What is Toluu?
Toluu is a free service for sharing the feeds you read and discovering new ones.		 Get Invite

Scott Forsyth's Blog

Postings on IIS, ASP.NET, SQL Server, Webfarms and general system admin.


Two computer guys and a treehouseYesterday

I don’t tend to blog too much about myself personally, but I thought I would break my mold and start off the new year with an exciting non-technical project I worked on over Christmas. This will hopefully kick off a year of more consistent blogging since I’ve been pretty quiet the last year.

Being from Canada (I’ve lived in the States for 5 years) my family is a long way away and is only able to visit every couple years. This year we planned a 2 week vacation. My parents came down from Northern Canada (in the Sub-Arctic) and my Sister and family came down from Eastern Canada.

My father’s thought of a great vacation is one where he works on a large unique project. I need to find something to build or do before he comes to visit. Note that he’s also in the computer industry, but \isn’t scared to take on any type of project. When we visited my sister’s family a few years ago, he rented a back-hoe, and we tore up her lawn and replaced the drainage along their house. When I visited my parents 2 years ago, he bought a cow, and we killed and butchered it. So, as you can guess, he was anxious for something along those lines. He suggested a treehouse, which we all thought would be very exciting, and we started looking at pictures online and dreaming up different ideas of what we would like. Of course, being the non-experts that we are, we dreamed really big, thinking it would be easily doable.

Well, to make a long story short, we had a great va

IIS, Windows Authentication and the Double Hop issueAugust 22 2008

In IIS, you run into an interesting situation when you need to access another resource off of the IIS server and certain fairly common situations occur.  When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and doesn't allow your site to access resources on any network servers.  This includes access to a UNC path directly from IIS or SQL Server using Windows authentication.

The reason is because of a 'double hop' that authentication is doing.  When you authenticate to the IIS server using Integrated Authentication, that uses up your first 'hop'.  When IIS tries to access a network device, that would be the double or second hop which is not allowed.  IIS cannot in turn pass on those credentials to the next network device, otherwise the developer or administrator could abuse your credentials and use them in ways that the site visitor didn't anticipate.

This doesn't occur with anonymous access or with impersonation off because in that case IIS takes care of authenticating you and then it uses a different user for local or network access.  This means that the app pool identity or anonymous user can make a network call as the first hop.

Anyway, I didn't mean to even write that much since the following blog post answers this well already, and includes the three most common solutions.  I wanted to blog this as a reference point for anyone running into this authentication issue, and so

Application Pool Recycles from IIS 7 Setting ChangesAugust 11 2008

I've written a couple times about what configuration changes cause AppDomain recycles.  Most recently how the ASP.NET tab causes a server-wide AppDomain recycle, and previously about changes in ASP.NET 2.0.

Here I'm going to cover things that, when done in IIS 7, will cause a full application pool recycle.  I obtained the following list from the Microsoft.com folk at Microsoft.  They worked with the IIS team during IIS 7 development to get a complete list of all settings which cause full app pool recycles.  What this means is that if you make changes to applicationHost.config that touches anything in the following list, the applicable application pool will be recycled.  If you change other settings to applicationHost.config, the app pools on the server will remain unaffected.

Note: It's important to realize that an application pool in IIS is different than an AppDomain in ASP.NET.  The previous blog posts were about AppDomain recycles, but this one is about application pool recycles. 

Windows Activation Process Service (WAS) recycles an application pool if you change the configuration of any of the following:

  • Restart parameters (for example, restart time, number of r
ASP.NET tab in IIS, more dangerous than it first appears!August 1 2008

This blog post was a long time coming and fortunately doesn't apply to IIS7, but I thought I would finally take a few minutes and cover this shortcoming with the ASPNET tab that ASP.NET 2.0 introduced into IIS 6 and IIS 5.

As I've covered in a previous post, only 1 version of ASP.NET can run at a time in each IIS Application Pool.  When you want to target a newer or older version of the ASP.NET framework for a particular site or application, you must update that website or application.

When ASP.NET 1.1 was released

When ASP.NET 1.1 was released, the common way to do this was to use aspnet_regiis.exe from the command line.  There was a serious shortcoming with that method though, as I detailed back in December of '03.  (That article and attached script is long overdue for a revision which I'll cover later in this blog post.)  The essence of what I said, and gave a sample script for, is that if you use aspnet_regiis.exe, it will cause an AppDomain recycle on ALL AppDomains on the server, even if you target a single site.  This means that on a production server, it is not safe to use aspnet_regiis outside of a scheduled maintenance window unless you don't mind the impact of an AppDomain recycle.  (f

Breaking changing in IIS 7.0 and ASP.NETJuly 11 2008

This quick post is for my own sake so I can find it again later. :-)  I refer to the following link often. 

Mike Volodarsky has put together a detailed list of breaking changes in IIS 7.0 and ASP.NET.  For the most part IIS 7 has great compatibility with IIS 6 apps.  The httpModules and httpHandlers section are two important web.config sections that need to be migrated from system.web to system.webServer in Integrated mode, but most other things will work without changes.

There are exceptions though, which his blog post details well: http://mvolo.com/blogs/serverside/archive/2007/12/08/IIS-7.0-Breaking-Changes-ASP.NET-2.0-applications-Integrated-mode.aspx

 

aggbug.aspx?PostID=6389565