Cassini considered harmful

Visual Studio 2005 includes the development web server. While this is very useful to do simple stuff and proof of concept work – I see an increasing amount of issues in the ASP.NET newsgroups that all boil down to this statement: “it worked in the dev web server, but not on IIS”.

There are some areas where the VS web server behaves differently than IIS – the issues in the newsgroups are mostly security related, but the VS web server is just not the “the real thing” and IMHO I would never ever develop/test/debug a real project using the VS web server.

Don’t get me wrong – the VS web server is really nice and light-weight and for people running as non-admin it is much easier to work with ASP.NET, but there are certain issues you should be aware of:

  • VS web server runs in the security context of the logged on user. This is a totally different security context than a IIS service account like NETWORK SERVICE. Combined with the fact, that a lot of devs run as admin – the web application effectively runs with administrative privileges. This means unrestricted access to NTFS files, registry keys, event logs, WMI, key containers, APIs etc..
    This situation will totally change when the application gets deployed to IIS. A different security context (admin vs. least privilege service account) is used for DACLS checks and integrated authentication, e.g. to a file server or SQL server. Impersonation/Delegation will also behave differently… (and I’ve seen admins “fixing” this problem by running the production app with administrative/SYSTEM rights).
  • In VS web server, all incoming requests are mapped to the ASP.NET runtime, this includes static files like .xml and .html etc. This means that these file are protected by ASP.NET URL authorization. IIS behaves totally different here. Only the standard extensions like .aspx, .ashx etc. are mapped to ASP.NET. Static content will be served by IIS directly and will not be routed to ASP.NET authorizaion. You have to manually configure IIS for this scenario. Be aware of this!

Keep this in mind when you start a new project with the VS web server, and IMO – better switch early to IIS for testing.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s