IIS Informant - 13 Aug 2000


I'm using IIS 5.0, and I've been having problems getting my site to run. I'm using server-side Include statements in my documents to control document appearance and content, so I've mapped my .htm files to ssinc.dll, which processes server-side Include statements in .htm files. I've set everything up correctly, and I've checked the permissions extensively. Nevertheless, I continually receive a dialog box requesting a name and password as if a security problem existed. How can I fix this problem?

You've encountered a known bug in IIS 5.0, which the Microsoft article "Access Denied for the Default Document File Mapped to ssinc.dll" (http://support.microsoft.com/support/ kb/articles/q246/8/06.asp) describes. The problem occurs when the default document for your system (e.g., default.htm, default.stm, index .html—whatever default document you've specified) contains an #include statement and is processed by ssinc .dll. In this scenario, IIS 5.0 always sends error 401 Access Denied, which results in the security challenge. Contact Microsoft Product Support Services (PSS) for a patch. (This bug is fixed in Windows 2000 Service Pack 1—SP1.)

I recently upgraded to IIS 5.0. Since the upgrade, I've been receiving error 500-12 Application restarting. The error is related to Active Server Pages (ASP) and appears to be random. I haven't loaded anything unusual, and I didn't have this problem in IIS 4.0. How can I prevent this error?

This kind of problem can be maddening. My best guess is that you're suffering from a problem with IIS 5.0 that occurs when IIS recompiles the global.asa file. Making changes to global.asa requires that IIS recompile the file. When IIS detects such a change, it executes an orderly shutdown of running applications, recompiles global.asa, and relaunches the applications. If users attempt to connect to the server during the recompiling and application restart, they receive error 500-12 Application restarting.

Now, the question remains—Why is IIS performing this restart? As it turns out, antivirus software running on an IIS 5.0 server can cause IIS to think it needs to recompile global.asa. This scenario results in the symptoms you describe—apparently random restarts associated with ASP.

For information about this problem, see the Microsoft article "Err Msg: HTTP Error 500-12 Application Restarting" (http://support.microsoft.com/ support/kb/articles/q248/0/13.asp). No fix was available at the time of publication; the workaround is to refresh the browser.

I'm trying to connect 1000 clients to one IIS 4.0 system. These clients are issuing URLs that result in the execution of an Internet Server API (ISAPI) extension. Microsoft Performance Monitor shows that the Web Server:Current ISAPI Extension Requests counter gets to 256 before IIS starts returning WinInet error 12029 Cannot connect. I've set these configuration values:

Web Site (default web site)
Connections: unlimited
Hits per day: Greater than 100,000
HTTP Keep-Alives Enabled: yes

Is there a configuration value or Registry setting I can use to increase the number of outstanding ISAPI requests that IIS 4.0 supports?

IIS can handle this load without much trouble, so the focus lies not on tuning IIS but on your ISAPI extension. You must implement specific programming techniques to achieve scalability, or you're going to have the kinds of problems you're seeing.

A good resource for information about ISAPI behavior is Leonid Braginski and Matthew Powell, Running Microsoft Internet Information Server (Microsoft Press, 1998). The extension needs to create worker threads, then release its original thread back to the pool. Of course, you must turn ISAPI caching on. I'd take page 551 of this book to the programmers and see whether they're using DllMain or GetExtensionVersion to create the private pools. In addition, managing access to global resources is crucial. Also, you'll get better performance from IIS 5.0 than from IIS 4.0. (Thanks to reader Craig Weeks for this question.)

I'm having problems using Response.redirect in conjunction with Microsoft Proxy Server. The redirect works well for some users, but not for others. How can I fix this problem?

A problem exists with using Response.redirect with a Post command (usually when submitting a form), but that doesn't sound like your problem. (See the Microsoft article "FIX: IE Error When Posting to an ASP that Initiates Redirects" at http://support.microsoft .com/support/kb/articles/q175/3/18 .asp for information about this problem.) As it turns out, Microsoft Internet Explorer (IE) 5.0, 4.01 with SP1, 4.01, and 4.0 all have problems with Response.redirect when Proxy Server or a Web server returns them under certain conditions (e.g., if the redirect instruction is in one frame and the new redirect destination page is in another). Patches are available to fix the problem in these IE versions; Microsoft resolved the problem in IE 5.01.

Usually, when a redirect occurs, the server sends error 302 Object moved to the browser. If you can cause the browser to go to a new URL without the server sending it error 302 Object moved, you might solve the problem without applying any patches. So, try creating your own redirect function. Instead of using Response.redirect, use your own routine. You need to send the browser this code:

Response.Status = "302 Found"
Response.AddHeader "Location", YourURLHere
Response.AddHeader "Connection", "close"

I've read, but not tested, that to solve the Object Model problem, you might be able to procede the redirect with a Response.clear statement, such as

Response.redirect <http://the

See the Microsoft article "Internet Explorer Returns Error Message When Being Redirected" (http://support .microsoft.com/support/kb/articles/ q193/4/89.asp) for information about this problem. (Thanks to reader Shane Pike for this question.)

I saw a study stating that IIS performance can decrease as you add CPUs. I've also heard that Microsoft didn't design IIS for multiprocessor systems and it doesn't benefit from more than two CPUs. Can you help clarify the circumstances in which adding processors helps or hurts IIS?

Although adding more processors can decrease performance, this decrease occurs only when you add processors that you don't need. In such cases, you spend more time managing the additional complexity of the multi-CPU system than benefiting. I wouldn't go so far as to say that Microsoft didn't design IIS for multiprocessor machines—IIS is a Windows NT service, and NT makes good use of multiple CPUs. Win2K has evidently improved on this ability as well.

In addition, IIS can benefit from system use of multiple processors in ways that aren't necessarily directly related to IIS. For example, the network device interface specification (NDIS) assigns a NIC to each CPU by default. Spreading the network support load among the processors results in more efficient use of processor time to manage network activity, which in turn benefits IIS performance.

If you want to use multiple CPUs and IIS, be sure you're using SP5 or later because in SP5, Microsoft fixed a multiple-processor bug that caused ASP to crash. For a quick look at your processor load, use Performance Monitor to determine your typical load on these indicators:

  • System: Processor Queue Length—This indicator is the number of instructions waiting (queued) to be executed. The number shouldn't exceed 2 for a sustained period of time.
  • System: % Total Processor Time—This counter gives the percentage of time a processor is in use. On a multi-CPU system, this percentage is the sum of time in use for all processors divided by the number of processors. In other words, if one processor is running at 100 percent and another at 0, this counter will show 50 percent.
  • Processor: % Processor Time—This indicator monitors the same statistic as % Total Processor Time, but for individual processors. The counter also shows uneven distribution of the CPU load. In a single-CPU system, this number is always the same as % Total Processor Time.
  • Processor: % Privileged Time—This counter shows the percentage of time spent in Privileged mode. The NT core functions operate in this mode. High numbers here often mean that the OS is working hard to manage system functions.
  • Processor: % User Time—This counter indicates the percentage of time spent in User mode. IIS services (e.g., Inetinfo) run here.
  • High processor use with low to moderate network use can indicate a processor bottleneck. Also keep in mind that excessive paging, which occurs when the system is low on RAM, can masquerade as high CPU usage. Be sure you have sufficient RAM available for your system before concluding that your CPUs are a bottleneck. For more information about using Performance Monitor and tuning IIS, see
  • The Microsoft Internet Information Server Resource Kit, Chapter 4
  • IIS 5.0 Resource Guide, Chapter 5 (The resource guide is part of the Windows 2000 Resource Guide.)
  • The Microsoft article "The Art and Science of Web Server Tuning with Internet Information Services 5.0" (http://www.microsoft.com/technet/ iis/iis5tune.asp)
  • The Microsoft article "Internet Information Server 4.0 Tuning Parameters for High-Volume Sites" (http://www .microsoft.com/technet/iis/technote/ iistun.asp)
  • The Microsoft article "Measuring Hardware Performance of Web Sites" (http://www.microsoft.com/technet/ iis/meashd.asp)
  • Ken Spencer's Windows NT Magazine article "Optimizing IIS for Peak Performance" (May 1998)

I have a Web server running on machine A. I want pages from this Web server to be able to write information to sections of the file system from machine B. I'm using NT 4.0 with SP5 and IIS 4.0, and I've turned off Anonymous access. Both machines are in the same domain. I create a virtual directory on A, point it at the proper location on B, and supply a name and password as prompted. Everything works, except that anyone who accesses this directory has the permissions of the name and password I specified during the creation of the virtual directory. Can I use the NT permissions I applied to the original resource to control user access?

Before I answer your question, I must warn you that my solution involves enabling pass-through authentication for IIS 4.0, which Microsoft doesn't recommend and therefore doesn't support. Enabling pass-through authentication lets you achieve your goal, but it's likely to have side effects (e.g., Microsoft Index Server won't be able to index the virtual directory). There is a sunny side here, however: Microsoft built this capability into IIS 5.0 and, as far as I can tell, supports the configuration in that version.

Before you make these adjustments, be sure to back up your metabase. You also need to determine the Web site number assigned to the site in the metabase, which you can easily do using MetaEdit. MetaEdit comes with the Microsoft Windows 2000 Resource Kit (IIS 5.0) or the Microsoft Internet Information Server Resource Kit (IIS 4.0). (Be sure to use the new version of MetaEdit—MetaEdit 2.1. The Microsoft article "FILE: How to Download, Install, and Uninstall the IIS MetaEdit 2.1 Utility" (http://support.microsoft .com/support/kb/articles/q232/0/68 .asp) provides both information and the tool for download.

In IIS 5.0, the code in Listing 1 enables pass-through authentication on a virtual directory called Protected in the default Web site. You need to substitute the correct Web site number for 1 and the name of the virtual directory for Protected.

Next, you must enable an authentication mode that supports remote access to resources, which means you must use one of these modes:

  • Anonymous with IIS control password disabled
  • Basic
  • Integrated Windows (only if your users all use IE 5.0 on Win2K systems; otherwise, this won't work)
  • Certificate Mapping (IIS 5.0 version, not Windows Mapper)

In IIS 4.0, here's how you enable pass-through authentication:

  1. Enable an authentication mode that supports remote access to resources, which means you must use either
    • Basic
    • Anonymous with Automatic Password Synchronization turned off
  2. Locate the adsutil.vbs utility script, which is usually in the \winnt\sys
    tem32\inetsrv\adminsamples directory.
  3. At a command prompt, type adsutil set w3svc/#/root/*vdir*/UNCUserName#=<the Web site number in the metabase>. (You can use MetaEdit to identify this number. Vdir is the name of the virtual directory you're trying to affect.)
  4. Repeat Step 3, but type adsutil set w3svc/#/root/*vdir*/UNCPassword.
  5. Repeat Step 3, but type adsutil set w3svc/#/root/*vdir*/UNCAuthenticationPassThrough TRUE.
  6. Type net stop iisadmin /y.
  7. Type net stop start w3svc.

As a result of this procedure, you'll see an error in the Microsoft Management Console (MMC) associated with this virtual directory. However, the procedure will work. Note that any changes you make to the virtual directory through the MMC overwrite your modifications. Please remember—Microsoft neither supports nor recommends this configuration in IIS 4.0

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.