HOWTO: Pose Answerable Questions, My Top 10...

Today, I decided to do a sweep through my backlog of private blog comments which I have not yet composed a response to. There are about 120 comments going back six months in this state.

Honestly, it is getting progressively harder for me to blog regularly about topics that I am interested in, maintain a good, responsive loop on the blog feedback, and still answer all the questions via blog comments. So, I am going to start a new "rule" about the comments that I will actually respond to.

"You get what you put in."

To kickstart this effort, I will demonstrate some of the more amusing private blog comments that I unfortunately have to discard from my answer queue into oblivion. I simply do not have the bandwidth to hand-hold everyone without your help. Please see this blog entry for more details

The majority of readers that ask questions have done so very nicely with lots of details, and I thank you for your continued patience. You need only monitor the "Web Q&A" RSS feed and the answer will be showing up there at some point.

Now, onto my Top 10 Unanswerable Blog Comments...

#10

HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.

Internet Information Services (IIS)

On a virtual directory under a web site - When I uncheck Integrated Windows Authenticatinon, I get this error. I am on Windows 2003 IIS 6 withOUT windows 2003 SP1.

Any ideas?

Answer:

I suggest reading the following blog entry about 401.1:

https://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

I can only presume that when you say "I uncheck Integrated Windows Authentication" that you also meant that you have "Anonymous Aunthentication" enabled. But, you are asking a question, so please be clear about facts like this. Because if you had no other authentication protocols enabled, you should be getting 401.2, and I would start wondering if something else is wrong.

In any case, it sounds like you have the classic "Anonymous username/password is out of sync" issue, which usually happens on IIS5 to IIS6 upgrades and you turn off IIS Sub Authentication. Or you may have group policy applied to this machine that prevents the configured anonymous user from logging in. But the point is clear - IIS is always logging in some user identity to service the request, and the user identity depends on the authentication protocol selected. Thus, you need to be clear about which authentication protocol is in use, what user identity is being logged in, and then start troubleshooting there.

#9

Hi

I am trying to move two web applications from IIS 5 where they are working well, to Windows 2003 Server Standard SP1 and IIS 6. I have to do this from a hardware and software support standpoint, but I was expecting to get better performance (or a wrorse the same) as IIS 5. This is clearly not the case, it is noticeably slower even with only 1 user! The web applications uses ASP, .NET and CGI. Any idea why this would be?

Thanks

Answer:

You changed an entire OS as well as web server, so start regression testing to figure out what is going awry. I can tell you that at an absolute level, IIS6 is far superior to IIS5 in all respects, including performance and reliability, so you want to spend time to figure out what is going awry. Whether your particular application configuration is able to take advantage of IIS6 - that is totally up to you.

Based on the technology that you are using, I suspect your code is highly serialized and likely to contend over itself in the new IIS6 worker process isolation model (for example, ASP threading model changed from STA to MTA, which can have bad effects if you are using STA objects in Session state). I do not consider it a fault if IIS6 exposes a weakness in your code... it is merely a messenger identifying a problem that you can either solve or ignore at your own peril.

#8

Hi,

I am very new to this webfilter concept,i am having a dll with me , i want to register that to this ISA 2000 server ,so i have used the sample vbscript code given in the sdk help,but it wasn't properly registered when i tried the sample filter registeration its properly registered ,

So please help me to rectify the problem

Answer:

Sorry, but I am new to the ISA Web Filter concept as well, so I really cannot comment.

#7

I am trying to run an exe on the box with IIS 6.0 and I did carry out all the steps mentioned on this blog yet no improvements. Can someone please throw some light on this.

Answer:

If you just carried out the steps in my blog entry about how to enable .EXE download, then it will work. You probably carried out additional steps prior to trying out my steps, and I request that you revert those steps, whatever they are. Or read the following blog entries:

To run an EXE on IIS6, all you need to do are:

  1. Ensure that the directory allows "Scripts and Executables"
  2. The EXE is readable by the impersonated identity through authentication
  3. The EXE is enabled in Web Service Extension

I have seen people mistakenly add .EXE Application Mappings which basically foul everything up (it usually prevents .EXE from both executing and downloading), and that is not exactly my fault. :-)

#6

Hi David,

I have a Windows 2k server and I need to either create or resolve subdomains on the fly:

adam.msdn.com
david.msdn.com

In the past, I have used the 404 error page to do this, but the subdomain error doesn't resolve to the same place. Do you have any ideas?

Thanks,

Answer:

I have no idea how creating/resolving subdomains have anything to do with IIS or a 404 error page, nor what you mean by "the subdomain error doesn't resolve to the same place". Please clarify what exactly are you trying to accomplish, not how you think you want to do it.

#5

Dear David,

Hi, we are using Win2k3 Premium Server, with II6, MS SQL 2000 Standard Edition, before we install the Crystal Enterprise, the software software running very smooth; after we install it, everyday mininum hang twice, but MS SQL 2000 still working fine, i wondering is it IIS 6 which cause my software work? How to configure in order the system never down?

Thank you

Answer:

Ummm, let's think about it for a moment. Everything was working perfectly. Then you installed Crystal Enterprise and the server starts hanging. And you are wondering if it is IIS6 that is causing the problems?

Hello?!? Wake up... I have no idea how to get to that conclusion. :-)

Now, I have seen many people have problems with Crystal Enterprise software on IIS6, almost all of them due to various bugs in Crystal Enterprise because it just crashes and hangs the server if you leave it alone. Maybe you are in the same bucket as them. You can use debugging tools like IIS State or DebugDiag from Microsoft to determine that for yourself:

#4

I saw your name in a lot of places over ther web, so i presume that you know about IIS.

I´ll be very happy, if you could help me.

I can´t make my IIS work with site root path...why???? I made the Virtual Directory...

I am using XP Professional.

Please, i don´t know more what to do.

Thanks

Answer:

... I have absolutely nothing constructive to offer given your information. IIS on XP Pro just works after you install it; you do not need to make a virtual directory for anything - that is how our tests run and it works.

Now, you can start by describing what you mean by "I can't make my IIS work" - what errors/event log/IIS web log are you seeing? What configuration changes did you make and what effect are you expecting to see?

#3

On an upgraded installation of Windows 2003 Server, my IIS crashes on bootup over and over (I get a w3wp exception over and over, in a window on my desktop), until I view/visit a website hosted by the server. This makes no sense to me. I've tried removing PHP and Perl, and it doesn't fix the problem. I'm not running any other "add-ons", so I'm totally confused.

Maybe this new program will help me figure out the problem?

Answer:

I suggest that you first read this blog entry to understand and diagnose an Application Pool Crash.

Then, I suggest you follow the blog entry's suggestions and configure IIS State or DebugDiag to catch the crash. Making random configuration changes like what you are doing is definitely not the way to go.

Once you have a stack trace, then you can try to determine the cause of the crash... because until you determine the cause, it is really going to be confusing because bugs are not guaranteed to make sense...

#2

Hi,

I had an application running on IIS 5 and Tomcat 4.1.29 without any problems.

I have moved my application to IIS 6 and using the same Tomcat version, but I get an "HTTP/1.1 401 Unauthorized" error when connecting to some servlet. I know that there has been several enhancements in IIS 6 in terms of security, but I have tried different things to make it work as in IIS 5 but have not succeeded so far.

Any assistance will be much appreciated.

Answer:

You can start diagnosing this 401 by reading https://blogs.msdn.com/david.wang/archive/2005/07/14/HOWTO_Diagnose_IIS_401_Access_Denied.aspx

The key information you want to obtain from the IIS log file is whether IIS or the ISAPI Filter/Extension DLL of Tomcat redirector is causing the 401. If it is 401.1-401.3, then look at the IIS-related suggestions in the blog entry. If it is 401.4 or 401.5, then the error is coming from the Tomcat side of things.

For the most part, I do not think that IIS security enhancements are blocking you. 401.1 means that you misconfigured user login, and 401.3 means that you misconfigured user ACLs on files. Both are user misconfigurations...

#1

Hi I'm having problems with Virtual server and wondered if I could ask for your help?. I'm running VS2005 on windows 2003 but on a 2k native domain. It all installs ok but I cannot access the admin page unless I am a domain admin :o(. I've played around with delegation and still no joy. Any ideas?

Answer:

Whenever you mention domain membership, my first thought is to evaluate any Group Policy in effect that may adversely lockdown IIS and Virtual Server. Group Policy lockdown that the user is not aware of is probably the #1 randomization and detriment to server behavior that I see anywhere, bar none (well, the system administrators making the configuration changes come in a close second ;-) ).

By default, Virtual Server 2005 Administration website is only available to the local Administrators group on the machine that Virtual Server 2005 installed on. If you want other users/groups to be able to administer that Virtual Server 2005 installation, then you need to give them permissions. Delegation is not involved unless you are trying to store the Virtual Machine files on a remote UNC share (i.e. cover the double-hop scenario).

See the following blog entries for details:

It is definitely possible to configure non-admin users, either domain member or local user, to locally or remotely administer a Virtual Server 2005 machine.

Virtually Yours,

//David