ssl diagnostics for iis7

I have spent the better part of the day trying to figure out why a client cert that’s sent to our servers just plain out doesn’t work. We get a 403.17 when we shouldn’t. It’s maddening because all we can get out of IIS is the 403.17, and since we do not own the client cert, there’s no easy way for us to test. So we have to trust that our b2b partner has things set up right (we don’t think they do) and then wait 30-35 minutes in between requests for them to re-test. It’s maddening.

This post contains some good troubleshooting info and steps.

Here is a link to some info and a utility for mapping client certs, something that Microsoft inexplicably left out of IIS7. (Why?!)

Another tool I found during this whole process was the IIS7 SSL checker utility. It didn’t help (hasn’t helped) our specific situation, but it is something that looks useful that I will save for future problems that will definitely come up.

windows 7, getting that app back on a monitor you actually have

Windows does a horrible job of recognizing that a monitor is gone and still sends your program’s window to it. (An example would be if you have a laptop in a dock with 2 monitors at work, but at home you just use the laptop display – not an unheard-of pattern of use.) In the pre-W7 days, you could right-click on it in the taskbar, choose “move” and then arrow-key the thing around; unfortunately, in W7 they took that away. It took me a whole lot of searching to find a solution, and it was in the comments of a post about the old trick in Vista. So, the trick is:

If you hit the Windows Logo Key plus the left or right arrow keys it snaps the off-screen window to the left or right side of the desktop (of the “active” display).

script: creating an app pool, application and assigning the pool to the application

As usual, this one was harder than it should have been. Granted, this task is pretty easy through the UI, but I have a bunch of environments to manage that must be the same… except for minor exceptions like the names of the site. Of course you have to supply the name of the site in these scripts. So what I did was find a way to output the name of the site based off the url of http://localhost and then set that to an environment variable that we use for the rest of the script.

You call this script with: scriptname vdirname path

******script******

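set vdir=%1

rem Not named "path": setting that would overwrite the PATH environment variable
set physpath=%2

echo %vdir%
echo %physpath%

%windir%\system32\inetsrv\appcmd add apppool /name:%vdir%

rem Look up the name of the site that answers on http://localhost
FOR /F "tokens=*" %%i in ('%windir%\system32\inetsrv\appcmd list site http://localhost /text:site.name') do SET IISSITENAME=%%i

rem Site name is quoted because it may contain spaces
%systemroot%\system32\inetsrv\APPCMD add app /site.name:"%IISSITENAME%" /path:/%vdir% /physicalPath:%physpath%

%systemroot%\system32\inetsrv\APPCMD set app "%IISSITENAME%/%vdir%" /applicationPool:%vdir%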

******script******

script: iis7 making compression work

This was harder than it should have been. The permissions were wrong on the inetpub\temp\IIS Temporary Compressed Files folder and it made things difficult to fix. Here’s the script that I wrote. Basically we are setting the directory (probably redundant but I would rather play it safe), making the directory, applying the permission, and then enabling the compression.

You will need to go to a working server and export the permissions and run this first (I could let you have my file, but what admin would download a random file from some dude on the internet and run it? Not me!) Here’s the command that does that:

icacls "c:\inetpub\temp\IIS Temporary Compressed Files" /save cinetpubtempiiscompressedfiles.acl

Then place that file with your script and run it on the offending server.

******Script*********

mkdir "C:\inetpub\temp\IIS Temporary Compressed Files"

icacls c:\inetpub\temp /restore cinetpubtempiiscompressedfiles.acl

%windir%\system32\inetsrv\appcmd set config -section:system.webServer/httpCompression -directory:"C:\inetpub\temp\IIS Temporary Compressed Files"

%windir%\system32\inetsrv\appcmd set config -section:urlCompression /doDynamicCompression:true

******Script*********
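
Added example (not part of the original post): a Python check that reads an icacls /save export and lists allow entries giving write-type access to broad groups, so the file can be reviewed before icacls /restore applies it. It assumes the export is UTF-16LE text with alternating path and SDDL lines; the sample bytes and the choice of "broad" principals are constructed for illustration.

```python
import re

# Access-mask bits that allow changing the folder's contents or its ACL.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
# SDDL rights codes and the access masks they stand for.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
          "GX": 0x20000000, "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8,
          "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Principals treated as "broad" (an assumption of this example, adjust to taste).
BROAD = {"WD": "Everyone", "S-1-1-0": "Everyone",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "BU": "Users", "S-1-5-32-545": "Users",
         "AN": "Anonymous", "S-1-5-7": "Anonymous"}
# ACE layout: (type;flags;rights;object;inherit_object;account)
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")


def rights_mask(text):
    """Turn an SDDL rights field (hex or two-letter codes) into a bit mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError on an unknown code: inspect by hand
    return mask


def risky_aces(raw):
    """Return (path, principal, mask) for allow ACEs giving write to broad groups."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found = []
    for path, sddl in zip(lines[0::2], lines[1::2]):
        dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)  # DACL only, skip any SACL
        for ace_type, rights, sid in ACE.findall(dacl.group(1) if dacl else ""):
            if ace_type == "A" and sid in BROAD and rights_mask(rights) & WRITE_BITS:
                found.append((path, BROAD[sid], hex(rights_mask(rights))))
    return found


# Constructed sample, not a real export from any server.
SAMPLE = ("IIS Temporary Compressed Files\r\n"
          "D:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
          "(A;OICI;0x1200a9;;;BU)(A;OICI;FW;;;WD)\r\n").encode("utf-16-le")

if __name__ == "__main__":
    for hit in risky_aces(SAMPLE):
        print("review before restoring:", hit)
```

An empty result only means none of the listed principals has write-type access; the remaining entries in the file still deserve a read.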