Microsoft IIS Web Server





IIS is Internet Information Services, the web server included with Windows Server operating systems. All current versions are built on a modular architecture; modules can be added or removed individually so that those required for specific functionality are installed. The full installation of IIS includes HTTP, security, content, compression, caching, logging and diagnostics.

Share tech news, updates, or what's on your mind.

Sign up to Post


I'm testing a website in my company's intranet and would like to enable "Single Sign-on Authentication" method for computers in the domain but also let users login with their company username and passwords when accessing the site from outside the domain (using LDAP).

They provided me with a Microsoft Server 2016 with Internet Information Server 10 and PHP 7.3.

Currently I've enabled the "Windows Authentication" for the site but also the "Anonimous Authentication" in IIS. This was because with only Windows Authentication, the website gave an error when trying to navigate into it. The problem now is that the PHP Server variables does not show the AUTH_USER for the company's domain users, which needs only the Windows Authentication to be enabled.

How can I configure all of this? What would be the best configuration/scenario to use?

Thanks in advance,

Build an E-Commerce Site with Angular 5
LVL 13
Build an E-Commerce Site with Angular 5

Learn how to build an E-Commerce site with Angular 5, a JavaScript framework used by developers to build web, desktop, and mobile applications.

I have a Log_File_Max_Size_Truncate error in my FREB logs.  I have looked for a solution and I found that I am supposed to implement this:

appcmd set config /section:sites -siteDefaults.traceFailedRequestsLogging.maxLogFileSizeKB:1024  

The problem is that I don't know where to do that.  I tried in the command prompt on my server but that generated an error.  Any help would be much appreciated!
IIS 8.5.9600.16384 Revealing internal IP address:

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Server: Microsoft-IIS/8.5
X-RequestId: c9f71f8c-354b-4238-a7a6-2cad9d41ecdc
Date: Wed, 27 Mar 2019 22:16:01 GMT
Connection: close
Content-Length: 0

I can find many articles for previous versions of IIS but nothing for IIS 8.5
I need to reconfigure passwords for many IIS servers, and manual setup would take way too long, so I will be using PowerShell to automate the process.
I already have all the pieces to set up specific user authentication for each of the application pools, but could use PowerShell assistance with:

1) Setting the local IUSR_ password:
IUSR-Password.jpgBy the way, the version of PowerShell is 4.0, so I cannot use the Set-LocalUser cmdlet (which was first introduced in 5.1).

2) Setting the website identity (I already have the application pool identity set up):
3) Setting the field Physical Path Credentials Logon from ClearText to Network:
I have a Windows Server running IIS with a default website.
The default website has 4 apps:

--- Default Web Site
-------- ABC
-------- App2
-------- App39
-------- AnotherApp

They are all bound to port 80 and so currently, they are accessed by their directory.
For example, to get to the app called App39, you would type this in your web browser >

Rather than expose the server name, I'd like to have the URL look like a subdomain. In other words, instead of...
I would like to access the site like this ...

In IIS you can edit the bindings (port number and/or host header) on the root site only. But how would I do it on an app and/or virtual folder?

I suppose I could just create a new site in IIS, use host header and call it a day. But reconfiguring these apps would be a nightmare so I was hoping there was a solution.
I'm getting the following error message when trying to write to the event log in my aspx page:

code to write to the event log:
EventLog.WriteEntry ......

error message
[SecurityException: Requested registry access is not allowed.]
   System.ThrowHelper.ThrowSecurityException(ExceptionResource resource) +51
   Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable) +7469849
   System.Diagnostics.EventLog.CreateEventSource(EventSourceCreationData sourceData) +366
   System.Diagnostics.EventLog.VerifyAndCreateSource(String sourceName, String currentMachineName) +194
   System.Diagnostics.EventLog.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +205
   System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData) +87
   System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type) +14
   TagTeam.ttDownloadHandler.ProcessError(HttpContext context, String errorMessage, EventLogEntryType entryType) in e:\InetPub\Products\RevBase\Applications\DotNet\ttDownloadHandler\sl.ashx:395
   TagTeam.ttDownloadHandler.ProcessRequest(HttpContext context) in e:\InetPub\Products\RevBase\Applications\DotNet\ttDownloadHandler\sl.ashx:106
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& 

Open in new window

Hello, All.

Not sure if this can be done or not.
I am wanting to design a web-based media site, to catalog all my movies in.
And when the link is clicked on for the movie, I would like to have the default media player to launch the movie.

I read, doing this, would work. However, it does not.
<a href="file://J:/Movies/Drama/MovieDrama.mp4">Movie 1999</a>

Open in new window

Any idea's on how to accomplish this?

I will be doing this for my own network users to access, this is NOT something that will be for the World to see.
Just local area network only.

Thanks All.
For sending requests to a webservice that deserializes Json, what items in this list are 'required' by the webservice?

# BasicAuthUser:
# BasicAuthPassword:
# ProxyURI:
# ProxyUser:
# ProxyPassword:
# SendHTTPHeaders:
# HeaderCookieData:
# ResponseCookieFile:
# HeaderSOAPAction:
# HeaderUserAgent:
# HeaderAccept:
# HeaderHost:
# HeaderReferer:
# HeaderConnection:
# HeaderContentType:
# CustomHeaderName(1): Authorization
# CustomHeaderValue(1):
# InputCcsid: 0
# OutputCcsid: 0
# EnableExpectHeader:  
# LocalInterface:
# Enable IPv6:
I want to create an internal webpage on my current IIS Windows 2016 server that displays "ALL Active Directory Users"
  ** including their Active Directory photo that already displays via my onPremise Exchange server

What do you recommend ?

Below are a few ideas I found, but would also like input from others
  ** $249 onetime cost
Hi everydone.

I am having a  Exchange 2013+ hybrid Exchange Online which when opening the ecp presents the IIS error

Has anyone seen this problem?
Angular Fundamentals
LVL 13
Angular Fundamentals

Learn the fundamentals of Angular 2, a JavaScript framework for developing dynamic single page applications.

Hi Experts,
How to install "Dynamic content compression". It is coming disabled and i am getting error "The module DD"compdyn.dll" failed to load. I am using windows10.  Please help!

Thanks in advance!
I am getting an error as below when i deploy the code in IIS where as in local it works fine.

I have a master page and master page has an update panel which display a popup on click of a button . Inside an update panel it has two buttons which on click is performing operations server as well as client side operations. It has a child page where <asp:ScriptManager>.. has been employed (i.e., AJax CDN toolkit ). Now the issue seems to be like whenever the child page is loading it is not allowing a postback from master page's Update panel , whereby giving an exception as below :

Uncaught TypeError: Cannot read property 'PRM_ServerError' of undefined
    at Sys.WebForms.PageRequestManager._createPageRequestManagerServerError (MicrosoftAjaxWebForms.js:6)
    at Sys.WebForms.PageRequestManager._parseDelta (MicrosoftAjaxWebForms.js:6)
    at Sys.WebForms.PageRequestManager._onFormSubmitCompleted (MicrosoftAjaxWebForms.js:6)
    at Array.<anonymous> (MicrosoftAjax.js:6)
    at MicrosoftAjax.js:6
    at Sys.Net.WebRequest.completed (MicrosoftAjax.js:6)
    at XMLHttpRequest._onReadyStateChange (MicrosoftAjax.js:6) 

Open in new window

i tried setting like this to supress it, but it did not help :
<script runat=server>
  $(document).ready(function () {
            Sys.WebForms.PageRequestManager.getInstance().add_endRequest( endRequest );

        function endRequest( sender, e ) {
            if( e.get_error() ){
                document.getElementById("error").innerText =  e.get_error().description;
                e.set_errorHandled( true );

Open in new window

the issue is driving me nuts ! and i need a proper solution to make the button click in updatepanel work in Master page .
I need a powershell script that will capture the following details about websites residing in IIS:

.NET CLR version
Authentication method
Enable 32bit application flag
Connections strings

I'd like to be able to run it against a group of servers and output the server OS version and server name as well but that is a "nice to have"
URL Rewrite. Configure request blocking.
Need to allow all access to the EWS virtual directory from the localhost, but block access from all other hosts

I have tried the following config, but it's not working, rule#2 is blocking the local host.

Or in other words, rule#1 is not capturing all requests from the local hostExisting blocking rules - not working
I cannot for the life of me figure out what IP4 to put in this

I am trying to add a new adaptor to my EC2 server and I have to assign an IP address forst

Which entails the subnet etc...

On the current EC2 server in the IIS I see these that are in use
In my AWS COnsole I have tried everything I know to add this IP and get either an "Overlap" message or a :Invalid" message
Little help?
We built a new remote desktop services server just recently. We are very happy with it except for one strange issue. When one of our domain joined laptops launches the login page from either IE or Chrome, a certificate windows pops up asking to use one of our sub-ca certs to login. If I say yes, it gives me a login failure and an IIS screen pops up. If I say no, the cert screen goes away and continues to the correct login page. Its almost as if the site initially once to use the cert for authentication when it should not. Any ideas?

Built on Server 2016
Am using .net framework 4.6.1 and the class library project using C#. Need to enforce HTTP Strict Transport Security (HSTS) in all public facing http endpoints.I did configuration settings but it doesn't help me. Please help me about how to enforce HSTS on project and how to verify the site has hsts settings.
Have attached Properties window of the project, web.config, startup.cs .Please help...

Kind regards,
Points of My Scenario
1. I have just implemented a single-server farm of SharePoint 2016
2. I created the first site collection of this farm and configured myself as primary site administrator
3. When I go to the website (http://servername), I get error "401 Unauthorized"
4. When I go to http://servername/default.aspx, I can access the homepage, but any other page - INCLUDING "Site settings" gives me the same error
5. I've tried: (a) enabling "Kernel-mode authentication" for Windows Authentication, (b) disabling Anonymous Authentication

QUESTION: What should I do to resolve the error and therefore use the website?
Can anyone give me their view on whether installing databases directly on a web server (where all your website files exist) is a major security issue, and why, given only the standard web ports are open to the Internet, nothing specific to SQL.

We have a CMS that allows users to edit the web pages, and the configuration, e.g. usernames & password hashes, user permissions etc etc, are all stored in a SQL Server express database, and the SQL Server express software and the databases themselves are installed on the web server itself. I'd like to know if this is 'unheard of' from a best practices point of view, or if the risk is relatively low and somewhat overblown. There is no sensitive client data in it, the worst it would expose would be user accounts of the CMS and their passwords, but their are already IP restrictions in place on where the CMS can be accessed from, e.g. not the Internet, only from machines on the internal private network. Granted if you could amend/drop tables etc that may seriously mess up with the website, but from a confidentiality perspective I am not sure its a major issue.

Is there anything above and beyond security as to why you should not coexist the CMS databases on the web server itself? If so, what are they?
Why Diversity in Tech Matters
LVL 13
Why Diversity in Tech Matters

Kesha Williams, certified professional and software developer, explores the imbalance of diversity in the world of technology -- especially when it comes to hiring women. She showcases ways she's making a difference through the Colors of STEM program.

I am having problems with an old Visual Studio 2010 Webforms site that uses forms authentication and works well when published to production server.  The problem is now I have moved up to Visual Studio 2017 and having an issue of casting WindowsIndentity object to another custom class.  It used to work in 2010 but does not work in 2017 when debugging.  Tried to change the code and now the problem is that when starting to debug the site, some browsers are not prompting for a login and using NTLM and I need it to force forms authentication.  I have it set to forms in the web.config file.  Some day we will rewrite the site but stuck with old system for now.  

Why would something that worked in VS 2010 not work the same in VS 2017?   Site is ASP.NET 4.0.

Does anyone know what the default url is for the cms user login for a site managed by the umbraco CMS?
Are there any 'best practices' guides for general iis configuration and management, not just from a security angle. Plus any common mistakes that are made.
2 Windows 2012 R2 Web Server Farm
IIS 8.5
VMware Esxi 6.5
Kemp Load Balancer
SQL 2014

I have 2 Web Farm Servers with shared config.

I am trying to build a web page using PHP all my other pages are HTML & ASP

I can get to

when I enter my userid and password which I stored in a SQL database

I get this error

Server Error
405 - HTTP verb used to access this page is not allowed.
The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.

I am thinking something in IIS not correctly setup

Any ideas?

Thank you

I have a rdweb service that is  published over the interent I want to secure the authentication with client certificate so the user can't access without it.
so how I can do it ?
can I make it on usb flashdisk and secure it ?
(reworked my question as it seems to be a "pure" IIS issue)

I am currently trying to deploy a server 2019 as a RDS Session Host and RDS Web Access server in our infrastructure for RemoteApp use.

I have followed the usual procedure and it seems everything went fine.

However, when I try to reach https://myserver/rdweb I get an IIS error:

HTTP Error 500.21 - Internal Server Error

Handler "ExtensionlessUrlHandler-Integrated-4.0" has a bad module "ManagedPipelineHandler" in its module list

Doesn't see much in the event logs - I guess there must be something in the IIS specific logs but not sure how to retrieve them.
Tried to google this but didn't find any obvious answer (yes .NET is deployed and active on the server, and I would have thought/hoped that the prerequisite would be checked by the installer). By all accounts, it would seem it a "pure" IIS issue around ASP.NET (ie not specific to RDS services) but in any case blocking.

Any help most welcome

Microsoft IIS Web Server





IIS is Internet Information Services, the web server included with Windows Server operating systems. All current versions are built on a modular architecture; modules can be added or removed individually so that those required for specific functionality are installed. The full installation of IIS includes HTTP, security, content, compression, caching, logging and diagnostics.