Mike Volodarsky posts a Breaking Change list in IIS 7

December 11, 2007 @ 12:05 am- from Maui, Hawaii

Mike's posted a comprehensive and readable list of breaking changes in IIS 7 along with workaround for most of them. There are 25 issues posted and if you are using Vista or planning to go to IIS 7 when Windows Server 2008 is shipped early next year this is a good thing to keep an eye on.

Most of the items on the list are not critical and have workarounds but I bet a few of them are going to have frequent impact.

A couple that jumped out at me:

12) Requests with querystrings larger then 2048 bytes will be rejected by default

While 2048 bytes is quite long given the coming wave of REST base services from Microsoft this may pose a problem for some apps. Likewise for some apps that construct really long license plate ids or use integrated features like cookieless sessions it's possible to overrun that limit. The thing that's possible scary about this is that it will sneak up in an application since likely most request will fall underneath 2048 bytes and then bite occasionally. It's one to watch out for. There's a config setting that overrides.

16) It is not possible to access the request through the HttpContext.Current property in Application_Start in global.asax

This one's not a huge deal but this one bit me early when I was working with IIS 7. I've had a number of applications in the past where I hooked startup object creation and static application properties which failed when trying to read from HttpContext. For me this was easily fixed with static constructors that instead fired on first access of the objects. Another workaround is to handle this operation in Application_BeginRequest and using a flag to determine first access.

4) Applications cannot simultaneously use FormsAuthentication and WindowsAuthentication

This can be problematic in some situations such as when you use Forms Authentication for the HTML content of a site, but use Windows Authentication for Web Service access. I never noticed this behavior before but with some quick testing I am finding really, really odd behavior when I have both Forms and Windows Auth enabled. For example, Forms Auth doesn't authenticate even in the folder where only Forms auth is active. In a folder where both are active I get both prompts, no errors but it also doesn't work. I suspect the change Mike mentions will be new for 2008 server and the Vista update that goes with it. <shrug> It's not a huge problem - I suppose you can always stick services into a separate virtual if needed - otherwise mixed authentication certainly isn't a good idea in the first place.

18) ASP.NET modules in early request processing stages will see requests that previously may have been rejected by IIS prior to entering ASP.NET. This includes modules running in BeginRequest seeing anonymous requests for resources that require authentication.

Because the Integrated pipeline is in effect running ASP.NET code, rather than ASP.NET being executed as a separate ISAPI handler, certain behaviors change in how requests traverse the event pipeline. Most notably is probably the fact that early application events will see non-authenticated requests as these events fire before the authentication events in IIS. This has some potential security implications as well - it's possible that

It's worth reading through this list to get a feel what's changed and what's different. Most of the items in the list have to do with the fact that a number of features have migrated out of the 'ASP.NET runtime' into the IIS native space (if you can even draw that distinction anymore) with some of the ASP.NET behaviors replaced with the more general IIS behavior. The other set of issues evolve around the slight changes that are incurred due to the small reshuffling of the ASP.NET event sequence in IIS Integrated mode.

I've been running IIS 7 locally on my machine since the early beta days and I've run into a couple of these issues, but they were all minor. Certainly the small number of incompatibilities are worth the gain of new functionality and control that's gained by using Integrated mode. It's good to read up though and get a feel of what 'might happen'...

Posted in IIS

Feedback for this Weblog Entry

re: Mike Volodarsky posts a Breaking Change list in IIS 7
by Roger Martin December 11, 2007 @ 7:09 am

There is another breaking change not on this list, with no known workaround other than using Classic Mode. I am using <a href="http://www.brettle.com/neatupload">Dean Brettle's NeatUpload server control</a> to provide real time feedback of file uploads. This control does not work in IIS 7's Integrated Pipeline Mode because HttpRuntime.ProcessRequest() silently fails when it is passed a class derived from HttpWorkerRequest. I am told many file upload controls that provide real time feedback use this technique, so they all potentially fail under IIS 7. Dean submitted a <a href="https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=308352">bug report</a> and MS says it is working on it. If this is important to you, please vote on the bug.

Cheers,
Roger Martin
<a href="http://www.galleryserverpro.com" title=".NET photo gallery">Gallery Server Pro</a>

re: Mike Volodarsky posts a Breaking Change list in IIS 7
by Rick Strahl December 18, 2007 @ 5:09 am

Roger, I'm pretty sure that that particular change won't come back given that the IIS Pipeline is basically a replacement for the HttpRuntime Host and is directly tied into IIS. I think that's a lost cause to expect to happen.

It's an interesting discussion though. It sure would be nice if there was an easier way to tie into the inbound request stream. I'd rather like to see Microsoft build the mechanics for this directly into IIS and the integrated .NET pipeline than fix the bug/change...