This article shows the possibilities of Feature Delegation, a part of Internet Information Services (IIS) 8.5, which is available on Windows Server 2008 R2.
For those who have never heard about IIS 8.5, I suggest visiting the following URL: http://www.iis.net/learn
What is Feature Delegation?
Per definition: "Use the Feature Delegation page to configure the delegation state of IIS Manager features for sites and applications on your web server. When you configure the delegation state of a feature from IIS Manager, you specify whether the feature's related configuration section is locked or unlocked in the server-level configuration files (ApplicationHost.config and root Web.config) for IIS 8.5. When you lock a feature, configuration can only be read and written in the server-level configuration file for that feature. However, you can unlock a feature when you want configuration to be read and written in lower-level configuration files, such as a Web.config file in your site or application."
Why should it be used?
Since Windows Server 2008, or more accurately since IIS 7.0, there is an option that only members of the local Administrators group are allowed to manage the web services. I believe this fits the concept that administration and design (or even development) jobs involve different types of activities and responsibilities. Therefore Microsoft decided that (real) administrators will only be able to grant permissions to the designers and the developers.
Because of the above, Microsoft created the Feature Delegation module.
An example (perhaps) shows the idea best.
Let's imagine Windows Server 2012 R2 with IIS 8.5 on it. Let it be a single machine: neither a member of any domain nor a domain controller.
Only the administrator user is in the local Administrators group. Nobody other than Administrators group members is allowed to log in remotely through RDP. IIS 8.5 is up and running on the system and the Default Web Page is available on All Unassigned IP addresses.
In this case the designers (or developers) are not allowed to manage their modules and applications on the server. How can they manage their systems at all?
There is an important module, the Management Service, that must be installed. Without it the connection between the IIS Managers will not work. Therefore it should be installed and, of course, the service should be started. In the picture on the left the service has not been switched on yet. The central picture shows that the Apply button has been pressed. In the picture on the right we can see that the service has started successfully.
Configuring the module is very simple. The following picture shows what should be configured:
- Enable the Remote Connections
- Choose the appropriate credentials (if Windows credentials are not enough, choose mixed mode): IIS Manager is able to provide unique credentials from its own database.
- Choose an IP address and an appropriate port. Make sure the firewall(s) between the computers are open for it. In this example we have only one firewall:
After the steps above we need to tell IIS which users will be able to connect.
And here comes an important point:
- if the user is not a member of the Administrators group, it will not be able to create a connection to the server remotely
- the user should be added in the IIS Manager Permissions module, but this cannot be configured at the server level
- therefore we need an existing web site, and our non-admin user should be added to this site in the IIS Manager Permissions module
- Let's try to make a connection to the web site remotely:
- Now we are able to manage our web site(s) remotely, but we need to check which delegated possibilities we have. We can check them on the newly created site at the bottom of the central pane.
- Of course we cannot configure the delegation settings remotely if we are not in the Administrators group on the host server. If we are only a simple developer or builder, we have no right to change anything in the configuration.
First of all we need to ensure that the Feature Delegation module is already installed. For this, the module should be checked in IIS Manager at the server level.
As we can see in the icon above, Feature Delegation is available and we are able to configure it. It is not difficult.
If we have multiple web sites we are allowed to configure separate delegation rules. This means we can use the inherited basic configuration on all of our sites, but we are also allowed to configure the delegations site by site.
Using it is very simple. We are able to set the delegation of each module to Read Only, Read/Write or Not Delegated.
It is important to understand that we do not configure this for each user who has access. We configure the module accessibility at the site for any user who has access to it. In other words, we do not assign permissions to users; we only assign access levels to modules.
After this theoretical and GUI overview, let's see how we can do this by scripting.
Our scenario is an IIS in which all necessary modules are installed and we need to configure it by script. We need to enable the Management Service and configure Feature Delegation.
First of all, let's open the port on the firewall. We would like to open TCP port 8172 for all profiles on all IP addresses.
New-NetFirewallRule -DisplayName "Allow Inbound Port 8172" -Direction Inbound -LocalPort 8172 -Protocol TCP -Action Allow
Importing additional PowerShell commands
Management Service by scripting
to be continued ...
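As an added example (not part of the original article), here is the whole scenario scripted: the firewall rule, enabling the Management Service for remote and mixed-mode connections, granting a non-admin IIS Manager user access to a single site, and delegating one feature Read/Write and another Read Only for that site only. The site name "Default Web Site", the user name "webdev", the password placeholder, the DLL path and the two delegated sections are assumed values; run it in an elevated PowerShell session on the IIS host.

```powershell
# Added example, not the article's own script. Assumes IIS 8.5 with the Management
# Service installed and a site called "Default Web Site" (assumed name).
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName = 'Default Web Site'
$iisUser  = 'webdev'                        # IIS Manager (non-Windows) user, assumed name
$iisPass  = 'REPLACE-WITH-STRONG-PASSWORD'  # placeholder; never hard-code a real secret

# 1. Firewall: the Management Service listens on TCP 8172 (all profiles, all addresses).
if (-not (Get-NetFirewallRule -DisplayName 'Allow Inbound Port 8172' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Allow Inbound Port 8172' -Direction Inbound `
        -LocalPort 8172 -Protocol TCP -Action Allow | Out-Null
}

# 2. Enable remote connections (the "Enable remote connections" checkbox) and allow
#    IIS Manager credentials in addition to Windows credentials (mixed mode).
$wmKey = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $wmKey -Name EnableRemoteManagement   -Value 1 -Type DWord
Set-ItemProperty -Path $wmKey -Name RequiresWindowsCredentials -Value 0 -Type DWord

# 3. Make the Web Management Service (WMSvc) start automatically and restart it so the
#    registry changes take effect.
Set-Service -Name WMSvc -StartupType Automatic
Restart-Service -Name WMSvc

# 4. Create the IIS Manager user and grant it access to the one site, not to the server
#    level, which is exactly the restriction the article describes. Microsoft.Web.Management.dll
#    path is assumed to be the one shipped in inetsrv.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Management.dll"
[Microsoft.Web.Management.Server.ManagementAuthentication]::CreateUser($iisUser, $iisPass) | Out-Null
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($iisUser, $siteName, $false)

# 5. Feature delegation for this site only. Read/Write = section unlocked (overrideMode
#    Allow), Read Only = section locked (overrideMode Deny). Other sites keep the inherited
#    server-level state. "Not Delegated" hides the feature and is configured in
#    administration.config, which this script does not touch.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
& $appcmd unlock config "$siteName/" -section:system.webServer/defaultDocument   # Read/Write
& $appcmd lock   config "$siteName/" -section:system.webServer/handlers          # Read Only
```

After running it, connecting from a remote IIS Manager as the new user should show the site only, with Default Document editable and Handler Mappings read-only.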