ict.ken.be
Posts in Category: IIS

Disable cors on IIS 

Categories: IIS

Add the following to the HTTP Response Headers feature in IIS if you run into cross-origin issues (for testing only, of course), e.g. when the browser reports "Request header field Content-Type is not allowed by Access-Control-Allow-Headers".

  • Access-Control-Allow-Origin: *
  • Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
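As an added example (not from the post), the same two headers set with the WebAdministration PowerShell module, but scoped to one site and one calling origin instead of `*`. The site name and origin are placeholders, and it assumes a single origin needs access, since a static header cannot echo several:

```powershell
# Added example: replace the testing-only wildcard with one explicit origin on one site.
# Assumes the WebAdministration module (IIS 7+), a site called 'MySite' (hypothetical)
# and that exactly one origin needs access (placeholder URL below).
Import-Module WebAdministration

$site   = 'IIS:\Sites\MySite'                     # hypothetical site path
$origin = 'https://app.example.com'               # placeholder: the one origin allowed to call this site
$filter = 'system.webServer/httpProtocol/customHeaders'

# Remove a wildcard header left behind by an earlier debugging session, if any.
Remove-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
    -AtElement @{name='Access-Control-Allow-Origin'} -ErrorAction SilentlyContinue

# Allow exactly one origin, plus the request headers the preflight complained about.
Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
    -Value @{name='Access-Control-Allow-Origin'; value=$origin}
Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
    -Value @{name='Access-Control-Allow-Headers'; value='Origin, X-Requested-With, Content-Type, Accept'}

# A fixed origin answer must not be cached and served to a different origin.
Add-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' `
    -Value @{name='Vary'; value='Origin'}

# Verify what the site will now send.
Get-WebConfiguration -PSPath $site -Filter "$filter/add" | Select-Object name, value
```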

IIS SDDL issue when installing IIS after ASP.NET 

Categories: IIS

Just a reminder: use aspnet_regiis -lv to check that the installation is valid.

And aspnet_regiis -i to (re)register ASP.NET if needed.

Introduction to IIS Certificates - Notes 

Categories: IIS Notes

by Paul Lemmers

Ok, this must have been the most confusing 44m of my IT life. I clearly do have almost no knowledge about certificates. (edit: finally starting to understand, and yes it is very important and also a total mess: selfssl, openssl, bouncycastle, certutil, pvk2pfx, makecert, ...) and I actually wonder if there are people who really know this... let alone really understand the specifications.

Alice & Bob story: a certificate is Alice's name plus her public key, signed with a private key (her own, if self-signed).
Object Identifier (OID)
Certificate fields: Subject CN = the name to trust, Issuer (e.g. Go Daddy), Valid from, Valid to, Public Key

An exclamation mark on an extension means it is a critical extension: a client that does not know how to process it should not use the certificate.

Formats

  • DER (binary, *.cer; this is what goes over the network in the SSL handshake)
  • Base-64 encoded (text form, used in XML, e-mail)
  • PKCS#7 (.P7B): export that can include the hierarchy (chain) of certificates
  • PKCS#12 (.PFX): export of a user certificate together with its private key

MMC - Certificates
To make all stores visible, select Certificates in the tree view > View - Options - check Physical certificate stores. All hidden nodes of Trusted Root Certification Authorities become visible. Certificates pushed at enterprise level (group policy) come back into your store after you delete them.

When a machine is used for signing, always use the option to delete the private key from it on export, so the key does not stay behind.

Distinguished Name

E = foo@bar.com
CN = foo bar
CN = foo
DC = local

Subject Alternative Name

Other Name:
  Principal Name = foo@bar.com (UPN name)
RFC822 Name = Foo@Bar.com (e-mail name)

Key Usage (8-bit flags field)
Enhanced Key Usage
An SSL certificate should have Server Authentication as Enhanced Key Usage, and Digital Signature and Key Encipherment as Key Usage. The Common Name should be the DNS name.

Where are the keys stored?

CSP - Cryptographic Service Providers (e.g. when signing with a smart card, the private key 'never' leaves the smart card). In the properties (All Tasks - Manage Private Keys) you set which computer accounts get access to the private key.

certutil (e.g. on Windows 2003)
certutil -dump -v abc.cer
certutil -url abc.cer
certutil -store My
  • Windows - %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (hidden folder; list it with dir /A)
  • Firefox - Tools - Options - Encryption - View Certificates
  • Microsoft Active Directory Certificate Services - psResCA

IIS - Machine Name - Server Certificates
Create Domain Certificate (testing)
Create Certificate Request (from external)
Complete Certificate Request

Self-Signed Certificates
If neither Key Usage nor Enhanced Key Usage is filled in, the certificate can be used for anything.
If you install someone else's self-signed certificate in your Trusted Root store, your machine trusts anything they sign, e.g. a remote connection to your machine!

Certificate Revocation

Certificate - Details - CRL Distribution Point -> URL -> Certificate Revocation List -> serial numbers with revocation date and reason (e.g. http://crl.godaddy.com/gds3-4.crl).

Authority Information Access (OCSP responder, e.g. http://ocsp.godaddy.com) returns the status of this one certificate instead of the complete list of revoked certificates.

Certificate chain building
Walk up from the certificate: each Issuer must match the Subject of the next certificate, until you reach a root certificate, where Issuer = Subject.
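As an added example (not from the notes), a PowerShell check of a certificate file against the Key Usage / Enhanced Key Usage rule above and the chain-building rule, using .NET's X509 classes with online revocation checking. The file path is a placeholder:

```powershell
# Added example: validate a server certificate file. Assumes a DER or Base-64 .cer
# at $path (placeholder) and a Windows machine with the usual trusted root store.
param([string]$path = 'C:\temp\abc.cer')    # placeholder, e.g. the abc.cer from the certutil lines

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

# Enhanced Key Usage must contain Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))
# Key Usage must contain both Digital Signature and Key Encipherment.
$needed      = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
$hasKeyUsage = [bool]($ku -and (($ku.KeyUsages -band $needed) -eq $needed))

"Subject      : $($cert.Subject)"
"Issuer       : $($cert.Issuer)"
"Valid        : $($cert.NotBefore) - $($cert.NotAfter)"
"Server Auth  : $hasServerAuth"
"Key usage OK : $hasKeyUsage"
# No usage restrictions at all means the certificate is usable for anything (see Self-Signed Certificates).
"Unrestricted : $(-not $eku -and -not $ku)"

# Chain building: Issuer = Subject of the next certificate, up to a trusted root,
# with CRL/OCSP revocation checked for every element of the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
"Chain valid  : $ok"
$chain.ChainElements | ForEach-Object {
    "  {0}  <- issued by {1}" -f $_.Certificate.Subject, $_.Certificate.Issuer
}
if (-not $ok) {
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) $($_.StatusInformation)" }
}
```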

Legal
When you create a CA you shift the burden of proof (certificate policies).
Using certificates has legal consequences.


IIS for developers - Notes 

Categories: IIS Notes

by Steve Evans

1. IIS Setup

  • Windows 2000/IIS 5 (the sample page allowed Code Red to attack the machine)
  • Windows 2003/IIS 6 (you had to activate it on the server)
  • Windows 2008/IIS 7 (choose which bits you want to install)
  • Windows 2008 R2/IIS 7.5

Server Manager - Roles - Add IIS

Web Platform Installer
Allows installing plug-ins like WordPress, Orchard CMS, MVC, IIS FTP Publishing Service, IIS Smooth Streaming Client, ...

Remove the default website.

Keep the binding IP address 'All Unassigned', because web servers can have multiple IP addresses.

Remember to also bind the www host name.

SSL certificate
Root - Server Certificates
Create Certificate Request (for testing, use a self-signed certificate issued to the name of the box)
Add an additional binding of type https
One SSL certificate per IP address (without SNI, see IIS 8 below), because the host name is encrypted.
The browser will check that:

  • the date is in range
  • the certificate was created by an authority it trusts
  • the host name matches what is in the certificate

Wildcard certificate (for testing, make one with makecert.exe from the Windows SDK)
Root - Server Certificates - import the .pfx file (e.g. issued to *.site2.com)
Bindings - select the certificate - fill in the subdomain host name (e.g. www.site2.com)

Extended Validation certificates are not available as wildcards.

2. IIS Configuration

If no default document is defined you will get 403.14 - Forbidden when the web server is configured not to list the contents of the directory.

web.config (subfolders can have their own copies; defaultDocument lives under system.webServer)
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <!-- <clear /> breaks inheritance from the parent folder: the list starts empty here.
             Use <remove> instead if you only want to drop single inherited entries. -->
        <clear />
        <remove value="Default.htm" />
        <add value="Home.htm" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

Feature Delegation
If you set a feature to Read Only, the developer will see the setting but not be able to change it in web.config.
IIS will throw a 500.19 if the setting is still present in web.config.
Remember to set those values in IIS instead, or you will get 403.14 again.
When going from Read Only back to Read/Write it is best to revert to the parent to avoid inconsistencies.

Application Pools (worker processes)
In a production environment set the 'Idle Time-out' to 0.
Define a web garden by raising the maximum number of worker processes.
With Ping enabled, IIS checks whether the application pool is healthy and recycles it if not.
By default the application gets recycled:

  • after an idle timeout of 20 minutes
  • every 29 hours (you can configure specific times instead)
  • whenever an unhandled exception occurs
  • whenever a ping gives an unhealthy response
  • whenever the configuration changes

You can set the application pool defaults.
It is best to have only one site per application pool, unless resources are very limited.
You can put part of a site in a separate application pool (right-click the folder, Convert to Application).

3. Manage IIS

Root - Worker Processes - select a pool and you will see all requests that have been running longer than 0 seconds.

Server Manager - Add Role - Health - Tracing
Failed Request Tracing Rules - Add
e.g. trace requests that take longer than 30 seconds
e.g. all pages that return a 500
Edit Site Tracing - location where to store the traces - open the XML for the report

Microsoft Log Parser: http://www.microsoft.com/en-us/download/details.aspx?id=24659

Log Parser Lizard: http://www.lizard-labs.net/log_parser_lizard.aspx

SELECT TOP 100 *
FROM D:\Backups\date_libertinus_eu_logfiles_20121101\W3SVC4\*.log

-- 404s per URL since a given date (the date field is a TIMESTAMP, so convert the literal;
-- input format IISW3C)
SELECT cs-uri-stem, COUNT(*)
FROM D:\Backups\date_libertinus_eu_logfiles_20121101\W3SVC4\*.log
WHERE sc-status = 404 AND date > TIMESTAMP('2012-10-01', 'yyyy-MM-dd')
GROUP BY cs-uri-stem


Windows PowerShell treats IIS as a drive (WebAdministration module).

Import-Module WebAdministration
cd IIS:\
dir
cd .\AppPools
cd ..
cd Sites

New-Item IIS:\Sites\site3.com `
  -bindings @{protocol="http";bindingInformation="*:80:site3.com"} `
  -physicalPath C:\inetpub\site3.com

New-ItemProperty IIS:\Sites\site3.com `
  -name bindings `
  -value @{protocol="http";bindingInformation="*:80:www.site3.com"}

Web Deployment Tool 2.1

Sync a whole web server to another machine. Run it with -whatif first to see what would change; the -presync command stops the application pool before copying.

msdeploy -verb:sync ^
  -source:webServer ^
  -dest:webServer,computerName=xyz,username=rst,password=abc ^
  -whatif ^
  -presync:runcommand="%windir%\system32\inetsrv\appcmd stop apppool site2.com"

The password is visible in the command line and in the shell history, so do not leave it in scripts.

Export one site to a folder:

msdeploy -verb:sync ^
  -source:iisApp=site2.com ^
  -dest:archiveDir=c:\temp

Run Visual Studio as administrator, then right-click the project - Publish - Web Deploy.

4. IIS Extensions

http://iis.net - download
Media Services
URL Rewrite
You can define user-friendly URLs and map them to the old URLs.
You can also redirect, return a custom response, ...

5. IIS Express

My Documents\IISExpress\Logs
MMC - add the Certificates snap-in - Computer Account - Personal\Certificates - copy the IIS Express certificate to Trusted Root Certification Authorities

6. IIS8 for 2012

Choose on which set of servers you want to install it (so you can install on all your servers at the same time).

Application Initialization (app warm-up)
IIS performs the first request for you.
Application Pool - Advanced Settings - Start Mode - AlwaysRunning
Site - Advanced Settings - Preload Enabled - True

<applicationInitialization remapManagedRequestsTo="startup.htm" skipManagedModules="true">
    <add initializationPage="/default.aspx"/>
</applicationInitialization>

SNI - Server Name Indication
Allows multiple SSL certificates on one IP address.
Not supported in Internet Explorer on Windows XP!

SSL management: Centralized Certificates for web farms with lots of certificates.
CPU ThrottleUnderLoad: limits the pool to the given percentage only when other pools also need CPU; otherwise it may use the maximum available.
WebSocket support by adding the WebSocket Protocol feature.

Configuration of pools and asp.net 

Categories: .Net IIS

.Net 4 repair

  • winver.exe (check the installed Windows version first)
  • %windir%\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /repair /x86 /x64 /ia64 /parameterfolder Client /norestart
  • %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i

Setting up permissions and pools in IIS (e.g. mojoPortal)

  • Create a new Web Site in IIS and name it mojoportal; leave the IP address as "All Unassigned" but add the host name "mojoportal".
  • Point the web site root to the mojoportal folder and choose a .NET 4 Integrated application pool.
  • Make a note of the user that is the identity of the application pool.
  • In Windows Explorer, right-click the mojoportal folder and choose Properties; on the Security tab click Edit..., then Add..., then Advanced..., then Find Now.
  • Select the user that is the identity of the application pool, click OK, give that user Read permissions here and click OK.
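The same steps as a script, added here as an example (not from the post): it creates the pool and site, resolves the pool identity, and grants it read and execute only. It assumes the WebAdministration module, a placeholder folder path, and that the pool runs as the default ApplicationPoolIdentity or a named account:

```powershell
# Added example: the mojoPortal setup steps above in PowerShell.
# Assumes IIS 7.5+ with the WebAdministration module; $root is a placeholder path.
Import-Module WebAdministration

$name = 'mojoportal'
$root = 'C:\inetpub\mojoportal'    # placeholder: folder that holds the mojoPortal files

# Dedicated .NET 4 Integrated pool: one site per pool keeps sites isolated from each other.
if (-not (Test-Path "IIS:\AppPools\$name")) {
    New-WebAppPool -Name $name | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$name" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty "IIS:\AppPools\$name" -Name managedPipelineMode   -Value 'Integrated'

# Site on All Unassigned IPs, port 80, host name 'mojoportal', in that pool.
if (-not (Test-Path "IIS:\Sites\$name")) {
    New-Website -Name $name -PhysicalPath $root -ApplicationPool $name `
                -IPAddress '*' -Port 80 -HostHeader $name | Out-Null
}

# The "user that is the identity on the application pool": with ApplicationPoolIdentity the
# worker process runs as the virtual account 'IIS AppPool\<poolname>' (the one Find Now shows).
$processModel = (Get-Item "IIS:\AppPools\$name").processModel
$account = if ($processModel.identityType -eq 'ApplicationPoolIdentity') { "IIS AppPool\$name" }
           else { $processModel.userName }

# Read & execute only, inherited by files and subfolders; the pool identity should not be
# able to rewrite the site's own code or web.config.
& icacls $root /grant "${account}:(OI)(CI)RX"

# Verify that the ACE is present on the folder.
& icacls $root | Select-String -Pattern ([regex]::Escape($account))
```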