Showing posts with label IIS 7. Show all posts

Friday, June 29, 2012

Webhosting Performance Tunings For IIS7

Source: http://blogs.iis.net/mukhtard/archive/2009/04/21/webhosting-performance-tunings-for-iis7.aspx


In a webhosting environment you have hundreds of web sites on a single server. Each web site may not see significant traffic, but the combined traffic to all the sites on the server is quite significant, so it is necessary to tune the server for a webhosting environment.
Here are a few performance-related tunings that you can make to help performance and host more sites on your IIS7 server:
1. Make sure your server is running a 64-bit operating system (OS), thus allowing the OS to address more than 4GB of virtual address space. Run your application pools as SysWow64, aka 32-bit on a 64-bit Windows OS. The advantage of running as SysWow64 is that, compared to native 64-bit, the worker process is lightweight (lower memory footprint), allowing more worker processes to run at any given time.
2. Perhaps the most important feature for a web hosting environment is the new dynamicIdleThreshold feature in IIS7. In a web hosting environment you can divide all active (running) sites on a web server into two categories: hot and cold. Hot sites are the ones that are frequently visited, while the cold ones see very low traffic. When hundreds of worker processes are spawned to serve these sites, available memory on the system starts running thin. At some point the system will run out of memory and the performance of the running active sites will suffer. Furthermore, new requests to new sites will not be honored. The dynamicIdleThreshold feature allows you to work around this problem. It keeps track of how much memory is being used on the system and, if usage reaches a particular set threshold, cuts down the idle timeout for the application pools, thus shutting down the worker processes that meet the new, lower idle timeout. Let's see in detail how the feature works:
By default the feature is disabled, so the default value for dynamicIdleThreshold is 0. The value set for this attribute is interpreted as '% of physical memory (RAM) committed'. Committed memory is the part of the processes' virtual memory allocations for which the OS has allocated (or committed) a page in physical memory and/or in the page file. The dynamicIdleThreshold feature will kick in when the total committed memory reaches 80% of the value that is set for dynamicIdleThreshold. Let's take an example to understand this better:
Let's say we have a machine with 2GB of physical memory and we set dynamicIdleThreshold to 150. The feature will kick in when the total committed memory reaches 80% of 3GB (150% of 2GB), which is 2.4GB. Note that the limit for committed memory is greater than your physical memory; this limit is typically the sum of the physical memory (excluding the system memory part) and the total paging file size on the machine. The following table lists by how much the idle timeout will be cut. Remember that it is the Windows Process Activation Service (WAS) that does the idle timeout chopping:

dynamicIdleThreshold percentage reached | Action
80%  | WAS sets idle-timeout of all worker processes to 1/2 of original value.
85%  | WAS sets idle-timeout of all worker processes to 1/4 of original value.
90%  | WAS sets idle-timeout of all worker processes to 1/8 of original value.
95%  | WAS sets idle-timeout of all worker processes to 1/16 of original value.
100% | WAS sets idle-timeout of all worker processes to 1/32 of original value.
On the other hand, should the committed memory usage fall below 75% of the configured dynamicIdleThreshold value, WAS will restore the original idle timeout settings.
In our internal testing we have seen that setting the dynamicIdleThreshold to around 130 gives optimum performance in a webhosting environment. Use trial and error to find out what will be a good value for your webhosting environment.
As you can see from the above description, the feature limits the number of worker processes that can run at any point in time by shutting down the least used processes, thus allowing new requests to be served. Compare this to Windows 2003, where, once you have run out of memory, new requests would see 'service unavailable' errors and you have to wait until a worker process times out and shuts down, freeing up memory for a new worker process to be launched. Thus on Windows 2008, if you enable this feature, you are pretty much guaranteeing that a new request will be served even if memory is scarce.
3. The new configuration system in IIS7 is scalable to the thousands of sites and application pools that could be used in a web hosting scenario. You might want to use the new APIs, such as the Microsoft.Web.Administration namespace, Microsoft.ApplicationHost.WritableAdminManager or the appcmd tool, to provision hundreds of sites at a time instead of older APIs like ADSI or WMI, which are quite slow when it comes to provisioning new sites and applications.
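
The dynamicIdleThreshold arithmetic from item 2, worked through as an added Python example (not code from the original post or from IIS): it applies the table's tiers and the 75% restore rule to a series of committed-memory readings. The sample readings, the 20-minute idle timeout and the behaviour between 75% and 80% (the last reduction is held) are assumptions made for the illustration.

```python
# Model of dynamicIdleThreshold as the table in this post describes it.
# Each tier: (percent of the configured threshold reached, idle-timeout divisor).
TIERS = [(100, 32), (95, 16), (90, 8), (85, 4), (80, 2)]
RESTORE_BELOW = 75  # below this percent WAS restores the original idle timeout


def percent_of_threshold(committed_mb, physical_mb, dynamic_idle_threshold):
    """Committed memory as a percentage of (dynamicIdleThreshold % of RAM)."""
    limit_mb = physical_mb * dynamic_idle_threshold / 100
    return committed_mb * 100 / limit_mb


def divisor_for(percent):
    """Idle-timeout divisor for a percentage, read straight from the table."""
    for floor, divisor in TIERS:
        if percent >= floor:
            return divisor
    return 1


def effective_idle_timeouts(physical_mb, dynamic_idle_threshold,
                            idle_timeout_min, committed_samples_mb):
    """Idle timeout (minutes) in force after each committed-memory reading."""
    if dynamic_idle_threshold == 0:  # default value: feature disabled
        return [float(idle_timeout_min)] * len(committed_samples_mb)
    divisor = 1
    timeouts = []
    for committed_mb in committed_samples_mb:
        pct = percent_of_threshold(committed_mb, physical_mb,
                                   dynamic_idle_threshold)
        if pct >= 80:
            divisor = divisor_for(pct)   # reduction tier from the table
        elif pct < RESTORE_BELOW:
            divisor = 1                  # original timeout restored
        # Assumption: between 75% and 80% the last reduction stays in force.
        timeouts.append(idle_timeout_min / divisor)
    return timeouts


if __name__ == "__main__":
    # 2 GB of RAM, dynamicIdleThreshold=150 -> limit 3 GB, first tier at 2.4 GB.
    samples_mb = [2000, 2458, 2800, 2400, 2200]  # constructed readings
    for mb, t in zip(samples_mb,
                     effective_idle_timeouts(2048, 150, 20, samples_mb)):
        pct = percent_of_threshold(mb, 2048, 150)
        print(f"{mb} MB committed = {pct:5.1f}% of threshold -> {t} min")
```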

Monday, May 7, 2012

Test Connection fails with an authorization warning

The problem

When you create a new website in IIS 7 and choose "Test Settings", or when you do this on an existing website, you are prompted with an error. This happens without you doing anything wrong; you have just accepted the default values. The error is:
Cannot verify access to path
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that \$ has Read access to the physical path. Then test these settings again.

The explanation

You see this error message (actually it is a warning message) because you have chosen to use pass-through authentication. In this situation, the application pool runs under a low-privileged built-in account, usually Network Service or ApplicationPoolIdentity. IIS cannot verify that the built-in account has proper settings; this can only be done at run-time.
In addition to this, the "Test Settings" process does not know which user you have authenticated as. So basically, you need to verify that the application pool identity has read access to the files and configuration files. You also need to make sure that the application identity has proper security settings.
So in most situations you can safely ignore the warning message, because on a default setup all the permission settings are correct.


Solution:
1- Open IIS 7.0
2- Select Default Web Site and Right-Click on it
3- Select Add Application... or Add Virtual Directory...
4- Select Connect as...
5- Change Path credentials: from Application user (pass-through authentication) to Specific user:
6- Add an Admin User with password, like COMPUTERNAME\Administrator User



Additional information

If you set up the application pool to use a custom identity, you will not see this warning message. But do not do this just to get rid of the warning, since the warning may not mean anything to you.




source: http://www.it-notebook.org/iis/article/test_connection_authorization_failed.htm
http://amastaneh.blogspot.ca/2011/04/authorization-cannot-verify-access-to.html

Wednesday, August 17, 2011

Analyzing IIS Log Files with a Script


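However, current log analysis tools are not very complete and lack some features; in particular, few of them analyze attacks against a specific URL. Below is a VBScript program. Save it as a .vbs file and run it on the server to analyze the IIS log and detect the IP addresses that are attacking a particular URL.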
'Code start
targeturl = "/archives/2761.html"  'URL on the site that is under attack.
logfilepath = "C:\LogFiles\W3SVC\ex110813.log"  'Path to the log file of the site under attack.
Set fileobj = CreateObject("scripting.filesystemobject")
Set myfile = fileobj.opentextfile(logfilepath, 1, False)

Do While myfile.atendofstream <> True
    myline = myfile.readline()
    'Skip "#" directive lines (#Fields, #Date, ...); they are not requests.
    If Left(myline, 1) <> "#" Then
        myline2 = Split(myline, " ")
        'Positions 9 (client IP) and 5 (URL) depend on which fields are logged;
        'check them against the #Fields line of your own log.
        If UBound(myline2) >= 9 Then
            newip = myline2(9)
            myurl = myline2(5)
            If targeturl = myurl Then
                writelog newip
            End If
        End If
    End If
Loop
myfile.Close
Set myfile = Nothing
MsgBox "结束."  'Shows "Done."

'Append one IP address to blockip.txt.
Sub writelog(errmes)
    ipfilename = "blockip.txt"
    Set logfile = fileobj.opentextfile(ipfilename, 8, True)
    logfile.writeline errmes
    logfile.Close
    Set logfile = Nothing
End Sub
'Code end
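
An added example, not part of the original post: the same analysis in Python, locating the client IP and URL columns from the log's own `#Fields:` directive instead of fixed positions, and only listing an address once it reaches a hit threshold. The log lines, the `min_hits` value and the allowlist parameter are constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed W3C extended log (documentation IP ranges, not real traffic).
# The field list changes mid-file, as it does when logging is reconfigured.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2011-08-13 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2011-08-13 00:00:01 192.0.2.10 GET /archives/2761.html - 80 - 203.0.113.7 Mozilla/5.0 200
2011-08-13 00:00:02 192.0.2.10 GET /archives/2761.html - 80 - 203.0.113.7 Mozilla/5.0 200
2011-08-13 00:00:02 192.0.2.10 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200
2011-08-13 00:00:03 192.0.2.10 GET /archives/2761.html - 80 - 198.51.100.23 Mozilla/5.0 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2011-08-13 00:05:00 203.0.113.7 GET /archives/2761.html 200
2011-08-13 00:05:01 203.0.113.7 GET /Archives/2761.HTML 200
2011-08-13 00:05:02 truncated-line
"""


def hits_by_client(lines, target_url):
    """Count requests for target_url per client IP, using #Fields for columns."""
    fields = None
    counts = Counter()
    wanted = target_url.lower()  # IIS paths are matched case-insensitively here
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, values))
        if row.get("cs-uri-stem", "").lower() != wanted:
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # never emit something that is not an IP address
        counts[str(client)] += 1
    return counts


def block_candidates(counts, min_hits, allowlist=()):
    """IPs with at least min_hits requests, excluding allowlisted addresses."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    return sorted(ip for ip, n in counts.items()
                  if n >= min_hits and ip not in allowed)


if __name__ == "__main__":
    counts = hits_by_client(SAMPLE_LOG.splitlines(), "/archives/2761.html")
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    print("candidates:", block_candidates(counts, min_hits=3))
```

Each address appears once in the result, so the list can be reviewed before anything is added to a deny list.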
 
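If the IPs found by the analysis look abnormal, a script can add them in bulk to the IIS list of blocked IPs. Below is a piece of VBScript found online; save it with a .vbs extension and feed it the IPs produced by the program above to block the attackers' IP addresses in bulk.
'Code start
'/*=========================================================================
' * Intro: VBScript that uses ADSI to bulk-add denied or allowed IPs to IIS
' * FileName VBScript-ADSI-IIS-Add-Deny-Grant-IP-Change-MetaBase.xml.vbs
' *==========================================================================*/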
'AddDenyIP2All "192.168.1.106,255.255.255.0"
'AddDenyIP "123456","127.0.0.1"
'AddDenyIP2All "14.113.226.116"
'Add an IP or a group of computers to block on one specific site
Sub AddDenyIP(strWebNo, strDenyIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC/" & strWebNo & "/Root")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = True
IPList = MyIPSec.IPDeny
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strDenyIp
MyIPSec.IPDeny = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
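'Add an IP or a group of computers to block to the IIS global configuration, so that it applies to all sites
'If some sites were previously given their own IP deny settings, this setting will not take effect for them; set it on the top-level web sites node and then override all child nodes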
Sub AddDenyIP2All(strDenyIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = True
IPList = MyIPSec.IPDeny
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strDenyIp
MyIPSec.IPDeny = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
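'Add an allowed IP or group of computers to one specific site
'Note: GrantByDefault = False means every address not in the grant list is denied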
Sub AddGrantIP(strWebNo, strGrantIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC/" & strWebNo & "/Root")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = False
IPList = MyIPSec.IPGrant
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strGrantIp
MyIPSec.IPGrant = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
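'Add an allowed IP or group of computers to the IIS global configuration, so that it applies to all sites
'If some sites were previously given their own IP deny settings, this setting will not take effect for them; set it on the top-level web sites node and then override all child nodes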
Sub AddGrantIP2All(strGrantIp)
On Error Resume Next
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
MyIPSec.GrantByDefault = False
IPList = MyIPSec.IPGrant
i = UBound(IPList) + 1
ReDim Preserve IPList(i)
IPList(i) = strGrantIp
MyIPSec.IPGrant = IPList
SecObj.IPSecurity = MyIPSec
SecObj.Setinfo
End Sub
'Show the IPs that are denied access in the IIS global configuration
Sub ListDenyIP()
Set SecObj = GetObject("IIS://LocalHost/W3SVC")
Set MyIPSec = SecObj.IPSecurity
IPList = MyIPSec.IPDeny 'IPGrant/IPDeny
WScript.Echo Join(IPList, vbCrLf)
' For i = 0 To UBound(IPList)
' WScript.Echo i + 1 & "-->" & IPList(i)
' Next
End Sub

source:  http://www.williamlong.info/archives/2771.html

Tuesday, January 18, 2011

Appcmd ERROR: Cannot read configuration file due to insufficient permissions

Grant whatever access you need, but don't assume that access is automatic just because you're an admin. It's an account or group, and permissions can be set just as with any other account or group.

So I added my user ID to the folder %systemroot%\system32\inetsrv\config to fix the issue.

Wednesday, October 27, 2010

How to monitor / check the current connections to iis per site

Use the Web Service \ Current Connections perfmon counter; get either _Total or per site.

Friday, October 22, 2010

Add an Output Caching Rule (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Output cache rules are helpful when you must cache requests for a certain file type differently than for other file types on your server, site, or application. For example, you might want to keep ASP.NET pages in the cache longer than other file types in your application because the ASP.NET pages require more resources for processing than would the other file types.

Prerequisites

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Output Caching Feature Requirements (IIS 7) [ http://technet.microsoft.com/en-us/library/cc754226(WS.10).aspx ] .
Exceptions to feature requirements
  • None

To create an output cache rule

You can perform this procedure using the user interface (UI) or a command line.
To use the UI
  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7) [ http://technet.microsoft.com/en-us/library/cc770472(WS.10).aspx ] . For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7) [ http://technet.microsoft.com/en-us/library/cc732920(WS.10).aspx ] .
  2. In Features View, double-click Output Caching.
  3. Click Add in the Actions pane.
  4. In the Add Cache Rule dialog box, in the File name extension box, enter the file name extension, such as .aspx, for which you want to create a cache rule.
  5. Select the User-mode caching check box to enable output caching, and select one of the following options:
    • Using file change notifications: if you want an item to be removed from the cache when it is updated.
    • At time intervals (hh:mm:ss): if you want an item to be removed from the cache after a certain time elapses. Then type a time in the format of hh:mm:ss (where h is hours, m is minutes, and s is seconds) in the corresponding box.

      Note
      If you configure different values for this property in the User-mode caching and Kernel-mode caching sections, the value in the Kernel-mode caching section will be used.
    • Prevent all caching: to prevent all caching of the designated file type.
  6. Select the Kernel-mode caching check box if you want to enable kernel caching in addition to output caching, and select one of the following options:
    • Using file change notifications: if you want an item to be removed from the cache when it is updated.
    • At time intervals (hh:mm:ss): if you want an item to be removed from the cache after a certain time elapses. Then type a time in the format of hh:mm:ss (where h is hours, m is minutes, and s is seconds) in the corresponding box.
    • Prevent all caching: to prevent all caching of the designated file type.
  7. Click OK.

Configuration

The procedure in this topic affects the following configuration elements:
collection under the element
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema [ http://go.microsoft.com/fwlink/?LinkId=88551 ] on MSDN.

source: http://technet.microsoft.com/en-us/library/cc770547%28WS.10,printer%29.aspx

Thursday, October 21, 2010

IIS7: How to set cache control for static content?

Caching is a popular technique for reducing network traffic and server resources when it comes to web content. But how can we cache static content like .jpg, .gif and .js files?
1. Allow overriding static content setting:
open %systemroot%\System32\inetsrv\config\applicationHost.config
search for

change it to
overrideModeDefault="Allow" />

 
2. Set the cache settings using the following commands (from the IIS.NET forums)
To set max-age to 1hr for all static files under /images on default-web-site, run the following:
 
\Windows\system32\inetsrv\appcmd.exe set config "Default Web Site/images" -section:system.webServer/staticContent -clientCache.cacheControlMode:UseMaxAge
 
\Windows\system32\inetsrv\appcmd.exe set config "Default Web Site/images" -section:system.webServer/staticContent -clientCache.cacheControlMaxAge:"01:00:00"
 
If you give it a shot now you will see that the content is cached! Don't believe it? Request an image from the browser, overwrite the image with one that has the same name but different content, and request the image from the browser again...
But the bad news is that caching is on the server, so you haven't reduced network traffic, as the web server is still hit.
 
3. Cache it on client
open %systemroot%\System32\inetsrv\config\applicationHost.config
and change the lines like this
 
<location path="MyWebsite">
  <system.webServer>
    <caching>
      <profiles>
        <add extension=".html" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".htm" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".gif" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".js" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".css" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".jpg" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".jpeg" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".zip" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
        <add extension=".rar" policy="CacheUntilChange" kernelCachePolicy="DontCache" location="Client" />
      </profiles>
    </caching>
  </system.webServer>
</location>
 
source: http://www.galcho.com/Blog/PermaLink.aspx?guid=490f3c31-1815-40fc-a871-5d6899fa35e0  

Tuesday, September 21, 2010

Win2008/ R2 IIS7.x Classic Asp upload 200K limit solution

During the process of migrating a site to IIS 7 we came across an issue with Classic ASP file uploads throwing 500 errors when larger than 200kb. There is an EASY fix for this.
In IIS 7, click your site and expand it then click the ASP icon.
Expand the Limits Properties icon, and change the value in the “Maximum Requesting Entity Body Limit” to a value larger than 200000 (which is about 200kb). 2000000 would be roughly 2mb, 20000000 would be 20mb.
Click the APPLY button. That’s it!



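To change it in IIS 7.0:
Open IIS Manager, double-click "ASP" under "IIS", open "Configure properties for ASP applications", and expand "Limits Properties";
Change the value of "Maximum Requesting Entity Body Limit"; the default is 200000 (just under 200KB);
Set it to the size you want, for example 52000000 (50MB).
When you are done, click "Apply". OK!

To change it in IIS 6.0:
Stop the IIS Admin Service in Services
Find metabase.xml under windows\system32\inetsrv\,
open it and find aspmaxrequestentityallowed, then change it to the value you need; the default is 204800, i.e. 200k
Change it to 51200000 (50MB)
Then restart the IIS Admin Service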

Tips for Classic ASP developers on IIS7.x

There are a few changes in IIS7 which Classic ASP developers should be aware of.

ASP not installed by default

First things first!  If you're moving from XP to Windows Vista / Longhorn Server, you may be getting this error:
--------------------------------------------------------------------------------------------------------------------
HTTP Error 404.3 - Not Found
Description: The page you are requesting cannot be served because of the Multipurpose Internet Mail Extensions (MIME) map policy that is configured on the Web server. The page you requested has a file name extension that is not recognized, and is not allowed.
--------------------------------------------------------------------------------------------------------------------
This is usually the case when you haven't installed the ASP component. Go to where you installed IIS, look under IIS/WWW Services/Application Development/ASP, and install it.  :)

Access and Classic ASP

A lot of people use Access as a database - because it is small, can be copied around, and is easy to manage.  One of the changes we made in IIS7 in Vista broke using ASP and Access by default.  I described this change in more detail in this post, but essentially it has to do with the fact that Application Pools now use the Application Pool identity's profile and temporary directory, rather than \windows\temp by default.  And since the only one that can write to Network Service's temp directory is the Network Service, anonymous or authenticated ASP applications break, since ASP uses the impersonated identity to access the database.  If you use ASP and Access on IIS7, you've probably seen this error, or a variation of it: 
--------------------------------------------------------------------------------------------------------------------
Microsoft JET Database Engine error '80004005'
Unspecified error

--------------------------------------------------------------------------------------------------------------------
The answer is pretty straightforward: turn off loadUserProfile, or ACL the temp directory to allow writes. As a result of this and other compatibility issues, we're considering reverting this change in Longhorn Server / Vista SP1. In the meantime, you can work around it by doing either of the following:
This appcmd command will turn off loadUserProfile for the Default Application Pool. If your application runs in a different AppPool, make the corresponding change:
%windir%\system32\inetsrv\appcmd set config /section:applicationPools /[name='DefaultAppPool'].processModel.loadUserProfile:false
This command will ACL the Network Service temp directory to allow creator write / read privileges. If you run your Application Pool under a different identity, you'll need to ACL that owner's temp directory:
icacls %windir%\serviceprofiles\networkservice\AppData\Local\Temp /grant Users:(CI)(S,WD,AD,X)
icacls %windir%\serviceprofiles\networkservice\AppData\Local\Temp /grant "CREATOR OWNER":(OI)(CI)(IO)(F)

**Update 2/19/2009** if you are having issues with Access and ASP you might want to read this terrific guide recently posted on IIS.NET: http://learn.iis.net/page.aspx/563/using-classic-asp-with-microsoft-access-databases-on-iis-70-and-iis-75/ 

 

Script errors no longer shown in browser by default

As a result of our security paranoia, we turned off ASP's default behavior of sending script errors (including line number and code snippet) to the browser. So instead of seeing the typical error you would see ASP throw, you will now see this:
--------------------------------------------------------------------------------------------------------------------
An error occurred on the server when processing the URL. Please contact the system administrator
--------------------------------------------------------------------------------------------------------------------
To revert to IIS6 behavior, simply run the following command:
%windir%\system32\inetsrv\appcmd set config -section:asp -scriptErrorSentToBrowser:true
Or you can find it in the UI here:


then you'll be back to seeing this style of error instead:
--------------------------------------------------------------------------------------------------------------------
Microsoft VBScript compilation error '800a03ea'
Syntax error
/test.asp, line 4
Response.Write("I love classic ASP" && foo)
-------------------------------------^
--------------------------------------------------------------------------------------------------------------------

 

Parent paths disabled by default (redux)

We disabled parent paths by default with IIS6, but I've seen this hit people on Vista coming from XP, where it is still enabled by default in IIS5.1. The enableParentPaths setting determines whether ASP "includes" should be allowed to escape the parent directory (e.g. ../../../includeFile.inc). You'll see this error by default if you try to escape the current directory:
--------------------------------------------------------------------------------------------------------------------

Active Server Pages error 'ASP 0131'
Disallowed Parent Path
/test.asp, line 1
The Include file '../bad.inc' cannot contain '..' to indicate the parent directory.
--------------------------------------------------------------------------------------------------------------------
Or you may see this error if you are using a path with ../ in it and your ADODB code:
--------------------------------------------------------------------------------------------------------------------

Server.MapPath() error 'ASP 0175 : 80004005'
Disallowed Path Characters
/testdir/test.asp, line 9
The '..' characters are not allowed in the Path parameter for the MapPath method.
--------------------------------------------------------------------------------------------------------------------
To revert back to IIS 5.x behavior, simply run the following command:
%windir%\system32\inetsrv\appcmd set config -section:asp -enableParentPaths:true
or you can find the UI setting here:



APPL_PHYSICAL_PATH no longer returns "\" with path

If you use Request.ServerVariables("APPL_PHYSICAL_PATH") to get at the physical path for your application, you may notice that the physical path no longer returns with a trailing slash. In previous releases of IIS, we returned this value as stored in the metabase. In IIS7, we calculate this value based on the configuration store, and we never return a trailing slash. You'll need to account for this, especially if you are combining the return value with some other part of the path in your application.

 

 

Session_OnEnd not firing

If you find that the Session_OnEnd event in your global.asa is not firing, check out this blog post from Lou on the issue and the fix.

Classic ASP on IIS 7 (setting, tips...)

It's not really difficult to run classic ASP on Internet Information Server 7, but there are some bumps down the road. Here's a little help to get you started:
First of all, check whether you have the Windows feature for ASP installed. Go to Programs and Features in Control Panel and click Turn Windows features on and off. Navigate down the tree of features and make sure ASP is checked.
Next, go to Internet Information Server (IIS) Manager (run inetmgr from the Start Search box to get there fast) and create a new application pool for ASP.
This should be a "No managed code" and "Classic" app pool if you do not intend to mix and match the .NET Framework and ASP.NET in the same pool. The Integrated pipeline would not make sense, because it only applies to integrating HTTP modules that are either native or managed .NET implementations.
I had some difficulties setting the identity of the application pool to the new built-in IUSR account. This account replaces the former computer account called IUSR_machinename. Same goes for the IIS_WPG group for application pools that is replaced by the builtin group IIS_IUSRS. Read more about it here. Under the Advanced Settings of the "ASP" application pool you will find the Identity property under Process Model. The default value is NetworkService. I found no way to set this to the BUILTIN\IUSR by choosing SpecificUser and setting BUILTIN\USR under Identity SpecificUser Credentials. I guess that you shouldn't be running ASP sites under IUSR anymore. It is used for anonymous users automatically.
To ease the administration effort, there is a way to turn off the IUSR account without turning off anonymous identification:
appcmd set config -section:anonymousAuthentication -userName:"" --password
And lastly, create your new web application. For example, copy the ASP site folder under C:\inetpub\wwwroot, which is the default installation location of the "Default Web Site" of IIS. Convert the folder (or virtual directory) to an application and choose "ASP" as the application pool. Check whether the .asp extension is mapped to the correct handler and whether it is enabled. Also make sure that the identity of your application pool has sufficient rights (and no more than that) to access the files in the web site's folder.
One final note: whenever there is an error in the ASP website, and you get this error message: "An error occurred on the server when processing the URL. Please contact the system administrator",
it's probably because by default no error messages are sent to the client in IIS7. Change the setting "Send Errors To Browser" of your web application under the ASP icon to reveal such errors.
Side note: if you get the nice Internet Explorer 500 error message and no particular details at all, remember to uncheck the "Show friendly HTTP error messages" checkbox under Internet Options, Advanced of IE.