Efficient Deployment

1
Efficient Deployment Management of ASP.NET 2.0
Applications on IIS 6.0

• Alexis Eller
• Program Manager
• Internet Information Services
• Microsoft Corporation

2
Agenda

• What is ASP.NET?
• .NET Framework Concepts
• Global Assembly Cache (GAC)
• Configuration Layout
• Code Access Security (CAS)
• Versioning
• Deployment Management
• Running x64 on ASP.NET 2.0 solutions
• Summary / QA

3
What is ASP.NET?

• Part of the .NET Framework
• IIS 6.0 v2.0, v1.1 in Worker Process Isolation
  Mode
• IIS 6.0 v1.0 in IIS 5.0 Compatibility Mode
• IIS 5.0 only run one version at a time
• Builds significantly on the power of ASP
• ASP.NET is managed code - the .NET Framework
  manages memory, not the application (reduces the
  risk of memory leaks)

4
.NET Framework ConceptsGlobal Assembly Cache
(GAC)

• Registry for .NET assemblies
• Add an assembly to the GAC
• Generate a strong name, assembly 1) name, 2)
  version, 3) 64 bit public key hash - sn.exe, 4)
  culture
• Add to the GAC - gacutil.exe, .NET Configuration
  x.x (MMC Snap-in)
• Viewing the contents of the GAC
• gacutil /l
• start explorer windir\assembly
• .NET Configuration x.x (MMC Snap-in)
• Cannot XCOPY deploy GACed assemblies
• Security all GACed assemblies (for ASP.NET
  apps)
• Run as Full Trust
• Are accessible to all ASP.NET apps

5
Adding an assembly to the GAC
6
.NET Framework ConceptsConfiguration Layout
Inheritance
ASP.NET .NET Framework
ASP.NET
.NET Framework
web.config
root web.config
\Windows\Microsoft.NET\Framework\v2.0.50727\config
\web.config
machine.config
\Windows\Microsoft.NET\Framework\v2.0.50727\config
\machine.config
web.config files
root configuration files
7
.NET Framework ConceptsCode Access Security (CAS)

• Constrains managed code, including ASP.NET
• Do you trust your content providers?
• Do you trust that your applications cant be
  exploited?
• Control access to file system, registry,
  printers
• ASP.NET Trust Levels
• Full, High, Medium, Low, Minimal (can define
  custom)
• Defined by policy files windir\Microsoft.NET\F
  ramework\v2.0.50727\CONFIG\webtrust.config
• Full trust by default
• GACed assemblies run as Full trust always

8
.NET Framework ConceptsASP.NET Medium Trust
Can...
Cannot...

• Access SQL Server
• Send e-mail via SMTP
• Access certain common environment variables
• Access files within the application's directory

• Access files outside the application's directory
• Use reflection
• Use sockets
• Access unmanaged code

How to Use Medium Trust in ASP.NET 2.0
http//msdn.microsoft.com/library/default.asp?url
/library/en-us/dnpag2/html/PAGHT000020.asp
9
Setting and customizing ASP.NET Trust Levels
10
ASP.NET Request Processing

• IIS maps request to ASP.NET, forwards to
  aspnet_isapi.dll
• ASP.NET ISAPI creates appdomain

Authentication
NTLM
Basic
Anon

Determine Handler
CGI
Static File
ISAPI

Send Response
Log
Compress
11
Deployment and ManagementGetting started...

• Manual
• MMC snap-in (in IIS Manager)
• aspnet_regiis.exe command line tool
• Edit web.config files using Notepad or Visual
  Studio
• Automated
• Call aspnet_regiis.exe in a batch file
• Program against the ASP.NET configuration API
  (System.Configuration)

12
Deployment and Managementaspnet_regiis.exe

• Provides more functionality than MMC snap-in
• Enumerate all ASP.NET script map settings
• Install / uninstall ASP.NET
• Enable / disable ASP.NET ISAPI extension
• Unique version in each framework directory
• C\Windows\Microsoft.NET\Framework64\v2.0.50727
• Use in batch files for deployment / management
• Combine with other utilities to create batch
  files for deploying applications, content and
  configurations

13
Deployment and Managementaspnet_regiis.exe (2)

• Combine aspnet_regiis.exe with other utilities
  for automating deployment
• Adsutil.vbs to create application
  pooladsutil.vbs CREATE W3SVC/AppPools/BusyPool
  "IIsApplicationPool"
• IISweb.vbs to create the Web site in app pool
  IISweb.vs /create C\MySource "MySite" /ap
  BusyPool /dontstart
• Aspnet_regiis.exe to install ASP.NET 2.0 change
  the IIS scriptmap to 2.0C\WINDOWS\Microsoft.NET\
  Framework\v2.0.50727\apsnet_regiis.exe enable
  -ir C\WINDOWS\Microsoft.NET\Framework\v2.0.50727\
  apsnet_regiis.exe s W3SVC/ltmetabase pathgt

14
.NET Framework Versioning

• Can run one version per application pool
• Each framework version has its own version of
  aspnet_regiis.exe
• Different IIS scriptmap behavior depending on
  existing ASP.NET

15
Running ASP.NET 1.1 and 2.0 Side-by-Side
16
Deployment and ManagementASP.NET 2.0 MMC Snap-In

• Overview of the ASP.NET user interface
• Configuration tabs
• Understanding the behavior of the MMC snap-in

17
Deployment and ManagementOverview of ASP.NET MMC
Snap-in

• ASP.NET configuration is
• hierarchical and distributed
• complex enough to warrant a user interface
• The ASP.NET MMC Snap-in uses Microsoft Internet
  Information Services (IIS) Managers
  extensibility

18
Deployment and ManagementOverview of ASP.NET MMC
Snap-in

• Prevents typos, incorrect XML tags
• Manages versioning information
• Indicates file and virtual path
• Indicates the date file last modified

19
Deployment and ManagementConfiguration Tabs

• General
• Connection strings, Application data
• Custom Errors
• Authorization
• Authentication
• Authentication settings
• Membership provider
• Role Manager provider and enable/disable
• Application
• Compilation, Globalization, Identity
• State Management
• Session State settings
• Locations
• User-defined settings entered as ltlocationgt tags
  in configuration

20
Deployment and ManagementConfiguration Tab -
General

• What can be modified?
• Database Connections
• Application Settings
• Which web.config file is edited? Depends on the
  object selected in IIS Manager...
• Server (Web Sites)
• Web Site
• Virtual Directory / Folder

21
Deployment and ManagementConfiguration Tab
Custom Errors

• What can be modified?
• Enabling local or remote- only custom errors
• Redirect URLs for specific status codes
• Default redirect URL

• What cannot be modified?
• IISs custom errors configuration in the metabase

22
Deployment and ManagementConfiguration Tab
AuthN and AuthZ

• What can be modified?
• Authentication
• Forms vs. Windows
• Forms authentication settings
• Membership and Roles providers
• Authorization Rules only apply to content
  handled by the ASP.NET 2.0 ISAPI
• What cannot be modified?
• IIS Authentication Anonymous, Basic, Integrated,
  etc.
• IIS does access checks, not authorization rules
  per URL
• IIS 6.0 ships with Authorization Manager ISAPI
  (urlauth.dll) - this is different than ASP.NET
  authorization

23
Deployment and ManagementConfiguration Tab
Application

• What can be modified?
• Compilation and runtime settings
• Assign a theme to specific page or master page
• Debugging options
• Used for development purposes
• Should be used only in non-production
  environments (performance considerations)
• Tip ltdeployment retail"truefalse" /gt
• Globalization options
• Setting the Code Page, etc.
• Identity settings
• Use IISs impersonated token -or- override with a
  specified user identity

24
Deployment and ManagementConfiguration Tab
State Management

• What can be modified?
• Enable ASP.NET Session State Server
• Enable ASP.NET Session State in SQL Server
• State management connection strings
• ASP.NET Session State Server vs. ASP.NET Session
  State in SQL Server
• ASP.NET State Server stores state in a process
  separate from the ASP.NET application
• ASP.NET Session State in SQL Server stores
  application\session data in SQL

25
Deployment and ManagementConfiguration Tab
Locations

• What can be done with the Locations Tab?
• Lockdown of features at a granular level
• Examples
• AllowOverridefalse with a relative path
• Advanced concept - requires a thorough
  understanding of configuration

ltconfigurationgt ltlocation pathDefault Web
Site/App/Login.aspx allowOverridefalsegt
ltauthorizationgt ... lt/locationgt ltconfigurationgt
26
Configuring Forms Auth in the ASP.NET MMC Snap-in
27
Deployment and ManagementUnderstanding the MMC
Snap-in Behaviour

• Multiple configuration editors (such as
  administrators and developers) can cause errors
  in the configuration files
• Configuration errors in the files will cause
  errors in the user interface
• User interface cannot read invalid configuration
  files
• Updates to web.config files reload the
  applications appdomain loses in process
  session state, caches, etc.

28
Running ASP.NET 2.0 on x64

• ASP.NET 1.1 Requires WOW64
• 32 bit IIS worker processes on 64 bit OS
• Virtual memory from 2 GB to 4 GB
• Enable, from systemdrive\Inetpub\AdminScripts,
  run cscript.exe adsutil.vbs set
  W3SVC/AppPools/Enable32BitAppOnWin64 true
• ASP.NET 2.0 Runs native 64 bit or WOW64
• Virtual memory practically unlimited in native 64
  bit
• MMC Snap-in not supported on x64

29
Summary

• Global Assembly Cache (GAC)
• All GAC'ed assemblies run in Full trust
• GAC'ed assemblies cannot be xcopy deployed
• ASP.NET Trust Levels (CAS Permission Sets)
• Full trust is not secure enough, Medium is
  recommended
• Trust levels can be customized
• aspnet_regiis.exe automated deployment and
  management
• ASP.NET 2.0 MMC snap-in
• provides a safe way to edit configuration
• writes to hierarchical and distributed web.config
• ASP.NET v1.1 and v2.0 run side by side on IIS 6.0

30

• alexise_at_microsoft.com

31
Resources

• ASP.NET "Whidbey" Documentation Center on MSDN
• http//msdn.microsoft.com/asp.net/whidbey/default.
  aspx
• ASP.NET user interface
• http//msdn.microsoft.com/asp.net/articles/ui/
• ASP.NET 2.0 Fundamentals
• http//msdn.microsoft.com/asp.net/articles/fundame
  ntals/
• .NET Blog When is ReflectionPermission needed?
• http//blogs.msdn.com/shawnfa/archive/2005/03/08/3
  89768.aspx
• IIS Webcast Series iiswcast_at_microsoft.com
• http//www.iiswebcastseries.com