Login/Register
IIS 8.5 Application Initialization and Windows Authentication
Asked Answered
Solved iisiis-8.5
B

1

8

I am trying to use the Application Initialization module on IIS 8.5 to warm up intranet applications. The setup is correct and the warm up works, however once I disable Anonymous Authentication the app is no longer preloaded (memory usage is only 20mb vs around 200mb when initialization hits the site).

As these are intranet applications that require authentication, we have traditionally always enabled only Windows Authentication and kept Anonymous Authentication disabled.

I am looking for a way to keep this setup and also have Application Initialization work. I found on this page that IIS is using the NT AUTHORITY\IUSR for the request.

As I see it, my options are:

  1. Enable anonomous authentication.
  2. Change the account IIS uses to make the request.

Ideally I would like to keep Anonomous Authentication disabled. Does anyone know how I can achieve this?

Bontebok answered 18/11, 2014 at 22:4 Comment(1)
normally when you enable the Anonymous authentication priority goes to that... in your problem cache memory history may be the problem. to solve this try like this... first disable the anonymous authentication and enable the windows authentication then restart the IIS but not from the terminal restart it from the services list. then it should be reinitialized if not restart the machine and check ... ******** NOTE **** i suppose you are using a correct APP Pool......Kit
M
9

In a nutshell, I suggest allowing non-SSL, anonymous access to something like a single Init.aspx page in each of your apps. I added such a page to my app for this purpose with documentation in it to help subsequent admins/developers figure out how to make it work if they ever have to move the code to a new server.

One reference in particular that helped me figure out how to get it working was the reference for the web.config <applicationInitialization> tag.

Here's the Init.aspx page I added to my app in case you want to use a derivative of it:

<%@Page ContentType="text/plain" Language="C#" EnableSessionState="False" EnableViewState="false" AutoEventWireup="false" EnableTheming="false" StylesheetTheme="" Theme="" %>
<%--

The built-in application initialization/preload feature can help in situations where the application takes a while to 
start and/or in situations where some components of the site run as services (e.g. performing scheduled tasks).  This 
feature will make sure that the site is quick when the first user visits the site after a restart and/or will ensure that 
scheduled processes are up and running regardless of when people use the site.

Requirements/procedure for application initialization/preload:
(The procedure is slightly different in versions of IIS before 8.5 because there are no UI options.  Must instead alter
applicationHost.config.  See additional reading for more info.)

1.  Set the app pool for the application to "AlwaysRunning" :
    (IIS Manager > Application Pools > YourAppPoolHere > Advanced Settings... > Start Mode)

2.  Enable Preload: (IIS Manager > Sites> YourSiteOrAppHere > Advanced Settings... > Preload Enabled)

3.  Set initialization properties in the web.config.  e.g.:
      <applicationInitialization doAppInitAfterRestart="true">
        <add initializationPage="/PathToYourApp/Init.aspx" hostName="YourWebsiteNameHere.com" />
      </applicationInitialization>
    See this reference for more info (which can be very important):
    http://www.iis.net/configreference/system.webserver/applicationinitialization

4.  Make the Init.aspx page accessible via HTTP with Anonymous access (which may entail one or more of the following).
      - Set NTFS Permissions on the file to include the IUSR (or Everyone) security principal.
      - Adjust the Authentication, Authorization Rules, IP Address Restrictions, SSL Settings, and any other restrictions 
        for *only* the Init.aspx page:
          4.1  IIS Manager > Sites > YourSiteOrAppHere 
          4.2  Switch from 'Features View' to 'Content View' 
          4.3  Find this Init.aspx page in the right pane and highlight it 
          4.4  Switch back from 'Content View' to 'Features View' once the Init.aspx page is selected.
          4.5  You should now see Init.aspx in the tree view in the left pane.  You can now adjust the access restrictions 
               on just this page (e.g. disable SSL, enable anonymous, etc.)
               Some stuff like this might be in your config:
                 <location path="Init.aspx"><system.webServer><security><authorization>
                   <add accessType="Allow" users="?" />
                 </authorization></security></system.webServer></location>

Additional Reading:

  Some decent guides on installing and enabling Application Initialization:
  http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-application-initialization
  http://weblog.west-wind.com/posts/2013/Oct/02/Use-IIS-Application-Initialization-for-keeping-ASPNET-Apps-alive

  The reference for the init parameters:
  http://www.iis.net/configreference/system.webserver/applicationinitialization

-----------------------------------------------------

Note that by the time the code gets to this page, the code in your Global.asax Application_Start and/or any 
Application_Start HTTP Modules will already have fired, so you may not have any extra work to do here.  This page could 
simply be a dummy page.

TO DO: Add any extra initialization tasks outside of the comment section here if you really want to. e.g.:
<%
MyAppNameSpace.UtilityClass.DoExpensiveStartupRoutine();
%>

//.. and last, just write some dummy text if you ever want to see this page in a browser:
--%>
Application Initialized.
Moskow answered 13/1, 2015 at 22:36 Comment(4)
Can you give an exact example of what the authorization/authentication should like for both the page and the whole site? I've tried your steps but the only way I've been able to get it to work is to leave Anonymous Authentication on for the whole site.Protocol
@skeletank: Sorry to hear of the trouble. In theory, anonymous access should work for only the Init.aspx page in the same way you got it working for the site in general; you should be able to do what worked for the site root to only the Init.aspx file. To troubleshoot this, it might help to visit the Init.aspx page and review the IIS 'Detailed Error' for the security exception. Sometimes the exception details will tell you exactly what it doesn't like. E.g. 'ACL on resource' means NTFS. 'Invalid Headers' sometimes means authorization rules, etc.Moskow
+100 for that excellent comment block. Future maintainers must love you!Combo
Thank you for the excellent comment block!! One other thing I want to mention is that your App Pool must be running in 'Integrated Mode'. Mine had been running in 'Classic Mode' ever since they were brought over from earlier versions of IIS. After applying all the configurations you listed above, I still had to switch my App Pool from Classic to Integrated.Utimer

© 2022 - 2024 — McMap. All rights reserved.