iis authentication tomcat isapi-redirect

Cannot get IIS ISAPI Tomcat connector to pass BASIC Authentication through to Tomcat


We've successfully configured IIS to front 2 Tomcat instances using isapi_redirect.dll. It's doing everything smartly, and we've been very happy. Now, however, we're using one of the Tomcat instances to serve up web services through AXIS. This requires BASIC Auth, and .NET clients are failing.
+ .NET clients can bypass IIS by surfing to "site:8180" and they're fine
+ Java clients can hit IIS and ISAPI passes them through and they authenticate just fine using basic.
+ .NET clients that hit IIS fail to authenticate using the same unpw.

Fiddler reports this session:
HTTP/1.1 401 Unauthorized
Date: Wed, 07 Jan 2009 14:31:59 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Basic realm="Daily Control Module"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Proxy-Support: Session-Based-Authentication

It kicks up what looks like a basic auth dialog, but instead of asking us to auth against Daily Control Module, it asks us to auth against the Windows server. And sure enough, the IIS server is asking for an NTLM auth. If I set the entire server to use Basic Auth, I get this from Fiddler:
HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="serverName"
X-Powered-By: ASP.NET
Date: Wed, 07 Jan 2009 15:08:32 GMT

Sigh. Basic, but now the Basic Realm is changed to the IIS server. So, if I set the entire server to authenticate against Basic realm, Daily Control Module, then I get this:
HTTP/1.1 401 Unauthorized
Date: Wed, 07 Jan 2009 15:11:45 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="Daily Control Module"
X-Powered-By: ASP.NET
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Basic realm="Daily Control Module"
Content-Type: text/html;charset=utf-8
Content-Length: 954

Weird with the dual WWW-Auth headers, no? At any rate, authenticating using same unpw that works directly against Tomcat fails, whether I specify the domain or not.

At this time:
+ Anon is Off
+ Integrated Windows Auth is Off
+ Basic auth is On, with the realm configured as Daily Control Module

Thanks for looking.


Solution

  • What is the configuration of the directory security?

    Are you sure that only basic authentication is enabled?

    Another point: maybe at the IIS level you should use anonymous authentication, and Tomcat takes care of implementing the basic authentication interchange?

    The source of the problem (from the header you posted) is that the .NET client recognizes that the site supports NTLM authentication and tries to authenticate with that protocol. The Java client is just ignoring the NTLM option, so it uses whatever other authentication protocol the site supports.

    You should make sure that integrated authentication is not enabled at the site and file level.
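
A check that goes with the answer above (an added example, not part of the original post): this script parses the `WWW-Authenticate` lines of a 401 response and flags when an integrated scheme (NTLM or Negotiate) is still offered next to the Basic challenge, and when the same challenge is emitted twice. The two inputs are header lines copied from the question's first and third Fiddler captures, trimmed to the relevant lines; the function names and finding labels are made up for this illustration.

```python
import re
from collections import Counter

# Header lines taken from the first and third captures in the question (trimmed).
CAPTURE_NTLM = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="Daily Control Module"
"""
CAPTURE_BASIC_ONLY = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/6.0
WWW-Authenticate: Basic realm="Daily Control Module"
WWW-Authenticate: Basic realm="Daily Control Module"
"""

def challenges(raw):
    """Return [(scheme, realm_or_None)] for each WWW-Authenticate header line."""
    found = []
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, params = value.strip().partition(" ")
        match = re.search(r'realm="([^"]*)"', params, re.IGNORECASE)
        found.append((scheme, match.group(1) if match else None))
    return found

def diagnose(raw):
    """Return (challenges, findings) for one captured 401 response."""
    found = challenges(raw)
    findings = []
    # A client that supports NTLM/Negotiate may answer that challenge
    # instead of the Basic one, which is the behaviour the answer describes.
    if any(s.lower() in ("ntlm", "negotiate") for s, _ in found):
        findings.append("integrated-auth-offered")
    # The same (scheme, realm) pair sent more than once in one response.
    if any(n > 1 for n in Counter(found).values()):
        findings.append("duplicate-challenge")
    # Basic challenges that disagree on the realm name.
    if len({r for s, r in found if s.lower() == "basic"}) > 1:
        findings.append("conflicting-basic-realms")
    return found, findings

if __name__ == "__main__":
    for label, raw in (("first", CAPTURE_NTLM), ("third", CAPTURE_BASIC_ONLY)):
        print(label, *diagnose(raw))
```

Running it against a fresh capture after changing the directory security settings shows whether the NTLM challenge has actually gone from the site and file level.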