TechOnTip Weblog

Run book for Technocrats

Archive for the ‘IIS’ Category

Rename IIS Anonymous (IUSR) Account

Posted by Brajesh Panda on January 17, 2013

Applies to IIS 6.0

When IIS is installed it creates two local user accounts, IUSR_<ComputerName> and IWAM_<ComputerName>. IUSR (Internet User) is the account under which anonymous web requests run; IWAM (Internet Web Application Manager) is the account IIS uses to launch out-of-process web applications.

If you rename them through Local Users and Groups in Computer Management, you will find two new accounts created with the old names, and even if you delete them they are recreated on the next IIS restart or OS reboot: the account names are managed by the IIS metabase, so that is where the rename has to be made. Take a good backup of the metabase before changing anything in it. To back up the IIS metabase:

Right-click the IIS server name -> All Tasks -> Backup/Restore Configuration -> Create Backup

Let's edit the metabase file:

  • Stop IIS (the IIS Admin Service and the services that depend on it), so the running service does not write its in-memory copy of the metabase back over your edit
  • Open C:\WINDOWS\system32\inetsrv\Metabase.xml in Notepad or any other text editor
  • Search for AnonymousUserName (the IUSR account) and change every occurrence to IUSR_<whatever you like>
  • Search for WAMUserName (the IWAM account) and change every occurrence to IWAM_<whatever you like>
  • Save Metabase.xml
  • Start the IIS Admin Service and the World Wide Web Publishing Service
  • Open Local Users and Groups and you will find two new accounts with the new names. They are new security principals with new SIDs, so any NTFS permission or application setting that referred to the old IUSR_/IWAM_ accounts has to be granted again to the new ones.
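The same edit as a script, added here as an example (it is not from the original post). It assumes an IIS 6.0 host on Windows Server 2003, where iisreset and the IIS 6 backup script iisback.vbs are present; the suffix in $NewSuffix is an assumed value to replace with your own:

```powershell
# Added example, not from the post. $NewSuffix is an assumed value; replace it with your own.
$NewSuffix  = "WebAnon"
$Metabase   = "$env:SystemRoot\system32\inetsrv\Metabase.xml"
$BackupName = "BeforeIusrRename"

# 1. Back up the metabase first (iisback.vbs ships with IIS 6.0)
cscript //nologo "$env:SystemRoot\system32\iisback.vbs" /backup /b $BackupName /overwrite

# 2. Stop IIS so the IIS Admin Service does not write its in-memory copy over our edit
iisreset /stop

# 3. Read the file with its own encoding, replace both account names wherever they occur
#    (the attributes are written as AnonymousUserName="IUSR_HOST" and WAMUserName="IWAM_HOST"),
#    and write it back with the same encoding
$reader = New-Object IO.StreamReader($Metabase, $true)
$text   = $reader.ReadToEnd()
$enc    = $reader.CurrentEncoding
$reader.Close()

$text = $text -replace 'AnonymousUserName="IUSR_[^"]*"', "AnonymousUserName=`"IUSR_$NewSuffix`""
$text = $text -replace 'WAMUserName="IWAM_[^"]*"',       "WAMUserName=`"IWAM_$NewSuffix`""
[IO.File]::WriteAllText($Metabase, $text, $enc)

# 4. Start IIS again and list the IUSR_/IWAM_ accounts that now exist
iisreset /start
net user | Select-String -Pattern "IUSR_|IWAM_"
```

If the last command still lists the old names alongside the new ones, the old accounts were not removed by IIS and should be disabled by hand after the ACLs have been moved to the new accounts.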

Posted in IIS | Tagged: | Leave a Comment »

Configure FTPS Server Using IIS

Posted by Brajesh Panda on September 7, 2012

FTPS, SFTP and FTP over SSH are three different things. FTPS is FTP wrapped in TLS, the same way HTTPS, Telnet over TLS, SMTPS, IMAPS or POP3S wrap their plain protocols: the FTP commands, the credentials and (if the data channel is protected too) the file contents are unchanged, but they travel inside an encrypted TLS session, usually on a different port. SFTP (SSH File Transfer Protocol) is not FTP at all; it is a separate protocol carried over SSH, like SCP, and shares only the command syntax and the job of moving files. Because everything, file data included, runs over a single SSH connection, SFTP is the easier of the two to secure and to pass through firewalls. FTP over SSH sits in between: it tunnels the FTP control channel through an SSH session, but the data connections are opened separately and normally fall back to plain, unencrypted FTP data transfers.

FTPS can be implemented in two modes, Explicit and Implicit.

In Explicit mode (also called FTPES) the client connects to the normal FTP port in clear text and then explicitly asks for security with the AUTH TLS command; the server answers and the two negotiate TLS on the existing connection, so FTPS-aware and unaware clients can share one port. If the client never asks for TLS, the server can either continue in plain FTP or refuse the session, depending on its policy (in IIS, "Require SSL" refuses it).

In Implicit mode both client and server must support FTPS and there is no negotiation: the client starts the TLS handshake as soon as the TCP connection opens, and a connection that does not begin with a TLS handshake is dropped. The server listens on port 990 for the control channel and, by default, 989 for the data channel; the data channel ports can be changed (in IIS, passive-mode data connections use the configured data channel port range).

Note: to test from a client you need FileZilla or WinSCP. Neither Internet Explorer nor Windows Explorer supports FTPS.

I have a test Windows 2012 server with IIS 8.0, so I am going to use that. The steps are the same on Windows 2008 R2, which ships with IIS 7.5.

  • Install the FTP Server role service of the IIS role
    • With PowerShell: Add-WindowsFeature Web-FTP-Service, Web-Mgmt-Console
    • Or use Server Manager and add the FTP Service under the Web Server (IIS) role

  • Open IIS Manager, Right click Sites folder & Click Add FTP Site

  • If you want the site on a specific IP address, select it; otherwise leave All Unassigned.
  • Type 990 as the control channel port (the implicit FTPS port).
  • Virtual Host (a host name) is only needed if you will host multiple FTP sites on the same IP address and port.
  • Tick "Start FTP site automatically".
  • Since we are deliberately building an FTPS server rather than plain FTP, select "Require SSL" ("Allow SSL" would also accept unencrypted clients), select your installed SSL certificate and click Next.
  • In my case the certificate comes from my internal Windows certificate authority and is already installed.

  • Select Anonymous only if you are building an anonymous site; otherwise select Basic.
  • Select the authorization policy. It applies at site level, and FTP virtual directories inherit it.
  • I prefer "Specified roles or user groups" with a local group and Read permission.
  • My FTP administration procedure is to add every FTP user to that group, so every member of the group can log in to this site with read access.
  • By default, then, all FTP users get read access to every virtual directory. Where a user needs something different, I change the authorization rules on the individual virtual directory; that is covered below.

  • Your FTPS site is now ready.
  • Let's review what has been configured so far by double-clicking the icons on the site's home page:

  • Authentication & Authorization

  • Directory Browsing style as MS-DOS, FTP SSL Settings as we configured at the beginning

  • Under FTP User Isolation I select the user name directory option, so each user starts in the folder named after their account. The stricter isolation options on the same page also keep users out of each other's folders.

  • Another key setting is the Data Channel Port Range: the passive-mode port range the server tells clients to connect back to for data transfers.

  • It is configured at the IIS server level (select the server name, then FTP Firewall Support). I am using 5000-5001; you can choose your own numbers, but each concurrent data transfer takes one port from the range, so two ports means two simultaneous transfers. Size it for real use.
  • All FTP sites on this server inherit the range.
  • If you publish this server to the Internet through a firewall with a NAT rule, enter the public IP address in the External IP Address of Firewall box. Otherwise the server advertises its private address in PASV replies and Internet clients cannot open the data channel.

  • Our FTPS server is ready. Now ask your external firewall administrator to open TCP 990 and TCP 5000-5001 to this public IP address. Windows Firewall on the server itself also needs those ports allowed; its stateful FTP inspection cannot read PASV replies inside TLS, so the passive range must be opened explicitly rather than relying on that inspection.
  • While he is doing that, let's create a virtual directory and configure user access so we can test the FTPS server.
  • Create a local Windows user named Brajesh
  • Create a local Windows group named FTPUsers
  • Add user Brajesh to the FTPUsers group and remove it from the Users group
  • Create a folder named Brajesh inside the FTP root, E:\FTPRoot, which is the site's root folder. The folder name must match the user name so that it works as the home directory.
  • Right click the FTP Website & Add a Virtual Directory

  • Keep alias as Brajesh & select the Brajesh Folder we created under E:\FTPRoot

  • Now select the Brajesh virtual directory and check its configuration

  • Under the Brajesh virtual directory's FTP Authorization Rules you will see that the FTPUsers group has already been inherited with Read permission
  • Add user Brajesh as a specified user with Read and Write permission, and remove FTPUsers from this directory's rules, so only Brajesh can enter this folder.

  • The FTPS server and the virtual directory are ready
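The build-out above as one script, added here as an example rather than taken from the post. It uses the WebAdministration module that ships with IIS 7.5 and 8.0, and the site name, certificate friendly name, external IP address and group name below are assumptions to replace with your own:

```powershell
# Added example, not from the post. Run elevated on the IIS host.
$SiteName   = "FTPS Site"           # assumed
$FtpRoot    = "E:\FTPRoot"          # root folder used in the post
$FtpGroup   = "FTPUsers"            # group used in the post
$LowPort    = 5000                  # data channel range used in the post
$HighPort   = 5001
$ExternalIP = "203.0.113.10"        # assumed public address of the NAT firewall
$CertName   = "ftps.example.com"    # assumed friendly name of the installed certificate

# Role services: FTP server, the console and the scripting tools that provide WebAdministration
Import-Module ServerManager
Add-WindowsFeature Web-FTP-Service, Web-Mgmt-Console, Web-Scripting-Tools | Out-Null
Import-Module WebAdministration

# Implicit FTPS listens on 990; create the site bound there
if (-not (Test-Path $FtpRoot)) { New-Item -ItemType Directory -Path $FtpRoot | Out-Null }
New-WebFtpSite -Name $SiteName -Port 990 -PhysicalPath $FtpRoot | Out-Null
$site = "IIS:\Sites\$SiteName"

# Require TLS on control and data channels and attach the certificate ("Require SSL" in the wizard)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $CertName }
if (-not $cert) { throw "Certificate '$CertName' not found in LocalMachine\My" }
Set-ItemProperty $site -Name ftpServer.security.ssl.serverCertHash       -Value $cert.Thumbprint
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value "SslRequire"
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value "SslRequire"

# Basic authentication only (the credentials are protected by TLS), and start each
# user in the directory named after the account. IsolateAllDirectories would also
# stop users browsing each other's folders.
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $site -Name ftpServer.userIsolation.mode -Value "StartInUsersDirectory"

# Site-level authorization: the FTP group gets Read, as in the post
Add-WebConfiguration "/system.ftpServer/security/authorization" -PSPath "IIS:\" -Location $SiteName `
    -Value @{ accessType = "Allow"; roles = $FtpGroup; permissions = "Read" }

# Passive data channel range (server level) and the firewall's public address for PASV replies
Set-WebConfigurationProperty -PSPath "IIS:\" -Filter "system.ftpServer/firewallSupport" -Name lowDataChannelPort  -Value $LowPort
Set-WebConfigurationProperty -PSPath "IIS:\" -Filter "system.ftpServer/firewallSupport" -Name highDataChannelPort -Value $HighPort
Set-ItemProperty $site -Name ftpServer.firewallSupport.externalIp4Address -Value $ExternalIP

# Windows Firewall cannot see PASV replies inside TLS, so switch off its stateful FTP
# helper and open the control port and the passive range explicitly
netsh advfirewall set global StatefulFtp disable | Out-Null
netsh advfirewall firewall add rule name="FTPS control 990" dir=in action=allow protocol=TCP localport=990 | Out-Null
netsh advfirewall firewall add rule name="FTPS passive data" dir=in action=allow protocol=TCP localport="$LowPort-$HighPort" | Out-Null

# The data channel range is read when the service starts
Restart-Service ftpsvc
```

The per-user virtual directory and its authorization rules are the part the later APPCMD post automates, so they are left out here.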

Let's download FileZilla and WinSCP to test FTPS connectivity. Again, neither Internet Explorer nor Windows Explorer supports FTPS.

  • In FileZilla, enter ftps://<FTP server name or IP> as the host, then the user name and password.
  • It connects on port 990. If your certificate is publicly trusted there is no prompt; mine is from an internal CA, so FileZilla asks me whether to trust it. I tick "Always trust certificate in future sessions" and click OK.

    If you do not trust the certificate the session may still connect, but transfers fail, because the client will not use a TLS channel it could not authenticate.

  • Let's take a look at FileZilla's connection messages.

  • Do you see the message "227 Entering Passive Mode (10,10,10,105,19,136)"? It carries two things: the IP address and the data channel port the server is listening on.
  • 10,10,10,105 is the server's IP address, and 19,136 encodes the port: (19 x 256) + 136 = 5000. Remember we configured the data channel range as 5000-5001. For an Internet client the address in this reply should be the firewall's public IP from the External IP Address setting, not the private one.
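A small decoder for that reply, added here as an example and not part of the post. It parses the 227 line and reports the two things that go wrong behind NAT: a port outside the configured range and an advertised address that is not the expected public one. The first sample reply is the post's own; the second, with the 203.0.113.10 public address, is constructed:

```powershell
# Added example, not from the post.
function ConvertFrom-PasvReply {
    param([string]$Reply)
    # RFC 959 format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
    if (-not ($Reply -match '^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')) {
        throw "Not a 227 passive-mode reply: $Reply"
    }
    New-Object PSObject -Property @{
        IPAddress = "$($Matches[1]).$($Matches[2]).$($Matches[3]).$($Matches[4])"
        Port      = [int]$Matches[5] * 256 + [int]$Matches[6]
    }
}

function Test-PasvReply {
    param([string]$Reply, [string]$ExpectedIP, [int]$LowPort, [int]$HighPort)
    $p = ConvertFrom-PasvReply $Reply
    $problems = @()
    if ($p.Port -lt $LowPort -or $p.Port -gt $HighPort) {
        $problems += "port $($p.Port) is outside the data channel range $LowPort-$HighPort"
    }
    if ($p.IPAddress -ne $ExpectedIP) {
        $problems += "reply advertises $($p.IPAddress), expected $ExpectedIP (External IP Address not set, or the client is on the inside)"
    }
    New-Object PSObject -Property @{ IPAddress = $p.IPAddress; Port = $p.Port; Problems = $problems }
}

# The post's own reply, seen from the LAN: 19*256+136 = 5000 on the server's private address
Test-PasvReply "227 Entering Passive Mode (10,10,10,105,19,136)" -ExpectedIP "10.10.10.105" -LowPort 5000 -HighPort 5001

# Constructed case: an Internet client behind the NAT firewall (assumed public IP 203.0.113.10)
# that still receives the private address, which is what a blank External IP Address box produces
Test-PasvReply "227 Entering Passive Mode (10,10,10,105,19,137)" -ExpectedIP "203.0.113.10" -LowPort 5000 -HighPort 5001
```

The first call reports no problems; the second reports the address mismatch, which is the symptom of a missing External IP Address setting.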

Now let's try WinSCP. Set the protocol to FTP and the encryption to SSL/TLS Implicit encryption.

  • Accept and trust the certificate if a warning appears

Posted in IIS | 3 Comments »

Self-Sign Certificates in Windows 2008 R2

Posted by Brajesh Panda on September 5, 2012

If you want to know how to generate a SAN certificate, read this article.

  1. If you don't have the IIS Web Server role installed:
    1. Download the old IIS 6.0 Resource Kit Tools and install them.
    2. Go to Programs -> IIS Resources -> SelfSSL -> SelfSSL.exe.
    3. A command prompt opens with an example command line; fine-tune it to your requirements (the /N: switch sets the subject name, /V: the validity in days and /K: the key size).
  2. It prompts you to overwrite the settings for site 1; type yes and press Enter.
  3. It throws the error "Error opening metabase: 0x80040154".
  4. The error can be ignored: SelfSSL tries to bind the certificate through the IIS 6.0 metabase, which is not installed on this server.
  5. Browse the computer's Personal certificate store and you will find the certificate there.


Posted in IIS, Tools | 1 Comment »

IIS 7.5 FTP Administration Automation Powershell Script (APPCMD)

Posted by Brajesh Panda on July 26, 2012

Here is my FTP user provisioning script for the IIS 7.5 FTP server. Later I will publish the configuration steps for the FTP and FTPS server.

Most of the commands below are not PowerShell cmdlets, but I run them from a PowerShell script because it is easy to pass variables around. APPCMD.exe is the command-line tool for IIS 7 and later; it lives in C:\Windows\System32\inetsrv, which is not on the PATH by default, so add that folder to the PATH environment variable (or call it by full path) for the script to work.

Setting up a user account by hand used to take five minutes, and I always forgot something, which was frustrating. Now it takes seconds and is repeatable. Isn't it awesome 😉

# Capture FTP user details
$UserLogonName   = Read-Host "Enter Logon Name"
$UserPassword    = Read-Host "Enter Password"
$UserFullName    = Read-Host "Enter Full Name"
$UserDescription = Read-Host "Who uses this account?"

# Paths used below. The folder and the virtual directory must point at the same place,
# so the FTP root and the FTP site name are defined once here; adjust both to your server.
$FtpRoot = "C:\WEBRoot"
$FtpSite = "FTP_Server"

# Create the local FTP user: account never expires, user cannot change the password.
# Values that may contain spaces are quoted for net.exe.
net user $UserLogonName $UserPassword /add /passwordchg:no /expires:never /active:yes /fullname:"$UserFullName" /comment:"$UserDescription"

# Set "password never expires" through WMI. Filter on local accounts only so a
# domain-joined server does not enumerate the whole directory, and call Put() to
# commit the change; without Put() the property is only changed in memory.
$WMI = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$UserLogonName'"
$WMI.PasswordExpires = $false
$WMI.Put() | Out-Null

# Add the user to the FTPUsers group, which is what grants the right to connect to this FTP server
net localgroup FTPUsers $UserLogonName /add

# Create the user's FTP directory
New-Item -ItemType Directory -Path "$FtpRoot\$UserLogonName" | Out-Null

# Create the FTP virtual directory (APPCMD: /app.name is the site, /path the alias)
appcmd add vdir /app.name:"$FtpSite/" /path:/$UserLogonName /physicalPath:"$FtpRoot\$UserLogonName"

# Remove the inherited FTPUsers rule from the virtual directory, so other FTP users cannot enter this folder
appcmd set config "$FtpSite/$UserLogonName" -section:system.ftpServer/security/authorization /-"[roles='FTPUsers']" /commit:apphost

# Grant the new user read and write on their own virtual directory
appcmd set config "$FtpSite/$UserLogonName" -section:system.ftpServer/security/authorization /+"[accessType='Allow',users='$UserLogonName',permissions='Read, Write']" /commit:apphost

# Open the FTP server in Windows Explorer
explorer.exe ftp://<URL>

Posted in IIS | Tagged: | 2 Comments »

How to configure/import SAN certificate in IIS 7.x?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 5

How to configure/import SAN certificate in IIS 7.x?

  • Apart from the SAN certificate itself you may have to install your provider's intermediate (chain) certificate into the computer's Intermediate Certification Authorities store, or clients will see an incomplete chain. Check with your provider.
  • You can import the certificate with the Windows Certificates MMC or from the Server Certificates page in IIS Manager.

Using Windows Certificate MMC:

  • Open Certificate MMC snap in for your computer
    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click on Personal – All Tasks – Import Certificate –Select the SSL certificate & import – Click yes on Thumbprint validation window

Using IIS Manager:

  • Open IIS Manager – Select Server in the left hand side & open “Server Certificates” from the mid working pane

  • Click Import, select the certificate PFX file and type the import password if one was set when the PFX was created. Tick "Allow this certificate to be exported" only if you will need to move the certificate to another server; an exportable private key is easier to steal.

Bind SAN SSL Certificate to multiple web sites

  • After you have imported the SAN certificate into IIS you can bind it to different websites on the same IIS 7.x server.
  • To bind one SAN certificate to multiple websites, each website needs its own host header, and the host headers must match the certificate's Subject Alternative Names exactly; otherwise browsers report a certificate name mismatch.
  • Select the website and click Bindings to open the Site Bindings window.

  • Click Add to create a new binding with host header, IP address and port.
  • For Type select https, pick the IP address from the drop-down and type 443 as the port.
  • If you have only one IP address you will select the same address for every website, so each site needs a UNIQUE host header as I said earlier. But for https this field is greyed out.

  • Select the imported SAN certificate from the SSL Certificate drop-down. The host name field is still not editable, so you cannot type the unique host header here. The reason is that IIS 7.x has no SNI (that arrived in IIS 8): HTTP.sys holds one certificate per IP address and port, so IIS Manager assumes one HTTPS site per IP address. With a SAN certificate that covers every name, sharing one certificate is exactly what we want; the binding just has to be created another way.
  • IIS provides a command-line tool (appcmd) for this, and there is also an undocumented IIS 7.x trick you can use.

APPCMD for SSL Binding

  • Run the command below once per website, substituting the website name and the host header value:

appcmd set site /site.name:"<WEBSiteName>" /+bindings.[protocol='https',bindingInformation='*:443:<hostHeaderValue>']

  • This only adds the binding to the site. The certificate itself is attached to the IP address and port in HTTP.sys once (IIS Manager does this when you pick the certificate for the first site, and netsh http show sslcert lists what is bound), and every host-header binding on that IP and port then uses it.

Undocumented IIS Hack for SSL Binding

  • In the Certificates MMC, open the SSL certificate's properties and add an asterisk (*) in front of its friendly name. When you now select the certificate you can type the host header in IIS Manager itself. Thanks to my friend Jason Heisley for telling me this little hack. Here is another blog article regarding this hack.
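Both steps of the appcmd route in one script, added here as an example and not taken from the post. It reads the certificate's SAN extension and refuses to bind a host header the certificate does not cover, creates the https binding per site with appcmd, then binds the certificate to *:443 in HTTP.sys if IIS Manager has not already done so. The site names, host names and the friendly name are assumptions to replace with your own:

```powershell
# Added example, not from the post. Run elevated on the IIS 7.x server.
$CertFriendlyName = "*SAN web cert"          # assumed; the post's friendly name with the leading *
$Sites = @{                                  # site name -> host header (assumed)
    "Site1" = "www.example.com"
    "Site2" = "portal.example.com"
}
$appcmd = "$env:SystemRoot\system32\inetsrv\appcmd.exe"

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $CertFriendlyName }
if (-not $cert) { throw "No certificate with friendly name '$CertFriendlyName' in LocalMachine\My" }

# Names the certificate actually covers, read from its Subject Alternative Name extension (OID 2.5.29.17).
# Format($false) renders it as "DNS Name=www.example.com, DNS Name=portal.example.com".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$covered = @()
if ($sanExt) {
    $covered = ($sanExt.Format($false) -split ",\s*") | ForEach-Object { ($_ -split "=", 2)[1].Trim() }
}

foreach ($entry in $Sites.GetEnumerator()) {
    $siteName = $entry.Key
    $hostName = $entry.Value
    if ($covered -notcontains $hostName) {
        throw "$hostName is not in the certificate's SAN list; browsers would show a name mismatch"
    }
    # Same appcmd command as the post, with the two placeholders filled in
    & $appcmd set site "/site.name:$siteName" "/+bindings.[protocol='https',bindingInformation='*:443:$hostName']"
}

# HTTP.sys holds one certificate per IP:port. Add ours unless something is already bound there.
$existing = netsh http show sslcert ipport=0.0.0.0:443 2>&1
if (-not ($existing -match "Certificate Hash")) {
    # appid is the GUID IIS itself uses for its bindings; HTTP.sys accepts any GUID here
    netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid={4dc3e181-e14b-4a21-b022-59fc669b0914}"
}
```

If a certificate is already bound to 0.0.0.0:443 and it is a different one, netsh http show sslcert displays its hash; delete that binding with netsh http delete sslcert before adding the SAN certificate, since only one certificate can sit on the address and port.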

Posted in IIS | Tagged: , | 7 Comments »

How to generate SAN certificate from internal Windows 2003 certificate authority?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 4




How to generate SAN certificate from internal Windows 2003 certificate authority?

  • I assume you have already created a SAN certificate signing request by following the other blog post (Part 2).
  • If Web Enrollment is enabled on your certificate server, open certificate services at http://<certificate server name>/certsrv
  • On the welcome screen click Request a certificate, then advanced certificate request

  • On the Advanced Certificate Request screen click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file"

  • Open the SAN certificate request file in Notepad, copy the whole contents, paste them into the Saved Request box, select Web Server as the certificate template and click Submit.

  • Download the Base 64 encoded certificate and install it on the web server (Part 5)

Posted in IIS | Tagged: | 2 Comments »

How to make sure internal certificate authority is supporting SAN certificate feature?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 3

How to make sure internal certificate authority is supporting SAN certificate feature?

Certificate servers come with policy modules that provide different services. Each policy module has extensions that can be turned on so that clients can request those features.

CertificateAuthority_MicrosoftDefault.Policy is the default policy module on a Windows 2003 certificate server.

certutil -getreg shows the configuration parameters of the default policy module.

certutil -getreg policy\EditFlags shows which extensions are turned on for the default policy module.

The SAN request-attribute extension is turned on with the syntax below, followed by a restart of the certificate service (net stop certsvc, net start certsvc) so the policy module reads the new flag. Know what the flag does before you set it: with it on, anyone who can submit a request to this CA can add arbitrary names to the issued certificate through a san: request attribute (for example certreq -attrib "san:dns=..."), on any template, which is why it is treated as a CA misconfiguration in security reviews. The flag is only needed when the SAN is passed as a request attribute; a SAN carried inside the PKCS #10 request itself, like the one built in Part 2, is accepted on a template such as Web Server whose subject is supplied in the request.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

It can be turned off again with the syntax below.

(I didn't try this one; I just researched it on Google. Maybe sometime later I will try it.)

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

Here are registry screenshots from before and after turning the flag on; the value is EditFlags under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy. I am not sure if it can be turned on by just changing the registry key directly; maybe sometime later I will try this.

[Screenshot: EditFlags after the flag is turned on]

On a Windows 2008 CA the setting is the same EditFlags value, so use the same command, then restart the certificate service so the policy module picks up the change:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
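A small check and toggle for the flag, added here as an example and not part of the post. Get-SanAttributeFlag parses the certutil output the post describes and reports whether request-attribute SANs are accepted, which is the question a CA review asks; Set-SanAttributeFlag wraps the set command and the service restart. The CA config string in the usage line is an assumption:

```powershell
# Added example, not from the post.
function Get-SanAttributeFlag {
    param([string]$CAConfig)    # "host\CA name"; leave empty to query the CA you are logged on to
    $cliArgs = @("-getreg", "policy\EditFlags")
    if ($CAConfig) { $cliArgs = @("-config", $CAConfig) + $cliArgs }
    $out = & certutil @cliArgs 2>&1
    # certutil lists each flag that is set on its own line, e.g.
    #   EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    $enabled = [bool]($out | Select-String -Pattern "EDITF_ATTRIBUTESUBJECTALTNAME2" -Quiet)
    $name = if ($CAConfig) { $CAConfig } else { $env:COMPUTERNAME }
    New-Object PSObject -Property @{ CA = $name; SanFromRequestAttributes = $enabled }
}

function Set-SanAttributeFlag {
    param([bool]$Enable)
    $op = if ($Enable) { "+" } else { "-" }
    certutil -setreg policy\EditFlags "${op}EDITF_ATTRIBUTESUBJECTALTNAME2"
    # The policy module reads EditFlags when the CA starts, so restart the service
    Restart-Service certsvc
}

# Audit the local CA and an assumed remote CA (the config string is a placeholder)
Get-SanAttributeFlag
Get-SanAttributeFlag -CAConfig "ca01.corp.example.com\Corp Issuing CA"
```

A result of SanFromRequestAttributes = True on a CA where nobody deliberately turned the flag on is worth raising, because every enrollee on that CA can then name themselves anything in a certificate.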

Posted in IIS | Tagged: | 4 Comments »

How to create a SAN certificate signing request for IIS web server?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 2

  • How to configure multiple websites to access using host headers?
  • How to create a certificate signing request for our IIS web server?
  • How to make sure internal certificate authority is supporting SAN certificate feature?
  • How to generate SAN certificate from internal Windows 2003 certificate authority?
  • How to configure/import SAN certificate in IIS 7.x?

How to create a SAN certificate signing request for IIS web server?

  • Open Certificate MMC snap in for your computer
    • Click on Start – Run – MMC – File – Add/Remove Snap In – Select Certificates – Click Add – Select My Computer
  • Click Personal -> All Tasks -> Advanced Operations -> Create Custom Request

  • Click Next on the Certificate Enrollment wizard's welcome page
  • Under Custom Request select "Proceed without enrollment policy" and click Next
  • On the Custom Request page select "(No template) Legacy key" and PKCS #10 as the request format
  • Click Next

  • On the Certificate Information page click the Details arrow, then Properties. The Certificate Properties window opens, where we define the various attributes.

  • Under Private Key, select the key size. I left the default here; use at least 2048 bits, and 4096 if you prefer, for production servers.
  • Under Key Type select "Exchange"

  • On the Extensions tab select Extended Key Usage and add Server Authentication from the available options.

  • On the Subject tab we define the multiple DNS names for the certificate
  • In the Subject name section select Common name from the drop-down, type the value (preferably the primary domain name) and click Add.
  • Under Alternative name select DNS, then type and add every alternate DNS name. Add the common name here as well, since browsers check the SAN list rather than the common name.

  • On the General tab type a friendly name.
  • It is better to put a * in front of the friendly name now. It lets you bind the certificate from the IIS graphical interface to all websites on the same IP address and port 443. If you don't do it now, no worries; you can do it later, or bind the certificate with the command-line tool, as discussed in the certificate installation/import post.
  • Click OK and, on the Certificate Information page, Next

  • Give a file path to save the certificate request and select Base 64 as the file format

  • It generates a ".req" file, which you can open with Notepad.
  • Use this file to get your SAN certificate issued by an external public certificate authority or by your internal certificate authority server.
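The same request built from the command line instead of the wizard, added here as an example and not taken from the posts. It covers this post (the INF reproduces the wizard choices: Exchange key, Server Authentication EKU, PKCS #10, SAN extension) and the submit and install steps that Part 4 performs through the web enrollment page. The common name, alternative names, CA config string and working folder are assumptions to replace with your own:

```powershell
# Added example, not from the posts. Run elevated: the key goes into the machine store.
$CommonName = "www.example.com"                          # assumed
$AltNames   = @("www.example.com", "portal.example.com") # assumed; include the common name too
$CAConfig   = "ca01.corp.example.com\Corp Issuing CA"    # assumed "host\CA name" (certutil -config - -ping lists CAs)
$Work       = "C:\Temp\sancert"                          # assumed working folder
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# The SAN extension (OID 2.5.29.17) is given as "dns=a&dns=b" on one _continue_ line
$sanValue = ($AltNames | ForEach-Object { "dns=$_" }) -join "&"

# INF equivalents of the wizard choices: KeySpec=1 is "Exchange", KeyUsage 0xA0 is
# digital signature + key encipherment, MachineKeySet puts the key in the computer store,
# and the leading * on the friendly name is the binding trick from this post.
$inf = @"
[NewRequest]
Subject = "CN=$CommonName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
FriendlyName = "*$CommonName"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$sanValue"
"@
Set-Content -Path "$Work\san.inf" -Value $inf -Encoding ASCII

# Part 2: create the request; the SAN travels inside the PKCS #10, so the CA needs no
# EDITF_ATTRIBUTESUBJECTALTNAME2 flag for it
certreq -new "$Work\san.inf" "$Work\san.req"
certutil -dump "$Work\san.req" | Select-String "DNS Name"   # confirm every name made it in

# Part 4: submit to the internal CA against the Web Server template, then install the
# issued certificate next to its private key in LocalMachine\My
certreq -submit -config $CAConfig -attrib "CertificateTemplate:WebServer" "$Work\san.req" "$Work\san.cer"
certreq -accept "$Work\san.cer"
```

For a public CA, stop after certreq -new and send san.req to the provider; certreq -accept is still the step that joins the certificate they return to the private key on this server.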

Posted in IIS | Tagged: | 40 Comments »

How to configure multiple IIS websites to access using host headers?

Posted by Brajesh Panda on June 6, 2011

SAN Certificate for IIS 7.5 Web Servers – Part 1

  • How to configure multiple IIS websites to access using host headers?
  • How to create a certificate signing request for our IIS web server?
  • How to make sure internal certificate authority is supporting SAN certificate feature?
  • How to generate SAN certificate from internal Windows 2003 certificate authority?
  • How to configure/import SAN certificate in IIS 7.x?

I have a Windows 2008 R2 IIS web server, where I am going to create a couple of websites for my lab 😉

How to configure multiple IIS websites to access using host headers?

  • Select the website and, in the Actions pane on the right-hand side, click Bindings
  • Select the default http binding and click Edit
  • From the drop-down select the correct IP address and type 80 for the port
  • In the Host name field type the complete host header (the fully qualified name clients will use)
  • Click OK, then Close
  • Do the same for the other websites; only the host header will differ

To test these websites, create host entries for the names on the workstation you will browse from, pointing at the server's IP address, and open them in a browser.

You should be able to reach them. If you can't, check the firewall and other connectivity configuration. We now have multiple websites on one IP address and the same HTTP port, told apart by the Host header of each request.
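A test that does not need hosts-file entries, added here as an example and not part of the post. It opens a TCP connection to the server and sends a raw HTTP/1.1 request with the Host header of your choice, which is exactly what IIS uses to pick the site, and returns the status line. The server address and host names are assumptions:

```powershell
# Added example, not from the post.
function Test-HostHeader {
    param([string]$ServerIP, [string]$HostHeader, [int]$Port = 80)
    $client = New-Object Net.Sockets.TcpClient($ServerIP, $Port)
    $stream = $client.GetStream()
    # Minimal request; "Connection: close" makes the server end the session after one reply
    $request = "GET / HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
    $bytes = [Text.Encoding]::ASCII.GetBytes($request)
    $stream.Write($bytes, 0, $bytes.Length)
    $reader = New-Object IO.StreamReader($stream)
    $status = $reader.ReadLine()            # e.g. "HTTP/1.1 200 OK"
    $reader.Close()
    $client.Close()
    New-Object PSObject -Property @{ HostHeader = $HostHeader; Status = $status }
}

$ServerIP = "10.0.0.5"                                  # assumed IIS server address
$Names    = @("site1.example.com", "site2.example.com") # assumed host headers from the bindings

foreach ($n in $Names) { Test-HostHeader -ServerIP $ServerIP -HostHeader $n }

# A name with no binding shows whether a catch-all site (a binding with an empty host name)
# still answers on this IP; with no catch-all, HTTP.sys rejects the unknown name with 400
Test-HostHeader -ServerIP $ServerIP -HostHeader "nothing-bound.example.com"
```

The last call is the useful one from a hardening point of view: if it returns 200 from the Default Web Site, that site is still reachable by IP address and by any name that resolves to the server, whether or not you intended that.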

Posted in IIS | Tagged: | 11 Comments »
