSR at site level. This means an administrator who has ConfigMgr installed on a server OS with IIS can enable the IUSR setting at server level, and set the inherit application pool identity at site level. From my testing, this configuration works. I did a PowerShell script to:
- Backup current applicationHost.config with appcmd
- Enable IUSR at server level
- Disable IUSR and inherit application pool identity.
- Stop / Start SMS Agent Host
- Watch the SCCM logs
A little precaution before running the script. The logic assumes you are using the application pool identity for securing resources. I’d recommend you review your IIS architecture to ensure this setup would work in your environment. I ALWAYS encourage people to try scripts in a non-production environment first. The script does make a backup copy of the applicationHost.config before making changes. If something happens, just restore the applicationHost.config.
After years of not quite understanding how IUSR was used, I thank God for helping me finally understand what is happening! I hope you find this post useful. Hope this workaround isn’t needed in CM2012. Time will tell.
Here is the script.
$ExitCode = 0
$AppCmd = "$Env:SystemRoot\system32\inetsrv\appcmd.exe"

#Clear the anonymous user on one site so it inherits the application pool identity
#appcmd is called directly rather than through Invoke-Expression so a site name is never parsed as PowerShell code
function DisableIUSRSiteLevel([string]$SiteName)
{
    & $AppCmd set config $SiteName /section:system.webServer/security/authentication/anonymousAuthentication /userName:"" /commit:apphost
}

try
{
    #Use Powershell provider to get a list of sites, one of these will error
    #Windows Server 2008 needs powershell provider installed before using
    #Windows Server 2008 R2 has powershell provider already
    #There is some better logic that could be implemented on this option
    Import-Module -Name "WebAdministration" -ErrorAction SilentlyContinue
    Add-PSSnapin -Name "WebAdministration" -ErrorAction SilentlyContinue

    #Back up applicationHost.config before making changes (MM = month, HH = 24-hour clock, mm = minutes)
    $FileDate = (Get-Date).ToString('dd-MM-yyyy-HH-mm')
    & $AppCmd add backup "BeforeSettingIUSRData$FileDate"
    Write-Host "applicationHost.config backed up"

    #Set IUSR at server level
    & $AppCmd set config /section:system.webServer/security/authentication/anonymousAuthentication /userName:"IUSR" /commit:apphost
    Write-Host "Set IUSR at server level enabled"

    #Get List of Sites using get-childitem
    $sites = Get-ChildItem IIS:\Sites

    #Set Each site on the box with IUSR disabled
    foreach($site in $sites)
    {
        DisableIUSRSiteLevel -SiteName $site.Name
    }
}
catch
{
    $ExitCode = 1
}
The May / June combined newsletter has been published.
Windows Server MVP - ASP.NET / IIS
Log archival solution
Install, Configure, Forget
Questions on Microsoft SMTP Service - visit http://www.smtp.ws
IIS Community Newsletter - visit http://www.iisnewsletter.com
I’m excited to announce IISLogs (and my blog) upgraded to Orchard 1.2. The upgrade process wasn’t too painful, I’d suggest using WinMerge to compare folders, files. This came in handy when comparing my Modules and Themes folders. One thing I found extremely useful detecting errors was using the IIS SEO Toolkit to scour my site looking for errors.
If you are seeing this link, my blog link has been updated to http://www.iislogs.com/steveschofield.
After 7 1/2 years, my blog and all content has been moved to my own domain! I’ve worked with the admins who run http://weblogs.asp.net to implement a 301 redirect. Old links should redirect to the corresponding link on my new blog. It’s been quite an adventure. Check out the post related to standing up Orchard, here is the link. I’ve been really impressed with the performance of Orchard. I’ve been testing a VPS at GoDaddy (1 proc, 2 GB, 30 GB of ram) for $40 / per month. So far so good. Stay tuned on this, more updates to come.
I was working on various PowerShell formatting. Here is a handy date time format. http://technet.microsoft.com/en-us/library/ee692801.aspx
Here is a function I used to unzip several files using PowerShell.
I received a post on the forums that I was suggested to make a blog post. Here is the original post : http://forums.iis.net/t/1178739.aspx
I’ve been blogging for years, mainly with community server. I’ve had a desire to switch my blog over to my own domain, which currently is www.iislogs.com (the domain which sells IIS Logs program). I selected Orchard as it seemed different, fresh and challenging. Plus it was built on top of the MVC framework and has an up and coming community. I came from the days when I tried to be a web developer using Classic ASP and let’s say Classic ASP.NET. Enough reflecting.
I used this script to read a few months worth of my IIS logs to create a single log file. I used the single file for load testing with Web Application Stress tool.
Had an interesting question on http://forums.iis.net regarding FTP 7.5. There was a requirement to allow both local and domain users on the same FTP site. Here is the posting with the details http://forums.iis.net/t/1178738.aspx
IIS Community Newsletter - April 2011 Edition has been published
I'm excited to announce our March 2011 IIS Community Newsletter is published
Here is the link to the March 2011 edition -
If you run SharePoint 2010 in one forest, with users in another forest and a 1-way forest trust in place, there is some additional configuration needed in SharePoint 2010. I included links below that discuss the details. My post is not meant to be an in-depth how-to on setup, but rather to share a tidbit not discussed in documentation (not that I could find). Thanks to a smart co-worker and Process Monitor, it was found there is a registry entry that the application pool needs READ access to. You can either manually grant permissions on the server or add the registry permission in AD Group Policy. Hope this helps.
If you are attending the MVP 2011 summit, hope to see you there! Look me up on twitter @steveschofield
I'm excited to announce our February 2011 IIS Community Newsletter is published
Here is the link to the February 2011 edition -
Looking for a job related to Microsoft (Internet Information Server)? Or do you have a job opening which requires IIS experience. Look no further, subscribe to the discussion forum today at http://www.iisjobs.com and be notified as soon as a job is posted or someone responds.
I've been doing some packaging of software within SCCM recently. As I'm rediscovering, each software package has its own trick to get an unattended installation working. One useful trick I found with MSIs is to use the /l* logname.log option when installing from the command line. After the installation has completed, you can open the log file and look for the variables that can be set.
I'm excited to announce our first IIS Community Newsletter. Here is the link to the January 2011 edition - http://bit.ly/gPq0qT
I'm working with SCCM and needed to troubleshoot some client items with task sequences.
I was surfing my comments and saw a great link on IIS info
I was looking at my web stats; my favorite item to look at is the referrer. I found a good review by Serdar Yegulalp, Contributor
I was recently talking with some good friends about tips for performance and what an IIS Administrator could do on the server side. I also see this question from time to time in the forums @ http://forums.iis.net. Of course, you should test individual settings in a controlled environment while performing load testing before just implementing on your production farm.