IIS Answers
Enable pass-through authentication, precede your URL with an icon, and recover a corrupted metabase.
December 19, 2000
I have a Web server running on machine A. I want pages from this Web server to be able to write information to sections of the file system on machine B. I'm using Windows NT 4.0 Service Pack 5 (SP5) and Microsoft IIS 4.0, and I've turned off Anonymous access. Both machines are in the same domain. I created a virtual directory on A, pointed it at the proper location on B, and supplied a name and password as prompted. Everything works, except that anyone who accesses the directory on A or B has the permissions of the name and password I specified during the creation of the virtual directory. Can I use the NT 4.0 permissions I applied to the original resource to control user access?
Before I answer your question, I must warn you that my solution involves enabling pass-through authentication for IIS 4.0, which Microsoft doesn't recommend and therefore doesn't support. Pass-through authentication lets you achieve your goal, but it's likely to have side effects (e.g., Microsoft Index Server won't be able to index the virtual directory). The good news is that Microsoft built pass-through authentication into IIS 5.0 and, as far as I can tell, supports the configuration in this version.
Before you enable pass-through authentication for either IIS 5.0 or IIS 4.0, be sure to back up your metabase. You also need to determine the Web site number assigned to the site in the metabase, which you can easily do using MetaEdit. MetaEdit comes with the Microsoft Windows 2000 Resource Kit (for IIS 5.0) and the Microsoft Internet Information Server Resource Kit (for IIS 4.0). Be sure to use the most recent version of MetaEdit—MetaEdit 2.1. The Microsoft article "FILE: How to Download, Install, and Uninstall the IIS MetaEdit 2.1 Utility" (http://support.microsoft.com/support/kb/articles/q232/0/68.asp) provides more information and the tool for download.
In IIS 5.0, to enable pass-through authentication on the Protected virtual directory in the default Web site, you type the code in Listing 1 at a command prompt. You substitute your Web site number for 1 and the name of your virtual directory for Protected.
You must also enable for the Web site or the virtual directory an authentication mode that supports remote access to resources, which means you must use one of these modes: Anonymous with IIS control password disabled; Basic, Integrated Windows (this mode will work only if all your users use Microsoft Internet Explorer—IE—5.0 on Windows 2000 systems); or Certificate Mapping (the IIS 5.0 version, not Windows Mapper). You enable the authentication mode in the Web site or virtual directory properties.
To enable pass-through authentication in IIS 4.0, perform these steps:
1. Enable an authentication mode that supports remote access to resources, which means you must use one of these modes: Basic or Anonymous with Automatic Password Synchronization turned off.
2. Locate the adsutil.vbs utility script, which is usually in the \winnt\system32\inetsrv\adminsamples directory.
3. At a command prompt, type
   adsutil set w3svc/1/root/vdir/UNCUserName ""
   where 1 is the Web site number and vdir is the name of your virtual directory.
4. Type
   adsutil set w3svc/1/root/vdir/UNCPassword ""
5. Type
   adsutil set w3svc/1/root/vdir/UNCAuthenticationPassThrough TRUE
6. Type
   net stop iisadmin /y
7. Type
   net start w3svc
As a result of enabling pass-through authentication for a virtual directory in IIS 4.0, you'll see an error in the Microsoft Management Console (MMC) associated with the virtual directory. However, the procedure will work. Note that any changes you make to the virtual directory through MMC will overwrite your modifications. And please remember that Microsoft neither supports nor recommends this configuration in IIS 4.0.
I've set up an Active Server Pages (ASP) page to use Collaboration Data Objects (CDO) email to send the results of a form to a designated recipient. Everything works fine as long as the recipient isn't using an email address that is linked to the server's domain. For example, if the Web site is http://www.b2bcommerce.com and I've set the form to send the results to [email protected], CDO email sends the form. However, if I set the form to send results to [email protected], the form isn't sent. What's wrong?
You can resolve this problem easily. Just configure the local Microsoft IIS SMTP server as follows.
1. Define the domain of the SMTP address as the local domain for the IIS SMTP server (e.g., myserver.b2bcommerce.com). Note that this domain can be different from the domain in the Web address. Also note that the server name precedes the domain name.
2. Define a remote domain that has the same name as the domain of the SMTP address (b2bcommerce.com). In the remote domain, specify the name or IP address of the mail server that receives mail for b2bcommerce.com. In IIS 4.0, this server is called the route domain; in IIS 5.0, this server is called Smart Host (not the SMTP properties Smart Host, but a specific smart host for this particular routing domain). In the Windows 2000 SMTP server, you can simply let the SMTP server use standard DNS lookup of the mail exchanger (MX) record to resolve the domain name and forward mail to that address. In this setup, the SMTP server takes the message addressed to b2bcommerce.com and routes it to the remote server.
In addition to setting up the domains, be sure to define a DNS server for the IIS machine. A good place to determine whether a DNS problem exists is in the Queues directory. If the SMTP service is trying to deliver messages, it will store those messages in the Queues directory with an .rtr extension. If .rtr files are associated with your unsent messages, examine the files for errors. A DNS lookup failure will have the form No path found from URL. (Thanks to reader Wesley H. Peace for this question and answer.)
How do you add an icon to your URL so that the icon shows up before the URL in Microsoft Internet Explorer (IE)'s Address field and Favorites list? I see icons for only certain URLs, so apparently you must perform some action on the Web server to make them appear in the browser.
You can have your company or Web site logo appear before your URL in IE 5.x's Address field and Favorites list. However, the graphic—called a shortcut icon—appears only to users who place your site on their Favorites list.
First, use one of the many icon editors available as shareware to create an icon that measures exactly 16 x 16 pixels. (Make sure you choose an editor that lets you save your icon as an .ico file.) Save your icon with the filename favicon.ico in your Web site's root directory. I also recommend placing it in any other directory your users might bookmark. You can use a different name or location, but if you do, you need to tell IE the name and location, as Listing 2 shows. This link to the icon file must be in every page that you think users will bookmark.
Because this fun feature is available only when a user bookmarks a page, you might want to encourage your users to create bookmarks. You can find a snippet of code to get you started on a button for this purpose at http://msdn.microsoft.com/workshop/author/dhtml/howto/shortcuticon.asp.
My Microsoft IIS server stopped and won't start up again. Having tried unsuccessfully to recover it, I believe my metabase is corrupted. Unfortunately, no backup metabase exists. Do I have to start over?
I'm glad you asked. You have one hope that most IIS administrators don't know about. IIS makes a temporary backup of the metabase when you update it and deletes the backup after an update has been completed. However, if something went wrong during the update, which could be the cause of the corruption in the first place, the backup might still be present. The temporary backup file is named either metabase.bak or metabase.bin.bak; you can find the file in the %systemroot%\system32\inetsrv folder. If you get lucky and find it there, use the following procedure to restore it.
1. Stop IIS and all related services.
2. Rename the current metabase (i.e., metabase.bin) to metabase.badbadbad (or equivalent).
3. Rename the good metabase (i.e., metabase.bak) to metabase.bin.
4. Restart IIS and all related services. (Reboot just to be sure everything gets loaded properly.)
If this process doesn't get you going, you must completely uninstall Microsoft Internet Explorer (IE) and Microsoft Windows NT 4.0 Option Pack, then delete metabase.bin and reinstall from the ground up. For information about this problem and the restoration process, see the Microsoft article "How to Manually Restore the Metabase When No Proper Backup Exists or the MMC Won't Start" (http://support.microsoft.com/support/kb/articles/q234/4/29.asp).
How can I make the Active Server Pages (ASP) files on my server unreadable to those who might gain access to the script?
As you probably know, if a user can access the ASP script files that run on a server, that person can clearly see the details of the software, including variables in use, paths to calling programs, database connections, and even embedded passwords or authentication schemes. If Microsoft IIS is working properly, users should see only the result of running the script; however, various vulnerabilities have enabled users to access ASP source code. For information about two such vulnerabilities, see the Microsoft articles "Malformed HTR Request Returns Source Code for ASP Scripting Files" at http://support.microsoft.com/support/kb/articles/q260/0/69.asp and "Virtual Directory Mapped to UNC Returns Server-Side Script Code When URL Contains Additional Characters at the End of the Request" at http://support.microsoft.com/support/kb/articles/q249/5/99.asp.
Windows 2000 Service Pack 1 (SP1) fixes the Server-Side Script Code bug but not the Malformed HTR Request bug. In addition, anyone who can access the IIS server files with Read permissions by any means other than Microsoft Internet Explorer (IE) can peruse the source code. Because of script vulnerabilities, some administrators don't use scripting on their sites, insisting on harder-to-develop, faster-to-execute, and harder-to-read compiled code in the form of ISAPI DLLs or custom COM objects.
To solve the ASP-script security problem, Microsoft has released Windows Script Encoder, which is available at no cost as part of the updated Windows Script (WS) engine at http://msdn.microsoft.com/scripting. The encoder obscures readable ASP script so that it makes no sense to the viewer looking at the script.
The encoder is fairly straightforward, but you should use it with care. First, you should use the encoder only on your final, debugged code. Error messages reporting problems in encoded script tend not to be as useful as error messages in unencoded script. For example, the line numbers specifying where an error occurred can be wrong, which makes identifying the problem more difficult. Second, encoding is a one-way process. So, after you debug your script and use the command
screnc sourcefile outputfile
to encode the script, .html file, .txt file, or scriptlet, users can't decode the encoded file to yield your source—and you can't either.
The encoder lets you encode all your ASP files at one time and place them in a target directory. For example, to encode all ASP files and place them in the aspencoded directory, you use the command
screnc *.asp c:\aspencoded
You can also encode just a portion of a script. You use the **Start Encode** special marker to indicate where encoding should begin in your script, as Listing 3, page 84, shows. Anything after the marker is encoded. During encoding, the scripting language reference changes to indicate that the script is encoded. For VBScript, the language name becomes VBScript.Encode; for JScript, it becomes JScript.Encode.
Finally, note that the encoded script won't work unless you update your WS engine to version 5.5. This update applies to Win2K, Windows NT 4.0, Windows 98, and Win95 OEM Service Release 2 (OSR2).
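Because encoding is easy to skip for one file in a tree, a check that every page in the publish directory really went through the encoder is worth running before deployment. The following Python script is an added example, not code from the article or from Microsoft; it assumes that encoded blocks carry the Windows Script Encoder's "#@~^" signature and that the language name ends in ".Encode", and its sample pages are constructed (the "encoded" bytes are stand-ins, not real screnc output).

```python
import re
from typing import Dict, List

# Assumption: every block that screnc emits starts with this signature
# (the article shows no encoded output, so this is not taken from it).
ENCODED_BLOCK_START = "#@~^"

# Language name from <%@ Language=VBScript %> page directives and from
# <script language="JScript.Encode"> tags.
LANGUAGE_RE = re.compile(
    r'(?:<%@\s*language\s*=|<script[^>]*\blanguage\s*=)\s*"?([A-Za-z]+(?:\.Encode)?)"?',
    re.IGNORECASE,
)
# Server-side code blocks (<% ... %> and <%= ... %>), but not <%@ %> directives.
SCRIPT_BLOCK_RE = re.compile(r"<%(?!@)(.*?)%>", re.DOTALL)


def readable_blocks(text: str) -> List[str]:
    """Server-side blocks of one ASP page that are still plain text."""
    return [body.strip() for body in SCRIPT_BLOCK_RE.findall(text)
            if body.strip() and ENCODED_BLOCK_START not in body]


def classify_asp(text: str) -> str:
    """'encoded' when every block is obscured, 'partial' when a **Start Encode**
    marker left earlier blocks readable, 'cleartext' when screnc never ran."""
    langs = [m.group(1).lower() for m in LANGUAGE_RE.finditer(text)]
    encode_directive = any(lang.endswith(".encode") for lang in langs)
    has_encoded_block = ENCODED_BLOCK_START in text
    if encode_directive and has_encoded_block and not readable_blocks(text):
        return "encoded"
    if encode_directive or has_encoded_block:
        return "partial"
    return "cleartext"


def audit(pages: Dict[str, str]) -> Dict[str, str]:
    """Map page name to status; run on the output directory, not your only source copy."""
    return {name: classify_asp(text) for name, text in pages.items()}


# Constructed sample pages: one never encoded, one fully encoded, one partially.
SAMPLE_PAGES = {
    "login.asp": '<%@ Language=VBScript %>\n'
                 '<% conn.Open "DSN=orders;UID=web;PWD=example-secret" %>',
    "report.asp": '<%@ LANGUAGE="VBScript.Encode" %>\n'
                  '<% #@~^FAAAAA==ENCODEDBODY^#~@ %>',
    "mixed.asp": '<%@ LANGUAGE="JScript.Encode" %>\n'
                 '<% var page = "header"; %>\n'
                 '<% #@~^CAAAAA==ENCODEDBODY^#~@ %>',
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PAGES).items():
        print(f"{name}: {status}")
```

A "partial" result is expected when you deliberately used the **Start Encode** marker; a "cleartext" result means the file was copied into the target directory without ever being encoded.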