Article from Windows NT Magazine's IIS Administrator
February 2000
Q: I have a Web site on IIS 4.0 that requires very high security. I
want to require 128-bit encryption, but some browsers only support
40-bit encryption. How can I determine the capability of my clients'
browsers and direct those clients to an upgrade location?
A: Try this: Create a virtual directory, and set it to receive only 128-bit
connections. Associate a customized error for error number 403.5
(128-bit Secure Sockets Layer, or SSL, required) with this directory. The
error page can direct users to update locations for 128-bit capability.
One of the most flexible features of IIS is its ability to customize error
messages. Because IIS can create a custom page for any given file, Web
site, or virtual directory, you have an advantage when error conditions
occur. In your case, you can create a virtual directory and set it to receive
only 128-bit connections. Then, use the Microsoft Management Console
(MMC) Custom Errors tab for the virtual directory to associate a
customized error for error number 403.5 (128-bit SSL required). The new
page can direct users either to update locations for 128-bit capability or to
a page that doesn't require 128 bits.
Q: For a high-traffic Web server hosting 350-plus Web sites, should
I set the server service to Maximize Throughput for File Sharing or Maximize Throughput
for Network Applications? Most people seem to think that I should
set the IIS server to Maximize Throughput for Network
Applications, but a Web server serves files, and the file server
setting seems to make more sense.
A: The effect of this setting on IIS is widely under-appreciated. When I
teach Microsoft's IIS class, the very first page of instruction has the
statement, "Microsoft Internet Information Server 4.0 (IIS) is a network
file and application server. . . ." (Creating and Managing a Web Server
Using Microsoft's Internet Information Server, page 20). So IIS is not a
file server or an application server, but a network file and application server.
Look at the settings found at Control Panel, Network, Services, Server,
which you see in Screen 1: Which of these settings has the best throughput
for IIS? Generally speaking, Maximize Throughput for Network
Applications, although the reasoning is not entirely intuitive.
IIS benefits substantially from file caching. However, if you set up the
server service to the Maximize Throughput for File Sharing setting, you
are, in effect, telling Windows NT 4.0 that memory for caching files is
more important than memory for applications. As a result, NT swaps out
programs to disk, including IIS, when NT needs memory for files. As you
can imagine, IIS doesn't perform well when it's not loaded into RAM.
Furthermore, this setting is the default! As a result, many IIS servers can
enjoy a quick and easy boost in performance by switching this setting to
Maximize Throughput for Network Applications.
Here are a few more suggestions to improve performance:
Add more paging files and increase their size. By distributing the
paging files across drives, you can increase performance. It's also a
good idea to move the paging file off the boot partition. By creating
fixed paging file sizes, you can prevent the paging files from
becoming fragmented. Paging file fragmentation causes disk
accesses to this often-used area to be less efficient.
Use RAID 0 (disk striping without parity) to increase performance
in your disk drive subsystem. Be sure to use a hardware controller
that supports RAID, not the NT software implementation using Disk
Administrator. While software RAID works, it places the burden on
the OS; a disk controller can do the job many times faster.
Screen 1 Viewing server settings
Screen 2 Viewing a common security alert
Screen 3 Creating a new key
Keep related files on the same logical partition of a disk, which
helps to improve the performance of the file-system cache.
Keep your disks defragmented.
Convert Common Gateway Interface (CGI) applications to Active
Server Pages (ASP) or Internet Server API (ISAPI) applications.
Disable the creation of 8.3 file names. Because the server is servicing
only Web sites, turning this feature off is better than leaving it enabled:
no 16-bit applications are running, and the OS is spared the overhead of
maintaining two names for every file. Use regedt32 to locate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
\NtfsDisable8dot3NameCreation and change the value from its default of 0
to 1. The change applies only to files created afterward; existing 8.3
names remain.
Q: I installed Service Pack 6 (SP6) on my IIS 4.0 server, and
immediately SMTP stopped working. I reverted to SP5, and SMTP
started working again. Did SP6 cause this problem to occur?
A: A number of services on any IIS installation could have problems after
SP6 because the SP6 version of Winsock might refuse calls unless the
calling user has full administrative rights. In general, the
problem arises when you attempt to connect to a new server. Unless you
want to make your IUSR account an administrator, you need to update
your system with one of several post-SP6 patches. For more information
about this problem, see the Microsoft article "Winsock Call Fails When
User Does Not Have Local Administrator Rights" at
http://support.microsoft.com/support/kb/articles/q245/6/78.asp.
For more information about SP6, visit
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/iis40 from time to time
to see whether any hotfixes exist that you need to apply after you update to
SP6. Two current fixes involve a problem with FTP ignoring NTFS
settings and another problem with IIS allowing access to unauthorized
clients (i.e., when you provide a domain name for which IIS should deny
access, IIS can't resolve the client's IP address).
Q: I'm using SSL with a certificate purchased from VeriSign. When
I connect to the server, Microsoft Internet Explorer (IE) displays
the message The certificate does not match the URL. I ordered the
certificate for our domain (e.g., www.myserver.com), and the server
is named Pluto. When I enter https://pluto everything works fine.
But when I enter www.myserver.com I get the message The URL
does not match the certificate. I can click Continue, and IE
establishes an SSL session, but how can I eliminate the message?
A: Installing certificates so that IE 4.0 users don't see messages such as the
one in Screen 2 is one of the key goals of any systems administrator. The
process isn't entirely intuitive, and a senior Microsoft consultant called the
problem you describe "the number one mistake" with certificates. The
message appears when a user attempts to connect to a site using an SSL
connection and begins the URL with https://. The browser checks the URL
entered against the certificate to see whether they match. If they don't, the
security alert in Screen 2 appears. You get a similar security alert with
other browsers.
So, where is the name on the certificate? When you use IIS Key Manager
to create a certificate request, you must complete a form, such as the one
in Screen 3, that includes an entry for the Common Name. If you read that
screen carefully, you'll find a very important instruction:
Enter the Common Name. This is the fully qualified domain name used for
DNS lookups of your server (such as www.yourcorp.com). This
information is used by browsers to identify your site. If you change this
name, you will need to obtain a new certificate.
Frequently (and this seems to be what you've done), people put the server
name (e.g., Pluto) in the Common Name box instead of the name people
will use to access your site. The Common Name must be the DNS name
people enter in their browsers to reach your site.
For example, I have a simple site set up at www.techmesa.com. I've
installed a certificate for that exact URL, and if you access the site using
SSL by typing https://www.techmesa.com, you won't see the security alert
about the URL not matching the certificate. You'll receive a security alert,
but that message will be about the certificate coming from an untrusted
authority. This security alert means that your browser doesn't recognize the
presented certificate as having been issued from a trusted Certificate
Authority (CA). Most browsers have preloaded certificates from Thawte,
VeriSign, and a few other widely recognized CAs. Despite the scary
warning about the issuer being untrusted, you can proceed and create a
perfectly good SSL connection just as if the issuer were a trusted authority.
So, you can create a secure connection to www.techmesa.com without the
security alert using HTTP over Secure Sockets Layer (HTTPS). However,
if you access the site again using https://techmesa.com, you'll see a
message warning you that the certificate doesn't match the name. The
Common Name box for this certificate is for www.techmesa.com, not
techmesa.com, so the message appears. If I tried to access the IIS server
internally by computer name, I would get the same message. To answer
your question, therefore: you'll have to obtain a new certificate with the
Common Name www.myserver.com instead of your computer name to
solve the problem.
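The browser check described above, as an added example that is not part of the column: a small Python model of hostname-to-certificate matching, run against constructed certificate records (plain dicts, not real certificates) that reproduce the Pluto versus www.myserver.com mismatch. It also covers two things the column predates: Subject Alternative Name entries, which browsers now check before the Common Name, and wildcard names.

```python
# Added example, not code from the column: the check a browser performs
# before raising IE's "certificate does not match the URL" alert, run
# against constructed certificate records (dicts, not real certificates)
# that reproduce the column's mistake of requesting the certificate for
# the machine name "pluto" instead of the site name.
from urllib.parse import urlparse


def hostname_matches(hostname, cert_names):
    """True if hostname equals one of the certificate's DNS names.
    Comparison is case-insensitive; a leading '*' label stands for exactly
    one label ('*.example.com' covers www.example.com, not example.com)."""
    host = hostname.rstrip(".").lower()
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            prefix = host[:-len(name) + 1]        # part replaced by '*'
            if prefix and "." not in prefix:
                return True
    return False


def certificate_names(cert):
    """Browsers use the Subject Alternative Name dNSName entries when
    present and fall back to the Common Name only when there are none;
    IIS 4.0 Key Manager only ever filled in the Common Name."""
    return cert["san_dns"] or [cert["subject_cn"]]


def url_matches_certificate(url, cert):
    """Host part of the URL (a bare name is treated as https://name)
    matched against the certificate, as the browser does."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return hostname_matches(host, certificate_names(cert))


# Constructed certificate records: the column's mistake beside the fix.
CERT_FOR_MACHINE_NAME = {"subject_cn": "pluto", "san_dns": []}
CERT_FOR_SITE_NAME = {"subject_cn": "www.myserver.com", "san_dns": []}
CERT_WITH_SAN = {"subject_cn": "www.myserver.com",     # covers both names
                 "san_dns": ["www.myserver.com", "myserver.com"]}
```

With CERT_FOR_MACHINE_NAME, https://pluto passes and https://www.myserver.com fails, which is exactly the alert described in the question; CERT_FOR_SITE_NAME reverses that, and only CERT_WITH_SAN also accepts https://myserver.com.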
Q: Can you shed some light on IIS resources (e.g., an instructor-led
course or a good reference book)? I have about 4 weeks to migrate
my organization's current Web site from a provider to our three
newly purchased Web servers.
A: As an avid reader of all things pertaining to IIS, I'm sorry to say that
I've found only a few good IIS resources. By far, the best book about IIS
is Leonid Braginski and Matt Powell, Running Microsoft Internet
Information Server (Microsoft Press, 1998). The next most-used reference
on my list is Microsoft Internet Information Server Resource Kit
(Microsoft Press, 1998). Of course, our own IIS Administrator is required
reading, as is Windows 2000 Magazine, which often has relevant
information about IIS. My next reads will be Mark Joseph Edwards,
Internet Security with Windows NT (29th Street Press, 1997) and Ken
Spencer, Windows NT Magazine Instant Solutions: Troubleshooting IIS
4.0 and Visual InterDev 6.0 (29th Street Press, 1998). Both are available
at http://www.29thstreetpress.com. Aside from these resources, you
should visit the Microsoft TechNet Web site for IIS
(http://www.microsoft.com/technet/iis/default.htm) and the Microsoft
Security Advisor Web site (http://www.microsoft.com/security) weekly.
In addition, you can't just pick up the phone and call one of the IIS
programmers at Microsoft to ask about some really oddball technical glitch
that no one seems to comprehend, but you can attend a free chat with
members of the IIS team hosted once a month by Microsoft. For the
schedule and archive of past conversations, see the above TechNet URL.
You can also post messages about IIS on a few public bulletin boards.
You can find the Microsoft TechNet board for IIS and other Microsoft
products at http://technetnews.microsoft.com/technet/default.asp.
Windows 2000 Magazine hosts a board at
http://www.winntmag.com/support/forums/application/main.cfm?cfapp=68.
In addition, I host an IIS board at
http://networking.brainbuzz.com/boards/viewboardcategories.asp (after
you're there, click Web Technologies, Microsoft IIS).
Microsoft also hosts a few newsgroups on IIS, but I've found them long on
questions and short on answers. You can, however, glean some useful
information if you're willing to wade through the repetitious problems. The
main newsgroup for IIS is microsoft.public.inetserver.iis, but you'll likely
find other newsgroups of interest as well (e.g., a Microsoft FrontPage
Server Extensions newsgroup).
Q: Does an easy way exist to duplicate IIS on a new system?
A: I've answered this question before, but I thought it worth visiting again
because it's one of the most frequently asked IIS questions, and some new
answers exist. As reported previously, Microsoft's Site Server content
replication replicates IIS, but a lot of IIS administrators don't want to go
out and get a full-blown version of Site Server just for this purpose.
Another possibility is a utility called iissync.exe, which Microsoft provides
with IIS. This utility duplicates an IIS setup to another server, but you must
use it with a cluster of servers. The utility requires Windows NT Server,
Enterprise Edition (NTS/E), and you need to set up clustered servers for
load balancing and failover. I've talked to some administrators who have
used iissync.exe to duplicate IIS servers without installing clustered servers
or NTS/E, but I haven't tested it myself. Documentation for it is thin, but
you can find information about iissync.exe in the Microsoft articles below:
"Deciphering IISSYNC Status Codes" at
http://support.microsoft.com/support/kb/articles/q224/8/01.asp
"How to Install the Windows NT Option Pack on Microsoft Cluster
Server" at
http://support.microsoft.com/support/kb/articles/q191/1/38.asp
"Contents of Internet Information Server 4.0 Release Notes" at
http://support.microsoft.com/support/kb/articles/q230/2/87.asp
If you do decide to play around with iissync.exe, be sure to make a copy
of your metabase first, and check out the requirement to specify the target
server in the Microsoft Transaction Server (MTS) as stated in "Contents of
Internet Information Server 4.0 Release Notes."
Until recently, no one had designed a utility specifically to achieve
duplication of an IIS setup from one server to another, with no clusters or
enterprise required. So I was delighted when I ran across a company
offering a utility that does exactly that, complete with virtual directories and
other settings. To make the utility even sweeter, it's freeware. The utility
even has a feature that lets you save the settings to a database and restore
them later to another system. Check it out at
http://www.adsonline.co.uk/iisexport.
About The Author
Brett Hill is an MCSE, an MCT, an MCP+Internet, and an A+. He
operates Techmesa Technical Services in Boulder, Colorado, and is a
Microsoft Internet Information Server consultant. You can reach him at
brett@techmesa.com or http://www.techmesa.com.
The above article is courtesy of Windows NT Magazine's IIS
Administrator.
© 2002 Microsoft Corporation. All rights reserved.