Setup FTP 7.5 on Windows Server 2008 and publish through Forefront TMG 2010

Introduction

Microsoft has created a new FTP service that has been completely rewritten for Windows Server® 2008. This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options.

• Integration with IIS 7: IIS 7 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6.0 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.
• Support for new Internet standards: One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.
• Shared hosting improvements: By fully integrating into IIS 7, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.
• Custom authentication providers: The new FTP server supports authentication using non-Windows accounts for IIS Managers and .NET Membership.
• Improved logging support: FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, additional detail fields in FTP logs, and much more.
• New supportability features: IIS 7 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.
• Extensible feature set: FTP supports extensibility that allows you to extend the built-in functionality that ships with the FTP service. More specifically, there is support for creating your own authentication and authorization providers. You can also create providers for custom FTP logging and for determining the home directory information for your FTP users.

Additional information about new features in FTP 7.5 is available in the “What’s New for Microsoft and FTP 7.5?” topic on Microsoft’s http://www.iis.net/ web site.

This document will walk you through installing the new FTP service and troubleshooting installation issues.

Installing FTP for IIS 7.5

IIS 7.5 for Windows Server 2008 R2

1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.

Installing FTP for IIS 7.0

Prerequisites

The following items are required to complete the procedures in this section:

1. You must be using Windows Server 2008.
2. Internet Information Services 7.0 must be installed.
3. If you are going to manage the new FTP server by using the IIS 7.0 user interface, the administration tool will need to be installed.
4. You must install the new FTP server as an administrator. (See the Downloading and Installing section for more.)
5. IIS 7.0 supports a shared configuration environment, which must be disabled on each server in a web farm before installing the new FTP server for each node. Note: Shared configuration can be re-enabled after the FTP server had been installed.
6. The FTP server that is shipped on the Windows Server 2008 DVD must be uninstalled before installing the new FTP server.

Downloading the right version for your server

There are two separate downloadable packages for the new FTP server; you will need to download the appropriate package for your version of Windows Server 2008:

• 32-bit Installation Package:
  • FTP 7.5 for IIS 7.0 (x86)
• 64-bit Installation Package:
  • FTP 7.5 for IIS 7.0 (x64)

Launching the installation package

You will need to run the installation package as an administrator. This can be accomplished by one of the following methods:

1. Logging in to your server using the actual account named “Administrator”, then browsing to the download pages listed above or double-clicking the download package if you have saved it to your server.
2. Logging on using an account with administrator privileges and opening a command-prompt by right-clicking the Command Prompt menu item that is located in the Accessories menu for Windows programs and selecting “Run as administrator”, then typing the appropriate command listed below for your version of Windows to run the installation:
   • 32-bit Windows Versions:
     • msiexec /i FTP 7_x86_75.msi
   • 64-bit Windows Versions:
     • msiexec /i FTP 7_x64_75.msi

Note: One of the above steps is required because the User Account Control (UAC) security component in the Windows Vista and Windows Server 2008 operating systems prevents access to your applicationHost.config file. For more information about UAC, please see the following documentation:

• http://go.microsoft.com/fwlink/?LinkId=113664

The following steps walk you through all of the required settings to add FTP publishing for the Default Web Site.

Walking through the installation process

1. When the installation package opens, you should see the following screen. Click Next to continue.
   
2. On the next screen, click the I accept check box if you agree to the license terms, and then click Next.
   
3. The following screen lists the installation options. Choose which options you want installed from the list, and then click Next.
   • Common files: this option includes the schema file. When installing in a shared server environment, each server in the web farm will need to have this option installed.
   • FTP Publishing Service: this option includes the core components of the FTP service. This option is required for the FTP service to be installed on the server.
   • Managed Code Support: this is an optional component, but features that use managed extensibility require this option before using them, such as ASP.NET and IIS manager authentication. Note: This feature cannot be installed on Windows Server 2008 Core.
   • Administration Features: this option installs the FTP 7 management user interface. This requires the IIS 7.0 manager and .NET framework 2.0 to be installed. Note: This feature cannot be installed on Windows Server 2008 Core.
     
4. On the following screen, click Install to begin installing the options that you chose on the previous screen.
   
5. When installation has completed, click Read notes to view the FTP README file, or click Finish to close the installation dialog.
   

Note: If an error occurs during installation, you will see an error dialog. Refer to the Troubleshooting Installation Issues section of this document for more information.

Troubleshooting Installation Issues

When the installation of FTP 7 fails for some reason, you should see a dialog with a button called “Installation log”. Clicking the “Installation log” button will open the MSI installation log that was created during the installation. You can also manually enable installation logging by running the appropriate command listed below for your version of Windows. This will create a log file that will contain information about the installation process:

• 32-bit Windows Versions:
  • msiexec /L FTP 7.log /I FTP 7_x86_75.msi
• 64-bit Windows Versions:
  • msiexec /L FTP 7.log /I FTP 7_x64_75.msi

You can analyze this log file after a failed installation to help determine the cause of the failure.

Clicking the “Online information” button on the error dialog will launch the “Installing and Troubleshooting FTP 7.5” document in your web browser.

Note: If you attempt to install the downloaded package on an unsupported platform, the following dialog will be displayed:

Known Issues in This Release

The following issues are known to exist in this release:

1. While Web-based features can be delegated to remote managers and added to web.config files using the new IIS 7 configuration infrastructure, FTP features cannot be delegated or stored in web.config files.
2. The icon of a combined Web/FTP site may be marked with a question mark even though the site is currently started with no error. This occurs when a site has a mixture of HTTP/FTP bindings.
3. After adding an FTP publishing to a Web site, clicking the site’s node in the tree view of the IIS 7 management tool may not display the FTP icons. To work around this issue, use one of the following:
   • Hit F5 to refresh the IIS 7 management tool.
   • Click on the Sites node, then double-click on the site name.
   • Close and re-open the IIS 7 management tool.
4. When you add a custom provider in the site defaults, it shows up under each site. However, if you attempt to remove or modify the settings for a custom provider at the site-level, IIS creates an empty <providers /> section for the site, but the resulting configuration for each site does not change. For example, if the custom provider is enabled in the site defaults, you cannot disable it at the site-level. To work around this problem, open your applicationHost.config file as an administrator and add a <clear/> element to the list of custom authentication providers, the manually add the custom provider to your settings. For example, in order to add the IIS Manager custom authentication provider, you would add settings like the following example:
   <ftpServer>
   <security>
   <authentication>
   <customAuthentication>
   <providers>
   <clear />
   <add name=”IisManagerAuth” enabled=”true” />
   </providers>
   </customAuthentication>
   </authentication>
   </security>
   </ftpServer>
5. The following issues are specific to the IIS 7.0 release:
   • The FTP service that is shipped on the Windows Server 2008 DVD should not be installed after the new FTP service has been installed. The old FTP service does not detect that the new FTP service has been installed, and running both FTP services at the same may cause port conflicts.
   • IIS 7 can be uninstalled after the new FTP service has been installed, and this will cause the new FTP service to fail. If IIS is reinstalled, new copies of the IIS configuration files will be created and the new FTP service will continue to fail because the configuration information for the new FTP service is no longer in the IIS configuration files. To fix this problem, re-run the setup for the new FTP service and choose “Repair”.

To Add FTP Site from the IIS management Console

Creating a New FTP Site Using IIS 7 Manager

The new FTP service makes it easy to create new FTP sites by providing you with a wizard that walks you through all of the required steps to create a new FTP site from scratch.

Step 1: Use the FTP Site Wizard to Create an FTP Site

In this first step you will create a new FTP site that anonymous users can open.

Note: The settings listed in this walkthrough specify “%SYSTEMDRIVE%inetpubftproot” as the path to your FTP site. You are not required to use this path; however, if you change the location for your site you will have to change the site-related paths that are used throughout this walkthrough.

1. Open IIS 7 Manager. In the Connections pane, click the Sites node in the tree.
2. As shown in the image below, right-click the Sites node in the tree and click Add FTP Site, or click Add FTP Site in the Actions pane.
   • Create a folder at “%SystemDrive%inetpubftproot”
   • Set the permissions to allow anonymous access:
     1. Open a command prompt.
     2. Type the following command:
        ICACLS "%SystemDrive%inetpubftproot" /Grant IUSR:R /T
     3. Close the command prompt.

   

3. When the Add FTP Site wizard appears:
   • Enter “My New FTP Site” in the FTP site name box, then navigate to the %SystemDrive%inetpubftproot folder that you created in the Prerequisites section. Note that if you choose to type in the path to your content folder, you can use environment variables in your paths.
   • When you have completed these items, click Next.

   

4. On the next page of the wizard:
   • Choose an IP address for your FTP site from the IP Address drop-down, or choose to accept the default selection of “All Unassigned.” Because you will be using the administrator account later in this walk-through, you must ensure that you restrict access to the server and enter the local loopback IP address for your computer by typing “127.0.0.1” in the IP Address box. (Note: If you are using IPv6, you should also add the IPv6 localhost binding of “::1”.)
   • Enter the TCP/IP port for the FTP site in the Port box. For this walk-through, choose to accept the default port of 21.
   • For this walk- through, do not use a host name, so make sure that the Virtual Host box is blank.
   • Make sure that the Certificates drop-down is set to “Not Selected” and that the Allow SSL option is selected.
   • When you have completed these items, click Next.

   

5. On the next page of the wizard:
   • Select Anonymous for the Authentication settings.
   • For the Authorization settings, choose “Anonymous users” from the Allow access to drop-down, and select Read for the Permissions option.
   • When you have completed these items, click Finish.

   

Summary

You have successfully created a new FTP site using the new FTP service. To recap the items that you completed in this step:

1. You created a new FTP site named “My New FTP Site”, with the site’s content root at “%SystemDrive%inetpubftproot”.
2. You bound the FTP site to the local loopback address for your computer on port 21, and you chose not to use Secure Sockets Layer (SSL) for the FTP site.
3. You created a default rule for the FTP site to allow anonymous users “Read” access to the files.

Step 2: Adding Additional FTP Security Settings

Creating a new FTP site that anonymous users can browse is useful for public download sites, but web authoring is equally important. In this step, you add additional authentication and authorization settings for the administrator account. To do so, follow these steps:

1. In IIS 7 Manager, click the node for the FTP site that you created earlier, then double-click FTP Authentication to open the FTP authentication feature page.
   
2. When the FTP Authentication page displays, highlight Basic Authentication and then click Enable in the Actions pane.
   
3. In IIS 7 Manager, click the node for the FTP site to re-display the icons for all of the FTP features.
4. You must add an authorization rule so that the administrator can log in. To do so, double-click the FTP Authorization Rules icon to open the FTP authorization rules feature page.
   
5. When the FTP Authorization Rules page is displayed, click Add Allow Rule in the Actions pane.
   
6. When the Add Allow Authorization Rule dialog box displays:
   • Select Specified users, then type “administrator” in the box.
   • For Permissions, select both Read and Write.
   • When you have completed these items, click OK.
     

Summary

To recap the items that you completed in this step:

1. You added Basic authentication to the FTP site.
2. You added an authorization rule that allows the administrator account both “Read” and “Write” permissions for the FTP site.

Step 3: Logging in to Your FTP Site

In Step 1, you created an FTP site that anonymous users can access, and in Step 2 you added additional security settings that allow an administrator to log in. In this step, you log in anonymously using your administrator account.

Note: In this step log in to your FTP site using the local administrator account. When creating the FTP site in Step 1 you bound the FTP site to the local loopback IP address. If you did not use the local loopback address, use SSL to protect your account settings. If you prefer to use a separate user account instead of the administrator account, set the correct permissions for that user account for the appropriate folders.

Logging in to your FTP site anonymously

1. On your FTP server, open a command prompt session.
2. Type the following command to connect to your FTP server:FTP localhost
3. When prompted for a user name, enter “anonymous”.
4. When prompted for a password, enter your email address.

You should now be logged in to your FTP site anonymously. Based on the authorization rule that you added in Step 1, you should only have Read access to the content folder.

Logging in to your FTP site using your administrator account

1. On your FTP server, open a command prompt session.
2. Type the following command to connect to your FTP server:FTP localhost
3. When prompted for a user name, enter “administrator”.
4. When prompted for a password, enter your administrator password.

You should now be logged in to your FTP site as the local administrator. Based on the authorization rule that you added in Step 2 you should have both Read and Write access to the content folder.

Summary

To recap the items that you completed in this step:

1. You logged in to your FTP site anonymously.
2. You logged in to your FTP site as the local administrator.

Publish FTP site from Forefront TMG 2010

Let’s begin

Note:
Keep in mind that the information in this article is based on a release candidate version of Microsoft Forefront TMG and is subject to change.

A few months ago, Microsoft released RC 1 (Release Candidate) of Microsoft Forefront TMG (Threat Management Gateway), which has a lot of new exciting features.

One of the new features of Forefront TMG is its ability to allow FTP server traffic through the Firewall in both directions. It does this in the form of Firewall access rules for outbound FTP access and with server publishing rules for inbound FTP access through a published FTP Server. This server is located in your internal network or a perimeter network, also known as a DMZ (if you are not using public IP addresses for the FTP Server in the DMZ).

First, I will show you the steps you will need to follow in order to create a Firewall rule which will allow FTP access for outgoing connections through TMG.

FTP access rule

Create a new access rule which allows the FTP protocol for your clients. If you want to allow FTP access for your clients, the clients must be Secure NAT or TMG clients, also known as the Firewall client in previous versions of Forefront TMG.

Please note:
If you are using the Web proxy client, you should note that through this type of client only FTP read-only access is possible and you cannot use a classic FTP client for FTP access, only a web browser FTP access is possible with some limitations.

The following picture shows a FTP access rule.

Figure 1: FTP access rule

A well-known pitfall beginning with ISA Server 2004 is, that by default, after the FTP access rule has been created, the rule only allows FTP read-only access for security purposes in order to prevent users from uploading confidential data outside the organization without permission. If you want to enable FTP uploads you have to right click on the FTP access rule, and then click Configure FTP.

Figure 2: Configure FTP

All you have to do is remove the read only flag, wait for the new FTP connection to be established, and the users get all the necessary permissions to carry out FTP uploads.

Figure 3: Allow write access through TMG

FTP Server publishing

If you want to allow incoming FTP connections to your internal FTP servers, or to FTP servers located in the DMZ, you have to create server publishing rules if the network relationship between the external and the internal/DMZ network is NAT. If you are using a route network relationship, it is possible to use Firewall rules to allow FTP access.

To gain access to an FTP server in your internal network, create an FTP server publishing rule.

Simply start the new Server Publishing Rule Wizard and follow the instructions.

As the protocol you have to select the FTP Server protocol definition which allows inbound FTP access.

Figure 4: Publish the FTP-Server protocol

The standard FTP Server protocol definiton uses the associated standard protocol which can be used for inspection by NIS, if a NIS signature is available.

Figure 5: FTP-Server protocol properties

The Standard FTP Server protocol definition allows FTP Port 21 TCP for inbound access and the protocol definition is bound to the FTP access filter which is responsible for the FTP protocol port handling (FTP Data and FTP control port).

Figure 6: FTP ports and FTP Access Filter binding

Active FTP

One of the changes in Microsoft Forefront TMG is that the Firewall does not allow Active FTP connections by default anymore, for security reasons. You have to manually allow the use of Active FTP connections. It is possible to enable this feature in the properties of the FTP access filter. Navigate to the system node in the TMG management console, select the Applicaton Filters tab, select the FTP Access filter and in the task pane click Configure Selected Filter (Figure 7).

Figure 7: FTP Access filter properties

In the FTP access filter properties select the FTP Properties tab and enable the checkbox Allow Active FTP Access and save the configuration to the TMG storage.

Figure 8: Allow Active FTP through TMG

FTP alerts

Forefront TMG comes with a lot of predefined alert settings for several components and events. One of them is the alert function for the FTP Filter Initialization Warning. This alert informs Administrator when the FTP filter failed to parse the allowed FTP commands.

Figure 9: Configure FTP alert options

The alert actions are almost the same as in ISA Server 2006, so there are no new things to explain for experienced ISA Administrators.

Conclusion

In this article, I showed you some ways to allow FTP access through the TMG Server. There are some pitfalls for a successful FTP implementation. One of the pitfalls is that since the introduction of ISA Server 2004, allowing FTP write access through the Firewall and the other pitfall is new to Forefront TMG. Forefront TMG does not allow Active Mode FTP connections by default, so you have to manually activate this feature if you really need this type of special configuration.

SharePoint Performance Tuning

I was recently looking for the SharePoint 2010 performance articles on Microsoft pages and established blogs, and found that most of them weren’t covering all the details. Some of them simply described MS SQL-based tips, , some were straight system related, and it was extremely hard to find useful SharePoint-based performance tips. I’ve decided to try to fix this hole and provide you all the SharePoint performance steps and details I know in one place .

SharePoint Hardware Planning

Before you even start thinking about improving your performance, keep in mind that even best tips won’t help you if your hardware is simply too weak to handle SharePoint environment.

This article is not intended to explain how to plan your hardware environment, but the only detail that is worth mentioning is that you should know the future details of your SharePoint farm BEFORE you buy the hardware, such as:

• Total number of SharePoint farm users
• Simultaneous number of SharePoint farm users
• Services that would be provided (Search, FAST Search Server, Office Web Access, Visio Services etc. may decrease performance so you probably need to provide dedicated hardware for this)
• Amount of data that will be stored and processed by the SharePoint farm on a  daily/weekly/monthly basis.

Knowing the above, you can probably design your infrastructure successfully and be happy with the performance of your SharePoint farm after the deployment.

Note: a useful tool to plan your infrastructure (if you know the above details) is HP Sizer for Microsoft SharePoint, which can be accessed athttp://h20338.www2.hp.com/activeanswers/Secure/548230-0-0-0-121.html .

SharePoint Front End Caching

With the SharePoint Server 2010ships with strong caching capabilities, like BLOB (BinaryLarge OBject) cache, profiled cache and object cache. We’ll start with the BLOB.

BLOB cache is disk-based caching that highly increases browser performance and reduces database loads, since the SharePoint reads cached content from BLOB files, instead of databases.  When you open a web page for first time, the files will be copied from the database to the cache on the hard drive on SharePoint server and then all subsequent  requests to this site will be accessed from the local hard drive cache instead of issuing a resource intensive request to the SQL Server database.

To enable the BLOB cache for a Web Application of your choice, you need to edit web.config file. Access your IIS Manager on the Front-End Server where your web application is, and use Explore option to find where it is located on the hard drive (usually C:inetpubwwwrootwss…).

IIS Manager Explore option for application SharePoint – 80

Next, open the web.config file with your favorite text editor (notepad will be sufficient for this).

Web.config file in the application root directory

Now, find the line starting with:

<BlobCache location=

and set the properties correctly. We need to set the cache directory and change the “enable” attribute to “true”. It is strongly recommended to store the cache on a dedicated partition, which isn’t a part of the operating system (C: partition is not recommended). This is why I’ve stored my cache on D: partition.

<BlobCache location="D:BlobCache14" path=".(gif|jpg|jpeg|jpe|jfif|bmp|dib|tif|tiff|ico|png|wdp|hdp|css|js|asf|avi|flv|m4v|
mov|mp3|mp4|mpeg|mpg|rm|rmvb|wma|wmv)$" maxSize="10" enabled="true" />

In the path attribute, you can add or remove file extensions that will be cached. The maxSizeis used for changing the maximum size of the cache on your hard drive in gigabytes (GB), the default maximum size is 10GB.

To configure cache profiles, we will also use web.config file. This will allow us to override the user interface cache profile settings, so we have full control over the process. To use the cache profiles, site collections must have the publishing feature enabled first.

To enable cache profiles, find the line in web.config:

<OutputCacheProfiles

and set the attributes of this tag appropriately:

useCacheProfileOverrides=”false” : change this to “true” to enable overriding the cache profile settings.

Next three attributes (varyByHeader, varyByParam and varyByCustom) define custom parameters in the .NET Framework Class library – we don’t need to change these so the default settings are fine. The varyByRights attribute removes the requirement for identical effective permissions on all securable objects within the cached pages of any other users. Change this value to “false”.

The cacheForEditRights attribute bypasses the default behavior of the page caching per user. Change this attribute to “true”.

The final result of the modified output cache profiles line in web.config should be similar to this:

<OutputCacheProfiles useCacheProfileOverrides="true" varyByHeader="" varyByParam="*"
 varyByCustom="" varyByRights="false" cacheForEditRights="true" />

Next we need to configure the  Object Cache. Object cache settings can be altered at the site collection level using the user interface and this cache is enabled by default. The maximum size of this cache can be configured on the web application level on the Web-Front-End servers (as with  the cache profiles). To use the object cache, the site collections must have publishing feature enabled.

To change Object cache settings, open the  web.config file of our application find the line:

<ObjectCache maxSize

The default value for the maxSize attribute is 100, which means 100 megabytes (MB) will be used for entire web application for object caching. You should modify this value to  use most of your physical memory on the front-end server. If you see that a server consistently has more than 30% available memory, you can improve the site performance by increasing the maxSize attribute.

That’s all about the SharePoint caching options, which are mostly configured in the web.config file. Now, when we have BLOB cache enabled, cache profiles and object cache tweaked to fully use our hardware we can move on to tweaking the performance SharePoint authentication which will be the focus of part 2 of the SharePoint performance series.

Enabling Kerberos Authentication

If your sites are serving numerous requests at a time, and you are experiencing a slow page load, you should consider switching the site-level authentication from NTLM to Kerberos. Whilst NTLM is good for small or medium sized sites, Kerberos is useful when your environment requires high workload and needs to process a large number of requests. Using NTLM, authentication requests aren’t cached and they need to go to the domain controller every time a request is made to an object which is a performance drag. With Kerberos authentication,  requests can be cached, so the process won’t have to communicate with the domain controller to retrieve the object from the site this can dramatically improve SharePoint performance.

To enable Kerberos authentication for your web application, we’ll have to specify the application pool identity and then create a new SPN using the setspn.exe tool.

Go to the IIS Manager on the web server server, and select the website where you want to enable Kerberos authentication (1), using the left pane. Then go into the Authentication Icon, select Windows Authentication (2) (which should be enabled) and click on Advanced Settings (3). You need to make sure that the “Enable Kernel-mode authentication” option is checked (4), checking this option will perform an IIS Reset before resuming.

Enabling Kernel Mode Authentication in IIS Manager

Next, we need to run appcmd and set the useAppPoolCredentials attribute to true for our web application (SharePoint – 80). You need to run cmd console in administrator mode if your server has User Account Control enabled. The appcmd tool can be accessed fromC:WindowsSystem32inetsrv folder.

Now, execute a command:

Appcmd set config “SharePoint – 80” /section:windowsauthentication /useAppPoolCredentials:true /commit:MACHINE/WEBROOT/APPHOST

CMD console with appcmd command

Now we need to check if the application host configuration is properly configured in order to continue with Kerberos authentication setup. OpenC:WindowsSystem32inetsrvconfigapplicationHost.config and check if our application (SharePoint – 80) has the proper attributes set in the system.webServer section.

My entire SharePoint – 80 entry in the applicationHost.config file is below:

<location path="SharePoint - 80">

<system.webServer>

<handlers accessPolicy="Read, Execute, Script" />

<security>

<authentication>

<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">

<providers>

<clear />

<add value="NTLM" />

</providers>

<extendedProtection tokenChecking="None" />

</windowsAuthentication>

<anonymousAuthentication enabled="false" />

<digestAuthentication enabled="false" />

<basicAuthentication enabled="false" />

</authentication>

</security>

<urlCompression doStaticCompression="true" doDynamicCompression="true" />

<httpErrors existingResponse="PassThrough" />

<httpProtocol>

<customHeaders>

<clear />

<add value="ASP.NET" />

<add name="MicrosoftSharePointTeamServices" value="14.0.0.4762" />

</customHeaders>

</httpProtocol>

</system.webServer>

</location>

Please note the attributes   bolded above  are the attributes we’ve just set which are required for Kerberos authentication to work properly.

Now perform IISReset /noforce command to reload the changes on the web server. We have only one step left on the backend configuration of Kerberos – we need to set SPN, which is required to map the service and host name to our custom application pool account.

On the Web-Front End server open command prompt with administrative privileges, and execute the command:

Setspn –A http://SiteURL domainapplication_pool_account

It is very important to type in the valid application URL and the domain account that is the identity of the application pool of the site. If you are unsure what the application pool identity is, go to IIS Manager, select Application Pools section in the left pane, and read the account that is running on your application pool (SharePoint – 80 in this example)

Application Pools view in IIS Manager

As you can see in our example, the SharePoint – 80 application pool is using account chaosspsadmin, so the command in my environment will be like:

Setspn –A http://sps2010 chaosspsadmin

Now, we should enable the trust for delegation for this account. To do this, go to the Domain Controller and launch Active Directory Users and Computers console, then locate the account (in our example it is chaosspsadmin account) and in the properties of the account, select the Delegation tab and then select “Trust this user for delegation to any service (Kerberos Only)” option.

Note, that you won’t see the Delegation tab if you have missed a step or made a mistake during the configuration using setspn command for the application pool identitity.

Now the last Kerberos step – we need to enable Kerberos on the Web Application itself. To do this, launch Central Administration, select Application Management – Manage Web Applications, and mark our web application (SharePoint – 80). You should now see in the ribbon the Authentication Providers icon – click on it.

Central Administration – Authentication Providers icon in the ribbon

Select the correct zone for your web application where we’ll be enabling Kerberos authentication (by default it is Default zone) and in the IIS Authentication settings change the radio button from NTLM to Negotiate (Kerberos).

Authentication for the application changed from NTLM to Kerberos

We’ve spent quite some time configuring Kerberos, but believe me – it is worth the time consumed, especially in larger environments, where you’ll probably need to tweak performance ratings in the first place.

Application Pool Recycling.

There’s not so much to configure, but a lot to explain in this section. It is very important to tweak the application pool recycling to suit your farm infrastructure and server architecture. It is best to recycle the pools at night, when your sites has the lowest user traffic. If you have multiple load balancing servers, it’s strongly recommended to turn of the recycling server from the Load Balancer, or you’ll experience poor performance during the process. Since SharePoint Server 2010, which requires 64-bit environment, you can forget about maximum memory based limits since this is managed by the IIS Server itself.

Application Pool recycling settings

Checked Out Pages

If your sites are using Enterprise Content Management and Check-In/Check-Out functionality, you should never leave sites checked out, because this decreases the page rendering performance visibly to the users. Instead, check them in as quickly as possible to avoid slower performance.

Now we have looked at most of the front-end SharePoint performance settings. In Part 3 we will look at some of the back-end performance tuning.

Related Articles:

Configuring Remote Administration & Delegation in IIS 7

Introduction

IIS 7 (IIS 7.0 on Windows Server® 2008 or IIS 7.5 on Windows Server 2008 R2) provides administrators and developers with a new configuration system that is accessible, extensible and distributable. The new XML-based format allows for easy configuration of the modules and features available in IIS 7. It also enables granular control of the locations at which settings for individual features can be configured (for example, at the server level in the applicationHost.config file, or at a site or an application level in a Web.config file).

The new IIS 7 administration user interface (UI), IIS Manager, fully supports this new configuration system and adds additional features that provide a powerful and granular system for configuring the Web server. Two of these additional features are remote administration of servers, sites and applications, and support for user-based authentication and authorization.

This article explains how to enable remote connections, configure users and permissions, and delegate features to a site or application level. There are many scenarios where an IIS 7 server administrator might want to delegate administrative control of a certain feature or features to someone, or where the administrator might want to prevent others from viewing existing configuration. Take the following scenario, for example.

Edward is a server administrator on a computer that hosts several sites. The computer is part of a domain, and some of the site owners belong to the same domain. However, some of the site owners are outside of the domain, and Edward must create IIS Manager user accounts for them by creating a user name and password for each owner. After he has created the necessary IIS Manager user accounts, Edward sets up IIS Manager permissions for each site to specify which of the users are allowed to connect to a particular site. To do this, Edward opens the IIS Manager Permissions feature in each site and adds Windows users and IIS Manager users. This action does two things. First, it configures IIS 7 to allow a user to connect to the site when the user provides valid credentials. Second, it permits users who successfully connect to configure any delegated features in that site.

Edward also wants to delegate configuration of some features that he trusts to be configured by a site owner in his or her own site. This eliminates the need for a site owner to request that Edward configure features that vary by site, such as default documents. He decides to delegate configuration for the following features in all sites on his server: Default Documents, Directory Browsing, and Error Pages. In addition, Edward decides to delegate configuration of an additional feature, HTTP Redirect, to the site Contoso, because he knows that the site often needs to be redirected and trusts the site owners to configure those settings. He sets all other features to be Read Only so that site owners can see the settings but not configure them in their sites.

Julian and Catherine are site owners for the site Contoso on Edward’s computer. Julian has a Windows user account, and Catherine has an IIS Manager user account for which Edward has provided her credentials. They can both open IIS Manager on their own computers, and connect to Contoso because Edward has permitted their accounts to configure the Contoso site. They each see all of the features that have been delegated to the site level. They can configure Default Documents, Directory Browsing, Error Pages, and HTTP Redirect because Edward delegated configuration of those settings to their site.

Prerequisites

The following items are required to be installed to complete the procedures in this article:

• IIS 7.0 on Windows Server® 2008 or IIS 7.5 on Windows Server 2008 R2
• IIS Manager

Configuring Remote Connections in IIS Manager

In IIS 7, IIS Manager makes it easy to perform remote administration. In addition to managing IIS 7 on the local computer, IIS Manager can manage remote servers, sites, and applications. The server administrator uses remote administration features to add IIS Manager user accounts and to allow those users to connect to any sites or applications for which they have permission.

Configuring remote administration involves enabling remote connections in IIS Manager and configuring the type of credentials required to connect to the server. Optionally, you can change default connection and logging settings, and add connection restrictions based on IP addresses or domain names.

Install the Management Service

The default IIS 7 installation options do not include the Management Service (also referred to as the Web Management Service (WMSVC)), which is required for remote administration. If you have not installed the Management Service, follow the steps in this procedure to install it.

To install the Management Service:

1. Click Start, type Server Manager in the Search box, and press ENTER to open Server Manager.
2. In the tree, under Roles, select Web Server (IIS).
3. Click Add role services, and then select Management Service as shown in the image below.
4. Click Next and follow the instructions to complete the installation.

Enable Remote Connections and Configure Identity Credentials

Enable remote connections so that Windows users and IIS Manager users (configured later in this article) can connect to this computer by using IIS Manager on their computers. By default, the Management Service allows connections only from users that have Windows credentials, but you can configure it to also allow connections from users with IIS Manager credentials. For the purposes of this article, configure the Management Service to allow both credential types as shown in the image below.

Note: The next section in this article explains IIS Manager credentials.

To enable remote connections and allow connections from Windows users and IIS Manager users:

1. In IIS Manager, in the Connections pane, click the server node in the tree.
2. Double-click Management Service to open the Management Service feature page.

4 .Select the Enable remote connections check-box.

5. Under Identity Credentials, select Windows credentials or IIS Manager credentials.

6. In the Actions pane, click Apply to save the changes, and then click Start to start the Management Service.

Additional Information

You do not have to enable remote connections to start the Management Service. If remote connections are disabled and the Management Service is started, you can connect to the Management Service from the local computer but not from a remote computer. If you cannot connect from a remote computer, make sure that remote connections are enabled.

You should check your firewall settings to ensure that connections are allowed to the Management Service. When the Management Service is installed, the setup process adds a firewall rule that allows traffic to the Management Service on port 8172 (the default port) which is on by default. If you ever change the port that the Management Service uses, you must add a new firewall rule to allow traffic to the Management Service on that port.

Configure Connection and Logging Settings for the Management Service

In addition to the Management Service settings that were configured in the above section, you can configure connection settings and specify where to log requests. The following table describes each field and its default setting. If you change any settings, make sure to click Apply in the Actions pane and then restart the Management Service.

Property	Description	Default Setting
IP Address	Specifies the IP address to which the service is bound.	All Unassigned
Port	Specifies the port number that the service uses for requests.	8172
SSL Certificate	Specifies the SSL certificate used by the service. All requests to the service use HTTPS over the port specified in the Port field. This list contains the SSL certificates that are available to the server. If you want to add additional SSL certificates, use the Server Certificates feature at the server level.	Self-signed certificate that is installed during setup
Log requests to	Specifies the path to the log files for the Management Service.	%SystemDrive%InetpublogsWMSVC

Configure IP and Domain Restrictions for the Management Service

By default, the Management Service accepts all requests made to its configured IP address and port, and users are allowed to connect when they are added to IIS Manager (as explained in the next section). However, you can configure the service to deny access for unspecified requests and instead add specific allow rules so that only requests made from a specific IP address or domain are accepted. For more information about allowing or denying requests from IP addresses or domains, see the procedures under Configuring Remote Management on Microsoft TechNet.

Configuring Users and Permissions for IIS Manager

When you configured the Management Service in the above section, you selected the Windows credentials or IIS Manager credentials option. This option enables users with either Windows user accounts or IIS Manager user accounts to connect to a site or application on the remote computer by using IIS Manager. Both types of users must provide valid credentials (a user name and password pair) when they connect remotely. A Windows user must provide valid Windows credentials for a user account on the remote computer or for a user account in the domain if the computer is a member of a domain. An IIS Manager user must provide valid IIS Manager credentials, which are configured in IIS Manager by a server administrator on the remote computer. In both cases, a user is able to use IIS Manager to connect to sites or applications for which the server administrator has given the user permission.

Add an IIS Manager User

The following procedures explain how to open the IIS Manager Users feature and add a user. When the IIS Manager Users feature page opens, the list displays each IIS Manager user name and whether the account is enabled or disabled. Only enabled accounts are allowed to connect to sites or applications for which they have been granted permission.

To add an IIS Manager user:

1. In IIS Manager, in the Connections pane, click the server node in the tree.
2. On the server home page, double-click IIS Manager Users.

3. On the IIS Manager Users page, in the Actions pane, click Add User.

4. In the User name box, type a user name.

5. In the Password box, type a password and then retype the password in the Confirm password box.

6. Click OK.

Configure IIS Manager Permissions for a Site or an Application

In order for a user to remotely connect to a site or application on the server, they must be granted permission to a site or application by the server administrator. After they are granted permission, they can use IIS Manager to connect to the site or application using either their Windows credentials (if they are a Windows user) or their IIS Manager user credentials (if they are an IIS Manager user).

To permit an IIS Manager user to connect to a site or an application:

1. In IIS Manager, in the Connections pane, select the site or application for which you want to configure permissions.
2. On the home page for the site or application, double-click IIS Manager Permissions.

3. On the IIS Manager Permissions page, in the Actions pane, click Allow User.
4. On the Allow User dialog box, select IIS Manager and click Select.

5. On the Users dialog box, select one or more IIS Manager users from the list and then click OK.

6. Click OK to dismiss the Allow User dialog box.

To permit a Windows user to connect to a site or an application:

1. On the IIS Manager Permissions page, in the Actions pane, click Allow User.
2. On the Allow User dialog box, select Windows and then click Select.
3. On the Select User or Group dialog box, type a user name or search for a user account, and then click OK.

4. Click OK to dismiss the Allow User dialog box.

Configure Access Control Lists (ACLs) for Content Directories

In order for IIS Manager to work correctly when a user connects to a site or an application, the ACLs must be configured properly for the physical directory of the site or application. For Windows users, you must configure directory and file ACLs for each Windows user or group that needs to access the directories and files. For IIS Manager users, you must configure directory and file ACLs for the WMSVC user (NT ServiceWMSVC by default).

For the physical directory of a site or an application, configure read, write, and execute permissions for the WMSVC user (if you are permitting IIS Manager users to connect) and for any Windows users who need to connect to that site or application.

If the physical directory of the site or application is on a different machine (i.e. on a UNC share) then you will need to configure WMSVC to run as a user which has read, write, and execute permissions for the content on that UNC share (the default user, NT ServiceWMSVC, cannot access items on a different machine).

Connect to a Site or an Application in IIS Manager

After you have configured the Management Service and configured users and permissions, a user can connect to his or her site or application.

To connect to a site or an application

1. In IIS Manager, click File and then click Connect to a Site (or Connect to an Application).
2. On the Connect to Site or Connect to Application wizard, type the server name and the site name to which you want to connect. If you are connecting to an application, type the application name also. Then click Next.

3. On the Provide Credentials page of the Connect to Site or Connect to Application wizard, select whether you want to use current credentials or to specify the credentials to connect to the site. When you specify credentials, the default is Windows credentials unless you select the Use IIS Manager credentials check-box. After you specify the credentials, click Next to connect to the server.

4. If the connection succeeds, IIS Manager will display a final page on the Connect to Site or Connect to Application wizard to name the connection. As shown in the image below, the TestAdmin user has created a site connection to the Contoso.com site.

Additional Information

In the next section, we look at Feature Delegation. However, before we do that, and to better explain Feature Delegation and what it does, we look at one feature of the site we have just connected to. The site should be highlighted and the site home page should be displayed. On the home page, double-click Error Pages.

As shown in the image below, on the right-hand side of the page there is an alert saying “This feature has been locked and is read only.” This alert is displayed when a feature has been locked; the next section explains Feature Delegation and locking in more detail.

Delegating Features in IIS Manager

The Feature Delegation feature page lets a server administrator configure the delegation state of features that are configurable in Web.config files at the site and application levels in IIS Manager. He or she might want to delegate configuration of certain features, such as Default Documents and Directory Browsing, to an individual site owner so that the owner can configure those delegated features in his or her site.

Or a server administrator might delegate a feature as read only so that a site owner can view the configuration of a feature but cannot change the settings. The server administrator can even prevent features from appearing in IIS Manager at the site and application levels.

There are several different delegation states, each of which determines whether a feature is delegated to lower levels in the configuration system and whether the feature displays in IIS Manager when users are connected at lower levels. The following table describes each delegation state.

Delegation Type	Description
Not Delegated	The configuration is locked and any configuration of the feature in a Web.config file will cause a runtime error. The feature is not visible or configurable in IIS Manager when a user is connected at levels below where this state is set. For example, if a feature is configured to be Not Delegated at a site level, users connected to applications in that site will not see the feature and cannot configure it in IIS Manager.
Read Only	The configuration is locked and any configuration of the feature in a Web.config file will cause a runtime error. The feature is visible in IIS Manager when a user is connected at lower levels, but the configuration is locked so that changes cannot be made.
Read/Write	The feature can be configured in Web.config. The feature appears in IIS Manager and can be configured when a user is connected at lower levels (site or application level).
Configuration Read Only	The meaning is the same as Read Only; however, there are settings or data for the feature that are stored and managed outside of IIS, such as in a database.
Configuration Read/Write	The meaning is the same as Read/Write; however, there are settings or data for the feature that are stored and managed outside of IIS, such as in a database.

Note: Server administrators can modify the configuration for all features, so if they are connected to the server, they will see all features at all levels even if a feature has been configured to not display at lower levels.

Configure Default Delegation States for Features in IIS Manager

When you first open the Feature Delegation feature page, you can configure the default delegation state of features in IIS Manager. These delegation states are the default settings used by IIS Manager for all sites and applications on the server.

To configure default delegation states for features in IIS Manager

1. In IIS Manager, in the Connections pane, click the server node in the tree.
2. On the server home page, double-click Feature Delegation.

3. Select Delegation from the Group by list to organize the list of features by their current delegation states.

4. Select Error Pages in the Feature Delegation list, and then review the available delegation states in the Actions pane. The Error Pages feature is selected and the available options under Set Feature Delegation are Read/Write, Remove Delegation and Reset to Inherited.

5. Select Error Pages. In the Actions pane, click Read/Write to unlock the configuration section that is related to the Error Pages feature. This makes the feature configurable in Web.config files and in IIS Manager at the site and application levels.

Additional Information

The following excerpt from the IIS configuration files shows that the values can be overridden at every location (also referred to as “path”):

<location path="" overrideMode="Allow">

    <system.webServer>

        <httpErrors>

            ...

            ...

        </httpErrors>

    </system.webServer>

</location>

  

To further demonstrate what this action does, look at Error Pages feature at a site level. In the Connections pane, connect to a site and then double-click Error Pages on the site home page. As shown in the image below, the Error Pages feature can now be configured by the user connected to the site level.

Configure Custom Delegation States for Features in a Site or an Application

The steps above configured the default delegation state for the Error Pages feature in all sites on the server. There may also be a time when you do not want the delegation state that you configure to be applicable to all sites. In this case, you can configure a custom delegation state for a specific site. You can also copy custom delegation states of all features from one site to another site.

To configure custom delegation states for features in a specific site

1. In IIS Manager, double-click Feature Delegation.
2. On the Feature Delegation page, in the Actions pane, click Custom Web Site Delegation.
3. From the Sites list, select the site for which you want to configure custom delegation settings.

4. Select a feature, and then click a delegation state in the Actions pane.

To copy custom delegation states from one site to another site

1. On the Custom Web Site Delegation page, in the Sites list, select the site from which you want to copy delegation to another site.
2. Click Copy Delegation.
3. On the Copy Delegation dialog box, select the site or sites to which you want to copy the delegation states and then click OK.

Reset Feature Delegation States

There may be a time in which it is necessary to undo the changes that have been made to the delegation states of features. Perhaps the changes were made to a particular site or application by accident, or some ‘experimentation’ with the feature has gone wrong. In this case, reset the delegation states of all features back to their default states. Or, reset only one feature back to its default state.

To reset feature delegation states

1. Open the Feature Delegation feature page.
2. To reset all feature delegation states, in the Actions pane click Reset All Delegation.

To reset the delegation state of a specific feature, select the feature in the list, and in the Actions pane click Reset to Inherited.