Re: IIS Isolation Mode
From: Amol Naik (anonymous_at_discussions.microsoft.com)
Date: Thu, 11 Dec 2003 20:16:08 -0800
We create some files and read some files in the ISAPI. Does this have to do some thing out here? Please let me know if it is so.
Thanks and Rgds
----- Wade A. Hilmo [MS] wrote: -----
From your description of the issue, it sounds like your ISAPI is doing
something that requires local system privileges, and if it doesn't have it,
it causes the worker process to terminate. This could either mean that it
crashes, or it could mean that it exists the process hosting the ISAPI some
From an administrative standpoint, there is nothing that you can do, except
to run it as local system. If you do this, you should consider creating an
application pool specifically for that ISAPI in order to isolate it from
other parts of the server that don't need local system.
From an ISAPI developer point of view, you should code review and debug the
ISAPI itself to see where its local system dependency is, and what it does
in the case where it has insufficient privileges. Once you know what that
dependency is, then you can determine if you can implement an administrative
solution (ie. changing ACLs somewhere), or whether the ISAPI itself needs to
As or the adsutil.vbs question, I don't know if they are the same. If you
are really curious, you could diff them. Even if they are different, I
would guess that the IIS 5 version will work correctly on IIS 6, since ADSI
is compatible between the two. Note, though, that some IIS 6 ADSI things
will not work on IIS 5, since changes were definitely made to ADSI itself to
support new metadata stuff in IIS 6.
I hope that this helps,
-Wade A. Hilmo,
"Amol Naik" <firstname.lastname@example.org> wrote in message
> We have been building an application for IIS 5.0. But now we want to
move to IIS 6.0. We tried to install using the same scripts that we had used
for IIS 5.0. It seems to install fine.
>> There were some changes in the scripts that we have done .. like the
virtual directory getting created in 5.0 in registry to the metabase.xml
file using CREATE, SET commands of adsutil.vbs file.
>> Now we get the problem with "Service Unavailable".
>> I tried to search in some of the newsgroups and found that we can remove
this by changing the DefAppPool security setting to local system. We want to
avoid this due to security issues. Can you please help us with this.
>> Few points that came to my mind:
>> 1. Is there any issues using DllMain etc in the IIS API in 6.0. Some where
I seem to read that there is some problem with the DllMain to be used in IIS
6.0. If so please let us know. But we dont want to change this as well since
we want the same binary to be used in both IIS 5.0 and IIS 6.0.
>> 2. "Run in IIS 5.0 Isolation Mode". This was one issue. We dont want to
use this either since it again uses the Local System authentication.
>>> Any inputs on the same as to how to make this work will be great.
>>> One more important thing to be asked:
>> 1. Is there any significant change in the adsutil.vbs file from IIS 5.0 to
IIS 6.0? Can we use the same file or do we need to use the one for IIS 6.0
in the AdminScripts for the same???
>> This information is very urgent for us to proceed and commit on the same.
>> My email Id is email@example.com. Any one can contact me on this id!!!
>> Thanks in Advance.