Solved

IIS 7.5 Websphere Plugin Anonymous Access

Posted on 2011-09-29
Last Modified: 2013-11-17
Here's my environment:

Windows 2008 R2
IIS 7.5 (SSL required)
Lotus Domino 8.5.2
Websphere Plugin is configured to issue requests via HTTP port 8888

I have IIS set up to require client certificates, Windows authentication, and anonymous authentication for users outside my domain.  The anonymous access users are receiving 403 denied errors.  The Domino server console is displaying "User not authenticated ... Anonymous."  I have followed all documentation that I can find for anonymous access, including adding "Anonymous" to the database ACL, with no luck.

I'm in my second day of battling this and getting pretty frustrated.  The Domino log is showing "-" for "Authenticated User."  Any clues on how I should configure the ACL?  The requests are getting to the DB, but Domino is rejecting them and I cannot figure out why.

Any clues are appreciated!
0
Question by:fredsmullin
5 Comments
 
LVL 10

Expert Comment

by:doninja
ID: 36815734
Two possible areas to look at on this.
First is a double SSL issue. Unless an application specifically requires HTTPS, the WebSphere plugin can simply talk HTTP to the server, as communication to the client is encrypted by IIS HTTPS and so doesn't need to be encrypted again between Domino and WebSphere.

On permissions, check that server access has not been restricted, as this would override the specific database ACL.

Check security tab in server configuration. Access server should not have all trusted directories selected and field with pull down option should be empty.

Also in Ports/Internet Ports tab on server ensure that Anonymous is enabled under HTTP and HTTPS.
0
 

Author Comment

by:fredsmullin
ID: 36816017
doninja,

Thanks for your suggestions.  Here is what I have done:

SSL: SSL is used on IIS and ASP.NET pages are invoked.  The ASP.NET pages have an IFRAME element that references the .NSF file.  Websphere plugin is configured to issue requests via HTTP port 8888 to generate the response to the IFRAME.  That part is working as the plugin TRACE is logging the request generation and getting a valid stream.  But the GET fails with 403.

Server Permissions:  I cleared the Access Server boxes so that it now says "All users can access this server."

Ports/Internet Ports: HTTP is enabled on 8888 with anonymous access enabled.  HTTPS is disabled.

I am still getting 403 errors when the plugin issues a GET to Domino.  I have a priority 1 ticket into IBM as well.  I'm waiting for the callback while I continue to experiment and bang my head against the desk.

Any other thoughts?
0
 
LVL 10

Expert Comment

by:doninja
ID: 36816221
You can test the link without using IIS by putting 8888 in url

http://server:8888/database.nsf/view/page

This will show if it is a Domino or websphere issue.

If you have enabled Anonymous access, make sure it is capital A and user type is unspecified.

Is this working if you do log in to the server over HTTP using the link above or via WebSphere? Is it only an Anonymous access issue?

Make sure the page being accessed is not redirecting to a URL that does not use .nsf, making the WebSphere redirection not work.

On server config do not have set to "Load Internet Configurations from Server\Internet sites documents"
0
 

Accepted Solution

by:
fredsmullin earned 0 total points
ID: 36816485
doninja,

The Domino support team contacted me and taught me about a magic setting introduced in 8.5.2 that works for client certificates.

set config promoteunknowncerttoanonymous=1

If the client certificate does not match an entry in the address book, Domino will not fail over to Anonymous as a security feature.  Setting the above will cause unknown cert to be treated as anonymous and apply the ACL.

Everything is working now.  Thanks for trying to help me narrow it down.
0
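A simplified model of the decision described in the accepted answer, added here as an example; it is not code from the thread, from IBM, or from Domino. The class and function names, the certificate subjects and the ACL contents are constructed, and the lookup ignores group and wildcard ACL entries; the fallback to -Default- when no Anonymous entry exists is standard Domino ACL behaviour.

```python
# Simplified model of the decision described in the accepted answer.
# Not Domino code; every name here is hypothetical, and group and wildcard
# ACL entries are ignored.
from dataclasses import dataclass

REJECTED = "rejected"  # the thread observed this as HTTP 403


@dataclass
class DominoModel:
    directory: set                      # certificate subjects found in the address book
    acl: dict                           # database ACL: entry name -> access level
    promote_unknown_cert: bool = False  # models promoteunknowncerttoanonymous=1

    def identify(self, cert_subject):
        """Map a request to a Domino identity, or REJECTED."""
        if cert_subject is None:
            return "Anonymous"          # assumption: no certificate forwarded
        if cert_subject in self.directory:
            return cert_subject         # certificate matches a directory entry
        # Unknown certificate: fails closed unless the setting is enabled.
        return "Anonymous" if self.promote_unknown_cert else REJECTED

    def access(self, cert_subject):
        """Return (identity, ACL level) for a request to the database."""
        who = self.identify(cert_subject)
        if who == REJECTED:
            return REJECTED, None
        # Without an explicit entry, the identity gets the -Default- level.
        return who, self.acl.get(who, self.acl.get("-Default-", "No Access"))


def unknown_cert_level(model):
    """Access level any holder of an unrecognized certificate would get."""
    return model.access("CN=Outside User/O=Elsewhere")[1]  # constructed subject


# Constructed sample data.
KNOWN = "CN=Alice Example/O=Acme"
ACL = {KNOWN: "Manager", "Anonymous": "Reader", "-Default-": "Editor"}

before = DominoModel({KNOWN}, ACL)                            # default behaviour
after = DominoModel({KNOWN}, ACL, promote_unknown_cert=True)  # setting enabled
no_anon = DominoModel({KNOWN}, {KNOWN: "Manager", "-Default-": "Editor"}, True)

if __name__ == "__main__":
    for name, m in [("before", before), ("after", after), ("no Anonymous entry", no_anon)]:
        print(f"{name}: unknown certificate -> {unknown_cert_level(m)}")
```

The third case is the one to check before enabling the setting: with no Anonymous entry in a database ACL, holders of unrecognized certificates receive the -Default- level for that database.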
 

Author Closing Comment

by:fredsmullin
ID: 36908441
Passing along information from IBM technical support
0

Question has a verified solution.
