Solved

IIS 7.5 Websphere Plugin Anonymous Access

Posted on 2011-09-29
Last Modified: 2013-11-17
Here's my environment:

Windows 2008 R2
IIS 7.5 (SSL required)
Lotus Domino 8.5.2
Websphere Plugin is configured to issue requests via HTTP port 8888

I have IIS set up to require client certificates, windows authentication, and anonymous authentication for users outside my domain.  The anonymous access users are receiving 403 denied errors.  The domino server console is displaying "User not authenticated ... Anonymous."  I have followed all documentation that I can find for anonymous access, including adding "Anonymous" to the database ACL, with no luck.

I'm in my second day of battling this and getting pretty frustrated.  The domino log is showing "-" for "Authenticated User."  Any clues on how I should configure the ACL?  The requests are getting to the DB, but domino is rejecting them and I cannot figure out why.

Any clues are appreciated!
Question by:fredsmullin
5 Comments
 
LVL 10

Expert Comment

by:doninja
ID: 36815734
Two possible areas to look at on this.
First is a double SSL issue. Unless an application specifically requires HTTPS, the websphere plugin can simply talk HTTP to the server, as communication to the client is encrypted by IIS HTTPS so doesn't need to be encrypted again between Domino and websphere.

On permissions, check that server access has not been restricted, as this would override the specific database ACL.

Check security tab in server configuration. Access server should not have all trusted directories selected and field with pull down option should be empty.

Also in Ports/Internet Ports tab on server ensure that Anonymous is enabled under Http and Https
0
 

Author Comment

by:fredsmullin
ID: 36816017
doninja,

Thanks for your suggestions.  Here is what I have done:

SSL: SSL is used on IIS and ASP.NET pages are invoked.  The ASP.NET pages have an IFRAME element that references the .NSF file.  Websphere plugin is configured to issue requests via HTTP port 8888 to generate the response to the IFRAME.  That part is working as the plugin TRACE is logging the request generation and getting a valid stream.  But the GET fails with 403.

Server Permissions:  I cleared the Access Server boxes so that it now says "All users can access this server."

Ports/Internet Ports: HTTP is enabled on 8888 with anonymous access enabled.  HTTPS is disabled.

I am still getting 403 errors when the plugin issues a GET to Domino.  I have a priority 1 ticket into IBM as well.  I'm waiting for the callback while I continue to experiment and bang my head against the desk.

Any other thoughts?
0
 
LVL 10

Expert Comment

by:doninja
ID: 36816221
You can test the link without using IIS by putting 8888 in url

http://server:8888/database.nsf/view/page

This will show if it is a Domino or websphere issue.

If you have enabled Anonymous access, make sure it is capital A and user type is unspecified.

Is this working if you do log in to the server over HTTP using the link above or via websphere? Is it only an Anonymous access issue?

Make sure the page being accessed is not redirecting to a url that does not use .nsf, making the websphere redirection not work.

On server config do not have set to "Load Internet Configurations from Server\Internet sites documents"
0
 

Accepted Solution

by:
fredsmullin earned 0 total points
ID: 36816485
doninja,

The domino support team contacted me and taught me about a magic setting introduced in 8.5.2 that works for client certificates.  

set config promoteunknowncerttoanonymous=1

If the client certificate does not match an entry in the address book, domino will not failover to Anonymous as a security feature.  Setting the above will cause unknown cert to be treated as anonymous and apply the ACL.

Everything is working now.  Thanks for trying to help me narrow it down.
0
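A triage example for the symptom and fix discussed in this thread, added here and not code from the posters or IBM support: it finds `.nsf` requests that returned 403 with "-" as the authenticated user and reports whether `promoteunknowncerttoanonymous` is present in notes.ini. The NCSA common log layout, the sample data, and the function names are assumptions.

```python
import re

SETTING = "promoteunknowncerttoanonymous"  # name as given in the accepted answer

# Assumed log layout: NCSA common format
# host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def ini_value(ini_text, name=SETTING):
    """Return the value of a notes.ini key (case-insensitive), or None if absent."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

def anonymous_denials(log_lines):
    """Paths of .nsf requests answered 403 with no authenticated user ("-")."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if (m and m["user"] == "-" and m["status"] == "403"
                and ".nsf" in m["path"].lower()):
            hits.append(m["path"])
    return hits

def triage(ini_text, log_lines):
    """Classify the situation; returns (label, denied_paths)."""
    hits = anonymous_denials(log_lines)
    if not hits:
        return "no-anonymous-403", hits
    if ini_value(ini_text) == "1":
        # Unknown certs already map to Anonymous: the ACL or server access decides.
        return "setting-on-check-acl", hits
    # Unknown client certs are rejected before the ACL is consulted.
    return "setting-off-check-client-cert", hits

# Constructed sample data (not taken from the poster's server).
SAMPLE_INI_BEFORE = "[Notes]\nDirectory=C:\\Domino\\data\n"
SAMPLE_INI_AFTER = SAMPLE_INI_BEFORE + "PromoteUnknownCertToAnonymous=1\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Sep/2011:10:15:02 -0400] "GET /apps/catalog.nsf/view/page HTTP/1.1" 403 312',
    '10.0.0.7 - jdoe [29/Sep/2011:10:15:09 -0400] "GET /apps/catalog.nsf/view/page HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/Sep/2011:10:15:11 -0400] "GET /static/logo.gif HTTP/1.1" 403 100',
]
```

With the setting on, every holder of an unmatched client certificate receives whatever the Anonymous ACL entry grants, so that entry is the control to review on each exposed database.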
 

Author Closing Comment

by:fredsmullin
ID: 36908441
Passing along information from IBM technical support
0
