Info
KeePass Hub
A. Install
Activating Software
Next Steps
Updating Software
Zero Knowledge Encryption
IIS Hosting
Cloud Hosting with Multiple IIS Servers
Cloud Hosting
Hardware and Software Requirements
Azure Integration
Redirect HTTP Requests to HTTPS
New Blank Install
Setup Switches
Digital Signatures and Checksum Hashes
Sitemap
Info  >  KeePass Hub  >  A. Install  >  IIS Hosting Page last modified Feb 18 2024, 09:36

IIS Hosting

Website Documentation for your KeePass client and Pleasant Password Server

Hosting with IIS (Internet Information Services) provides a full management interface to configure the network traffic to your website.

Have Questions?  Contact Us

Related Topics:

External Reference Links:

Benefits of IIS Hosting

IIS provides more features, scalability, & robustness than the lightweight IIS Express. IIS Express is a smaller, self-contained version, which is installed by default and starts as a task with the Pleasant Password Server service.

  • Allows more configuration
  • Allows for more authentication options, such as:
  • Additional logging options
  • etc.

Below are the migration steps, which in the future, will be replaced with a more automated solution.

Migration Steps From IIS Express to IIS

If PPASS is already installed skip to step 3.

Step 1: Copy your Application files to the IIS Machine

Do this step if you are migrating to a different machine running IIS. (Otherwise, skip to Step 2).

  • Copy the Registry entries:
    • On the IIS Express machine, open the Windows registry and expand the HKEY_LOCAL_MACHINE\SOFTWARE\Pleasant Solutions, right click on it, and click Export.
    • On the IIS machine locate the same same branch, right-click on it, and click Import.

 

  • Copy application folders from the IIS Express machine to the IIS machine:
    • C:\Program Files (x86)\Pleasant Solutions
    • C:\ProgramData\Pleasant Solutions\Pasѕword Server folders

Step 2: Install your Application on IIS

  • Install the Application on the IIS Machine (if it is not installed already):
    • Install Pleasant Password Server
    • Stop the "Pleasant Pasѕword Server" service
    • Disable the "Pleasant Pasѕword Server" service
      • Stopping/Disabling this service is stopping the IIS Express service which we will be replacing with the IIS site.

Step 3:Enable IIS Feature

If IIS is already installed and visible in the Server Manager, then skip to step 4.

  • Enable IIS feature, if it's not already:

    • Open Control Panel > Server Manager and enable IIS feature.

Step 4: Add IIS Features

  • Add 3 features

    1. Open the Server Manager > "Add Roles and Features" Wizard: Server Roles > Web Server (IIS) > Web Server > Application Development (click add features):

    2. Next download and install this feature:

      • URL Rewrite
        • Download URL Rewrite and install file from:
        • https://www.iis.net/downloads/microsoft/url-rewrite
          • e.g. rewrite_amd64_en-US.msi 

Step 5: Create a New IIS Site

  • Select Sites > Add Website
  • Site name is for your own management
  • In the IIS Manager, create the new site and set the Physical path to:
    • C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\www
  • Bind the site to type HTTPS
  • May choose to use a non-standard port such as 10001 (443 is also acceptable but be sure to match it in your service config), to limit traffic flowing to Password Server
  • Host name: Should be FQDN
  • Choose a SSL Certificate (needs to be uploaded to Pleasant Configuration Utility - we can use the placeholder if we aren't ready for this yet.)
  • Ensure "start website immediately" is unchecked

Add IIS website

  • NOTE:
    • When switching from IIS Express service to our new IIS site, using the same hostname as in IIS Express will bring down the IIS Express site.
    • So alternatively we can first set a new hostname and then change it back when we are finally ready to make the switch-over.

Add Website Warning

Step 6: Configure the IIS Site

  • For the IIS site:
    • Click on the IIS website > Look on the right-hand side panel for:
      • Advanced Settings > (General) > 
      • Set Preload Enabled = True
      • Click Ok
  • IIS homepage 
    • Now on the homepage on the left of the IIS console:
      • Click the IIS "Authentication" icon
        • For versions >= 7.9.0: Set ASP.NET Impersonation = Disabled
        • For versions < 7.9.0: Set ASP.NET Impersonation = Enabled

Step 7: Configure the IIS Application Pool User

IIS Manager

  • Select Application Pools under the homepage on the left of IIS console
  • Configure the account used for Password Server's "Application Pool"
    • Right-click on the Application Pool > Select "Advanced Settings" > Click Identity
      • Choose one of the following options:
        • Option A: LocalSystem (easiest)
        • Option B: Service Account (recommended)
        • Option C: ApplicationPoolIdentity (advanced)
  • Stay in the App Pool window and continue to step 7

Option A - LocalSystem (Easiest)

  • Uses the account which is the most powerful on the machine, with access privileges across the network

Option B - Service Account (Recommended)

  • A service account with Local Admin access (a local account or AD/LDAP account).

AppPoolIdentity

Option C - ApplicationPoolIdentity (Very Difficult Setup Steps)

Choosing this route will likely entail more challenging setup steps of account permissions.

  • Use a separate, unique Application Pool Identity
    • Explanation: This creates a new, virtual account to secure the application and it's communications in IIS an across the network with a custom, least privileged account (such as NetworkService). Rather than creating a new account for each application, this account will allow both: running in it's own space and connection to other network locations (e.g. Backup, and MS-SQL).
  • Set Identity = ApplicationPoolIdentity

  • Your new virtual user account can be referenced by this handle:

    • IIS APPPOOL\<YourApplicationPoolName>
    • This user will not be found by searching in your machine/network users
    • This user is only selected by referencing the "IIS APPPOOL\" location, indexed by the name of your application pool

  • (Note: in the next step 7, be sure to set Load User Profile = True)

 

Step 8: Configure the IIS Application Pool Settings

  • Application Pool > Select the application pool > Advanced Settings:

    • (General) > Start Mode = AlwaysRunning
      • Keep the website running
    • Process Model > Idle Time-out (minutes) = 0
      • Stop the website's App Pool from shutting down if it has been idle for awhile (after 20 minutes)
    • Process Model > Maximum Worker Processes = 0
      • Allow numerous processes at a time
    • * Process Model > Load User Profile = True
      • * Only needed if you are:
        • Using a Service Account or ApplicationPoolIdentity user, OR,
        • Seeing IsolatedStorage errors in server Logging Details

Step 9: Configure the Application Pool User Permissions

  • Configure Local Machine Access: 

    • If you have chosen a Local Admin account or LocalSystem:

      • Your account will have the permissions needed on this machine

    • Otherwise, provide access:

      • If using the ApplicationPoolIdentity, see how to reference this user in Step 6, Option A.

      • File Folders:

        • Give the account "modify" rights on these folders:
          • C:\Program Files (x86)\Pleasant Solutions
          • C:\ProgramData\Pleasant Solutions\Pasѕword Server

      • Registry Keys:

        • Give the account "Full Control" rights for the registry settings:
          • Expand the HKEY_LOCAL_MACHINE\SOFTWARE\Pleasant Solutions
          • Right-Click the folder > select Permissions... > select the Group or username > Advanced > Permissions tab
            • Select the Group or username > Click Add or View button
              • Type: Allow
              • Applies to: This key and subkeys (Replaces all child object permissions)
              • Must remove the permission "Write DAC" - without this the permissions will be reset at restart.

  • Configure Network Access:

    • This account may need access for the following connections:

      • Network Backups: if your automatic Backups are placed on a network share
      • MS SQL Server Database: give this same user (selected in step 6) access to your database instance

    • (Note: If using the ApplicationPoolIdentity, see how to reference this user in Step 6, Option A.)

Step 10: Start the IIS site

  1. If you have not done so, Stop the "Pleasant Password Server" service

    • Disable the "Pleasant Password Server" service

  2. Select Application Pool > Select site

    • Recycle the Application Pool

  3. The site will now appear under "sites" in the IIS console on the left

    • Click to Start the site (from the right-hand side panel)

  4. If necessary, reboot the server and restart IIS

 

Please Contact Us!  If you have any questions or any difficulties regarding these steps.

Troubleshooting

  • If the site does not start or you notice errors:

    • Check for error details in Windows Event Logs, or temporarily increase the IIS webpage error 500 details (see below for more info).

    • Increase the Server Logging Details, and check logging activity.

 

  • If you see "Requested registry access is not allowed"
    • There is an issue with permissions. Switch to using either: a Service account user with local admin on the server, or to the LocalSystem user.
    • Contact us and let us help resolve the issue.

 

  • If you see an error accessing Web.config file: 

    • There could be a couple potential problems:

      • 1) The Application Pool user (for this website) may not have the file folder permissions to access the web.config file.
        • - We would encourage using a User Service Account with local admin privileges to this machine, or the LocalSystem user.
        • - You may need to give the process running your web app the permissions explained in Step 6.
        • - Some customers are expressed difficulty using the "ApplicationPoolIdentity" virtual user, which are looking into

      • 2) If one of the necessary IIS Features has not been installed (explained in step 3):

              - URL Rewrite module
              - IIS: ASP.NET

         

  • If you receive an "IsolatedStorage" error:
    • Consider upgrading to the most recent stable or higher which better handles this.
    • Set "Load User Profile" = True   (step 7)

 

  • If you receive a "Method Not Allowed" error, when modifying an entry in KeePass for Pleasant client:
    • Remove the WebDAV feature from IIS, and reboot the server
      • Open Control Panel > All Control Panel Items > Programs and Features > Select Turn Windows features on or off
      • Uncheck the WebDAV feature:
        • Internet Information Services > World Wide Web Services > Common HTTP Features
      • Reboot and restart IIS server
      • Double check settings in step 6 as this reboot can sometimes affect this setup

 

  • If you notice the Application Pool starts and immediately stops:

 

  • If you see an 500 error in your browser, 
    • View this HTTP Error Codes for IIS page and lookup the 0x800 error code: eg. 0x8007000d 
    • Check that the 3 features listed at the start may are added:
      • in particular IIS: ASP.NET 
      • URL Rewrite 2.1 may need to be re-installed
    • Check for additional Logging detail errors or the windows Event logs.

Increasing Error 500 details:

If you are receiving an error 500 or 400 you can increase the details by following these steps:

HTTP error 500

Open the error pages:

IIS increase details

Edit the custom error page

IIS edit custom error