Configuring IIS6 for Team Development

I started this paper a while ago and simply haven’t had the chance to buff ‘n polish it for publication.  However, enough people within Microsoft have derived value from it that I thought posting it here may allow the general public to derive similar value.  Do be aware that the biggest “gotcha” in doing this is that when the developer’s password expires, it is necessary to specify the new password for the developer’s application pool. Feel free to comment and ask questions, should you have them.

To install Internet Information Services 6.0 on Windows Server 2003

1. From Control Panel, choose Add or Remove Programs

2. Click Add/Remove Windows Components

3. Select Application Server and click Details…

4. Check ASP.NET and Enable Network COM+ access

5. Select Internet Information Services (IIS) and click Details…

6. Check Common Files, FrontPage 2002 Server Extensions and Internet Information Services Manager

7. Select World Wide Web Service and click Details…

8. Check Active Server Pages, Remote Administration (HTML) and World Wide Web Service

9. Click OK to accept the World Wide Web Service changes

10. Click OK to accept the Internet Information Services (IIS) changes

11. Click OK to accept the Application Server changes

12. Click Next to continue the Windows Components Wizard

13. Click Finish to complete the Windows Components Wizard

14. Close the Add or Remove Programs dialog

To install the Visual Studio .NET Remote Debugging Components

1. Insert the Visual Studio .NET 2003 CD and launch Setup

2. Click Remote Components Setup

3. Scroll to section titled To Install Remote Debugging Components

4. Click Install Full

5. Click OK to close the Windows Installer after it completes the installation

6. Close the Remote Components Setup window

7. Close the Visual Studio .NET Setup window

A new local group, VS Developers, has been created and Modify rights granted to VS Developers on C:\Inetpub\wwwroot.

What follows is trial and error

Steps that must be done next include

a) Assign the developer to the IIS_WPG local group

b) Create a new application pool

   a. Set the identity to that of the developer

c) Create a new physical directory and ACL it appropriately

   a. Would be best if these ACLs granted the individual developer private rights to the physical directory rather than VS Developers.

      i. Grant the developer the same rights as we would grant VS Developers

      ii. Does anything else in the VS.NET debugging process rely upon VS Developers?

   b. Examining C:\Inetpub\wwwroot shows the following ACLs; note that I believe that Special Permissions is also checked, but I’m not sure why

      i. Administrators get Full Control (x)

      ii. Everyone gets Read & Execute (x)

      iii. IIS_WPG gets Read & Execute (x)

      iv. Internet Guest Account is denied Write (x)

      v. SYSTEM gets Full Control (x)

      vi. Users gets Read & Execute

      vii. VS Developers gets Modify

d) Create a virtual directory and point it to the physical directory created above

To create a new physical directory and assign appropriate permissions

1. Create C:\Users\kevinha

2. Right-click on the kevinha folder and choose Sharing and Security…

3. Click the Security tab

4. Click Advanced

5. Clear the Allow inheritable permissions from the parent to propagate to this object and all child objects checkbox

6. Click Copy to copy the permissions previously applied from the parent to this object

7. Click OK to close the Advanced Security Settings dialog

8. Select CREATOR OWNER and click Remove

9. Click Add…

10. Enter the following accounts and groups into the Enter the object names to select textbox

a. MICROSOF-27TCOC\Everyone

b. MICROSOF-27TCOC\IIS_WPG

c. MICROSOF-27TCOC\IUSR_MICROSOF-27TCOC

d. MICROSOF-27TCOC\Users

e. NORTHAMERICA\kevinha

11. Click OK to accept the Select Users, Computers or Groups dialog

12. Select Internet Guest Account

13. Clear the Read & Execute, List Folder Contents and Read checkboxes under the Allow column

14. Click the Write checkbox under the Deny column

15. Select Kevin Hammond

16. Click the Modify checkbox under the Allow column

17. Click OK to accept the folder Properties dialog

18. Click Yes to acknowledge you are setting a deny permission in the Security dialog

To configure FrontPage 2002 Server Extensions for the Default Web Site

1. Start Internet Information Services (IIS) Manager from the Administrative Tools program group

2. Expand MICROSOF-27TCOC (local computer)

3. Expand Web Sites

4. Expand Default Web Site

5. Right-click on Default Web Site, point to All Tasks and choose Configure Server Extensions 2002

6. Use the local Administrator account when prompted for credentials

7. Click Submit to enable FrontPage 2002 Server Extensions on the Default Web Site and specify the local Administrator account as the administrator account for this virtual server

8. Close the browser window

To create the developer’s virtual directory

1. Start Internet Information Services (IIS) Manager from the Administrative Tools program group

2. Expand MICROSOF-27TCOC (local computer)

3. Expand Web Sites

4. Expand Default Web Site

5. Right-click on Default Web Site, point to New and choose Virtual Directory…

6. Click Next to continue the Virtual Directory Creation Wizard

7. Type kevinha in the Alias textbox

8. Click Next to accept the Virtual Directory Alias

9. Type C:\Users\kevinha in the Path textbox

10. Click Next to accept the Web Site Content Directory

11. Click Next to accept the default Virtual Directory Access Permissions

12. Click Finish to complete the Virtual Directory Creation Wizard

To configure FrontPage 2002 Server Extensions for the developer’s virtual directory

1. Start Internet Information Services (IIS) Manager from the Administrative Tools program group

2. Expand MICROSOF-27TCOC (local computer)

3. Expand Web Sites

4. Expand Default Web Site

5. Expand kevinha

6. Right-click on kevinha, point to All Tasks and choose Configure Server Extensions 2002

7. Use the local Administrator account when prompted for credentials

8. Select the Use unique permissions for this web radio button

9. Enter NORTHAMERICA\kevinha in the Administrator textbox

10. Click Submit to enable FrontPage 2002 Server Extensions on the Default Web Site and specify the developer’s account as the administrator account for this virtual server

11. Close the browser window

To create a new application pool for the developer’s virtual directory

1. Start Internet Information Services (IIS) Manager from the Administrative Tools program group

2. Expand MICROSOF-27TCOC (local computer)

3. Expand Application Pools

4. Right-click on Application Pools, point to New and choose Application Pool…

5. Enter kevinha in the Application pool ID textbox

6. Click OK to accept the Add New Application Pool dialog box

To configure the application pool’s identity to that of the developer

1. Start Internet Information Services (IIS) Manager from the Administrative Tools program group

2. Expand MICROSOF-27TCOC (local computer)

3. Expand Application Pools

4. Right-click on kevinha and choose Properties

5. Click the Identity tab

6. Select the Configurable radio button

7. Enter NORTHAMERICA\kevinha in the User name textbox

8. Enter the developer’s password in the Password textbox

9. Click OK to accept the Properties dialog

10. Re-enter the developer’s password in the Confirm Password dialog

11. Click OK to accept the Confirm Password dialog

To add the developer’s account to the IIS_WPG local group

1. Start Computer Management from the Administrative Tools program group

2. Expand Local Users and Groups

3. Select Groups

4. Right-click on IIS_WPG and select Add to Group…

5. Click Add…

6. Enter NORTHAMERICA\kevinha into the Enter the object names to select textbox

7. Click OK to accept the Select Users, Computers, or Groups dialog

8. Click OK to accept the IIS_WPG Properties dialog

To add the developer’s virtual directory to the developer’s application pool

1. Start Internet Information Services (IIS) Manager from the Administrative Tools program group

2. Expand MICROSOF-27TCOC (local computer)

3. Expand Web Sites

4. Expand Default Web Site

5. Right-click on kevinha and choose Properties

6. Select kevinha from the Application pool dropdown

7. Click OK to accept the kevinha Properties dialog

To disable negotiation of Kerberos authentication for the virtual directory

1. Start a Command Prompt

2. Change directory to C:\Inetpub\AdminScripts

3. Enter cscript adsutil.vbs set w3svc/1/ROOT/kevinha/NtAuthenticationProviders NTLM

It appears that Visual Studio .NET 2003 (or at least my configuration) defaults to trying to use Front Page to create the application. This fails because I’ve not installed the Front Page 2002 Server Extensions on the Web server. Visual Studio .NET 2003 then attempts to use a file share path to open the project, and defaults to \\microsof-27tcoc\wwwroot$\kevinha\config1. Unfortunately, this will not work because the physical kevinha folder has been created outside of the wwwroot$ share.

There are two options that require investigation:

1. Create a share for each developer. For example share C:\Users\kevinha as \\microsof-27tcoc\kevinha$

2. Create the developer’s physical directory directly beneath C:\Inetpub\wwwroot.

Option 2 is suboptimal as many organizations leave C:\Inetpub\wwwroot on a small system drive, which may not afford sufficient space for team development.

Option 1 allows the creation of developer home directories on any drive in the system. However, when Visual Studio .NET 2003 attempts to create a new project, it is unable to create the IIS application on the physical folder and is unable to restrict browse access to the bin folder. I assume this is because Visual Studio .NET 2003 still has a reliance upon Front Page Server Extensions for project creation, even when choosing to use a file share path. Even when using Visual Studio .NET 2003 to create a new Web application in the root of the Default Web Site an error still occurs, further leading to the conclusion that FrontPage Server Extensions are required regardless of the access mode chosen.

The physical bin folder inherits its security permissions from the parent folder, which in turn inherits its permissions from the developer’s home folder.

IIS directory security for the bin folder grants Read, Log visits and Index this resource.

Simply installing FrontPage 2002 Server Extensions is not enough. Permissions must be configured. Furthermore, after installation of FrontPage 2002 Server Extensions, it is necessary to configure them for the Default Web Site. Once the Default Web Site has been configured, the individual developer virtual directories may be configured as well, each specifying the developer as the administrator of the web site.

Relying upon FrontPage as the Web Access Mode removes the need to configure a share on the developer’s home folder, but may have implications for source control.

To share the developer’s home directory

1. Right-click on the kevinha folder and choose Sharing and Security…

2. Click Share this folder

3. Click Permissions…

4. Click Add…

5. Enter NORTHAMERICA\kevinha into the Enter the object names to select textbox

6. Click OK to accept the Select Users, Computers or Groups dialog

7. Select Kevin Hammond

8. Click the Full Control checkbox under the Allow column

9. Click OK to accept the Permissions dialog

10. Click OK to accept the Properties dialog
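The per-developer setup walked through in the sections above (IIS_WPG membership, private home folder, dedicated application pool running as the developer, virtual directory in that pool, NTLM-only authentication, and the optional hidden share from option 1), collected into one batch script. This is an added example and not part of the original post; it assumes the post’s names (NORTHAMERICA domain, site W3SVC/1, C:\Inetpub\AdminScripts) and that cacls, adsutil.vbs and net share /GRANT are available on the server.

```batch
@echo off
rem Added example (not from the original post): scripted version of the
rem per-developer IIS 6.0 setup described above. Run as a local Administrator
rem on the Web server.  Usage: devsetup.cmd <developer> <password>
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<developer^> ^<password^>
    exit /b 1
)
set DEV=%~1
set PASS=%~2
set DOMAIN=NORTHAMERICA
set SITE=W3SVC/1
set ADSUTIL=cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs

rem a) The pool identity must be a member of IIS_WPG to run as a worker process.
net localgroup IIS_WPG %DOMAIN%\%DEV% /add

rem c) Private home folder outside wwwroot; only this developer gets Modify (C).
rem    Breaking inheritance and the Deny-Write ACE on the Internet Guest Account
rem    are still done in the GUI steps above: cacls cannot express a deny-Write.
mkdir C:\Users\%DEV%
cacls C:\Users\%DEV% /E /G %DOMAIN%\%DEV%:C

rem b) Dedicated application pool; AppPoolIdentityType 3 = Configurable.
rem    WAMUserPass is the "gotcha" from the introduction: when the developer's
rem    password expires, re-run this SET with the new password.
%ADSUTIL% CREATE W3SVC/AppPools/%DEV% IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%DEV%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%DEV%/WAMUserName %DOMAIN%\%DEV%
%ADSUTIL% SET W3SVC/AppPools/%DEV%/WAMUserPass %PASS%

rem d) Virtual directory pointing at the home folder, made an application and
rem    moved into the developer's pool (APPCREATEPOOLPROC puts it in the
rem    DefaultAppPool first; AppPoolId then reassigns it).
%ADSUTIL% CREATE_VDIR %SITE%/ROOT/%DEV%
%ADSUTIL% SET %SITE%/ROOT/%DEV%/Path C:\Users\%DEV%
%ADSUTIL% APPCREATEPOOLPROC %SITE%/ROOT/%DEV%
%ADSUTIL% SET %SITE%/ROOT/%DEV%/AppPoolId %DEV%

rem Disable Kerberos negotiation for the vdir (same command as the section above).
%ADSUTIL% SET %SITE%/ROOT/%DEV%/NTAuthenticationProviders NTLM

rem Option 1 from the discussion: hidden per-developer share for the
rem file-share Web access mode, Full Control for the developer only.
net share %DEV%$=C:\Users\%DEV% /GRANT:%DOMAIN%\%DEV%,FULL
endlocal
```

Because the password is passed on the command line it will appear in the console history of whoever runs the script, so run it interactively rather than from a stored batch file with the value filled in.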

Comments

  • Anonymous
    January 06, 2004
    Gee -- next time you have something like this semi-baked, let a guy know... ;)

    Thanks for this, Kevin!

    TTFN - Kent
  • Anonymous
    January 18, 2004
    Remote Administration may rely upon ASP, but I don't recall. If you have no dependency on being able to process ASP requests, then there is no need to enable it.