Wednesday, October 8, 2008

ASP.NET QUESTION AND ANSWERS PART 1


1. What are server controls?
ASP.NET server controls are components that run on the server and encapsulate user-interface and other related functionality. They are used in ASP.NET pages and in ASP.NET code-behind classes.
2. What is the difference between Web User Control and Web Custom Control?
Custom Controls
Web custom controls are compiled components that run on the server and that encapsulate user-interface and other related functionality into reusable packages. They can include all the design-time features of standard ASP.NET server controls, including full support for Visual Studio design features such as the Properties window, the visual designer, and the Toolbox.
There are several ways that you can create Web custom controls:
· You can compile a control that combines the functionality of two or more existing controls. For example, if you need a control that encapsulates a button and a text box, you can create it by compiling the existing controls together.
· If an existing server control almost meets your requirements but lacks some required features, you can customize the control by deriving from it and overriding its properties, methods, and events.
· If none of the existing Web server controls (or their combinations) meet your requirements, you can create a custom control by deriving from one of the base control classes. These classes provide all the basic functionality of Web server controls, so you can focus on programming the features you need.
If none of the existing ASP.NET server controls meet the specific requirements of your applications, you can create either a Web user control or a Web custom control that encapsulates the functionality you need. The main difference between the two controls lies in ease of creation vs. ease of use at design time.
Web user controls
are easy to make, but they can be less convenient to use in advanced scenarios. You develop Web user controls almost exactly the same way that you develop Web Forms pages. Like Web Forms, user controls can be created in the visual designer, they can be written with code separated from the HTML, and they can handle execution events. However, because Web user controls are compiled dynamically at run time they cannot be added to the Toolbox, and they are represented by a simple placeholder glyph when added to a page. This makes Web user controls harder to use if you are accustomed to full Visual Studio .NET design-time support, including the Properties window and Design view previews. Also, the only way to share the user control between applications is to put a separate copy in each application, which takes more maintenance if you make changes to the control.
Web custom controls
are compiled code, which makes them easier to use but more difficult to create; Web custom controls must be authored in code. Once you have created the control, however, you can add it to the Toolbox and display it in a visual designer with full Properties window support and all the other design-time features of ASP.NET server controls. In addition, you can install a single copy of the Web custom control in the global assembly cache and share it between applications, which makes maintenance easier.
Web user controls
Web custom controls
Easier to create
Harder to create
Limited support for consumers who use a visual design tool
Full visual design tool support for consumers
A separate copy of the control is required in each application
Only a single copy of the control is required, in the global assembly cache
Cannot be added to the Toolbox in Visual Studio
Can be added to the Toolbox in Visual Studio
Good for static layout
Good for dynamic layout

(Session/State)
3. Application and Session Events
The ASP.NET page framework provides ways for you to work with events that can be raised when your application starts or stops or when an individual user's session starts or stops:
· Application events are raised for all requests to an application. For example, Application_BeginRequest is raised when any Web Forms page or XML Web service in your application is requested. This event allows you to initialize resources that will be used for each request to the application. A corresponding event, Application_EndRequest, provides you with an opportunity to close or otherwise dispose of resources used for the request.
· Session events are similar to application events (there is a Session_OnStart and a Session_OnEnd event), but are raised with each unique session within the application. A session begins when a user requests a page for the first time from your application and ends either when your application explicitly closes the session or when the session times out.
You can create handlers for these types of events in the Global.asax file.
4. Difference between ASP Session and ASP.NET Session?
asp.net session supports cookie less session & it can span across multiple servers.
5. What is cookie less session? How it works?
By default, ASP.NET will store the session state in the same process that processes the request, just as ASP does. If cookies are not available, a session can be tracked by adding a session identifier to the URL. This can be enabled by setting the following:
6. How you will handle session when deploying application in more than a server? Describe session handling in a webfarm, how does it work and what are the limits?
By default, ASP.NET will store the session state in the same process that processes the request, just as ASP does. Additionally, ASP.NET can store session data in an external process, which can even reside on another machine. To enable this feature:
· Start the ASP.NET state service, either using the Services snap-in or by executing "net start aspnet_state" on the command line. The state service will by default listen on port 42424. To change the port, modify the registry key for the service: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\Port
· Set the mode attribute of the section to "StateServer".
· Configure the stateConnectionString attribute with the values of the machine on which you started aspnet_state.
The following sample assumes that the state service is running on the same machine as the Web server ("localhost") and uses the default port (42424):
Note that if you try the sample above with this setting, you can reset the Web server (enter iisreset on the command line) and the session state value will persist.
**
7. What method do you use to explicitly kill a users session?
Abandon()
8. What are the different ways you would consider sending data across pages in ASP (i.e between 1.asp to 2.asp)?
Session
public properties
9. What is State Management in .Net and how many ways are there to maintain a state in .Net? What is view state?
Web pages are recreated each time the page is posted to the server. In traditional Web programming, this would ordinarily mean that all information associated with the page and the controls on the page would be lost with each round trip.
To overcome this inherent limitation of traditional Web programming, the ASP.NET page framework includes various options to help you preserve changes — that is, for managing state. The page framework includes a facility called view state that automatically preserves property values of the page and all the controls on it between round trips.
However, you will probably also have application-specific values that you want to preserve. To do so, you can use one of the state management options.
Client-Based State Management Options:
View State
Hidden Form Fields
Cookies
Query Strings
Server-Based State Management Options
Application State
Session State
Database Support
10. What are the disadvantages of view state / what are the benefits?
Automatic view-state management is a feature of server controls that enables them to repopulate their property values on a round trip (without you having to write any code). This feature does impact performance, however, since a server control's view state is passed to and from the server in a hidden form field. You should be aware of when view state helps you and when it hinders your page's performance.
11. When maintaining session through Sql server, what is the impact of Read and Write operation on Session objects? will performance degrade?
Maintaining state using database technology is a common practice when storing user-specific information where the information store is large. Database storage is particularly useful for maintaining long-term state or state that must be preserved even if the server must be restarted.
**
12. Explain the differences between Server-side and Client-side code?
Server side code will process at server side & it will send the result to client. Client side code (javascript) will execute only at client side.
13. Which ASP.NET configuration options are supported in the ASP.NET implementation on the shared web hosting platform?
A: Many of the ASP.NET configuration options are not configurable at the site, application or subdirectory level on the shared hosting platform. Certain options can affect the security, performance and stability of the server and, therefore cannot be changed. The following settings are the only ones that can be changed in your site’s web.config file (s):
browserCaps
clientTarget
pages
customErrors
globalization
authorization
authentication
webControls
webServices


(Security)
14. What is Role-Based security?
A role is a named set of principals that have the same privileges with respect to security (such as a teller or a manager). A principal can be a member of one or more roles. Therefore, applications can use role membership to determine whether a principal is authorized to perform a requested action.
**
15. How will you do windows authentication and what is the namespace? If a user is logged under integrated windows authentication mode, but he is still not able to logon, what might be the possible cause for this? In ASP.Net application how do you find the name of the logged in person under windows authentication?
16. What are the different authentication modes in the .NET environment?
17.         ="Windows|Forms|Passport|None">
18.            ="name"
19.                               loginUrl="url" 
20.                               protection="All|None|Encryption|Validation"
21.                               timeout="30" path="/" >
22.                               requireSSL="true|false"
23.                               slidingExpiration="true|false">
24.               ="Clear|SHA1|MD5">
25.                  ="username" password="password"/>
26.               
27.                          
28.            internal"/>
 
Attribute
Option
Description
mode
Controls the default authentication mode for an application.
Windows
Specifies Windows authentication as the default authentication mode. Use this mode when using any form of Microsoft Internet Information Services (IIS) authentication: Basic, Digest, Integrated Windows authentication (NTLM/Kerberos), or certificates.
Forms
Specifies ASP.NET forms-based authentication as the default authentication mode.
Passport
Specifies Microsoft Passport authentication as the default authentication mode.
None
Specifies no authentication. Only anonymous users are expected or applications can handle events to provide their own authentication.
29. How do you specify whether your data should be passed as Query string and Forms (Mainly about POST and GET)
Through attribute tag of form tag.
30. What are validator? Name the Validation controls in asp.net? How do u disable them? Will the asp.net validators run in server side or client side? How do you do Client-side validation in .Net? How to disable validator control by client side JavaScript?
A set of server controls included with ASP.NET that test user input in HTML and Web server controls for programmer-defined requirements. Validation controls perform input checking in server code. If the user is working with a browser that supports DHTML, the validation controls can also perform validation ("EnableClientScript" property set to true/false) using client script.
The following validation controls are available in asp.net:
RequiredFieldValidator Control, CompareValidator Control, RangeValidator Control, RegularExpressionValidator Control, CustomValidator Control, ValidationSummary Control.
31. Which two properties are there on every validation control?
ControlToValidate, ErrorMessage
32. How do you use css in asp.net?
Within the section of an HTML document that will use these styles, add a link to this external CSS style sheet that
follows this form:

MyStyles.css is the name of your external CSS style sheet.
33. How do you implement postback with a text box? What is postback and usestate?
Make AutoPostBack property to true
34. What is SQL injection?
An SQL injection attack "injects" or manipulates SQL code by adding unexpected SQL to a query.
Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password.
Username: ' or 1=1 ---
Password: [Empty]
This would execute the following query against the users table:
select count(*) from users where userName='' or 1=1 --' and userPass=''
35. Asp.net - How to find last error which occurred?
A: Server.GetLastError();
[C#]
Exception LastError;
String ErrMessage;
LastError = Server.GetLastError();
if (LastError != null)
ErrMessage = LastError.Message;
else
ErrMessage = "No Errors";
Response.Write("Last Error = " + ErrMessage);
36. How to do Caching in ASP?
A:
VaryByParam value
Description
none
One version of page cached (only raw GET)
*
n versions of page cached based on query string and/or POST body
v1
n versions of page cached based on value of v1 variable in query string or POST body
v1;v2
n versions of page cached based on value of v1 and v2 variables in query string or POST body
37.


The OutputCache directive supports several other cache varying options
· VaryByHeader - maintain separate cache entry for header string changes (UserAgent, UserLanguage, etc.)
· VaryByControl - for user controls, maintain separate cache entry for properties of a user control
· VaryByCustom - can specify separate cache entries for browser types and version or provide a custom GetVaryByCustomString method in HttpApplicationderived class
38. What is the Global ASA(X) File?
39. Any alternative to avoid name collisions other then Namespaces.
A scenario that two namespaces named N1 and N2 are there both having the same class say A. now in another class i ve written
using N1;using N2;
and i am instantiating class A in this class. Then how will u avoid name collisions?
Ans: using alias
Eg:
using MyAlias = MyCompany.Proj.Nested;
40. What is the use of web.config? Difference between machine.config and Web.config?
ASP.NET configuration files are XML-based text files--each named web.config--that can appear in any directory on an ASP.NET
Web application server. Each web.config file applies configuration settings to the directory it is located in and to all
virtual child directories beneath it. Settings in child directories can optionally override or modify settings specified in
parent directories. The root configuration file--WinNT\Microsoft.NET\Framework\\config\machine.config--provides
default configuration settings for the entire machine. ASP.NET configures IIS to prevent direct browser access to web.config
files to ensure that their values cannot become public (attempts to access them will cause ASP.NET to return 403: Access
Forbidden).
At run time ASP.NET uses these web.config configuration files to hierarchically compute a unique collection of settings for
each incoming URL target request (these settings are calculated only once and then cached across subsequent requests; ASP.NET
automatically watches for file changes and will invalidate the cache if any of the configuration files change).

41. What is the use of sessionstate tag in the web.config file?
Configuring session state:
Session state features can be configured via the section in a web.config file. To double the default timeout of 20 minutes, you can add the following to the web.config file of an application:
42. What are the different modes for the sessionstates in the web.config file?
Off
Indicates that session state is not enabled.
Inproc
Indicates that session state is stored locally.
StateServer
Indicates that session state is stored on a remote server.
SQLServer
Indicates that session state is stored on the SQL Server.
43. What is smart navigation?
When a page is requested by an Internet Explorer 5 browser, or later, smart navigation enhances the user's experience of the page by performing the following:
· eliminating the flash caused by navigation.
· persisting the scroll position when moving from page to page.
· persisting element focus between navigations.
· retaining only the last page state in the browser's history.
Smart navigation is best used with ASP.NET pages that require frequent postbacks but with visual content that does not change dramatically on return. Consider this carefully when deciding whether to set this property to true.
Set the SmartNavigation attribute to true in the @ Page directive in the .aspx file. When the page is requested, the dynamically generated class sets this property.
44. What base class do all Web Forms inherit from?
System.Web.UI.Page
45. How can we create pie chart in asp.net?
46. Is it possible for me to change my aspx file extension to some other name?
Yes.
Open IIS->Default Website -> Properties
Select HomeDirectory tab
Click on configuration button
Click on add. Enter aspnet_isapi details (C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\aspnet_isapi.dll | GET,HEAD,POST,DEBUG)

Open machine.config(C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\CONFIG) & add new extension under tag


(WEBSERVICE & REMOTING)
47. What is a WebService and what is the underlying protocol used in it?Why Web Services?
Web Services are applications delivered as a service on the Web. Web services allow for programmatic access of business logic over the Web. Web services typically rely on XML-based protocols, messages, and interface descriptions for communication and access. Web services are designed to be used by other programs or applications rather than directly by end user. Programs invoking a Web service are called clients. SOAP over HTTP is the most commonly used protocol for invoking Web services.
There are three main uses of Web services.
0. Application integration Web services within an intranet are commonly used to integrate business applications running on disparate platforms. For example, a .NET client running on Windows 2000 can easily invoke a Java Web service running on a mainframe or Unix machine to retrieve data from a legacy application.
1. Business integration Web services allow trading partners to engage in e-business leveraging the existing Internet infrastructure. Organizations can send electronic purchase orders to suppliers and receive electronic invoices. Doing e-business with Web services means a low barrier to entry because Web services can be added to existing applications running on any platform without changing legacy code.
2. Commercial Web services focus on selling content and business services to clients over the Internet similar to familiar Web pages. Unlike Web pages, commercial Web services target applications not humans as their direct users. Continental Airlines exposes flight schedules and status Web services for travel Web sites and agencies to use in their applications. Like Web pages, commercial Web services are valuable only if they expose a valuable service or content. It would be very difficult to get customers to pay you for using a Web service that creates business charts with the customers? data. Customers would rather buy a charting component (e.g. COM or .NET component) and install it on the same machine as their application. On the other hand, it makes sense to sell real-time weather information or stock quotes as a Web service. Technology can help you add value to your services and explore new markets, but ultimately customers pay for contents and/or business services, not for technology
48. Are Web Services a replacement for other distributed computing platforms?
No. Web Services is just a new way of looking at existing implementation platforms.
49. In a Webservice, need to display 10 rows from a table. So DataReader or DataSet is best choice?
A: WebService will support only DataSet.
50. How to generate WebService proxy? What is SOAP, WSDL, UDDI and the concept behind Web Services? What are various components of WSDL? What is the use of WSDL.exe utility?
SOAP is an XML-based messaging framework specifically designed for exchanging formatted data across the Internet, for example using request and reply messages or sending entire documents. SOAP is simple, easy to use, and completely neutral with respect to operating system, programming language, or distributed computing platform.
After SOAP became available as a mechanism for exchanging XML messages among enterprises (or among disparate applications within the same enterprise), a better way was needed to describe the messages and how they are exchanged. The Web Services Description Language (WSDL) is a particular form of an XML Schema, developed by Microsoft and IBM for the purpose of defining the XML message, operation, and protocol mapping of a web service accessed using SOAP or other XML protocol. WSDL defines web services in terms of "endpoints" that operate on XML messages. The WSDL syntax allows both the messages and the operations on the messages to be defined abstractly, so they can be mapped to multiple physical implementations. The current WSDL spec describes how to map messages and operations to SOAP 1.1, HTTP GET/POST, and MIME. WSDL creates web service definitions by mapping a group of endpoints into a logical sequence of operations on XML messages. The same XML message can be mapped to multiple operations (or services) and bound to one or more communications protocols (using "ports").
The Universal Description, Discovery, and Integration (UDDI) framework defines a data model (in XML) and SOAP APIs for registration and searches on business information, including the web services a business exposes to the Internet. UDDI is an independent consortium of vendors, founded by Microsoft, IBM, and Ariba, for the purpose of developing an Internet standard for web service description registration and discovery. Microsoft, IBM, and Ariba also are hosting the initial deployment of a UDDI service, which is conceptually patterned after DNS (the Internet service that translates URLs into TCP addresses). UDDI uses a private agreement profile of SOAP (i.e. UDDI doesn't use the SOAP serialization format because it's not well suited to passing complete XML documents (it's aimed at RPC style interactions). The main idea is that businesses use the SOAP APIs to register themselves with UDDI, and other businesses search UDDI when they want to discover a trading partner, for example someone from whom they wish to procure sheet metal, bolts, or transistors. The information in UDDI is categorized according to industry type and geographical location, allowing UDDI consumers to search through lists of potentially matching businesses to find the specific one they want to contact. Once a specific business is chosen, another call to UDDI is made to obtain the specific contact information for that business. The contact information includes a pointer to the target business's WSDL or other XML schema file describing the web service that the target business publishes.
51. How to generate proxy class other than .net app and wsdl tool?
To access an XML Web service from a client application, you first add a Web reference, which is a reference to an XML Web service. When you create a Web reference, Visual Studio creates an XML Web service proxy class automatically and adds it to your project. This proxy class exposes the methods of the XML Web service and handles the marshalling of appropriate arguments back and forth between the XML Web service and your application. Visual Studio uses the Web Services Description Language (WSDL) to create the proxy.
To generate an XML Web service proxy class:
· From a command prompt, use Wsdl.exe to create a proxy class, specifying (at a minimum) the URL to an XML Web service or a service description, or the path to a saved service description.
Wsdl /language:language /protocol:protocol /namespace:myNameSpace /out:filename
/username:username /password:password /domain:domain
52. How you will protect / secure a web service?
For the most part, things that you do to secure a Web site can be used to secure a Web Service. If you need to encrypt the data exchange, you use Secure Sockets Layer (SSL) or a Virtual Private Network to keep the bits secure. For authentication, use HTTP Basic or Digest authentication with Microsoft® Windows® integration to figure out who the caller is.
these items cannot:
· Parse a SOAP request for valid values
· Authenticate access at the Web Method level (they can authenticate at the Web Service level)
· Stop reading a request as soon as it is recognized as invalid
53. What’s the attribute for webservice method? What is the namespace for creating webservice?
[WebMethod]
using System.Web;
using System.Web.Services;
54. What is Remoting?
The process of communication between different operating system processes, regardless of whether they are on the same computer. The .NET remoting system is an architecture designed to simplify communication between objects living in different application domains, whether on the same computer or not, and between different contexts, whether in the same application domain or not.
55. Difference between web services & remoting?
ASP.NET Web Services
.NET Remoting
Protocol
Can be accessed only over HTTP
Can be accessed over any protocol (including TCP, HTTP, SMTP and so on)
State Management
Web services work in a stateless environment
Provide support for both stateful and stateless environments through Singleton and SingleCall objects
Type System
Web services support only the datatypes defined in the XSD type system, limiting the number of objects that can be serialized.
Using binary communication, .NET Remoting can provide support for rich type system
Interoperability
Web services support interoperability across platforms, and are ideal for heterogeneous environments.
.NET remoting requires the client be built using .NET, enforcing homogenous environment.
Reliability
Highly reliable due to the fact that Web services are always hosted in IIS
Can also take advantage of IIS for fault isolation. If IIS is not used, application needs to provide plumbing for ensuring the reliability of the application.
Extensibility
Provides extensibility by allowing us to intercept the SOAP messages during the serialization and deserialization stages.
Very extensible by allowing us to customize the different components of the .NET remoting framework.
Ease-of-Programming
Easy-to-create and deploy.
Complex to program.
56. Though both the .NET Remoting infrastructure and ASP.NET Web services can enable cross-process communication, each is designed to benefit a different target audience. ASP.NET Web services provide a simple programming model and a wide reach. .NET Remoting provides a more complex programming model and has a much narrower reach.
As explained before, the clear performance advantage provided by TCPChannel-remoting should make you think about using this channel whenever you can afford to do so. If you can create direct TCP connections from your clients to your server and if you need to support only the .NET platform, you should go for this channel. If you are going to go cross-platform or you have the requirement of supporting SOAP via HTTP, you should definitely go for ASP.NET Web services.
Both the .NET remoting and ASP.NET Web services are powerful technologies that provide a suitable framework for developing distributed applications. It is important to understand how both technologies work and then choose the one that is right for your application. For applications that require interoperability and must function over public networks, Web services are probably the best bet. For those that require communications with other .NET components and where performance is a key priority, .NET Remoting is the best choice. In short, use Web services when you need to send and receive data from different computing platforms, use .NET Remoting when sending and receiving data between .NET applications. In some architectural scenarios, you might also be able to use.NET Remoting in conjunction with ASP.NET Web services and take advantage of the best of both worlds.
The Key difference between ASP.NET webservices and .NET Remoting is how they serialize data into messages and the format they choose for metadata. ASP.NET uses XML serializer for serializing or Marshalling. And XSD is used for Metadata. .NET Remoting relies on
System.Runtime.Serialization.Formatter.Binary and System.Runtime.Serialization.SOAPFormatter and relies on .NET CLR Runtime assemblies for metadata.
57. CAO and SAO.
Client Activated objects are those remote objects whose Lifetime is directly Controlled by the client. This is in direct contrast to SAO. Where the server, not the client has complete control over the lifetime of the objects.
Client activated objects are instantiated on the server as soon as the client request the object to be created. Unlike as SAO a CAO doesn’t delay the object creation until the first method is called on the object. (In SAO the object is instantiated when the client calls the method on the object)
58. singleton and singlecall.
Singleton
types never have more than one instance at any one time. If an instance exists, all client requests are serviced by that instance.
Single Call types always have one instance per client request. The next method invocation will be serviced by a different server instance, even if the previous instance has not yet been recycled by the system.
59. What is the use of trace utility?
Using the SOAP Trace Utility
The Microsoft® Simple Object Access Protocol (SOAP) Toolkit 2.0 includes a TCP/IP trace utility, MSSOAPT.EXE. You use this trace utility to view the SOAP messages sent by HTTP between a SOAP client and a service on the server.
Using the Trace Utility on the Server
To see all of a service's messages received from and sent to all clients, perform the following steps on the server.
0. On the server, open the Web Services Description Language (WSDL) file.
1. In the WSDL file, locate the element that corresponds to the service and change the location attribute for this element to port 8080. For example, if the location attribute specifies change this attribute to .
2. Run MSSOAPT.exe.
3. On the File menu, point to New, and either click Formatted Trace (if you don't want to see HTTP headers) or click Unformatted Trace (if you do want to see HTTP headers).
4. In the Trace Setup dialog box, click OK to accept the default values.
Using the Trace Utility on the Client
To see all messages sent to and received from a service, do the following steps on the client.
5. Copy the WSDL file from the server to the client.
6. Modify location attribute of the element in the local copy of the WSDL document to direct the client to localhost:8080 and make a note of the current host and port. For example, if the WSDL contains , change it to and make note of "MyServer".
7. On the client, run MSSOPT.exe.
8. On the File menu, point to New, and either click Formatted Trace (if you don't want to see HTTP headers) or click Unformatted Trace (if you do want to see HTTP headers).
9. In the Destination host box, enter the host specified in Step 2.
10. In the Destination port box, enter the port specified in Step 2.
11. Click OK.

(XML)
60. Explain what a DiffGram is, and a good use for one?
A DiffGram is an XML format that is used to identify current and original versions of data elements. When sending and retrieving a DataSet from an XML Web service, the DiffGram format is implicitly used.
The DataSet uses the DiffGram format to load and persist its contents, and to serialize its contents for transport across a network connection. When a DataSet is written as a DiffGram, it populates the DiffGram with all the necessary information to accurately recreate the contents, though not the schema, of the DataSet, including column values from both the Original and Current row versions, row error information, and row order.
DiffGram Format
The DiffGram format is divided into three sections: the current data, the original (or "before") data, and an errors section, as shown in the following example.











The DiffGram format consists of the following blocks of data:
<DataInstance>
The name of this element, DataInstance, is used for explanation purposes in this documentation. A DataInstance element represents a DataSet or a row of a DataTable. Instead of DataInstance, the element would contain the name of the DataSet or DataTable. This block of the DiffGram format contains the current data, whether it has been modified or not. An element, or row, that has been modified is identified with the diffgr:hasChanges annotation.
This block of the DiffGram format contains the original version of a row. Elements in this block are matched to elements in the DataInstance block using the diffgr:id annotation.
This block of the DiffGram format contains error information for a particular row in the DataInstance block. Elements in this block are matched to elements in the DataInstance block using the diffgr:id annotation.


(IIS)
61. In which process does IIS runs (was asking about the EXE file)
inetinfo.exe is the Microsoft IIS server running, handling ASP.NET requests among other things. When an ASP.NET request is received (usually a file with .aspx extension), the ISAPI filter aspnet_isapi.dll takes care of it by passing the request to the actual worker process aspnet_wp.exe.
62. Where are the IIS log files stored?
C:\WINDOWS\system32\Logfiles\W3SVC1
OR
c:\winnt\system32\LogFiles\W3SVC1
63. What are the different IIS authentication modes in IIS 5.0 and Explain? Difference between basic and digest authentication modes?
IIS provides a variety of authentication schemes:
· Anonymous (enabled by default)
· Basic
· Digest
· Integrated Windows authentication (enabled by default)
· Client Certificate Mapping
Anonymous
Anonymous authentication gives users access to the public areas of your Web site without prompting them for a user name or password. Although listed as an authentication scheme, it is not technically performing any client authentication because the client is not required to supply any credentials. Instead, IIS provides stored credentials to Windows using a special user account, IUSR_machinename. By default, IIS controls the password for this account. Whether or not IIS controls the password affects the permissions the anonymous user has. When IIS controls the password, a sub authentication DLL (iissuba.dll) authenticates the user using a network logon. The function of this DLL is to validate the password supplied by IIS and to inform Windows that the password is valid, thereby authenticating the client. However, it does not actually provide a password to Windows. When IIS does not control the password, IIS calls the LogonUser() API in Windows and provides the account name, password and domain name to log on the user using a local logon. After the logon, IIS caches the security token and impersonates the account. A local logon makes it possible for the anonymous user to access network resources, whereas a network logon does not.
Basic Authentication

IIS Basic authentication as an implementation of the basic authentication scheme found in section 11 of the HTTP 1.0 specification.
As the specification makes clear, this method is, in and of itself, non-secure. The reason is that Basic authentication assumes a trusted connection between client and server. Thus, the username and password are transmitted in clear text. More specifically, they are transmitted using Base64 encoding, which is trivially easy to decode. This makes Basic authentication the wrong choice to use over a public network on its own.
Basic Authentication is a long-standing standard supported by nearly all browsers. It also imposes no special requirements on the server side -- users can authenticate against any NT domain, or even against accounts on the local machine. With SSL to shelter the security credentials while they are in transmission, you have an authentication solution that is both highly secure and quite flexible.
Digest Authentication
The Digest authentication option was added in Windows 2000 and IIS 5.0. Like Basic authentication, this is an implementation of a technique suggested by Web standards, namely RFC 2069 (superceded by RFC 2617).
Digest authentication also uses a challenge/response model, but it is much more secure than Basic authentication (when used without SSL). It achieves this greater security not by encrypting the secret (the password) before sending it, but rather by following a different design pattern -- one that does not require the client to transmit the password over the wire at all.
Instead of sending the password itself, the client transmits a one-way message digest (a checksum) of the user's password, using (by default) the MD5 algorithm. The server then fetches the password for that user from a Windows 2000 Domain Controller, reruns the checksum algorithm on it, and compares the two digests. If they match, the server knows that the client knows the correct password, even though the password itself was never sent. (If you have ever wondered what the default ISAPI filter "md5filt" that is installed with IIS 5.0 is used for, now you know.
Integrated Windows Authentication
Integrated Windows authentication (formerly known as NTLM authentication and Windows NT Challenge/Response authentication) can use either NTLM or Kerberos V5 authentication and only works with Internet Explorer 2.0 and later.
When Internet Explorer attempts to access a protected resource, IIS sends two WWW-Authenticate headers, Negotiate and NTLM.
· If Internet Explorer recognizes the Negotiate header, it will choose it because it is listed first. When using Negotiate, the browser will return information for both NTLM and Kerberos. At the server, IIS will use Kerberos if both the client (Internet Explorer 5.0 and later) and server (IIS 5.0 and later) are running Windows 2000 and later, and both are members of the same domain or trusted domains. Otherwise, the server will default to using NTLM.
· If Internet Explorer does not understand Negotiate, it will use NTLM.
So, which mechanism is used depends upon a negotiation between Internet Explorer and IIS.
When used in conjunction with Kerberos v5 authentication, IIS can delegate security credentials among computers running Windows 2000 and later that are trusted and configured for delegation. Delegation enables remote access of resources on behalf of the delegated user.
Integrated Windows authentication is the best authentication scheme in an intranet environment where users have Windows domain accounts, especially when using Kerberos. Integrated Windows authentication, like digest authentication, does not pass the user's password across the network. Instead, a hashed value is exchanged.
Client Certificate Mapping
A certificate is a digitally signed statement that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A trusted organization (or entity) called a Certification Authority (CA) issues a certificate after the CA verifies that the entity is who it says it is. Certificates can contain different types of data. For example, an X.509 certificate includes the format of the certificate, the serial number of the certificate, the algorithm used to sign the certificate, the name of the CA that issued the certificate, the name and public key of the entity requesting the certificate, and the CA's signature. X.509 client certificates simplify authentication for larger user bases because they do not rely on a centralized account database. You can verify a certificate simply by examining the certificate.

64. IIS Isolation Levels?
Internet Information Server introduced the notion "Isolation Level", which is also present in IIS4 under a different name. IIS5 supports three isolation levels, that you can set from the Home Directory tab of the site's Properties dialog:
· Low (IIS Process): ASP pages run in INetInfo.Exe, the main IIS process, therefore they are executed in-process. This is the fastest setting, and is the default under IIS4. The problem is that if ASP crashes, IIS crashes as well and must be restarted (IIS5 has a reliable restart feature that automatically restarts a server when a fatal error occurs).
· Medium (Pooled): In this case ASP runs in a different process, which makes this setting more reliable: if ASP crashes IIS won't. All the ASP applications at the Medium isolation level share the same process, so you can have a web site running with just two processes (IIS and ASP process). IIS5 is the first Internet Information Server version that supports this setting, which is also the default setting when you create an IIS5 application. Note that an ASP application that runs at this level is run under COM+, so it's hosted in DLLHOST.EXE (and you can see this executable in the Task Manager).
· High (Isolated): Each ASP application runs out-process in its own process space, therefore if an ASP application crashes, neither IIS nor any other ASP application will be affected. The downside is that you consume more memory and resources if the server hosts many ASP applications. Both IIS4 and IIS5 supports this setting: under IIS4 this process runs inside MTS.EXE, while under IIS5 it runs inside DLLHOST.EXE.
When selecting an isolation level for your ASP application, keep in mind that out-process settings - that is, Medium and High - are less efficient than in-process (Low). However, out-process communication has been vastly improved under IIS5, and in fact IIS5's Medium isolation level often deliver better results than IIS4's Low isolation. In practice, you shouldn't set the Low isolation level for an IIS5 application unless you really need to serve hundreds pages per second.


Print this post

No comments: