I've run into this exact issue several times, and every time, the solution was to:
- go to the Control Panel
- go to the "Windows Components" area
- remove IIS, let it uninstall
- reboot
- re-add IIS (make sure to include the ASP.NET stuff when you check off the boxes).
- Run: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>aspnet_regiis.exe -I
I spent hours debugging this at a client site once, and that was the trick. Since then, every time this has happened, this was the fix.
I'm not sure what the root cause is, but we tore the IIS configuration apart once trying to figure it out, and even had Microsoft RDC'ing into the server in question for 2 or 3 hours, and they couldn't help either.
So I write it off as an undocumented bug in ASP.NET/IIS.
Your security department wants you to do this to make the server type harder to identify. This may lessen the barrage of automated hacking tools and make it more difficult for people to break into the server.
Within IIS, open the web site properties, then go to the HTTP Headers tab. Most of the X- headers can be found and removed here. This can be done for individual sites, or for the entire server (modify the properties for the Web Sites object in the tree).
For the Server header, on IIS6 you can use Microsoft's URLScan tool to remove that. Port 80 Software also makes a product called ServerMask that will take care of that, and a lot more, for you.
For IIS7 (and higher), you can use the URL Rewrite Module to rewrite the server header or blank its value. In web.config (at a site or the server as a whole), add this content after the URL Rewrite Module has been installed:
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
You can put a custom value into the rewrite action if you'd like. This sample is sourced from this article, which also has other great information.
For the MVC header, in Global.asax:
MvcHandler.DisableMvcResponseHeader = true;
Edited 11-12-2019 to update the IIS7 info since the TechNet blog link was no longer valid.
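A check to run after making the changes described above, as an added example that is not part of the original answer: it parses a raw HTTP response head and reports any header that still identifies the stack, treating a blanked value (what the outbound rule produces) as clean. The header list, the function names and the sample responses are assumptions of this example.

```python
import re

# Headers IIS / ASP.NET commonly emit that identify the stack.
# This list is an assumption of the example, not taken from the answer.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+\.\d+")

def parse_head(raw: bytes) -> list[tuple[str, str]]:
    """Return (lowercased name, stripped value) pairs from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw: bytes, accepted: frozenset = frozenset()) -> list[str]:
    """List identifying headers; 'accepted' holds custom values you chose on purpose."""
    findings = []
    for name, value in parse_head(raw):  # header names are case-insensitive
        if name not in FINGERPRINT_HEADERS:
            continue
        if value == "" or value in accepted:
            continue  # blanked by the rewrite rule, or a deliberate custom value
        if VERSION_RE.search(value):
            note = "value includes a version number"
        else:
            note = "value still present"
        findings.append(f"{name}: {value!r} ({note})")
    return findings

# Constructed sample responses (not captured from a real server).
BEFORE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.5\r\n"
          b"X-AspNetMvc-Version: 3.0\r\nX-AspNet-Version: 4.0.30319\r\n"
          b"X-Powered-By: ASP.NET\r\n\r\n<html></html>")
AFTER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: \r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "clean")
```

Pass a custom Server value you set in the rewrite action through `accepted` so it is not reported.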
Best Answer
If you are using the NLB clustering that ships as part of Windows Server 2003 then you are looking for the affinity setting. If you set this to "single affinity" then communication from one IP address will always route to the same server, thus allowing the client to get access to the InProc session state. There is some documentation on how to set it at http://technet.microsoft.com/en-us/library/bb734858.aspx