Microsoft IIS Administration on Nano Server

One of the driving forces behind the development of the IIS Administration API was Nano Server, a new headless variant of Windows Server 2016. This API allows us to provide a web based management UI. This post will cover the experience of getting IIS Administration up and running on Nano Server.

Enabling IIS

The first step to installing IIS Administration on a Nano machine is to make sure that the server has IIS enabled. We can enable IIS through the use of a package provider. First we must install the package provider, then install IIS, and finally restart the machine. We achieve this with the following PowerShell commands.

# Version of Nano Server used for this demo
[<NanoServerIPAddress>]: PS C:\> [System.Environment]::OSVersion
# Platform Version
# -------- -------
#   Win32NT 10.0.14300.0

Save-Module -Path 'C:\Program Files\WindowsPowerShell\Modules\' -Name NanoServerPackage -minimumVersion
Import-PackageProvider NanoServerPackage
Install-NanoServerPackage -Name Microsoft-NanoServer-IIS-Package
Start-Service W3SVC


We can verify that IIS is installed and running on the machine by executing the following command.

Get-Service W3SVC | Select Status
# Status
# ------
# Running

Enable Dependencies

After we have installed IIS, we can enable the IIS components that IIS Administration depends on.

Pitfall: To avoid an issue with enabling IIS components, ensure that all desired components are enabled before making any modifications to the applicationHost.config file.

# Backup applicationHost.config
Copy-Item C:\Windows\System32\inetsrv\config\applicationHost.config C:\Windows\System32\inetsrv\config\applicationHost_BeforeIisAdministration.config
# Enable required features
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"
Enable-WindowsOptionalFeature -Online -FeatureName "IIS-URLAuthorization"
# Optionally, take the chance to enable all IIS features
# Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-" -and $_.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled} | % {Enable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName}

Installing .NET Core

In order to run IIS Administration, the machine must be set up to host .NET Core applications. There is a tutorial for installing .NET Core tailored specifically for Nano Server available at The relevant sections are “Installing the ASP.NET Core Module (ANCM)” and “Installing .NET Core Framework.”

Copying the ASP.NET Core Module

To make copying the ASP.NET Core Module to the Nano Server machine easier, use the Copy-Item command combined with a PowerShell session.

$s = New-PSSession -ComputerName "<NanoServerIPAddress>" -UseSSL -Credential "<hostname>\Administrator"
Copy-Item C:\windows\system32\inetsrv\aspnetcore.dll -Destination c:\windows\system32\inetsrv\ -ToSession $s
Copy-Item C:\windows\system32\inetsrv\config\schema\aspnetcore_schema.xml -Destination C:\windows\system32\inetsrv\config\schema\ -ToSession $s

Adding .NET Core to Path

At this point .NET Core should be installed on the machine. Next we want to put the dotnet executable on the path so that .NET Core applications can be loaded by IIS without any manual intervention.

Note: Take caution when altering the PATH environment variable. This script stores the old value of the PATH environment variable for safe keeping.

# Assuming dotnet was placed at C:\Program Files\dotnet
$env:Path | Out-File "C:\PathBeforeDotNet.txt"
setx PATH "$($env:Path);C:\Program Files\dotnet" /m
# Restart computer to update path in IIS. Services' environments are not updated until system restart.
Restart-Computer –Confirm


At this stage we should verify that .NET Core has been added to the path correctly. We can do this by executing the following command.

Get-Command 'dotnet'
# Application  dotnet.exe  C:\Program Files\dotnet\dotnet.exe

Then we can ensure that .NET Core is installed correctly by running the dotnet executable. Below is a snippet of the output of dotnet when executed alone.

# Microsoft .NET Core Shared Framework Host
#   Version  : 1.0.1
#   Build    : cee57bf6c981237d80aa1631cfe83cb9ba329f12
# Usage: dotnet [common-options] [[options] path-to-application]

Opening the Firewall for Remote Administration

We want the API to be accessible by remote machines, therefore we need to allow it through the firewall. The default port is 55539 and we can open it up using PowerShell.

New-NetFirewallRule -Name "IIS Administration" -DisplayName "Allow IIS Administration on TCP/55539" -Protocol TCP -LocalPort 55539 -Action Allow -Enabled True

Visual Studio 2015 C++ Redistributable

To install the VS 2015 runtime libraries on Nano Server, install it on a local machine (x64 required) and then copy it over. This process is similar to the ASP.NET Core Module. The VS 2015 x64 C++ redistributable package can be obtained from If the VS 2015 runtime is not installed, installation of the API will fail when trying to start the service.

First, on the Nano Server machine, check if the VS 2015 runtime is already installed

Write-Host "Visual Studio 2015 C++ Redistributable already installed?"
Write-Host "$(Test-Path C:\Windows\System32\vcruntime140.dll)"

If it is not installed, install it on the local machine and copy it over

# $s = New-PSSession -ComputerName "<NanoServerIPAddress>" -UseSSL -Credential "<hostname>\Administrator"
Copy-Item C:\Windows\System32\vcruntime140.dll -Destination C:\Windows\System32\ -ToSession $s

Installing the Microsoft IIS Administration API

The API can be obtained as a ZIP archive from In this format, the API can be installed via a PowerShell script. Run this script to automatically download the archive and extract it to C:\IIS.Adminstration.

Download the Archive

$SourcePath = ""
$DestinationPath = "C:\IIS.Administration"
$EditionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'EditionID').EditionId
if ($EditionId -eq "ServerDataCenterNano") {
      $TempPath = [System.IO.Path]::GetTempFileName()
      if (($SourcePath -as [System.URI]).AbsoluteURI -ne $null) {
          Invoke-WebRequest -Uri $SourcePath -OutFile $TempPath
      else {
          throw "Cannot copy from $SourcePath"
      [System.IO.Compression.ZipFile]::ExtractToDirectory($TempPath, $DestinationPath)
      Remove-Item $TempPath


Once the archive has been downloaded, assuming the default location was used, you can install the IIS Administration API by running the included setup script.

C:\IIS.Administration\setup\setup.ps1 Install –Verbose


  • Add-Type : (8) : The type or namespace name 'X509Certificates' does not exist in the namespace 'System.Security.Cryptography' (are you missing an assembly reference?)
    (7) : using System.Runtime.InteropServices;
    (8) : >>> using System.Security.Cryptography.X509Certificates;
    (9) : using System.Text;
    At C:\IIS.Administration\setup\netsh.ps1:129 char:9
    + Add-Type $cs
    + ~~~~~~~~~~~~
    + CategoryInfo : InvalidData: (Microsoft.Power...peCompilerError:AddTypeCompilerError) [Add-Type], Exception
    + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands.AddTypeCommand

    Platform Version
    -------- -------
    Win32NT 10.0.14393.0

    Get-Command 'dotnet'
    CommandType Name Version Source
    ----------- ---- ------- ------
    Application dotnet.exe C:\dotnet\dotnet.exe

    Microsoft .NET Core Shared Framework Host
    Version : 1.0.1
    Build : cee57bf6c981237d80aa1631cfe83cb9ba329f12

  • @Pierre

    Looking into this issue right now.

    This issue is affecting the newest release of Nano Server. TP5 does not have this issue.

  • Now that Nano Server has been officially released, I guess it's better to use build 14393 as the baseline for everything you release.
    I managed to solve the problem with the namespace by replacing line 128 in netsh.ps1 with:
    Add-Type -ReferencedAssemblies System.Security.Cryptography.X509Certificates.dll,System.Net.dll $cs

    I noticed IIS Windows Authentication feature doesn't seem to be enabled because I don't have authsspi.dll in c:\windows\system32\inetsrv.
    It should be part of your procedure.
    I get an error 0x800f0922 trying to enable it with:
    dism /Enable-Feature /online /featurename:IIS-WindowsAuthentication /all

    Additionally if you could reach out to the Application Request Routing team and ask them to publish ARR 3.0 as a WSA package, it would be awesome.
    All the bits have been published as MSIs which make it impossible to install on Nano Server.

  • @Pierre

    Great fix getting that to work. I'll be putting a patch into the PowerShell script to prevent that error. Also I will update this post to use the official release instead of TP5.

    I have been working on the second error that you mentioned. There were changes in Dism deployment between the TP5 and the GA release that are not yet incorporated into the install script. In TP5, hostable web core was enabled by default. On GA, IIS sub features should be enabled before using hostable web core.

    The following will enable all IIS subfeatures. (Requires Nano Server official release).
    Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-" -and $_.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled} | % {Enable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName}

    Regarding the error code you got. What is your output for the following commands?
    Get-Package -ProviderName NanoServerPackage
    Get-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"

  • @Jimmy Campbell

    Get-Package -ProviderName NanoServerPackage
    Name Version Source ProviderName
    ---- ------- ------ ------------
    Package_for_KB3176936 Local Machine NanoServerPackage
    Microsoft-Windows-ServerDatacenterNano-LanguagePack-Package 10.0.14393.0 Local Machine NanoServerPackage
    Microsoft-Windows-Foundation-Package 10.0.14393.0 Local Machine NanoServerPackage
    Microsoft-NanoServer-Guest-Package 10.0.14393.0 Local Machine NanoServerPackage
    Microsoft-NanoServer-IIS-Package 10.0.14393.0 Local Machine NanoServerPackage
    Package_for_RollupFix 14393.206.1.2 Local Machine NanoServerPackage

    Get-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"
    FeatureName : IIS-WindowsAuthentication
    DisplayName : Windows Authentication
    Description : Authenticate clients by using NTLM or Kerberos.
    RestartRequired : Possible
    State : Disabled
    CustomProperties :
    ServerComponent\Description : Windows authentication is a low cost authentication solution for internal Web sites. This authentication
    scheme allows administrators in a Windows domain to take advantage of the domain infrastructure for authenticating users. Do not use
    Windows authentication if users who must be authenticated access your Web site from behind firewalls and proxy servers.
    ServerComponent\DisplayName : Windows Authentication
    ServerComponent\Id : 164
    ServerComponent\Parent : NanoServer-Web-Security
    ServerComponent\Type : Feature
    ServerComponent\UniqueName : NanoServer-Web-Windows-Auth
    ServerComponent\Deploys\Update\Name : IIS-WindowsAuthentication

    I've tried running the cmdlet to enable all IIS subfeatures: 3 have installed successfully, 18 have failed with error 0x800f0922.
    I must admit I'm stuck on this one.

  • @Pierre

    Your packages are the correct version which is what I wanted to initially check. The dism error is not one that I have encountered on Nano, but if you are using shared configuration I might investigate whether that is causing an issue.

    The blog has been updated for Nano Server GA. Also the download for IIS Administration was patched to fix that setup script bug.

  • @Jimmy Campbell

    Not using shared configuration.
    This is pretty much a vanilla Nano Server, I only installed the NanoServerPackage package provider and the IIS package.
    I performed the update installation then manually installed ASP.NET Core Module and the .NET Core Framework by following the procedure @
    I'm going to try to reproduce the issue with a new Nano VM today.

    This is everything relevant I've been able to extract from the CBS logs:
    2016-10-13 00:28:27, Info CBS FLOW: Enter Installation Stage: Advanced Installer Execution, Current Operation Stage: Installing
    2016-10-13 00:28:27, Info CSI 0000001d Begin executing advanced installer phase 38 index 2 (sequence 38)
    Old component: [l:0]''
    New component: [l:173 ml:174]'Microsoft-Windows-IIS-Nano-WindowsAuthentication-GC, Culture=neutral, Version=10.0.14393.0, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS'
    Install mode: install
    Smart installer: FALSE
    Installer ID: {e3974b8b-fa38-4927-882a-bf78e011a774}
    Installer name: 'IIS AdvancedInstaller'
    2016-10-13 00:28:27, Info CSI 0000001e Performing 1 operations as follows:
    (0) LockComponentPath: flags: 0 comp: {l:16 b:efecc9f3d724d20114000000e0053002} pathid: {l:16 b:efecc9f3d724d20115000000e0053002} path: [l:119]'\SystemRoot\WinSxS\amd64_microsoft-windows-servicingstack-inetsrv_31bf3856ad364e35_10.0.14393.206_none_6f316cca04c0e0d7' pid: 5e0 starttime: 131207848898005026
    2016-10-13 00:28:27, Info CSI 0000001f Loading installer DLL from explicit path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack-inetsrv_31bf3856ad364e35_10.0.14393.206_none_6f316cca04c0e0d7\iissetupAI.dll
    2016-10-13 00:28:27, Info CSI 00000020 Performing 1 operations as follows:
    (0) LockComponentPath: flags: 0 comp: {l:16 b:1a53ccf3d724d20116000000e0053002} pathid: {l:16 b:1a53ccf3d724d20117000000e0053002} path: [l:117]'\SystemRoot\WinSxS\amd64_microsoft-windows-i..wsauthentication-gc_31bf3856ad364e35_10.0.14393.0_none_81a1db7292a82270' pid: 5e0 starttime: 131207848898005026
    2016-10-13 00:28:27, Info CSI 00000021@2016/10/12:22:28:27.417 ConfigManager::Initialize failed with error code c0000225 [Error,Facility=(system),Code=549 (0x0225)]

    2016-10-13 00:28:27, Info CSI 00000022 Performing 1 operations as follows:
    (0) LockComponentPath: flags: 0 comp: {l:16 b:ff3ccff3d724d20118000000e0053002} pathid: {l:16 b:ff3ccff3d724d20119000000e0053002} path: [l:115]'\SystemRoot\WinSxS\' pid: 5e0 starttime: 131207848898005026
    2016-10-13 00:28:27, Error [0x01805f] CSI 00000023 (F) Failed execution of queue item Installer: IIS AdvancedInstaller ({e3974b8b-fa38-4927-882a-bf78e011a774}) with HRESULT c0000225 [Error,Facility=(0000),Code=549 (0x0225)]. Failure will not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable[gle=0x80004005]
    2016-10-13 00:29:26, Error [0x01805f] CSI 00000046 (F) Failed execution of queue item Installer: IIS AdvancedInstaller ({e3974b8b-fa38-4927-882a-bf78e011a774}) with HRESULT c0000225 [Error,Facility=(0000),Code=549 (0x0225)]. Failure will be ignored: The failure was encountered during rollback; installer is reliable[gle=0x80004005]
    2016-10-13 00:29:45, Error CBS Exec: An error occurred while committing the transaction, the transaction has been rolled back. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]
    2016-10-13 00:29:45, Error CBS Failed to process single phase execution. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]

  • Same errors as Pierre. I didn't try it till after being patched up to today though. Included are the packages installed if that helps.

    Get-WindowsPackage -Online

    PackageName : Microsoft-NanoServer-Host-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
    PackageState : Installed
    ReleaseType : Other
    InstallTime : 10/14/2016 11:22:00 PM

    PackageName : Microsoft-NanoServer-Host-Package~31bf3856ad364e35~amd64~~10.0.14393.0
    PackageState : Installed
    ReleaseType : Other
    InstallTime : 10/14/2016 11:22:00 PM

    PackageName : Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
    PackageState : Installed
    ReleaseType : Other
    InstallTime : 10/14/2016 11:23:00 PM

    PackageName : Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~~10.0.14393.0
    PackageState : Installed
    ReleaseType : Other
    InstallTime : 10/14/2016 11:23:00 PM

    PackageName : Microsoft-NanoServer-Storage-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
    PackageState : Installed
    ReleaseType : Other
    InstallTime : 10/14/2016 1:20:00 PM

    PackageName : Microsoft-NanoServer-Storage-Package~31bf3856ad364e35~amd64~~10.0.14393.0
    PackageState : Installed
    ReleaseType : Other
    InstallTime : 10/14/2016 1:20:00 PM

    PackageName : Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.14393.0
    PackageState : Installed
    ReleaseType : Foundation
    InstallTime : 7/16/2016 12:22:00 PM

    PackageName : Microsoft-Windows-ServerDatacenterNano-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0
    PackageState : Installed
    ReleaseType : LanguagePack
    InstallTime : 7/16/2016 12:27:00 PM

    PackageName : Package_for_KB3176936~31bf3856ad364e35~amd64~~
    PackageState : Installed
    ReleaseType : Update
    InstallTime : 10/14/2016 11:23:00 PM

    PackageName : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.206.1.2
    PackageState : Superseded
    ReleaseType : Update
    InstallTime : 10/14/2016 11:29:00 PM

    PackageName : Package_for_RollupFix~31bf3856ad364e35~amd64~~14393.321.1.5
    PackageState : Installed
    ReleaseType : SecurityUpdate
    InstallTime : 10/14/2016 12:07:00 PM

  • I was just able to use a Nano Server VM in Azure to install the API using the steps provided. Were these machines created clean from Nano Server GA images?

  • I used the Nano Server VHD available @

  • @ Pierre

    Thank you. I just obtained the Nano Server VHD from the link you provided and ran through the setup with the clean installation. Everything was successful on my end.

    I know you tried to install on the first day of the post when the instructions were still for TP5. TP5 used a different version of the NanoServerPackage provider. If that version of NanoServerPackage was used to install IIS on your GA machine then I would try restarting from fresh and using the installation steps that were updated for the GA release.

  • @ Michael J. Prentice

    Your errors are also from trying to enable IIS Optional features such as IIS-WindowsAuthentication?

  • @ Jimmy Campbell

    I performed the installation on October 3rd.
    I've just checked the version of the NanoServerPackage provider installed on my VM, it's published on 2016-09-24.
    There's a new version that was published 1 week ago:
    I'm going to uninstall the IIS package, update to the new version of NanoServerPackage and try to reinstall IIS.

    Remove-WindowsPackage -Online -PackageName "Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0"
    Remove-WindowsPackage -Online -PackageName "Microsoft-NanoServer-IIS-Package~31bf3856ad364e35~amd64~~10.0.14393.0" (had to restart after that)
    Uninstall-Package -Name NanoServerPackage
    Save-Module -Path 'C:\Program Files\WindowsPowerShell\Modules\' -Name NanoServerPackage -RequiredVersion
    Install-Module -Name NanoServerPackage
    Install-PackageProvider NanoServerPackage
    Set-ExecutionPolicy RemoteSigned -Scope Process
    Import-PackageProvider NanoServerPackage
    install-NanoServerPackage -Name Microsoft-NanoServer-IIS-Package -culture en-us

    Install-NanoServerPackage : Add-WindowsPackage failed. Error code = 0x8000ffff
    I'll declare that VM dead and spin a brand new one.

  • @ Jimmy Campbell

    Brand new VM based on Nano Server VHD from TechNet, same issue.

    Here's the exhaustive list of commands issued:
    Save-Module -Path 'C:\Program Files\WindowsPowerShell\Modules\' -Name NanoServerPackage
    Install-PackageProvider NanoServerPackage
    Set-ExecutionPolicy RemoteSigned -Scope Process
    Import-PackageProvider NanoServerPackage
    install-NanoServerPackage -Name Microsoft-NanoServer-IIS-Package -culture en-us
    net start w3svc
    Import-module iisadministration
    (at this point I copied aspnetcore.dll and aspnetcore_schema.xml through a SMB share)
    Reset-IISServerManager -confirm:$false
    $sm = Get-IISServerManager
    $appHostconfig = $sm.GetApplicationHostConfiguration()
    $section = $appHostconfig.GetSection("system.webServer/handlers")
    $sectionaspNetCore = $appHostConfig.RootSectionGroup.SectionGroups["system.webServer"].Sections.Add("aspNetCore")
    $sectionaspNetCore.OverrideModeDefault = "Allow"
    Reset-IISServerManager -confirm:$false
    $globalModules = Get-IISConfigSection "system.webServer/globalModules" | Get-IISConfigCollection
    New-IISConfigCollectionElement $globalModules -ConfigAttribute @{"name"="AspNetCoreModule";"image"=$aspNetCoreHandlerFilePath}
    $modules = Get-IISConfigSection "system.webServer/modules" | Get-IISConfigCollection
    New-IISConfigCollectionElement $modules -ConfigAttribute @{"name"="AspNetCoreModule"}
    (I unzipped .NET Core Framework to c:\dotnet)
    [Environment]::SetEnvironmentVariable("Path", "$($env:Path);C:\dotnet")
    Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"

    Enable-WindowsOptionalFeature failed. Error code = 0x800f0922

  • @Jimmyca Yes, the error happens when trying to Enable IIS-WindowsAuthentication.

    My ISO is from the Microsoft Volume Licensing Service Center

  • @ Pierre

    Awesome, that is the holy grail when it comes to reproducing an issue. I am checking this out right now on a refreshed technet vm.

    @ Michael J. Prentice

    Okay. Thank you for the heads up. The fix should be the same in both of these cases.

  • @ Pierre

    Thanks again for the detailed command list. I was able to reproduce this issue. There are signs of a bug in the Enable-WindowsOptionalFeature code path that we will have to investigate. This bug can be avoided if you install all the IIS subfeatures before modifying the applicationHost.config file.

    After executing the exact commands that you provided and reproducing the issue, I was able to get it working. I set the handlers section back to the default overridemode of "Inherit", then enabled all IIS sub features, then set it back to "Allow". This is a temporary fix, I will investigate further to see why this is causing the error.

    # I Executed the commands provided and was receiving 'Enable-WindowsOptionalFeature failed. Error code = 0x800f0922'

    # Reset handlers section to default overridemode
    Reset-IISServerManager -confirm:$false
    $sm = Get-IISServerManager
    $appHostconfig = $sm.GetApplicationHostConfiguration()
    $section = $appHostconfig.GetSection("system.webServer/handlers")

    # Enable Windows Authentication
    Enable-WindowsOptionalFeature -Online -FeatureName "IIS-WindowsAuthentication"

    # Enable URL Authorization
    Enable-WindowsOptionalFeature -Online -FeatureName "IIS-URLAuthorization"

    # Enable every feature
    Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-" -and $_.State -eq [Microsoft.Dism.Commands.FeatureState]::Disabled} | % {Enable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName}

    # Allow handlers override for .NET Core
    Reset-IISServerManager -confirm:$false
    $sm = Get-IISServerManager
    $appHostconfig = $sm.GetApplicationHostConfiguration()
    $section = $appHostconfig.GetSection("system.webServer/handlers")

  • @Jimmy Campbell

    Congratulations for the fix, it works! Tricky one though.
    I had a feeling I should enable the Windows Authentication feature (and URL Authorization) right after installing IIS.
    I'm happy to report success with IIS Administration installation, I can eventually manage IIS remotely.
    Now it's on to AAR, I need to find a way to install URL Rewrite, External Cache, WebFarm and Request Router.

    Thanks again

  • Thanks for the help with this. We now have an open issue to track it at

  • I always get this error at last step, whether Nano Server has been installed from Microsoft Library or through custom nano server vhd upload.

    []: PS C:\> C:\IIS.Administration\setup\setup.ps1 Install –Verbose –SkipVerification
    VERBOSE: Verifying user is an Administrator
    VERBOSE: Verifying user is an Administrator
    Checking installation requirements
    VERBOSE: Verifying .NET Core shared framework installed
    VERBOSE: Verifying AspNet Core Module is installed
    VERBOSE: Checking if port '55539' is available
    VERBOSE: Verifying that IIS Administrators group does not already exist
    Installation Requirements met
    VERBOSE: Creating installaton directory C:\Program Files\IIS Administration\1.0.38
    Copying files
    VERBOSE: Creating new IIS Administration Certificate
    VERBOSE: Adding the certificate to trusted store
    VERBOSE: Binding Certificate to port 55539 in HTTP.Sys
    [SC] CreateService SUCCESS
    WARNING: Waiting for service 'Microsoft IIS Administration (Microsoft IIS Administration)' to start...
    Rolling back
    Rolling back service creation
    Rolling back HTTP.Sys port binding
    Rolling back setup config creation
    Rolling back SSL certificate creation
    Rolling back IIS Administrators group creation
    Rolling back installation folder creation
    Finished rolling back.
    C:\IIS.Administration\setup\setup.ps1 : Could not start service
    At C:\IIS.Administration\setup\install.ps1:510 char:9
    + throw "Could not start service"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], RuntimeException
    + FullyQualifiedErrorId : System.Management.Automation.RuntimeException,setup.ps1

  • Hello Firoz,

    The first step to figuring out what the cause could be here is seeing the current state of IIS on the machine.

    Can you run the following:
    Get-WindowsOptionalFeature -Online | where {$_.FeatureName -match "IIS-"}

    Also, would you mind opening this up as an issue on github at ?

  • Hi Jimmyca,

    It seems WindowsAuthentication was not installed properly. Ran the following command with out –SkipVerification flag.

    C:\IIS.Administration\setup\setup.ps1 Install –Verbose –SkipVerification

    Error was regarding IIS Windows Authentication. Uninstalled and reinstalled IIS Windows Authentication and then did IIS Administration install with following command and it was successful.

    C:\IIS.Administration\setup\setup.ps1 Install –Verbose –SkipVerification

  • I installed these tools, but I cannot access the administration pages on my Nano Server install. Microsoft Edge gives me an 'INET_E_DOWNLOAD_FAILURE' after I enter my credentials. I already have a site up and running on this server, but I also have problems connecting to it using HTTPS. Any guess at what the problem might be?


  • @Andrew

    Which version of the iis administration api and .net core did you install on the machine? Also feel free to file an issue at to track the issue.

  • In case something was wrong with my Nano Server install, I actually spun up a Server Core installation (2016 Standard) in another Hyper-V VM and tried it again. It solved the problem I was having with HTTPS for the main site (I was able to actually use the old IIS Manager to configure it), but I'm still getting 'INET_E_DOWNLOAD_FAILURE' with version 2.0.0 of the IIS Administration API when attempting to connect to it locally on port 55539. On this Server Core VM, I installed the API using the .exe, so it's running .NET Core 1.0.5.

    Thanks again!

  • @Andrew

    Did you try using a different browser such as chrome or firefox?

    And you said you are trying to connect to localhost on server core using https://localhost:55539 correct?

    One thing worth mentioning is that the Iis.administration api requires windows authentication by default and in a fresh installation the only user allowed access is the one who installed it. If you are connecting to the api under a different windows identity than the installing user you will need to grant the new user access in the appsettings file. This is detailed in the documentation at in the configuration tab. I wouldn't expect that to cause the inet_e_download_failure you mentioned but it could be the cause.

    If there is an error in the api it will show up in the log files at c:/program files/iis administration/logs

    The verbosity of these logs can be increased through the appsettings.json (c:/program files/iis administration/2.0.0/microsoft.iis.administration/config/appsrttings.json) file by changing the "log_level" property to a value of "information".

  • The IIS Administration API seems to be working on my Server Core installation for localhost connections only. I downloaded Chrome and installed it on the IIS server, and from there I was able to generate a key and enter the administration pages. Previously, when I said I was connecting to it locally, I meant from a browser (I tried both Edge and Chrome) on a different machine on the same LAN subnet. There is no firewall blocking port 55539.

    The problem persists when attempting to log on remotely, however. I modified the logging behavior you mentioned, and when I access the log right after trying to connect, it reads:

    2017-07-09 18:00:58.407 -04:00 [Information] Request starting HTTP/1.1 GET https://LOCAL_IP_ADDRESS:55539/
    2017-07-09 18:00:58.407 -04:00 [Information] Request finished in 0.4649ms 401

    So it's sending me HTTP 401 'Unauthorized'. I tried entering my credentials as both 'Administrator' and 'DOMAIN\Administrator' and then the password. 'DOMAIN\Administrator' is the user name I was logged on with when I installed the IIS Administration API. The Windows Authentication IIS module is installed.

  • @Andrew,

    The 401 status code means that the Windows Credentials were invalid or were unauthorized. The entry in the appsettings.json should have '{COMPUTER NAME}\Administrator' if you are trying to log on remotely with the built in administrator account. Then when the browser prompts for Windows Credentials the username can be set as '.\Administrator' and password would be the password for the account.

    Here is an example setup of a computer with the name 'MyWorkComp' that I set up to allow connections from the Administrator account that comes by default on the machine. I also set it up to allow myself to enter by placing 'MyWorkDomain\\jimmyca'.

    If I was going to log on with the jimmyca account I would put 'MyWorkDomain\jimmyca' as the username in the prompt in the browser.

    "security": {
    "require_windows_authentication": true,
    "users": {
    "administrators": [
    "owners": [
    "access_policy": {
    "api": {
    "users": "administrators",
    "access_key": true
    "api_keys": {
    "users": "administrators",
    "access_key": false
    "system": {
    "users": "owners",
    "access_key": true

    The Windows Authentication IIS module is not needed.

Comments have been disabled for this content.