Archive for the ‘IIS’ Category

When attempting to start sites in IIS the following error was thrown:

Full error from EventID: 15005

Unable to bind to the underlying transport for [::]:80. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.

First check to see what is listening on port 80. Open a command prompt and enter the following command:
netstat -ano | find ":80"

In this case process ID 4228 was listening on port 80. To check what this process is, open Task Manager and locate that PID. (Note: you may need to select View -> Select columns -> PID first.)

It turns out a developer installed Apache, which was listening on port 80 and causing a conflict. To resolve the conflict, change one service to run on a different port or uninstall the unnecessary web server.
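The lookup above can be done in one pass from PowerShell. This is an added example, not part of the original post: it matches the local port exactly (the `find ":80"` filter also matches `:8080` and remote endpoints on port 80) and resolves each PID to a process name. The function name `Get-PortListener` is hypothetical, and the state text `LISTENING` assumes an English-language Windows install.

```powershell
# Added example: list the processes holding a listening TCP socket on one port.
function Get-PortListener {
    param([int]$Port = 80)

    foreach ($line in (netstat -ano)) {
        # netstat columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = -split "$line"
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }

        # Take the text after the last ':' so "[::]:80" and "0.0.0.0:80" both work.
        $localPort = [int]($f[1] -replace '^.*:', '')
        if ($localPort -ne $Port) { continue }

        $procId = [int]$f[4]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name   = if ($proc) { $proc.ProcessName } else { '<exited>' }

        # PID 4 is the System process: the listener belongs to HTTP.sys
        # (the kernel driver IIS uses), not to a user-mode web server.
        $owner = if ($procId -eq 4) { 'HTTP.sys (IIS or another HTTP API client)' } else { $name }

        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            PID          = $procId
            Process      = $name
            Owner        = $owner
        }
    }
}

Get-PortListener -Port 80 | Format-Table LocalAddress, PID, Process, Owner -AutoSize
```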

While trying to work with Microsoft Word on a server through .NET the following error was thrown:

Retrieving the COM class factory for component with CLSID {000209FF-0000-0000-C000-000000000046} failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).

To resolve this you will need to grant COM permissions to the user running the application pool.

1. Open up Component Services (Start -> Run -> dcomcnfg)
2. Expand Component Services -> Computers
3. Right click My Computer -> Properties

4. On the COM Security tab click Edit Default under the “Launch and Activation Permissions” section

5. Add the IIS_IUSRS group and check allow next to Local Launch and Local Activation

When trying to use Performance counters with WCAT testing I was getting this error on the final report:

An error occured collecting server information data. Check that WMI is available.

Looking back at the command prompt on the controller I also saw this:

ERROR:Unknown error -1073738789 (c0000bdb)

Wireshark and Procmon did not really indicate any problems. In my situation I was logged into the WCAT controller as a domain user which did not have administrative access on the web server I was trying to start the Perfmon counters on.

After adding this domain user to the administrative users group on the web server, the WCAT test successfully collected the Performance counters specified in my settings.ubr file.

I received this error when trying to complete a certificate request in IIS:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

This turned out to be a permissions issue with the following folder:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Ensure that the “Administrators” group has full control and the “Everyone” group has the following permissions on this folder only:
List folder / read data
Read attributes
Read extended attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Read permissions
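To check the folder against the permissions listed above without clicking through the Security dialog, the ACL can be read with Get-Acl. This is an added example, not part of the original post: the function name `Test-MachineKeysAcl` is hypothetical, and the well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-544 (Administrators) are used so the check does not depend on localized group names.

```powershell
# Added example: audit the MachineKeys ACL against the permissions in the post.
$Path = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'   # path from the post
$Fsr  = [System.Security.AccessControl.FileSystemRights]

# The eight rights listed for Everyone are exactly the Read and Write sets combined.
$Expected    = [int]$Fsr::Read -bor [int]$Fsr::Write
$Synchronize = [int]$Fsr::Synchronize     # bit Windows adds implicitly to most ACEs
$FullControl = [int]$Fsr::FullControl

function Test-MachineKeysAcl {
    param([string]$Folder = $Path)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $rules    = (Get-Acl -LiteralPath $Folder).GetAccessRules($true, $true, $sidType)
    $findings = @()
    $adminsOk = $false
    $granted  = 0        # union of everything Everyone is allowed on the folder

    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$r.FileSystemRights

        switch ($r.IdentityReference.Value) {
            'S-1-5-32-544' {      # BUILTIN\Administrators
                if (($rights -band $FullControl) -eq $FullControl) { $adminsOk = $true }
            }
            'S-1-1-0' {           # Everyone
                $granted = $granted -bor $rights
                # "This folder only" means the ACE must not flow to the key files.
                if ($r.InheritanceFlags -ne 'None') {
                    $findings += "Everyone ACE applies to child objects: $($r.InheritanceFlags)"
                }
            }
        }
    }

    $extra   = ($granted -band (-bnot $Synchronize)) -band (-bnot $Expected)
    $missing = $Expected -band (-bnot $granted)
    if ($extra   -ne 0) { $findings += "Everyone has extra rights: $([System.Security.AccessControl.FileSystemRights]$extra)" }
    if ($missing -ne 0) { $findings += "Everyone is missing rights: $([System.Security.AccessControl.FileSystemRights]$missing)" }
    if (-not $adminsOk) { $findings += 'Administrators does not have Full control' }

    if ($findings.Count -eq 0) { 'OK: ACL matches the permissions described' } else { $findings }
}

Test-MachineKeysAcl
```

A "missing rights" finding corresponds to the access-denied failure described above; an "extra rights" or "applies to child objects" finding means the folder is more permissive than the post recommends.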

First create a new Windows user which will have access to the directory. If this user already exists, skip to step #5.

1. Open Server Manager by clicking Start -> Administrative Tools -> Server Manager

2. Expand Configuration -> Local Users and Groups

3. Right click Users and select New User.

4. Enter the desired user name and password. Make sure to uncheck “User must change password at next logon” and check both options for “User cannot change password” and “Password never expires”.

5. Open IIS Manager by clicking Start -> Administrative Tools -> Internet Information Services (IIS) Manager

6. Expand the server name in IIS then Sites. Expand the site in question and select the directory you are looking to secure.

7. Double click “Authentication” under the IIS heading on the right. If you do not see this, make sure “Features View” is selected at the bottom of IIS.

8. Right click “Anonymous Authentication” and choose Disable.

9. Right click on “Windows Authentication” and choose Enable.

By default the new user we created will be a member of the “Users” group and this group has access to the directory we are securing. However if you want to limit this access to a select user(s) instead of all users on your server, follow the extra steps below.

1. Right click the directory again on the left side of IIS and choose Edit Permissions.

2. Click the Security tab and then click Advanced.

3. Click Change Permissions

4. Select the Users group and choose Remove

5. Click Add -> Advanced -> Find Now to browse for the new user

6. Click OK until all dialogue boxes are closed

By default IIS will listen for connections on port 80 for any IP bound to the server. This happens even if there are no host headers or bindings set for a specific IP. This can be a problem when trying to run multiple web servers on port 80.

To set IIS to listen on specific IPs follow the instructions below.

Windows Server 2003/IIS 6:

1. This requires the Server 2003 support tools. If they are not already installed, they can be downloaded here.

2. Once installed open a command prompt and navigate to the support tools installation folder (default is C:\Program Files\Support Tools).
cd C:\Program Files\Support Tools

3. Stop http.
net stop http /y

4. Use this command to display the current list of IPs:
httpcfg query iplisten

5. By default it will listen on all IPs (0.0.0.0) so we can remove this.
httpcfg delete iplisten -i 0.0.0.0

6. Specify the IP(s) that IIS should listen on. Make sure to update 127.0.0.1 to the desired IP and run the command for each IP IIS should listen on.
httpcfg set iplisten -i 127.0.0.1

7. Start http and test out your sites.
net start http

Windows Server 2008/IIS 7:

1. Open a command prompt and type “netsh”.
netsh

2. Type “http”.
http

3. Enter the following command to display the current list of IPs to listen on. Note if no IPs are displayed like in the below image, IIS will listen on all IPs (default).
show iplisten

4. Use the command below to set IIS to listen on a specific IP. Make sure to replace 127.0.0.1 with the correct IP and run the command again for any additional addresses.
add iplisten ipaddress=127.0.0.1

5. In case you need to delete an IP from this list, use the following command.
delete iplisten ipaddress=127.0.0.1

6. Restart IIS to apply these changes.
iisreset
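An address left in this list after the interface it belonged to has been removed or re-addressed is what the Event ID 15005 message quoted earlier on this page refers to. The following added example (not part of the original post) compares the listen list with the addresses actually assigned to the machine. The function names are hypothetical, and the parser assumes `netsh http show iplisten` prints each address alone on its own line.

```powershell
# Added example: flag IP listen-list entries that no local interface owns.
function Get-IpListenEntry {
    foreach ($line in (netsh http show iplisten)) {
        $text = "$line".Trim()
        $ip   = $null
        # Keep only lines that are a bare IPv4/IPv6 literal (skips headers and rulers).
        if ($text -match '^[0-9A-Fa-f:.]+$' -and $text -match '[.:]' -and
            [System.Net.IPAddress]::TryParse($text, [ref]$ip)) {
            $ip
        }
    }
}

function Get-AddressKey([System.Net.IPAddress]$Ip) {
    # Compare by raw bytes so an IPv6 scope ID (fe80::1%12) does not cause a mismatch.
    [BitConverter]::ToString($Ip.GetAddressBytes())
}

function Test-IpListenList {
    # Collect every unicast address currently assigned to any interface.
    $local = @{}
    [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        ForEach-Object { $local[(Get-AddressKey $_.Address)] = $true }

    $entries = @(Get-IpListenEntry)
    if ($entries.Count -eq 0) {
        'Listen list is empty: HTTP.sys listens on all IPs (default).'
        return
    }

    foreach ($ip in $entries) {
        # 0.0.0.0 and :: are wildcards and never correspond to one interface.
        $wildcard = $ip.Equals([System.Net.IPAddress]::Any) -or
                    $ip.Equals([System.Net.IPAddress]::IPv6Any)
        $known  = $wildcard -or $local.ContainsKey((Get-AddressKey $ip))
        $status = if ($known) { 'assigned' } else { 'NOT ASSIGNED to any interface' }
        New-Object PSObject -Property @{ Address = $ip.ToString(); Status = $status }
    }
}

Test-IpListenList | Format-Table Address, Status -AutoSize
```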

There is often a need to determine which application pool a w3wp.exe process is responsible for. There are separate commands for determining this depending on the version of IIS.

IIS 6:
When running IIS 6 the following command can be used in a command prompt:

iisapp

Example output:

This process ID will match what is displayed on the Task Manager.

IIS 7:
The iisapp command will not work on IIS 7; however, Microsoft provides an equivalent command:


%windir%\system32\inetsrv\appcmd.exe list wp

Example output:

This article assumes you have already installed the HTTP Redirection role. If this has not been installed follow the instructions listed here first:
Install HTTP Redirection in IIS 7

*Note: IIS creates a new web.config file or edits an existing one when a redirect is added. To avoid causing issues with an existing web.config file it is recommended to create a new site in IIS specifically for the redirect. Then the home directory for this new site can be pointed to an empty folder.

1. Open IIS and select the desired site.

2. Double click “HTTP Redirect” under the “IIS” heading.

3. Check the box next to “Redirect requests to this destination:” and enter the desired URL to redirect to.

4. Check the box next to “Redirect all requests to exact destination”

5. Choose the desired status code for the redirect. Most users choose the “Permanent (301)” as it will tell browsers the location has permanently changed. If this is something temporary like a maintenance page, select either of the other two options instead.

6. Click “Apply” under the Actions heading on the right hand side and test the new redirect.

It is possible to restrict access to a specific site in IIS 7 by IP address or domain. This article will cover installing the necessary role and adding allow/deny rules.

First the “IP and Domain Restrictions” Role will need to be installed:

1. Click Start -> Administrative Tools -> Server Manager

2. Expand Roles -> Add Role Services under Web Server (IIS)

3. Check the box next to IP and Domain Restrictions under the Security heading

4. Click Next -> Install

Now the restrictions can be set up through IIS:
1. Open IIS and select the site you wish to restrict

2. Under the Features View click IP Address and Domain Restrictions

3. Click Add Allow Entry and enter the IP or range you want to allow access from

4. In order to deny all other addresses click Edit Feature Settings under Actions

5. Set Access for unspecified clients to Deny -> OK

I came across the following error after migrating IIS information between two servers. It turns out the old one was using IIS 7, while the new server had IIS 7.5:

===================================
IISMANAGER_ERROR_LOADING_PROVIDER_TYPE

IIS Manager could not load type ‘Microsoft.Web.Management.Iis.Rewrite.RewriteModuleProvider, Microsoft.Web.Management.Rewrite, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35’ for module provider ‘Rewrite’ that is declared in %windir%\system32\inetsrv\config\administration.config. Verify that the type is correct, and that the assembly that contains the module provider is in the Global Assembly Cache (GAC).
===================================

To clear this error and get sites working again in IIS I needed to edit the following file:

C:\Windows\System32\inetsrv\config\administration.config

Search for any instances of “7.0.0.0” and replace them with “7.5.0.0”. I had 49 occurrences of this but this was a new server so you may have even more. I recommend using an advanced text editor like Notepad++ so you can search and replace these instances quickly.

After the file is updated restart IIS and double check IIS/event viewer to be sure the error cleared.