Workaround: Running ASP.NET 1.1 on Vista SP2/WS08 SP2

wonyoo — Thu, 18 Jun 2009 22:01:00 GMT

Many of you have probably read the article on how to install ASP.NET 1.1 on IIS7 on Vista and WS08 (The article can be found at http://learn.iis.net/page.aspx/472/how-to-install-aspnet-11-with-iis7-on-vista-and-windows-2008/).

While above works great on Vista/Vista SP1/WS08 RTM, if you try to run ASP.NET 1.1 on Vista SP2/WS08 SP2, you may have experienced the following error if you are on a 64-bit OS:

There was an error while performing this operation.

Details:

Filename:
\\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Error:

Here is the problem.

In order to support .NET 4.0 Framework, IIS team has released a hotfix (http://support.microsoft.com/kb/958854) which is also included in SP2. At the root of the problem is that this hotfix allows the IIS runtime to read the correct version of .NET Framework configuration based on the .NET Framework version that is associated with the application pool. For example:

.NET Framework version 1.1: the config location is %windir%\Microsoft.NET\Framework\v1.1.4322\CONFIG
.NET Framework version 2.0: the config location is %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG
.NET Framework version 4.0: the config location is %windir%\Microsoft.NET\Framework\v4.0.nnnnn\CONFIG

The problem is that when the runtime tries to load the corresponding configuration, it doesn't take the bitness of the application pool into the consideration. As you know, ASP.NET 1.1 is only supported on 32-bit. So if you have a 64-bit OS, in order to run ASP.NET 1.1, you have to enable 32-bit applications in the application pool. So, with the QFE/SP2 on 64-bit OS (and only on 64-bit OS), the runtime is incorrectly looking for the 1.1 version of the configuration under Framework64, which does not exist.

Workaround:

Create the Framework64 directory for 1.1
md \windows\microsoft.net\framework64\v1.1.4322\config\
Copy the 32bit config to 64bit config location created in step 1.
copy \windows\microsoft.net\framework\v1.1.4322\config\machine.config \windows\microsoft.net\framework64\v1.1.4322\config\

In the spirit of full disclosure, without the hotfix/SP2, the behavior was still incorrect on Vista/Vista SP1/WS08 RTM in that the runtime was alreays reading the 2.0 configuration although the application pool is configured to use .NET 1.1. (Because the runtime was always reading the 2.0 config regardless of the .NET Framework version that is associated with the application pool. This was the bug that hotfix/SP2 tried to address as part of supporting .NET 4.0, but it didn't quite consider the fact that ASP.NET 1.1 is only available in 32-bit.) This bug in Vista/Vista SP1/WS08 RTM may not have been too obvious to those running ASP.NET 1.1 on 64-bit Vista/Vista SP1/WS08 RTM unless you have significant/specific settings/differences between 1.1 and 2.0 configurations.

Section level encryption of ASP.NET settings in IIS 7

wonyoo — Thu, 10 Jan 2008 06:31:00 GMT

As you know, ASP.NET supports section level encryption for protecting its configuration. It supports both RSA, which is default, and DPAPI out of the box and it also provides a way to use a custom protection provider. (Click here for more information on using RSA. Click here for DPAPI.) The most commonly encrypted sections are appSettings, connectionStrings, identity and sesstionState.

While the initial encryption is done using the aspnet_regiis.exe, once the sections are encrypted, IIS 6 inetmgr allowed the users to view the encrypted settings in clear text (ie. the UI decrypted the sections) and it also allowed the users to edit the values and saved the settings encrypted (ie. the UI re-encrypted the sections).

Unfortunately, in IIS 7, the inetmgr does not know how to handle encrypted sections for ASP.NET settings. It is important to note that the section level encryption is still supported and it is as secure as it was in IIS 6. It is just that the manageability of the encrypted sections is not supported in the IIS 7 inetmgr. If the connection string section is encrypted in configuration, the user will see the following error when clicking on the connection string icon in IIS 7 inetmgr:

There was an error while performing this operation.
Details:
Filename: <path to configuration file>
Line number: <line number>
Error: Configuration section encryption is not supported

This was a consious design decision in IIS 7.

I still recommend the users to encrypt and secure the ASP.NET settings that they find sensitive. However, in order to view the values and/or update them, the users will first have to manually decrypt the sections using aspnet_regiis.exe, edit the file, and again re-encrypt the sections using aspnet_regiis.exe. The steps to encrypt and decrypt the sections using RSA and DPAPI are provided in the links above.

Won Yoo's Blog : ASP.NET

Workaround: Running ASP.NET 1.1 on Vista SP2/WS08 SP2

Section level encryption of ASP.NET settings in IIS 7