Just another Microsoft MVPs site

Windows SharePoint Services 3.0 and the IIS default web site

So I was visiting with a friend last night, and he indicated that he was having a bit of a problem with his WSS 3.0 installation.  Short story is that he has a dedicated Win2k8 box acting as a web server on his domain for internal sites.  They have several web-based LOB apps that run on that box, all as virtual directories under the default web site.  Even though they are running SBS 2003 with its WSS 2.0 companyweb, they wanted to install WSS 3 to take advantage of the new wiki site template.  So, they installed WSS 3 on the web server, which immediately broke their LOB apps.

So what happened?

When you first install WSS 3.0 and run the SharePoint Configuration Wizard, SharePoint creates a new web application (SharePoint – 80) and creates a new web site in IIS that takes over the default site.  Dana recognized this, so within IIS he edited the bindings for the SharePoint site to use port 81, allowing him to re-enable the original default website in IIS and get his LOB apps back.  The problem?  Not only was it a pain having to enter :81 after the servername to access the site, but clicking links on the SharePoint site continued to want to use port 80, resulting in constant 404 errors.

So how did we fix it?

If you’re new to SharePoint, it is worth taking a little time to explain some of the architecture and terminology around SharePoint 3.0 to help put the answer in to context.  First, it is important to understand the distinction between a SharePoint web application, and an IIS web site.  SharePoint (whether WSS or MOSS) can have multiple web applications.  These are created via SharePoint Central Administration.  You can think of a SharePoint Web Application as your top-level SharePoint site – but it is distinctly different from a website in IIS.  An IIS site that is mapped to a SharePoint web application can be thought of as a gateway to access the SharePoint web application.  You can delete the site from IIS without affecting any of the content in the SharePoint application.  (Obviously you won’t be able to access the SharePoint web application without an IIS site, but none of the SharePoint web application content or configuration is stored in the IIS site). 

There are several benefits to this approach – including the ability to have multiple IIS sites mapped to a single web application, with each site being bound by a different SharePoint security zone.  The distinction between the web application and the IIS site in Dana’s situation is that the original IIS site that was bound to port 80 with no host header was separate from the actual SharePoint web application, and even though that was the initial IIS site created to access the SharePoint web application, it isn’t necessary to use that IIS site.

The simplest solution for Dana was to create a new IIS site that used a host header to access his SharePoint web application.  This is actually very simple and straight-forward to do from within SharePoint Central Administration:

  1. Open SharePoint Central Administration  (Start | Administrative Tools | SharePoint 3.0 Central Administration) on your SharePoint server.
  2. Click on the Application Management tab
  3. Click on the link to Create or Extend an Existing Web Application
  4. Click the link to Extend an Existing Web Application  (we are extending an existing web application to another IIS site)
  5. Select the web application you want to extend.  (The default SharePoint web application on a stand-alone WSS installation is SharePoint – 80.  On SBS 2008, the companyweb application is  remote.yourdomain.com:987  )
  6. Select the option to create a new website and enter a description that is meaningful to you  (this will display in IIS)
  7. Change the port to 80
  8. Enter a value for the host header  (in Dana’s case, we used   wiki  – obviously, you will need to create the necessary DNS records so your host header name can be resolved via your internal DNS.  I personally prefer to create a CNAME (alias) that resolves to the host (server) that is running SharePoint.  Alternately, you could also create a new A record).
  9. In a typical small business deployment, you will accept the default security configuration options
  10. Select the appropriate zone and click OK.

This will create a new site in IIS that is mapped to the web application you selected.  After we had created the new site for Dana and created the necessary CNAME record for  wiki  in his DNS, we were able to browse to http://wiki on his internal systems and access the SharePoint application successfully, and navigate without 404 errors.

Additionally, we were able to delete the original IIS site that Dana had changed the bindings to port 81.  Since Dana & co were now accessing the web application via the new site (http://wiki) we didn’t need the original site on port 81 any more.  We also did this within SharePoint central administration:

  1. Go to the Application Management tab
  2. Click the link to Remove SharePoint from IIS Web Site
  3. Select the web application
  4. Select the site
  5. Optionally select to delete the site from IIS  (which we did select in Dana’s case)

So why was Dana getting the 404 errors after he changed the bindings to a new port number in IIS?  If you go back to the page where we extended the web application, take note of the description under the Load Balanced URL section:


The description reads:  “The load balanced URL is the domain name for all sites users will access in this SharePoint Web application.  This URL domain will be used in all links shown on pages within the web application.  By default, it is set to the current servername and port.”

When the SharePoint Configuration Wizard created the initial web site in IIS, the SharePoint load balanced URL for that site was http://servername:80  –  which will resolve to the default website on that server.  When Dana changed the port to 81 and re-enabled the original default website, links in the SharePoint web application (when accessed from the original IIS site) all used the Load Balanced URL, which resolved to the re-enabled default website on port 80 – thus resulting in the 404 errors.

The moral of the story here?  Well there are a couple:

  • You can have as many IIS sites linked to a single SharePoint web application as you want.
  • When administering SharePoint, do as much as you can in SharePoint Central Administration.  Chances are you won’t get the results you want if you try to make changes (such as site bindings) via IIS.

One of my personal rules when it comes to IIS is to leave the default website alone.  Personally, I always create new websites in IIS and use host headers to access those sites – so everything is accessible on port 80 (assuming http) and users don’t have to remember weird port numbers, etc.  Additionally, using host headers gives you the freedom to move websites to different web servers without affecting the end-user experience.  Just update your DNS record for the host header value to point to the new server and voila! – users are accessing the same site via the same URL and have no idea it has been moved to a different physical box.  And this is true of all web applications I use – DotNetNuke, Community Server, etc. 

The only exception to my rule of putting each web application in their own IIS web site is when we need multiple apps all on the same server accessible via SSL.  Since SSL traffic is encrypted, IIS is unable to inspect the host headers, meaning it can only direct SSL requests to the correct site based on the IP / port combination.  So, to have multiple web apps on a single box accessible via SSL, we either need to have multiple sites all on one IP listening on different ports (443, 444, etc.), or multiple IPs on the box so each site can listen on 443 on a separate IP, OR configure the different web applications as virtual directories under one IIS site that is listening on 443 for the one / all IP addresses.  Depending on the number of applications you need accessible via SSL, it can makes more sense to configure those apps as virtual directories under a single site, so you reduce your administrative overhead by not having to administer multiple IP addresses / ports / SSL certificates.   But even then, I create a new site in IIS to put everything under instead of using the default site.  Yeah, I know – I’m weird like that  smile_regular

Of course – there is always more than one way to skin a cat, so there is a completely different method we could have taken to fix Dana’s issue as well.

Let’s say there was a business need for Dana’s web applications (that were all virtual directories under the default site) to be accessible as virtual directories under his SharePoint site.   This approach was actually recommended to Dana by other individuals telling him to add an Application Exclusion to the SharePoint site.  Dana couldn’t find out how to do this – but there is good reason why:  Application Exclusions don’t exist in SharePoint 3.0.

Here’s the deal:  SharePoint 2.0 and 3.0 have considerable distinctions in their architecture.  For example, when you extended SharePoint 2.0 to a website in IIS, SharePoint assumed that the entire IIS site would be devoted to the SharePoint application.  As a result, if you wanted to have non-SharePoint virtual directories under the IIS site, you had to tell SharePoint 2.0 to exclude those virtual directories from its management, allowing the web applications in those virtual directories to work as intended. 

SharePoint 3.0 uses a different approach.  Instead of assuming the entire IIS site is devoted to the SharePoint web application, you have to explicitly tell SharePoint what paths in the IIS site are managed by SharePoint.  When we create a new SharePoint Web Application, SharePoint assumes that it will manage the root path as well as everything below the /sites/ path.  (Hint: when you create a new web application and are on the Create Site Collection page, this is why you have the to options for the URL:  http://hostheader/  or http://hostheader/sites/ )

What this means is that SharePoint 3.0 plays very nicely with other web applications in the same IIS site.  So in Dana’s case, when he first installed SharePoint 3.0 and it created a new IIS site that replaced his original default website, he could have simply recreated the virtual directories for each of his web based LOB apps under the IIS site SharePoint created as long as none of them used the sites name, since that was defined as a Managed Path for the SharePoint web application.  And even then, if he wanted to use the sites path for a non-SharePoint application instead, he could have removed the sites path from SharePoint management.

You can administer SharePoint’s managed paths from SharePoint Central Administration.  Simply navigate to the Application Management tab and click the link for Define Managed Paths.  When you add a managed path, you specify what type of inclusion it will be.  There are two types of inclusions – an explicit inclusion and a wildcard inclusion.  An explicit inclusion means that SharePoint will manage just that path, where as a wildcard inclusion tells SharePoint that every path under the wildcard inclusion path should be managed.  This is particularly useful if you are enabling self-site creation for users, so they could effectively create their own site collections (top-level SharePoint site) under a common directory (e.g /sites/). 


  1. Dana Epp

    And if I didn’t say it enough yesterday… thanks so much for getitng this working for me. It really was nice to work on the Wiki and not have a single 404!!!

    Great article. Thanks for posting. Wish it was available a few months back 🙂

  2. DNguyen

    What a great article. Thank you very much. Not many experts can explain clearly this way.

  3. Critter

    This should be simple – but can you tell me how to properly create the CNAME that you recommend? I’ve been in DNS, but have never really created anything there so am uncertain exactly how to do it.

  4. Tom

    Good article; well written.

  5. cgross

    Critter –

    Assuming you are running an Active Directory domain, you will want to open the DNS MMC on one of your Domain Controllers. Expand -> Forward Lookup Zones. Right-click on the forward lookup zone for your internal domain and select “New Alias (CNAME)”

Leave a Reply

Your email address will not be published. Required fields are marked *