Tomcat + IIS = no basic windows authentication

Hey

Please forgive my slightly lengthy post. The server is running Windows Server 2003 and is running IIS version 6.0.

Problem
--------

If I enable “Basic Windows Authentication” and then navigate to the website hosting it using a web browser, for example http://url/nclexrn3500, it will then prompt for the user name and password. If I enter any user name or password (including admin ones) it will not accept it, and after several tries tell me I am not allowed to view the page.

If I specify the port as 8080, for example http://url:8080/nclexrn3500, it will go straight into the program and completely bypass all security prompts.
The application is an installation, which creates a few virtual directories within the website. The program uses Jakarta Tomcat as one of the virtual directories, which is located in the same main folder as the program itself (c:/program files/LWW/Tomcat).

Under web service extensions (under IIS) I have added the “c:\program files\lww\tomcat\bin\ISAPI_Redirect.dll”, and have also allowed “ALL Unknown ISAPI Extensions”.

I had posted a long while ago with the same problem, but now after much googling and searching the problem seems to be caused by Jakarta’s Tomcat – does anyone have any ideas for a workaround solution?

Thanks a lot,
 
Hi,

Have you looked at Remote Address Filter and Remote Host Filter valves in Tomcat? These restrict access to users whose IP address or hostname (respectively) matches one or more regular expressions. You might also need to make changes in your web.xml to tell Tomcat that security applies to all pages on your site.

Another option would be to use LDAP to control authentication; I believe later versions of Tomcat can do this.

I haven't actually used these myself so can't vouch for how easy to use or effective they are but thought the info might help anyway.

Jim
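
The two Tomcat-side controls mentioned in the reply above, sketched as configuration fragments (an added example, not part of the original posts or of the application's own files). The subnet, role name and realm name are placeholders, and the role is assumed to exist in whatever realm Tomcat is configured with.

```xml
<!-- conf/server.xml (fragment): goes inside the <Host> or <Context> element.
     Remote Address Filter valve: requests whose client address does not match
     the regular expression are rejected by Tomcat itself, whichever connector
     they arrive on (so this also covers direct hits on port 8080).
     Note: requests forwarded by IIS through the ISAPI redirector carry the
     browser's address, not the IIS server's, so the pattern must match the
     real client range. 192.168.1.x is a constructed example range. -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.0\.0\.1|192\.168\.1\.\d+"/>

<!-- WEB-INF/web.xml (fragment): security constraint covering every URL of the
     web application, so Tomcat demands a login even when IIS is bypassed.
     "appuser" is a placeholder role name. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- BASIC sends credentials base64-encoded, not encrypted; serve it over
       HTTPS only. -->
  <auth-method>BASIC</auth-method>
  <realm-name>Placeholder realm</realm-name>
</login-config>

<security-role>
  <role-name>appuser</role-name>
</security-role>
```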
 
Not sure of the solution to your exact issue.

But I think I'm correct in saying Basic Authentication is not very secure as the passwords are not encrypted.

You may be better enabling 'Anonymous' login on IIS and coding your login within the hosted application instead.
 
Ok, I have made a little progress.

I can now get in via administrator, but no other user lets me in. I have given full permissions to the folder (lww) which also contains the tomcat folder, but I still can NOT get in. I have also given full permissions to isapi_redirect.dll and it is the same thing. The moment I promote a user to admin though it works instantly.

I have even tried putting a user (test) into every single user group on the server, minus the admin one, and it still won't let me in. The second I put them in the admin group though it works instantly. Can someone *please* help me with this, I am seriously being driven insane with this problem.
 