Detailed IIS setup method for Windows 2003

Source: Internet
Author: User
Tags metabase ntfs permissions


Windows 2003 has arrived, and many early adopters have already tried it. Although Windows 2003 is said to be a big step forward in security, its default support for the .NET architecture and its dropping of default support for the long-popular ASP have been questioned, and a lot has to be configured by hand. In IIS 6.0 the default settings are particularly strict and secure, which minimizes attacks made possible by the previously too loose timeouts and limits. For example, the default metabase property enforces a maximum ASP posting size of 204,800 bytes and restricts each field to KB. Versions before IIS 6.0 had no posting restrictions, so applications often break when they are migrated to 2003. The solutions are summarized below.


First, enable ASP support

A default installation of Windows Server 2003 does not include IIS 6; it has to be installed separately. After you install IIS 6, you also need to turn on ASP support separately.

First step, enable ASP: Control Panel -> Administrative Tools -> IIS (Internet Information Services) Manager -> Web Service Extensions -> Active Server Pages -> Allow; then Control Panel -> Administrative Tools -> IIS (Internet Information Services) Manager -> Web Service Extensions -> Server Side Includes -> Allow.

Second step, enable parent path support: IIS -> Web Sites -> Home Directory -> Configuration -> Options -> Enable parent paths.

Third step, permission assignment:

IIS -> Web Sites -> (specific site) -> (right-click) Permissions -> give Users Full Control; it is best to add write permission for the IUSR_computername account as well.


Second, how to enable PHP

After downloading the PHP installer, run it to install PHP. The last step is to configure IIS on Windows 2003; many users get stuck at this point, so only that part is explained here.

In Windows 2003, open Internet Information Services (IIS) Manager -> Web Service Extensions, and add a new Web service extension from the Action menu.

Enter "PHP" as the extension name, click "Add", click "Browse" in the window that pops up, and select the php4ts.dll file in the PHP installation directory. Back in the original window, tick "Set extension status to Allowed" and click OK.

Set All Unknown ISAPI Extensions in IIS Manager to Allowed, and the configuration is complete.


Third, resolving the Windows 2003 limit of 200 KB per upload

First stop the IIS Admin Service in Services.

Find MetaBase.xml under windows/system32/inetsrv/, open it, find AspMaxRequestEntityAllowed and change it to the value you need.

Then restart the IIS Admin Service.

The detailed steps:
Step one: Allow the metabase to be edited directly
In IIS, right-click Local computer, select Properties, and check "Allow direct editing of the metabase."
Step two: Turn off the IIS Admin service
Open Control Panel -> Administrative Tools -> Services, locate the IIS Admin service on the right, right-click it, and select Stop to turn off the service.
Step three: Modify the "MetaBase.xml" file
Open the folder "X:/windows/system32/inetsrv", locate the "MetaBase.xml" file in it, open "MetaBase.xml" in Notepad, search for "AspMaxRequestEntityAllowed", change the "204800" that follows it to "1024000000", and save the file.
Note: "X" is the drive letter of the system disk. Make sure that the first step has been carried out before performing the second step, or you will not be able to save the modified "MetaBase.xml" file.
Step four: Turn on the IIS Admin service
After the modification is complete, start the IIS Admin service again from Control Panel -> Administrative Tools -> Services.
After this simple three-step setup, the size limit for files uploaded to IIS has been changed to 100M, and of course you can change the upload size limit to any value you like.
Note: The environment for this example is Windows 2003 with IIS 6.0; the settings are similar under other operating systems.

1. Allow Active Server Pages and Server Side Includes in Web Service Extensions.

2. In the site's properties, go to Home Directory -> Configuration -> Options and enable parent paths.

3. To allow uploads larger than 200 KB, edit c:/windows/system32/inetsrv/metabase.xml (change the value to the size you want; for example, appending two zeros allows 20 MB).

In the Enterprise edition of Windows 2003 the setting is on line 592. The default is AspMaxRequestEntityAllowed="204800", that is, 200 KB. Appending two zeros, AspMaxRequestEntityAllowed="20480000", raises the maximum upload size to 20 MB.

4. If files cannot be downloaded from IIS, open the site's properties, look at the execute permissions on the Home Directory tab, and set them to Scripts only.
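The metabase edits above each relax an IIS 6.0 default, so it is worth checking a copy of MetaBase.xml for them after a migration. The following is an added example, not part of the original article: the function name, the threshold argument and the sample fragment are constructed for illustration, and AspEnableParentPaths and WebSvcExtRestrictionList are the metabase properties behind the "Enable parent path" and "All Unknown ISAPI Extensions" settings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed MetaBase.xml fragment carrying the changes
# described in this article (1 GB upload limit, parent paths on for one site,
# all unknown ISAPI extensions allowed).
SAMPLE_METABASE = r"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC"
    AspEnableParentPaths="FALSE"
    AspMaxRequestEntityAllowed="1024000000"
    WebSvcExtRestrictionList="1,*.dll
        0,*.exe
        1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages"
/>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    AspEnableParentPaths="TRUE"
    Path="c:\inetpub\wwwroot"
/>
</MBProperty>
</configuration>
"""

# "1,*.dll" / "1,*.exe" mean all unknown ISAPI / CGI extensions are allowed.
# The XML parser turns the line breaks inside the attribute into spaces, so
# the entries are matched as whitespace-delimited tokens.
WILDCARD_ALLOWED = re.compile(r"(?:^|\s)1,\*\.(dll|exe)(?=\s|$)")


def audit_metabase(xml_text, max_upload=204800):
    """Return (location, property, value) for every relaxed setting found.

    max_upload is the largest AspMaxRequestEntityAllowed accepted without a
    finding; it defaults to the IIS 6.0 default of 204800 bytes.
    """
    findings = []
    for node in ET.fromstring(xml_text).iter():
        location = node.get("Location")
        if location is None:
            continue  # not a metabase key

        size = node.get("AspMaxRequestEntityAllowed")
        if size is not None and int(size) > max_upload:
            findings.append((location, "AspMaxRequestEntityAllowed", size))

        if node.get("AspEnableParentPaths", "").upper() == "TRUE":
            findings.append((location, "AspEnableParentPaths", "TRUE"))

        restrictions = node.get("WebSvcExtRestrictionList", "")
        for kind in WILDCARD_ALLOWED.findall(restrictions):
            findings.append((location, "WebSvcExtRestrictionList", "1,*." + kind))
    return findings


if __name__ == "__main__":
    for location, prop, value in audit_metabase(SAMPLE_METABASE):
        print(f"{location}: {prop} = {value}")
```

Each finding names the metabase key where the value is set, which shows whether a relaxed limit applies to the whole Web service or only to one site.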


Four, fixing "access denied" errors from the server, or failures when reading the database (friends for whom reinstalling IIS did not help should know this)

1. As mentioned above, open up the guest account's access rights.

2. The c:/windows/temp/ directory must not be deleted, and Everyone and NetworkService need write permission on it. I searched for this for several months and asked many friends without resolving it, and finally found it myself.

3. On drive C, the directories C:/Documents and Settings/NetworkService/Local Settings/Temp and C:/Documents and Settings/LocalService/Local Settings/Temp need write permission.

4. Open the directory that holds the database, find the file with the .ldb extension, and delete it.


Practical problem solving for friends who want to use 2003 as a server system
Many friends have run into a lot of problems when hosting websites on IIS 6. Some of these problems were also encountered in IIS 5, and some are new. I worked on this for an afternoon, did a lot of experiments, combined them with previous troubleshooting experience, and made this summary. I hope it helps you:

Problem 1: Parent path not enabled

Examples of symptoms:

Server.MapPath() error 'ASP 0175 : 80004005'

The Path character is not allowed

/0709/dqyllhsub/news/opendatabase.asp, line 4

The '..' characters are not allowed in the Path parameter of MapPath.

Reason Analysis:

Many web pages use statements of the form ../ (that is, a path that goes up one level, the parent path), and IIS 6.0 turns this option off by default for security reasons.

Workaround:

In IIS, go to Properties -> Home Directory -> Configuration -> Options, tick "Enable parent paths", then confirm and refresh.

Problem 2: ASP Web service extension improperly configured (the same applies to ASP.NET and CGI)

Examples of symptoms:

HTTP Error 404 - File or directory not found.

Reason Analysis:

IIS 6.0 adds a new Web service extensions option, where you can allow or prohibit ASP, ASP.NET, CGI, IDC and other programs. ASP and similar programs are prohibited by default.

Workaround:

In Web Service Extensions in IIS, select Active Server Pages and click Allow.

Problem 3: Improperly configured identity authentication

Examples of symptoms:

HTTP Error 401.2-Unauthorized: Access was denied due to server configuration.

Reason Analysis: IIS supports the following types of Web authentication methods:

Anonymous authentication

IIS creates an IUSR_computername account, where computername is the name of the server that is running IIS, and uses it to authenticate anonymous users when they request Web content. This account grants the user local logon rights. You can reset anonymous user access to use any valid Windows account.

Basic Authentication

Use Basic authentication to restrict access to files on an NTFS-formatted WEB server. Using Basic authentication, the user must enter credentials and access is based on the user ID. Both the user ID and password are sent across the network in clear text.

Windows Integrated Authentication

Windows Integrated authentication is more secure than basic authentication and works well in the intranet environment where users have Windows domain accounts. In integrated Windows authentication, the browser attempts to use the credentials that the current user uses during the domain logon process and prompts the user for a user name and password if the attempt fails. If you use integrated Windows authentication, the user's password will not be transferred to the server. If the user logs on to the local computer as a domain user, he does not have to authenticate again when he accesses a network computer in this domain.

Digest Authentication

Digest authentication overcomes many of the drawbacks of basic authentication. When Digest authentication is used, the password is not sent in clear text. In addition, you can use Digest authentication through a proxy server. Digest authentication uses a challenge/response mechanism (the mechanism that is also used by Integrated Windows authentication), where passwords are sent in encrypted form.

.NET Passport Authentication

Microsoft .NET Passport is a user authentication service that provides single sign-in security, making it more secure for users to access .NET Passport-enabled Web sites and services. A .NET Passport-enabled site relies on a .NET Passport central server to authenticate users. However, the central server does not authorize or deny specific users access to each of the .NET Passport-enabled sites.

Workaround:

Configure the identity authentication you need (typically anonymous authentication, which is the authentication method used by most sites). Authentication options are configured under IIS Properties -> Security -> Authentication and access control.
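The difference between Basic and Digest authentication described above can be seen by looking at what each one puts on the wire. The following is an added example, not part of the original article: the function names are illustrative, and the credentials and header values are the published sample values from RFC 2617. A Basic header decodes straight back to the password, which is why Basic should only be used over SSL/TLS; a Digest response is an MD5 hash bound to the server's nonce, so the password itself never appears in the request.

```python
import base64
import hashlib


def decode_basic(authorization_value):
    """Recover (user, password) from a Basic Authorization header value.

    Base64 is an encoding, not encryption: anyone who can read the request
    can do this without knowing any secret.
    """
    scheme, _, token = authorization_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Compute the Digest 'response' field for qop=auth (RFC 2617, MD5)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # secret part
    ha2 = _md5_hex(f"{method}:{uri}")                  # request part
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(client_response, **expected):
    """Server side: recompute the response from the stored secret and compare."""
    return client_response == digest_response(**expected)


# Sample values taken from the examples in RFC 2617.
RFC_BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
RFC_DIGEST = dict(
    username="Mufasa",
    realm="testrealm@host.com",
    password="Circle Of Life",
    method="GET",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)

if __name__ == "__main__":
    print("Basic header reveals:", decode_basic(RFC_BASIC_HEADER))
    print("Digest sends only:   ", digest_response(**RFC_DIGEST))
```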

Problem 4: IP restrictions improperly configured

Examples of symptoms:

HTTP Error 403.6 - Forbidden: The IP address of the client is denied.

Reason Analysis:

IIS provides an IP restriction mechanism that you can configure either to block certain IP addresses from a site or to allow only certain IP addresses to access it. The error is shown if the client is within the range you are blocking, or is not within the range you allow.

Workaround:

Go to IIS Properties -> Security -> IP address and domain name restrictions. If you want to block certain IP addresses, select Granted access and add the IP addresses that are not allowed. Conversely, you can allow access only from certain IP addresses.

Problem 5: IUSR account is disabled

Examples of symptoms:

HTTP Error 401.1 - Unauthorized: Access denied due to invalid credentials.

Reason Analysis:

Anonymous access uses the IUSR_machinename account, so if this account is disabled, users cannot access the site.

Solution:

Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups: enable the IUSR_machinename account.

Problem 6: NTFS permissions set improperly

Examples of symptoms:

HTTP Error 401.3 - Unauthorized: Access is denied due to the ACL settings on the requested resource.

Reason Analysis:

Web client users belong to the Users group, so if the file has insufficient NTFS permissions (for example, no Read permission), the page cannot be accessed.

Solution:

Open the Security tab of the folder and configure the permissions of the Users group, granting at least Read. NTFS permission settings are not covered further here.

Problem 7: IWAM account is not synchronized

Examples of symptoms:

HTTP 500 - Internal server error

Reason Analysis:

The IWAM account is a built-in account that the system creates automatically when IIS is installed. Once created, the IWAM account is used by three parties: Active Directory, the IIS metabase, and COM+ applications. Each of the three stores the account password, and the operating system is responsible for keeping the three stored copies of the IWAM password synchronized. This synchronization sometimes fails, leaving the IWAM account password inconsistent.

Solution:

If there is an AD, select Start -> Programs -> Administrative Tools -> Active Directory Users and Computers, and set the password for the IWAM account.

Run c:/inetpub/adminscripts>adsutil SET w3svc/wamuserpass password (where password is the IWAM account password) to synchronize the password in the IIS metabase.

Run cscript c:/inetpub/adminscripts/synciwam.vbs -v to synchronize the IWAM account password in COM+ applications.

Problem 8: MIME settings prevent some file types (for example, ISO) from being downloaded

Examples of symptoms:

HTTP Error 404 - File or directory not found.

Reason Analysis:

IIS 6.0 has dropped support for some MIME types, such as ISO, which causes client downloads to fail.

Workaround:

In IIS, go to Properties -> HTTP Headers -> MIME Types -> New. In the dialog box that appears, enter .iso as the extension and application as the MIME type.

In addition, firewall blocking, ODBC configuration errors, Web server performance limits, thread limits and other factors can also make an IIS server inaccessible; they are not covered one by one here. I hope this post will solve most of our problems.

Configure Windows Server 2003--IIS 6
The information in this article applies to:
Microsoft Windows Server 2003, Datacenter Edition
Microsoft Windows Server 2003, Enterprise Edition
Microsoft Windows Server 2003, Standard Edition
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, 64-bit Datacenter Edition
Microsoft Windows Server 2003, 64-bit Enterprise Edition
Microsoft Internet Information Services version 6.0

This step-by-step article describes how to set up a WWW server for anonymous access in a Windows Server 2003 environment.

Installing Internet Information Services

Microsoft Internet Information Services (IIS) is the Web service that is integrated with Windows Server 2003.

To install IIS, add optional components, or remove optional components, follow these steps:

1. Click Start, point to Control Panel, and then click Add or Remove Programs.

The Add or Remove Programs tool starts.
2. Click Add/Remove Windows components.

The Windows Components Wizard appears.
3. In the list of Windows components, click Web Application Server.
4. Click Details, and then click Internet Information Services (IIS).
5. Click Details to view the list of IIS optional components.
6. Select the optional components you want to install. By default, the following components are selected:
---Common Files
---FrontPage 2002 Server Extensions
---Internet Information Services snap-in
---Internet Information Services Manager
---NNTP service
---SMTP service
---World Wide Web Services

7. Click World Wide Web Services, and then click Details to view a list of IIS optional subcomponents, such as the Active Server Pages component and the Remote Management (HTML) tool. Select the optional subcomponents that you want to install. By default, the following components are selected:
---World Wide Web Services

8. Click OK until you return to the Windows Components wizard.
9. Click Next, and then complete the Windows Components wizard.

Configuring Anonymous Authentication

To configure anonymous authentication, follow these steps:

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).
2. Expand * server name (where server name is the name of the server), right-click the Web site, and then click Properties.
3. In the Web Site Properties dialog box, click the Directory Security tab.
4. Under Authentication and access control, click Edit.
5. Click the Enable anonymous Access check box to select it.

Note: The user account in the User name box is used only for anonymous access through the Windows Guest account.

By default, the server creates and uses the account IUSR_computername. The anonymous user account password is used only in Windows, and the anonymous user does not log on with the username and password.
6. Under Authenticated access, click the Integrated Windows authentication check box to select it.
7. Click OK two times.

Basic WEB Site Configuration

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).
2. Expand * server name (where server name is the name of the server), and then expand the Web site.
3. Right-click the default Web site, and then click Properties.
4. Click the Web Site tab. If you have assigned more than one IP address to your computer, in the IP address box, click the IP address that you want to assign to this web site.
5. Click on the Performance tab. Use the Web Site Properties-Performance dialog box to set properties that affect memory, bandwidth usage, and number of web connections.

By configuring network bandwidth on a particular site, you can better control traffic for that site. For example, by restricting bandwidth on a lower-priority Web site, you can relax restrictions on access to other sites. Similarly, when you specify the number of connections to a Web site, you can release resources for other sites. Settings are specific to the site and should be adjusted based on network traffic and usage changes.
---Click to select the Limit the bandwidth available to this Web site check box to configure IIS to throttle network bandwidth to the selected maximum amount, in kilobytes per second (KB/s).
---Click the Web service connections option to select a specific number or an unlimited number of Web service connections. Restricting connections allows computer resources to be used for other processes.

Note: Each client browsing the Web site typically uses about three connections.

6. Click the Home Directory tab.
---If you want to use Web content that is stored on the local computer, click A directory located on this computer, and then type the path you want in the Local path box. For example, the default path is C:/inetpub/wwwroot.

Note: To increase security, do not create a Web content folder under the root directory.
---If you want to use Web content that is stored on another computer, click A share located on another computer, and then type the location you want in the Network directory box that appears.
---If you want to use Web content that is stored at another Web address, click A redirection to a URL, and then type the location you want in the Redirect to box. Under The client will be sent to, click the appropriate check box to select it.
7. Click the Documents tab. Note the list of documents that IIS can use as the default startup document. If you want to use index.html as your startup document, you must add it. To add it:
A. Click Add.
B. In the Add Default Document dialog box, type Index.html, and then click OK.
C. Click the up arrow button until index.html is displayed at the top of the list.

8. Click OK to close the default Web Site Properties dialog box.
9. Right-click the default Web site, and then click Permissions.
10. Note the user account with permission to operate on this web site. Click Add to add additional user accounts that can operate this web site.
11. Click OK to return to the Internet Information Services window.
12. Right-click the default Web site, and then click Stop.
13. Right-click the default Web site, and then click Start.

The server is now configured to accept incoming Web requests for access to the default Web site. You can replace the contents of the default Web site with the Web content you want, or create a new Web site.
