Configuring Remote Administration and Feature Delegation in IIS 7 : The Official Microsoft IIS Site
Introduction
IIS provides administrators and developers with a new configuration system that is accessible, extensible and distributable. The new XML-based format allows for easy configuration of the modules and features available in IIS 7 and above. It also enables granular control of the locations at which settings for individual features can be configured (for example, at the server level in the applicationHost.config file, or at a site or an application level in a Web.config file). The new IIS administration user interface (UI), IIS Manager, fully supports this new configuration system and adds additional features that provide a powerful and granular system for configuring the Web server. Two of these additional features are remote administration of servers, sites and applications, and support for user-based authentication and authorization.
This article explains how to enable remote connections, configure users and permissions, and delegate features to a site or application level.
There are many scenarios where an IIS server administrator might want to delegate administrative control of a certain feature or features to someone, or where the administrator might want to prevent others from viewing existing configuration. Take the following scenario, for example.
Edward is a server administrator on a computer that hosts several sites. The computer is part of a domain, and some of the site owners belong to the same domain. However, some of the site owners are outside of the domain, and Edward must create IIS Manager user accounts for them by creating a user name and password for each owner. After he has created the necessary IIS Manager user accounts, Edward sets up IIS Manager permissions for each site to specify which of the users are allowed to connect to a particular site. To do this, Edward opens the IIS Manager Permissions feature in each site and adds Windows users and IIS Manager users. This action does two things. First, it configures IIS to allow a user to connect to the site when the user provides valid credentials. Second, it permits users who successfully connect to configure any delegated features in that site.
Edward also wants to delegate configuration of some features that he trusts to be configured by a site owner in his or her own site. This eliminates the need for a site owner to request that Edward configure features that vary by site, such as default documents. He decides to delegate configuration for the following features in all sites on his server: Default Documents, Directory Browsing, and Error Pages. In addition, Edward decides to delegate configuration of an additional feature, HTTP Redirect, to the site Contoso, because he knows that the site often needs to be redirected and trusts the site owners to configure those settings. He sets all other features to be Read Only so that site owners can see the settings but not configure them in their sites.
Julian and Catherine are site owners for the site Contoso on Edward's computer. Julian has a Windows user account, and Catherine has an IIS Manager user account for which Edward has provided her credentials. They can both open IIS Manager on their own computers, and connect to Contoso because Edward has permitted their accounts to configure the Contoso site. They each see all of the features that have been delegated to the site level. They can configure Default Documents, Directory Browsing, Error Pages, and HTTP Redirect because Edward delegated configuration of those settings to their site.
Prerequisites
iis.net/learn/manage//configuring-remote-administration-and-feature-delegation-in-iis-7
10/4/12
The following items are required to be installed to complete the procedures in this article:
- IIS 7.0 on Windows Server 2008 or IIS 7.5 on Windows Server 2008 R2
- IIS Manager
Note: The next section in this article explains IIS Manager credentials.
To enable remote connections and allow connections from Windows users and IIS Manager users:
1. In IIS Manager, in the Connections pane, click the server node in the tree.
2. Double-click Management Service to open the Management Service feature page.
4. Select the Enable remote connections check-box.
5. Under Identity Credentials, select Windows credentials or IIS Manager credentials.
6. In the Actions pane, click Apply to save the changes, and then click Start to start the Management Service.
Additional Information
You do not have to enable remote connections to start the Management Service. If remote connections are disabled and the Management Service is started, you can connect to the Management Service from the local computer but not from a remote computer. If you cannot connect from a remote computer, make sure that remote connections are enabled. You should check your firewall settings to ensure that connections are allowed to the Management Service. When the Management Service is installed, the setup process adds a firewall rule that allows traffic to the Management Service on port 8172 (the default port), which is on by default. If you ever change the port that the Management Service uses, you must add a new firewall rule to allow traffic to the Management Service on that port.
Description
Specifies the IP address to which the service is bound.
Specifies the port number that the service uses for requests.
8172
SSL
Specifies the SSL certificate used by the over the port specified in the Port field. This list contains the SSL certificates that are available to the server. If you want to add additional SSL certificates, use the Server Certificates feature at the server level.
Log requests to
Specifies the path to the log files for the Management Service.
%SystemDrive%\Inetpub\logs\WMSVC
3. On the IIS Manager Users page, in the Actions pane, click Add User.
4. In the User name box, type a user name.
5. In the Password box, type a password and then retype the password in the Confirm password box.
6. Click OK.
To permit an IIS Manager user to connect to a site or an application:
1. In IIS Manager, in the Connections pane, select the site or application for which you want to configure permissions.
2. On the home page for the site or application, double-click IIS Manager Permissions.
3. On the IIS Manager Permissions page, in the Actions pane, click Allow User.
4. On the Allow User dialog box, select IIS Manager and click Select.
5. On the Users dialog box, select one or more IIS Manager users from the list and then click OK.
6. Click OK to dismiss the Allow User dialog box.
To permit a Windows user to connect to a site or an application:
1. On the IIS Manager Permissions page, in the Actions pane, click Allow User.
2. On the Allow User dialog box, select Windows and then click Select.
3. On the Select User or Group dialog box, type a user name or search for a user account, and then click OK.
3. On the Provide Credentials page of the Connect to Site or Connect to Application wizard, select whether you want to use current credentials or to specify the credentials to connect to the site. When you specify credentials, the default is Windows credentials unless you select the Use IIS Manager credentials check-box. After you specify the credentials, click Next to connect to the server.
4. If the connection succeeds, IIS Manager will display a final page on the Connect to Site or Connect to Application wizard to name the connection. As shown in the image below, the TestAdmin user has created a site connection to the Contoso.com site.
Additional Information
In the next section, we look at Feature Delegation. However, before we do that, and to better explain Feature Delegation and what it does, we look at one feature of the site we have just connected to. The site should be highlighted and the site home page should be displayed. On the home page, double-click Error Pages. As shown in the image below, on the right-hand side of the page there is an alert saying "This feature has been locked and is read only." This alert is displayed when a feature has been locked; the next section explains Feature Delegation and locking in more detail.
Description
Not Delegated
The configuration is locked and any configuration of the feature in a Web.config file will cause a runtime error. The feature is not visible or configurable in IIS Manager when a user is connected at levels below where this state is set. For example, if a feature is configured to be Not Delegated at a site level, users connected to applications in that site will not see the feature and cannot configure it in IIS Manager.
Read Only
The configuration is locked and any configuration of the feature in a Web.config file will cause a runtime error. The feature is visible in IIS Manager when a user is connected at lower levels, but the configuration is locked so that changes cannot be made.
Read/Write
The feature can be configured in Web.config. The feature appears in IIS Manager and can be configured when a user is connected at lower levels (site or application level).
Configuration Read Only
The meaning is the same as Read Only; however, there are settings or data for the feature that are stored and managed outside of IIS, such as in a database.
Configuration Read/Write
The meaning is the same as Read/Write; however, there are settings or data for the feature that are stored and managed outside of IIS, such as in a database.
Note: Server administrators can modify the configuration for all features, so if they are connected to the server, they will see all features at all levels even if a feature has been configured to not display at lower levels.
3. Select Delegation from the Group by list to organize the list of features by their current delegation states.
4. Select Error Pages in the Feature Delegation list, and then review the available delegation states in the Actions pane. The Error Pages feature is selected and the available options under Set Feature Delegation are Read/Write, Remove Delegation and Reset to Inherited.
5. Select Error Pages. In the Actions pane, click Read/Write to unlock the configuration section that is related to the Error Pages feature. This makes the feature configurable in Web.config files and in IIS Manager at the site and application levels.
Additional Information
The following excerpt from the IIS configuration files shows that the values can be overridden at every location (also referred to as "path"):
<location path="" overrideMode="Allow">
  <system.webServer>
    <httpErrors>
      ...
    </httpErrors>
  </system.webServer>
</location>
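An added example, not part of the original article or Microsoft's code: a Python check that models how `<location overrideMode>` tags yield the delegation states described above, and flags sections a site's Web.config sets while they are still locked (the case the state descriptions say causes a runtime error). Both config samples are constructed; the `overrideModeDefault` attribute in `<configSections>`, the per-site `<location path="Contoso">` tag and the site name Fabrikam are assumptions not shown on the page, and path inheritance is simplified.

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like applicationHost.config and a site Web.config.
APPHOST = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="httpErrors" overrideModeDefault="Deny" />
      <section name="httpRedirect" overrideModeDefault="Deny" />
    </sectionGroup>
  </configSections>
  <location path="" overrideMode="Allow">
    <system.webServer><httpErrors /></system.webServer>
  </location>
  <location path="Contoso" overrideMode="Allow">
    <system.webServer><httpRedirect enabled="false" /></system.webServer>
  </location>
</configuration>"""
WEB_CONFIG = ('<configuration><system.webServer><httpErrors />'
              '<httpRedirect enabled="true" /></system.webServer></configuration>')

def section_defaults(node, prefix=""):
    """Map 'group/section' -> overrideModeDefault declared in <configSections>."""
    found = {}
    for child in node:
        name = prefix + child.get("name", "")
        if child.tag == "section":
            found[name] = child.get("overrideModeDefault", "Allow")
        found.update(section_defaults(child, name + "/"))  # nested sectionGroup
    return found

def sections_under(node, known, prefix=""):
    """Yield the declared section paths that appear anywhere below `node`."""
    for child in node:
        path = prefix + child.tag
        if path in known:
            yield path
        yield from sections_under(child, known, path + "/")

def effective_modes(apphost_xml, site):
    """Return {section: 'Allow'|'Deny'} for `site`; path="" applies first, then the site."""
    root = ET.fromstring(apphost_xml)
    modes = section_defaults(root.find("configSections"))
    for loc in sorted(root.findall("location"), key=lambda e: len(e.get("path", ""))):
        path, mode = loc.get("path", ""), loc.get("overrideMode", "Inherit")
        if mode in ("Allow", "Deny") and (path == "" or (site + "/").startswith(path + "/")):
            for section in sections_under(loc, modes):
                modes[section] = mode
    return modes

def locked_sections_used(apphost_xml, site, web_config_xml):
    """Sections the site's Web.config sets although they are locked for that site."""
    modes = effective_modes(apphost_xml, site)
    used = sections_under(ET.fromstring(web_config_xml), modes)
    return sorted(s for s in used if modes[s] == "Deny")
```

Running `locked_sections_used` against a site's Web.config before deployment shows which settings depend on a delegation the server administrator has not granted.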
To further demonstrate what this action does, look at the Error Pages feature at a site level. In the Connections pane, connect to a site and then double-click Error Pages on the site home page. As shown in the image below, the Error Pages feature can now be configured by the user connected to the site level.
to be applicable to all sites. In this case, you can configure a custom delegation state for a specific site. You can also copy custom delegation states of all features from one site to another site.
To configure custom delegation states for features in a specific site
1. In IIS Manager, double-click Feature Delegation.
2. On the Feature Delegation page, in the Actions pane, click Custom Web Site Delegation.
3. From the Sites list, select the site for which you want to configure custom delegation settings.
4. Select a feature, and then click a delegation state in the Actions pane.
To copy custom delegation states from one site to another site
1. On the Custom Web Site Delegation page, in the Sites list, select the site from which you want to copy delegation to another site.
2. Click Copy Delegation.
3. On the Copy Delegation dialog box, select the site or sites to which you want to copy the delegation states and then click OK.
Reset Feature Delegation States
There may be a time in which it is necessary to undo the changes that have been made to the delegation states of features. Perhaps the changes were made to a particular site or application by accident, or some 'experimentation' with the feature has gone wrong. In this case, reset the delegation states of all features back to their default states. Or, reset only one feature back to its default state.
To reset feature delegation states
1. Open the Feature Delegation feature page.
2. To reset all feature delegation states, in the Actions pane click Reset All Delegation.
To reset the delegation state of a specific feature, select the feature in the list, and in the Actions pane click Reset to Inherited.
By Saad Ladki
Saad Ladki is a former Program Manager at Microsoft and now works for Amazon