Microsoft Internet Information Services (IIS) version 6.0 introduces a new configurable-process architecture model. The configuration that you select can have a significant effect on the way that the ISAPI filters behave. This article describes the various issues that you must consider.
The SF_NOTIFY_READ_RAW_DATA event and IIS 6.0
Http.sys only supports routing raw request data to a single user mode process. This behavior prevents IIS 6.0 from supporting the SF_NOTIFY_READ_RAW_DATA event in worker process isolation mode. This behavior occurs because global filters that register for the SF_NOTIFY_READ_RAW_DATA event can be loaded in multiple worker processes. However, Http.sys cannot route raw data to all the multiple worker processes. Therefore, Secure Sockets Layer (SSL) processing remains the only raw data operation. SSL occurs in a single user mode process that is named lsass.exe.
In IIS 5.0 isolation mode, global filters that register for the SF_NOTIFY_READ_RAW_DATA event are all loaded in a singleton process that is named Inetinfo.exe. SSL processing also occurs in the same process. Therefore, Http.sys can route all raw request data to that process.
ISAPI filter behavior in IIS 5.1 and earlier versions
A global filter is an ISAPI filter that is installed for the whole IIS service. The global filter recognizes requests and responses for all Web sites. A site filter is an ISAPI filter that is installed at the site level. The site filter only recognizes requests and responses for the site where the site filter is installed. An ISAPI filter that registers for the SF_NOTIFY_READ_RAW_DATA event must be installed as a global filter. However, an ISAPI filter that registers for the SF_NOTIFY_SEND_RAW_DATA event has no such restriction. Before IIS 6.0, all ISAPI filters run in the Inetinfo.exe process. The Inetinfo.exe process is guaranteed to run as the LocalSystem account and is single-instanced.
IIS 6 configurable-process architecture model
Starting in IIS 6.0, IIS supports two isolation modes:
- Worker process isolation mode (the default)
- IIS 5.0 isolation mode
IIS 6.0 running in IIS 5.0 isolation mode
IIS 6.0 behaves like earlier versions when IIS 6.0 is set to run in IIS 5.0 isolation mode with the following exceptions:
- Site filters do not load on IIS startup. Site filters load on first request to their associated Web site.
- Any ISAPI filter load failure prevents IIS from starting. Previous IIS versions continue running when a filter fails to load.
IIS 6.0 running in worker process isolation mode
When IIS 6.0 runs in worker process isolation mode, ISAPI filters run in the worker processes. This lets multiple filters register for the SF_NOTIFY_READ_RAW_DATA ISAPI event. This creates the risk of more than one process accessing the read raw data at the same time. Additionally, Http.sys can only route raw request data to a single process. Therefore, IIS 6.0 does not support the SF_NOTIFY_READ_RAW_DATA ISAPI filter notification when IIS runs in worker process isolation mode. In IIS 5.0 isolation mode, Inetinfo.exe is the only process. Therefore, Inetinfo.exe can access the read raw data without a risk of other processes accessing the read raw data at the same time.
In IIS 6.0, we recommend that you replace filters that use the SF_NOTIFY_READ_RAW_DATA event with ISAPI extensions. The ISAPI extensions should use the HSE_REQ_EXEC_URL function. The ISAPI extensions should be configured with wildcard application mapping. This method enables manipulation of the whole request, including the following:
- Entity body
- Impersonation token
This method also runs in a performant, asynchronous manner.
SSL in IIS 6.0
In IIS 6.0, SSL is handled in a single process. This is because Http.sys can only provide the raw encrypted request data to one user mode process. In IIS 5.0 isolation mode, this process is Inetinfo.exe. In IIS 6.0 worker process isolation mode, this process is lsass.exe.
Note
Not all raw data filters are the same. The only raw data filter that causes issues is the SF_NOTIFY_READ_RAW_DATA ISAPI filter. The SF_NOTIFY_READ_RAW_DATA ISAPI filter is supported in IIS 5.0 isolation mode only. The SF_NOTIFY_SEND_RAW_DATA ISAPI filter does not cause issues. The SF_NOTIFY_SEND_RAW_DATA ISAPI filter is supported in all modes.
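The support rules stated in this article, written out as a small migration check over a filter inventory. This is an added example, not code from the article or from Microsoft; the two flag values are those defined in the IIS SDK header httpfilt.h, and the types, function names and the filter inventory are hypothetical.

```c
#include <stdio.h>

/* Notification flag values as defined in the IIS SDK header httpfilt.h. */
#define SF_NOTIFY_SEND_RAW_DATA 0x00000400UL
#define SF_NOTIFY_READ_RAW_DATA 0x00008000UL

/* Hypothetical types for this example; not part of the ISAPI API. */
enum iso_mode { IIS5_ISOLATION, WORKER_PROCESS_ISOLATION };
enum scope    { GLOBAL_FILTER, SITE_FILTER };
enum verdict  { FILTER_OK, NEEDS_GLOBAL_INSTALL, UNSUPPORTED_IN_WPIM };

struct filter { const char *name; enum scope scope; unsigned long flags; };

/* Apply the article's rules to the flags one filter registers for. */
enum verdict check_filter(const struct filter *f, enum iso_mode mode)
{
    if (!(f->flags & SF_NOTIFY_READ_RAW_DATA))
        return FILTER_OK;            /* SEND_RAW_DATA is supported in all modes */
    if (mode == WORKER_PROCESS_ISOLATION)
        return UNSUPPORTED_IN_WPIM;  /* Http.sys routes raw data to one process */
    if (f->scope == SITE_FILTER)
        return NEEDS_GLOBAL_INSTALL; /* read-raw filters must be global filters */
    return FILTER_OK;
}

/* Count the filters that would not work as installed in the given mode. */
int count_blockers(const struct filter *fs, int n, enum iso_mode mode)
{
    int blocked = 0;
    for (int i = 0; i < n; i++)
        if (check_filter(&fs[i], mode) != FILTER_OK)
            blocked++;
    return blocked;
}

/* Constructed inventory; the names and flag combinations are made up. */
static const struct filter inventory[] = {
    { "rawinspect.dll", GLOBAL_FILTER, SF_NOTIFY_READ_RAW_DATA | SF_NOTIFY_SEND_RAW_DATA },
    { "compress.dll",   SITE_FILTER,   SF_NOTIFY_SEND_RAW_DATA },
    { "sitelog.dll",    SITE_FILTER,   SF_NOTIFY_READ_RAW_DATA },
};

int main(void)
{
    static const char *text[] = { "ok", "must be installed as a global filter",
                                  "not supported in worker process isolation mode" };
    for (int i = 0; i < 3; i++)
        printf("%-15s IIS5: %-38s WPIM: %s\n", inventory[i].name,
               text[check_filter(&inventory[i], IIS5_ISOLATION)],
               text[check_filter(&inventory[i], WORKER_PROCESS_ISOLATION)]);
    return count_blockers(inventory, 3, WORKER_PROCESS_ISOLATION) ? 1 : 0;
}
```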
For additional information about ISAPI filters, click the following article number to view the article in the Microsoft Knowledge Base:
ISAPI filters for earlier versions of IIS may not load
For more information about the Http.sys component of IIS 6.0, see the IIS "Performance Features" topic in the "Getting Started" section of the Server Administration Guide.
For more information about the architectural model of IIS 6.0, see the "Internet Information Services Architecture" topic in the Server Administration Guide.
For more information about ISAPI extensions, visit the following Microsoft Developer Network (MSDN) Web site: