Information about ISAPI filters that register the SF_NOTIFY_READ_RAW_DATA event in Internet Information Services version 6.0

Article ID: 311852
This article was previously published under Q311852

INTRODUCTION

Microsoft Internet Information Services (IIS) version 6.0 introduces a new configurable-process architecture model. The configuration that you select can have a significant effect on the way that the ISAPI filters behave. This article describes the various issues that you must consider.

MORE INFORMATION

The SF_NOTIFY_READ_RAW_DATA event and IIS 6.0

Http.sys only supports routing raw request data to a single user-mode process. This behavior prevents IIS 6.0 from supporting the SF_NOTIFY_READ_RAW_DATA event in worker process isolation mode: global filters that register for the SF_NOTIFY_READ_RAW_DATA event can be loaded in multiple worker processes, but Http.sys cannot route raw data to multiple worker processes. Therefore, Secure Sockets Layer (SSL) processing remains the only raw data operation. SSL occurs in a single user-mode process that is named lsass.exe.

In IIS 5.0 isolation mode, global filters that register for the SF_NOTIFY_READ_RAW_DATA event are all loaded in a singleton process that is named Inetinfo.exe. SSL processing also occurs in the same process. Therefore, Http.sys can route all raw request data to that process.

ISAPI filter behavior in IIS 5.1 and earlier versions

A global filter is an ISAPI filter that is installed for the whole IIS service. The global filter recognizes requests and responses for all Web sites. A site filter is an ISAPI filter that is installed at the site level. The site filter only recognizes requests and responses for the site where the site filter is installed. An ISAPI filter that registers for the SF_NOTIFY_READ_RAW_DATA event must be installed as a global filter. However, an ISAPI filter that registers for the SF_NOTIFY_SEND_RAW_DATA event has no such restriction. Before IIS 6.0, all ISAPI filters ran in the Inetinfo.exe process. The Inetinfo.exe process is guaranteed to run as the LocalSystem account and is single-instanced.

IIS 6 configurable-process architecture model

Starting in IIS 6.0, IIS supports two isolation modes:
  • Worker process isolation mode (the default)
  • IIS 5.0 isolation mode

IIS 6.0 running in IIS 5.0 isolation mode

IIS 6.0 behaves like earlier versions when IIS 6.0 is set to run in IIS 5.0 isolation mode with the following exceptions:
  • Site filters do not load on IIS startup. Site filters load on the first request to their associated Web site.
  • Any ISAPI filter load failure prevents IIS from starting. Previous IIS versions continue running.

IIS 6.0 running in worker process isolation mode

When IIS 6.0 runs in worker process isolation mode, ISAPI filters run in the worker processes. This lets multiple filters register for the SF_NOTIFY_READ_RAW_DATA ISAPI event. This creates the risk of more than one process accessing the read raw data at the same time. Additionally, Http.sys can only route raw request data to a single process. Therefore, IIS 6.0 does not support the SF_NOTIFY_READ_RAW_DATA ISAPI filter notification when IIS runs in worker process isolation mode. In IIS 5.0 isolation mode, Inetinfo.exe is the only process. Therefore, Inetinfo.exe can access the read raw data without a risk of other processes accessing the read raw data at the same time.

In IIS 6.0, we recommend that you replace filters that use the SF_NOTIFY_READ_RAW_DATA event with ISAPI extensions. The ISAPI extensions should use the HSE_REQ_EXEC_URL function. The ISAPI extensions should be configured with wildcard application mapping. This method enables manipulation of the whole request, including the following:
  • Entity body
  • Impersonation token
This method also runs in a performant, asynchronous manner.

SSL in IIS 6.0

In IIS 6.0, SSL is handled in a single process. This is because Http.sys can only provide the raw encrypted request data to one user mode process. In IIS 5.0 isolation mode, this process is Inetinfo.exe. In IIS 6.0 worker process isolation mode, this process is lsass.exe.

Note Not all raw data filters are the same. The only raw data filter that causes issues is the SF_NOTIFY_READ_RAW_DATA ISAPI filter. The SF_NOTIFY_READ_RAW_DATA ISAPI filter is supported in IIS 5.0 isolation mode only. The SF_NOTIFY_SEND_RAW_DATA ISAPI filter does not cause issues. The SF_NOTIFY_SEND_RAW_DATA ISAPI filter is supported in all modes.
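The support rules above can be applied to a filter inventory before you choose an isolation mode. The following is an added example, not code from this article or from IIS: the two flag values are the ones defined in httpfilt.h, and the enum names, struct, functions, and sample DLL names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Notification flag values as defined in the ISAPI header httpfilt.h. */
#define SF_NOTIFY_SEND_RAW_DATA 0x00000400UL
#define SF_NOTIFY_READ_RAW_DATA 0x00008000UL

/* Hypothetical names for this example (not part of the ISAPI API). */
enum iso_mode { WORKER_PROCESS_ISOLATION, IIS5_ISOLATION };
enum scope    { GLOBAL_FILTER, SITE_FILTER };
enum verdict  { FILTER_OK, MUST_BE_GLOBAL, UNSUPPORTED_IN_MODE };

struct filter_rec {
    const char   *name;     /* constructed sample name */
    unsigned long dwFlags;  /* flags the filter registers in GetFilterVersion */
    enum scope    scope;
};

/* Apply the rules stated in the article to one filter. */
enum verdict audit_filter(const struct filter_rec *f, enum iso_mode mode)
{
    if (f->dwFlags & SF_NOTIFY_READ_RAW_DATA) {
        if (f->scope != GLOBAL_FILTER)
            return MUST_BE_GLOBAL;        /* read-raw filters must be global */
        if (mode == WORKER_PROCESS_ISOLATION)
            return UNSUPPORTED_IN_MODE;   /* Http.sys feeds one process only */
    }
    return FILTER_OK;  /* SF_NOTIFY_SEND_RAW_DATA alone is fine in all modes */
}

/* Count the filters that will not work in the given mode. */
size_t count_blockers(const struct filter_rec *v, size_t n, enum iso_mode mode)
{
    size_t i, bad = 0;
    for (i = 0; i < n; i++)
        if (audit_filter(&v[i], mode) != FILTER_OK)
            bad++;
    return bad;
}

/* Constructed inventory, not taken from a real server. */
static const struct filter_rec SAMPLE[] = {
    { "rawscan.dll",  SF_NOTIFY_READ_RAW_DATA | SF_NOTIFY_SEND_RAW_DATA, GLOBAL_FILTER },
    { "compress.dll", SF_NOTIFY_SEND_RAW_DATA, SITE_FILTER },
    { "sitescan.dll", SF_NOTIFY_READ_RAW_DATA, SITE_FILTER },
};

int main(void)
{
    printf("blockers in worker process isolation mode: %lu\n",
           (unsigned long)count_blockers(SAMPLE, 3, WORKER_PROCESS_ISOLATION));
    return 0;
}
```

A filter reported as UNSUPPORTED_IN_MODE is a candidate for replacement with an ISAPI extension that uses HSE_REQ_EXEC_URL, as recommended above.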

REFERENCES

For additional information about ISAPI filters, click the following article number to view the article in the Microsoft Knowledge Base:
327611 ISAPI filters for earlier versions of IIS may not load
For more information about the Http.sys component of IIS 6.0, see the IIS "Performance Features" topic in the "Getting Started" section of the Server Administration Guide.

For more information about the architectural model of IIS 6.0, see the "Internet Information Services Architecture" topic in the Server Administration Guide.

For more information about ISAPI extensions, visit the following Microsoft Developer Network (MSDN) Web site:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3fd05620-78f1-4d51-8709-b142807cf9de.mspx

Properties

Article ID: 311852 - Last Review: December 3, 2007 - Revision: 1.7
APPLIES TO
  • Microsoft Internet Information Services 6.0