Saturday, August 31, 2013

Remote Administration for IIS Manager

Remote management of IIS 7.0 and above through Internet Information Services (IIS) Manager must be explicitly enabled. This has changed from IIS 6.0 where IIS Manager remoting was through MMC and was always enabled. This document describes how to enable remote management of IIS on Windows Server® 2008 through IIS Manager.
First, you must be on Windows Server 2008. IIS on Windows Vista will not be remotely manageable when it is released. You must also be logged in as the built-in Administrator account, or be a member of the Administrators group using elevated privileges.
These are the steps for enabling remote administration of your IIS server.
  1. Install the Web Management Service (WMSVC).
  2. Enable remote connections.
  3. Optionally set other configuration, e.g.:
    a. HTTPS binding (port, IP address, and/or SSL certificate)
    b. IP and domain restrictions.
  4. Start WMSVC, and optionally change the service Startup Type from Manual to Automatic.
Starting WMSVC is the last step because WMSVC cannot be configured while running.
Note: This document only describes how to enable remoting. For an overview of how IIS Manager remoting works, please see the Getting Started with IIS Manager.

INSTALL WEB MANAGEMENT SERVICE (WMSVC)

Click Server Manager in the Start menu, select the Roles node in the left-hand tree view, and scan down to find the Web Server (IIS) role. Click Add Role Services and select the Management Service component.

Enable Remote Connections

To enable remote connections using IIS Manager, click the server node in the tree view, open the Management Service feature, and check the Enable Remote Connections check box under Remote Connections (check out our online help topic for more details).
This configuration is stored in the dword registry value "EnableRemoteManagement" under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server. The easiest way to enable remote management from the command line is to save this text in a file called EnableRemoteMgmt.reg and run it:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server]

"EnableRemoteManagement"=dword:00000001

Configure WMSVC Settings

There are a few other WMSVC settings you might want to configure:
  • Binding – By default, WMSVC is bound to all unassigned IP addresses on port 8172 using a self-signed certificate (WMSVC only communicates over HTTPS).
  • IPv4 Restrictions – After remote connections are enabled, WMSVC accepts connections from any IP address. You may want to refuse connections from a set of known clients, or lock down connections to only a set of known clients.
  • Acceptable for unspecified clients – By default, WMSVC accepts both Windows credentials and IIS Manager credentials (i.e. non-Windows credentials stored in administration.config). You can choose to restrict this to just Windows credentials.
To configure these settings using IIS Manager, click the server node in the tree view and open the Management Service feature. This configuration is stored in the registry and can be manipulated many different ways (e.g. regedit, .reg files, WMI, etc.).
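
To review the exposure these settings create, here is an added example that is not part of the original article: a Python sketch that parses .reg text (the file shown above, or an export of the same key) and reports remote enablement, accepted credential types and the binding. The value names RequiresWindowsCredentials and IPAddress do not appear on this page and are assumed here to be the WMSVC registry values for the credential and binding settings; the hardened sample and its address are constructed.

```python
import re

# Key named on this page. Registry paths are case-insensitive, which is why the
# page can write "Software" in the .reg file and "SOFTWARE" in the prose.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server"

def parse_reg(text):
    """Parse .reg text into {lowercased key path: {value name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.+)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.lower().startswith("dword:"):
                current[name] = int(val[6:], 16)   # dword values are hexadecimal
            else:
                current[name] = val.strip('"')
    return keys

def audit_wmsvc(text):
    """Return findings about how widely WMSVC is exposed."""
    values = parse_reg(text).get(KEY.lower(), {})
    if values.get("EnableRemoteManagement", 0) != 1:
        return ["remote management disabled"]
    findings = ["remote connections enabled"]
    # Assumed value name; a missing value is treated as the default described
    # above (both Windows and IIS Manager credentials accepted).
    if values.get("RequiresWindowsCredentials", 0) != 1:
        findings.append("IIS Manager (non-Windows) credentials accepted")
    # Assumed value name; "*" stands for the default binding to all unassigned IPs.
    if values.get("IPAddress", "*") == "*":
        findings.append("bound to all unassigned IP addresses")
    return findings

# The .reg file from this page: it enables remoting and leaves the rest at defaults.
PAGE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server]

"EnableRemoteManagement"=dword:00000001
"""

# Constructed sample: Windows credentials only, bound to one management address.
HARDENED_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WebManagement\Server]
"EnableRemoteManagement"=dword:00000001
"RequiresWindowsCredentials"=dword:00000001
"IPAddress"="10.0.0.5"
"""

if __name__ == "__main__":
    for label, reg in (("page", PAGE_REG), ("hardened", HARDENED_REG)):
        print(label, audit_wmsvc(reg))
```

IP restrictions are not examined here; review them in the Management Service feature.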

Start WMSVC

To start WMSVC using IIS Manager, click the server node in the tree view, open the Management Service feature, and click Start in the task pane. To start WMSVC from the command line, type:
net start WMSVC
WMSVC installs with Startup Type set to Manual, which means that the service has to be manually restarted each time the server reboots or if HTTP.sys is stopped (WMSVC depends on HTTP.sys). Set the Startup Type to Automatic if you want WMSVC to start on system boot. Do this in the Services MMC console, or using this command line:
sc config WMSVC start= auto

Administering Servers Remotely in IIS 6.0 (IIS 6.0)

You can administer your server remotely by running IIS on an intranet or the Internet. You can use the following tools for this purpose:
IIS Manager: You can use IIS Manager on your server to remotely connect to and administer an intranet server running IIS 5.0, IIS 5.1, or IIS 6.0 (IIS 3.0 and IIS 4.0 are not supported).
Terminal Services: Terminal Services does not require you to install IIS Manager on the remote client computer because, once connected to the server running IIS, you use IIS Manager on the Web server as if you are logged on to the server locally.
Remote Administration (HTML) Tool: You can use the Remote Administration (HTML) tool to administer your IIS Web server from any Web browser on your intranet. This version of the Remote Administration (HTML) tool is supported only on servers running Windows Server 2003 with IIS 6.0.
  Note
If you install the Remote Administration (HTML) Tool for IIS 6.0 on a server that has been upgraded to Windows Server 2003 from Microsoft Windows NT 4.0, you may receive an error when you try to view the administrative Web site. This error occurs because, by default, buffering is set to False in IIS 4.0. However, in IIS 6.0, buffering is set to True by default, and this setting is not changed during upgrade. To view the administrative Web site in IIS 6.0, you must enable buffering.
  Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

Procedures

To administer your intranet server remotely by using IIS Manager

1. Start IIS Manager on any computer on your network that is running a member of the Windows Server 2003 family.
2. To connect to a remote computer running IIS, right-click the local computer, and then click Connect.
3. In the Connect to Computer dialog box, in the Computer name box, type the name of the computer to which you want to connect, or click Browse to browse to the computer, and then click OK.
Note   If you do not have TCP/IP and a name resolution server, such as Windows Internet Name Service (WINS) installed, you might not be able to connect to an IIS computer using the computer name. As an alternative, you can also use the IP address of the IIS computer, or you can add the host name and IP address to the local hosts file on the computer, which is located at %systemdrive%\Windows\system32\drivers\etc\hosts. For more information, see "TCP/IP" in Help and Support Center for Windows 2003.

To administer your server remotely using Terminal Services

1. Install the Terminal Services client on the computer you are using to connect.
2. While the remote computer is running, start Terminal Services and identify the name of the remote computer.
3. From the Terminal Services window, administer IIS as you would locally. You can start IIS Manager on any computer on your network that is running Windows, or you can open a Web-based server-management appliance. You can also run scripts from the Terminal Services window.

To enable the Remote Administration (HTTP) tool through Control Panel

1. In Control Panel, click Add or Remove Programs.
2. In the Add or Remove Programs dialog box, click Add/Remove Windows Components.
3. In the Windows Components Wizard dialog box, in Components, click Application Server, and then click Details.
4. In the Application Server dialog box, in Subcomponents of Application Server, click Internet Information Services (IIS), and then click Details.
5. In the Internet Information Services (IIS) dialog box, in Subcomponents of Internet Information Services (IIS), click World Wide Web Service, and then click Details.
6. In the World Wide Web Service dialog box, in Subcomponents of World Wide Web Service, select the Remote Administration (HTML) check box, and then click OK.
7. Click OK two more times, and then, in the Windows Components Wizard dialog box, click Next.
8. After setup is complete, click Finish to close the wizard.

To enable buffering on the administrative Web site (for upgrades from IIS 4.0 to IIS 6.0 only)

In IIS Manager, double-click servername (local computer).
Double-click Web Sites.
Right-click the Administration Web site, and then click Properties.
Click Home Directory, click Configuration, and then click Options.
Check the Enable buffering check box, and then click OK twice.

To view the Remote Administration (HTML) tool from IIS Manager

Expand the local computer, expand the Web Sites folder, right-click the Administration Web site, and click Browse.

To administer an IIS Web server with the Remote Administration (HTML) tool

Open your intranet site from a Web browser and type the following in the address bar: https://hostname:8098
Replace hostname with the name of the computer that you want to connect to and administer.

For more information about how to manage servers remotely by using the Remote Administration (HTML) tool, see HOW TO: Remotely Administer Internet Information Services in Windows Server 2003.

Monday, August 26, 2013

Fixing error "0x800106ba" on Vista Windows Defender

Control Panel->Administrative tools->Services
Then locate WD and double-click it, select "startup type" as automatic, then click the "log on" tab, click "Local System account" and check the only check box available.
Click the "recovery" tab and make sure WD tries at least two times to start; you can understand this from the information you see there.
Now, click the "General" tab and click "start".

Close the window.

Configure the Web Deployment Handler

This guide provides a basic overview of the steps to configure the Web Deployment handler on your hosted server and test that a user can deploy applications to a Web site. The setup uses the information in this document to install the Web Deployment Tool onto a new server and configure recommended settings.

PREREQUISITES

This guide requires the following prerequisites:
  • .NET Framework 2.0 SP1 or greater
  • Web Deployment Tool 1.0 or 1.1
  • IIS 7 or above with the Web Management Service (WMSvc) installed
Note: If you have not already installed the Web Deployment Tool, see Installing the Web Deployment Tool.

UNDERSTANDING THE WEB DEPLOYMENT HANDLER

The handler is integrated with the Web Management Service (WMSVC) that ships with IIS 7.0 on Windows Server 2008 and IIS 7.5 on Windows 2008 R2.
First, you must create an account (either an IIS Manager User or Windows account) for the user. For more information about creating IIS Manager user accounts, see Configuring Remote Administration and Feature Delegation in IIS.
Second, the user must be authorized to connect to his or her Web site by using WMSVC. You can use the IIS Manager Permissions feature in IIS Manager to grant users the right to connect remotely to their Web sites.

Third, a user must also be authorized to perform deployments using the Web Deployment Tool. You can use the Management Service Delegation feature in IIS Manager to create delegation rules that allow users to perform deployments to their Web sites and to no others.

The following diagram illustrates how a user is first connected to and authorized by WMSVC, before the deployment request is routed to the handler and authorized against the handler’s own rules. This quick guide will help you set up the necessary rules to allow a user to deploy IIS applications with content, set file permissions and deploy databases.

PART 1 - CONFIGURE WMSVC AND IIS MANAGER PERMISSIONS

  1.  Install IIS and the Web Management Service on your Windows Server 2008 server.
  2.  Configure WMSVC so that remote connections are allowed.
    a. Open IIS Manager.
    b. Select the Server node.
    c. In Features View of the Server, double-click the Management Service icon.
    d. Ensure that the Enable remote connections checkbox is selected. If the checkbox is not selected and grayed out, use the Actions pane to stop the WMSvc Service. This will let you select the checkbox.
    e. On the right-hand Actions pane, click Start. The Enable remote connections checkbox will be selected and grayed out.
  3.  Give the account under which WMSvc is running (for example, Local Service) Full Control permissions to the customer's directory.
  4.  After creating a Web site for the user, allow the user access to his or her Web site.
    a. Open IIS Manager.
    b. Select the Web site that the user will manage remotely.
    c. In Features View, double-click the IIS Manager Permissions icon.
    d. On the IIS Manager Permissions page, in the Actions pane, click Allow User.
    e. In the Allow User dialog box, select the type of user (Windows or IIS Manager), then click Select to choose the user's account.
    f. Click OK to dismiss the Allow User dialog box.
For more information about IIS Manager user accounts, see Allow an IIS Manager User Account to Connect to a Site or an Application (IIS 7).

PART 2 – CREATE DELEGATION RULES FOR WEB DEPLOY USERS

  1.  If you have not yet done so, download the Web Deployment tool and install it on the Web server.
  2.  Create delegation rules for the Web Deploy functionality (providers) that you want to allow users to have. To allow a user to deploy applications and content to his or her Web site:
    a. Open IIS Manager.
    b. Select the Server node.
    c. In Features View of the Server, double-click the Management Service Delegation icon.

    d. In the right-hand Actions pane, click Add Rule…

    e. Select the Deploy Applications with Content rule template. This template creates a rule that allows any WMSVC authorized user to use the Web Deploy contentPath and iisApp providers to deploy applications to his or her user scope.

    f. Click OK to open the template.
    g. Click OK to create the rule.
    h. In the Add User to Rule dialog box, type an asterisk ( * ). This will allow each user to deploy applications to his or her user scope.
NOTE: If you want to perform admin-only synchronization, go to the Management Service Delegation page. In the Actions pane, click Edit Feature Settings, and then select Allow administrators to bypass rules.
Mark Folders as Applications Rule
  1.  To allow each user to create an application within his or her Web site:
    a. Click Add Rule…
    b. Select the Mark Folders as Applications rule template. This template allows all WMSVC authorized users to use the Web Deploy createApp provider to create applications within their user scope. The applications will inherit all settings from the parent, including the application pool.
    c. Click OK to open the template.
    d. In the RunAs section, select SpecificUser for the Identity Type, and then click the Set… button to specify a user account that will perform this operation. In order for this rule to work, the rule must run as a user that has access to write to the applicationHost.config file. It is recommended that you create an account (for example, "CreateAppUser") that is not in the Administrators group and only grant it the minimum required permissions. To do this:
    •  Create a user account.
    •  Grant read permission to %windir%\system32\inetsrv\config.
    •  Grant modify permission to %windir%\system32\inetsrv\config\applicationHost.config.
  2.  In the Add User to Rule dialog box, type an asterisk ( * ). This will allow each user to create applications within his or her Web site.
Deploy Databases Rule
  1.  To allow users to deploy databases to their Web sites:
    a. Click Add Rule …
    b. Select the Deploy Databases rule template. This template allows any WMSVC authorized users (as set in Part 1) to deploy databases to SQL database servers.
    c. Click OK to open the template.
    d. Add a path to authorize, such as Server=Server1 to allow anyone to deploy to this server using their SQL credentials, or Server=Server1;Database={userName}_db1 to restrict to specific databases that match their username.
    e. Click OK to create the rule.
  2.  In the Add User to Rule dialog box, type an asterisk ( * ). This will allow each user to deploy databases to his or her Web site.
Set Permissions Rule
  1.  To allow each user to deploy applications and content to his or her Web site:
    a. Click Select Rule Template…
    b. Select the Set Permissions rule template. This template allows any WMSVC authorized user to set ACLs on the file system.
    c. Click OK to open the template.
    d. Click OK to create the rule.
  2.  In the Add User to Rule dialog box, type an asterisk ( * ). This will allow each user to deploy applications and content within his or her Web site.
Optionally, Enable Tracing for WMSvc
If you want to enable tracing for WMSvc, see Configuring Web Management Service Tracing. Tracing logs are stored in %systemdrive%\inetpub\logs\wmsvc\tracinglogfiles\w3svc1. 

PART 3 - TEST THE USER'S CONNECTION TO THE WEB SITE

  1.  Download and install the Web Deployment Tool on a client machine that has IIS Remote Manager installed, or use the local server. It is recommended that you test the local server first to isolate any issues that may be caused by networking, firewall or proxy settings.
  2.  Test connect to the user's Web site by using the credentials you created for the user:
    a. Open IIS Manager.
    b. Right-click on the Start Page node.
    c. Select Connect to a Site… (Note: do not select Connect to a Server)
    d. In the Server name text box, enter localhost.
    e. In the Site name text box, enter the name of the user's Web site that you enabled for remote management.
    f. Click Next.
    g. In the User name text box, enter the user you authorized for the Web site.
    h. In the Password text box, enter the user's password.
    i. Click Next to complete the connection. You may be prompted to trust the certificate if you’re using an untrusted or self-signed certificate. The lower right-hand corner of IIS Manager will show the new connection status (for example, localhost 8172 as SampleUser).
  3.  Create a quick application package to verify that the authorization rules are working:
    a. In the Actions pane on the right, click Export Application…
    b. This will launch the Export Application wizard. Click Next through all of the screens to accept the defaults and create a package.
  4.  Now that you have created a package, verify that you can install it:
    a. In the Actions pane, click Import Application…
    b. Click Next.
    c. On the Parameters page, change the application name to something that doesn’t already exist in the Web site to verify that the user can create applications.
    d. Complete the wizard.
  5.  Finally, you should download an application package or use the Web Platform Installer to install an application to this Web site to verify that the database and other options are working.

TROUBLESHOOTING

There are some common issues that can occur during deployments:
  • User receives 401 unauthorized error while trying to connect to a Web site.
    o Cause(s): This error comes from WMSVC and is usually an error with username/password, or because the user does not have access to the Web site.
    o Resolution(s): Verify the username/password and that the user has access to the Web site.
  • User receives a server error while trying to import or export an application.
    o Cause(s): This error comes from the Web Deployment Handler and is usually a problem with the deployment rules. Since the user has connected successfully, it is not an issue with WMSVC. A deployment rule may have a typo, the user performing deployment may not be authorized or the runAs identity may not have access.
    o Resolution(s): Open the tracing logs at %systemdrive%\inetpub\logs\wmsvc\tracinglogfiles\w3svc1 and see what rule is failing to authorize.
      - Look for logs that contain failures, such as “Details: No rule was found that could authorize user 'server1\siteowner', provider 'appPoolConfig', operation 'Read', path 'DefaultAppPool'”. In this case, the provider appPoolConfig is not authorized and the user tried to add a provider they are not allowed to add.
      - Another common error is if the RunAs user that is being used to create apps does not have proper access to configuration. In this case, Procmon is a useful tool for determining where an access denied error may be coming from.
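
To find the failing rule without reading every trace file by hand, the following added example (not part of the original guide) extracts the "No rule was found" message quoted above from trace text and separates providers that no rule was meant to delegate from those that should have matched. The sample text and the list of delegated providers (taken from the rule templates in Part 2) are constructed for illustration.

```python
import html
import re
from collections import Counter

# Message text as quoted in this guide. The layout of the trace file around it
# is not assumed: the pattern is searched for anywhere in the text.
DENIED = re.compile(
    r"No rule was found that could authorize "
    r"user '(?P<user>[^']*)', provider '(?P<provider>[^']*)', "
    r"operation '(?P<operation>[^']*)', path '(?P<path>[^']*)'"
)

def find_denials(text):
    """Return one dict per delegation failure found in the trace text."""
    # Decode entities first so quotes written as &apos; in XML still match.
    return [m.groupdict() for m in DENIED.finditer(html.unescape(text))]

def summarize(denials):
    """Count failures per (user, provider, operation) so the missing rule stands out."""
    return Counter((d["user"], d["provider"], d["operation"]) for d in denials)

def providers_outside_rules(denials, delegated):
    """Providers that were requested although no rule is meant to cover them."""
    return sorted({d["provider"] for d in denials} - set(delegated))

# Providers named by the rule templates in Part 2 of this guide.
DELEGATED = ["contentPath", "iisApp", "createApp"]

# Constructed sample trace text; user names and paths are placeholders.
SAMPLE_TRACE = r"""
Details: No rule was found that could authorize user 'server1\siteowner', provider 'appPoolConfig', operation 'Read', path 'DefaultAppPool'
Details: No rule was found that could authorize user 'server1\siteowner', provider 'appPoolConfig', operation 'Read', path 'DefaultAppPool'
Details: No rule was found that could authorize user &apos;server1\otheruser&apos;, provider &apos;contentPath&apos;, operation &apos;Read&apos;, path &apos;Site2&apos;
Details: request completed
"""

if __name__ == "__main__":
    denials = find_denials(SAMPLE_TRACE)
    for (user, provider, op), n in summarize(denials).most_common():
        print(f"{n}x {user} -> {provider} ({op})")
    # A provider listed here was in the package but is not delegated at all;
    # a denial on a delegated provider points at user scope or path instead.
    print("not delegated:", providers_outside_rules(denials, DELEGATED))
```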

SUMMARY

This guide shows how to configure the WMSVC and the deployment handler to allow users to manage their Web applications and describes steps to use IIS Manager to create and install a package to verify that the delegation rules are working.