HOWTO: Deploying your Web Application to Windows 2003 Server

The information in this article applies to:

• Deploy
• Windows 2003
• Web
• COM+, v1.5
• Security
• IIS, v6.0
• ASNA Visual RPG, Release 4.0 and lower
• ActiveX

SUMMARY:

Here is some information on what is needed to deploy your AVR Classic COM based web applications on Windows 2003 Server. Click here for deployment for Windows 2000 and NT Server. This article does not apply to AVR for .NET web deployment.

STATUS:

Current.

MORE INFORMATION:

Note: Please coordinate with your Network Administrator or Microsoft when working with Microsoft Windows 2003 Server, Internet Information Server, or COM+ Application Server.

DISCLAIMER:  This knowledge base article is a guideline.  Please read and understand Microsoft's documentation on how Security has changed on Windows 2003 Server. The following link is an example on Securing a Windows 2003 Server and INFO: Default Permissions and User Rights for IIS 6.0, as there are many Security based articles from Microsoft. This article does not encompass all security and items needed to prevent malicious threats. ASNA will not be held liable for you not securing your server.

AVR Web Application Installation Requirements:

1. Web Server should have these products installed: Component Services (COM+ v1.5) for 2003 and Microsoft Internet Information Server (IIS v6).  They are NOT installed by default.
2. Installation of ASNA's Deployment is required if you are installing ASP DLLs.  You can also create your own installation using InstallShield or equivalent Installation Package.  ASNA provides wizards for Windows based applications for InstallShield Express v2.x and InstallShield Professional - Windows Installer Edition v2.01.  These wizards are in the "C:\Program Files\ASNA\Deployment" folder.   You can modify these wizards to deploy the necessary files for your application.
3. If  using database files, you are required to:
   • Configure a Public Database Name on the Server where your web application will be installed.
   • Acceler8DB Web Server License.  You can email "codes@asna.com" or call ASNA's Sales for a license.
   • If the database is local (not recommended), you will need to install the Acceler8DB Engine.  We recommend having another Server (e.g. AS/400 or Acceler8DB on Windows Server) as a Database Server.  Make sure there are enough licenses for Acceler8DB Engine; otherwise, "user count exceeded" errors will be in the $$AVRERR.TXT file. You can email "codes@asna.com" or call ASNA's Sales for a license.
4. Enable Server Extensions in IIS 6:
http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/cl_as_enext.mspx



Figure 1

5. Create an Application Pool in IIS 6 that will run the application:
http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/gs_apppool.mspx

TIP: Click here for IIS 6 Overview

• Figure 2 below is an example of an application pool designated to run COM based applications, instead of using DefaultAppPool:



Figure 2

 

6. Your Web Application, which consists of: Web Pages (i.e. HTML, ASP, ASA files) and your AVR created ActiveX DLLs:

• Web Pages (IIS 6 Product Documentation):

• How to create Virtual Directories & Web Sites: Web Site Administration
• Migration tips and tricks: http://www.microsoft.com/TechNet/iis/ready.asp
• Click here to know what is a Virtual Directory

Once you have a Web Site created and configured a Virtual Directory, you can place the web pages into these locations.



Figure 3

Select the Application Pool for the virtual directory (See Figure 4):



Figure 4

• AVR ActiveX DLL - Configure in COM+:

TIP: Creating COM+ (1.5) Applications on Windows2003 Server, changes compared to COM+ 1.0, click here.

NOTE: We recommend not to install and register your AVR ActiveX DLLs in the "wwwroot" folder on the web server.  We recommend installing them in their own separate folder, for example: "c:\program files\<your company web dll>"

NOTE: Make sure you configure the identity with a user that has sufficient permissions (Figure 8 below):

INFO: Rights and Permissions Needed by the Identity Account of an MTS/COM+ Package

The two items you will need to run your ActiveX DLL are:

• Windows 2003 (click here for COM+ overview, critical information):
  1. Create an Application
  2. Add a Component

7. If using any third party controls, you will need to refer to the vendors documentation to get them deployed.  If you don't know what third party controls, you can look in your Project References to see which third party controls are selected.  Please see the additional links below for more information.

NOTE: ASNA Miscellaneous Control (miscctls.ocx) is not a part of the standard ASNA Deployment.  You will need to deploy and register this control on the target machine.

Configuring Security on Windows 2003 to enable Launch Permissions:

This section will discuss configuration items needed for the Application Pool, Virtual Directory, and COM+ application created above.  Remember, this is a guideline that will have to be reviewed for your specific needs and you will have to ultimately decide the on the security level for your environment.

1. Using this guideline from Microsoft, create a user profile on the server that will run the application:
• http://support.microsoft.com/default.aspx?kbid=812614
2. Configure the Application Pool to use the profile created above, under properties on the Application Pool level:



Figure 6

 

3. Configure the Virtual Directory Security created above, on the Directory Security Tab, Edit button:



Figure 7

 

4. Configure the COM+ Application created above, set the Identity and Role (See Figure 8, 9, and 10).

   NOTE: The Role is important, as it is new to COM+ v1.5, with Application Access Checking is on by Default. This was not the case with COM+ 1.0 on Windows 2000:

   • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/whatsnewcomplus_350z.asp

   • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgservices_security_1odq.asp

Figure 8

Figure 9

Figure 10

The following contains more information on COM+ Launch Permissions, Microsoft excerpt from:

http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/ca_configappstousecom.mspx

Configuring Launch Permissions for COM+ Server Objects

Changes in Windows Server 2003 Component Object Model (COM) services and IIS 6.0 have security implications for COM+ objects in ASP pages, ISAPI extensions, or any other application that runs on IIS. To minimize security risks, the new process model for IIS 6.0 requires all worker processes to run under an identity other than LocalSystem. If the identity of the worker process does not have launch permissions for that object, the object will not be successfully created. You must grant sufficient user rights to allow the IIS worker process to successfully create the object without granting so many rights that the identity poses a security risk.

The following recommendations can provide sufficient security while reducing administrative overhead:

•	Instead of adding individual users directly to the launch permissions for an object, create a group on the computer on which the COM+ object runs, and then add the individual users to this group. Then, add this group to the launch permissions for the object.
•	If a COM+ object was created from the GetExtensionVersion method of an ISAPI extension, from an ISAPI filter, or from an ISAPI extension that is running as the identity of the current process, add the IIS_WPG group to the launch permissions for the object. Important You should not modify the default launch permissions for an application.

• Below are potential issues that might arise if the configuration is not set correctly:

Q: I am getting the following error: ASP 0134 Invalid ProgID Attribute: MSWC.MyInfo (See Figure 11)?

Active Server Pages error 'ASP 0134' Invalid ProgID attribute /LM/W3SVC/599050834/Root/global.asa, line 1 The object has an invalid ProgID of 'MSWC.MyInfo'.

Figure 11

A: Global.asa has incorrect configuration. See this link for more information: http://www.innerprise.net/forum/forum_posts.asp?TID=722&PN=1.

Q: I am getting Access denied errors in IIS Server Log, what could be the issue (See Figure 12)?

2004-06-29 20:00:19 127.0.0.1 GET /avr40_400_call/login.asp - 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0 2004-06-29 20:00:22 127.0.0.1 POST /avr40_400_call/processlogin.asp |3|ASP_0178_:_80070005|Server.CreateObject_Access_Error 80 - 127.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 500 0 0

Figure 12

A: Permissions are not set correctly on the COM+ Application. See configuring security above on COM+, step 4, particularly Figures 9 and 10.

Q: Why am I still getting COM/DCOM Errors in the System Event log (See Figure 13a and 13b)?

Figure 13a

Figure 13b

Figure 13c

A: The COM+ Application doesn't have the correct Role assigned. Click here for security settings to enable Launch privileges.

TIP: (Regarding Figure 13c) Don't be mislead by the DCOM Server error or GUID or follow the help link, as it pertains to Windows 2000, not 2003 (notice the version number above). This GUID does not exists, unless, the COM+ App does indeed use a DCOM System object. Don't follow this link either, as it applies to IIS 5 and lower, not IIS 6.

RESOLUTION: ** Double check the Role assigned to the COM+ App, and double check the System Policy for the user specified in the Role. Use this link as a guideline. **

TIPS:

• Click here to learn how to deploy the Graph Control to your Windows 2003 Server.
• If a web application works correctly on a machine, then the best method of deploying is to "mirror" the IIS and COM+ settings on to the new machine. NOTE: This method doesn't apply 100% when comparing Windows 2000/NT with Windows 2003.
• Create a Public Database Name if the Server will not have a user Logged into the console.
• Have Firewall configured to allow Acceler8DB communications if going to AS/400.
• Creating a Secure Web Site with Verisign.
• Credit Card Validation and security via AIS Media, Inc

Other ASNA KB Articles:

• IIS Web Serving and AS/400 Security (DataGate/400 Security related information)
• INFO: Differences between Private and Public Database Names
• HOWTO: Securing an Acceler8DB Public Database Name (Acceler8DB Security related information)
• PROBLEM: Web Application doesn't run on Web Server
• HOWTO: Configuring Firewall to allow Connections to Acceler8DB
• Upgrading your Windows 9x/NT Web DLL to run in Windows 2000/2003 or XP Professional
• Consequences of Web Application Deployment Without MTS
• PROBLEM: Error "File is busy" or "Access Denied" when trying to update a Web ActiveX DLL
• Component instantiation within MTS / COM+
• HOWTO: Shutdown a Windows 2000/2003 COM+ Web Application from AVR
• Can't find Database Name when running within an ASP in a Web application

Here are other Microsoft KB Articles that you may want to refer to:

• Recylcing Application Pools in IIS 6
• System Performance Decreases, and Many Event ID 576 Entries are Logged to the Security Event Log
• PRB: COM+ Server Application That Uses Interactive User Identity Fails to Load
• MOD2000: How to Avoid Common Mistakes When You Create Distributable Run-Time Applications (Q247530)
• Licensing and Distribution of Microsoft components
• Determining what is required on the Web Server (helpful hints)
• Stress testing your Web Application 
• MS TechNet Web Services
• HOW TO: Implement Windows Authentication and Authorization in ASP.NET
• ActiveX Controls: Distributing ActiveX Controls
• Best Practices for Securing COM+ Applications (Security related information)
• MS Setting MTS Authentication Levels (Security related information)
• MS Setting MTS Package Identity (Security related information)
• MS HOWTO: Set System Package Identity (Security related information)
• MS Configure COM+ with IIS 6.0 (Security related information)
• INFO: Default Permissions and User Rights for IIS 6.0 (Security related information)

Keywords: deployment, web, application, security, COM+ 1.5, IIS 6.0, test, client, install, secure, license, distribution