Kristina Olson's Blog

Delegate Application Creation for Non-Admininistrator accounts

krolson — Thu, 12 Nov 2009 18:37:00 GMT

The Web Deployment Tool provides a way to delegate application creation to non-Administrator Windows users or IIS users. This blog covers how to configure this particular delegated setting. If you have not yet set up some users, or are not familiar with remote administration, I highly recommend going through this walkthrough: http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/ before trying out these steps.

Server Admin Steps

1. Install the Web Deployment Tool (MSDeploy)

Use the Web Platform Installer (can be found here: http://www.microsoft.com/web/downloads/platform.aspx)
Run and choose Web Deployment Tool 1.0 and click Install. This will also pull in any dependencies you don’t already have on your system.

NOTE: This might take a while if you are missing a lot of dependencies (particularly the Windows Installer 4.5 – as this may require a restart)

2. Launch Inetmgr

Click Start and type inetmgr. Press Enter.

3. Open Management Service Delegation feature UI

Select the server node and double-click the Management Service Delegation icon (in the Management group)

NOTE: if you see these warnings:

This means you need to do 2 things (but they may be done after setting up rules, if you prefer):

Start WMSvc with remote connections allowed
Set up some IIS Manager Permissions.

There is information about doing this here: http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/

4. Make a rule to allow marking folders as applications

Click the Add Rule… task in the Actions pane

Choose the Mark Folders as Applications template and click OK

Set the Run-As identity to an account that has write permission to applicationHost.config (such as an Administrator account)
Click Set button under Specify credentials:

Enter user credentials

Click OK

Click OK to finish creation of the rule

5. Add a user to the rule

Note: this dialog will pop up automatically when you create the rule, but you can add users at any time by selecting the rule and clicking the “Add User to Rule…” task

Add a specific Windows user, user group or IIS User. You may also make this rule for all users (*) and the {userScope} path will limit each user to the specific sites/apps they have IIS Manager Permissions for – see section Configure IIS Manager Permissions for a Site or an Application here for more information on this step http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/ )

Click OK

6. Add additional rules if you want to allow additional user actions (such as the ability to add content, set ACLs, or access databases) - see last section on this page.

Note – this rule ONLY allows the users to right-click an existing folder and mark it as an application – other rules are probably desired. See the bottom of this article for some common rules.

Client (non-Admin) steps

1. Launch inetmgr

Note: this may be done either from a remote computer or locally. If remote, the remote computer must also have MSDeploy installed in order to use the MSDeploy UI features.

2. Connect to the user’s site (or app)

Right-click on Start Page and choose the Connect to a Site… option

Type in the server name and site name – click Next

Type in user credentials and click Next

You should get to a “Created a new connection successfully.” screen. Click Finish.

3. Expand the site node

4. Right-click a folder

Note: if you do NOT see the Deploy option, then most likely issues are:

MSDeploy UI component is not installed on the computer
There are no Management Service Delegation rules
This user has not been added to any Management Service Delegation rules

5. Select the Deploy > Convert to Application option

Note: other options would appear under Deploy if other rules were specified, such as Delete Folder and Content or Recycle. See the Common Rules section below for a few basic rules to try out.

6. Notice that the folder has now marked as an application (you can tell by the updated icon in the tree view)

Some Common Rules to Get Started

This shows the values for some common rules as they would appear in the administration.config file (%windir%\System32\inetsrv\config\administration.config). The rule just created for createApp has been bolded:

<system.webServer>
            <management>
                <delegation>
                    
                    <rule enabled="true" providers="contentPath, iisApp" actions="*" path="{userScope}" pathType="PathPrefix">
                        <runAs identityType="CurrentUser" />
                        <permissions>
                            <user name="*" isRole="false" accessType="Allow" />
                        </permissions>
                    </rule>
                    <!—This is the “Set Permissions for Applications” rule, with all the template defaults. It allows users to set ACLs to locations they have IIS Manager Permissions for AND appropriate ACLs on the parent physical directories-->
                    <rule enabled="true" providers="setAcl" actions="*" path="{userScope}" pathType="PathPrefix">
                        <runAs identityType="CurrentUser" />
                        <permissions>
                            <user name="*" isRole="false" accessType="Allow" />
                        </permissions>
                    </rule>
                    <!—This is the “Mark Folders as Applications” rule, using the template defaults. The runAs identity was set to a local Administrator account to allow non-administrators to mark folders as applications if they are in a path the user has IIS Manager Permissions for. This rule was the focus of the walkthrough above. -->
                   <rule enabled="true" providers="createApp" actions="*" path="{userScope}" pathType="PathPrefix">
                        <runAs identityType="SpecificUser" userName="Administrator" password="[enc:RsaProtectedConfigurationProvider:jAAAAAECAAADZgAAAKQAAKv+vnsskEdvc7c3Q2tcaJGVbvKW0urtCC8QayxZfYyGVjKrxQKQTob7T5z7ESM/3Zm0mPhIut033tWpyNJ+As4N8H5Wh/w31327eaxe+C6NLK2zmHY978A0aHpqcafcZ7K7YIaGGEem/Up0xa2Jf/LXJt77vLJUkumwGOlO3Dw9NGYGIyj8zk6lHsFQPoU0SHykWhrnMCp12uzFCUN4fYw=:enc]" />
                        <permissions>
                            <user name="*" isRole="false" accessType="Allow" />
                        </permissions>
                    </rule>
                 </delegation>
            </management>
        </system.webServer>

Why do all these rules use {userScope} for the default path?

This makes your job easier by automatically limiting the users to areas you’ve given them permission to using IIS Manager Permissions – which are stored in the same administration.config file. You can see in this sample administration.config section below that both a Windows user (A_Windows_User) and an IIS user (An_IIS_User) are authorized to access Default Web Site – so the {userScope} in the above rules would limit them to altering items under Default Web Site. (Note that for reading/writing content under Default Web Site these accounts will also require you to grant ACLs on Default Web Site’s physical directory. There’s some more information on how to do this here: http://blogs.iis.net/krolson/archive/2009/11/04/using-iis-manager-accounts-for-web-deployment-tool-msdeploy-delegation.aspx - for Windows users just use the user name instead of Local Service)

<system.webServer>
<management>

Using IIS Manager accounts for Web Deployment Tool (msdeploy) delegation

krolson — Wed, 04 Nov 2009 20:04:00 GMT

This blog outlines the basic steps for setting up IIS Manager accounts so that they may be used for Web Deployment Tool delegation.

Most of the steps particular to using IIS Manager users for delegation are required for connecting remotely using the Windows Management service, so if there are already accounts set up for remote management, that work has already been done.

The following steps will allow IIS Manager accounts to be used for management service delegation. Step-by-step instructions with screen shots may be found for steps 1 through 4 on this page, with their section title added in parenthesis: http://learn.iis.net/page.aspx/159/configuring-remote-administration-and-feature-delegation-in-iis-70/

1. Make sure that Windows Management Service is installed (Configuring Remote Connections in IIS Manager)

2. Enable remote connections for IIS users (Enable Remote Connections and Configure Identity Credentials)

The previous steps only need to be performed once, however the following steps may be repeated for any number of new IIS Manager users.

3. Create an IIS Manager account (Add an IIS Manager User)

4. Give the user access to a site or application (Configure IIS Manager Permissions for a Site or an Application)

This next step is vital for remote management, without which IIS users could not access or modify content for a site/application. A complete walkthrough for this step is the main focus of this page.

5. Grant access to the physical site/application content (Configure Access Control Lists (ACLs) for Content Directories)

Open IIS Manager (from start menu type “inetmgr” and press ENTER)
Select the site (or application) you want to give an IIS user access to, right-click, and select the “Edit Permissions…” option.

Go to the Security tab and click “Edit…” under the “Group or user names:” section.

This will open a very similar looking Permissions window. Click the “Add…” button.

Now type in the WMSvc identity in the Select Users, Computers, or Groups dialog (i.e. “Local Service” - without the quotation marks. To confirm that this is the account WMSvc uses, check out the section, below, “How to find out what account to add for IIS user ACLs”). Click OK.

Select the LOCAL SERVICE user and modify the Permissions for LOCAL SERVICE by checking/unchecking the permission boxes. For example, you may want to allow Write or Modify permissions.

When finished editing the permissions, click OK. You may be warned that “You are about to change the permission settings on system folders…” depending on where the directory for your web site is located.
Now you will see LOCAL SERVICE in the list of “Group or user names:” and can view the permissions by selecting that account. If at any point you want to change these permissions, you can follow similar steps by clicking Edit and then changing the check-box permission selections.

Click OK when you are finished.

6. Add the IIS user to existing/new Management Service Delegation rules to allow those users to import content, create applications, and/or modify databases

How to find out what account to add for IIS user ACLs

This will typically be “Local Service”, and it is easy to check this.

Click Start and type “Services” – open the Services feature.

In Services, locate the service named “Web Management Service” and see what is listed under the Log On As column.

Patch for Dynamic IP Restrictions for IIS 7 - Beta

krolson — Mon, 08 Jun 2009 22:52:00 GMT

Dynamic IP Restrictions (DIPR) was created to give users a tool to help mitigate the effects of DOS attacks and certain brute-force password breaking attempts. The Out-Of-Band (OOB) feature description is (perhaps more elegantly) outlined on this page: http://www.iis.net/extensions/DynamicIPRestrictions. In short, it is a handy tool that is easy to configure to protect a site/server from certain attacks.

A bug was discovered in the Beta for Microsoft Dynamic IP Restrictions for IIS 7 for which a patch has been released. The bug affects users with site names longer than 22 characters. Installing the feature with a long site name and browsing to that site would result in a distinctive error in the Windows Application logs.

To check whether your version of DIPR beta contains this update, check the Registry. If the value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\DynIpRst\Version is 7.1.0394.0, then the installed DIPR is not updated. This value should be 7.1.0487.0 for the updated version. The fix for the DIPR beta is being distributed in 2 ways: an updated installer (.msi) for a new install and a patch (.msp) for existing installs. These are available through WebPI (the Web Platform Installer) and are also posted on Microsoft Download Center (DLC) and IIS.net (see links included below for where to get the update).

If you do not already have WebPI, I highly recommend trying it out – you can get it here: http://www.microsoft.com/web/downloads/platform.aspx. WebPI is a tool that makes it easy to see available new products or even Web applications and streamlines their installation (including any product dependencies). When you launch WebPI, it will start on the “What’s New?” page. You will either see the update patch in the “Updates” section of WebPI:

Or the full product install will be shown in the “Web Platform Beta Extensions” section:

To manually get the patch or update an existing DIPR beta install, the appropriate .msi or .msp file may be downloaded directly from the Download Center (see section, below, for links to Download Center pages). Run the file, and the installer will guide you through the installation steps. For the full install you may be required to stop WMSvc and WAS (from a command line do a net stop wmsvc and net stop was) prior to installing, such as if you have IP Security installed. Note that the patch install may require you to restart your computer. This may be post-poned to a time of your choosing, but the update may not be effective until after a restart.

Where can I download the updated Dynamic IP Restrictions for IIS 7 – Beta or the patch?

Tips for a better experience

Make sure you have the download for the correct architecture and type (x86 or x64, full install or patch)
Back-up your configuration
- Such as by saving a copy of applicationHost.config and administrationHost.config prior to install
Stop WAS and WMSvc before starting the installation (you will have to restart these services after product is installed)
- net stop was
- net stop wmsvc

Why does the install wizard ask to uninstall IP Security?

Installing DIPR beta using the (.msi) wizard will require you to uninstall the IP Security feature if it is installed. It is possible for both features to be installed at the same time, but this does have a performance impact, and it is recommended that only one of the 2 features be installed for this reason. WebPI will not uninstall IP Security when installing DIPR beta because it cannot verify the action with the user, and DIPR beta will not remove an installed feature without the user “OK”. IP Security may be removed after installing DIPR beta, but the IP restriction configuration and settings will be lost, so be conscious of this action.

Do I have to restart my computer?

The patch install may require you to restart your computer whether using WebPI or the .msp directly. If this is inconvenient, the restart may be postponed, but the update may not be effective until after a restart. Recycling WAS or doing an iisreset /restart may have a similar effect. Even if the patch is “actively working,” WebPI will not continue to install other features until after the restart has been completed.

TAP Once for Quality

krolson — Tue, 02 Jun 2009 15:31:37 GMT

Microsoft is home to a number of acronyms, to the point where it is sometimes referred to as TLA (Three-Letter Acronym) land. I am a recent graduate of an acronym program: TAP, which stands for Test Apprentice Program. This program was designed to take non-CS majors with a penchant for breaking things and turn them into qualified software testers.

TAP is a 9-month program where each participant spends half a day in training and the other half working with a team in Microsoft as a test trainee. Over time, each “tapper” picks up coding skills and becomes able to contribute more to the testing effort on their team. By the end of the program, tappers are capable of applying their own unique outside-the-box thinking style toward testing a product with which they are already familiar.

I joined Microsoft and the IIS team as a mechanical engineering graduate of the University of Washington about 10 months ago. TAP was an amazing opportunity for me, as someone who discovered how much they were interested in computer programming when they were already hip-deep in another degree. Not to mention – the job was all about breaking stuff (without the risk of missing fingers)!

From day one, tester training was all about software quality, or just Quality (you could tell it was capitalized from how it was spoken). How do you define it? How can you measure it? The answer is that it all comes down to customer needs and expectations. A person could test that the code works the way that it’s coded, but a good tester will make sure that it works the way the customer wants it to.

The IIS team, and Microsoft in general, is extremely customer focused. We’re driven by questions: what do our customers want? What are they trying to do with IIS or what would they like to do? How can we show them what’s cool and easy with IIS that they might not know about? Customer feedback is treated very seriously, often birthing new features or evolving existing ones.

I’m looking forward to continuing here at Microsoft on the IIS team. It will be a constant challenge to keep learning about what people like and don’t like about IIS, as well as how we can make IIS better. I’d like to use this blog to tell people about interesting things in IIS or Microsoft technology and culture in general.

Welcome to TLA land.