Are you one of the many people challenged with setting up a Web server? And do you plan to run Windows NT 4.0 Server on your network? If so, you need to know that Microsoft includes Internet Information Server (IIS) 2.0 with NT 4.0 Server and a peer version of IIS in NT 4.0 Workstation. (Steve Genusa reviews IIS, starting on page 62.)

Q: How do I install IIS?

Microsoft's integration of IIS into the OS makes setting up your Web server easier than with IIS 1.0. While installing NT 4.0, you can set up and configure your Internet services, including Web, FTP, and Gopher. If you've already installed NT 4.0, you can add IIS through the Control Panel. Click Network and then Services. Choose Add and select Microsoft Internet Information Server 2.0.

Follow the Setup routine carefully, because you must decide where to put the server and content directories as you go. You must also determine how much disk space you need. In addition to allocating approximately 5MB of disk to IIS, you need disk space for content you create for your Web site. If you plan to secure your site, your Web content must reside on an NT File System (NTFS) partition. By default, the content directories are in c:\inetpub\ (in IIS 1.0, the content directories were in c:\inetsrv\). Have your NT 4.0 CD handy so Setup can copy the necessary files.

Once you install IIS, a default Web site is up and running. To test your new Web server, connect to it with a Web browser on the server or on a networked PC. If you have Internet Explorer (IE), view the Microsoft IIS home page at http://[your server name]. This page (default.htm) is in the \inetpub\wwwroot directory, which is the default directory for your Web content. Under \inetpub, you also see \ftproot and \gophroot, if you installed FTP and Gopher. If you want to revise your Web pages, this is where you'll find them.

Q: What's new in IIS 2.0?

Once you install, test, and troubleshoot IIS, you can customize the default page to suit your needs or replace it. If you used IIS 1.0 on NT Server 3.51, you'll notice several other improvements in IIS 2.0:

  • Microsoft integrated IIS 2.0's setup with NT 4.0 setup.
  • IIS 2.0 returns host headers, rather than IP addresses, in the universal resource locator (URL) to the browser on redirection.
  • IIS 2.0 supports National Center for Supercomputing Applications (NCSA)-style map files and CERN map files.
  • IIS 2.0 supports Hypertext Transfer Protocol (HTTP) byte range copy.
  • IIS 2.0 supports enhanced logging of several IIS functions to the server log file.
  • Internet Database Connector (IDC) lets you use server variables in IF statements.
  • IDC also supports SQL query grouping as batch or multiple queries.
  • All environment variables defined in the Common Gateway Interface (CGI) specification are available to CGI applications.
  • You can use Hypertext Markup Language (HTML) through any Web browser to administer IIS from clients.
  • Microsoft added a graphical Key Manager tool for generating keys required in SSL security.

Dynamic Publishing
For advanced publishing, IIS lets you add content to your Web site by means of databases, Internet Server API (ISAPI) DLLs, and CGI scripts. With IDC script files, you can query or insert data into an Open Database Connectivity (ODBC)-compliant database such as SQL. You can also increase your site's interactivity by using CGI scripts written with Perl, C++, and even Visual Basic 4 (WinCGI scripts). With the ISAPI interface, you can create scripts with Microsoft Visual C++ 4.1 or 4.2. These scripts are faster than CGI or WinCGI scripts because they run in-process with IIS.

Q: How do I control access to my Web server?

IIS 1.0 and 2.0 provide three methods for authenticating users accessing a Web service: anonymous logon, basic authentication, and Windows NT challenge/response.

Anonymous logon. When you install IIS, it creates an account called iusr_<computername>, where <computername> is your network computer name. This account impersonates all anonymous users who connect to Web, FTP, or Gopher services on the server. This user account's only unique feature is the requirement that it have the Log on Locally user right, in the user manager\policies\user rights. All activities IIS performs on behalf of anonymous users must occur through this account. For example, if the IUSR account doesn't have access to the \system32 directory, DLLs that ODBC and Perl (and other programs) use won't load, causing scripts to fail.

Anonymous logon authentication secures Web and FTP content. IIS uses the access control lists on NTFS partitions to verify whether someone has access to a file or Web page. You can use NT Explorer or File Manager to set permissions on files. IIS uses local accounts by default, and like the IUSR account, any individual accounts IIS uses must have the Log on Locally user right. For example, to grant all users access to the \wwwroot directory and to a private area for elite friends or customers, you can create a subdirectory under \wwwroot and name it. Place the appropriate permissions on the private directory for the users to whom you want to grant access. For the permission changes to take effect immediately, exit all three Internet services in Internet Service Manager and then restart them. These steps update the token cache that IIS keeps for performance reasons. Ordinarily, this cache updates at 15-minute intervals.

Basic authentication. If you have problems getting anonymous logon authentication to work, try basic authentication. More browsers on the market support basic authentication than Windows NT challenge/response.

Windows NT challenge/response. This authentication method (also known as NTLM) is an encrypted way of passing the credentials across the Internet. NTLM is safer than basic authentication, which uses a clear text method. Both IE 2.0 for Windows 95 and IE 3.0 support NTLM.

Scripts

Q: What is WinCGI? How is it related to CGI?

IIS 1.0 and 2.0 support CGI scripts and ISAPI DLL scripts. You refer to these scripts as server extensions because they extend the functionality of your Web server.

WinCGI is another server extension specification similar to CGI, but WinCGI is usually used with scripts written in Visual Basic (VB). For a WinCGI script to run with IIS, you need a wrapper that performs standard input and output functions on behalf of your script. Scripts written with languages such as VB don't have standard I/O capability. The IS2WCGI sample included with the Microsoft ISAPI Software Development Kit is a wrapper that works with IIS. You can modify and compile your own version of this DLL (is2wcgi.dll) or obtain a compiled version from a third party.

You can obtain other freeware or shareware wrappers that work in a similar fashion to IS2WCGI on the Internet. We provide URLs at the end of this article to get you started.

Q: Do CGI scripts written with Perl work with IIS?

Perl scripts work with IIS if you install a Perl interpreter for NT. For example, you can download Hip Communications' Perl interpreter from the Internet.

To use Perl, install it, copy your Perl scripts to the IIS \scripts directory, and then create a script map in the IIS registry. Be careful not to place perl.exe in your scripts directory, or unwelcome visitors can attempt to issue Perl commands that can destroy your data. Here's the correct Registry location:

hkey_local_machine\system\currentcontrolset\services\w3svc\parameters\script map

Choose Edit\Add Value:

Value Name: .pl (Perl scripts usually use the .pl extension)

Data Type: REG_SZ

String: <Path to perl.exe and parameters> Example: c:\perl5\perl.exe %s %s

Script mapping lets you associate your script with an interpreter such as Perl. This technique is unique to IIS but similar to a file association in File Manager.
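The following check is an added example, not code from the original article or from Microsoft. It audits script map values against the directories that have execute permission and reports an interpreter that is mapped from, or copied into, such a directory. The c:\inetpub\scripts path, the file listing, and the finding names are constructed for illustration.

```python
import ntpath
import re

# Leading path of a script map value, quoted or not, up to .exe or .dll.
_INTERPRETER = re.compile(r'^\s*"?(.+?\.(?:exe|dll))"?(?=\s|$)', re.IGNORECASE)


def _norm(path):
    """Normalize a Windows path so comparisons ignore case and separators."""
    return ntpath.normcase(ntpath.normpath(path))


def _inside(path, directory):
    """True when path lies below directory."""
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def interpreter_path(command):
    """Extract the interpreter binary from a script map value."""
    match = _INTERPRETER.match(command)
    if match is None:
        raise ValueError("no interpreter path in script map value: %r" % command)
    return _norm(match.group(1))


def audit_script_map(script_map, executable_dirs, executable_dir_files):
    """Return findings as (kind, subject, path) tuples; empty means clean."""
    findings = []
    interpreters = {ext: interpreter_path(cmd) for ext, cmd in script_map.items()}

    # 1. The mapped interpreter itself sits in a directory clients can execute from.
    for ext, binary in sorted(interpreters.items()):
        if any(_inside(binary, d) for d in executable_dirs):
            findings.append(("mapped-interpreter-in-executable-dir", ext, binary))

    # 2. A copy of a mapped interpreter was dropped next to the scripts.
    names = {ntpath.basename(b) for b in interpreters.values() if b.endswith(".exe")}
    for path in executable_dir_files:
        candidate = _norm(path)
        if candidate in interpreters.values():
            continue  # already reported by check 1
        if ntpath.basename(candidate) in names and any(
            _inside(candidate, d) for d in executable_dirs
        ):
            findings.append(
                ("interpreter-copy-in-executable-dir", ntpath.basename(candidate), candidate)
            )
    return findings


# Constructed sample data (not taken from a real server).
EXEC_DIRS = [r"C:\InetPub\scripts"]
MAP_AS_IN_ARTICLE = {".pl": r"c:\perl5\perl.exe %s %s"}
MAP_MISPLACED = {".pl": r'"C:\InetPub\Scripts\perl.exe" %s %s'}
FILES_CLEAN = [r"C:\InetPub\scripts\guestbook.pl"]
FILES_WITH_COPY = FILES_CLEAN + [r"C:\InetPub\scripts\PERL.EXE"]

if __name__ == "__main__":
    for label, smap, files in (
        ("article layout", MAP_AS_IN_ARTICLE, FILES_CLEAN),
        ("copy in scripts", MAP_AS_IN_ARTICLE, FILES_WITH_COPY),
        ("map points into scripts", MAP_MISPLACED, FILES_CLEAN),
    ):
        print(label, audit_script_map(smap, EXEC_DIRS, files))
```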

FTP

Q: I created a virtual directory for my FTP service, but users can't see it. Why not?

NT doesn't support symbolic linking, so when you create a virtual directory outside the FTP root directory, the virtual directory isn't visible. You can change the directory and use it, but you won't see it when issuing a DOS DIR or UNIX LS command. (This invisibility can be useful if you want to create a secret directory, because users won't know the name of the secret directory.) Most systems administrators want the directory to be visible. You can get around the visibility problem by creating your virtual directory outside your FTP root directory and then creating a dummy directory inside the FTP root directory, giving it the same name as the alias for the virtual directory. Now users can see the dummy directory, and IIS redirects them to the virtual directory when they change to the dummy.

Q: I created some user accounts so I can restrict access to my FTP server, but none of those users can log in. Why?

With all Internet server services, user accounts must have the Log on Locally user right. Make sure the non-anonymous users have this right and that they have, at minimum, Read permissions to the FTP root directory. You must stop and restart all three services before the new permissions take effect.

Q: I checked the permissions and user rights for the domain accounts that I've given access to the Web and FTP services, but they still can't log in. What am I missing?

If your server is a member of a domain, you can use local or domain accounts to restrict access. Local accounts work with no changes because IIS checks the local account database by default. For domain accounts, the user must specify both the domain name and username when logging on to the Web or FTP service, as shown in Screen 1.

You can eliminate this requirement for domain accounts by adding a Registry entry in IIS 2.0. However, altering the Registry can cause serious problems, so be careful when you change it.

Registry Path:

hkey_local_machine\system\currentcontrolset\services\servicename\parameters

where ServiceName is:

MSFTPSVC - FTP Service

GOPHERSVC - Gopher Service

W3SVC - Web Service

The default logon domain below validates a clear-text logon when no domain is specified in the username field. The default value is the domain name for servers that are domain controllers or the local computer's name (if it's a standalone).

DefaultLogonDomain REG_SZ

Range: string

Default: domainname
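The example below is added here and is not code from the original article or from IIS. It shows why the article calls basic authentication a clear-text method, and how a default logon domain applies when the username carries no domain. The DOMAIN\username form, the account names, the passwords, and the request list are assumptions constructed for illustration.

```python
import base64


def parse_basic_authorization(header_value, default_logon_domain):
    """Recover (domain, username, password) from a Basic Authorization value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    # Base64 is an encoding, not encryption: decoding needs no key.
    decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    account, colon, password = decoded.partition(":")
    if not colon or not account:
        raise ValueError("credentials are not in user:password form")
    if "\\" in account:
        domain, username = account.split("\\", 1)
    else:
        # No domain typed by the user: the configured default applies.
        domain, username = default_logon_domain, account
    return domain, username, password


def cleartext_exposures(requests, default_logon_domain):
    """List accounts whose Basic credentials crossed a connection without SSL.

    requests is an iterable of (over_ssl, authorization_header_or_None).
    """
    exposed = set()
    for over_ssl, header in requests:
        if not header or header.split(" ", 1)[0].lower() != "basic":
            continue  # anonymous or challenge/response: no password in the header
        domain, username, _password = parse_basic_authorization(
            header, default_logon_domain
        )
        if not over_ssl:
            exposed.add(domain + "\\" + username)
    return sorted(exposed)


def make_basic(credentials):
    """Build a Basic header value the way a browser would (sample data helper)."""
    return "Basic " + base64.b64encode(credentials.encode("latin-1")).decode("ascii")


# Constructed sample traffic: (over_ssl, Authorization header value).
REQUESTS = [
    (False, None),                                            # anonymous
    (False, make_basic("larry:constructed-pw-1")),            # no domain given
    (True, make_basic("WIDGETS\\bill:constructed-pw-2")),     # protected by SSL
    (False, make_basic("SALES\\george:constructed-pw-3")),    # explicit domain
    (False, "NTLM TlRMTVNTUAAB"),                             # challenge/response
]

if __name__ == "__main__":
    print(parse_basic_authorization(REQUESTS[1][1], "WIDGETS"))
    print(cleartext_exposures(REQUESTS, "WIDGETS"))
```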

Q: I host a Web server for several users. How can I let them use FTP to update their Web pages?

You can set up FTP to allow users Read and Write access to their Web pages in two ways. The following examples illustrate two common methods.

Suppose you have a Web server called www.widgets.com. On this server, you create directories for several users under \wwwroot:

d:\inetpub\wwwroot\larry

d:\inetpub\wwwroot\bill

d:\inetpub\wwwroot\george

The IUSR account has Read access to each subdirectory, and Larry, Bill, and George have full privileges to their respective directories. Anonymous users can view the pages in these directories through the Web service, and Larry, Bill, and George can connect to FTP and read and write files to these directories.

Because all your guest Web authors want to use FTP to access their Web page content, you must create a virtual directory on the FTP Service Properties screen, as you see in Screen 2, for each author's directory. Then click Edit Properties and select both Read and Write access on the Directory Properties screen, which you see in Screen 3, for each virtual directory. Because you're using NTFS security, Web and FTP services share permissions.

The second method to let users update their Web pages using FTP is to set the NTFS permissions and point the FTP home directory (with Read and Write access enabled) to the Web home directory, as you see in Screen 4.

Q: My Web site has heavy traffic. How can I balance the load between two or more servers?

When clients try to connect to your domain, they usually query a Domain Name System (DNS) server to resolve the name to an IP address. (For more on administering DNS, see Spyros Sakellariadis, "Configuring and Administering DNS," August 1996, and "Integrating and Administering DNS," September; Mark Minasi discusses IP addressing in "How to Set up IP," February; "IP Routing with NT," March; "NT Workstations Using an IP Router," May; "Unlock Your Gateway to the Internet," June; "DHCP and Assigning IP Addresses," August; and "Gateways Re-visited," on page 47.)

DNS Servers (including Microsoft's new DNS server, which is part of Windows NT 4.0) can return addresses in a round-robin fashion to clients. If you list multiple IP addresses for one host name, DNS returns the first IP address to the first client, the second IP address to the second client, and so on.

Microsoft uses this method on www.microsoft.com, where several servers share the traffic load. Each server in turn satisfies a request.

Q: When I try to install my new Secure Sockets Layer (SSL) certificate, I get the message, "Key check failed with error 0x8009030e." Why?

This error usually occurs because you haven't saved the certificate (that the Certificate Authority emailed to you) in the correct format. You must save this certificate to a text file to install it into your IIS server. If you save the certificate as Unicode in Notepad, you will get the key check error.

To ensure successful installation of your SSL certificate, make sure you save the emailed certificate as a text file. Then, if you're using the copy/paste feature to get the file into Notepad and you're still getting the error, try exporting the file to Notepad from your mail program. The certificate will look like a clean block of ASCII text after you save it, as in Figure 1.
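One way to check a saved certificate file before installing it, as an added example that is not part of the original article or of IIS: it detects a file saved as 16-bit Unicode, strips surrounding mail text, and rewrites the certificate block as plain ASCII. It assumes a Unicode save produces UTF-16 text, and the sample bytes are constructed placeholders, not a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def detect_codec(raw):
    """Guess how the editor saved the file from its leading bytes."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"        # byte-order mark present; the codec strips it
    if raw[:3] == b"\xef\xbb\xbf":
        return "utf-8-sig"
    if b"\x00" in raw:         # 16-bit text saved without a byte-order mark
        return "utf-16-le" if raw[1:2] == b"\x00" else "utf-16-be"
    return "ascii"


def to_ascii_certificate(raw):
    """Return (codec_found, ascii_bytes); raise ValueError if no usable block."""
    codec = detect_codec(raw)
    text = raw.decode(codec)
    match = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.DOTALL)
    if match is None:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    # Drop line breaks and stray spaces that mail programs insert.
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    lines = [BEGIN] + [body[i:i + 64] for i in range(0, len(body), 64)] + [END]
    return codec, ("\r\n".join(lines) + "\r\n").encode("ascii")


# Constructed sample: placeholder bytes that only look like DER.
FAKE_DER = b"\x30\x3e" + bytes(range(62))
FAKE_BODY = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_TEXT = "\r\n".join([BEGIN, FAKE_BODY[:64], FAKE_BODY[64:], END]) + "\r\n"

if __name__ == "__main__":
    saved_as_unicode = SAMPLE_TEXT.encode("utf-16")
    codec, fixed = to_ascii_certificate(saved_as_unicode)
    print("saved as:", codec, "| needs re-saving:", codec != "ascii")
    print(fixed.decode("ascii"))
```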

Q: Sometimes, when I connect to my Web server, the server name in the URL changes to the server's IP address. How can I prevent this?

This change happens when the server sends a redirect signal to the client. You can get around this situation in either of two ways. First, you can make sure you type a trailing slash at the end of your URL: Instead of www.joesplace.com, type www.joesplace.com/. Or, you can add the ReturnURLUsingHostName registry entry as follows:

Registry Path:

hkey_local_machine\system\currentcontrolset\services\w3svc\parameters

When the default is set to 0 and the server is doing redirects, the server returns its IP address to a client if the host header field isn't present. To return a host name or the server's computer name, change this registry setting to 1.

If you add a host name in the Host Name box of the DNS dialog, the server returns that name. Otherwise, it returns the server's computer name, which appears in the Host Name box by default.

To fill in a host name, open the TCP/IP property sheet in the NT Control Panel's Network application. Click the DNS tab, and type a name in the Host Name box.

FIGURE 1: Sample SSL certificate

Q: Do I need more than one network to set up virtual servers?

No. When you set up virtual servers, you must type in an IP address for each new server. You must also add this new IP address to your network card. In control panel\network\protocols\tcp/ip protocol\advanced, NT lets you add up to five different IP addresses to a network card. Just add the new IP addresses to the IP Addresses box.

Q: How can I add more than five IP addresses to my NT network card?

You must add the remaining IP addresses through the Registry editor. For details, see the Knowledge Base article Q149426 at www.microsoft.com/kb/bussys/winnt/q149426.htm.

NT 3.51 users running Service Pack 4 can run a maximum of 14 to 17 IP addresses without ordering a hot fix. This limit is from an error in Microsoft's netbt.sys. A fix in Service Pack 5 will let you run more than 14 to 17 addresses. NT 4.0 includes this fix.

Q: What is IDC? How can I use it to publish information from my database?

IDC is an interface for IIS that provides access to any Open Database Connectivity (ODBC)-compliant database from a standard HTML Web page. To use IDC, you must have IIS, an ODBC-compliant database and driver, System Data Source Name (DSN), an HTML file, an IDC file, and an HTX file.

Q: How does IIS access data from a database?

IIS uses API calls to httpodbc.dll to access data from a database. The file httpodbc.dll is an installed component that comes with IIS.

Q: How does IDC use ODBC drivers?

IDC can use SQL to return information from tables and can use the database engine to run stored procedures and queries. IDC relies on the ODBC driver to accomplish these tasks.

ODBC drivers come in many types and versions. Be sure that your ODBC driver version is compliant with your database version. For example, you cannot use the SQL Server 6.0 driver with SQL Server 6.5 and vice versa.

To check your ODBC driver version, go to control panel\odbc. In the Data Sources dialog, click Drivers, highlight the driver in question (as shown in Screen 5) and click About. Screen 6 displays background information for the SQL Server driver.

Q: What's the role of DSN with IIS database access?

For an IDC file to connect to a database, you must set up a system DSN. You cannot use an ordinary Data Source with IDC. To set up a system DSN, go to control panel\odbc. First, click System DSN, which you see in Screen 7. In the System Data Sources dialog, click Add for a new system DSN. Next, select the ODBC-compliant driver that matches the type of database you will access with IDC, as shown in Screen 8.

For IDC to work correctly, you must fill in the DSN and server for this particular DSN setup. You configure the DSN setup dialog differently for each ODBC driver. After you set up the System DSN, you must write the HTML file that calls the IDC file.

Q: What is the function of the HTML file?

You can use the HTML file in different ways. You can use a form to pass variables to an IDC file, or the HTML file can just call an IDC file that returns a standard set of information from a database.

Let's look at some examples of different ways to retrieve data from an IDC file. Listing 1 shows how to use a form to send variable data. Listing 2 shows how to use IDC to return a static set of data from a database.

The form example lets you choose one of the states in the pulldown. You can then click Submit Form to run the IDC file, or click Reset Form. IDC stores the value you select from the pulldown in a variable called state. The program passes the variable to the IDC file to let the ODBC driver perform a query in the database.

Q: How are IDC files related to HTML files?

IDC files let simple HTML files communicate with databases. You can pass several parameters through the IDC file, but it requires only three parameters: Datasource, Template, and SQLStatement. Table 1 lists and describes all the possible parameters.

IDC also offers ODBCOptions. Consult your ODBC documentation and the ODBC SDK for options that allow debugging and tuning.

Listing 3 corresponds with the HTML file in Listing 1. Together, these files provide a form for sending variable data. You can create example_1.idc and example_2.idc, which you see in Listing 4, in any text editing program (such as Notepad) that creates ASCII text files. You must store IDC files in a directory that has execute permissions, because the IDC file is a script.

I've divided the SQL statement, example_1.idc, into several lines to make it easy to read and troubleshoot. The plus sign at the beginning of each line joins the lines into one SQL statement. For the variable state, I added two more percent signs to the end. The percent signs represent a wildcard.

If the example uses the variable alone, the statement looks like this:

+WHERE state LIKE '%STATE%'

However, the IDC file in this example calls for all states that begin with the value selected in the pulldown, and any other characters can follow that prefix. In SQL, the % sign is a wildcard, but because I joined the % sign to a variable, I need two extra %% signs to bind the variable to the wildcard.

The IDC file in Listing 4 corresponds with the HTML file in Listing 2. In the static example, the IDC file queries the database, selects some fields, and then sorts the fields by the store name.

IDC files have several other uses. They can run stored procedures and stored queries. Remember that the syntax for procedures and queries will vary, depending on the database type and version.

To run a stored procedure in SQL Server, you need a SQL statement like this:

SQLStatement:
+EXEC sp_processmail @subject='My Life', @filetype='CSV', @set_user='guest'

To run a query stored in an Access database, you need a SQL statement like this:

SQLStatement:
+Select * FROM myquery

Q: What is an HTX file?

In the final stage of IDC, you return the values to the browser. An HTX file is an HTML file with some additional tags that place variable information into the page from ODBC. The first set of required tags, <%begindetail%> and <%enddetail%>, identify the beginning and end of a section for ODBC, as shown in Listing 5 (which corresponds with Listing 1) and Listing 6 (which also corresponds with Listing 1). The <% and %> markers surround the column names to tell the browser where the value belongs. In addition to standard tags, conditional tags exist. Table 2 lists tags and describes usage for each.

Q: How can I do multiple SELECTS and multiple drop-down selecting?

To perform a multiple SELECT, forget everything you know about SQL and follow one simple rule: For multiple SELECTS in one query, use the UNION command with parentheses around all SELECT statements except the first one, as you see in the following example:

SQLStatement:
+SELECT *
+FROM pubs.authors
+UNION
+(SELECT *
+FROM pubs.sales)
+UNION
+(SELECT *
+FROM pubs.titles)

Listing 7 is an example of selecting multiple items from a pulldown list.

Q: Where can I find more information on IIS?

You can find great information, user-to-user conversation, and tips at the IIS newsgroup, microsoft.public.inetserver.iis, on news server msnews.microsoft.com. For the latest IIS information from Microsoft, point your browser to microsoft.com/infoserv/. Microsoft Internet Information Server Frequently Asked Questions List is at rampages.onramp.net/~steveg/iis.html, and Windows NT Web Server Tools is at www.primenet.com/~buyensj/ntwebsrv.html. Microsoft offers fee-based technical support at 1-800-936-5900.

Contact Info
Hip Communications' Perl interpreter * www.perl.hip.com/webkit.htm