Microsoft IIS Administration on Nano Server

Tuesday, October 11, 2016

One of the driving forces behind the development of the IIS Administration API was Nano Server, a new headless variant of Windows Server 2016. This API allows us to provide a web based management UI. This post will cover the experience of getting IIS Administration up and running on Nano Server.

Enabling IIS

The first step to installing IIS Administration on a Nano machine is to make sure that the server has IIS enabled. We can enable IIS through the use of a package provider. First we must install the package provider, then install IIS, and finally restart the machine. We achieve this with the following PowerShell commands.

# Version of Nano Server used for this demo [<NanoServerIPAddress>]: PS C:\> [System.Environment]::OSVersion # Platform Version # -------- ------- # Win32NT 10.0.14300.0

# https://github.com/OneGet/NanoServerPackage Save-Module -Path 'C:\Program Files\WindowsPowerShell\Modules\' -Name NanoServerPackage -minimumVersion 1.0.1.0 Import-PackageProvider NanoServerPackage Install-NanoServerPackage -Name Microsoft-NanoServer-IIS-Package Start-Service W3SVC

Verify

We can verify that IIS is installed and running on the machine by executing the following command.

Get-Service W3SVC | Select Status # Status # ------ # Running

Enable Dependencies

After we have installed IIS, we can enable the IIS components that IIS Administration depends on.

Pitfall: To avoid an issue with enabling IIS components, ensure that all desired components are enabled before making any modifications to the applicationHost.config file.

# Backup applicationHost.config Copy-Item C:\Windows\System32\inetsrv\config\applicationHost.config C:\Windows\System32\inetsrv\config\applicationHost_BeforeIisAdministration.config # Enable required features Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication" Enable-WindowsOptionalFeature -Online -FeatureName "IIS-URLAuthorization" # Optionally, take the chance to enable all IIS features # Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-" -and $_.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled} | % {Enable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName}

Installing .NET Core

In order to run IIS Administration, the machine must be set up to host .NET Core applications. There is a tutorial for installing .NET Core tailored specifically for Nano Server available at https://docs.asp.net/en/latest/tutorials/nano-server.html#installing-the-asp-net-core-module-ancm. The relevant sections are “Installing the ASP.NET Core Module (ANCM)” and “Installing .NET Core Framework.”

Copying the ASP.NET Core Module

To make copying the ASP.NET Core Module to the Nano Server machine easier, use the Copy-Item command combined with a PowerShell session.

$s = New-PSSession -ComputerName "<NanoServerIPAddress>" -UseSSL -Credential "<hostname>\Administrator" Copy-Item C:\windows\system32\inetsrv\aspnetcore.dll -Destination c:\windows\system32\inetsrv\ -ToSession $s Copy-Item C:\windows\system32\inetsrv\config\schema\aspnetcore_schema.xml -Destination C:\windows\system32\inetsrv\config\schema\ -ToSession $s

Adding .NET Core to Path

At this point .NET Core should be installed on the machine. Next we want to put the dotnet executable on the path so that .NET Core applications can be loaded by IIS without any manual intervention.

Note: Take caution when altering the PATH environment variable. This script stores the old value of the PATH environment variable for safe keeping.

# Assuming dotnet was placed at C:\Program Files\dotnet $env:Path | Out-File "C:\PathBeforeDotNet.txt" setx PATH "$($env:Path);C:\Program Files\dotnet" /m # Restart computer to update path in IIS. Services' environments are not updated until system restart. Restart-Computer –Confirm

Verify

At this stage we should verify that .NET Core has been added to the path correctly. We can do this by executing the following command.

Get-Command 'dotnet' # Application dotnet.exe 1.0.1.4500 C:\Program Files\dotnet\dotnet.exe

Then we can ensure that .NET Core is installed correctly by running the dotnet executable. Below is a snippet of the output of dotnet when executed alone.

dotnet # Microsoft .NET Core Shared Framework Host # Version : 1.0.1 # Build : cee57bf6c981237d80aa1631cfe83cb9ba329f12 # Usage: dotnet [common-options] [[options] path-to-application]

Opening the Firewall for Remote Administration

We want the API to be accessible by remote machines, therefore we need to allow it through the firewall. The default port is 55539 and we can open it up using PowerShell.

New-NetFirewallRule -Name "IIS Administration" -DisplayName "Allow IIS Administration on TCP/55539" -Protocol TCP -LocalPort 55539 -Action Allow -Enabled True

Visual Studio 2015 C++ Redistributable

To install the VS 2015 runtime libraries on Nano Server, install it on a local machine (x64 required) and then copy it over. This process is similar to the ASP.NET Core Module. The VS 2015 x64 C++ redistributable package can be obtained from https://go.microsoft.com/fwlink/?LinkID=827997. If the VS 2015 runtime is not installed, installation of the API will fail when trying to start the service.

First, on the Nano Server machine, check if the VS 2015 runtime is already installed

Write-Host "Visual Studio 2015 C++ Redistributable already installed?" Write-Host "$(Test-Path C:\Windows\System32\vcruntime140.dll)"

If it is not installed, install it on the local machine and copy it over

# $s = New-PSSession -ComputerName "<NanoServerIPAddress>" -UseSSL -Credential "<hostname>\Administrator" Copy-Item C:\Windows\System32\vcruntime140.dll -Destination C:\Windows\System32\ -ToSession $s

Installing the Microsoft IIS Administration API

The API can be obtained as a ZIP archive from https://github.com/Microsoft/IIS.Administration/releases/download/v1.0.36/IIS.Administration.zip. In this format, the API can be installed via a PowerShell script. Run this script to automatically download the archive and extract it to C:\IIS.Adminstration.

Download the Archive

$SourcePath = "https://github.com/Microsoft/IIS.Administration/releases/download/v1.1.1/IIS.Administration.zip" $DestinationPath = "C:\IIS.Administration" $EditionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'EditionID').EditionId if ($EditionId -eq "ServerDataCenterNano") { $TempPath = [System.IO.Path]::GetTempFileName() if (($SourcePath -as [System.URI]).AbsoluteURI -ne $null) { Invoke-WebRequest -Uri $SourcePath -OutFile $TempPath } else { throw "Cannot copy from $SourcePath" } [System.IO.Compression.ZipFile]::ExtractToDirectory($TempPath, $DestinationPath) Remove-Item $TempPath }

Install

Once the archive has been downloaded, assuming the default location was used, you can install the IIS Administration API by running the included setup script.

C:\IIS.Administration\setup\setup.ps1 Install –Verbose

28 Comments

Add-Type : (8) : The type or namespace name 'X509Certificates' does not exist in the namespace 'System.Security.Cryptography' (are you missing an assembly reference?)
(7) : using System.Runtime.InteropServices;
(8) : >>> using System.Security.Cryptography.X509Certificates;
(9) : using System.Text;
At C:\IIS.Administration\setup\netsh.ps1:129 char:9
+ Add-Type $cs
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Exception
+ FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

[System.Environment]::OSVersion
Platform Version
-------- -------
Win32NT 10.0.14393.0

Get-Command 'dotnet'
CommandType Name Version Source
----------- ---- ------- ------
Application dotnet.exe 1.0.1.4500 C:\dotnet\dotnet.exe

dotnet
Microsoft .NET Core Shared Framework Host
Version : 1.0.1
Build : cee57bf6c981237d80aa1631cfe83cb9ba329f12

Pierre - Wednesday, October 12, 2016 2:25:23 PM

@Pierre

Looking into this issue right now.

This issue is affecting the newest release of Nano Server. TP5 does not have this issue.

Jimmyca - Wednesday, October 12, 2016 3:24:37 PM

Now that Nano Server has been officially released, I guess it's better to use build 14393 as the baseline for everything you release.
I managed to solve the problem with the namespace by replacing line 128 in netsh.ps1 with:
Add-Type -ReferencedAssemblies System.Security.Cryptography.X509Certificates.dll,System.Net.dll $cs

I noticed IIS Windows Authentication feature doesn't seem to be enabled because I don't have authsspi.dll in c:\windows\system32\inetsrv.
It should be part of your procedure.
I get an error 0x800f0922 trying to enable it with:
dism /Enable-Feature /online /featurename:IIS-WindowsAuthentication /all

Additionally if you could reach out to the Application Request Routing team and ask them to publish ARR 3.0 as a WSA package, it would be awesome.
All the bits have been published as MSIs which make it impossible to install on Nano Server.

Pierre - Wednesday, October 12, 2016 5:04:10 PM

@Pierre

Great fix getting that to work. I'll be putting a patch into the PowerShell script to prevent that error. Also I will update this post to use the official release instead of TP5.

I have been working on the second error that you mentioned. There were changes in Dism deployment between the TP5 and the GA release that are not yet incorporated into the install script. In TP5, hostable web core was enabled by default. On GA, IIS sub features should be enabled before using hostable web core.

The following will enable all IIS subfeatures. (Requires Nano Server official release).
Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-" -and $_.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled} | % {Enable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName}

Regarding the error code you got. What is your output for the following commands?
Get-Package -ProviderName NanoServerPackage
Get-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"

Jimmy Campbell - Wednesday, October 12, 2016 6:45:03 PM

@Jimmy Campbell

Get-Package -ProviderName NanoServerPackage
Name Version Source ProviderName
---- ------- ------ ------------
Package_for_KB3176936 10.0.1.2 Local Machine NanoServerPackage
Microsoft-Windows-ServerDatacenterNano-LanguagePack-Package 10.0.14393.0 Local Machine NanoServerPackage
Microsoft-Windows-Foundation-Package 10.0.14393.0 Local Machine NanoServerPackage
Microsoft-NanoServer-Guest-Package 10.0.14393.0 Local Machine NanoServerPackage
Microsoft-NanoServer-IIS-Package 10.0.14393.0 Local Machine NanoServerPackage
Package_for_RollupFix 14393.206.1.2 Local Machine NanoServerPackage

Get-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"
FeatureName : IIS-WindowsAuthentication
DisplayName : Windows Authentication
Description : Authenticate clients by using NTLM or Kerberos.
RestartRequired : Possible
State : Disabled
CustomProperties :
ServerComponent\Description : Windows authentication is a low cost authentication solution for internal Web sites. This authentication
scheme allows administrators in a Windows domain to take advantage of the domain infrastructure for authenticating users. Do not use
Windows authentication if users who must be authenticated access your Web site from behind firewalls and proxy servers.
ServerComponent\DisplayName : Windows Authentication
ServerComponent\Id : 164
ServerComponent\Parent : NanoServer-Web-Security
ServerComponent\Type : Feature
ServerComponent\UniqueName : NanoServer-Web-Windows-Auth
ServerComponent\Deploys\Update\Name : IIS-WindowsAuthentication

I've tried running the cmdlet to enable all IIS subfeatures: 3 have installed successfully, 18 have failed with error 0x800f0922.
I must admit I'm stuck on this one.

Pierre - Wednesday, October 12, 2016 9:42:40 PM

@Pierre

Your packages are the correct version which is what I wanted to initially check. The dism error is not one that I have encountered on Nano, but if you are using shared configuration I might investigate whether that is causing an issue.

The blog has been updated for Nano Server GA. Also the download for IIS Administration was patched to fix that setup script bug.

Jimmyca - Thursday, October 13, 2016 12:37:29 AM

@Jimmy Campbell

Not using shared configuration.
This is pretty much a vanilla Nano Server, I only installed the NanoServerPackage package provider and the IIS package.
I performed the update installation then manually installed ASP.NET Core Module and the .NET Core Framework by following the procedure @ https://docs.asp.net/en/latest/tutorials/nano-server.html#installing-the-asp-net-core-module-ancm
I'm going to try to reproduce the issue with a new Nano VM today.

This is everything relevant I've been able to extract from the CBS logs:
2016-10-13 00:28:27, Info CBS FLOW: Enter Installation Stage: Advanced Installer Execution, Current Operation Stage: Installing
2016-10-13 00:28:27, Info CSI 0000001d Begin executing advanced installer phase 38 index 2 (sequence 38)
Old component: [l:0]''
New component: [l:173 ml:174]'Microsoft-Windows-IIS-Nano-WindowsAuthentication-GC, Culture=neutral, Version=10.0.14393.0, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS'
Install mode: install
Smart installer: FALSE
Installer ID: {e3974b8b-fa38-4927-882a-bf78e011a774}
Installer name: 'IIS AdvancedInstaller'
2016-10-13 00:28:27, Info CSI 0000001e Performing 1 operations as follows:
(0) LockComponentPath: flags: 0 comp: {l:16 b:efecc9f3d724d20114000000e0053002} pathid: {l:16 b:efecc9f3d724d20115000000e0053002} path: [l:119]'\SystemRoot\WinSxS\amd64_microsoft-windows-servicingstack-inetsrv_31bf3856ad364e35_10.0.14393.206_none_6f316cca04c0e0d7' pid: 5e0 starttime: 131207848898005026
2016-10-13 00:28:27, Info CSI 0000001f Loading installer DLL from explicit path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack-inetsrv_31bf3856ad364e35_10.0.14393.206_none_6f316cca04c0e0d7\iissetupAI.dll
2016-10-13 00:28:27, Info CSI 00000020 Performing 1 operations as follows:
(0) LockComponentPath: flags: 0 comp: {l:16 b:1a53ccf3d724d20116000000e0053002} pathid: {l:16 b:1a53ccf3d724d20117000000e0053002} path: [l:117]'\SystemRoot\WinSxS\amd64_microsoft-windows-i..wsauthentication-gc_31bf3856ad364e35_10.0.14393.0_none_81a1db7292a82270' pid: 5e0 starttime: 131207848898005026
2016-10-13 00:28:27, Info CSI 00000021@2016/10/12:22:28:27.417 ConfigManager::Initialize failed with error code c0000225 [Error,Facility=(system),Code=549 (0x0225)]

2016-10-13 00:28:27, Info CSI 00000022 Performing 1 operations as follows:
(0) LockComponentPath: flags: 0 comp: {l:16 b:ff3ccff3d724d20118000000e0053002} pathid: {l:16 b:ff3ccff3d724d20119000000e0053002} path: [l:115]'\SystemRoot\WinSxS\x86_microsoft.windows.s..ation.badcomponents_31bf3856ad364e35_10.0.14393.0_none_09e78f632173f4c5' pid: 5e0 starttime: 131207848898005026
2016-10-13 00:28:27, Error [0x01805f] CSI 00000023 (F) Failed execution of queue item Installer: IIS AdvancedInstaller ({e3974b8b-fa38-4927-882a-bf78e011a774}) with HRESULT c0000225 [Error,Facility=(0000),Code=549 (0x0225)]. Failure will not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable[gle=0x80004005]
[...]
2016-10-13 00:29:26, Error [0x01805f] CSI 00000046 (F) Failed execution of queue item Installer: IIS AdvancedInstaller ({e3974b8b-fa38-4927-882a-bf78e011a774}) with HRESULT c0000225 [Error,Facility=(0000),Code=549 (0x0225)]. Failure will be ignored: The failure was encountered during rollback; installer is reliable[gle=0x80004005]
[...]
2016-10-13 00:29:45, Error CBS Exec: An error occurred while committing the transaction, the transaction has been rolled back. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]
[...]
2016-10-13 00:29:45, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]

Pierre - Thursday, October 13, 2016 7:10:44 AM

Same errors as Pierre. I didn't try it till after being patched up to today though. Included are the packages installed if that helps.

Get-WindowsPackage -Online

PackageName : Microsoft-NanoServer-Host-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
PackageState : Installed
ReleaseType : Other
InstallTime : 10/14/2016 11:22:00 PM

PackageName : Microsoft-NanoServer-Host-Package~31bf3856ad364e35~amd64~~10.0.14393.0
PackageState : Installed
ReleaseType : Other
InstallTime : 10/14/2016 11:22:00 PM

PackageName : Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
PackageState : Installed
ReleaseType : Other
InstallTime : 10/14/2016 11:23:00 PM

PackageName : Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~~10.0.14393.0
PackageState : Installed
ReleaseType : Other
InstallTime : 10/14/2016 11:23:00 PM

PackageName : Microsoft-NanoServer-Storage-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
PackageState : Installed
ReleaseType : Other
InstallTime : 10/14/2016 1:20:00 PM

PackageName : Microsoft-NanoServer-Storage-Package~31bf3856ad364e35~amd64~~10.0.14393.0
PackageState : Installed
ReleaseType : Other
InstallTime : 10/14/2016 1:20:00 PM

PackageName : Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.14393.0
PackageState : Installed
ReleaseType : Foundation
InstallTime : 7/16/2016 12:22:00 PM

PackageName : Microsoft-Windows-ServerDatacenterNano-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
PackageState : Installed
ReleaseType : LanguagePack
InstallTime : 7/16/2016 12:27:00 PM

PackageName : Package_for_KB3176936~31bf3856ad364e35~amd64~~10.0.1.2
PackageState : Installed
ReleaseType : Update
InstallTime : 10/14/2016 11:23:00 PM

PackageName : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.206.1.2
PackageState : Superseded
ReleaseType : Update
InstallTime : 10/14/2016 11:29:00 PM

PackageName : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.321.1.5
PackageState : Installed
ReleaseType : SecurityUpdate
InstallTime : 10/14/2016 12:07:00 PM

Michael J. Prentice - Friday, October 14, 2016 2:40:12 PM

I was just able to use a Nano Server VM in Azure to install the API using the steps provided. Were these machines created clean from Nano Server GA images?

Jimmyca - Monday, October 17, 2016 5:29:19 PM

I used the Nano Server VHD available @ https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016

Pierre - Tuesday, October 18, 2016 2:32:31 PM

@ Pierre

Thank you. I just obtained the Nano Server VHD from the link you provided and ran through the setup with the clean installation. Everything was successful on my end.

I know you tried to install on the first day of the post when the instructions were still for TP5. TP5 used a different version of the NanoServerPackage provider. If that version of NanoServerPackage was used to install IIS on your GA machine then I would try restarting from fresh and using the installation steps that were updated for the GA release.

Jimmyca - Tuesday, October 18, 2016 4:56:31 PM

@ Michael J. Prentice

Your errors are also from trying to enable IIS Optional features such as IIS-WindowsAuthentication?

Jimmyca - Tuesday, October 18, 2016 4:59:07 PM

@ Jimmy Campbell

I performed the installation on October 3rd.
I've just checked the version of the NanoServerPackage provider installed on my VM, it's 1.0.0.0 published on 2016-09-24.
There's a new version 1.0.1.0 that was published 1 week ago: https://www.powershellgallery.com/packages/NanoServerPackage/1.0.1.0
I'm going to uninstall the IIS package, update to the new version of NanoServerPackage and try to reinstall IIS.

Remove-WindowsPackage -Online -PackageName "Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0"
Remove-WindowsPackage -Online -PackageName "Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~~10.0.14393.0" (had to restart after that)
Uninstall-Package -Name NanoServerPackage
Save-Module -Path 'C:\Program Files\WindowsPowerShell\Modules\' -Name NanoServerPackage -RequiredVersion 1.0.1.0
Install-Module -Name NanoServerPackage
Install-PackageProvider NanoServerPackage
Set-ExecutionPolicy RemoteSigned -Scope Process
Import-PackageProvider NanoServerPackage
install-NanoServerPackage -Name Microsoft-NanoServer-IIS-Package -culture en-us

Result:
Install-NanoServerPackage : Add-WindowsPackage failed. Error code = 0x8000ffff
I'll declare that VM dead and spin a brand new one.

Pierre - Wednesday, October 19, 2016 2:45:56 PM

@ Jimmy Campbell

Brand new VM based on Nano Server VHD from TechNet, same issue.

Here's the exhaustive list of commands issued:
Save-Module -Path 'C:\Program Files\WindowsPowerShell\Modules\' -Name NanoServerPackage
Install-PackageProvider NanoServerPackage
Set-ExecutionPolicy RemoteSigned -Scope Process
Import-PackageProvider NanoServerPackage
install-NanoServerPackage -Name Microsoft-NanoServer-IIS-Package -culture en-us
net start w3svc
Import-module iisadministration
(at this point I copied aspnetcore.dll and aspnetcore_schema.xml through a SMB share)
$aspNetCoreHandlerFilePath="C:\windows\system32\inetsrv\aspnetcore.dll"
Reset-IISServerManager -confirm:$false
$sm = Get-IISServerManager
$sm.GetApplicationHostConfiguration().RootSectionGroup.Sections.Add("appSettings")
$appHostconfig = $sm.GetApplicationHostConfiguration()
$section = $appHostconfig.GetSection("system.webServer/handlers")
$section.OverrideMode="Allow"
$sectionaspNetCore = $appHostConfig.RootSectionGroup.SectionGroups["system.webServer"].Sections.Add("aspNetCore")
$sectionaspNetCore.OverrideModeDefault = "Allow"
$sm.CommitChanges()
Reset-IISServerManager -confirm:$false
$globalModules = Get-IISConfigSection "system.webServer/globalModules" | Get-IISConfigCollection
New-IISConfigCollectionElement $globalModules -ConfigAttribute @{"name"="AspNetCoreModule";"image"=$aspNetCoreHandlerFilePath}
$modules = Get-IISConfigSection "system.webServer/modules" | Get-IISConfigCollection
New-IISConfigCollectionElement $modules -ConfigAttribute @{"name"="AspNetCoreModule"}
(I unzipped .NET Core Framework to c:\dotnet)
[Environment]::SetEnvironmentVariable("Path", "$($env:Path);C:\dotnet")
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"

Result:
Enable-WindowsOptionalFeature failed. Error code = 0x800f0922

Pierre - Wednesday, October 19, 2016 3:48:26 PM

@Jimmyca Yes, the error happens when trying to Enable IIS-WindowsAuthentication.

My ISO is from the Microsoft Volume Licensing Service Center

Michael J. Prentice - Wednesday, October 19, 2016 9:19:37 PM

@ Pierre

Awesome, that is the holy grail when it comes to reproducing an issue. I am checking this out right now on a refreshed technet vm.

@ Michael J. Prentice

Okay. Thank you for the heads up. The fix should be the same in both of these cases.

Jimmy Campbell - Thursday, October 20, 2016 12:28:25 AM

@ Pierre

Thanks again for the detailed command list. I was able to reproduce this issue. There are signs of a bug in the Enable-WindowsOptionalFeature code path that we will have to investigate. This bug can be avoided if you install all the IIS subfeatures before modifying the applicationHost.config file.

After executing the exact commands that you provided and reproducing the issue, I was able to get it working. I set the handlers section back to the default overridemode of "Inherit", then enabled all IIS sub features, then set it back to "Allow". This is a temporary fix, I will investigate further to see why this is causing the error.

# I Executed the commands provided and was receiving 'Enable-WindowsOptionalFeature failed. Error code = 0x800f0922'

# Reset handlers section to default overridemode
Reset-IISServerManager -confirm:$false
$sm = Get-IISServerManager
$appHostconfig = $sm.GetApplicationHostConfiguration()
$section = $appHostconfig.GetSection("system.webServer/handlers")
$section.OverrideMode="Inherit"
$sm.CommitChanges()

# Enable Windows Authentication
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"

# Enable URL Authorization
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-URLAuthorization"

# Enable every feature
Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-" -and $_.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled} | % {Enable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName}

# Allow handlers override for .NET Core
Reset-IISServerManager -confirm:$false
$sm = Get-IISServerManager
$appHostconfig = $sm.GetApplicationHostConfiguration()
$section = $appHostconfig.GetSection("system.webServer/handlers")
$section.OverrideMode="Allow"
$sm.CommitChanges()

Jimmyca - Thursday, October 20, 2016 1:32:49 AM

@Jimmy Campbell

Congratulations for the fix, it works! Tricky one though.
I had a feeling I should enable the Windows Authentication feature (and URL Authorization) right after installing IIS.
I'm happy to report success with IIS Administration installation, I can eventually manage IIS remotely.
Now it's on to AAR, I need to find a way to install URL Rewrite, External Cache, WebFarm and Request Router.

Thanks again

Pierre - Thursday, October 20, 2016 3:15:05 PM

Thanks for the help with this. We now have an open issue to track it at https://github.com/Microsoft/IIS.Administration/issues/31.

Jimmyca - Friday, October 21, 2016 11:39:41 PM

I always get this error at last step, whether Nano Server has been installed from Microsoft Library or through custom nano server vhd upload.

[10.0.0.7]: PS C:\> C:\IIS.Administration\setup\setup.ps1 Install –Verbose –SkipVerification
VERBOSE: Verifying user is an Administrator
VERBOSE: Ok
VERBOSE: Verifying user is an Administrator
VERBOSE: Ok
Checking installation requirements
VERBOSE: Verifying .NET Core shared framework installed
VERBOSE: Ok
VERBOSE: Verifying AspNet Core Module is installed
VERBOSE: Ok
VERBOSE: Ok
VERBOSE: Checking if port '55539' is available
VERBOSE: Ok
VERBOSE: Verifying that IIS Administrators group does not already exist
Installation Requirements met
VERBOSE: Creating installaton directory C:\Program Files\IIS Administration\1.0.38
Copying files
VERBOSE: Creating new IIS Administration Certificate
VERBOSE: Adding the certificate to trusted store
VERBOSE: Binding Certificate to port 55539 in HTTP.Sys
[SC] CreateService SUCCESS
WARNING: Waiting for service 'Microsoft IIS Administration (Microsoft IIS Administration)' to start...
Rolling back
Rolling back service creation
Rolling back HTTP.Sys port binding
Rolling back setup config creation
Rolling back SSL certificate creation
Rolling back IIS Administrators group creation
Rolling back installation folder creation
Finished rolling back.
C:\IIS.Administration\setup\setup.ps1 : Could not start service
At C:\IIS.Administration\setup\install.ps1:510 char:9
+ throw "Could not start service"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], RuntimeException
+ FullyQualifiedErrorId : System.Management.Automation.RuntimeException,setup.ps1

Firoz - Wednesday, February 8, 2017 12:18:51 AM

Hello Firoz,

The first step to figuring out what the cause could be here is seeing the current state of IIS on the machine.

Can you run the following:
Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-"}

Also, would you mind opening this up as an issue on github at https://github.com/Microsoft/IIS.Administration/issues ?

jimmyca - Wednesday, February 8, 2017 2:28:11 AM

Hi Jimmyca,

It seems WindowsAuthentication was not installed properly. Ran the following command with out –SkipVerification flag.

C:\IIS.Administration\setup\setup.ps1 Install –Verbose –SkipVerification

Error was regarding IIS Windows Authentication. Uninstalled and reinstalled IIS Windows Authentication and then did IIS Administration install with following command and it was successful.

C:\IIS.Administration\setup\setup.ps1 Install –Verbose –SkipVerification

Firoz - Wednesday, February 8, 2017 7:03:31 PM

I installed these tools, but I cannot access the administration pages on my Nano Server install. Microsoft Edge gives me an 'INET_E_DOWNLOAD_FAILURE' after I enter my credentials. I already have a site up and running on this server, but I also have problems connecting to it using HTTPS. Any guess at what the problem might be?

Thanks!

Andrew - Thursday, July 6, 2017 1:35:47 AM

@Andrew

Which version of the iis administration api and .net core did you install on the machine? Also feel free to file an issue at https://github.com/microsoft/iis.administration to track the issue.

jimmyca - Saturday, July 8, 2017 3:04:59 AM

In case something was wrong with my Nano Server install, I actually spun up a Server Core installation (2016 Standard) in another Hyper-V VM and tried it again. It solved the problem I was having with HTTPS for the main site (I was able to actually use the old IIS Manager to configure it), but I'm still getting 'INET_E_DOWNLOAD_FAILURE' with version 2.0.0 of the IIS Administration API when attempting to connect to it locally on port 55539. On this Server Core VM, I installed the API using the .exe, so it's running .NET Core 1.0.5.

Thanks again!

Andrew - Saturday, July 8, 2017 3:33:32 AM

@Andrew

Did you try using a different browser such as chrome or firefox?

And you said you are trying to connect to localhost on server core using https://localhost:55539 correct?

One thing worth mentioning is that the Iis.administration api requires windows authentication by default and in a fresh installation the only user allowed access is the one who installed it. If you are connecting to the api under a different windows identity than the installing user you will need to grant the new user access in the appsettings file. This is detailed in the documentation at https://docs.microsoft.com/iis-administration in the configuration tab. I wouldn't expect that to cause the inet_e_download_failure you mentioned but it could be the cause.

If there is an error in the api it will show up in the log files at c:/program files/iis administration/logs

The verbosity of these logs can be increased through the appsettings.json (c:/program files/iis administration/2.0.0/microsoft.iis.administration/config/appsrttings.json) file by changing the "log_level" property to a value of "information".

jimmyca - Saturday, July 8, 2017 9:51:13 PM

The IIS Administration API seems to be working on my Server Core installation for localhost connections only. I downloaded Chrome and installed it on the IIS server, and from there I was able to generate a key and enter the administration pages. Previously, when I said I was connecting to it locally, I meant from a browser (I tried both Edge and Chrome) on a different machine on the same LAN subnet. There is no firewall blocking port 55539.

The problem persists when attempting to log on remotely, however. I modified the logging behavior you mentioned, and when I access the log right after trying to connect, it reads:

2017-07-09 18:00:58.407 -04:00 [Information] Request starting HTTP/1.1 GET https://LOCAL_IP_ADDRESS:55539/
2017-07-09 18:00:58.407 -04:00 [Information] Request finished in 0.4649ms 401

So it's sending me HTTP 401 'Unauthorized'. I tried entering my credentials as both 'Administrator' and 'DOMAIN\Administrator' and then the password. 'DOMAIN\Administrator' is the user name I was logged on with when I installed the IIS Administration API. The Windows Authentication IIS module is installed.

Andrew - Sunday, July 9, 2017 10:15:44 PM

@Andrew,

The 401 status code means that the Windows Credentials were invalid or were unauthorized. The entry in the appsettings.json should have '{COMPUTER NAME}\Administrator' if you are trying to log on remotely with the built in administrator account. Then when the browser prompts for Windows Credentials the username can be set as '.\Administrator' and password would be the password for the account.

Here is an example setup of a computer with the name 'MyWorkComp' that I set up to allow connections from the Administrator account that comes by default on the machine. I also set it up to allow myself to enter by placing 'MyWorkDomain\\jimmyca'.

If I was going to log on with the jimmyca account I would put 'MyWorkDomain\jimmyca' as the username in the prompt in the browser.

"security": {
"require_windows_authentication": true,
"users": {
"administrators": [
"MyWorkComp\\Administrator",
"MyWorkDomain\\jimmyca"
],
"owners": [
"MyWorkComp\\Administrator"
]
},
"access_policy": {
"api": {
"users": "administrators",
"access_key": true
},
"api_keys": {
"users": "administrators",
"access_key": false
},
"system": {
"users": "owners",
"access_key": true
}
}
}

The Windows Authentication IIS module is not needed.

jimmyca - Tuesday, July 11, 2017 1:28:01 AM

Comments have been disabled for this content.