Beginner's
Guide: Exploring IIS 6.0 With ASP.NET
Table of
Contents
Introduction
In the past, I have written
a few articles for beginners and had got a very good response from all readers.
This time I have planned to write an article on IIS 6.0 and Integration of IIS
with ASP.NET. I have worked on IIS 5.1, IIS 6.0, and IIS 7.0. Though the
purpose of all IIS servers are the same, they are very different in their
architecture and use. Don't worry, I am not going to explain the differences of
those three versions of IIS. The purpose of this article is completely
different. While answering in the ASP.NET forum, I found many questions on
deploying websites, the security settings of IIS, different authentication
types, Application Pool, recycling of application pool, etc. This is an
"All in One" article for IIS. This will help beginners know what IIS
is, how to install IIS, how to deploy sites on IIS, create an Application Pool,
web garden, etc. This article is all about IIS 6.0. If anybody is interested in
IIS 7.0, please read the article Deploying. Websites on IIS 7.0.
Please give your valuable suggestions and feedback to improve this article.
What is a Web Server
Visual Studio has its own
ASP.NET engine which is responsible for running your web application so you
don't have any problems running an ASP.NET application from the VS IDE. When
you want to host your site for others to access, the concept of a "Web
Server" comes into picture. A web server is responsible for providing a
response to requests that come from clients. So when multiple users come in,
multiple requests also come in and the web server will have a response for each
of them. IIS (Internet Information Server) is one of the most powerful web
servers from Microsoft that is used to host ASP.NET web applications. IIS has
its own ASP.NET Process to handle ASP.NET requests. If you look at this
picture:
IIS Server Overview
The first client will make a
request to the web server (IIS), the web server checks the request and will
pass the request to the ASP.NET Process (don't get confused here, I have
explained the details), the ASP.NET process engine will process the request and
pass the response to the client via the web server. One of the major roles of
IIS is handling each and every request. Don't worry, I have explained each and
everything in more detail later. So far I hope it is clear why we are using a
web server.
Introduction to IIS
IIS 6.0 provides a
redesigned World Wide Web Publishing Service architecture that can help you
achieve better performance, reliability, scalability, and security for your web
sites. In this section, I have described an overview of IIS and an installation
guide for IIS 6.0.
Overview
of IIS
Internet Information Server
is one of the most powerful web servers provided by Microsoft that is able to
host and run your web applications. IIS supports the following protocols: FTP,
FTPS, SMTP, NNTP, HTTP/HTTPS. We can host our web sites on IIS, we can use it
as an FTP site also.
IIS
Version in Different OSs
Below is a list of IIS
versions that support the following Oerating Systems:
Operating System
|
IIS Version
|
Windows Server 2008
|
IIS 7.0
|
Windows Vista - Home Premium/ Ultimate
|
IIS 7.0
|
Windows Server 2003
|
IIS 6.0
|
Windows XP Professional
|
IIS 5.1
|
Windows 2000 Server IIS 5.0
|
IIS 5.0
|
How
to Install IIS 6.0
Installation of IIS is very
similar to installing any other system application from the Control Panel. We
have to start navigation from Control Panel > Add/Remove Programs, then
select Add/Remove Windows Component. Follow the screen given below.
IIS installation
Select "Application
Server" from the checkbox list. This will open a new window, select IIS,
and click on OK.
IIS installation selection
This will initiate IIS
installation. The OS will show a continuous progress bar during installation
and will show a final message after installation is complete.
IIS installation progress
Note:
During the installation period, it may ask for some OS files. You need to
provide the paths for them. After successful installation of IIS, go to Start
> Run > Inetmgr to launch IIS. The below screen will appear, which
indicates that IIS has been successfully installed in your system.
IIS installed successfully
IIS 6.0 Process Mod
el and Request Processing
Before starting with a
virtual directory and Application Pool and all other stuff, let us have a quick
look into the IIS 6.0 Process module and IIS request processing. This topic is
a huge one. Here I am just giving you an overview.
We can divide the whole
architecture into two layers.
·
Kernel Mode
o
HTTP.SYS
·
User Mode
o
Web Admin Service
o
Virtual Directory
o
Application Pool
IIS 6.0 Process module
As per the above diagram,
IIS has two modes, Kernel and User. HTTP.SYS is the heart of kernel mode which
accepts raw requests from the client and pass it to a particular application
pool. Below are the steps of IIS request processing.
1. Client
requests for a page from the browser by hitting the site URL.
2. Request
comes to kernel level. HTTP.SYS catches the requests and creates a separate
queue for each and every application pool.
Note: Whenever we create
an application pool, IIS automatically registers the pool with HTTP.SYS to
identify it during request processing.
Then HTTP.SYS forwards the request to the Application Pool.
3. A
request coming to the application pool means the worker process (w3wp.exe) starts
action by loading theISAPI Filter.
4. Based
on the requested resource, w3wp.exe loads "aspnet_isapi.dll"
for an APSX page and starts anHTTPRuntime which
is the entry point of an application.
5. Then
the HttpRuntime.ProcessRequest method signals the start of processing.
6. The HttpContext object
represents the context of the currently active request, as it contains
references to objects you can access during the request lifetime, such as Request, Response, Application, Server,
andCache.
7. The HttpRuntime creates
a pool of HttpApplication objects.
8. The
request passes through the HTTP Pipeline.
9. HTTP
Modules are executed against the request until the request hits the ASP.NET
page HTTP Handler.
10. Once
the request leaves the HTTP Pipeline, the Page life cycle starts.
Deploying Your Web Sites on IIS
In this section, I discuss
how to host a site on IIS, how to create a virtual directory, configure a
virtual directory, etc. Let's start with virtual directory creation.
Creating
a Virtual Directory
There are various way to
host a web application on IIS. Visual Studio has some inbuilt features to host
and create a virtual directory on IIS directly. Here is
one of my articles on hosting a site on IIS from Visual Studio. But in this
section, Idiscuss the basic steps for creating a virtual directory.
First, right click on
Default web sites > New > Virtual Directory.
Virtual directory creation
By selecting "Virtual
Directory...", the virtual directory creation wizard will start. Click on
"Next".
Virtual directory creation
Give the "Alias"
name and proceed for "Next". The alias name is your virtual directory
name.
Virtual directory creation
As its name implies, a
"virtual directory" does not contain any physical file. We need to
define the physical file path that it will refer to. We have to browse the
physical path over here.
Virtual directory creation
Now based on your
requirements, you can select the check boxes and click on "Next".
Generally, we select only the "Read" option.
Virtual directory creation: Permission settings
Below is a list of
permissions that we can use:
·
Read: It
is the most basic and is mandatory to access webpages of your application.
·
Run Scripts: It
is required for ASPX pages, not for static HTML pages because ASPX pages need
more permissions so they could conceivably perform operations.
·
Execute:
This allows the user to run an ordinary executable file or CGI application.
This can be a security risk so only allow when it is really needed.
·
Write: It
allows to add, modify, or remove files from the web server. This should never
be allowed.
·
Browse:
This allows one to retrieve a full list of files in a virtual directory even if
the contents of the files are restricted. It is generally disabled.
You are done! The virtual
directory has been created successfully. You will get a final message. Click on
"Finish" to close the window and move forward.
Virtual directory creation: Finish
There are other alternative
options that you can use for creating a virtual directory.
1. Copy
the physical directory to the wwwroot folder.
2. Physical
Folder Properties > Web Sharing.
Configure
Virtual Directory
The items listed below are
very important for the configuration of any web application.
·
Virtual Directory
·
Documents
·
Documents
·
ASP.NET
·
Directory Security
·
Custom Errors
I have explained each of
them step by step. Apart from them, a Virtual Directory can have settings like
BITS Server Extension, HTTP Header, etc. I haven't covered those in this
article. Let us start with the "Virtual Directory" tab.
Virtual Directory
This is the most important
configuration section for a virtual directory. To open this tab, we need to
select the newly created virtual directory.
Virtual directory configuration
Right click on it >
Properties. The below screen will come up:
Virtual directory properties
Here we can change the local
path (physical path). Before looking into other stuff, first look into the
"Application Settings" section. It seems the application name is
disabled. So first we need to click the "Create" button, which will
enable the rest of the settings. Check the below image.
Virtual directory creation
Here we can change the
execution setting and application pool name. Choosing "None" for
Execute Permission will restrict the access to the web site. Now we will move
to the "Documents" tab.
Documents
The Documents tab is used to
set the default page of your web application. We can add or remove the page
name in this section. To configure, we have to move to the
"Documents" tab.
Virtual directory creation
This is useful when you want
to access the site directly with the virtual directory name. For example, if
your virtual directory name is "mywebsite" and your home page name is
"home.aspx",
then you can access the page as follows:
http://<ip>/mywebsite/home.aspx
but if you define home.aspx in the Documents section, you need to
only use this at the address bar to access the site:
ASP.NET
If IIS is registered with
multiple .NET Framework versions, the ASP.NET version dropdown list shows all
of them. But based on the application, we need to change the framework version.
E.g.: If our application was developed in .NET 2.0, then the version should be 2.0.X.X.
ASP.NET version selection
Tip: If
.NET Framework is already installed in your system when you are installing IIS,
then ASP.NET will not be registered with IIS. So if you host an application on
IIS, it will not work. To register IIS with the ASP.NET version, you need to
run the aspnet_regiis -i command from the command prompt. This
will automatically register the .NET Framework with your IIS.
For more info, please read this.
Directory Security
Directory security enables
all kinds of security access for your web application. For directory, we need
to move to the "Directory Security" tab.
Directory security settings
Click on the
"Edit" button to modify the directory security settings. After
clicking on the Edit button, the below screen will come up.
Directory security settings
Below are the commonly used
IIS security settings:
·
Anonymous
·
Integrated Windows Authentication
·
Basic Authentication
·
Digest Authentication
Anonymous
Anonymous authentication
means the site is accessible to all. This is the default authentication mode
for any site that is hosted on IIS, and it runs under the
"IUSR_[ServerName]" account. We can change it by clicking on the
"Browse" button.
Integrated Windows Authentication
This authentication mode is
generally used for Intranet sites. Users are authenticated from the Active
Directory. Integrated Windows authentication is also known as NTLM
authentication. If browser settings automatically login for trusted sites for
Windows authentication then the site will be logged in automatically with the
Windows user credentials.
Basic Authentication
This is supported by all
browsers and is a part of the HTTP standard. This shows a login dialog control
which accepts the user name and password. The user ID and password are passed
to IIS to authenticate the user from the Windows credentials.
Digest Authentication
The disadvantages of Basic
authentication mode is that it sends a password as plain text. Digest
authentication does almost the same thing as basic authentication but it sends
the "hash" of the password rather than sending plain text.
Integrated Windows, Basic
Authentication, and Digest Authentication use Active Directory to authenticate
the user.
Note:
There are many things related with IIS and ASP.NET Security configuration. I am
not covering all these in detail. I am just giving a brief overview so that you
are comfortable with all this stuff.
For configuring SSL, please
read the reference link that I have provided in the References section.
Custom Errors
The Custom Errors tab allows
us to specify the error page that will be displayed for any specific type of
HTTP Error.
Directory security settings
We can also customize the
setting at our application level by configuring the web.config settings or changing the htmfile
path by clicking on the "Edit" button.
This is all about the basic
overview of creation of virtual directories and setting up. Hope you are now
comfortable with all this stuff.
Application Pool
Application pool is the
heart of a website. An Application Pool can contain multiple web sites.
Application pools are used to separate sets of IIS worker processes that share
the same configuration. Application pools enable us to isolate our web
application for better security, reliability, and availability. The worker
process serves as the process boundary that separates each application pool so
that when a worker process or application is having an issue or recycles, other
applications or worker processes are not affected.
Application pool - IIS
Generally we do it in our
production environment. The main advantages of using an application pool is the
isolation of worker processes to differentiate sites and we can customize the
configuration for each application to achieve a certain level of performance.
The maximum number of application pools that is supported by IIS is 2000.
In this section, I have
discussed about the creation of application pools, application pool settings,
and assigning an application pool to a web site.
How
to Create an Application Pool?
Application pool creation in
IIS 6.0 is a very simple task. There are two different ways by which we can
create an application pool. There is a pre-defined application pool available
in IIS 6.0, called "DefaultApplicationPool". Below are the two ways
to create an application pool:
·
Create New Application Pool
·
Create From Existing Configuration File
Create a New
Application Pool
First of all, we need to
open the IIS Configuration Manager. Then right click on Application Pool and go
to New > Application Pool.
Create new application pool
The below screen will
appear, where we need to mention the application pool name.
New application pool name
When we create a new
application pool, we can use the default application setting for it. The
selection of "Default Settings" means by default the application pool
setting will be the same as the IIS default settings. If we want to use the
configuration of an existing application pool, we need to select the section
option "Use existing application pool as template". Selecting this
option will enable the application pool name dropdown.
Application pool template selection
If we select an existing
application pool as a template, the newly created application pool should have
the same configuration of the template application pool. This reduces the time
for application pool configuration.
That is all about creating a
new application pool. Now let us have a look at the creation of an application
pool from an existing XML configuration file.
Create From Existing
Configuration File
We can save the
configuration of an application pool into an XML file and create a new
application pool from that. This is very useful during the configuration of an
application pool in a Web Farm where you have multiple web servers and you need
to configure the application pool for each and every server. When you are
running your web application on a Load Balancer, you need to uniquely configure
your application pool.
So first of all, you need to
save the application pool configuration in a server. Check the below image for
details.
Application pool template selection
During this operation, we
can set the password for the configuration file which will be asked during the
import of the application pool on another server. When we click on "Save
Configuration to a file", the below screen will appear.
Save configuration as XML file
Where we need to provide the
file name and location. If we want, we can set a password to encrypt the XML
file. Below is a part of that XML:
Location ="inherited:/LM/W3SVC/AppPools/StateServerAppPool"
AdminACL="49634462f0000000a4000000400b1237aecdc1b1c110e38d00"
AllowKeepAlive="TRUE"
AnonymousUserName="IUSR_LocalSystem"
AnonymousUserPass="496344627000000024d680000000076c20200000000"
AppAllowClientDebug="FALSE"
AppAllowDebugging="FALSE"
AppPoolId="DefaultAppPool"
AppPoolIdentityType="2"
AppPoolQueueLength="1000"
AspAllowOutOfProcComponents="TRUE"
AspAllowSessionState="TRUE"
AspAppServiceFlags="0"
AspBufferingLimit="4194304"
AspBufferingOn="TRUE"
AspCalcLineNumber="TRUE"
AspCodepage="0"pre>
Now we can create a new
application pool for this configuration file. While creating a new application
pool, we have to select the "Application Pool ( From File )" option
as shown in the below figure.
Application pool creation from a configuration file
When we select this option,
a screen will come where we need to enter the file name and the password of
that file.
Application pool creation from configuration file
Select the file and click on
the "Read File" button. This will show you the imported application
pool name. Click "OK" to import the full configuration.
Application pool creation from configuration file
Here we need to mention the
new application pool name or we can have another option where we can replace an
existing application pool. For moving ahead, we need to provide the password.
Password to import application pool configuration
This is the last step for
creating a new application pool from an existing configuration file.
Configure
Application Pool Properties
This is one of the most
important tasks for web server configuration and this is important when we are
hosting on a production server. As I have already discussed, the application
pool is the heart of any web application hosted on IIS. We need to know each
and every configuration of the application pool. To start configuration, we
need to go to the Properties of the application pool.
Application pool properties
We need to configure the
following things in the application pool:
·
Recycling
·
Performance
·
Health
·
Identity
Recycling
Recycling the application
pool means recycling the worker process (w3wp.exe)
and the memory used for the web application. It is a very good practice to
recycle the worker process periodically, which wll keep the application running
smooth. There are two types of recycling related with the application pool:
·
Recycling Worker Process - Predefined settings
·
Recycling Worker Process - Based on memory
Recycling Worker Process - Predefined Settings
Worker process recycling is
the replacing of the instance of the application in memory. IIS 6.0 can
automatically recycle worker processes by restarting the worker processes that
are assigned to an application pool and associated with websites. This improves
web site performance and keeps web sites up and running smoothly.
Application pool recycling- Worker process
There are three types of
settings available for recycling worker processes:
·
In minutes
·
Number of requests
·
At a given time
Recycle Worker Process (In Minutes)
We can set a specific time
period after which a worker process will be recycled. IIS will take care of all
the current running requests.
Recycle Worker Process (Number of Requests)
We can configure an
application with a given number of requests. Once IIS reaches that limit, the
worker process will be recycled automatically.
Recycle Worker Process (In Minutes)
If we want to recycle the
worker process at any given time, we can do that configuration on IIS. We can
also set multiple times for this.
Application pool recycling - Worker process: Time setting
Recycling Worker Process - Based on Memory
Server memory is a big
concern for any web application. Sometimes we need to clean up a worker process
based on the memory consumed by it. There are two types of settings that we can
configure in the application pool to recycle a worker process based on memory
consumption. These are:
·
Maximum virtual memory used
·
Maximum used memory
Application pool recycling - Worker process.
At any time, if the worker
process consumes the specified memory (at memory recycling settings), it will
be recycled automatically.
What Happens During
Application Pool Recycling
This is quite an interesting
question. Based on the above settings, an application pool can be recycled any
time. So what happens to the users who are accessing the site at that time? We
do not need to worry about that. This process is transparent from the client.
When you recycle an application pool, HTTP.SYS holds onto the client connection
in kernel mode while the user mode worker process recycles. After the process
recycles, HTTP.SYS transparently routes the new requests to the new worker
process.
Performance
Moving to the Performance
tab in the Properties dialog box results in the following output.
Application pool performance
To improve the performance
of a web application, we can setup the performance settings of the application
pool. We can set the shut down time of the worker process based on the ideal
time. The worker process will be shut down at a given time period if it is
ideal. Whenever a new requests comes, it will live again. Another important
thing for improving the performance is "Web Garden".
Web Garden
Overview of Web Garden
By default, each application
pool runs with a single worker process (W3Wp.exe). We can assign multiple
worker processes with a single application pool. An application pool with
multiple worker processes is called a Web Garden. Many worker processes with
the same application pool can sometimes provide better throughput performance
and application response time. And each worker process should have its own
thread and memory space.
Web Garden (Application pool with multiple worker processes)
As Shown in the picture, in
IIS Server, there may be multiple application pools and each application pool
has at least a single worker process. A Web Garden should contain multiple
worker processes.
There are certain
restrictions in using a Web Garden with your web application. If we use Session
Mode as "in proc", our application will not work correctly because
the Session will be handled by a different worker process. To avoid this, we
should use Session Mode as "out proc" and we can use "Session
State Server" or "SQL-Server Session State".
How to Create a Web Garden?
We need to increase the
number of worker processes on the Performance tab.
Web garden creation
Main
advantage: The worker processes in a web garden share the requests that
arrive for that particular application pool. If a worker process fails, another
worker process can continue processing the requests.
Health
Now we move to the
"Health" tab. When wel select the "Health" tab, it will
show the following screen:
Health monitoring setting
IIS provides a couple of
settings to improve the health of an application pool. There are also a few
settings for measuring the worker process health. These are:
·
Enable Pinging
·
Enable Rapid-fail protection
·
Startup time limit
·
Shutdown time limit
Enable Pinging
This property specifies
whether the WWW Publishing Service should periodically monitor the health of a
worker process. Checking this option indicates to the WWW service to monitor
the worker processes to ensure that worker processes are running and healthy.
By default, it sets to 30s. This is also needed to check if a service is
staying ideal or not. If it is ideal it can be shutdown until the next request
comes. The Windows Activation Process maintains all this stuff.
Enable Rapid-fail Protection
When enabling Rapid Fail
Protection, the application pool is shut down if there are a specified number
of worker process crashing within a specified time period. When this happens,
the WWW Publishing Service puts all applications in the application pool
"out of service".
Failure
Count: The default value for failure count is 5 minutes. This
property specifies the maximum number of failures allowed within the number of
minutes specified by the "Time Period" property before the
application pool is shut down by Rapid Fail Protection. If the number of
failure is more than the specified in a given time, the application pool should
be put on "out of service mode".
Time
period: This property specifies the number of minutes before the
failure count for a process is reset. By default, it is set to 5 minutes.
Startup time limit
The Start up time limit
property specifies the amount of time that the WWW Publishing Service should
wait for a worker process to finish starting up and reporting to the WWW
Service. In general it means the time taken to start a worker process.
Shutdown time limit
This is the shutdown time
for a worker process. This is the time required to execute all old running
worker process requests before it shuts down during recycle time.
Identity
This is the last and final
setting for an application pool. An application pool has three types of
identity: "Network Service" is the default Identify.
"defaultappPool" also runs under the "Network Service"
Identity. Below are the listed application pool identities with description:
Identity
|
Description
|
LocalSystem
|
A built-in account that has
administrative privileges on the server. It can access both local and remote
resources. For any kind accessing of server files or resources, we have to
set the Identity of the application pool to Local System.
|
LocalServices
|
Built-in account has privileges of an
authenticated local user account. It does not have any network access
permission.
|
NetworkServices
|
This is the default Identity of an
application pool. NetworkServices has privileges of an authenticated local user account.
|
Navigating to the Identity
tab will show the following screen:
Application pool identity configuration
We can also configure the
application pool under a given user account. For that, we need to select the
"Configurable" option on "Identity" tab.
This is all about the
application pool. Hope now you have a very good understanding on what
application pool is, how to create and configure the application pool.
Q:
You are using a file upload control in your web application and it is working
fine on Visual Studio but when you host the same code on IIS, it is not
working. This is a very common problem in web hosting when file upload is
involved.
A:
When a web application runs under Visual Studio - ASP.NET engine integrated
with visual studio takes care of all the executions. And this engine has
sufficient rights so that it can write data on your disk. But when you host the
site on IIS, as I have already mentioned, it runs under the "Network
Services" Identity, which has very minimum rights on your system. The user
can only have read access on the site. So for resolving file upload issues, you
need to change the Identity of the application pool from "Network
Service" to "Local System". Local System identity means the
client can have write access on your hard drive. This will resolve your issue
of file uploading on the server.
You can also resolve this
issue by giving Write access permission to the file destination folder for
"Everyone".
Enabling Web Service
Extension
IIS 6.0 provides a certain
type of configuration from where we can enable/disable web service extensions.
If we want to prohibit/restrict any kind of extension, we need to select the
extension and click on the "Prohibit" button.
Web Service extension vonfiguration
Note: If
the ASP.NET v 2.0.X.XXXX extension is prohibited over here, you will not be
able to access the site which is running on .NET 2.0.
Debugging Your Application That Hosted on IIS
If your site is hosted on
IIS and we want to debug the site, the main thing that we need to do is attach
a worker process with Visual Studio. There are two possible scenarios for
debugging from IIS:
1. Site
is hosted on local IIS server: Local IIS debugging
2. Site
is hosted on remote IIS server: Remote IIS debugging
I have already published two
complete articles on CodeProject on the above topic. Please refer to those for
details.
