IIRF Loaded but does nothing on one W2003 but works on another

Topics: Developer Forum, User Forum
Sep 25, 2007 at 4:52 PM
Edited Sep 25, 2007 at 4:52 PM
I have 2 Win2003/IIS6 web servers in a very similar configuration (they are used as 2 load balancing nodes, and the IIS configuration is identical on both).
I have placed the IIRF dll on both machines in the same place with the same configuration file (ini), attached it to the same virtual website, set permissions on the dll and c:\temp to Everyone-Full Control (in desparation), and made the isapi dll an "allowed web extension".

On both of the machines, the dll SEEMS to be loaded (the arrow in ISAPI Filters tab is green, and the priority reads low) HOWEVER on one of the machines, the filter works perfectly while on the other, it does nothing.
moreover, on the machine where it doesn't work, I can actually rename the dll file while IIS is working (the IIS MMC still shows "loaded" ?!?) which indicates to me that the dll is not actually loaded (on the machine where it works, I cannot, of course do that as the file is in use).

More info:
- Running the Test driver on the machine where IIRF does nothing work works fine.
- I have placed the dll & ini in other places in the file system with the same results.
- ASP.NET works on the machine, so I guess ISAPI filters do work (aspnet_isapi is a filter, right?)
- There are no related messages in the event log
- No log file gets created, even when I turn logging on and iisreset
- Both machines have latest service pack and all patches. They are not R2
- using a small vbs script that extracts information from iis, I could get the following information:
Filters for website W3SVC/1797253222 on server localhost
+ Filter EAWebsites URL Rewrite - "Ionic URL Rewriting ISAPI Filter v1.2.12c"
Filter File = C:\Program Files\...(removed path)....\IsapiRewrite4.dll
FilterState = 1 (Loaded OK)
FilterFlags = 67244547
FilterEvent = UrlMap Log AuthComplete
Listens on SecurePort
Listens on NonSecurePort
Runs as Low Priority

The only notable differences between the 2 machines are:
1. The "bad" machine is W2003 web edition, the "good" machine is standard edition
2. The "bad" machine is a domain member, the "good" machine is a domain controller

could there be some initialization condition where the dll returns an "OK" value (which would lead iis to think it is loaded) but uctually unloads the dll?
Sep 25, 2007 at 7:17 PM
Update -- I just found out that if I switch IIS on the "bad" machine (the one that is a domain member) to "IIS 5.0 isolation mode" the filter works fine!
However, I can't leave the machine on those settings for production use...

Any advice? Are any additional permissions necessary because the identity used for the app pool is a domain user?
I'm getting closer to figuring this out, but any hints would be appreciated...
Sep 25, 2007 at 9:46 PM

The issue is solved. it is not strictly an IIRF issue, but may be interesting for others in the same/similar scenario, and may be interesting when an installer is created for this filter (may want to verify this setting)

There are ACLs defined in different levels in the IIS 6.0 metabase. In particular, the LOCAL IISWPG group must have permissions for the IIS://localhost/W3SVC/Filters (or IIS://localhost/W3SVC/{siteid}/Filters for site filters) otherwise filters in that site will not be loaded.

You can use Microsoft's Metabase editor (part of IIS resource kit) to view/change manually, or use Metaacl.vbs (also available from Microsoft) to set this programatically as in:
cscript /nologo Metaacl.vbs IIS://{servername}/W3SVC/{siteid}/Filters {servername}\IISWPG RWUE

(I am not sure "W" permission is required... but it seems that is the default.)

In my case, those permissions were missing because of the use of domain groups/users.

Feb 26, 2008 at 7:13 AM
I had a very similiar problem to you and the suggestion about putting the server into 5.0 Isolation mode also solved my problems, but is not a permanent fix. Unfortunately, the solution you posted does not work for me. That user already had permissions on that node. Would you happen to have any further suggestions? I have my own post here: