virtual techdays INDIA 18-20 august 2010 IIS 7/7.5 Tips & Tricks Jaskirat Singh │ Technical Lead [IIS| Asp.Net team], Microsoft

Post on 24-Dec-2015


virtual techdaysINDIA │ 18-20 august 2010

IIS 7/7.5 Tips & Tricks

Jaskirat Singh │ Technical Lead [IIS|Asp.Net team], Microsoft

Session Agenda

IIS 7/7.5 architecture changes
IIS 6 architecture flashback
IIS 7 features / modular approach

Tips & Tricks
Enabling SSL on IIS 7.0 using self-signed certificates
Kernel-mode SSL and authentication
FTP over SSL
New management API / APPCMD tool demo
Running 32-bit and 64-bit worker processes side by side on the same server

IIS 7/7.5 Tips & Tricks (continued)

App pool identity feature
Server Core: no user interface
IIS remote management / feature delegation: allow non-admins to manage IIS remotely
App Warm-Up module for cold start: can be used to avoid initial start-up time
Troubleshooting using FREB

IIS 6.0 Features

Worker process isolation mode

Health monitoring

Worker process recycling

Rapid-fail protection

XML based Metabase

Manage using WMI and ADSI

Tight security by default lock down

Enhanced logging mechanism

HTTP.sys logging

Performance and Scalability

Web gardens, processor affinity, idle timeout, CPU monitoring

Troubleshooting using ETW


IIS 6 Quick Flash Back

IIS 6.0 Architecture


Quick Flashback

IIS 7.0/7.5 Architecture
IIS 7 -> Windows Server 2008 / Vista
IIS 7.5 -> Windows Server 2008 R2 / Windows 7


IIS 7.0 leverages the reliability and security-focused architecture of IIS 6.0

Modular Web server

40 different components

Individual installation of each component

Role specific Web server deployment

Extensible architecture

ASP.NET integration

Forms Authentication and URL authorization for static files (.htm, .css, etc.) and .asp pages

Eliminates duplication of features

Common IIS and ASP.NET configuration file

Enhancement in hosting FastCGI application such as PHP

Distributed configuration system

Enhanced diagnostics and troubleshooting using Failed Request Tracing (FREB)


Quick Flashback

IIS 7.0/7.5 Architecture


Quick Flashback

IIS 7 Using Self Signed certificate feature

With IIS 6, it was difficult to generate a certificate even for testing purposes. Previously, we had to submit a certificate request to a local CA to get a certificate for testing.

But IIS 7.0 makes it radically easier to configure and enable SSL. IIS 7.0 also now has built-in support for creating "Self Signed Certificates" that enable you to easily create test/personal certificates that you can use to quickly SSL enable a site for development or test purposes.


Kernel Mode SSL

In IIS 7, kernel-mode SSL is the default setting and the only setting.

This gives a tremendous performance gain because it avoids extra context switches between kernel mode and user mode.


Kernel Mode Windows Authentication

On IIS 7, Windows Authentication is configured to run in kernel mode by default.

When it is enabled, it takes care of the SPN setting for Kerberos, but there are exceptions to the rule.
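An added example, not from the original slides, showing where this setting lives and how to inspect and set it with AppCmd from PowerShell. The site name and the domain account are assumptions, and the exception it handles (an application pool running as a domain account that owns the HTTP SPN) comes from general IIS behaviour, not from the slide.

```powershell
# Added example; the site name and account below are constructed placeholders.
$appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"
$site    = 'Default Web Site'
$section = 'system.webServer/security/authentication/windowsAuthentication'

# Set to $true when the application pool runs as a domain account and the
# HTTP SPN is registered to that account (for example in a web farm).
$poolUsesDomainAccount = $false
$domainAccount         = 'CONTOSO\svc-web'   # placeholder account name

# 1. Show the Windows Authentication settings currently in effect for the site.
& $appcmd list config $site "-section:$section"

if (-not $poolUsesDomainAccount) {
    # Default case: the pool runs as a built-in or virtual account. HTTP.sys
    # decrypts Kerberos tickets with the machine account, so no SPN has to be
    # registered for the pool identity.
    & $appcmd set config $site "-section:$section" `
        /enabled:true /useKernelMode:true /useAppPoolCredentials:false /commit:apphost
}
else {
    # Exception: tickets are issued for the domain account's SPN, so the
    # machine account cannot decrypt them. Keep kernel mode, but make IIS
    # use the pool's credentials for decryption.
    & $appcmd set config $site "-section:$section" `
        /enabled:true /useKernelMode:true /useAppPoolCredentials:true /commit:apphost

    # Confirm which SPNs are registered to the account the pool runs as.
    setspn -L $domainAccount
}

# 2. Re-read the section to confirm what was written to applicationHost.config.
& $appcmd list config $site "-section:$section"
```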


DEMO: Kernel Mode Auth / Creating Self-Signed Certificates

Jaskirat Singh │ Technical Lead, Microsoft

Management Api And APPCMD tool

The IIS management API allows complete manipulation of the XML configuration files and convenient access to server objects. The management classes reside in the Microsoft.Web.Administration namespace.

Example: Create New Website

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Web.Administration;

namespace MSWebAdmin_Application
{
    class Program
    {
        static void Main(string[] args)
        {
            // ServerManager is the entry point to the IIS configuration.
            ServerManager serverManager = new ServerManager();
            // Add(name, physicalPath, port) creates the site with an HTTP binding on port 8080.
            Site mySite = serverManager.Sites.Add("Racing Cars Site", @"d:\inetpub\wwwroot\racing", 8080);
            mySite.ServerAutoStart = true;
            // Nothing is written to the configuration until CommitChanges() is called.
            serverManager.CommitChanges();
        }
    }
}


Management Api And APPCMD tool

AppCmd.exe is the single command line tool for managing IIS 7

Some of the things you can do with AppCmd:
Create and configure sites, apps, application pools, and virtual directories
Start and stop sites, and recycle application pools
List running worker processes, and examine currently executing requests
Search, manipulate, export, and import IIS and ASP.NET configuration


DEMO: Management API and APPCMD

Jaskirat Singh │ Technical Lead, Microsoft

Running 32 bit and 64 bit worker process side by side on same server

Previously, on 64-bit Windows, worker processes (w3wp.exe) could run either in 32-bit or in 64-bit mode, but not both at the same time. Good news: on IIS 7.x, we can run 32-bit and 64-bit worker processes at the same time.

You can change the configuration manually, through the UI, or using AppCmd.

Using AppCmd:
appcmd set apppool /apppool.name:MyAppPool32bit /enable32BitAppOnWin64:true
appcmd set apppool /apppool.name:MyAppPool64bit /enable32BitAppOnWin64:false


IIS 7 Application Pool Identities

Worker processes in IIS 6.0 run as NETWORKSERVICE by default (a low-privilege account).

Why ApplicationPoolIdentity in IIS 7?

Over time, more and more Windows system services started to run as NETWORKSERVICE. This is a problem because services running as NETWORKSERVICE can tamper with other services that run under the same identity. Because IIS worker processes run third-party code by default (Classic ASP, ASP.NET, PHP code), it was time to isolate IIS worker processes from other Windows system services and run IIS worker processes under unique identities.

For every Application Pool you create, the IIS Admin Process (WAS) will create a virtual account with the name of the new Application Pool and run the Application Pool's worker processes under this account. For DefaultAppPool, the account is represented as "IIS AppPool\DefaultAppPool".

However, the identity is not a real user account; it will not show up as a user in the Windows User Management Console.
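An added example (not part of the original slides) that puts this into practice with AppCmd and icacls from PowerShell: a dedicated pool runs as its own virtual account, and that account is granted read-only access to the site content by name, even though it never appears in the user management console. The pool name is an assumption; the site name and path reuse the Management API example above and assume that site already exists.

```powershell
# Added example; names and paths are assumptions, adjust to your server.
$appcmd  = "$env:windir\System32\inetsrv\appcmd.exe"
$pool    = 'RacingCarsPool'              # hypothetical pool name
$site    = 'Racing Cars Site'            # site from the Management API example
$content = 'D:\inetpub\wwwroot\racing'   # content path from the same example

# 1. Create a dedicated pool so this site does not share an identity
#    with any other site or Windows service.
& $appcmd add apppool "/name:$pool"

# 2. Run the pool as its own virtual account ("IIS AppPool\<pool name>").
& $appcmd set apppool "/apppool.name:$pool" `
    /processModel.identityType:ApplicationPoolIdentity

# 3. Move the site's root application into the new pool.
& $appcmd set app "$site/" "/applicationPool:$pool"

# 4. Grant the virtual account read and execute on the content only.
#    (OI)(CI) makes files and subfolders inherit the entry. No write access
#    is granted, so code running in the pool cannot modify the site files.
icacls $content /grant "IIS AppPool\${pool}:(OI)(CI)RX"

# 5. Verify: the ACL now lists the virtual account, the pool configuration
#    shows identityType="ApplicationPoolIdentity", and running worker
#    processes are listed with the pool they belong to.
icacls $content
& $appcmd list apppool $pool /config
& $appcmd list wp
```

If the application has to write somewhere (uploads, logs), grant modify rights on that one folder to the same virtual account instead of widening the ACL on the whole content tree.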


Server Core

Minimal installation option for Windows 2008
Available for x86 and x64
No user interface, only CMD

Core subsystems: Security Logon, networking (TCP/IP), file system, etc.
Basic set of management tools: configure IP address, create users, notepad, taskmgr

Fewer patches: 60% less than Windows 2000

More Secure, Reliable and Less Management


IIS 7/7.5 Remote management And Feature delegation

Prerequisites for remote management: IIS 7.0 on Windows Server® 2008 or IIS 7.5 on Windows Server 2008 R2

The default IIS 7 installation options do not include the Management Service (also referred to as the Web Management Service, WMSVC), which is required for remote administration.

Only a Windows administrator can connect remotely at the "Server" level; an IIS user cannot.

You can connect to IIS 7/7.5 remotely from Windows XP SP2, Windows 2003 SP1 and Windows 7 after installing IIS Remote Manager.

To enable write permission for any feature, you have to configure permissions and file ACLs:
For an IIS Manager user: on the service account (NT Service\WMSVC by default)
For Windows users: on each Windows user or group


DEMO: IIS 7 Remote Management and Feature Delegation

Jaskirat Singh │ Technical Lead, Microsoft

App Warm Up Module

Improving site performance
Individual pages run faster
Hide start-up cost for a cold application

Application Warm-Up Module in IIS 7.5 allows applications to start automatically without a request:

<applicationPools>
    <add name="MyApplicationPool" startMode="AlwaysRunning" />
</applicationPools>

This helps us reduce the initial warm-up time for applications on the first request.


DEMO: App warm Up Module

Jaskirat Singh │ Technical Lead, Microsoft

Troubleshooting using FREB

It helps to figure out exactly what is happening with your request and at what point it failed.

It can be used to measure performance of the request

It can help in figuring out Module loading and executing order


DEMO: Enabling FREB Tracing

Jaskirat Singh │ Technical Lead, Microsoft

virtual techdaysTHANKS│18-20 august 2010

[email protected] │ http://blogs.msdn.com/jaskis