Solved

IIS 7.5 Websphere Plugin Anonymous Access

Posted on 2011-09-29
Last Modified: 2013-11-17
Here's my environment:

Windows 2008 R2
IIS 7.5 (SSL required)
Lotus Domino 8.5.2
Websphere Plugin is configured to issue requests via HTTP port 8888

I have IIS set up to require client certificates, Windows authentication, and anonymous authentication for users outside my domain.  The anonymous access users are receiving 403 denied errors.  The Domino server console is displaying "User not authenticated ... Anonymous."  I have followed all documentation that I can find for anonymous access, including adding "Anonymous" to the database ACL with no luck.

I'm in my second day of battling this and getting pretty frustrated.  The Domino log is showing "-" for "Authenticated User."  Any clues on how I should configure the ACL?  The requests are getting to the DB, but Domino is rejecting them and I cannot figure out why.

Any clues are appreciated!
Question by:fredsmullin
5 Comments
 
LVL 10

Expert Comment

by:doninja
ID: 36815734
Two possible areas to look at on this.
First is a double SSL issue. Unless an application specifically requires HTTPS, the websphere plugin can simply talk HTTP to the server, as communication to the client is encrypted by IIS HTTPS so doesn't need to be encrypted again between Domino and websphere.

On permissions, check that server access has not been restricted, as this would override the specific database ACL.

Check security tab in server configuration. Access server should not have all trusted directories selected and field with pull down option should be empty.

Also, in the Ports/Internet Ports tab on the server, ensure that Anonymous is enabled under HTTP and HTTPS.
 

Author Comment

by:fredsmullin
ID: 36816017
doninja,

Thanks for your suggestions.  Here is what I have done:

SSL: SSL is used on IIS and ASP.NET pages are invoked.  The ASP.NET pages have an IFRAME element that references the .NSF file.  Websphere plugin is configured to issue requests via HTTP port 8888 to generate the response to the IFRAME.  That part is working as the plugin TRACE is logging the request generation and getting a valid stream.  But the GET fails with 403.

Server Permissions:  I cleared the Access Server boxes so that it now says "All users can access this server."

Ports/Internet Ports: HTTP is enabled on 8888 with anonymous access enabled.  HTTPS is disabled.

I am still getting 403 errors when the plugin issues a GET to Domino.  I have a priority 1 ticket into IBM as well.  I'm waiting for the callback while I continue to experiment and bang my head against the desk.

Any other thoughts?
 
LVL 10

Expert Comment

by:doninja
ID: 36816221
You can test the link without using IIS by putting 8888 in the URL:

http://server:8888/database.nsf/view/page

This will show if it is a Domino or websphere issue.

If you have enabled Anonymous access, make sure it is capital A and the user type is unspecified.

Is this working if you do log in to the server over HTTP using the link above or via websphere? Is it only an Anonymous access issue?

Make sure the page being accessed is not redirecting to a URL that does not use .nsf, making the websphere redirection not work.

On server config, do not have it set to "Load Internet Configurations from Server\Internet sites documents".
 

Accepted Solution

by:
fredsmullin earned 0 total points
ID: 36816485
doninja,

The Domino support team contacted me and taught me about a magic setting introduced in 8.5.2 that works for client certificates.

set config promoteunknowncerttoanonymous=1

If the client certificate does not match an entry in the address book, Domino will not fail over to Anonymous as a security feature.  Setting the above will cause an unknown cert to be treated as anonymous and apply the ACL.

Everything is working now.  Thanks for trying to help me narrow it down.
 

Author Closing Comment

by:fredsmullin
ID: 36908441
Passing along information from IBM technical support
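To confirm the symptom described in this thread (403 responses with "-" as the authenticated user) and to see which paths unauthenticated requests reach once promoteunknowncerttoanonymous=1 is set, the access log can be summarized as below. This is an added example, not code from the thread or from IBM support; it assumes the Domino text access log is written in NCSA common log format, and the sample lines, hosts and database paths are constructed.

```python
import re
from collections import Counter

# Assumed NCSA common-log layout: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>"[^"]*"|\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2011:10:01:12 -0400] "GET /apps/orders.nsf/view/page HTTP/1.1" 403 512
10.0.0.5 - - [29/Sep/2011:10:01:40 -0400] "GET /apps/orders.nsf/view/page HTTP/1.1" 403 512
10.0.0.5 - "CN=Jane Doe/O=Example" [29/Sep/2011:10:02:03 -0400] "GET /apps/orders.nsf/view/page HTTP/1.1" 200 8841
10.0.0.5 - - [29/Sep/2011:10:02:30 -0400] "GET /help/help.nsf/index HTTP/1.1" 200 1200
this line is malformed and must be skipped
"""

def parse(log_text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["user"] = rec["user"].strip('"')   # user field may be quoted
            rec["status"] = int(rec["status"])
            yield rec

def unauthenticated_denials(log_text):
    """Count 403 responses per .nsf path where no user was authenticated ("-")."""
    hits = Counter()
    for rec in parse(log_text):
        db_path = rec["path"].split("?", 1)[0]     # ignore any query string
        if rec["status"] == 403 and rec["user"] == "-" and ".nsf" in db_path.lower():
            hits[db_path] += 1
    return dict(hits)

def anonymous_successes(log_text):
    """Paths served with 200 to unauthenticated requests; review these after the change."""
    return sorted({r["path"] for r in parse(log_text)
                   if r["status"] == 200 and r["user"] == "-"})

if __name__ == "__main__":
    print("403 with no authenticated user:", unauthenticated_denials(SAMPLE_LOG))
    print("200 served to unauthenticated requests:", anonymous_successes(SAMPLE_LOG))
```

Because the setting makes every unmatched client certificate act as Anonymous, the second list is the one to compare against what the Anonymous ACL entry is meant to expose.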

Question has a verified solution.