I'm trying to monitor several applications within the same site in IIS.
With just running the msi of the tracer dd-trace-dotnet, I started to see the events, but these are registered as [site name]/[application] e.g default_web_site/docs_webhook
I would love to be able to logs them under a custom service name for each application, but according to the documentation, this is only possible at the site level.
Manual instrumentation is described for windows services, setting the environment variable DD_SERVICE_NAME in the registry entry HKLM\System\CurrentControlSet\Services\{service name}\Environment is enough, but does not apply to IIS applications.
NOTE: Creating separate sites for each application is not an option right now.
For each web application that you want to configure with a different Datadog APM service name, you need to set the environment variable DD_SERVICE_NAME. If they're all running under the same IIS process, that's not possible.
In IIS there's a feature named Application Pool, which can be used to isolate multiple web applications by running them under different processes.
The first thing you need to do is to create a separate application pool for each web application. Once you're done with that, you can set a different DD_SERVICE_NAME for each application pool. The command to set an environment variable scoped to a specific application pool is
appcmd.exe set config -section:system.applicationHost/applicationPools /+"[name='MyAppPool'].environmentVariables.[name='DD_SERVICE_NAME',value='my-service']" /commit:apphost
where MyAppPool is the name of the application pool, and my-service is the service name that you want to use for the Datadog APM.
After running the above command, you have to restart IIS for the changes to take effect:
net stop was /y
net start w3svc
Starting with version 1.0 of Datadog's .NET Tracer, you can set most settings in your application's app.config/web.config file. For example, to set DD_SERVICE_NAME:
<configuration>
<appSettings>
<add key="DD_SERVICE_NAME" value="my-service"/>
</appSettings>
</configuration>
[Disclaimer: I am a Datadog employee]
Related
I have an MSBuild script that is generating a deployment script for my web app.
Project.build (excerpt)
<MSBuild Projects="xxxxx.sln" Properties="
CreatePackageOnPublish=true;
DeployOnBuild=true;
IncludeIisSettings=true;
IncludeAppPool=true;" >
<Output TaskParameter="TargetOutputs" ItemName="CompiledAssembly" />
</MSBuild>
When this is executed, it does produce a Package folder in the output that contains a deployment .cmd file and associated .zip file.
xxxx.SetParameters.xml (generated)
<?xml version="1.0" encoding="utf-8"?>
<parameters>
<setParameter name="IIS Web Application Name" value="Default Web Site\xxxxx" />
<setParameter name="DefaultConnection-Web.config Connection String"
value=" ... snipped ..." />
</parameters>
As you can see, there is no reference to app pool here. Likewise, there is mention of app pool in the generated xxxx.zip\parameters.xml
When I execute xxxxxx.deploy.cmd /Y, it correctly creates the application in IIS. The problem is, it seems to use the default application pool for the machine. It's a .net 4 app, so if the default is .net 2, the app fails to run.
Is there a way to make the deployment script include an app pool definition so that it won't require manual app pool changes to run?
I did find this question, which seems to be the same. However, as you can see, I've already included the answer from that question, and it has no effect.
If you're trying to deploy a 4.0 app to a 2.0 default app pool without providing an override it will not fail to run but fail to deploy, MSDeploy would simply fail to precreate a virtual app with ERROR_APPPOOL_VERSION_MISMATCH error.
IncludeAppPool is the correct property, but it only tells the packager to include the settings, you have to provide the source, i.e. the "master" virtual app with correct app pool to copy from.
Open project properties and switch from IIS Express to Local IIS, this will enable app pool flag under the package/publish options. I believe you can switch back afterwards, the settings will remain.
This would basically do 2 things, add <IncludeAppPool>true</IncludeAppPool> as well as add the master app under <WebProjectProperties> section. Now when you build or package your source manifest will not have the managedRuntimeVersion requirement but your parameters will now have IIS Web Application Pool Name to customize.
If you want to actually create a new app pool then it gets tricky. I'm not aware of a way to create it during iisApp creation or with some MSBuild flag, but with MSDeploy (the tool behind your .cmd) it would require a dump of your local pool and sync up with appPoolConfig provider, probably as part of your .build script before the .cmd call.
msdeploy -verb:sync -source:appPoolConfig=Foo -dest:package=foo.zip
msdeploy -verb:sync -source:package=foo.zip -dest:appPoolConfig=Foo,computerName=Bar
Keep in mind that without specifying individual appPoolConfig the sync, as it should, would destroy other pools, so do -whatIf first just in case.
You can probably try to merge the archive.xml of your package and the archive.xml with the app pool definition, but I can't image how it would work and what relationship between iisApp and appPoolConfig providers is there.
Edit: You can use manifest provider to combine package or iisApp with appPoolConfig
This question seems to be similar to this one: IIS site not using identity specified in app pool IIS 7 +
However, there are no answers there.
There's a tl;dr at the bottom.
A thing to keep in mind is that I'm not the one who set up the server so they may have changed some settings I don't know about.
We have an ASP.NET web service running on IIS 7. The web service is set to use DefaultAppPool, and the app pool's Identity is set to a domain user (let's say it's "localdomain\user1").
The web service was unable to save to a certain network folder, so we gave localdomain\user1 read/write permissions to that folder. It still can't save there, however.
I can't remote debug, and it works fine on my own computer (probably because it's running in Visual Studio's IIS express and my user does have access), so I tried to change the web service so that the error message contains the user name it's running under.
If I use Environment.UserName to get it, the result is "IUSR". If I use System.Security.Principal.WindowsIdentity.GetCurrent().Name, it returns "NT AUTHORITY\IUSR".
Unless the above methods are not reliable, the web service seems to be running under the default user (IUSR) and not the one set in its application pool. I can't figure out why, can anyone explain?
EDIT: The Task Manager on the server, if I log in using RDP, shows that the w3wp.exe process IS being run by user1. I'm not sure which one to believe.
Thank you.
tl;dr: The web service's application pool is set to a domain user, but it seems to be running under IUSR anyway. How do I prevent that?
Impersonation was the issue. I didn't know this was a setting in the web service's web.config.
Changing <identity impersonate="true"/> to <identity impersonate="false"/> allows it to run as localdomain\user1.
We have a Windows Azure cloud service application i.e. ASP.NET MVC web application which is hosted on production slot and uses SSL , it also has ACS configured on it.
I want to deploy the same application on the Staging slot of the cloud service where we have this GUID.cloudapp.net.
Is it possible that, when my application is running in the staging slot it will refer to another web.config and when I will swap the deployment to the production slot then the application should refer another web.config?
Why I want to do this is because I have ACS configured on my application whose settings are defined in the web.config file e.g. realm.
Any feedback on this will be appreciated.
I have managed this by modifying the web.config on Role start method.
More information at - ACS settings in Windows Azure cscfg
When trying to deploy an ASP.NET application deployment package to IIS, I receive an error
(The application pool that you are trying to use has the 'managedRuntimeVersion' property set to 'v2.0'. This application requires 'v4.0'.
I have taken these steps:
ensured my server's default .NET Framework version is 4 (restarted the IIS service on the machine)
ensured my web application is set for .NET 4
ensured the application's web.config has no references to requiring .NET 2 or 3.5
What is the root cause of this error, and how can it be solved?
Web Deploy uses the default IIS web site settings while publishing. To change/confirm this on your IIS machine:
go to IIS->Default Web Site->Basic Settings->Application Pool
select ASP.NET v4.0 or the appropriate app pool using the appropriate Framework version
If you're trying to import this application into an existing site, ensure that its application pool is the same version. I was attempting the same, but didn't realize my 'new' website was running on an app pool that was v2.
Be sure that your Application Pools by default are configured also for v4.0 by default.
ASP.NET 4 is installed when you install Visual Studio. However, the installation process does not automatically register ASP.NET 4 with IIS, and existing IIS Web sites are not automatically assigned to.NET 4 application pools.
To fix this, register ASP.NET with IIS and set the application pool of the destination IIS Web site to the .NET Framework version that is required by the package.
To do this, open Command Prompt as administrator and go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and type: aspnet_regiis -i
According to Web Deployment FAQ for Visual Studio and ASP.NET
I was trying to use Continuos Deployment in VSTS/TFS, in my Release Definition (which was default), I had a IIS Web App Manage Task (named Manage IISWebApplication), where it had Parent website name setting with the correct website name, and the Virtual Path setting was right as well.
I just had to fix the web site name in the Deployment Process section, where it has the Environment Name and Website name as well.
Silly, but it got me 2 days to notice the web site name was in two places in the Release Definition.
I am learning ASP.NET MVC 3 from many sources on the internet. I am worrying whether my settings based on the mixed information contains unnecessary things leading to security risks.
In this topic, I need your suggestion or comment pertaining to my settings explained below. I will assign a number to each step to make it easier to be referenced in your comment or suggestion.
STEP 1: Enabling IIS
STEP 2: Installing .NET 4
No image :-)
STEP 3: Installing SQL-Server 2008R2
No image :-)
STEP 4: Installing Visual Studio 2010
No image :-)
STEP 5: Make a project, e.g., NerdDinner
I put my project file (including NerdDinner.mdb) under C:\
NerdDinner.mdb is already populated with dummy data.
STEP 6: Configuring Global Application Pool
STEP 7: Make Virtual Directory using Visual Studio 2010
Shown in IIS Manager, NerdDinner is an application under the default web site.
STEP 8: Configuring Application Pool for NerdDinner web app
STEP 9: Attaching and Configuring NerdDinner.mdb using Sql-Server Management Studio
STEP 10: Configuring Connection String
<add name="NerdDinnerEntities"
connectionString="metadata=res://*/Models.NerdDinner.csdl|res://*/Models.NerdDinner.ssdl|res://*/Models.NerdDinner.msl;provider=System.Data.SqlClient;provider connection string="
Data Source=.\sqlexpress;
Initial Catalog=NerdDinner;
Integrated Security=True;
MultipleActiveResultSets=True
""
providerName="System.Data.EntityClient" />
Testing
Everything works well, but I am not sure whether or not these steps contains security issues.
This is more of a production environment tip, but you should practice it on your development machine as well.
IIS7.x by default will create a separate application pool for your website named after the name you give the website.
Instead of running the application pool and the site/application under NETWORK SERVICE, run both the site and the pool as ApplicationPoolIdentity.
In the website or application features pane open the Authentication feature select Anonymous Authentication and do right-click Edit:
Next, ensure your website is running in its own application pool. Sub applications may benefit from their own application pool, but we tend to put them in the same pool as the parent site unless there is a need for a different runtime configuration such as a different version of ASP.NET or Pipeline mode.
When you have configured this grant the requisite permissions to the pool identity on your web folders by doing:
ICACLS c:\dynamic\NerdDinner\NerdDinner /grant "IIS AppPool\site1":(CI)(OI)(M)
Or you can apply these permissions via explorer:
Click Check Names then OK:
In SQL Server the same thing applies, instead of giving permissions on your database to NETWORK SERVICE, give permissions to the ApplicationPoolIdentity instead. As with NETWORK SERVICE this will only work if the SQL database is on the same machine as the web server if you're running a standalone server.
For example:
In the dialogue shown above, don't search and Check Names because this will replace the IIS AppPool\ portion of the username with your machine name. When you click OK SQL will complain that it can't locate [MACHINENAME]\NerdDinner.
Next set the add as a login to the NerdDinner database:
I'm setting as DB Owner here but you can choose the role you see fit for your needs. If this is your development machine then DBO will be fine because you can then do DDL from within Visual Studio. Most shared host production environments will make the first login (which is usually all you get) DBO anyway because many apps such as DotNetNuke etc need full control over their databases.
The connection string you've provided in your example should work as-is without any changes.
For more information on this topic:
Application Pool Identities (IIS.NET)
New in IIS 7 - App Pool Isolation (Ken Schaefer)
I can't see anything obviously wrong here - the only things I would perhaps query are:
Do you really need IIS 6 Metabase
configuration compatibility here, if,
as it looks like, you're building a
server from scratch?
Rather than your
database user the having db_owner
role, could you get away with just
having db_datareader/db_datawriter? (I don't know the NerdDinner database so it could be totally correct, it's just an observation)