IIS Web Server Learning Series - Part 12 – Some random learnings in the IIS web server


Worker process:

When IIS starts, the Web Administration Service initializes the http.sys namespace routing table with one entry for each application. This routing table determines to which application pool an application should be routed. When http.sys receives a request, it asks WAS to start up one or more worker processes to handle that application pool. This isolation of processes makes the web server as a whole more stable.

What is the role of HTTP.sys in IIS?

HTTP.sys is the kernel-level component of IIS. Every client request first hits HTTP.sys in kernel mode. HTTP.sys then places each request in the queue of the individual application pool that the request belongs to.

Whenever we create an application pool, IIS automatically registers the pool with HTTP.sys so that the pool can be identified during request processing.

APPLICATION POOL

Application pools separate sets of IIS worker processes that share the same configuration and application boundaries. Application pools are used to isolate our web applications from each other for better security, reliability, availability and performance, so that they keep running without impacting each other. The worker process serves as the process boundary that separates each application pool, so that when one worker process or application has an issue or recycles, other applications or worker processes are not affected.

One application pool can also have multiple worker processes.

IIS hosts the websites, and the websites run under application pools.

Every site can have its own application pool, or it uses the default application pool.

If there is an issue with a site's own application pool it impacts only that website, but if the issue is with the default application pool it impacts all the sites that use it.

We can set the logging for the sites at the server level in IIS.

HTTP redirect: this is the feature used to redirect to a page for a site during its downtime.

Authentication:

Here we have several authentication options:

Anonymous authentication:

ASP.NET impersonation:

Another important security feature is the ability to control the identity under which code is executed. Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account. This is contrary to the default behavior of ASP, which uses impersonation by default. In Internet Information Services (IIS) 6, the default identity is the NetworkService account.

If you enable impersonation, ASP.NET can either impersonate the authenticated identity received from IIS or one specified in the application’s Web.config file.

• Impersonation is disabled. This is the default setting. For backward compatibility with ASP, you must enable impersonation and change the ASP.NET process identity to use the Local System account. In this instance, the ASP.NET thread runs using the process token of the application worker process regardless of which combination of IIS and ASP.NET authentication is used. By default, the process identity of the application worker process is the ASPNET account. For more information, see ASP.NET Process Identity.

<identity impersonate="false" />

• Impersonation enabled. In this instance, ASP.NET impersonates the token passed to it by IIS, which is either an authenticated user or the anonymous Internet user account (IUSR_machinename).

<identity impersonate="true" />

• Impersonation enabled for a specific identity. In this instance, ASP.NET impersonates the token generated using an identity specified in the Web.config file.

<identity impersonate="true"
          userName="domain\user"
          password="password" />

Basic authentication

Forms authentication

Windows authentication

ASP.NET Delegation

Impersonation enables ASP.NET to execute code and access resources in the context of an authenticated and authorized user, but only on the server where ASP.NET is running. To access resources located on another computer on behalf of an impersonated user requires authentication delegation (or delegation for short). You can think of delegation as a more powerful form of impersonation, as it enables impersonation across a network.

1. IIS first checks to make sure the incoming request comes from an IP address that is allowed access to the domain. If not, it denies the request.

2. Next, IIS performs its own user authentication if it is configured to do so. By default IIS allows anonymous access, so requests are automatically authenticated, but you can change this default on a per-application basis within IIS.

3. If the request is passed to ASP.NET with an authenticated user, ASP.NET checks whether impersonation is enabled. If impersonation is enabled, ASP.NET acts as though it were the authenticated user. If not, ASP.NET acts with its own configured account.

4. Finally, the identity from step 3 is used to request resources from the operating system. If ASP.NET can obtain all the necessary resources it grants the user's request; otherwise the request is denied. Resources can include much more than just the ASP.NET page itself: you can also use .NET's code access security features to extend this authorization step to disk files, registry keys and other resources.

The Windows authentication provider lets you authenticate users based on their Windows accounts. This provider uses IIS to perform the authentication and then passes the authenticated identity to your code. This is the default provider for ASP.NET.

The Passport authentication provider uses Microsoft's Passport service to authenticate users.

The Forms authentication provider uses custom HTML forms to collect authentication information and lets you use your own logic to authenticate users. The user's credentials are stored in a cookie for use during the session.

<authentication mode="Windows" />

<authentication mode="Passport" />

<authentication mode="Forms" />

How SSL works:

When you open a website like facebook.com or gmail.com, the browser first creates a TCP connection to the web server of that site.

If we send the password for these accounts in the clear, there is a chance of it being intercepted.

So we use cryptography.

In one method we encrypt the data using a key and decrypt it using the same key. This is called a symmetric key.

This is not a good option on its own, as the same key would have to be shared with the other side to decrypt the data.

What if we use one key for encryption and another key for decryption? This is called an asymmetric key pair.

We use the public key to encrypt the data and the private key to decrypt it.

Here is how the SSL handshake works.

After the TCP connection is established, the SSL handshake starts.

First, the client sends a Client Hello message which contains the client's highest SSL version, its ciphers/compression methods and random data.

The server responds with the SSL version that will be used, the chosen cipher/compression, random data and a session ID for the session.

After this, the server sends its digital certificate, and this certificate serves two purposes:

1. It carries the server's public key and also the chain of certificates.

2. It establishes the identity of the server the response is coming from.

Then the server sends a Server Hello Done message.

Then the client sends a Certificate Verify message.

The client then sends a Change Cipher Spec message, meaning that from now on the data sent over this HTTP session will be encrypted.

The browser sends a Finished message covering all the messages exchanged so far, to check that none of the messages have been tampered with.

The server sends its Change Cipher Spec message.

The server sends a Finished message covering all the messages exchanged so far, to check that none of the messages have been tampered with.

At this point the SSL handshake is said to be complete, and the browser can generate the secret key that the session will use to encrypt and decrypt.

This key can only be decrypted by the server.

If any of these validations fail, the SSL connection is terminated and the browser shows an error.
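The handshake above carried through as a toy, single-process simulation in PowerShell (an example added here, not the post's own material). It uses only the .NET crypto classes available in Windows PowerShell; the message formats are invented, so this is not real TLS, but the roles the text describes (two randoms, a public key carried by the certificate, a secret only the server can decrypt, and Finished messages checked over the whole transcript) are what it shows.

```powershell
# Toy handshake simulation: both "sides" live in one process, message formats are made up.
function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf
}
function Get-Hex([byte[]]$Bytes) { [BitConverter]::ToString($Bytes) -replace '-', '' }
function Get-Finished([byte[]]$Key, [byte[]]$Transcript) {
    # Finished = HMAC(session key, hash of every handshake message seen so far)
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Transcript)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    $mac = $hmac.ComputeHash($digest)
    return ,$mac
}
function Invoke-ToyHandshake([switch]$TamperInTransit) {
    # Client Hello: highest version, cipher list, client random
    $clientRandom = New-RandomBytes 32
    $clientHello = [byte[]]([Text.Encoding]::ASCII.GetBytes('TLS1.2;AES128-GCM-SHA256,AES256-GCM-SHA384;') + $clientRandom)
    # Server Hello: chosen version and cipher, server random, session id
    $serverRandom = New-RandomBytes 32
    $serverHello = [byte[]]([Text.Encoding]::ASCII.GetBytes('TLS1.2;AES128-GCM-SHA256;') + $serverRandom + (New-RandomBytes 16))
    # Certificate carries the public key (here just the modulus), then Server Hello Done
    $serverRsa = [System.Security.Cryptography.RSA]::Create()
    $clientRsa = [System.Security.Cryptography.RSA]::Create()
    $clientRsa.ImportParameters($serverRsa.ExportParameters($false))   # public half only
    $certificate = [byte[]]$serverRsa.ExportParameters($false).Modulus
    $helloDone = [Text.Encoding]::ASCII.GetBytes('ServerHelloDone')
    # The client makes the secret and sends it encrypted with the public key: only the server can decrypt it
    $preMaster = New-RandomBytes 48
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
    $keyExchange = $clientRsa.Encrypt($preMaster, $oaep)
    $serverPreMaster = $serverRsa.Decrypt($keyExchange, $oaep)
    # Both sides derive the session key from the secret plus the two randoms
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $clientKey = $sha.ComputeHash([byte[]]($preMaster + $clientRandom + $serverRandom))
    $serverKey = $sha.ComputeHash([byte[]]($serverPreMaster + $clientRandom + $serverRandom))
    # Change Cipher Spec, then Finished over the transcript as each side saw it
    $clientView = [byte[]]($clientHello + $serverHello + $certificate + $helloDone + $keyExchange)
    $serverView = [byte[]]$clientView.Clone()
    if ($TamperInTransit) { $serverView[40] = $serverView[40] -bxor 1 }   # one byte altered on the wire
    $clientFinished = Get-Finished $clientKey $clientView
    $expected = Get-Finished $serverKey $serverView
    # A Finished mismatch is the validation failure after which the connection is terminated
    [pscustomobject]@{
        SameSessionKey   = (Get-Hex $clientKey) -eq (Get-Hex $serverKey)
        FinishedVerified = (Get-Hex $clientFinished) -eq (Get-Hex $expected)
    }
}
Invoke-ToyHandshake
Invoke-ToyHandshake -TamperInTransit
```

The second call shows that both sides still derive the same key, but the Finished check fails as soon as one handshake byte differs between what the client sent and what the server saw.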

Server certificates:

This shows which certificates are installed at the server level.

Edit Permissions for the site is used to give permissions on the site's folder, share it, etc.

SSL settings: here we have the settings for the client certificate.

To see the certificate bound to a site, go to the site, right-click, choose Edit Bindings and edit the binding; there you can see the certificate.

If we want to add or remove services we can use Server Manager, Roles -> Web services, and do it from there.
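The checks scattered through these notes (which pool and identity each site runs under, whether anonymous authentication is still on, the ASP.NET authentication mode and impersonate setting from Web.config, and which certificate is bound to each site) collected into one PowerShell function. This is an example added here, not something from the post; it assumes an elevated Windows PowerShell session on the IIS server with the WebAdministration module and the Windows Authentication role service installed.

```powershell
Import-Module WebAdministration   # ships with the IIS role; run in an elevated Windows PowerShell

function Get-IisSiteSecuritySummary {
    # One row per binding: pool and identity, IIS and ASP.NET authentication, bound certificate
    foreach ($site in Get-Website) {
        $sitePath = "IIS:\Sites\$($site.Name)"
        $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
        if ($pool.processModel.identityType -eq 'SpecificUser') {
            $poolIdentity = $pool.processModel.userName
        } else {
            $poolIdentity = $pool.processModel.identityType   # ApplicationPoolIdentity, NetworkService, ...
        }
        # IIS-level authentication: anonymous access is on by default
        $anon = Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/security/authentication/anonymousAuthentication'
        $win  = Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/security/authentication/windowsAuthentication'
        # ASP.NET-level settings from web.config: <authentication mode="..."> and <identity impersonate="..."/>
        $aspAuth  = Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/authentication'
        $identity = Get-WebConfiguration -PSPath $sitePath -Filter 'system.web/identity'
        foreach ($binding in Get-WebBinding -Name $site.Name) {
            $cert = $null
            if ($binding.protocol -eq 'https' -and $binding.certificateHash) {
                $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
                $cert = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
            }
            $expired = $null
            if ($cert) { $expired = $cert.NotAfter -lt (Get-Date) }
            [pscustomobject]@{
                Site           = $site.Name
                AppPool        = $site.applicationPool
                PoolIdentity   = $poolIdentity
                AnonymousAuth  = $anon.enabled
                WindowsAuth    = $win.enabled
                AspNetAuthMode = $aspAuth.mode
                Impersonate    = $identity.impersonate
                Binding        = "$($binding.protocol) $($binding.bindingInformation)"
                CertSubject    = $cert.Subject
                CertExpires    = $cert.NotAfter
                CertExpired    = $expired
            }
        }
    }
}

Get-IisSiteSecuritySummary | Format-Table -AutoSize
```

Rows where several sites share one pool identity, where AnonymousAuth is still True on a site that expects Windows or Forms authentication, or where CertExpired is True are the ones to review first.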

regards,

Chaitanya
