What's the most efficient way to install Internet Information Server (IIS) 4.0?

Thousands of IIS 4.0 servers are in use, even though Internet Information Services (IIS) 5.0 gets most of the press these days. My current IIS 4.0 installation procedure is as follows:

  • Install Windows NT 4.0.
  • Install NT Service Pack 6a (SP6a).
  • Install the most recent version of Microsoft Internet Explorer (IE).
  • Install IIS 4.0 and any other NT 4.0 Option Pack features you require. You'll get a scary message that IIS hasn't been tested to work with anything later than NT 4.0 SP3, but don't worry. Cruise by that message and continue with the installation.
  • Reapply NT SP6a.
  • Install the July 26, 2001, post-NT SP6a Security Rollup Package (SRP). You can download the SRP at http://www.microsoft.com/ntserver/nts/downloads/critical/q299444/default.asp. To read more information about the SRP, see the Microsoft article "Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)" (Q299444, http://support.microsoft.com).
  • Install Microsoft Security Bulletin MS01-044 (15 August 2001 Cumulative Patch for IIS). This bulletin is available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp. For more information about the patch, see the Microsoft article "MS01-044: Patch Available for SSI Privilege Elevation Vulnerability" (Q301625, http://support.microsoft.com).
  • Install Microsoft Data Access Components (MDAC) 2.6 SP1.
  • Reinstall IE.

If necessary, install available updates for the following features:

  • Active Directory Service Interfaces (ADSI—http://www.microsoft.com/ntworkstation/downloads/other/adsi25.asp)
  • Microsoft FrontPage 2002 Server Extensions and Microsoft SharePoint Team Services (http://msdn.microsoft.com/library/en-us/dnservext/html/fpse02win.asp?frame=true)
  • FrontPage 2000 Server Extensions (http://msdn.microsoft.com/library/?url=/library/enus/dnservext/html/winfpse.asp?frame=true)
  • MDAC (http://www.microsoft.com/data/download.htm)
  • Windows Script components (http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28001169)

At this point, use the Rdisk /s command to recreate any Emergency Repair Disks (ERDs) you made during NT installation. See the Microsoft article "Repair Windows NT After Installation of Service Pack 4 and Later" (Q196603, http://support.microsoft.com) for recommendations.

My company uses one Windows 2000 server as a file server and one Win2K server as a Web server. I used Internet Services Manager (ISM) to create a virtual directory on the Web server, and I used a Universal Naming Convention (UNC) pathname to configure the virtual directory to point to a remote share on the file server. IIS and the virtual directory seem to work correctly, but an error icon appears next to the virtual directory object when I try to view the directory through the Microsoft Management Console (MMC) Internet Information Services console on the Web server. How can I get rid of this icon?

The problem is that the Internet Information Services console enumerates the file server's directory listing under the user account that's logged on to MMC rather than the user account you specified for authentication in the virtual directory's Connect As setting. When you click the virtual directory, the message "Unable to enumerate file and directories because the following error occurred: Logon failure: unknown user name or bad password" appears because no user account on the file server matches the user who's logged on to MMC. You can't see the files and folders in the Internet Information Services console, but IIS serves up the files as usual. To remove the icon, open the Internet Information Services console through a user account that has rights to view the virtual directory on the remote share.

Note that the user account you select for authentication on the virtual directory must be a valid account on the Web server; if the Web server can't authenticate the account locally, redirection will fail. The account can be a domain account that's valid on both servers, or you can create identical accounts (i.e., with the same username and password) on both the file server and Web server. See the sidebar "Virtual Directory Authentication" for further explanation of this process.
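To see the two accounts involved side by side, the following script (an added example, not part of the original column) walks a Web site's metabase tree through the IIS ADSI provider and lists each UNC-backed virtual directory with its Connect As account (`UNCUserName`), next to the account that is running the script. The site path `IIS://LocalHost/W3SVC/1/Root` is an assumption (the default Web site); run the script on the Web server with `cscript //nologo` under an administrative account.

```vbscript
Option Explicit

' Assumption: the default Web site is instance 1. Change for other sites.
Const SITE_ROOT = "IIS://LocalHost/W3SVC/1/Root"

Dim net, consoleUser
Set net = CreateObject("WScript.Network")
' The account the console (and this script) runs as. The console uses this
' account, not the Connect As account, when it lists the remote share.
consoleUser = net.UserDomain & "\" & net.UserName
WScript.Echo "Logged-on account: " & consoleUser
WScript.Echo

Walk GetObject(SITE_ROOT)

' Recursively visit every directory object below the given metabase node.
Sub Walk(node)
    Dim child
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Then Report child
        If child.Class = "IIsWebVirtualDir" Or _
           child.Class = "IIsWebDirectory" Then Walk child
    Next
End Sub

' Print virtual directories whose physical path is a UNC share.
Sub Report(vdir)
    Dim target, account
    target = vdir.Path
    If Left(target, 2) <> "\\" Then Exit Sub   ' local path, not redirected

    account = vdir.UNCUserName                 ' the Connect As user name
    If account = "" Then account = "(none set)"

    WScript.Echo vdir.ADsPath
    WScript.Echo "  Share:      " & target
    WScript.Echo "  Connect As: " & account
    If LCase(account) <> LCase(consoleUser) Then
        WScript.Echo "  Note: the console lists this share as " & _
                     consoleUser & ", so that account needs rights on it too."
    End If
    WScript.Echo
End Sub
```

The script only reads the metabase; it never touches `UNCPassword`.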

We recently used the Internet Information Services (IIS) 5.0 IIS Certificate Wizard to create a certificate request for use on our company's intranet. Because of a merger, however, this certificate won't be issued for a while—and we need to install a certificate now. We want to issue a self-signed certificate, but when we restart the IIS Certificate Wizard, the only options we receive are Process the pending request and install the certificate and Delete the pending request. How can we keep the corporate certificate request active but issue another request in the meantime?

The IIS Certificate Wizard (which you access by opening the Web site's Properties dialog box, going to the Directory Security tab, and clicking Server Certificate) is a big improvement over Internet Information Server (IIS) 4.0's Key Manager but still has a few quirks. For example, the wizard doesn't require that the certificate you install be the same certificate you requested. Here's a way you can use this glitch to work around the IIS Certificate Wizard's status-management rules and achieve your goals.

To begin, select "Delete the pending request." Then, let the wizard step you through the creation of a new certificate request. After submitting the temporary certificate request to your Certificate Authority (CA), restart the wizard and select "Process the pending request and install the certificate."

When you finally receive your corporate certificate, you have two options. Your first option is to use the wizard's "Remove the current certificate" option, then begin another certificate request for your permanent certificate. This process places the wizard in a state in which it thinks a request has been made, so it's ready to import a new certificate. After submitting the request, delete the certificate request file that the wizard created and relaunch the wizard. This time, you can go ahead and import the corporate certificate.

The second option is to use the IIS Certificate Wizard's "Replace the current certificate" option. First, open the server's certificate store, right-click the corporate certificate file, and select Install Certificate to launch the Certificate Import Wizard. Click Next and make sure that the "Automatically select the certificate store based on the type of certificate" check box is selected. Click Next, then click Finish. Launch the IIS Certificate Wizard and select the "Replace the current certificate" option, which opens the certificate store and displays the installed certificates. Select the corporate certificate, which will appear among the choices.