Troubleshooting Internet Information Server 2.0

Microsoft troubleshooters answer frequently asked questions about the new Web server, IIS.


Are you one of the many people challenged with setting up a Web server? And do you plan to run Windows NT 4.0 Server on your network? If so, you need to know that Microsoft includes Internet Information Server (IIS) 2.0 with NT 4.0 Server and a peer version of IIS in NT 4.0 Workstation. (Steve Genusa reviews IIS, starting on page 62.)

Q: How do I install IIS?

Microsoft's integration of IIS into the OS makes setting up your Web server easier than with IIS 1.0. While installing NT 4.0, you can set up and configure your Internet services, including Web, FTP, and Gopher. If you've already installed NT 4.0, you can add IIS through the Control Panel. Click Network and then Services. Choose Add and select Microsoft Internet Information Server 2.0.

Follow the Setup routine carefully, because you must decide where to put the server and content directories as you go. You must also determine how much disk space you need. In addition to allocating approximately 5MB of disk to IIS, you need disk space for content you create for your Web site. If you plan to secure your site, your Web content must reside on an NT File System (NTFS) partition. By default, the content directories are in c:\inetpub (in IIS 1.0, the content directories were in c:\inetsrv). Have your NT 4.0 CD handy so Setup can copy the necessary files.

Once you install IIS, a default Web site is up and running. To test your new Web server, connect to it with a Web browser on the server or on a networked PC. If you have Internet Explorer (IE), view the Microsoft IIS home page at http://[your server name]. This page (default.htm) is in the inetpub\wwwroot directory, which is the default directory for your Web content. Under inetpub, you also see ftproot and gophroot, if you installed FTP and Gopher. If you want to revise your Web pages, this is where you'll find them.

Q: What's new in IIS 2.0?

Once you install, test, and troubleshoot IIS, you can customize the default page to suit your needs or replace it. If you used IIS 1.0 on NT Server 3.51, you'll notice several other improvements in IIS 2.0:

  • Microsoft integrated IIS 2.0's setup with NT 4.0 setup.

  • IIS 2.0 returns host headers, rather than IP addresses, in the universal resource locator (URL) to the browser on redirection.

  • IIS 2.0 supports National Center for Supercomputing Applications (NCSA)-style map files and CERN map files.

  • IIS 2.0 supports Hypertext Transfer Protocol (HTTP) byte range copy.

  • IIS 2.0 supports enhanced logging of several IIS functions to the server log file.

  • Internet Database Connector (IDC) lets you use server variables in IF statements.

  • IDC also supports SQL query grouping as batch or multiple queries.

  • All environment variables defined in the Common Gateway Interface (CGI) specification are available to CGI applications.

  • You can use Hypertext Markup Language (HTML) through any Web browser to administer IIS from clients.

  • Microsoft added a graphical Key Manager tool for generating keys required in SSL security.

Dynamic Publishing
For advanced publishing, IIS lets you add content to your Web site by means of databases, Internet Server API (ISAPI) DLLs, and CGI scripts. With IDC script files, you can query or insert data into an Open Database Connectivity (ODBC)-compliant database such as SQL. You can also increase your site's interactivity by using CGI scripts written with Perl, C++, and even Visual Basic 4 (WinCGI scripts). With the ISAPI interface, you can create scripts with Microsoft Visual C++ 4.1 or 4.2. These scripts are faster than CGI or WinCGI scripts because they run in-process with IIS.

Q: How do I control access to my Web server?

IIS 1.0 and 2.0 provide three methods for authenticating users accessing a Web service: anonymous logon, basic authentication, and Windows NT challenge/response.

Anonymous logon. When you install IIS, it creates an account called iusr_<computername>, where <computername> is your network computer name. This account impersonates all anonymous users who connect to Web, FTP, or Gopher services on the server. This user account's only unique feature is the requirement that it have the Log on Locally user right, in User Manager\Policies\User Rights. All activities IIS performs on behalf of anonymous users must occur through this account. For example, if the IUSR account doesn't have access to the system32 directory, DLLs that ODBC and Perl (and other programs) use won't load, causing scripts to fail.

Anonymous logon authentication secures Web and FTP content. IIS uses the access control lists on NTFS partitions to verify whether someone has access to a file or Web page. You can use NT Explorer or File Manager to set permissions on files. IIS uses local accounts by default, and like the IUSR account, any individual accounts IIS uses must have the Log on Locally user right. For example, to grant all users access to the wwwroot directory and to a private area for elite friends or customers, you can create a subdirectory under wwwroot and name it. Place the appropriate permissions on the private directory for the users to whom you want to grant access. For the permission changes to take effect immediately, exit all three Internet services in Internet Service Manager and then restart them. These steps update the token cache that IIS keeps for performance reasons. Ordinarily, this cache updates at 15-minute intervals.

Basic authentication. If you have problems getting anonymous logon authentication to work, try basic authentication. More browsers on the market support basic authentication than Windows NT challenge/response.

Windows NT challenge/response. This authentication method (also known as NTLM) is an encrypted way of passing the credentials across the Internet. NTLM is safer than basic authentication, which uses a clear text method. Both IE 2.0 for Windows 95 and IE 3.0 support NTLM.

Scripts

Q: What is WinCGI? How is it related to CGI?

IIS 1.0 and 2.0 support CGI scripts and ISAPI DLL scripts. You refer to these scripts as server extensions because they extend the functionality of your Web server.

WinCGI is another server extension specification similar to CGI, but WinCGI is usually used with scripts written in Visual Basic (VB). For a WinCGI script to run with IIS, you need a wrapper that performs standard input and output functions on behalf of your script. Scripts written with languages such as VB don't have standard I/O capability. The IS2WCGI sample included with the Microsoft ISAPI Software Development Kit is a wrapper that works with IIS. You can modify and compile your own version of this DLL (is2wcgi.dll) or obtain a compiled version from a third party.

You can obtain other freeware or shareware wrappers that work in a similar fashion to IS2WCGI on the Internet. We provide URLs at the end of this article to get you started.

Q: Do CGI scripts written with Perl work with IIS?

Perl scripts work with IIS if you install a Perl interpreter for NT. For example, you can download Hip Communications' Perl interpreter from the Internet.

To use Perl, install it, copy your Perl scripts to the IIS scripts directory, and then create a script map in the IIS registry. Be careful not to place perl.exe in your scripts directory, or unwelcome visitors can attempt to issue Perl commands that can destroy your data. Here's the correct Registry location:

hkey_local_machine\system\currentcontrolset\services\w3svc\parameters\scriptmap

Choose Edit, Add Value:

Value Name: .pl (Perl scripts usually use the .pl extension)

Data Type: REG_SZ

String: Example: c:\perl5\perl.exe %s %s

Script mapping lets you associate your script with an interpreter such as Perl. This technique is unique to IIS but similar to a file association in File Manager.
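A check for the perl.exe warning above, as an added example that is not part of the original article: it flags script map entries whose interpreter sits inside a directory the Web server can execute from. The function names, the sample entries, and the c:\inetpub\scripts location are constructed assumptions.

```python
import ntpath  # Windows path rules; works on any OS


def interpreter_path(command):
    """Return the executable part of a script map string such as
    'c:\\perl5\\perl.exe %s %s'."""
    command = command.strip()
    if command.startswith('"'):            # quoted path: take up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    lowered = command.lower()
    for suffix in (".exe", ".dll"):        # unquoted: cut right after the binary name
        pos = lowered.find(suffix)
        if pos != -1:
            return command[:pos + len(suffix)]
    return command.split()[0] if command else ""


def normalized(path):
    """Lower-case the path, unify separators and resolve '..' segments."""
    return ntpath.normcase(ntpath.normpath(path))


def is_inside(path, directory):
    """True if path lies anywhere under directory."""
    directory = normalized(directory).rstrip("\\")
    return normalized(path).startswith(directory + "\\")


def audit_script_map(script_map, web_executable_dirs):
    """Return (extension, interpreter, directory) for every interpreter that
    is stored in a directory visitors can run programs from."""
    findings = []
    for extension, command in script_map.items():
        exe = interpreter_path(command)
        for directory in web_executable_dirs:
            if is_inside(exe, directory):
                findings.append((extension, normalized(exe), normalized(directory)))
    return findings


# Constructed sample values, as they might be copied from the scriptmap key.
SAMPLE_SCRIPT_MAP = {
    ".pl": r"c:\perl5\perl.exe %s %s",                         # outside the Web tree
    ".cgi": r"C:\InetPub\Scripts\perl.exe %s %s",              # inside the scripts directory
    ".plx": r"c:\inetpub\wwwroot\..\scripts\perl.exe %s %s",   # same place via '..'
}
SCRIPT_DIRS = [r"c:\inetpub\scripts"]  # assumed location of the IIS scripts directory

if __name__ == "__main__":
    for extension, exe, directory in audit_script_map(SAMPLE_SCRIPT_MAP, SCRIPT_DIRS):
        print("%s -> %s is inside %s; move the interpreter" % (extension, exe, directory))
```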

FTP

Q: I created a virtual directory for my FTP service, but users can't see it. Why not?

NT doesn't support symbolic linking, so when you create a virtual directory outside the FTP root directory, the virtual directory isn't visible. You can change the directory and use it, but you won't see it when issuing a DOS DIR or UNIX LS command. (This invisibility can be useful if you want to create a secret directory, because users won't know the name of the secret directory.) Most systems administrators want the directory to be visible. You can get around the visibility problem by creating your virtual directory outside your FTP root directory and then creating a dummy directory inside the FTP root directory, giving it the same name as the alias for the virtual directory. Now users can see the dummy directory, and IIS redirects them to the virtual directory when they change to the dummy.

Q: I created some user accounts so I can restrict access to my FTP server, but none of those users can log in. Why?

With all Internet server services, user accounts must have the Log on Locally user right. Make sure the non-anonymous users have this right and that they have, at minimum, Read permissions to the FTP root directory. You must stop and restart all three services before the new permissions take effect.

Q: I checked the permissions and user rights for the domain accounts that I've given access to the Web and FTP services, but they still can't log in. What am I missing?

If your server is a member of a domain, you can use local or domain accounts to restrict access. Local accounts work with no changes because IIS checks the local account database by default. For domain accounts, the user must specify both the domain name and username when logging on to the Web or FTP service, as shown in Screen 1.

You can eliminate this requirement for domain accounts by adding a Registry entry in IIS 2.0. However, altering the Registry can cause serious problems, so be careful when you change it.

Registry Path:

hkey_local_machine\system\currentcontrolset\services\servicename\parameters

where ServiceName is:

MSFTPSVC - FTP Service

GOPHERSVC - Gopher Service

W3SVC - Web Service

The default logon domain below validates a clear-text logon when no domain is specified in the username field. The default value is the domain name for servers that are domain controllers or the local computer's name (if it's a standalone).

DefaultLogonDomain REG_SZ

Range: string

Default: domainname

Q: I host a Web server for several users. How can I let them use FTP to update their Web pages?

You can set up FTP to allow users Read and Write access to their Web pages in two ways. The following examples illustrate two common methods.

Suppose you have a Web server called www.widgets.com. On this server, you create directories for several users under wwwroot:

d:\inetpub\wwwroot\larry

d:\inetpub\wwwroot\bill

d:\inetpub\wwwroot\george

The IUSR account has Read access to each subdirectory, and Larry, Bill, and George have full privileges to their respective directories. Anonymous users can view the pages in these directories through the Web service, and Larry, Bill, and George can connect to FTP and read and write files to these directories.

Because all your guest Web authors want to use FTP to access their Web page content, you must create a virtual directory on the FTP Service Properties screen, as you see in Screen 2, for each author's directory. Then click Edit Properties and select both Read and Write access on the Directory Properties screen, which you see in Screen 3, for each virtual directory. Because you're using NTFS security, Web and FTP services share permissions.

The second method to let users update their Web pages using FTP is to set the NTFS permissions and point the FTP home directory (with Read and Write access enabled) to the Web home directory, as you see in Screen 4.

Q: My Web site has heavy traffic. How can I balance the load between two or more servers?

When clients try to connect to your domain, they usually query a Domain Name System (DNS) server to resolve the name to an IP address. (For more on administering DNS, see Spyros Sakellariadis, "Configuring and Administering DNS," August 1996, and "Integrating and Administering DNS," September; Mark Minasi discusses IP addressing in "How to Set up IP," February; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; "Unlock Your Gateway to the Internet," June; "DHCP and Assigning IP Addresses," August; and "Gateways Re-visited," on page 47.)

DNS Servers (including Microsoft's new DNS server, which is part of Windows NT 4.0) can return addresses in a round-robin fashion to clients. If you list multiple IP addresses for one host name, DNS returns the first IP address to the first client, the second IP address to the second client, and so on.

Microsoft uses this method on www.microsoft.com, where several servers share the traffic load. Each server in turn satisfies a request.

Q: When I try to install my new Secure Sockets Layer (SSL) certificate, I get the message, "Keycheck failed with error 0x8009030e." Why?

This error usually occurs because you haven't saved the certificate (that the Certificate Authority emailed to you) in the correct format. You must save this certificate to a text file to install it into your IIS server. If you save the certificate as Unicode in the notepad, you will get the keycheck error.

To ensure successful installation of your SSL certificate, make sure you save the emailed certificate as a text file. Then, if you're using the copy/paste feature to get the file into the notepad and you're still getting the error, try exporting the file to the notepad from your mail program. The certificate will look like a clean block of ASCII text after you save it, as in Figure 1.
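One way to test a saved certificate file before installing it, as an added example that is not from the original article: it detects a Unicode (UTF-16) save or stray mail text around the block and produces a clean ASCII copy. The function names and the sample certificate body are constructed placeholders, not a real certificate.

```python
import codecs
import string

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BASE64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def detect_encoding(data):
    """Guess how the editor or mail program saved the file."""
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"                        # a "Unicode" save with a byte order mark
    if b"\x00" in data:                        # UTF-16 without a byte order mark
        return "utf-16-le" if data[1:2] == b"\x00" else "utf-16-be"
    return "ascii"


def check_certificate_file(data):
    """Return (problems, clean_ascii_bytes); the second item is None when
    the certificate block cannot be recovered."""
    problems = []
    encoding = detect_encoding(data)
    if encoding != "ascii":
        problems.append("saved as %s instead of plain ASCII text" % encoding)
    try:
        text = data.decode(encoding)
    except UnicodeDecodeError:
        return problems + ["contains bytes that are not valid text"], None
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if BEGIN not in lines or END not in lines:
        return problems + ["BEGIN/END CERTIFICATE lines not found"], None
    start, end = lines.index(BEGIN), lines.index(END)
    if start > 0 or end < len(lines) - 1:
        problems.append("extra text around the certificate block")
    body = lines[start + 1:end]
    if not body or any(set(ln) - BASE64_CHARS for ln in body):
        return problems + ["certificate body is not clean base64"], None
    clean = "\r\n".join([BEGIN] + body + [END]) + "\r\n"
    return problems, clean.encode("ascii")


# Constructed sample: placeholder base64 text, not a real certificate.
_TEXT = "\r\n".join([BEGIN,
                     "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo5",
                     "ODc2NTQzMjEwYWJjZGVmZ2hpamtsbW5vcA==",
                     END]) + "\r\n"
SAMPLE_ASCII = _TEXT.encode("ascii")                              # saved correctly
SAMPLE_UNICODE = codecs.BOM_UTF16_LE + _TEXT.encode("utf-16-le")  # saved as Unicode
SAMPLE_MAIL = ("Subject: Your certificate\r\n\r\n" + _TEXT).encode("ascii")

if __name__ == "__main__":
    for name, data in (("ascii", SAMPLE_ASCII), ("unicode", SAMPLE_UNICODE),
                       ("mail", SAMPLE_MAIL)):
        print(name, check_certificate_file(data)[0] or "ok")
```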

Q: Sometimes, when I connect to my Web server, the server name in the URL changes to the server's IP address. How can I prevent this?

This change happens when the server sends a redirect signal to the client. You can get around this situation in either of two ways. First, you can make sure you type a trailing slash at the end of your URL: Instead of www.joesplace.com, type www.joesplace.com/. Or, you can add the ReturnURLUsingHostName registry entry as follows:

Registry Path:

hkey_local_machine\system\currentcontrolset\services\w3svc\parameters

When the default is set to 0 and the server is doing redirects, the server returns its IP address to a client if the host header field isn't present. To return a host name or the server's computer name, change this registry setting to 1.

If you add a host name in the Host Name box of the DNS dialog, the server returns that name. Otherwise, it returns the server's computer name, which appears in the Host Name box by default.

To fill in a host name, open the TCP/IP property sheet in the NT Control Panel's Network application. Click the DNS tab, and type a name in the Host Name box.

FIGURE 1: Sample SSL certificate

Q: Do I need more than one network to set up virtual servers?

No. When you set up virtual servers, you must type in an IP address for each new server. You must also add this new IP address to your network card. In control panel\network\protocols\tcp/ip protocol\advanced, NT lets you add up to five different IP addresses to a network card. Just add the new IP addresses to the IP Addresses box.

Q: How can I add more than five IP addresses to my NT network card?

You must add the remaining IP addresses through the Registry editor. For details, see the Knowledge Base article Q149426 at www.microsoft.com/kb/bussys/winnt/q149426.htm.

NT 3.51 users running Service Pack 4 can run a maximum of 14 to 17 IP addresses without ordering a hot fix. This limit is from an error in Microsoft's netbt.sys. A fix in Service Pack 5 will let you run more than 14 to 17 addresses. NT 4.0 includes this fix.

Q: What is IDC? How can I use it to publish information from my database?

IDC is an interface for IIS that provides access to any Open Database Connectivity (ODBC)-compliant database from a standard HTML Web page. To use IDC, you must have IIS, an ODBC-compliant database and driver, System Data Source Name (DSN), an HTML file, an IDC file, and an HTX file.

Q: How does IIS access data from a database?

IIS uses API calls to httpodbc.dll to access data from a database. The file httpodbc.dll is an installed component that comes with IIS.

Q: How does IDC use ODBC drivers?

IDC can use SQL to return information from tables and can use the database engine to run stored procedures and queries. IDC relies on the ODBC driver to accomplish these tasks.

ODBC drivers come in many types and versions. Be sure that your ODBC driver version is compliant with your database version. For example, you cannot use the SQL Server 6.0 driver with SQL Server 6.5 and vice versa.

To check your ODBC driver version, go to control panel\odbc. In the Data Sources dialog, click Drivers, highlight the driver in question (as shown in Screen 5) and click About. Screen 6 displays background information for the SQL Server driver.

Q: What's the role of DSN with IIS database access?

For an IDC file to connect to a database, you must set up a system DSN. You cannot use an ordinary Data Source with IDC. To set up a system DSN, go to control panel\odbc. First, click System DSN, which you see in Screen 7. In the System Data Sources dialog, click Add for a new system DSN. Next, select the ODBC-compliant driver that matches the type of database you will access with IDC, as shown in Screen 8.

For IDC to work correctly, you must fill in the DSN and server for this particular DSN setup. You configure the DSN setup dialog differently for each ODBC driver. After you set up the System DSN, you must write the HTML file that calls the IDC file.

Q: What is the function of the HTML file?

You can use the HTML file in different ways. You can use a form to pass variables to an IDC file, or the HTML file can just call an IDC file that returns a standard set of information from a database.

Let's look at some examples of different ways to retrieve data from an IDC file. Listing 1 shows how to use a form to send variable data. Listing 2 shows how to use IDC to return a static set of data from a database.

The form example lets you choose one of the states in the pulldown. You can then click Submit Form to run the IDC file, or click Reset Form. IDC stores the value you select from the pulldown in a variable called state. The program passes the variable to the IDC file to let the ODBC driver perform a query in the database.

Q: How are IDC files related to HTML files?

IDC files let simple HTML files communicate with databases. You can pass several parameters through the IDC file, but it requires only three parameters: Datasource, Template, and SQLStatement. Table 1 lists and describes all the possible parameters.

IDC also offers ODBCOptions. Consult your ODBC documentation and the ODBC SDK for options that allow debugging and tuning.

Listing 3 corresponds with the HTML file in Listing 1. Together, these files provide a form for sending variable data. You can create example_1.idc and example_2.idc, which you see in Listing 4, in any text editing program (such as Notepad) that creates ASCII text files. You must store IDC files in a directory that has execute permissions, because the IDC file is a script.

I've divided the SQL statement, example_1.idc, into several lines to make it easy to read and troubleshoot. The plus sign at the beginning of each line joins the lines into one SQL statement. For the variable state, I added two more percent signs to the end. The percent signs represent a wildcard.

If the example uses the variable alone, the statement looks like this:

+WHERE state LIKE '%STATE%'

However, the IDC file in this example calls for all states that begin with the value selected in the pulldown, and any other characters can follow that prefix. In SQL, the % sign is a wildcard, but because I joined the % sign to a variable, I need two extra %% signs to bind the variable to the wildcard.

The IDC file in Listing 4 corresponds with the HTML file in Listing 2. In the static example, the IDC file queries the database, selects some fields, and then sorts the fields by the store name.

IDC files have several other uses. They can run stored procedures and stored queries. Remember that the syntax for procedures and queries will vary, depending on the database type and version.

To run a stored procedure in SQL Server, you need a SQL statement like this:

SQLStatement:

+EXEC sp_processmail @subject='My Life', @filetype='CSV', @set_user='guest'

To run a query stored in an Access database, you need a SQL statement like this:

SQLStatement:

+Select * FROM myquery

Q: What is an HTX file?

In the final stage of IDC, you return the values to the browser. An HTX file is an HTML file with some additional tags that place variable information into the page from ODBC. The first set of required tags, <%begindetail%> and <%enddetail%>, identify the beginning and end of a section for ODBC, as shown in Listing 5 (which corresponds with Listing 1) and Listing 6 (which also corresponds with Listing 1). The <% and %> markers surround the column names to tell the browser where the value belongs. In addition to standard tags, conditional tags exist. Table 2 lists tags and describes usage for each.

Q: How can I do multiple SELECTS and multiple drop-down selecting?

To perform a multiple SELECT, forget everything you know about SQL and follow one simple rule: For multiple SELECTS in one query, use the UNION command with parentheses around all SELECT statements except the first one, as you see in the following example:

SQLStatement:

+SELECT *

+FROM pubs.authors

+UNION

+(SELECT *

+FROM pubs.sales)

+UNION

+(SELECT *

+FROM pubs.titles)

Listing 7 is an example of selecting multiple items from a pulldown list.

Q: Where can I find more information on IIS?

You can find great information, user-to-user conversation, and tips at the IIS newsgroup, microsoft.public.inetserver.iis, on news server msnews.microsoft.com. For the latest IIS information from Microsoft, point your browser to microsoft.com/infoserv/. Microsoft Internet Information Server Frequently Asked Questions List is at rampages.onramp.net/~steveg/iis.html, and Windows NT Web Server Tools is at www.primenet.com/~buyensj/ntwebsrv.html. Microsoft offers fee-based technical support at 1-800-936-5900.

Contact Info

Hip Communications' Perl interpreter * www.perl.hip.com/webkit.htm
