Blog Archives

Could not load type System.ServiceModel.Activation.HttpModule’ from assembly ‘System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=

If you already have .Net 4.0 installed and install a program that brings in an earlier version of .Net, or manually install an earlier version of .Net afterwards, you may get an exception page that matches the title of this article.

This is a simple fix, outlined in detail in MSDN article referenced at the bottom.

Navigate to:

%windir%\Microsoft.NET\Framework\v4.0.30319

%windir%\Microsoft.NET\Framework64\v4.0.30319 (on a 64-bit computer)

Run:

aspnet_regiis.exe /iru

That’s it!

http://support.microsoft.com/kb/2015129

IIS6 Change Framework Version without restart of W3SVC service

browse to the location of the folder containing the version of asp_net regiis such as:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319

run aspnet_regiis -lk to get the virtual path you will need in the next command. to see which ID matches your website launch IIS manager and under websites you will see a column called “identifier”.

run the command:
aspnet_regiis.exe -norestart -s “W3SVC\1398789133″

done.

iis 6 redirect with querystring

Permanent site redirects using IIS are useful when moving a site to a new domain and also more search engine friendly than simply doing a javascript or server side redirect. These send a “301″ response status code

To do this in IIS 6, simply open the website properties in IIS 6, select “a redirection to a URL” and enter the URL.

(courtesy of R. prestol)
20130402httpredirect

To send querystring values along with your redirect, simply add “$Q” to the end of the URL, such as:


http://www.google.com/pagename/pagename/$Q

If you would like instructions on how to perform this via IIS 7, let me know and I can upload these screenshots as well.

References
http://en.wikipedia.org/wiki/HTTP_301

Create Custom and Self Signed SSL Certificate in IIS 6 (Windows Server 2003)

Single domain

Ex.
http://www.ronniediaz.com

Note: Foremost, in order to access your site over HTTPS, the HTTP SSL Service will need to be running. This service binds to port 443 and filters HTTP traffic to IIS.

Relatively easy to do in never versions of IIS , but a few more steps in previous.

First, download SSL Diagnostics from MS:
http://www.microsoft.com/download/en/details.aspx?amp;displaylang=en&id=674

Make sure if you are on 32bit you install the x86 version above or the x64 version if you are on 64 bit.

Once installed, open a cmd prompt.

cd C:\Program Files\IIS Resources\SSLDiag
ssldiag /selfssl /N:CN=(certname.com) /V:365 /S:(ID)

This will create a self signed cert with (certname.com) which is good for 365 days. See link below for additional information on other parameters you may need to pass in such as site identifier and key length (default 1024).

If you try to test it right now, you will likely get a “Page Cannot Be Displayed”, “Cannot Find Server”, “Server Cannot be Found” or something to this effect. This is because the port 443 bindings are not yet in place.

To add the port 443 bindings to your site, run adsutil:

cscript.exe "C:\inetpub\AdminScripts\adsutil.vbs" set w3svc/(site id in iis)/SecureBindings ":443:sub.host.com"

To confirm the certificate was added, navigate to your site in IIS and go to:
(right click domain)->Properties->Directory Security->Secure Communications->View Certificate

Multi domain wildcard

Ex.
http://www.ronniediaz.com
test.ronniediaz.com
blog.ronniediaz.com

Configuring the wildcard certificate, is essentially the same as above, however simply use * for sub domain in your cert creation and binding, and export and add this cert to your other sub domains which will be using it.

Multi domain SAN or UCC

Ex.
http://www.ronniediaz.com
test.ronniediaz.com
http://www.wordpress.com
ronniediaz.wordpress.com

Subject alternative name certificates a.k.a unified communications certificates can get very expensive when issued by third parties.. To create your own, there are three approaches to consider:

- Certificate Enrollment wizard with an enterprise CA (Using Advanced->Custom Request or New Request->Template)

- Certificate Enrollment wizard with a standalone CA

– Certreq.exe

For more information on configuring your own SAN cert, reference MS Kbase article http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx

OpenSSL/Linux

On Linux, the process is IMO a bit easier and simply requires openssl. Since this utility is also available for windows, this method can be used on IIS as well.
http://lanestechblog.blogspot.com/2009/04/creating-ssl-certificates-with-multiple.html

References
ServiceFirstSupport, http://www.servicefirstsupport.com/KB/a175/how-do-i-create-a-self-signed-ssl-certificate-in-iis-6.aspx
SAN Cert/Custom Request, http://techontip.wordpress.com/2011/06/06/how-to-create-a-san-certificate-signing-request-for-iis-web-server/
Page Cannot be Display, http://support.microsoft.com/?id=290391
Debug SSL Connectivity on Intermediary Device, http://support.microsoft.com/?id=290051
Cannot Find Server, http://support.microsoft.com/?id=292296
IIS forums, http://forums.iis.net/t/1147942.aspx
adsutil, http://support.microsoft.com/?id=290391
Server 03 pre SP1 HTTP 1.1 host headers bug with SSL, http://support.microsoft.com/kb/187504/EN-US
Configuring Host Headers (IIS6.0), http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
Configuring Server Bindings for SSL Host Headers, http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/8d9f2a8f-cd23-448c-b2c7-f4e87b9e2d2c.mspx?mfr=true
Obtaining/Installing Wildcard certificate (IIS6), http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true
SSL Host Headers in IIS 6, http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html
UCC Certificate Partners, http://support.microsoft.com/kb/929395
How to Create SAN Certificate for Web Server, http://techontip.wordpress.com/2011/06/06/how-to-create-a-san-certificate-signing-request-for-iis-web-server/
OpenSSL SAN Cert, http://lanestechblog.blogspot.com/2009/04/creating-ssl-certificates-with-multiple.html
How to Request a Certificate With a Custom Subject Alternative Name, http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx

IIS 7 Remote Administration Manager

At the time of writing this article, in the latest version of Windows (Vista,7 and Server 2008), IIS management has changed quite a bit.

IIS7 features some very cool remote management capabilities. In an environment where developers may need access to IIS, but not necessarily the server, or too many remote logins to the server fill up the TS licenses, using IIS remote management can save ALOT of your time and money.

Consider the following scenarios:

New site needs to be added to IIS or changes to existing site need to be made.

1) Developer does not have RDP access due to corporate security policies or may be outside consultant, etc and submits ticket/request for new site to be added
2) Count the time delay until ticket is responded, time to form responses and time spent on actual technical changes.
3) If details regarding site changes sent by developer are adequate, IT helpdesk applies the changes and notifies developer setup successful. If additional info is needed, helpdesk must request more information, then repeat steps 2-3 until complete.

Even if only 1% of all sites require follow up, and approximate ticket response and IIS configuration time is lets say 3-4 hours including delay until ticket is received; if you create 50 sites / annually this equates to 150-200 hours spent simply on site setup.

If your company outsources IT helpdesk, or response time is even slower, 12-24 hours, this is now 600-1200 hours of delay at the same rate of 50 sites / annually.

To save time (and money), consider cross-training developers that don’t know IIS, and setup remote administration in IIS7.

Note some Vista and Windows 7 installations do not come with the manager, and it will have to be downloaded from IIS.net.

For walkthroughs on this configuration and more information, see references below.

References:
TrainSignalTraining, “Remote Administration of IIS 7: Install, Configure, Connect”, http://www.trainsignaltraining.com/iis-7-remote-administration
IIS.Net, “IIS Manager for Remote Administration”, http://www.iis.net/download/IISManager

IIS Application Pool

A great many documents, blogs and references exist on IIS which cover it comprehensively. This article simply serves to discuss one aspect – the application pool.

When configuring IIS in an environment that will contain many websites, there are a few important considerations:

- Will each site potentially run different versions of .NET? Sites with different frameworks should not share the same app pool. This will cause a conflict and they will not be functional.

- Is it a large web application that requires many resources? If yes, you may also want to consider creating it’s own app pool, which allows you to manage detailed information regarding how the server prioritizes the site.

Recycling

The first tab for the app pool properties displays information regarding memory resource usage. If you have multiple sites on a server which are hit very often and would like to force the amount of memory each one uses, you can create an app pool for each and manage it here.

Or if it will be split evenly among various sites, you can create “groups” of app pools with assigned memory and IIS will allocate among children accordingly.

You can also force the worker process to automatically free up memory after specified interval and/or at different times of the day.

Recycling

Recycling

Performance
The performance tab allows for CPU resource management. Certain sites may have functions that, left unchecked or still under development, can cause excessive CPU load and affect other processes running on the same server.

Max CPU usage can be assigned here setup in conjunction with events to trigger when these scenarios occur.

A remote exploit or overflow attempt of your server can also be secured here by limiting the maximum number of kernel requests.

Idle timeout can help free up CPU for a site that is not very active. Legacy sites or informational areas which are rarely visited are still using a fraction of the CPU usage, and setting an idle timeout can help release some of those resources.

Performance

Performance

Health
The health tab can help you diagnose potential issues with your site or application. By forcing certain restrictions such as maximum failures and/or maximum failures within a specific time period, as well as enabling pinging, you can check for periods of down time or help identify timeout issues a specific web service may be experiencing.

This tab works well in conjunction with third party testing tools used to benchmark and stress test your site, application or service.

Health

Health

Identity
Depending on the size and nature of your infrastructure, you may want to configure certain application pools to run under different credentials. For highly security conscious people this can theoretically reduce the likelihood of certain privilege escalation techniques that may be executed in the event of a remote application pool exploit.

Identity

Identity

Hope the above information was helpful. This was a condensed version based on a similar article I read on Windows Networking. See reference below for full article.

References
WindowsNetworking, http://www.windowsnetworking.com/articles_tutorials/Working-Application-Pools-Internet-Information-Server.html

Follow

Get every new post delivered to your Inbox.