Probably the most important thing I can do first is to describe the environment I'm using; we have a global Active Directory forest with local domain controllers in each country. We have Windows 2003 servers running IIS 6 in both test and production - Developers (like myself) have a normal user account and a "Domain Administrator" account for working with remote servers. We use Kerberos for authentication (which requires a slight change to the process, see later).
The test website itself was generated with Visual Studio 2008. It has a single label (lblOutput) on Default.aspx and, in the page's Page_Load event handler, the following code (the three values are written out as rows of a small HTML table):

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    // Who the request is authenticated as, who the worker process runs as, and the raw IIS server variable
    lblOutput.Text = "<table>"
        + "<tr><td>Page.User.Identity.Name:</td><td>" + Page.User.Identity.Name + "</td></tr>"
        + "<tr><td>System.Security.Principal.WindowsIdentity.GetCurrent().Name:</td><td>" + System.Security.Principal.WindowsIdentity.GetCurrent().Name + "</td></tr>"
        + "<tr><td>Request.ServerVariables[\"LOGON_USER\"]:</td><td>" + Request.ServerVariables["LOGON_USER"] + "</td></tr>"
        + "</table>";
}
```
Put simply, this displays three things: the user the request was authenticated as (Page.User.Identity.Name), the Windows account the worker process is running as (WindowsIdentity.GetCurrent().Name, which reports the application pool identity as long as ASP.NET impersonation is off, the default), and the LOGON_USER server variable IIS set for the request. It is a good test of what we're doing, because the account running the worker process is exactly what this process changes. Remove the page once you have finished testing: it discloses the service account name to anyone who can reach the site.
This document is a fairly specific guide for the company I work for so we can do the process repeatedly, feel free to make suggestions to improve it and to skip any "unnecessary" steps that don't fit into your organisation.
Step by Step Guide
- Log on (Remote Desktop) to the machine acting as your web server and make sure you are connecting as an Administrator
- Open Windows Explorer and go to "C:\Websites"
- Create a directory with your website name; it's best not to use spaces or any special characters, as we're going to use this for the names of the Website in IIS and the Application Pool
- Open IIS Manager
- Right-click "Application Pools" and choose "New > Application Pool"
- Call the Pool AP + the directory name you used under "C:\Websites" (henceforth just "directory name")
- Choose "User default settings ..."
- Click "OK"
- Right-click the newly created Application Pool and select "Properties"
- Select the "Identity" tab, choose "Configurable" and enter the Windows account the website should run under, plus its password. Use a dedicated, low-privilege domain service account for this, not your own account and not an administrator account
- Click "OK"
- Right-click the "Websites" and select "New > Website"
- Enter the same name as you used for a directory
- Set the TCP Port to a value not currently in use by any of the other sites (IIS Manager will let you create a duplicate; the site simply won't start). "netstat -an" on the server shows what is already listening
- Select the directory you just created under "C:\Websites" as the location for the new site
- Choose "Run Scripts" and "Read" for permissions, and nothing more (ASP.NET does not need "Execute" or "Write")
- Click "Finish"
- Right-click the newly created Web Site and select "Properties"
- Go to "ASP.NET" tab and select the correct version (if needed)
- Go to "Home Directory" tab and change the "Application Pool" to the application pool you just created
- Go to "Directory Security" tab and click on "Edit" under "Authentication and access control"
- Untick "Enable anonymous access", so that only "Integrated Windows authentication" remains ticked
- Click "OK" twice
- Open up Computer Management, expand "Local Users and Groups", then "Groups"
- Open the IIS_WPG group and add the Windows account you are using to run the application pool (IIS_WPG carries the user rights a worker process needs). The account also needs NTFS read access to the site directory under "C:\Websites"
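The whole procedure above can be scripted so that it is repeatable across servers. The following is an added example, not part of the original guide: it drives the IIS 6 metabase through the IIS ADSI provider from PowerShell on the web server and performs the same steps as the list (directory, application pool with a configurable identity, site on a free port, Read + Run Scripts, anonymous access off, ASP.NET version, IIS_WPG membership). The site name "MySite", the account "CORP\svc-mysite", the port 8081 and the .NET 2.0 path are placeholders; the password should be supplied at run time rather than stored in the script.

```powershell
# Added example: scripted equivalent of the manual IIS Manager steps (IIS 6 / Windows Server 2003).
# Assumptions (placeholders): site "MySite", service account "CORP\svc-mysite", port 8081, ASP.NET 2.0.
param(
    [string]$SiteName     = "MySite",
    [string]$PoolUser     = "CORP\svc-mysite",
    [string]$PoolPassword = $(Read-Host "Password for $PoolUser"),
    [int]   $Port         = 8081
)

$SiteRoot = "C:\Websites\$SiteName"
$PoolName = "AP$SiteName"

# 1. Site directory; the name doubles as pool and site name, so keep it to plain characters
if ($SiteName -notmatch '^[A-Za-z0-9_-]+$') { throw "Use only letters, digits, '-' and '_' in the site name" }
if (-not (Test-Path $SiteRoot)) { New-Item -ItemType Directory -Path $SiteRoot | Out-Null }
cacls "$SiteRoot" /E /T /G "${PoolUser}:R" | Out-Null          # worker process needs Read on the content

# 2. Refuse a port that another site already binds (the GUI does not check this for you)
$w3svc = [ADSI]"IIS://localhost/W3SVC"
$sites = @($w3svc.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq "IIsWebServer" })
foreach ($s in $sites) {
    if (@($s.psbase.Properties["ServerBindings"].Value) -match ":$($Port):") {
        throw "Port $Port is already used by site '$($s.psbase.Properties['ServerComment'].Value)'"
    }
}

# 3. Application pool running as the dedicated account (AppPoolIdentityType 3 = "Configurable")
$pools = [ADSI]"IIS://localhost/W3SVC/AppPools"
$pool  = $pools.psbase.Children.Add($PoolName, "IIsApplicationPool")
$pool.psbase.Properties["AppPoolIdentityType"].Value = 3
$pool.psbase.Properties["WAMUserName"].Value = $PoolUser
$pool.psbase.Properties["WAMUserPass"].Value = $PoolPassword
$pool.psbase.CommitChanges()

# 4. Web site: next free site id, a single binding on the chosen port, home directory under C:\Websites
$ids    = @(0) + ($sites | ForEach-Object { [int]$_.psbase.Name })
$siteId = ($ids | Measure-Object -Maximum).Maximum + 1
$site   = $w3svc.psbase.Children.Add("$siteId", "IIsWebServer")
$site.psbase.Properties["ServerComment"].Value  = $SiteName
$site.psbase.Properties["ServerBindings"].Value = ":$($Port):"
$site.psbase.CommitChanges()

$root = $site.psbase.Children.Add("Root", "IIsWebVirtualDir")
$root.psbase.Properties["Path"].Value         = $SiteRoot
$root.psbase.Properties["AccessRead"].Value   = $true   # "Read"
$root.psbase.Properties["AccessScript"].Value = $true   # "Run scripts" (no Execute, no Write)
$root.psbase.Properties["AuthFlags"].Value    = 4       # AuthNTLM only: Integrated Windows auth, anonymous off
$root.psbase.CommitChanges()
$root.psbase.Invoke("AppCreate2", 2)                    # 2 = application in its own pooled worker process
$root.psbase.Properties["AppPoolId"].Value    = $PoolName
$root.psbase.CommitChanges()

# 5. ASP.NET version for this site only (equivalent of the "ASP.NET" tab), then IIS_WPG membership
& "$env:windir\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe" -s "W3SVC/$siteId/ROOT"
net localgroup IIS_WPG $PoolUser /add

# 6. Start the site; if the pool identity is wrong it will stop again almost immediately (see below)
$site.psbase.Invoke("Start")
"Site $SiteName (id $siteId) created on port $Port, pool $PoolName running as $PoolUser"
```

Run it in an elevated PowerShell session on the web server itself; the IIS ADSI provider is only available locally on IIS 6. Keeping the site, directory and pool names identical, as the manual steps do, is what makes this script idempotent enough to re-run safely after deleting a broken site.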
You are now ready to begin testing: open your web browser on a different machine and check that you can connect.
"Service Unavailable" error message in the browser
Check that the Windows account you are using for the application pool is actually able to log on (i.e. the account isn't locked or expired, and you've entered the correct username and password). IIS 6 cannot start a worker process under an invalid identity, and after a few failed starts rapid-fail protection stops the pool, which is what the browser reports as "Service Unavailable". The System event log (source W3SVC) on the web server records the actual reason.
If you refresh the "Application Pools" node in IIS Manager, a pool that has been stopped in this way shows a different icon; once the account is fixed, right-click the pool and choose "Start".
Multiple "username/password" dialogs followed by "you are not authorized to view this page" errors
The chances are, if you're seeing this, you are using Kerberos for authentication (like us). An easy way to tell is to download Firefox and try to access the site using that; it should accept your authentication and take you to the site. This is one of the very rare cases where Firefox will actually work and IE won't. The reason is that IE negotiates Kerberos and asks the domain controller for a ticket for HTTP/<server>. With no SPN mapping that name to the application pool account, the ticket is issued under the computer account's key, which the worker process (now running as your domain account rather than Network Service) cannot decrypt, so every attempt fails and IE prompts again. Firefox, unless it has been configured with network.negotiate-auth.trusted-uris, falls back to NTLM, which does not depend on SPNs, so it works.
In order to fix this problem you need to create a Service Principal Name (SPN) for the username/server combination, on the account the application pool runs as. Remember to create a fully qualified SPN as well as a short name (i.e. HTTP/server and HTTP/server.domain.forest.org); you are likely to need both and it makes it a lot easier to have both. Two caveats: an SPN may only exist on one account in the forest (a duplicate breaks Kerberos for both), and IE asks for HTTP/<hostname> regardless of the port the site listens on, so the SPNs do not include the port number.
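The following is an added example, not part of the original guide, showing how to register both SPNs from a domain-joined machine with the two caveats handled: it first searches Active Directory for any other account already holding each SPN and refuses to continue if it finds one, then registers the missing SPNs with setspn -A (the form available on Windows Server 2003) and lists the result. The server name "web01", the DNS domain "corp.example.org" and the account "CORP\svc-mysite" are placeholders; you need rights to write servicePrincipalName on the account (a Domain Admin has them).

```powershell
# Added example: register HTTP SPNs for a custom application pool account, refusing duplicates.
# Assumptions (placeholders): web server "web01", DNS domain "corp.example.org", pool account "CORP\svc-mysite".
param(
    [string]$Server    = "web01",
    [string]$DnsDomain = "corp.example.org",
    [string]$PoolUser  = "CORP\svc-mysite"
)

$sam  = $PoolUser.Split('\')[-1]                       # sAMAccountName without the domain prefix
$spns = @("HTTP/$Server", "HTTP/$Server.$DnsDomain")   # short and fully qualified; no port number

# Search the whole domain for each SPN before touching anything: a duplicate breaks Kerberos for both owners
$searcher = New-Object System.DirectoryServices.DirectorySearcher
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

foreach ($spn in $spns) {
    $searcher.Filter = "(servicePrincipalName=$spn)"
    $owner = $searcher.FindOne()
    if ($owner -ne $null) {
        $ownerName = [string]$owner.Properties["samaccountname"][0]
        if ($ownerName -ieq $sam) {
            "$spn is already registered on $sam, nothing to do"
            continue
        }
        throw "$spn is already registered on '$ownerName'. Remove it there first (setspn -D $spn $ownerName) or Kerberos will fail for both accounts."
    }
    # Not registered anywhere: add it to the pool account
    setspn -A $spn $PoolUser
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (exit code $LASTEXITCODE)" }
}

# Show the final set of SPNs on the account for the record
setspn -L $PoolUser
```

After the SPNs exist, log off and back on at the client (or run "klist purge" if you have the resource kit tool) so the browser stops reusing the old ticket, then retry the site in IE.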