ASPInsiders Summit 2006 - IIS 7

Earlier this month was the ASPInsiders Summit at Microsoft. As finishing the QA cycle for, deploying, and supporting a project at work has kept me busy, followed immediately by the holidays, I haven't had much chance to blog about it until now. This is partly a good thing, since it means others more punctual than me have blogged about it first and saved me some trouble. Thanks, Steve!

As usual, they talked a bit about stuff that's recently been released, such as Visual Studio 2005 Team Edition for Database Professionals and the now-released action-packed VS 2005 SP1, where Web Application Projects becomes a first-class citizen in the Visual Studio world as they should have been since day one.

One of the cooler things from the first day, beginning in Scott Guthrie's opening talk and continuing into its own sessions, was IIS 7. I'm more focused on writing C# code for the web and SQL Server database maintenance than IIS administration lately, but I've been responsible for varying degrees of it since IIS 4. I remember when Gartner published their scathing recommendation that companies ditch IIS until it's rewritten, which as I understand happened soon after with version 6. Still, Scott said IIS 7 is the biggest release of IIS in years (though he may have meant the three and a half years since IIS 6 came out!).

There's a new system.webServer configuration file section for IIS settings, like the system.web settings used for ASP.NET applications today. This puts another nail in the coffin of the horrible, brittle binary metabase from IIS 5 and earlier, moving things like directory browsing and default document settings into a config file, allowing you to set it on the machine level and override it during xcopy deployment per application if you want. And you can make changes programmatically.

IIS 7 also takes another step towards a more modular design, going from about 6 components today to about 42. So you can take things like ISAPI filters, CGI, ASP, ASP.NET, and Windows authentication and enable/disable them as needed for your particular server. Making up for lost time on the security front, this allows administrators to greatly reduce IIS's attack surface. Plus, if you don't like the way IIS does something, you can write your own module in ASP.NET and override it. Scott's example showed the directory list module replaced by one he'd written, that instead of giving you a boring file listing, gives you a thumbnail-based image gallery instead. Cool!

(As a budding photographer, I was impressed by the pictures he used to demonstrate this--close-ups of lions he'd taken with a monster 400mm lens during a recent vacation to South Africa.)

ASP.NET gets one step closer to (if not reaching entirely) full-class citizenship. As Mike Volodarsky explains, whereas requests before had to go through the IIS framework before reaching the ASP.NET framework, the two duplicate layers are now integrated into one. An example of why the old way sucked is how many folks had applications set up to be anonymous in IIS, so it would pass through authentication to ASP.NET which would then authenticate the request. An example of why the new way is cool is that since all the authentication happens at the same level--Basic, Anonymous, Windows, and ASP.NET's Forms Authentication, to name a few--you can now have ASP and PHP apps, as well as static files like JPG and CSS, authenticating via ASP.NET Forms Authentication. Cool. We've got some sites that still have a lot of ASP pages to migrate over, so this could help out a lot.

Oh, and they're getting rid of ISAPI too. As I said, you can write modules in .NET, or in C++ using a new, better API. I'm not a Windows C++ programmer, so you're on your own with that one.

This is all built into Windows Vista as I understand it (having not had much opportunity to dig into Vista yet myself); the upcoming "Longhorn" release of Windows Server will have even more, which unfortunately is under NDA at the moment. As a feature-complete, publicly-available Beta 3 is expected in the first half of 2007, you'll hear about it soon enough.