IIS Informant - 07 Feb 2000

Do you have questions on the IIS resource kit's createuser.vbs example script? Do you know how to identify IP addresses for users accessing your site? Get answers to these and other questions in this month's IIS Informant.

Brett Hill

February 7, 2000


I installed the Microsoft Windows Internet Information Server Resource Kit and have been trying to use the createuser.vbs example script. When I try to run the script, I receive a message that IIS can't connect to the domain. The same result occurs even when I specify localhost as the domain. After that, I receive several other error messages. Do you have any suggestions?

After installing the resource kit, you'll find createuser.vbs and many other useful examples of Microsoft Active Directory Services Interfaces (ADSI) scripting under Resource Kit, Utilities, ADSI Admin Scripts, Explore. ADSI scripts are a great resource for automating repetitive administrative tasks. You can use ADSI to create groups, Web sites, virtual directories, and users, and change account policies. The error you're reporting happens when you haven't installed ADSI but are trying to create an object that requires it. To enable ADSI capability, download the latest version at http://www.microsoft.com/ntworkstation/downloads/other/adsi25.asp. Windows 2000 (Win2K) doesn't require this download because Win2K includes ADSI. In addition, check out the good introduction to ADSI at http://www.microsoft.com/technet/iis/technote/adsi1.asp.

The additional messages you're reporting aren't error messages but reports on the status of errors. The example scripts in the resource kit aren't as user-friendly or as fully developed as other Microsoft products; they serve more as examples than as finished products ready for use. The additional messages appear even if the script is working fine. The confusion arises because each message says Error code: xx, where xx is the error number being reported. If that error number is 0, as Screen 1 shows, then no error exists at all. Confusing, but at least informative.

Users can access our IIS server from the Internet and as part of our corporate intranet. I'd like to find a way to disable links when a user accesses the site from our LAN. How can I identify the IP addresses of users accessing our site?

The Active Server Pages (ASP) scripting engine that IIS contains makes it easy to get information about the users connecting to the IIS server. ASP's object model includes the Request object. One of the object's features is the Server Variables collection. The Server Variables collection is a store of information about the contents of a user's HTTP header when that user submits a Web-page request to the server.

You might think that the Server Variables collection contains information about the server instead of the user, so looking for user information in the Server Variables collection would be a redirection. The reason for this redirection is that the IIS server is the entity that receives and processes the user's HTTP request from that user's Web browser. This request contains the HTTP header, which is necessary for establishing a session and requesting information from the IIS server. Various bits of information about the user's environment—including the IP address of the machine making the request—also exist in this header.

To answer your question, you can use ASP to obtain the IP address by querying the value of REMOTE_ADDR as follows:

User's IP Address is : <%= Request.ServerVariables("REMOTE_ADDR")%>

If you put this line in an .asp file and load it with your browser, it will show the IP address you're using to access the Web server. To take an action based on the IP address, you need to assign the IP address to a variable, evaluate that variable, and provide links based on the results according to your business needs. In metacode form, the line looks something like this:

VarUserIP = Request.ServerVariables("REMOTE_ADDR")
If VarUserIP is local Then
   Do something
Else
   Do something else
End If

The exact code required to determine whether the user's IP address is local depends on the specifics of your network. The key, however, is that you can use standard ASP to obtain the user's IP address by querying the Server Variables collection.
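One way to fill in the "is local" test from the metacode above, as an added example rather than code from the original column. It assumes the LAN uses the private ranges listed in LAN_RANGES and that the VBScript 5.5 RegExp object is installed; the function names and the /partners/ link are hypothetical.

```vbscript
<%
Option Explicit
' Added example. Assumption: these CIDR blocks stand in for "our LAN".
Const LAN_RANGES = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

' Convert dotted-quad text to a Double; return -1 when it is not valid IPv4.
Function IpToNumber(addr)
    Dim re, m, i, octet, n
    IpToNumber = -1
    Set re = New RegExp
    re.Pattern = "^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$"
    Set m = re.Execute(Trim(addr & ""))
    If m.Count = 0 Then Exit Function
    n = CDbl(0)                          ' Double avoids 32-bit Long overflow
    For i = 0 To 3
        octet = CLng(m(0).SubMatches(i))
        If octet > 255 Then Exit Function
        n = n * 256 + octet
    Next
    IpToNumber = n
End Function

' True when addr lies inside any block of the space-separated CIDR list.
Function IsLocalAddress(addr, ranges)
    Dim ip, block, pieces, netStart, netSize
    IsLocalAddress = False
    ip = IpToNumber(addr)
    If ip < 0 Then Exit Function         ' unparsable input is never "local"
    For Each block In Split(ranges, " ")
        pieces = Split(block, "/")
        netStart = IpToNumber(pieces(0))
        netSize = 2 ^ (32 - CLng(pieces(1)))   ' addresses in the block
        If netStart >= 0 And ip >= netStart And ip < netStart + netSize Then
            IsLocalAddress = True
            Exit Function
        End If
    Next
End Function

Dim VarUserIP
VarUserIP = Request.ServerVariables("REMOTE_ADDR")
%>
<p>Your address: <%= Server.HTMLEncode(VarUserIP) %></p>
<% If IsLocalAddress(VarUserIP, LAN_RANGES) Then %>
<p>Partner extranet (link disabled on the LAN)</p>
<% Else %>
<p><a href="/partners/">Partner extranet</a></p>
<% End If %>
```

REMOTE_ADDR is the address of whatever host opened the connection to IIS, so LAN users who arrive through a proxy or NAT gateway appear as that device. Hiding a link this way changes only what the page shows and does not restrict access to the target URL.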

The Server Variables collection is quite rich with data, so you can gather more information than merely the user's IP address. Here's a partial list of other data available from the Server Variables collection:

  • HTTP_USER_AGENT—The user's browser (This value has obvious uses for directing users to pages better suited to the capabilities of Netscape or Microsoft Internet Explorer—IE. For example, Netscape doesn't support Windows NT 4.0 Challenge/Response logon authentication.)

  • HTTP_REFERER—The URL of the page containing the link the user clicked to get this page

  • QUERY_STRING—Everything following the question mark (?) in a URL

  • LAST_MODIFIED—The last edit of the document (You can use this value to force a reload or redirect.)

  • DOCUMENT—The name of the current document

  • LOGON_USER—The user's NT account (You can use this value to resolve logon or authentication problems.)

  • REMOTE_HOST—The remote hostname of the client

  • URL—The URL of the current page (Use this value when you aren't sure which page the script will execute from because of the use of include files, redirects, and so on.)

I've set up a demonstration of the values that you can extract with this feature at http://www.techmesa.com/demos.

To find out more about ASP, check out the many Wrox publications at http://wrox.com/consumer/store/listtitles.asp?by=105&category.asp. Wrox has books for beginners as well as professionals on just about every aspect of ASP. I highly recommend these books for anyone trying to learn ASP or polish his or her skills.

I want to upload files from a client based on the contents of an .asp form that the client completes. How can I start an FTP session from within IIS and upload the designated files? I don't know whether the client is using Netscape or IE, so the session can't be browser dependent.

From within IIS, you can upload files in several ways. You might want to consider alternatives to using FTP-style communications because some of the limits FTP imposes can be burdensome—for example, lack of programmability, no simple way to ensure secure communications (i.e., no Secure Sockets Layer—SSL—support), and no support for restarts in IIS 4.0 (however, IIS 5.0 supports restarts). Many IIS administrators and developers use ASP to upload files to their sites.

Several commercially available components can achieve such uploads. Check out the Web sites below for installable objects that let you upload files from an .asp script and perform other useful functions:

  • http://www.softartisans.com

  • http://www.persits.com

Another method you can use to upload files is through Microsoft Posting Acceptor. Posting Acceptor is part of Site Server Express, which exists on the NT 4.0 Option Pack CD. Posting Acceptor works in conjunction with the Web Publishing Wizard, which is also part of the Option Pack, or you can call the program directly from ASP as detailed in the Microsoft article "Uploading Files: The Posting Acceptor, Part 1" at http://msdn.microsoft.com/workshop/server/asp/server052499.asp.

You can download Posting Acceptor as a part of Site Server Express 3.0 at http://www.microsoft.com/ntserver/nts/downloads/management/siteserver/default.asp. The program also comes with Visual Studio (VS), Visual J++ (VJ++) Enterprise Edition, Visual InterDev, and Visual Basic (VB) Enterprise Edition.

Our IIS site is mission critical and must be up 24 X 7. The problem is that at times, IIS seems to simply stop. No entries exist in the event log, and IIS requires a reboot. How can we set an alert to tell us when the site is down?

Occasionally, an exception occurs inside the IIS process. Sometimes IIS returns an error, and sometimes it doesn't (depending on the specific circumstances), which makes this problem as challenging to debug as it is frustrating.

IIS can stop and leave no clues about what is going on. Several systems administrators have found that cleaning up their ASP code to release all objects and connections, and generally tightening up the code, goes a long way toward helping. Others have found that applying various updates, such as adding RAM or reducing the use of ASP session variables, has helped. Nevertheless, on a mission-critical server, you have to know when the site is down. If your clients or customers are the means by which you discover a down server, you need to beef up your front-line monitoring services.

One solution that works for some installations is to simply restart the Web server every night. Microsoft also has a script called restart.bat that you can find at http://support.microsoft.com/support/kb/articles/q194/9/16.asp. You can schedule restart.bat to run early in the morning.

To find out whether the server is running, you can get an inexpensive but reasonably well-featured solution at http://www.woodstone.nu/salive, where you can find Servers Alive. This program can monitor NT local or remote servers, monitor server services, ping Winsock services, send alerts by email or dial a pager to send a message, and perform many other tasks. Servers Alive is free for up to 10 monitored services, and for $69 you can monitor up to 1000 services.

For a more comprehensive solution, check out http://www.netiq.com for NetIQ's AppManager line. NetIQ produces a series of products, several of which specifically target monitoring and administering IIS, Microsoft Proxy Server, and Site Server. AppManager goes beyond reporting whether the services are running: it provides performance statistics, checks for unauthorized access, and looks for log entries regarding system problems.

When I asked other systems administrators which products they use to monitor their sites, they regularly mentioned MediaHouse's Enterprise Monitor. Enterprise Monitor appears to be decently priced and full featured. Check it out at http://www.mediahouse.com.

In addition to installable software, you can find services on the Web that monitor your site remotely and alert you when it's inaccessible. You can find such services at http://www.indcorp.com/guardian and http://www.netmechanic.com.

These services can be valuable tools because they run from outside your system and therefore more closely resemble the typical user's experience. Some services go beyond simple availability and offer throughput analysis for checking how many pages your server can serve at what times of day. Some services provide transaction-based reports. In mission-critical situations, you might want to contract with multiple monitoring services in case one of them is down. Don't construe these suggestions as endorsements but rather as examples of tools that are available. Many companies offer products and services similar to those I mentioned, so shop around.

Of course, what you really want to do is to solve the problem of IIS stopping without warning. Toward that end, IIS Exception Monitor can be helpful.

IIS Exception Monitor is a free utility that can peer into the IIS process and report on the .dll file that is executing when an error occurs. IIS Exception Monitor is best used on a test machine rather than on an online production server. The utility has the added capability of being accessible remotely by Microsoft in the event that the reports from the analysis are a bit cryptic.

For more information about IIS Exception Monitor, see Ken Spencer, "IIS Exception Monitor" (November 1999). To read an introduction to and download IIS Exception Monitor, go to http://www.microsoft.com/technet/iis/tools/ixcptmon.asp.

We installed a Microsoft COM object that requires access to the HKEY_LOCAL_MACHINE/SOFTWARE Registry key. When we run the object from IIS, the Registry access fails but the object works fine in VB. Do we need to fix some setting to make this object work?

Many IIS administrators don't realize that you can set permissions to Registry keys just like you set NTFS permissions. The permissions for Registry keys are significantly different from NTFS permissions, but the same principle applies to both.

Before you set the permissions, first back up your Registry. Use Regback (from the Microsoft Windows NT Server 4.0 Resource Kit) or at least Rdisk /s. Then, open regedt32 and browse to the HKEY_LOCAL_MACHINE\SOFTWARE key. Screen 2 shows the default permissions for this key. Note that Everyone has Special Access permission. If you double-click Everyone, you'll find that Everyone has almost full control because it has all but three Registry permissions. On many Web servers, administrators tighten access to certain Registry entries. In doing so, if they remove the Everyone group and their anonymous Web users require access to the key, they must assign permissions to the IUSR_computername account explicitly or to a group that has the IUSR account as a member (e.g., Guests). Note that the IUSR account isn't a member of Users, but it needs to be a member. You might also need to provide access to the IWAM_computername account if you run your applications out of process.

While we're on the subject of Registry security, be sure to secure your IIS server with the many Registry updates currently available. These updates include keys that can disable calling the shell (which can provide the ability to run commands from within IIS), place restrictions on remote Registry access, and tighten security on the Run and RunOnce keys. For more information about Registry security, see http://www.microsoft.com/security/products/iis/checklist.asp.
