When I created a website named Portal on my IIS 7.5 on the website permissions->security I got this user. What is its purpose?

From what I have read the ApplicationPool runs under NetworkService permissions, but I noticed if I gave Portal user full permissions I could do the saving I wanted in the virtual folder without needing to impersonate any other user (I used to impersonate admin which was a bad idea). So I guess my question is, should I be setting permissions on this Portal user without knowing how it came about?

It seems that this user did not get created when I created the website, but did so when I published to the website from VS 2010.

In IIS 7.5 the default behavior is to run all application pools under a specific account for the individual application. You can of course change this if you modify the application pool settings.

Regardless, yes, setting permissions against this user is the desired behavior as it limits the potential attack surface rather than using a generic network service account as in the past.

You can read more about the change to default accounts in IIS here.

Check more discussion of this question.

This error is logged once I create a website:

The World Wide Web Publishing Service (WWW Service) did not register the URL prefix http://*:80/ for site 6. The necessary network binding may already be in use. The site has been disabled. The data field contains the error number.

I followed this link but there is no ListenOnlyList, instead I saw UrlAclInfo which contains this:

C:\Users\Administrator>netstat -ano | find ":80" |find /i "listen"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4

4 is the pid number of System process.

Any ideas to fix this?

As stated here Un-Install Microsoft Web deploy and then Re-Install it using command line with these parameters:

msiexec /I <msi_filename> /passive ADDLOCAL=ALL LISTENURL=http://+:8080/MsDeployAgentService2/

Check more discussion of this question.

I have 2 servers running the exact same Classic ASP code with Access DBs (yes, not ideal, but it is what it is, for now).

1) Xeon 5520 @ 2.27 GHz (6 GB Memory)

2) Xeon E5-2620 @ 2.00 GHz (2 processors, 32 GB Memory)

For most pages the newer E5-2620 processes the pages between 10-15% faster. On pages requiring heavy and/or multiple complicated access stored procedures (queries) the older 5520 does a much better job.

I believe the servers are configured nearly identically. My question: is it possible that the newer, multi-processor server is not as good at handling Classic ASP as the older single processor?

Is there a configuration difference that needs to be in place that I’m missing since I’m shooting for identical implementations?

For a Classic ASP with Access Databases I can definitely say that the Dual Processor Xeon E5-2620 is not a faster server than the Xeon 5520. Basically, it’s the clock speed here – the 2.27 GHz on the older machine processes the ASP code quicker than the 2.00 GHz Dual Core E5-2620.

As an aside I just set up a 3.4 GHz single processor server and it is quicker than both the machines earlier discussed. For Classic ASP processor speed is definitely the determining criteria.

Check more discussion of this question.

Is it possible to run IIS7/7.5 on Windows Server 2003?

No, since IIS4, the IIS version has been tied to the OS version.

IIS7, specifically, has many hooks into Server 2008 features that don’t exist in Server 2003. So even if you were able to force the installer to complete on 2003, IIS would not work. Upgrade to a newer OS, or live with IIS 6.

Check more discussion of this question.

http://technet.microsoft.com/en-us/library/cc732742(WS.10).aspx

The above URL describes how to start/stop an IIS 7 app pool. However, I have spaces in my app pool name. Double-quotes doesn’t work. Ideas?

C:\Windows>C:\Windows\System32\inetsrv\appcmd stop apppool /apppool.name: My Ap
p Services
Failed to process input: The parameter 'App' must begin with a / or - (HRESULT=8
0070057).C:\Windows>C:\Windows\System32\inetsrv\appcmd stop apppool /apppool.name: "My A
pp Services"
ERROR ( message:The attribute "apppool.name" is not supported in the current com
mand usage. )

Type appcmd list apppool, and use exactly what it lists there in your appcmd start apppool /apppool.name:

It does look like names with spaces will be escaped with double quotes. Post the exact command you’re trying to run ; perhaps you missed the colon or there’s another problem with the syntax?

Edit – you’re adding a space between the colon and the first double-quote. Remove that space, use the double-quote, and see what happens.

Check more discussion of this question.

We’ve finally set-up our server to accept ldap SSL connections thanks to another question answered by a helpful member.

Our problem now is that when attempting to bind to ldap using the below simple PHP script, we constantly fail. Binding using ldap instead of ldaps works just fine using the script so I know the ldap is enabled. The catcher is that while using LDP.exe, we can successfully connect and bind to ldap on port 636 using a secure connection.

The script we are failing with is below:

<?php
$ldap = ldap_connect("ldaps://localhost");
$username="user";
$password="pass";if($bind = ldap_bind($ldap, $username,$password ))
echo "logged in";
else
    echo "fail";
    echo "<br/>done";
    ?>

We’ve also attempted inputting the username as “user@domain” or “domain/user” with no success. It seems I’m forever having LDAP/Cert questions. Our environment is Server 2008.

Followed: http://greg.cathell.net/php_ldap_ssl.html

Looks like steps #3, #5-7 needed be complete in Windows.

Check more discussion of this question.

I’m having a problem very similar to IIS 7.5 FTP IIS Manager Users Login Fail (530) on Windows Server 2008 R2 Standard.

I have created an FTP site and IIS Manager user but am having trouble logging in. I could really do with getting this working with the IIS Manager user rather than by creating a new system user since I’m fairly restricted with those accounts.

Here is the output when connecting locally through command prompt:

C:\Windows\system32>ftp localhost
Connected to MYSERVER.
220 Microsoft FTP Service
User (MYSERVER:(none)): MyFtpLogin
331 Password required for MyFtpLogin.
Password: ***
530-User cannot log in.
 Win32 error:   Logon failure: unknown user name or bad password.
 Error details: An error occured during the authentication process.
530 End
Login failed.

I have followed the guide to configure ftp with iis manager authentication in iis 7 and Adding FTP Publishing to a Web Site in IIS 7

Things I have done and checked:

• The FTP Service is installed (along with FTP Extensibility).
• Local Service and Network Service have been given access to the site folder
• Permission has been given to the config files
• Granted read/write permissions to the FTP Root folder
• The Management Service is installed and running
• Enable remote connections is ticked with ‘Windows credentials or IIS manager credentials’ selected
• The IIS Manager User has been added to the server (root connection in the IIS connections branch)
• The new FTP site has been added
• IIS Manager Authentication has been added to the FTP authentication providers
• The IIS Manager user has been added to the IIS Manager Permissions list for the site
• Added Read/Write permissions for the user in the FTP Authorization Rules

Here’s a section of the applicationHost config file associated with the FTP site

<site name="MySite" id="8">
    <application path="/" applicationPool="MyAppPool">
        <virtualDirectory path="/" physicalPath="D:\Websites\MySite" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:80:www.mydomain.co.uk" />
        <binding protocol="ftp" bindingInformation="*:21:www.mydomain.co.uk" />
    </bindings>
    <ftpServer>
        <security>
            <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow" />
            <authentication>
                <basicAuthentication enabled="true" />
                <customAuthentication>
                    <providers>
                        <add name="IisManagerAuth" enabled="true" />
                    </providers>
                </customAuthentication>
            </authentication>
        </security>
    </ftpServer>
</site>...<location path="MySite">
    <system.ftpServer>
        <security>
            <authorization>
                <add accessType="Allow" users="MyFtpLogin" permissions="Read, Write" />
            </authorization>
        </security>
    </system.ftpServer>
</location>

If I connect to the Site (not FTP) from my local IIS Manager using the same IIS Manager account details then it connects fine, I can browse files and change settings as I would locally (though I don’t seem to have an option to upload files). Trying to connect via FTP though either through the browser or FileZilla etc… gives me:

Status: Resolving address of www.mydomain.co.uk
Status: Connecting to 123.456.12.123:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    USER MyFtpLogin
Response:   331 Password required for MyFtpLogin.
Command:    PASS *********
Response:   530 User cannot log in.
Error:  Critical error
Error:  Could not connect to server

I have tried collecting etw traces for ftp sessions, in the logs I get a FailBasicLogon followed by a FailCustomLogon, but no other info:

FailBasicLogon  SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | ErrorCode=0x8007052E
StartCustomLogon    SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | LogonProvider=IisManagerAuth
StartCallProvider   SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | provider=IisManagerAuth
EndCallProvider SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55}
EndCustomLogon  SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55}
FailCustomLogon SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | ErrorCode=0x8007052E
FailFtpCommand  SessionId={cad26a97-225d-45ba-ab1f-f6acd9046e55} | ReturnValue=0x8007052E | SubStatus=ERROR_DURING_AUTHENTICATION

In the normal FTP logs I just get:

2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 ControlChannelOpened - - 0 0 e2d4e935-fb31-4f2c-af79-78d75d47c18e -
2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 USER MyFtpLogin 331 0 0 e2d4e935-fb31-4f2c-af79-78d75d47c18e -
2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 PASS *** 530 1326 41 e2d4e935-fb31-4f2c-af79-78d75d47c18e -
2012-10-23 16:13:11 123.456.12.123 - 123.456.12.123 21 ControlChannelClosed - - 0 0 e2d4e935-fb31-4f2c-af79-78d75d47c18e -

If anyone has any ideas than I would be very grateful to hear them. Many thanks.

So after many lost hours, I came back to this with fresh eyes and new fire in my soul. It seemed I was a little too focused on what settings the new FTP site had and paid little attention to other influences.

It turned out that there was a global ‘Default FTP Site’ which was catching all FTP requests on port 21, since the user wasn’t added to the list of authorised accounts for this site, it was returning an unauthorised response.

Adding the user to the default FTP site enabled me to log in, but I was then getting put into the root FTP directory for the default site (similar to http://forums.iis.net/t/1156913.aspx). Changing the Log on to <hostheader>|<username> didn’t work either and returned a 530 Valid hostname is expected response.

After banging my head on the desk a few times I went back and checked and re-checked each and every setting. Typically in the end it turned out to be a typo in the host header name set in the site bindings. Logging on using <hostheader>|<username> subsequently worked once the typo had been fixed.

In Summary

1. I needed to log in using the <hostheader>|<username> format in
   order for IIS to pick up which site I intended to log in to
2. I had a typo in the hostheader value in the site bindings

Check more discussion of this question.

Really need some help here. I am at a loss. I am trying to install a webservice that some other guy wrote in .NET. I have some basic IIS understanding. The webservice works just fine on my dev computer. But now i try to move the webservice to a production server and bad things happens.

The webservice has been located in C:\inetpub\wwwroot\ dir on the dev server. But on this production server it is to be located in D:\services\

I have managed to install an application on the production server and everything seems fine and dandy. But when i “Test Settings” in the initial setup i get “Invalid application path” error. But i can just close it down and still install it. But when i try to access the webservice with: http://myserver.com/webservice/GetData nothing happens. Just a blank page and when i check the response headers…500 error.

I don´t know what is going on here or where the problem is. I post the config file here so someone hopefully might notice something odd.

Thanx in advance!

EDIT: The config file is from my dev server. I just copied it to my production server…but that obviously didn´t work

UPDATE: I noticed that my dev server run in an Application pool with Net 4 and in “classic” “mode”. On the production server it was in NET 4 but in “integrated” mode. So i changed it to “classic”. I still get a blank page. But checking the log will output this:

2012-10-03 14:57:00 ip removed GET /boo/GetData – 80 – ip removed Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:15.0)+Gecko/20100101+Firefox/15.0.1 404 2 1260 203

UPDATE 2: Thank you guys for your help. Your comments helped what to look for. After ALOT of log looking, and rights management i got to this page:
http://support.microsoft.com/kb/942040

After checking ISAPI and CGI Restrictions on server level i found out that .NET 4 and .NET 4 64 was not allowed. After allowing both, FINALLY my webservice started to talk.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <identity impersonate="true" />
    <!-- Impersonate NT AUTHORITY/IUSR -->
    <compilation targetFramework="4.0">
      <assemblies>
        <add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b7735c561131e089" />
      </assemblies>
    </compilation>
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <httpErrors existingResponse="PassThrough" />
    <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
   </httpProtocol>
        <directoryBrowse enabled="false" />
  </system.webServer>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <standardEndpoints>
      <webHttpEndpoint>
        <!-- 
            Configure the WCF REST service base address via the global.asax.cs file and the default endpoint 
            via the attributes on the <standardEndpoint> element below
        -->
        <standardEndpoint name="" helpEnabled="true" automaticFormatSelectionEnabled="true" />
      </webHttpEndpoint>
    </standardEndpoints>
  </system.serviceModel>
  <connectionStrings>
    <add name="Entities" connectionString="metadata=res://*/DataModel.csdl|res://*/DataModel.ssdl|res://*/DataModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=someip;initial catalog=db_90;User ID=user1;Password=access2;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
  </connectionStrings>
</configuration>

This may be a better question for stackoverflow.com but I’ll take a stab at it for now.

From an IIS perspective if you can find out the specific 500 error it may give a big clue. Check the IIS logs in c:\inetpub\logs\Logfiles\w3svc{siteid}. Find the records for your failed tests and towards the end of the records you should see a 500{space}{something}{space}{something}. It’s the {something}’s that have further clues.

Another test is to create a simple test.aspx in the root folder of the site and make sure that the IIS site works well too.

Check more discussion of this question.

I have created certificates based on this tutorial:

http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/

Then I have imported “MyPersonalCA.cer” on IIS host server based on this tutorial:

http://www.networksolutions.com/support/installation-of-an-ssl-on-certificate-microsoft-iis-7-x/

I had to import the certificate via MMC, because IIS is giving me an error:

“Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.”

As stated this is a known bug, but i cant get pass the error.

I have imported certificate in Certificate (LocalComputer) snap in and provided a friendly name. It all looks ok.

But i still cant select the certificate on my webpage binding in IIS when trying to enable SSL.

EDIT

Ok I went as suggested and issued the .CER file via CertAuthority.
On another machine I have installed Windows Server and CA. I have created a request in IIS and issued myself a .CER file.
This file I can normaly import to Windows7 IIS.

But now I want to create client certificates.
The certificate is missing PVK file and i cant create client certificates as described in the first link.

Will post another question …

System: Windows7 Home Premium SP1 32bit,IIS 7.5

Can someone point me to the right direction on this?

You may have to reissue your cert using a new CSR check out the following link. It is similar to the directions you have already followed but with a little more instruction to getting around this error.

http://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm

Check more discussion of this question.

ASP.NET WEB API
Windows Server 2008 R2/IIS 7.5/Web Farm Framework 2.5

I am planning to deploy application across 4 web servers.

Should i use shared content/configuration using DFS among web servers for web farm scenario?

Second option is to use Web Farm Framework for deployment.

Furthermore, is there chance of single point of failure in WFF? for example what if primary server goes down.

which option would be better? pros and cons of each of the above.

I appreciate your response.

The Web Farm Framework is easy. The only SPOF exists when integrating with an external load balancer as opposed to using the built in Application Request Routing. This is mainly because unless your load balancer is able to detect a failure on the server it may still try to route to that server.

If you are just deploying a single application the WFF is a perfect choice and MUCH easier to configure than the traditional shared config setup.

Check more discussion of this question.