IIS Insider - April 2004


By Brett Hill

For a list of previous months' questions and answers on IIS Insider columns, click here.

How COM and COM Objects Work with IIS

Q: We have an ASP application on IIS 5 that uses COM objects to implement a core application to our business. The objects were built using Visual Basic, but the application does not seem to work reliably and we can't quite figure out what the problem is. It works for a while, then hangs up. Do you have any advice for those of us using COM and IIS?

A: My best advice is to study. For those of you who may not know, COM (Component Object Model) is a Microsoft standard for creating executables (dlls) that can be invoked from any COM-enabled application. IIS can deliver web-based applications using ASP or other scripting or complied languages that use COM. COM "objects," as they are called, can be created using Microsoft languages such as Visual Basic, Visual C++ and others. COM interactions with IIS can be complex and take some time to understand. I've been a student of IIS for a long while, and though not a developer, I have spent some time learning how COM works in relationship to IIS.

As mentioned, COM objects can be created using a variety of languages. As an IIS administrator you want to know if COM objects are written in Visual Basic 6. If so, there are two very important features that must be enabled when your developers compile the components. They are "Retain in Memory" and "Unattended Execution." (See https://support.microsoft.com/default.aspx?scid=kb;en-us;241896&sd=tech). If these switches are not set by the developer when the COM object is created from the source code, you will have problems when they are run in IIS.

In addition to these issues, when using COM you can have problems related to "threading" that are far beyond what we can go into here. There is some information on this in the KB article referenced earlier as well.

If you want to learn more about COM and IIS, I can recommend the book Programming Windows Security by Keith Brown. You can also find ample information on MSDN such as COM Components for ASP and Designing COM Components for ASP. Finally, significant changes have been made on how IIS 6 works with COM.

Old Passwords Still Valid After Making Changes

Q: We are using a mixture of IIS 4 and IIS 5 servers to deliver our web application on the Internet. Users are required to authenticate using Basic authentication over SSL. We've noticed that when we change a password for a user, they are still able to logon using the old password for a period of time. Why doesn't IIS respect the user's password change?

A: With both Basic and Anonymous authentication, the user's logon credentials are cached on IIS for 15 minutes. If you make a change to the user's password, and the user has logged onto IIS within the 15 minutes of the password change, IIS will accept the old password until the cache is updated. This problem can also appear if you add a user to a group and their group memberships are not updated until the cache is refreshed. You can force a cache update by stopping and starting IIS.

IIS caches these credentials (Basic and Anonymous authenticated users) to improve performance. If the cache were not present, authentication would need to reoccur with every access, which could significantly reduce performance.

You can control the amount of time credentials are cached. In some circumstances, you may wish to adjust the amount of time upward or downward from the default of 15 minutes. To make this adjustment, follow the instructions in Microsoft Knowledge Base article Changing the Default Interval for User Tokens in IIS.

Note that the minimum value for IIS 4 is 30 seconds, which means that setting it to zero will still default to 30 seconds. For IIS 5, the minimum value is 1 second and if set to zero will still be 1 second. It is necessary to restart IIS for any of these changes to take effect.

IIS 6 is a bit different, in that a zero value results in disabling the cache. In this case you will need to recycle the proper application pool to update the cache. Additionally, you do not need to reboot the server after making the registry changes.

Page Not Found Error When Querying Valid ASP Pages

Q: I would like to be able to test ASP applications locally on my Windows XP Professional machine before posting them to my public web site. I have IIS 5.1 installed, but when I try to run ASP pages I get a Page Not Found error. My local machine is named "localhost" and I'm trying to access the following URL: https://localhost/directory/filename.asp. The file is present and located in \inetpub\wwwroot which is mapped to the default web site.

A: If you're getting a Page Not Found error then IIS is receiving the request and responding, so we don't need to troubleshoot that part of the problem. It's not a permissions issue, or you would be getting an Access Denied message or an authentication prompt. That leaves us with just a couple of things. First, if URLSCAN is installed, it could be denying access to the .ASP extensions. Otherwise, we have to believe that IIS simply cannot find the filename. The most common cause of this is having your system set up so that file extensions are not shown, which is the default. As an example, let's say that you create or rename a file in Notepad and save it as default.asp. However, the actual filename is default.asp.txt. When you ask for file default.asp, IIS is unable to find it. However, when you look at the file in Windows Explorer, it is displayed as default.asp. You can configure Windows XP and other Microsoft operating systems to show the file extensions by clearing the checkbox "Hide extensions for known file types" located at MyComputer, Tools, Folder Options, and the View tab (as shown below in Windows XP Professional).


Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months' questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.