  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1184

IIS 7.5 Websphere Plugin Anonymous Access

Here's my environment:

Windows 2008 R2
IIS 7.5 (SSL required)
Lotus Domino 8.5.2
Websphere Plugin is configured to issue requests via HTTP port 8888

I have IIS set up to require client certificates, Windows authentication, and anonymous authentication for users outside my domain.  The anonymous access users are receiving 403 denied errors.  The Domino server console is displaying "User not authenticated ... Anonymous."  I have followed all documentation that I can find for anonymous access, including adding "Anonymous" to the database ACL, with no luck.

I'm in my second day of battling this and getting pretty frustrated.  The domino log is showing "-" for "Authenticated User."  Any clues on how I should configure the ACL?  The requests are getting to the DB, but domino is rejecting them and I cannot figure out why.

Any clues are appreciated!
Asked:
fredsmullin
1 Solution
 
doninjaCommented:
Two possible areas to look at on this.
First is a double SSL issue. Unless an application specifically requires HTTPS, the websphere plugin can simply talk HTTP to the server, as communication to the client is encrypted by IIS HTTPS, so it doesn't need to be encrypted again between Domino and websphere.

On permissions, check that server access has not been restricted, as this would override the specific database ACL.

Check security tab in server configuration. Access server should not have all trusted directories selected and field with pull down option should be empty.

Also in Ports/Internet Ports tab on server ensure that Anonymous is enabled under Http and Https
0
 
fredsmullinAuthor Commented:
doninja,

Thanks for your suggestions.  Here is what I have done:

SSL: SSL is used on IIS and ASP.NET pages are invoked.  The ASP.NET pages have an IFRAME element that references the .NSF file.  Websphere plugin is configured to issue requests via HTTP port 8888 to generate the response to the IFRAME.  That part is working, as the plugin TRACE is logging the request generation and getting a valid stream.  But the GET fails with 403.

Server Permissions:  I cleared the Access Server boxes so that it now says "All users can access this server."

Ports/Internet Ports: HTTP is enabled on 8888 with anonymous access enabled.  HTTPS is disabled.

I am still getting 403 errors when the plugin issues a GET to Domino.  I have a priority 1 ticket into IBM as well.  I'm waiting for the callback while I continue to experiment and bang my head against the desk.

Any other thoughts?
0
 
doninjaCommented:
You can test the link without using IIS by putting 8888 in url

http://server:8888/database.nsf/view/page

This will show if it is a Domino or websphere issue.

If you have enabled Anonymous access, make sure it is capital A and user type is unspecified.

Is this working if you do log in to the server over HTTP using the link above or via websphere? Is it only an Anonymous access issue?

Make sure the page being accessed is not redirecting to a URL that does not use .nsf, making the websphere redirection not work.

On server config, do not have it set to "Load Internet Configurations from Server\Internet sites documents"
0
 
fredsmullinAuthor Commented:
doninja,

The domino support team contacted me and taught me about a magic setting introduced in 8.5.2 that works for client certificates.  

set config promoteunknowncerttoanonymous=1

If the client certificate does not match an entry in the address book, Domino will not fail over to Anonymous, as a security feature.  Setting the above will cause an unknown cert to be treated as anonymous and apply the ACL.

Everything is working now.  Thanks for trying to help me narrow it down.
0
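An added example, not part of the thread: a small log triage that lists which paths reject unauthenticated requests (user field "-") with 403 and which paths serve them, useful for checking what the setting above exposes to Anonymous once it is enabled. It assumes the Domino HTTP access log is written as text in NCSA Common Log Format with the user field quoted when it contains spaces; the sample lines, hosts, paths and names are constructed.

```python
import re
from collections import Counter

# NCSA Common Log Format: host ident authuser [time] "request" status bytes.
# Assumption: the authuser field is quoted when the name contains spaces.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>"[^"]*"|\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; nothing here comes from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2011:10:01:02 -0500] "GET /apps/orders.nsf/view/page HTTP/1.1" 403 512
10.0.0.5 - - [12/Mar/2011:10:01:09 -0500] "GET /apps/orders.nsf/view/page?open HTTP/1.1" 403 512
10.0.0.7 - "CN=Jane Doe/O=Example" [12/Mar/2011:10:02:00 -0500] "GET /apps/orders.nsf/view/page HTTP/1.1" 200 8841
10.0.0.9 - - [12/Mar/2011:10:03:00 -0500] "GET /apps/help.nsf/index HTTP/1.1" 200 1200
this line is not an access log entry
"""

def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].strip('"')
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # group by path, drop the query
    return rec

def triage(log_text):
    """Count unauthenticated ("-") requests per path: rejected (403) vs served (2xx)."""
    rejected, served, malformed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # keep a count so bad lines are not silently lost
        elif rec["user"] == "-":
            if rec["status"] == 403:
                rejected[rec["path"]] += 1
            elif 200 <= rec["status"] < 300:
                served[rec["path"]] += 1
    return {"rejected": rejected, "served": served, "malformed": malformed}

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

Running it on the log from before and after the change shows which paths moved from "rejected" to "served" for unauthenticated users, which is the set of resources whose ACL now governs anonymous access.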
 
fredsmullinAuthor Commented:
Passing along information from IBM technical support
0
Question has a verified solution.
