Administration of an IIS 7.0 Web Server • Chapter 16 817 slightly different than in previous versions of IIS. The important change is that virtual directories in IIS 6.0 were typically assigned to the application of their parent, where IIS 7.0 creates a new root application. To create a new virtual directory, you do the following: 1. In the left column, select the Web site where you would like to create a virtual directory. 2. Right-click the Web site—for example, Default Web Site. 3. Click Add Virtual Directory… 4. In the Add Virtual Directory Wizard, type alias and enter the path. 5. Click OK. Creating Applications Many veteran IIS administrators were very familiar with the concepts sites and virtual directories, though, not nearly as familiar with applications. On the other hand, Web developers typically are the opposite and are focused on applications. IIS 7.0 brings the concept of applications to the forefront and makes applications fi rst-class citizens. This isn’t to say they haven’t been important in the past, just that they typically weren’t the focal point—something that is certainly different in IIS 7.0. The key concept to grasp about applications is that applications are the fundamental building blocks of your Web sites. They are where your developers or Web business-logic is executed and where applications are assigned to a specifi c application pool. To isolate them fully, you would have one application per application pool, though you can certainly have many applications all participating in the same application pool. To create a new application, do the following: 1. In the left column, select the Web site where you would like to create a virtual directory. 2. Right-click the Web site—for example, Default Web Site. 3. Click Add Application… 4. In the Add Application Wizard, type alias, select an application pool, and enter the path. 5. Click OK. Creating Application Pools Application pools is a concept that was added in IIS 6.0. In IIS 7.0, it changed very little and is basically the same and defi nes what applications run within what worker process. This is IIS’s isolation functionality and is where you can recycle, change process identity security, and view health and diagnostics information. By default, IIS 7.0 provides you with a single application pool called DefaultAppPool. 818 Chapter 16 • Administration of an IIS 7.0 Web Server To create an application pool, do the following: 1. In the IIS Manager Connections pane, expand the server node and click Application Pools. 2. On the Application Pools node, right-click and choose Add Application Pool… 3. In the Add Application Pool dialog, provide a name for the application pool in the Name fi eld. 4. From the .NET Framework version list, select the version required by your managed applications. Otherwise, choose No Managed Code if the applications in this pool don’t require the .NET Framework. 5. From the Managed pipeline mode list, select the ASP request processing mode. 6. Select the Start application pool immediately check box to start the pool when the WWW service is started. 7. Click OK to create the new Application Pool. SOME INDEPENDENT ADVICE The default behavior for adding new Web sites in Windows Vista is to add it to the DefaultAppPool. This behavior is by design since Windows Vista is a client environment and isolating each Web site and its root application into its own application pool would hinder the performance of the client. In Windows Server “Codenamed” Longhorn, though, each time you create a new Web site using IIS Manager it will create a new application pool. This behavior is expected and creates maximum isolation of your Web applications and is a good security practice. NOTE The Actions pane provides the same “right click” functionality for the Application Pools. Changing Authentication Settings You can take several actions in the security space, such as changing the authentication type for your Web site or application. The needs of your Web applications often differ even though they are running on the same server and it is important to understand how to change authentication settings. Administration of an IIS 7.0 Web Server • Chapter 16 819 Authentication in IIS 7.0 IIS 7.0 offers several options like previous versions of IIS for authenticating to your Web server. The default behavior for a typical installation of IIS 7.0 is to have all authentication types disabled except anonymous authentication. Enabling Basic Authentication Basic authentication is a standards-based authentication for HTTP clients. It is a popular authentication when protected by SSL, but should not be used on the Internet without protecting the authentication with SSL since it will expose your user’s credentials, given it is an insecure protocol. To enable Basic authentication, click the left column of your Web site, then follow these steps: 1. On the Web site home page, double-click Authentication. 2. Select Basic Authentication by clicking it. 3. In the right-column, click Enable in the Actions. Enabling Windows Authentication In Intranet environments, it is common to disable anonymous authentication and enable Windows authentication. In IIS 6.0, Windows authentication was enabled by default but this isn’t the case in IIS 7.0. There is often a lot of confusion around Windows authentication because it has a couple of authentication protocols in it, namely NT Challenge\Response (NTLM) and Kerberos. The default setting is to allow both in IIS 7.0 and let the client select the protocol to use. To enable Windows authentication: 1. Click your Web site in the left column. 2. On the Web site home page, double-click Authentication. 3. Select Windows Authentication by clicking it. 4. In the right-column, click Enable in the Actions. SOME INDEPENDENT ADVICE It is possible that when viewing Authentication in IIS Manager you will not see all the supported IIS 7.0 authentications in the list. This is what happens when you have chosen not to install the authentication during setup. If you do not see the authentication type you want, use setup to add the features binaries and then restart IIS Manager. 820 Chapter 16 • Administration of an IIS 7.0 Web Server Enabling Digest Authentication Digest authentication is a standards-based authentication protocol defi ned in RFC 2617 (www.ietf.org/rfc/rfc2617.txt). In IIS 7.0, there is only one version of digest authentication, unlike in IIS 6.0. For more information on digest authentication, see the following Microsoft Webcast www.iis.net/default.aspx?tabid=2&subtabid=26&i=67. To enable Digest authentication: 1. Click the left column of your Web site. 2. On the Web site home page, double-click Authentication. 3. Select Digest Authentication by clicking it. 4. In the right-column, click Enable in the Actions pane. Enabling Forms Authentication The integration between IIS and ASP.NET is unprecedented in IIS 7.0. This integration lets you protect all your content using ASP.NET’s forms-based authentication. This cookie or cookie-less- based authentication allows Web applications to be authenticated using credentials other than Windows. For more information on forms authentication, see the following http://msdn2.microsoft. com/en-us/library/aa480476.aspx. To enable forms authentication: 1. Click the left column of your Web site. 2. On the Web site home page, double-click Authentication. 3. Select Forms Authentication by clicking it. 4. In the right-column, click Enable in the Actions pane. SOME INDEPENDENT ADVICE When using Forms Authentication, you will need to do a bit more work than just enabling it in IIS. You are required to create a default login page using ASP.NET’s login control and save that page. The default settings for Forms Authentication are available in IIS Manager by clicking Edit after selecting Forms Authentication. Viewing Worker Process Details IIS 7.0 gives administrators some incredible information about what is occurring in IIS’s worker processes. This includes giving you the ability to see what requests are currently executing within a worker process and other details, like how long it has been executing. This is all available by viewing worker process details in IIS Manager. Administration of an IIS 7.0 Web Server • Chapter 16 821 To view currently executing requests within a worker process: 1. Click the left column of the server. 2. Select Worker Processes on the home page. 3. Click DefaultAppPool. 4. In the Actions pane, click View Current Requests. Changing Diagnostic Settings IIS 7.0 offers some powerful diagnostics capabilities, in particular the all-new Failed Request Tracing. You will learn more about failed request tracing in Chapter 17, but for our purposes here we will show you how to enable failed request tracing to assist you in troubleshooting your Web applications. Failed request tracing is a two-step process when using IIS Manager. The fi rst step is to enable tracing for the server, and then confi gure your rule for tracing to capture the data. Do the following to enable Failed Request Tracing: 1. Click the left column of your Web site. 2. In the right column, click Failed Request Tracing under Confi gure. 3. In the Edit Web Site Failed Request Tracing Settings, check Enable and choose a path for your log fi les. 4. Choose the number of log fi les to maintain in the Maximum number of trace fi les. 5. Click OK. BEST PRACTICES FROM MICROSOFT For Web sites that are heavily used with hundreds of requests per second, it is recommended you set the Maximum number of trace fi les much higher than the default of 50. This will aid you in ensuring that when your problem occurs you will not have lost the data because of the busy nature of the site. Selecting Rules for Failed Request Tracing The key step to ensuring you capture the right data is to set up the right rule. You will learn later that you can set up multiple rules for your server, site, or application to assist you in troubleshooting your problem. The key step to understand is how to narrow your rule to capture only the data you need, nothing more. In our example, we will show how to use a simple rule for capturing data when a HTTP 500 error occurs. HTTP 500 errors are defi ned as server failures and come in various fl avors. . applications. On the other hand, Web developers typically are the opposite and are focused on applications. IIS 7.0 brings the concept of applications to the forefront and makes applications fi. pool, and enter the path. 5. Click OK. Creating Application Pools Application pools is a concept that was added in IIS 6.0. In IIS 7.0, it changed very little and is basically the same and defi. worker process. This is IIS’s isolation functionality and is where you can recycle, change process identity security, and view health and diagnostics information. By default, IIS 7.0 provides