Hi tomcat-users

I have been trying to configure isapi_redirector.dll so that only users
in a particular ActiveDirectory group can access tomcat via IIS 5.

The approach I have been trying to take is to set appropriate NTFS
permissions on the isapi_redirect.dll

After some frustration, this approach seems to be working, subject to
the problem described below.

I removed all access to isapi_redirect.dll, then granted Read & Execute,
Read etc to:

        Administrators (SPEED\Administrators)
        Internet Guest Account (SPEED\IUSR_D200)
        Launch IIS Process Account (SPEED\IWAM_D200)
        NETWORK
        SERVICE
        SYSTEM

(Further experimentation may show that some of these are not required)

After restarting IIS, with this setup, Speed\Administrator can
authenticate with IIS, and its requests are passed through to tomcat as
expected.  An ordinary end user Speed\jharrop gets a 401.

So I think that all I'll now need to do is to grant Read & Execute
permission to a group which includes the relevant users.

The outstanding problem is as follows:

After restarting IIS, the first user to invoke a context which tomcat is
supposed to handle _must_ be someone with appropriate NTFS permissions
to access isapi_redirect.dll.

If it turns out that the first user to attempt to authenticate (IIS logs
show GET /jakarta/isapi_redirect.dll 401) doesn't have appropriate NTFS
permissions, they'll get a 404, and all subsequent attempts by anyone to
access the context will immediately return a 404 (without prompting for
authentication)!!

So currently, after restarting IIS, I have to make sure someone with
appropriate NTFS permissions is the first to access isapi_redirect.dll.

If there is an explanation for this behaviour, or even better, some way
to change it, I'd love to know.

thanks

Jason




