This is the main presentation on Remote administration Centralized Configuration Command line and...


Page 1: This is the main presentation on Remote administration Centralized Configuration Command line and scripted admin tool Do not review the configuration.

IIS7 Administration
• Remote Administration
• Shared Configuration
• Scripted Administration

Page 2:

Remote Administration
• IIS Manager has built-in remote administration capabilities
• Terminal Services or Admin web site not required
• Clients are IIS Manager from XP, 2003, Vista and Longhorn
• Custom add-ins are downloaded to remote
• Uses the WMSVC service (Windows Service)
• Requires Management Service be installed in Server Manager

Page 3:

Remote Service by WMSVC
• Enable in the IIS Manager
• Turned off by default
• Essentially a web application running on a standalone server
• Runs as Local Service (NT Service\WMSVC)
  • If using UNC content, you need to run as an identity with UNC access
• Startup is set to Manual
  • Change to automatic to enable on reboot:
    sc config WMSVC start= auto
• Enforces HTTPS

bhill
????

Page 4:

Remote Configuration Options
• Type of User (Windows or IIS Manager)
• Connections
  • Can be bound to a specific IP
  • Configurable port for listening
    • Set to 8172 by default
    • When connecting, specify the port using <machine>:<port> (e.g. myserver:5050)
• Logging can be turned on/off and the log directory can be modified
• Certificate for SSL is preinstalled
• IP and Domain restrictions
  • Ability to restrict connections to specific IP addresses/domains
  • Ability to block specific IP addresses/domains

Page 5:

Log files
• Logs all HTTP connections to the WMSvc service
• Logs stored at: <os drive>:\inetpub\logs\wmsvc
• Useful for auditing
• W3SVC log file format
• Service errors visible in Event Viewer (eventvwr.exe)
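One way to use the WMSVC logs for auditing, as an added example that is not part of the original presentation: it reads W3C extended format text, counts 401 responses per client address and lists which addresses each authenticated user connected from. The sample log lines, the field list, the threshold and the function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended format; real WMSVC logs are stored
# under <os drive>:\inetpub\logs\wmsvc and may carry a different field list.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2007-05-01 10:00:01 10.0.0.5 POST /Service.axd 8172 - 192.0.2.10 401
2007-05-01 10:00:02 10.0.0.5 POST /Service.axd 8172 - 192.0.2.10 401
2007-05-01 10:00:03 10.0.0.5 POST /Service.axd 8172 - 192.0.2.10 401
2007-05-01 10:05:00 10.0.0.5 POST /Service.axd 8172 siteowner 198.51.100.7 200
2007-05-01 10:06:00 10.0.0.5 POST /Service.axd 8172 - 198.51.100.7 401
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or damaged lines
                rows.append(dict(zip(fields, values)))
    return rows


def audit(rows, max_failures=3):
    """Return (client IPs with >= max_failures 401s, {user: [client IPs]})."""
    failures = Counter()
    logons = defaultdict(set)
    for row in rows:
        status = row.get("sc-status", "")
        user = row.get("cs-username", "-")
        client = row.get("c-ip", "?")
        if status == "401":
            # A single 401 can be an ordinary challenge, hence the threshold.
            failures[client] += 1
        elif user != "-" and status.startswith("2"):
            logons[user].add(client)
    suspects = sorted(ip for ip, n in failures.items() if n >= max_failures)
    return suspects, {u: sorted(ips) for u, ips in logons.items()}


if __name__ == "__main__":
    print(audit(parse_w3c(SAMPLE_LOG)))
```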

Page 6:

Installing the Remote Administration Service

demo

Page 7:

Control is Scoped to Role
• Administrators:
  • Control entire web server remotely
• Non-administrators:
  • Identity stored as Windows Users or “IIS Manager Users”
  • Control of sites/applications
    • Developers
    • Site owners
    • Application owners
• Administrator decides what the user can view/change with Feature Delegation

Page 8:

Remote Windows Users
• Only Administrator can connect to server node
  • Can see all settings and connect to other nodes
  • Does not need explicit permissions
  • If Remote Administration is enabled, a server administrator can log in.
• Non-admins can connect to sites and apps
  • Explicit permission required
  • Content can be ACL’d for greater security

bhill
Not sure what this means here. Is this to prevent them from browsing other people's content?

Page 9:

Remote IIS Manager Users
• Created in the IIS Manager
  • Only used by WMSVC and Admin UI
  • Not used by any other IIS components
  • DOES NOT map to Windows users
• Stored in administration.config by default
• Uses an IIS Authentication Provider
  • The authentication provider can be replaced by a custom authentication provider, e.g. one which stores authentication info in SQL Server.
• Only used for site/application connections

bhill
If you copy administration.config to another system, are these users still valid?

Page 10:

Authorizing Users for Remote Administration

demo

• Creating IIS Manager Users
• Site/Application Permissions
• Authorizing Access
• Connecting to Sites

Page 11:

Remote Admin and Delegation
• Remote users can only edit delegated features
• Changes are written to web.config
• Most features shown by default
• Non-delegated features can be hidden from remote user
• Allows creation of custom UI for remote users

Page 12:

Connection Scope and Config

| Connection Scope | Users who can connect | Configuration (where config changes go) |
|---|---|---|
| Server | Windows Administrators | applicationHost.config |
| Site | Windows Administrators, Windows Users, IIS Manager Users | web.config |
| Application | Windows Administrators, Windows Users, IIS Manager Users | web.config |

Page 13:

Customizing the IIS Manager for Remote Users

demo

Page 14:

Shared Configuration
• Designed for web farm scenario from the start
• Multiple servers share a single configuration file
• UNC share is created for master config
• When configured, servers direct config requests to share location
• A local or domain user is specified as identity for remote access

Page 15:

Shared Config Setup
• Export Settings using IIS Manager Shared Config feature
• Create identical local user [Configuser] on all web servers (or use a domain account)
  • Assign user the right “Log on as a batch job”
• Create a share for config files
  • Share permissions are [Configuser] Change
  • ACLs are [Configuser] Read
• Place config files in UNC path
• Edit redirection.config

Page 16:

Shared Config Limits
• Designed to work in homogeneous farm
• Potential issues adding new components to IIS
• Potential issues extending configuration
• Farm story still a work in progress

Page 17:

Shared Configuration

demo

Page 18:

Automating IIS 7 Administration
• ADSI: IIS 6 Compatibility
• APPCMD: General purpose command line utility
• WMI: Improved for Longhorn and IIS7
• Microsoft.Web.Administration: Managed API to control state and configuration
• PowerShell: Use with Microsoft.Web.Administration and WMI

Page 19:

Using APPCMD

demo

Page 20:

Scripting: IIS6 WMI Provider

Create Site

Create Virtual Directory

Create Application

NOT CONSISTENT

    Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

    ' Create binding for new site
    Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
    oBinding.IP = ""
    oBinding.Port = "80"
    oBinding.Hostname = "www.site.com"

    ' Create site and extract site name from return value
    Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
    strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
    Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
    objPath.Path = strSiteName
    strSitePath = objPath.Keys.Item("")
    Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
    oSite.Start

    ' Create the vdir for our application
    Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
    oVDirSetting.Name = strSitePath & "/ROOT/bar"
    oVDirSetting.Path = "C:\inetpub\bar"
    oVDirSetting.Put_

    ' Make the VDir an application
    Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
    oVDir.AppCreate2

Page 21:

Scripting: new WMI Provider

    Set oService = GetObject("winmgmts:root\WebAdministration")

    ' Create binding for site
    Set oBinding = oService.Get("BindingElement").SpawnInstance_
    oBinding.BindingInformation = "*:80:www.site.com"
    oBinding.Protocol = "http"

    ' Create site
    oService.Get("Site").Create _
        "NewSite", array(oBinding), "C:\inetpub\wwwroot"

    ' Create application
    oService.Get("Application").Create _
        "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

Static Create methods

CONSISTENT

Page 22:

Coding: Microsoft.Web.Administration

    using System;
    using Microsoft.Web.Administration;

    ServerManager iisManager = new ServerManager();

    // List each worker process and the requests it is currently executing
    foreach (WorkerProcess w3wp in iisManager.WorkerProcesses) {
        Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
        foreach (Request request in w3wp.GetRequests(0)) {
            Console.WriteLine("{0} - {1},{2},{3}",
                request.Url,
                request.ClientIPAddr,
                request.TimeElapsed,
                request.TimeInState);
        }
    }

Page 23:

Using Microsoft.Web.Administration

demo

With PowerShell…

Page 24:

Compatibility: ABO Mapper
• Provides compatibility for:
  • scripts
  • command line tools
  • native calls into ABO
• Not installed by default
  • Install IIS 6 Compatibility
• Can only do what IIS6 could do…
• Can’t read/write new IIS properties
  • Application Pools: managedPipelineMode, managedRuntimeVersion
  • Request Filtering
  • Failed Request Tracing
• Can’t read/write ASP.NET properties
• Can’t read/write web.config files
• Can’t access new runtime data, e.g. worker processes, executing requests

[Diagram labels: applicationHost.config, IISADMIN, ABOMapper, IIS6 ADSI Script]

Page 25:

Summary
• Remote Administration
  • Built in remote administration
  • Access is scoped to roles and delegation
  • Use HTTPS to connect to remote servers
  • Choice of client operating systems
• Shared Configuration for web farms
• Automated administration tasks with
  • WMI: for enterprise wide management
  • APPCMD: local, general purpose
  • Microsoft.Web.Administration: integrate into deployment and management programs
  • ADSI: IIS6 compat

Page 26:

Page 27:

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 28:

Additional Information

Page 29:

Replicating applicationHost.config
• Will cause all application pools to recycle:
  • changes to default settings for all application pools
  • changes to the <globalModules> list
• Will cause one application pool to recycle:
  • application pool settings
• Use only RSA machine-encryption (default), replicate RSA machine key
  • http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
• Gotchas:
  • Machine specific data, like IP addresses or drive letters
  • Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503s)
  • Assemblies in GAC, certificates, COM+ and other local items
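A pre-replication check for the gotchas listed above, as an added example that is not part of the original presentation: it scans an applicationHost.config for modules missing on the target server, bindings pinned to an IP address and physical paths with drive letters. The sample config, the module name CustomAuthModule, the function name and the way the target's module list is supplied are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; CustomAuthModule is hypothetical.
SAMPLE = r"""<configuration>
  <system.applicationHost><sites>
    <site name="NewSite" id="2">
      <application path="/">
        <virtualDirectory path="/" physicalPath="D:\sites\newsite" />
      </application>
      <bindings>
        <binding protocol="http" bindingInformation="10.0.0.5:80:www.site.com" />
        <binding protocol="http" bindingInformation="*:8080:" />
      </bindings>
    </site>
  </sites></system.applicationHost>
  <system.webServer><globalModules>
    <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
    <add name="CustomAuthModule" image="%windir%\System32\inetsrv\customauth.dll" />
  </globalModules></system.webServer>
</configuration>"""


def replication_findings(config_xml, modules_on_target):
    """Return (kind, detail) tuples for settings likely to break on another server.

    modules_on_target: names of modules installed on the destination server
    (assumed to be collected separately, e.g. from that server's inventory).
    """
    root = ET.fromstring(config_xml)
    findings = []
    # A <globalModules> entry the target lacks is the 503 case from the slide.
    for add in root.iterfind(".//globalModules/add"):
        if add.get("name") not in modules_on_target:
            findings.append(("missing-module", add.get("name")))
    # bindingInformation is ip:port:host; anything but "*" or empty is machine specific.
    for binding in root.iterfind(".//bindings/binding"):
        info = binding.get("bindingInformation", "")
        ip = info.rsplit(":", 2)[0]   # rsplit keeps a bracketed IPv6 literal whole
        if ip not in ("", "*"):
            findings.append(("ip-bound-binding", info))
    # Drive letters must exist on every server that loads this file.
    for vdir in root.iterfind(".//virtualDirectory"):
        path = vdir.get("physicalPath", "")
        if re.match(r"[A-Za-z]:\\", path):
            findings.append(("drive-letter-path", path))
    return findings


if __name__ == "__main__":
    for finding in replication_findings(SAMPLE, {"StaticFileModule"}):
        print(finding)
```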

Page 30:

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.