Appcmd will turn off SSL in IIS 7.0 following this command line from microsoft:
appcmd set config " Default Web Site "/section: access /sslFlags:None /commit:APPHOST
I am replacing "Default Web Site" with our own. The command returns with a statement that it succeeded. However, when looking at the SSL setting in IIS Mgr, it is still enabled, and the web page is also complaining of the security issue. I can turn it off via IIS Mgr, but for our needs, it needs to be done at the command line.
There doesn't seem to be any other security issue regarding changing the setting that I have found. I have tried stopping the site, then applying the appcmd above, starting the site, and same issue.
Any suggestions?
Windows Server 2007
The command you have above (minus it's spacing problems) works perfectly well for me. i've just tried it on W7 and IIS7.5
appcmd set config "Default Web Site" /section:access /sslFlags:None /commit:APPHOST
Are you running the command prompt as administrator?
To be clear, that will not turn off SSL, that will just tell IIS that it is ok to allow customers not to use SSL, but the SSL endpoint could very well be there.
If your goal is to remove SSL altogether then you need to also remove the binding from the site that points to 443 something like:
appcmd.exe set config sites /-"[name='YourSite'].bindings.[protocol='https',bindingInformation='*:443:']" /commit:apphost
Also, be aware that this will still leave the SSL binding in http.sys so you will need to do also a "netsh http del sslcert 'endpoint in here' "
Related
hope someone can provide me some insight on this iss problem!
Th situation is this, i understand that upgrading to IIS7 is absolutely necessary for security but will do so in the future but now, i'm using IIS6 and would like to force IIS6 to display qualified hostname of the IP address.
So far my other websites had gone through and been changed to display the qualified hostname but my dotnetnuke server (version 4.08.04), i am unable to locate the file(dnn or iis6) to change this.
I've used this procedure below for changing
IIS < 7
Force IIS to Display Hostname
It is possible to force IIS to display the hostname of the server instead of the IP address via the following:
Open a command window
Select "Start"
Select "Run"
Type in "cmd" and press enter or select the "OK" button
Browse to the "C:\inetpub\adminscripts" directory (or wherever this directory is located on your server)
Run the following commands:
adsutil set w3svc/UseHostName True
net stop iisadmin /y
net start w3svc
The IIS web service will now return the qualified hostname instead of the IP address.
You can do this with a setting in DNN using the Ifinity Friendly URL provider http://www.ifinity.com.au/Products/Friendly_Url_Provider_For_DNN
Because you are on such an old version of DNN thought you might have to go back to a fairly old version of that provider to make it work. DNN 4.8.4 has quite a few security bugs, so upgrading to a later version of DNN (even on IIS 6) would be ideal.
I believe you could upgrade to DNN 6.2.8 (or whatever the last 6.* release was) without having to upgrade IIS, though you would need .NET 4.0 for any version of DNN after 5.1
I have a site running in IIS 7.5 that is accessed using a DNS alias different from the actual server name. In IE 8, integrated authentication is failing, but in Firefox and Chrome everything works fine. (IE presents a credential challenge a few times, then displays a 401.1 error page.)
I have figured out that this is due to IE using Kerberos (aka "Negotiate") over NTLM, and Kerberos requires registering a Service Principal Name (using SETSPN) so that the mismatch between the DNS name and the server name is properly handled.
My web site, however, doesn't need impersonation--it is enough to have delegation. So instead of messing with SetSPN, I would just like to remove "Negotiate" from the list of WindowsAuthentication methods in IIS.
I have searched for quite some time to find out how to do this in IIS. I have played with many appcmd commands--but I just can't find online examples, or figure out how by reading MSDN documentation or using appcmd /? to make appcmd commands apply only to a particular application within a site rather than to the entire web server. A few search-hours later over two days, and at least 3 dozen web pages visited, I am still coming up fruitless.
How in tarnation do I get this done--it seems like it should be so easy!
Open the Configuration Editor in IIS. It comes with IIS 7.5, or you can download the IIS administration pack for IIS 7.0. Navigate to the scope you want to affect (server, site, or application) and then open the icon:
.
Change the Section to system.webServer/security/authentication/windowsAuthentication:
Click on the providers item, and then click Edit Items on the right. Select the "Negotiate" item and click "Remove":
Close the dialog and click Apply in the Actions pane on the right.
Your problem is solved! No more Kerberos/negotiate!
Note: you can also click Generate Script in the actions pane to display the code that will make the change in either C#, javascript, or with appcmd from the command line.
For reference, here is the appcmd statement to do the job without using the Configuration Editor.
appcmd.exe set config "Virtual/path/to/application" -section:system.webServer/security/authentication/windowsAuthentication /-"providers.[value='Negotiate']" /commit:apphost
I have a set of applications running in my IIS Server 7.0. I need to "Expire Web Content" of one of those applications through command line. Running appcmd.exe works, but it changes this configuration for all the applications in IIS. Is there a way to do this for a single application?
This is the command which I ran.
appcmd.exe set config /section:staticContent /clientCache.cacheControlMode:DisableCache
Thanks.
Use the following command, just replace "SITENAME" with your site id.
appcmd.exe set config "SITENAME" /section:staticContent /clientCache.cacheControlMode:DisableCache
I added the following entries in the HOSTS file.
127.0.0.1 abc.localhost.com
127.0.0.1 xyz.localhost.com
Using the VS2010 ASP.NET Development server I am unable to run or execute the website.
When browsing http://localhost:2687/TestProject/ it shows up the default.aspx page. But when accessing http://abc.localhost:2687/TestProject/ it shows a website cannot be found page.
Is there anything else to be done when setting up subdomain on localhost.
EDIT: To make this work I removed the .com and in IE-->Connections-->LAN uncheck everything. Subdomains with port works are correctly getting forwarded. Nothing else need to be configured.
Obvious mistake is that in your hosts file you have abc.localhost.com, whereas you are browsing to http://abc.localhost/folder
Not the same thing.
Not sure this will work as you intend anyhow. I would also recommend IIS Express, part of WebMatrix, which I think is still in beta, or just use IIS. IIS 7+ on Vista, W7, Server 2008 is all really easy to use.
Use IIS or IIS express, rather than Cassini. (For several reasons, which you can google or look for on stackoverflow)
With the IIS you can easily add a hostheader entry to you webapplication with just 2 clicks.
Be aware, that you are assigning both a Url and a port.
So adding abc.localhost won't allow you to browse abc.localhost2687, just the default port (80). If you also want to browse to abc.localhost:2687 you need to a a hostheader entry according to that that Url and port.
This screenshot shows you the dialog to add hostheaders (the picture is from IIS 6, but in IIS 7 or IIS 7.5 it looks very similar)
Deployed an ASP.NET application to our internal production server as a virtual directory under the default web site. I had been getting 403 errors when trying to connect to it. So I verified the folder permissions and when I went to look at the IIS (7) SSL settings I saw that "Require SSL", "Require 128-bit SSL" and require client certificates have been enabled. This application does not need SSL.
The problem is that these checkboxes and radio buttons have been greyed out and I can't seem to figure out how to disable them. Also, in the upper right hand corner of the IIS manager, I see in the alerts box "The site does not have a secure binding (HTTPS) and cannot accept SSL connections.
How do I disable the SSL settings?
For anyone else having this issue, here is what I found that cleared the SSL configuration:
appcmd set config "Default Web Site" /section:access /sslFlags:None /commit:APPHOST
That was a bug in IIS Manager, the workaround is to temporarily add a binding using SSL so that the checkboxes become enabled, then uncheck them, and remove the ssl binding.
ALternatively using AppCmd, or Configuration Editor (in IIS Manager) you should be able to achieve that as well.
Just open IIS Manager, navigate to the site using the Tree view, and double click Configuration Editor, then select system.webServer/security/access in the section list. Change that value to None.
If your application has no relationship to your Default Site in IIS, you should really create your own Web Site in IIS so that you are completely isolated from the settings you would inherit from running in a virtual directory.
In the Bindings for your new site, distinguish your site from the Default Site by using a different port or alternately use a different domain name, such as a sub-domain of the domain used by the Default site (requires your internal DNS to be updated to support this new domain).