What is the best way to turn on HTTP Strict Transport Security on an IIS 7 web server?
Can I just go through the GUI and add the proper HTTP response header, or should I be using appcmd, and if so, what switches?
I have this section in my web.config:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true" />
  <security>
    <authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>
IIS7 crashes and complains about the authentication section:
Module AnonymousAuthenticationModule
Notification AuthenticateRequest
Handler StaticFile
Error Code 0x80070021
Config Error This configuration section cannot be used at this path. This happens when the section is locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set explicitly by a location tag with overrideMode="Deny" or the legacy allowOverride="false".
Config Source
69: <authentication>
70: <anonymousAuthentication enabled="true" />
So the usual way to solve this is to go into %windir%\system32\inetsrv\config\applicationHost.config
and unlock the section:
<sectionGroup name="system.webServer">
  <sectionGroup name="security">
    <section name="access" overrideModeDefault="Deny" />
    <section name="applicationDependencies" overrideModeDefault="Deny" />
    <sectionGroup name="authentication">
      <section name="anonymousAuthentication" overrideModeDefault="Allow" />
      <section name="basicAuthentication" overrideModeDefault="Allow" />
      <section name="clientCertificateMappingAuthentication" overrideModeDefault="Allow" />
      <section name="digestAuthentication" overrideModeDefault="Allow" />
      <section name="iisClientCertificateMappingAuthentication" overrideModeDefault="Allow" />
      <section name="windowsAuthentication" overrideModeDefault="Allow" />
    </sectionGroup>
(alternatively, appcmd unlock config).
The weird thing: I've done that and it still complains.
I looked for Locations (MVC is the name of my website that's the root of all sites I'm using):
<location path="MVC" overrideMode="Allow">
  <system.webServer overrideMode="Allow">
    <security overrideMode="Allow">
      <authentication overrideMode="Allow">
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
Still it blows up. I'm puzzled as to why this happens. I cannot remove it from the web.config, I want to find the root problem.
Is there a way to get specific information from IIS which rule is eventually denying me?
Edit: I was able to fix this using the IIS7 management console by going to the very root (my machine) and clicking "Edit Configuration" and unlocking the section there. Still I'd like to know if there is a better way since I can't find the file it actually modifies.
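The lock that the error message describes can be traced offline from a copy of applicationHost.config, which is also a useful audit of which authentication sections are delegated to site-level web.config files. The following Python script is an added example, not part of the original question and not an IIS tool; it resolves the effective overrideMode for one section at one site path. Assumptions: a simplified model that reads only overrideModeDefault on the section declaration and overrideMode on <location> elements, with the most specific matching <location> winning; the function name effective_override and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real applicationHost.config: the declaration locks
# windowsAuthentication by default and one <location> unlocks it for site "MVC".
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Allow" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="MVC" overrideMode="Allow">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

def effective_override(config_xml, section, site_path):
    """Return (mode, source) for `section` as seen from `site_path` (simplified model)."""
    root = ET.fromstring(config_xml)
    *groups, name = section.split("/")
    decl = root.find("configSections")
    for g in groups:  # walk the nested <sectionGroup> declarations
        decl = decl.find(f"sectionGroup[@name='{g}']") if decl is not None else None
    node = decl.find(f"section[@name='{name}']") if decl is not None else None
    if node is None:
        raise KeyError(f"section not declared: {section}")
    mode = node.get("overrideModeDefault", "Allow")  # attribute absent means Allow
    source = "declaration in <configSections>"
    site = site_path.strip("/").lower()
    # Least specific <location> first, so the most specific applicable one wins.
    for loc in sorted(root.findall("location"), key=lambda l: len(l.get("path", ""))):
        path = loc.get("path", "").strip("/").lower()
        applies = path == "" or site == path or site.startswith(path + "/")
        if applies and loc.find(section) is not None and \
                loc.get("overrideMode", "Inherit") in ("Allow", "Deny"):
            mode, source = loc.get("overrideMode"), f'<location path="{loc.get("path", "")}">'
    return mode, source

if __name__ == "__main__":
    sec = "system.webServer/security/authentication/windowsAuthentication"
    for site in ("MVC", "Other"):
        print(site, effective_override(SAMPLE, sec, site))
```

A result of Deny with the declaration as its source means no <location> in the file unlocks the section for that path, which is the condition the 0x80070021 message reports.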
I have a WCF service app hosted in IIS. On startup, it goes and fetches a really expensive (in terms of time and cpu) resource to use as local cache.
Unfortunately, IIS seems to recycle the process on a fairly regular basis. So I am trying to change the settings on the Application Pool to make sure that IIS does not recycle the application. So far, I've changed the following:
Will this be enough? And I have specific questions about the items I changed:
The reason for having IIS7 and IIS7.5 tags is because the app will run in both and hope the answers are the same between the versions.
Image for reference:
I have an application in one of my application pools that has a virtual path of /Site/login.aspx. I want to remove it but it no longer exists on my computer and it's causing me issues setting up AppFabric.
I understand that you can remove these phantom applications by recreating the application in IIS and then hitting Remove. That will get rid of the application from the pool but in this case I can't recreate the application due to the /login.aspx in the virtual path.
Any ideas how I remove this erroneous entry?
For any URL with a plus sign (+) in the base URL (not the querystring), IIS7 and IIS7.5 (Windows Server 2008 and 2008 R2) do not appear to forward the URL to the default handler on an ASP.NET application. I started noticing the issue with a custom HTTP handler on *.html but I have the same issue with *.aspx. IIS6 (Server 2003) has no problem with these same URLs.
To replicate the issue, in an ASP.NET site, I created a set of ASPX files that did a simple Response.Write with various names:
The third file was a test to see if IIS7[.5] was treating plus symbols as spaces (as it would in the querystring); this does not appear to be the case. With all of these files in place, hitting http://somehost/test_some+thing.aspx or http://somehost/test_some%2bthing.aspx will work fine in IIS6 but 404 in IIS7/IIS7.5 before getting to any ASP.NET handler. Is there some configuration in IIS7/7.5 that I am missing to get it to "see" a plus sign in the URL without missing the final extension used to determine an HTTP handler?