7

I'm trying to setup a highly available IIS for public facing websites, and I'm having a hard time finding information on the best and most secure method of setting up the permissions, correctly configuring IIS, and verifying that my setup plan is optimal.

After much research, I've settled on this setup:

  • 2x IIS servers, using shared config.
  • Both IIS servers connect to the same Windows Failover Cluster SMB File Share for application website data.
  • The File Server uses Starwind vSAN.
  • IIS servers will receive requests from a NLB/ARR cluster.
  • Servers are VMs on two Hyper-V hosts
  • Mysql will run on two Linux VMs with MariaDB Galera Cluster.

The general consensus I found was to not use SOFS for IIS, so it is a standard File Server setup as an SMB Share - Application. Starwind was used because there is no single point of failure on the two node system, and replication is synchronous. Data will have regular backups and shadow copies, and VMs will have replicas on another host.

My problems currently come from understanding the permissions and users needed for setting up shared IIS data.

Currently data is local to the server and has permissions for built-in users, system, administrators, trustedinstaller, and IUSR is set for write permissions on certain folders. ApplicationPoolIdentiy is used with pass-through authentication. Anonymous Authentication is set to IUSR.

For shared data, I have only gotten my websites to work after setting the application pool to use a domain user, and setting the Anonymous Authentication to use ApplicationPoolIdentity. I've added the domain user to have full permissions on the SMB share. I've also seen some recommendations of adding the computer account to permissions and keeping with local system accounts for Application pools, except IUSR still must be changed to appidentity for anon authentication. Is one method preferred? What NTFS and SMB permissions are necessary, and who needs write access when IUSR was previously used?

Also, are there any concerns with having shared files in IIS? Can logs, caching and php session folders be shared? I'm currently having write permission errors on logs and caching despite giving full permissions.

Any help, thoughts, and opinions would be greatly appreciated!

Justin M
  • 123
  • 1
  • 6

1 Answers1

6

The NTFS/SMB permissions for shared IIS storage are detailed described in ms guide: https://docs.microsoft.com/en-us/iis/web-hosting/configuring-servers-in-the-windows-web-platform/configuring-share-and-ntfs-permissions

If you have some webapp/scripts, which should write data in folder on file server, then you should configure appropriate permissions for this folder.

The web-farm configuration is better to store on shared drive. Here is a link:

https://docs.microsoft.com/ru-ru/iis/web-hosting/configuring-servers-in-the-windows-web-platform/shared-configuration_211

Regarding the non-content data (logs, cache sessions, etc), you won’t get a big advantage storing them on share. So it’s up to you.

batistuta09
  • 8,723
  • 9
  • 21
  • 3
    Thanks, that's the best breakdown I've seen yet. My only problem left seems to be the iis logs. I've given full permissions to the logs, logfiles, and w3svc* folders, but iis keeps complaining that they can't be written. Ownership is set to built-in/administrator. Any ideas what else it could be? Thanks! – Justin M Mar 05 '19 at 20:03
  • 1
    So I never did get the shared folder log file to work, but have since read that multiple iis servers can't write to the same log file anyway due to locked writes. Best solution if you need a single place for log files would be to write a script that runs on a scheduled task that copies and joins log files to a shared location. – Justin M Jul 08 '19 at 19:26