Microsoft IIS Web Server





IIS is Internet Information Services, the web server included with Windows Server operating systems. All current versions are built on a modular architecture; modules can be added or removed individually so that those required for specific functionality are installed. The full installation of IIS includes HTTP, security, content, compression, caching, logging and diagnostics.

Share tech news, updates, or what's on your mind.

Sign up to Post

I'm getting the following error message when trying to write to the event log in my aspx page:

code to write to the event log:
EventLog.WriteEntry ......

error message
[SecurityException: Requested registry access is not allowed.]
   System.ThrowHelper.ThrowSecurityException(ExceptionResource resource) +51
   Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +7469849
   System.Diagnostics.EventLog.CreateEventSource(EventSourceCreationData sourceData) +366
   System.Diagnostics.EventLog.VerifyAndCreateSource(String sourceName, String currentMachineName) +194
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +205
   System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +87
   System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type) +14
   TagTeam.ttDownloadHandler.ProcessError(HttpContext context, String errorMessage, EventLogEntryType entryType) in e:\InetPub\Products\RevBase\Applications\DotNet\ttDownloadHandler\sl.ashx:395
   TagTeam.ttDownloadHandler.ProcessRequest(HttpContext context) in e:\InetPub\Products\RevBase\Applications\DotNet\ttDownloadHandler\sl.ashx:106
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& 

Open in new window

Get a highly available system for cyber protection
Get a highly available system for cyber protection

The Acronis SDI Appliance is a new plug-n-play solution with pre-configured Acronis Software-Defined Infrastructure software that gives service providers and enterprises ready access to a fault-tolerant system, which combines universal storage and high-performance virtualization.

For sending requests to a webservice that deserializes Json, what items in this list are 'required' by the webservice?

# BasicAuthUser:
# BasicAuthPassword:
# ProxyURI:
# ProxyUser:
# ProxyPassword:
# SendHTTPHeaders:
# HeaderCookieData:
# ResponseCookieFile:
# HeaderSOAPAction:
# HeaderUserAgent:
# HeaderAccept:
# HeaderHost:
# HeaderReferer:
# HeaderConnection:
# HeaderContentType:
# CustomHeaderName(1): Authorization
# CustomHeaderValue(1):
# InputCcsid: 0
# OutputCcsid: 0
# EnableExpectHeader:  
# LocalInterface:
# Enable IPv6:
Hi everydone.

I am having a  Exchange 2013+ hybrid Exchange Online which when opening the ecp presents the IIS error

Has anyone seen this problem?
Hi Experts,
How to install "Dynamic content compression". It is coming disabled and i am getting error "The module DD"compdyn.dll" failed to load. I am using windows10.  Please help!

Thanks in advance!
I am getting an error as below when i deploy the code in IIS where as in local it works fine.

I have a master page and master page has an update panel which display a popup on click of a button . Inside an update panel it has two buttons which on click is performing operations server as well as client side operations. It has a child page where <asp:ScriptManager>.. has been employed (i.e., AJax CDN toolkit ). Now the issue seems to be like whenever the child page is loading it is not allowing a postback from master page's Update panel , whereby giving an exception as below :

Uncaught TypeError: Cannot read property 'PRM_ServerError' of undefined
    at Sys.WebForms.PageRequestManager._createPageRequestManagerServerError (MicrosoftAjaxWebForms.js:6)
    at Sys.WebForms.PageRequestManager._parseDelta (MicrosoftAjaxWebForms.js:6)
    at Sys.WebForms.PageRequestManager._onFormSubmitCompleted (MicrosoftAjaxWebForms.js:6)
    at Array.<anonymous> (MicrosoftAjax.js:6)
    at MicrosoftAjax.js:6
    at Sys.Net.WebRequest.completed (MicrosoftAjax.js:6)
    at XMLHttpRequest._onReadyStateChange (MicrosoftAjax.js:6) 

Open in new window

i tried setting like this to supress it, but it did not help :
<script runat=server>
  $(document).ready(function () {
            Sys.WebForms.PageRequestManager.getInstance().add_endRequest( endRequest );

        function endRequest( sender, e ) {
            if( e.get_error() ){
                document.getElementById("error").innerText =  e.get_error().description;
                e.set_errorHandled( true );

Open in new window

the issue is driving me nuts ! and i need a proper solution to make the button click in updatepanel work in Master page .
I need a powershell script that will capture the following details about websites residing in IIS:

.NET CLR version
Authentication method
Enable 32bit application flag
Connections strings

I'd like to be able to run it against a group of servers and output the server OS version and server name as well but that is a "nice to have"
URL Rewrite. Configure request blocking.
Need to allow all access to the EWS virtual directory from the localhost, but block access from all other hosts

I have tried the following config, but it's not working, rule#2 is blocking the local host.

Or in other words, rule#1 is not capturing all requests from the local hostExisting blocking rules - not working
I cannot for the life of me figure out what IP4 to put in this

I am trying to add a new adaptor to my EC2 server and I have to assign an IP address forst

Which entails the subnet etc...

On the current EC2 server in the IIS I see these that are in use
In my AWS COnsole I have tried everything I know to add this IP and get either an "Overlap" message or a :Invalid" message
Little help?
We built a new remote desktop services server just recently. We are very happy with it except for one strange issue. When one of our domain joined laptops launches the login page from either IE or Chrome, a certificate windows pops up asking to use one of our sub-ca certs to login. If I say yes, it gives me a login failure and an IIS screen pops up. If I say no, the cert screen goes away and continues to the correct login page. Its almost as if the site initially once to use the cert for authentication when it should not. Any ideas?

Built on Server 2016
Am using .net framework 4.6.1 and the class library project using C#. Need to enforce HTTP Strict Transport Security (HSTS) in all public facing http endpoints.I did configuration settings but it doesn't help me. Please help me about how to enforce HSTS on project and how to verify the site has hsts settings.
Have attached Properties window of the project, web.config, startup.cs .Please help...

Kind regards,
Active Protection takes the fight to cryptojacking
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Points of My Scenario
1. I have just implemented a single-server farm of SharePoint 2016
2. I created the first site collection of this farm and configured myself as primary site administrator
3. When I go to the website (http://servername), I get error "401 Unauthorized"
4. When I go to http://servername/default.aspx, I can access the homepage, but any other page - INCLUDING "Site settings" gives me the same error
5. I've tried: (a) enabling "Kernel-mode authentication" for Windows Authentication, (b) disabling Anonymous Authentication

QUESTION: What should I do to resolve the error and therefore use the website?
Can anyone give me their view on whether installing databases directly on a web server (where all your website files exist) is a major security issue, and why, given only the standard web ports are open to the Internet, nothing specific to SQL.

We have a CMS that allows users to edit the web pages, and the configuration, e.g. usernames & password hashes, user permissions etc etc, are all stored in a SQL Server express database, and the SQL Server express software and the databases themselves are installed on the web server itself. I'd like to know if this is 'unheard of' from a best practices point of view, or if the risk is relatively low and somewhat overblown. There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords, but their are already IP restrictions in place on where the CMS can be accessed from, e.g. not the Internet, only from machines on the internal private network. Granted if you could amend/drop tables etc that may seriously mess up with the website, but from a confidentiality perspective I am not sure its a major issue.

Is there anything above and beyond security as to why you should not coexist the CMS databases on the web server itself? If so, what are they?
I am having problems with an old Visual Studio 2010 Webforms site that uses forms authentication and works well when published to production server.  The problem is now I have moved up to Visual Studio 2017 and having an issue of casting WindowsIndentity object to another custom class.  It used to work in 2010 but does not work in 2017 when debugging.  Tried to change the code and now the problem is that when starting to debug the site, some browsers are not prompting for a login and using NTLM and I need it to force forms authentication.  I have it set to forms in the web.config file.  Some day we will rewrite the site but stuck with old system for now.  

Why would something that worked in VS 2010 not work the same in VS 2017?   Site is ASP.NET 4.0.

Does anyone know what the default url is for the cms user login for a site managed by the umbraco CMS?
Are there any 'best practices' guides for general iis configuration and management, not just from a security angle. Plus any common mistakes that are made.
2 Windows 2012 R2 Web Server Farm
IIS 8.5
VMware Esxi 6.5
Kemp Load Balancer
SQL 2014

I have 2 Web Farm Servers with shared config.

I am trying to build a web page using PHP all my other pages are HTML & ASP

I can get to

when I enter my userid and password which I stored in a SQL database

I get this error

Server Error
405 - HTTP verb used to access this page is not allowed.
The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.

I am thinking something in IIS not correctly setup

Any ideas?

Thank you

(reworked my question as it seems to be a "pure" IIS issue)

I am currently trying to deploy a server 2019 as a RDS Session Host and RDS Web Access server in our infrastructure for RemoteApp use.

I have followed the usual procedure and it seems everything went fine.

However, when I try to reach https://myserver/rdweb I get an IIS error:

HTTP Error 500.21 - Internal Server Error

Handler "ExtensionlessUrlHandler-Integrated-4.0" has a bad module "ManagedPipelineHandler" in its module list

Doesn't see much in the event logs - I guess there must be something in the IIS specific logs but not sure how to retrieve them.
Tried to google this but didn't find any obvious answer (yes .NET is deployed and active on the server, and I would have thought/hoped that the prerequisite would be checked by the installer). By all accounts, it would seem it a "pure" IIS issue around ASP.NET (ie not specific to RDS services) but in any case blocking.

Any help most welcome
Running IIS 8.5 with URL Rewrite to redirect http to https. Works works fine BUT if you try to type an exact url to a page on the site other than the home page root domain it DOES NOT forward to https.

Here is an example... --> redirects to

if you type in the exact url

DOES NOT redirect to https....

What am I missing?

URL Rewrite is set up as
 <rule name="HTTPS force" enabled="true" stopProcessing="true">
 <match url="(.*)" />
 <add input="{HTTPS}" pattern="^OFF$" />
 <action type="Redirect" url="https://{HTTP_HOST}{R:1}" redirectType="Permanent" />
I am looking into getting some assurances from our web server admins that all sites and configurations are subject to routine backups, and all relevant files/configurations associated with the servers & sites hosted on the server are included in the backup process, nothing has been overlooked etc. I appreciate it will be an 'it depends' type response and is quitea broad query, but as a broad outline, what are the various components of a website hosted on an IIS web server that need to be routinely backed up.
Become a Certified Penetration Testing Engineer
LVL 13
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Hi Experts,

I have an application that I did and has been working flawlessly for 5 years. Currently I need to move it from one Linux server to another, and my development server is IIS.

On the new server I can successfully login and the first page comes up, but when I try to take any action from there, the redirect from the following code takes place.

//Login Check 
echo '<br> check sec sess = ' . $_SESSION['sess_id']; 
echo '<br> check sec server sess = ' . session_id(); 
echo '<br> is logging in = ' . $isLoggingIn; 
echo '<br> is logging in set = ' . isset($isLoggingIn); 

    if ($isLoggingIn == FALSE){
        if (!isset($_SESSION['sess_id']) || ($_SESSION['sess_id'] != session_id())){

            header('Location:' . $env['url'] . '/?type=err&msg=Must Login First.');

Open in new window

Upon successful login I do $_SESSION['sess_id'] = session_id(); but my gut feeling tells me that the session on the new server, which is VPS at Bluehost, is too short? How can I check this, and also check if debugging is true?

However, I can be completely off track here, so any other assumptions would be appreciated.

We have a single IIS 7.5 server running SharePoint 2010. The IIS site has Windows Authentication and ASP.NET Impersonation enabled. Windows Authentication has "Extended Protection" OFF and "Kernel Mode Authentication" enabled as well as "Negotiate" and "NTLM" providers enabled. ASP.NET Impersonation is set to "Authenticated Users".

The site has two Site Bindings. The first one is set to port 80 without any host name and using any unassigned IP Address. The second one is set to port 80 with the host name using any unassigned IP Address.

We have an internal Active Directory DNS CNAME record for pointing to the server's FQDN on the private network.

From within the private network, using Chrome and IE, we are able to log into the SharePoint web server without being prompted for our Active Directory credentials if we use the http://123 URL, since IIS is processing pass thru authentication. However, we are getting prompted for our Active Directory username and password when using the URL.

We are looking to have users NOT be prompted for their Active Directory username and passwords when using the URL.

Thanks in advance,
Dear Experts, can we increase the maximum size of email signature in OWA of Exchange 2016 server?

GUI or cmd is ok for us. Many thanks as always!

I am trying to add a few URL rewrites, as an example, I have the following in my webconfig:

            <rule name="SpecificRewrite" stopProcessing="true">
                <match url="~/Users/Apples" />
                <action type="Redirect" url="~/Users/Products.aspx?category=apples" redirectType="Permanent" />

Open in new window

I am running through VS for testing but just get a page not found (HTTP Error 404.0 - Not Found) when I navigate to http://localhost:56192/Users/Apples

Any help is appreciated.

Just upgraded out TFS install to 2018 and migrated to a new server. Trying to set it up so we only use HTTPS and I am able to login through the web interface and projects listed but when I try to connect through Visual Studio 2017 I get this error:

"TF400324: Team Foundation services are not available for server 'servernamehere'. Technical information (for administrator):
   The underlying connection was closed: Could not establish trust relationship for SSL/TLS secure channel"

In IIS I modified the bindings for the TFS and removed all the default bindings so now I only allow https://servername.domain and assigned a wildcard cert with the domain in it we got off godaddy. I then went into the TFS administration console and under the application tier I set the public URL to the same URL that was in the binding. I then reset the server to make sure everything got updated with the new URL settings.

Even then I was still getting the same message every time I tried to connect using Visual Studio. I know the cert is good and the path does work since I can connect via a web browser but I am not getting enough detail from the error message to help see what Visual Studio is actually trying to connect to generate that error.
i have a virtual machine within Azure which serves up a web site.

when i navigate to it works fine.  i purchased a SSL certificate and it imported into IIS.  i edited the bindings for the cert using the default port of 443.  i added the site's name to the bindings.  

when i navigate to i get a "The connection has timed out" error.

the firewall rules allow 443 (default rule).

what else can i check and/or modify within IIS or the OS?  any help is appreciated.


Microsoft IIS Web Server





IIS is Internet Information Services, the web server included with Windows Server operating systems. All current versions are built on a modular architecture; modules can be added or removed individually so that those required for specific functionality are installed. The full installation of IIS includes HTTP, security, content, compression, caching, logging and diagnostics.