Chris May

Have you ever come across this error message?

403.6
Forbidden IP address of the client has been rejected

If you are using Small Business Server you might come into this quite fast as by default it will lock down IIS to keep machines who are not on the same subnet from accessing the web server.

This means if you VPN in you can't browse the intranet site.  Oops, that's not good.

To fix this problem, you need to edit the website and iis application properties in IIS.  On the Directory Security tab edi the IP address and domain name restrictions.  Change the settings on there from "Deny" to "Grant" and you will be all set.

 

Recently I ran into a problem where browsing to a newly installed web app produced a bunch of javascript errors.  Stuff like: "'Type' is not defined" and "'Sys' is not defined".

After debugging it for a while, I found the problem to be that URLScan had been installed on the server (Windows 2000 Server), which was preventing any requests with dots in the folder name.

URL Scan is a tool that MS suggested everyone install a while back that acts to filter out many malicious attacks.

So, with the default settings any request for a file inside the scripts\System.Web.Extensions folder would be denied as a 404 b/c of URL Scan.

To fix this, you need to edit the UrlScan.ini file, located in %WINDIR%\System32\Inetsrv\URLscan.  Near the top of the file, change AllowDotInPath from 0 to 1.

The run iisreset to restart IIS and you should be ok!

More info on URLScan is available here:

http://support.microsoft.com/kb/326444

 

Here is a nice article on creating a test (bogus) SSL certificate for your local develoment machine.

ScottGu has a nice article on how to do something similar with IIS7, which is going to be the webserver on Vista machines.

Here are some nice step by step directions for getting HTTP Compression setup in IIS6.

They also link to a nice site that will do a compression test for you on the public side.

I was trying to test stuff that wasn't public, so I figured out how to test this with Fiddler.

Once you start a trace with fiddler, if you select a session, they will check a box next to the type of compression None/GZIP/Deflate, which was used.

 

A while ago, maybe 3 months, my blog stopped remembering my login.  When I login I can click to have it remember my login, and thus when I return to the site I don't have to login every time.

Well I finally arrived at the problem. 

In IIS settings for the website, under the ASP.NET tab, if you click the "Edit Configuration" button, and then the authentication tab, you have the option to set the expiration length for the cookie, which was set to 1 hour.

I changed it to a larger value, restarted the IIS processes, and it appears to be working great now!

This article talks about how requests are dealth with by IIS and ASP.NET, and how after requests are passed to ASP.NET, how they are handled internally by various httpHandlers.

IIS6 HTML Compression seems to be either unimpressive or mis-configured (by myself).

This is some documentation that I am going to need to look at...

This article from IISFaq basically explains a method for forcing HTTPS. You require IIS to use HTTPS, and then you put a redirect page in and assign that page to be the 403 default page. Article is here.

Just convert this into a BAT file:

cd program files
cd microsoft visual studio .net 2003
cd common7
cd tools
cd bin


makecert -r -pe -n "CN=users.walshgroup.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 usersCert.cer
echo finished



After you have the cer file, you need to do the following.

Export a Certificate and Public Key
Now that you have added the Certificates snap-in, you can export the key pair that your Web server is using (the certificate and public key). To do this, perform the following steps: Open the Certificates (Local Computer) snap-in you added in the last section, navigate to Personal, and then to Certificates.

You will see your Web server certificate denoted by the CN (Common Name) found in the Subject field of the certificate (using Internet Explorer 5.0, you can easily view the certificate to see the Common Name if you are unsure).

Right-click on the server certificate, select All Tasks, and then click Export.

When the wizard starts, click Next. Choose to export the private key, and then click Next. NOTE: If you export the certificate for use on an IIS Web server, do not select Require Strong Encryption. This option causes a password prompt every time an application attempts to access the private key, and causes IIS to fail.


The file format you will want to choose is the Personal Information Exchange (though you can select from several options). This will create a PFX file. Notice that you can export any certificates in the certification path by selecting the option on this screen. This is very handy if your certificate was issued by a non-trusted certificate authority (for example, Microsoft Certificate Server). Only choose delete the private key if the export is successful to be sure it is not left on the computer (for example if your migrating from one server to another).NOTE: If you do not select "Include all certificates in the certificate path if possible" and the issuer of the certificate is not trusted by your server, then you may notice that when the properties of the certificate are viewed, the "This certificate is issued to:" field may display "Windows does not have enough information about this certificate". This is by design and can be resolved by selecting "Include all certificates in the certificate path" while exporting the certificate.


The just import the file into IIS.



For more info, check out these urls http://www.inventec.ch/chdh/notes/14.htm and http://support.microsoft.com/default.aspx?scid=kb;EN-US;232136.

I have been using Weblog Expert Lite on my server. It's pretty nice, but it doesn't know that "aspx" is a "page" and so some of the stats arn't as interesting as they could be. I might buy the full version for 79 bucks or something, but there are some free alternatives such as http://awstats.sourceforge.net and http://www.analog.cx. Analog can work with this thing called Report Magic to make some nice reports, and it's written in C, while AWStats is done in Perl. I don't know if I want to install the Perl runtime on my machine.

Here are some tips from an IIS Admin on some stuff everyone running a live IIS box should do.