Migrating to IIS7

It wasn’t until recently (December) that I started giving IIS7 any attention.  I suspect its because I don’t have to do much inside of IIS when I’m developing .NET applications on my Vista Machine and I haven’t deployed to many Windows Server 2008 machines yet.  Though there’s a impressive amount of information on the IIS Site and I’ve read and heard numerous accounts of how easy it is to migrate to IIS7, my experiences haven’t been effortless.

I first wrestled with IIS7 when I attempted to get SubText to run in Integrated Pipeline Mode:

Out of the box, SubText is unable to run under IIS7’s Integrated Pipeline Mode. Unfortunately, it goes beyond "migrating" the web.config to match the required format. For example, moving httpModules and httpHandlers to their new location within. As it turns out, Request is not available at Application_Start when running in Integrated mode and this causes SubText to fail too.

If we weren’t adding blog functionality to an existing, GoDaddy-hosted ASP.NET web site, we would be left with two options: Update the SubText codebase to not use the request context (plus fix whatever else surfaces) OR simply run SubText in classic mode.

Unfortunately, our current GoDaddy account is limiting as only a single app pool is available to us. Since the main site is configured for Integrated Pipeline Mode, we don’t have the freedom to change the IIS mode without impacting (read: breaking) the main site.

Short of switching to a more flexible host, the current plan is to modify the main site to run in classic mode. It’s a simple site and reverting the web.config to the classic mode format should not be a big deal. Alternatively, I’m toying with the idea of updating the SubText codebase to not use the request context at Application_Start. I haven’t heard on anyone running SubText in Integrated Mode and it might be a nice problem to solve — assuming there’s an end to the necessary updates.

Assuming there are about 8 more hours allocated to this effort, what’s the best approach? Am I missing any other options?

Ultimately, we settled and opted to run the Subtext in IIS7 but in Classic Mode:

As a follow up, we quickly commented out the Application_Start code which referenced the Request context. This experiment resulted in further exceptions. We’re currently moving forward with medications to the main site to run in classic mode.

Since my IIS7 initiation, I’ve started to get the swing of things.  Sure one needs to jump through a few hoops to get things running, but in retrospect it is all reasonable and once your get some of the basic steps down, it is pretty darn easy.  Hence, I offer three simple tips:

1 – Pretty much everything in IIS7 is locked down by default.  I’m pretty sure you can serve up an HTML page out of the box, but you need to enable even the most basic options like ASP.NET Services and Windows Authentication. Along those lines, here are two of the better articles I found on installing IIS7 on Windows Server 2008 and setting up IIS7 applications.

2 – Another big gotcha is related to configuration locking.  Basically, you need to unlock your web.config modules and handles sections before they can be formatted per IIS7 compliance. Execute the following at the command prompt and you are good to go:

%systemroot%\system32\inetsrv\APPCMD.EXE unlock config -section:system.webServer/modules

%systemroot%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/handlers

3 – Finally, let AppCmd.exe do your heavy lifting and make your web.config to IIS7 compliant by executing a like migration command:

%systemroot%\system32\inetsrv\APPCMD.EXE migrate config "Default Web Site/Application"

That’s it. Easy, right? By the way, if you are interested in learning more about IIS7, I highly recommend Jeff Brand’s Spaghetti Code Podcast on IIS7 with Robert Boedigheimer and I again suggest you check out the IIS Site.


  1. Hi! I just wanted to ask if you ever have any problems with hackers? My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no back up. Do you have any solutions to protect against hackers?