Microsoft KB Archive/311852

= Information about ISAPI filters that register the SF_NOTIFY_READ_RAW_DATA event in Internet Information Services version 6.0 =

Article ID: 311852

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Information Services 6.0




This article was previously published under Q311852



INTRODUCTION
Microsoft Internet Information Services (IIS) version 6.0 introduces a new configurable-process architecture model. The configuration that you select can have a significant effect on the way that the ISAPI filters behave. This article describes the various issues that you must consider.



The SF_NOTIFY_READ_RAW_DATA event and IIS 6.0
Http.sys only supports routing raw request data to a single user mode process. This behavior prevents IIS 6.0 from supporting the SF_NOTIFY_READ_RAW_DATA event in worker process isolation mode. This behavior occurs because global filters that register for the SF_NOTIFY_READ_RAW_DATA event can be loaded in multiple worker processes. However, Http.sys cannot route raw data to more than one worker process. Therefore, Secure Sockets Layer (SSL) processing remains the only raw data operation. SSL occurs in a single user mode process that is named lsass.exe.

In IIS 5.0 isolation mode, global filters that register for the SF_NOTIFY_READ_RAW_DATA event are all loaded in a singleton process that is named Inetinfo.exe. SSL processing also occurs in the same process. Therefore, Http.sys can route all raw request data to that process.

ISAPI filter behavior in IIS 5.1 and earlier versions
A global filter is an ISAPI filter that is installed for the whole IIS service. The global filter recognizes requests and responses for all Web sites. A site filter is an ISAPI filter that is installed at the site level. The site filter only recognizes requests and responses for the site where the site filter is installed. An ISAPI filter that registers for the SF_NOTIFY_READ_RAW_DATA event must be installed as a global filter. However, an ISAPI filter that registers for the SF_NOTIFY_SEND_RAW_DATA event has no such restriction. Before IIS 6.0, all ISAPI filters ran in the Inetinfo.exe process. The Inetinfo.exe process is guaranteed to run as the LocalSystem account and is single-instanced.

IIS 6 configurable-process architecture model
Starting in IIS 6.0, IIS supports two isolation modes:
 * Worker process isolation mode (the default)
 * IIS 5.0 isolation mode

IIS 6.0 running in IIS 5.0 isolation mode
IIS 6.0 behaves like earlier versions when IIS 6.0 is set to run in IIS 5.0 isolation mode with the following exceptions:
 * Site filters do not load on IIS startup. Site filters load on the first request to their associated Web site.
 * Any ISAPI filter load failure prevents IIS from starting. Earlier IIS versions continue running when a filter fails to load.

IIS 6.0 running in worker process isolation mode
When IIS 6.0 runs in worker process isolation mode, ISAPI filters run in the worker processes. This lets multiple filters register for the SF_NOTIFY_READ_RAW_DATA ISAPI event. This creates the risk of more than one process accessing the read raw data at the same time. Additionally, Http.sys can only route raw request data to a single process. Therefore, IIS 6.0 does not support the SF_NOTIFY_READ_RAW_DATA ISAPI filter notification when IIS runs in worker process isolation mode. In IIS 5.0 isolation mode, Inetinfo.exe is the only process. Therefore, Inetinfo.exe can access the read raw data without a risk of other processes accessing the read raw data at the same time.

In IIS 6.0, we recommend that you replace filters that use the SF_NOTIFY_READ_RAW_DATA event with ISAPI extensions. The ISAPI extensions should use the HSE_REQ_EXEC_URL function. The ISAPI extensions should be configured with wildcard application mapping. This method enables manipulation of the whole request, including the following:
 * Entity body
 * Impersonation token

This method also runs in a performant, asynchronous manner.

SSL in IIS 6.0
In IIS 6.0, SSL is handled in a single process. This is because Http.sys can only provide the raw encrypted request data to one user mode process. In IIS 5.0 isolation mode, this process is Inetinfo.exe. In IIS 6.0 worker process isolation mode, this process is lsass.exe.

Note: Not all raw data filters are the same. The only raw data filter that causes issues is the SF_NOTIFY_READ_RAW_DATA ISAPI filter. The SF_NOTIFY_READ_RAW_DATA ISAPI filter is supported in IIS 5.0 isolation mode only. The SF_NOTIFY_SEND_RAW_DATA ISAPI filter does not cause issues. The SF_NOTIFY_SEND_RAW_DATA ISAPI filter is supported in all modes.
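
The support rules stated in this article, written out as a migration check (an added example, not code from the original article or from Microsoft). The two flag values are the ones defined in the Platform SDK header httpfilt.h; the types, function names and the filter inventory are hypothetical and constructed for illustration.

```c
#include <stdio.h>
/* Notification bits as defined in the Platform SDK header httpfilt.h. */
#define SF_NOTIFY_SEND_RAW_DATA 0x00000400u
#define SF_NOTIFY_READ_RAW_DATA 0x00008000u
/* Hypothetical types for this example; they are not part of the ISAPI API. */
typedef enum { MODE_IIS5_ISOLATION, MODE_WORKER_PROCESS } iso_mode;
typedef enum { FILTER_OK, FILTER_MUST_BE_GLOBAL, FILTER_UNSUPPORTED_MODE } verdict;
typedef struct {
    const char  *name;      /* constructed sample name */
    unsigned int flags;     /* dwFlags the filter sets in GetFilterVersion */
    int          is_global; /* 1 = global filter, 0 = site filter */
} filter_info;
static const char *verdict_text[] = {
    "ok", "must be installed as a global filter",
    "not supported in worker process isolation mode" };

/* Apply the rules stated in the article to one filter. */
verdict check_filter(const filter_info *f, iso_mode mode)
{
    if (!(f->flags & SF_NOTIFY_READ_RAW_DATA))
        return FILTER_OK;               /* other events, send-raw included */
    if (mode == MODE_WORKER_PROCESS)
        return FILTER_UNSUPPORTED_MODE; /* raw data reaches one process only */
    return f->is_global ? FILTER_OK : FILTER_MUST_BE_GLOBAL;
}

/* Count the filters that would have to be replaced or reinstalled. */
int count_blockers(const filter_info *list, int n, iso_mode mode)
{
    int blockers = 0;
    for (int i = 0; i < n; i++)
        if (check_filter(&list[i], mode) != FILTER_OK)
            blockers++;
    return blockers;
}

/* Constructed inventory, not taken from a real server. */
static const filter_info sample[] = {
    { "rawlogger.dll", SF_NOTIFY_READ_RAW_DATA | SF_NOTIFY_SEND_RAW_DATA, 1 },
    { "compress.dll",  SF_NOTIFY_SEND_RAW_DATA,                           0 },
    { "sitesniff.dll", SF_NOTIFY_READ_RAW_DATA,                           0 },
};
int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("%-14s worker process isolation mode: %s\n", sample[i].name,
               verdict_text[check_filter(&sample[i], MODE_WORKER_PROCESS)]);
    printf("blockers: %d\n", count_blockers(sample, 3, MODE_WORKER_PROCESS));
    return 0;
}
```

Filters reported as unsupported in worker process isolation mode are the candidates for the ISAPI extension replacement recommended above.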

