Uncrippling Windows XP's IIS 5.1

June 28, 2005

Scott Mitchell says the best new ASP.NET feature in VS.NET 2005 is the integrated webserver. I agree. No more ditzing around with annoying IIS dependencies and install issues: aspnet_regiis, anyone? Tight coupling of VS.NET to IIS is also number three in K Scott Allen's worst of the .NET 1.x years. Good riddance IIS, hello Son of Cassini!

Unfortunately, we're still stuck with VS.NET 2003 in the meantime, and Windows XP's IIS 5.1 is thoroughly crippled out of the box. It allows only one root website, and a maximum of ten concurrent connections to that website. Microsoft really, really doesn't want us hosting slashdot.org on our XP Pro box. These limits are so aggressive that they can get in the way of legitimate localhost development. But there are workarounds.

  1. Increase the 10 concurrent connection limit

    Are you getting 403.9 "Access Forbidden: Too many users are connected" errors on an XP Pro website? You're limited by default to 10 concurrent connections by design, but this can be increased. First, make sure your default windows script host is set to the console (cscript.exe) one. 

    cscript //h:cscript

    Next, let's increase the connection limit to 40. 

    C:\Inetpub\AdminScripts\adsutil set w3svc/MaxConnections 40

    Note that this is a hard-coded limit; it can't be increased any further unless you like patching windows system files. You can, however, make the IIS connection timeout more aggressive so connections don't last as long.

  2. Run more than one root website

    IIS 5.1 only allows one root website. This is fine if your websites run under subfolders: 

    http://localhost/MyWebsite1
http://localhost/MyWebsite2

    But it's kind of a pain if your websites must run as root, or need to be tested when running as root: 

    http://MyWebsite1/
http://MyWebsite2/

    In that case, you'd have to edit your hosts file, and switch the default home directory for the default website. But there's a better way. You can hack up multiple web sites in IIS 5.1 via command line tricks, or you can use this nifty little GUI utility which automates that for you. It works great-- you'll even see multiple websites show up in the IIS manager. But bear in mind that, unlike the server versions of IIS, only one website can be active at any given time.

Posted by Jeff Atwood
23 Comments

There's also a tool on codeproject to do it. Haven't tested it but they reckon they based it on IISAdmin and made it better - http://www.codeproject.com/csharp/IIsAdminNet.asp

Or, iismultiplex, which someone recommends in a message on the IISAdminNet page - http://www.codeproject.com/csharp/IIsAdminNet.asp#xx1138522xx

Wish I had've seen these before i hand rolled my own bodgy hack solution :-)

Dan F on June 28, 2005 3:48 AM

bank's web application was programmed to use root or admin level access for everything?

I guess I don't see a big disparity between testing with ASP.NET running as admin on localhost, then deploying to a server where ASP.NET runs as a less privileged account.

Note that I'm not ADVOCATING this per se, but if Cassini and the VS.NET 2005 embedded webserver implementations *require* admin as you say, I think it's a reasonable tradeoff to get rid of the IIS dependency which is an ongoing PITA.

Jeff Atwood on June 28, 2005 7:02 AM

I hear what you're saying, but is security really such a big deal for a web app that's going to run 100% server side? To me, that's more about validating input and making sure your host IIS/windows is hardened.

I think the "run as limited user" functionality in VS.NET 2005 is far more important and useful. As it stands in 2003, it's nearly impossible to test limited user rights (eg, limited framework permission) scenarios.

Jeff Atwood on June 28, 2005 1:21 PM

One tip. Don't forget to enable INTEGRATED AUTHENTICATION for any websites you're debugging at the root via VS.NET 2003. This is standard, of course, but for some reason, I was getting a really cryptic error when trying to do this via localhost, so it was hard to tell what was wrong.

Jeff Atwood on June 29, 2005 5:46 AM

Here's how I solved the problem.

Bought a workstation with 2 gigs of ram.

Installed VMWare Workstation.

Installed W2003 Server Enterprise in a virtual box. Put SQL Server Reporting Services in there, too. Found other uses for this, too, like having a place for VS Studio 2005 beta.

Even did this on my laptop (1.5 gig).

Yeah!!

Jimmy on August 28, 2005 10:03 AM

There are several alternatives on the net for adding sites to IIS on XP, all seem preet much equal in features and all are free:
- IIS admin (mentioned above - fisrt served)
- IIsAdmin.NET (mentioned above - codeproject)
- Windows XP IIS Manager v1.7 (http://www.codeproject.com/w2k/EasyIIS.asp?df=100forumid=163141exp=0select=1225836)
- XP PRO IIS Admin (http://jetstat.com/iisadmin/)

Having no preference I use the one I found first.

dreamer on June 1, 2006 11:33 AM

Correct link for XP Pro IIS Admin is:
http://jetstat.com/iisadmin/

That util also provide automatic setup of some asp scripts at your local web server and some other features.
Next version will support "hosts" file. :)

Eugene on June 28, 2006 7:08 AM

Even better: get rid of IIS and install Apache+mod_mono in Linux. That's what I use to run my blog directory and it works wonderfully!
Cheers,

Icarus

Icarus on January 11, 2007 4:20 AM

XP Pro IIS admin with hosts file support has been just released.
you can check it here:
http://jetstat.com/iisadmin/

Major updates: Windows vista support, hosts file management, using hosts names in addition to localhost and port value other then 80 support on local websites.

Eugene on January 30, 2007 11:24 AM

when I go to enter the ---adsutil set w3svc/MaxConnections 40---,
I get an "error trying to get the object: w3svc". It worked fine on one xp system, but the one I really want it to work on gives the error. Anyone seen this?

frank m on February 10, 2007 5:06 AM

Thank you very much for the tips.

Guti on February 13, 2007 12:51 PM

I have applied the setting recomended above.
They work but i am still not satisfied because my client can only afford to run the production app on an XP license. I am so desperate that i am thinking of configuring multiple 3 or four XP boxes as web servers and assigning different web clients to different servers.

Vin Klassen on April 2, 2007 8:34 AM

Cassini is a horrid way of doing any serious web development work.

It's great for a quick start server or for the hobbyist, but if you are billing someone for web development or building something for yourself that makes any use of user authentication, multiple sessions or requires high levels of availability then you're going to only hurt yourself persisting with Cassini.

Rob on September 12, 2007 6:16 AM

or you could just use apache.

none of the limitations from iis

http://httpd.apache.org

jay on September 27, 2007 1:00 PM

it would be nice if the unix geeks could resist with switch to apache comments. you're not helping.

joe on May 12, 2008 4:03 AM

I'm not a unix geek, but I use Apache on a Windows XP box, and none of the limitations of IIS 5.1. :o)

But if you want ASP, you have to grab one of the ASP on Apache ports, though I've never used them (php for the win!), I've read that some of them work fine.

Ken on May 13, 2008 10:32 AM

DUDE! The link on how to create new websites from the command line totally saved my bacon. THANKS!!!!

Al Partridge on November 14, 2008 7:07 AM

who are you?

xxfflower on March 13, 2009 8:39 AM

I wish people would stop promoting Cassini as a solution. It's utterly inappropriate for development. Cassini runs as an interactive user process not as a service under a specified service account. This makes building anything with security in mind very difficult and sometimes impossible. If you do attempt to build a secure application using Cassini you run the very great risk of writing extra code that is unnecessary for your production environment.

BTW, the minimal webserver included in VS 2005 runs into the same problems. Microsoft has not solved the problem of ASPNET development on XP Pro.

Monsoon Dawn on February 6, 2010 9:29 PM

Would you be okay if you knew your bank's web application was programmed to use root or admin level access for everything? Security is very important for a server application.

Monsoon Dawn on February 6, 2010 9:29 PM

Why not run Cassini through runas and attach-to-process for the security-sensitive test cases?

Seems like more of a solution than IIS5.1@localhost for development.

Jon Choy on February 6, 2010 9:29 PM

After entering adsutil set w3svc/MaxConnections 40 my iis install stops serving pages for anything other than Default Web Site. Has anyone else had this issue?

jason on February 6, 2010 9:29 PM

bizarre - it's started working again... I tried the dispnode.vbs script to take a look at the site I was attempting to configure and the server magically started working again. sorry for the false alarm.

jason on February 6, 2010 9:29 PM

The comments to this entry are closed.