Microsoft have tightened security on their IIS web servers and made it more difficult to configure permissions to run CGI and ISAPI dll’s.
ISAPI Extension and ISAPI Filter are two completely different mechanisms to extend IIS functionality and are not interchangeable.
When Delphi creates an ISAPI dll it adds GetExtensionVersion and HttpExtensionProc in the exports and thus the dll is an ISAPI Extension and NOT an ISAPI Filter (an ISAPI Filter dll requires GetFilterVersion and HttpFilterProc function signatures instead).
- ISAPI Extensions are configured either as “Application Mappings” or “Wildcard Application Mappings”, or they are requested as-is on the URL request line (i.e. http://server/cgi-bin/myISAPI.dll?param=value) – see here
An additional consideration is running 32-bit dll’s on a 64bit IIS web server.
Links to web pages which help to resolve this issues are:
Essentially, in Windows 2008 Server’s IIS 7 the following steps are needed:
- copy your ISAPI dll to a folder on the web server such as c:\inetpub\scripts
- ensure ISAPI module support is installed on the IIS web server
- Control Panel | Programs and Features | Turn on Windows features on or off
- go to Internet Information Services then World Wide Web Services
- then Application Development Features
- then tick ISAPI Extensions and ISAPI Filters (and CGI if you want that), then click OK
- configure IIS to permit access to the specific dll’s required
- open IIS manager, go to the web site, then open the Feature: ISAPI and CGI Restrictions and ADD each dll your app needs to use (this avoids using the much less secure, enabling “Allow unspecified ISAPI modules”)
- if using 64-bit IIS, you will need to create a 32-bit application pool then an application and configure it:
- in IIS manager, Application Pools, click ADD Application Pool
- type an alias such as AppPool32, select Classic pipeline and don’t use .NET
- in advanced settings set Enable 32bit to true
- Start the pool
- go back to the Default Web Site node and click ADD Application
- create an alias name for your application (this will become like a virtual folder off your root folder), select your AppPool32 as your Application Pool, set the physical path to your dll folder, but note there is a bug in ISS that will result in test button failing – there is much discussions online regarding this.
- now you have to allow your dll’s to execute within your new IIS “application”:
- select the application node
- open the feature Handler Mappings
- for each dll, Add Script Map, then type a request path *.dll, select the ISAPI dll and give it a descriptor and click OK to enable it.
- then for each dll, enable EXECUTE by selecting the dll and edit permissions to set “Read/Script/Execute” permissions
- you may then need to give permissions to the dll folder for IIS_IUSRS so they can Read and Execute
- then test it
Errors on testing:
400.x:
- bad request
401.x:
- access denied
- 401.4 = authorization failed by filter
- 401.5 = authorization failed by ISAPI/CGI application
403.x:
- forbidden
404.0:
- not found
- may mean that the ISAPI extension you’re using is referencing (ie, including) another DLL as well.
404.1:
- site not found
404.2:
- denied by policy – ISAPI or CGI restriction
- may mean you have forgotten to “allow” a specific ISAPI DLL
404.3:
- denied by MIME map
404.4:
- no handler
404.5:
- IIS rejecting based on URL Sequencing – see Use Request Filtering
404.6:
- IIS rejecting based on disabled verbs – see Use Request Filtering
404.7:
- IIS rejects a request based on file extensions – see Use Request Filtering
404.8:
- IIS rejects based on Hidden Segments – see Use Request Filtering
404.9:
- denied as hidden file attribute has been set
404.10:
- denied as request header too long – see Use Request Filtering
404.11:
- IIS’s URLScan not configured correctly – see Use Request Filtering
500 – Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.