Installing ISAPI dll’s on Microsoft IIS web servers

Microsoft have tightened security on their IIS web servers and made it more difficult to configure permissions to run CGI and ISAPI dll’s.

ISAPI Extension and ISAPI Filter are two completely different mechanisms to extend IIS functionality and are not interchangeable.

When Delphi creates an ISAPI dll it adds GetExtensionVersion and HttpExtensionProc in the exports and thus the dll is an ISAPI Extension and NOT an ISAPI Filter (an ISAPI Filter dll requires GetFilterVersion and HttpFilterProc function signatures instead).

An additional consideration is running 32-bit dll’s on a 64bit IIS web server.

Links to web pages which help to resolve this issues are:

Essentially, in Windows 2008 Server’s IIS 7 the following steps are needed:

  • copy your ISAPI dll to a folder on the web server such as c:\inetpub\scripts
  • ensure ISAPI module support is installed on the IIS web server
    • Control Panel | Programs and Features | Turn on Windows features on or off
    • go to Internet Information Services then World Wide Web Services
    • then Application Development Features
    • then tick ISAPI Extensions and ISAPI Filters (and CGI if you want that), then click OK
  • configure IIS to permit access to the specific dll’s required
    • open IIS manager, go to the web site, then open the Feature: ISAPI and CGI Restrictions and ADD each dll your app needs to use (this avoids using the much less secure, enabling “Allow unspecified ISAPI modules”)
  • if using 64-bit IIS, you will need to create a 32-bit application pool then an application and configure it:
    • in IIS manager, Application Pools, click ADD Application Pool
    • type an alias such as AppPool32, select Classic pipeline and don’t use .NET
    • in advanced settings set Enable 32bit to true
    • Start the pool
    • go back to the Default Web Site node and click ADD Application
    • create an alias name for your application (this will become like a virtual folder off your root folder), select your AppPool32 as your Application Pool, set the physical path to your dll folder, but note there is a bug in ISS that will result in test button failing – there is much discussions online regarding this.
    • now you have to allow your dll’s to execute within your new IIS “application”:
      • select the application node
      • open the feature Handler Mappings
      • for each dll, Add Script Map, then type a request path *.dll, select the ISAPI dll and give it a descriptor and click OK to enable it.
      • then for each dll, enable EXECUTE by selecting the dll and edit permissions to set “Read/Script/Execute” permissions
  • you may then need to give permissions to the dll folder for IIS_IUSRS so they can Read and Execute
  • then test it

Errors on testing:

400.x:

  • bad request

401.x:

  • access denied
  • 401.4 = authorization failed by filter
  • 401.5 = authorization failed by ISAPI/CGI application

403.x:

  • forbidden

404.0:

  • not found
  • may mean that the ISAPI extension you’re using is referencing (ie, including) another DLL as well.

404.1:

  • site not found

404.2:

  • denied by policy – ISAPI or CGI restriction
  • may mean you have forgotten to “allow” a specific ISAPI DLL

404.3:

  • denied by MIME map

404.4:

  • no handler

404.5:

404.6:

404.7:

404.8:

404.9:

  • denied as hidden file attribute has been set

404.10:

404.11:

500 – Internal server error. There is a problem with the resource you are looking for, and it cannot be displayed.

  • 500.0 = Module or ISAPI error occurred.
  • 500.11 = Application is shutting down on the Web server
  • 500.12 = Application is busy restarting on the Web server
  • 500.13 = Web server is too busy
  • 500.19 – see here
  • etc.
  • see here

More HTTP status codes here

Leave a Reply