Solved

IIS 7.5 Websphere Plugin Anonymous Access

Posted on 2011-09-29
Last Modified: 2013-11-17
Here's my environment:

Windows 2008 R2
IIS 7.5 (SSL required)
Lotus Domino 8.5.2
Websphere Plugin is configured to issue requests via HTTP port 8888

I have IIS set up to require client certificates, windows authentication, and anonymous authentication for users outside my domain.  The anonymous access users are receiving 403 denied errors.  The domino server console is displaying "User not authenticated ... Anonymous."  I have followed all documentation that I can find for anonymous access, including adding "Anonymous" to the database ACL with no luck.

I'm in my second day of battling this and getting pretty frustrated.  The domino log is showing "-" for "Authenticated User."  Any clues on how I should configure the ACL?  The requests are getting to the DB, but domino is rejecting them and I cannot figure out why.

Any clues are appreciated!
Question by:fredsmullin
5 Comments
 
LVL 10

Expert Comment

by:doninja
ID: 36815734
Two possible areas to look at on this.
First is a double SSL issue. Unless an application specifically requires HTTPS, the websphere plugin can simply talk http to the server, as communication to the client is encrypted by IIS HTTPS so doesn't need to be encrypted again between Domino and websphere.

On permissions, check that server access has not been restricted, as this would override the specific database ACL.

Check security tab in server configuration. Access server should not have all trusted directories selected and field with pull down option should be empty.

Also in Ports/Internet Ports tab on server ensure that Anonymous is enabled under Http and Https
 

Author Comment

by:fredsmullin
ID: 36816017
doninja,

Thanks for your suggestions.  Here is what I have done:

SSL: SSL is used on IIS and ASP.NET pages are invoked.  The ASP.NET pages have an IFRAME element that references the .NSF file.  Websphere plugin is configured to issue requests via HTTP port 8888 to generate the response to the IFRAME.  That part is working as the plugin TRACE is logging the request generation and getting a valid stream.  But the GET fails with 403.

Server Permissions:  I cleared the Access Server boxes so that it now says "All users can access this server."

Ports/Internet Ports: HTTP is enabled on 8888 with anonymous access enabled.  HTTPS is disabled.

I am still getting 403 errors when the plugin issues a GET to Domino.  I have a priority 1 ticket into IBM as well.  I'm waiting for the callback while I continue to experiment and bang my head against the desk.

Any other thoughts?
 
LVL 10

Expert Comment

by:doninja
ID: 36816221
You can test the link without using IIS by putting 8888 in url

http://server:8888/database.nsf/view/page

This will show if it is a Domino or websphere issue.

If you have enabled Anonymous access, make sure it is Capital A and user type is unspecified.

Is this working if you do log in to the server over HTTP using the link above or via websphere? Is it only an Anonymous access issue?

Make sure the page being accessed is not redirecting to a url that does not use .nsf, making the websphere redirection not work.

On server config do not have set to "Load Internet Configurations from Server\Internet sites documents"
 

Accepted Solution

by:fredsmullin
ID: 36816485
doninja,

The domino support team contacted me and taught me about a magic setting introduced in 8.5.2 that works for client certificates.  

set config promoteunknowncerttoanonymous=1

If the client certificate does not match an entry in the address book, domino will not fail over to Anonymous as a security feature.  Setting the above will cause unknown cert to be treated as anonymous and apply the ACL.

Everything is working now.  Thanks for trying to help me narrow it down.
 

Author Closing Comment

by:fredsmullin
ID: 36908441
Passing along information from IBM technical support
