1.1) Make sure that you have configured Apache to use the Prefork MPM (not the Worker MPM) to avoid hangs caused by an AJP bug. See here for details.
1.2) Ensure that an AJP connector is defined in your [tomcat]/conf/server.xml file. This is the case by default, so you probably don't need to change anything. There should be a line like the following in server.xml:
In these instructions, we have assumed that Tomcat is installed in a directory called c:\Tomcat. Adapt the instructions according to where you have it installed. It is also assumed that the webapp will be called 'asset-bank'.
2.1.2) Place isapi_redirect.dll in c:\Tomcat\bin\win32 (create the sub-directory if necessary). You need to ensure that the following IIS and service accounts have permission to read and execute this file:
IIS_IUSRS (IIS_WPG for IIS 6, or if there is no IIS_IUSRS account)
Internet Guest Account(<machine_name>\IUSR<machine_name>)
2.1.3) Place the properties files in your Tomcat conf directory, i.e. c:\Tomcat\conf. Add permissions as above for the IIS accounts.
2.1.4) Open the file workers.properties and check that the values for workers.tomcat_homeand workers.java_home are correctly mapped to your tomcat and java installation locations respectively.
2.1.5) Place the file isapi.log in your tomcat logs directory, i.e. c:\Tomcat\logs. Make sure that the IIS user account(s) have permission to read from, execute and also write to this file.
2.1.7) In the file replace all instances of 'c:\\Tomcat' with the actual path to your tomcat installation (remember to replace all \'s with \\ in the path).
2.1.8) Double click on the file isapi_filter.reg to update your registry with the necessary keys.
2.1.9) Navigate to your host and double click on the ISAPI and CGI Restrictions icon. On the right hand panel, click ‘Add...’. Point the path to your isapi_redirect.dll file and give it a description ‘tomcat’. Check "Allow extension path to execute"
2.1.10) click on the Default Website and navigate to ISAPI Filters. On the right hand panel, click on Add... and point to your isapi_redirect.dll file, give the filter a name (‘tomcat’).
2.1.11) Navigate to your Default Website again. Add a virtual directory and name it ‘jakarta’, point this to the directory containing isapi_redirect.dll
2.1.12) Click on the newly created virtual directory jakarta. Navigate into Handler Mappings, on the right hand side you will see a panel called Actions. Click on Edit Feature Permissions and tick the execute permission.
2.1.14) Finally, navigate to your host context again and restart IIS.
Running Asset Bank from the ROOT webapp
To change the default webapp name from asset-bank to something else or run it from the ROOT webapp you need to edit uriworkermap.properties. To run it from the ROOT webapp replace the existing two lines with the line below.
You will now also need to move the content of \webapps\asset-bank\ into \webapps\ROOT\. Afterwards you can delete \webapps\asset-bank\.
IIS Integration Troubleshooting
When I attempt to browse to http://<server name>/asset-bank I get a blank page/page not found error: This normally means that the ISAPI redirect filter hasn't loaded correctly (you can check this by looking at the 'Isapi Filters' tab of the properties for the IIS site, if the filter is shown with a red downward pointing arrow it means it hasn't loaded). If the filter hasn't loaded correctly then there are a few potential problems to check:
Are the permissions correct? The ISAPI filter will only load if the IIS user accounts have read and execute access to all three properties files and isapi_redirect.dll, and read, write and execute access to isapi.log. If you are experiencing errors due to permissions, then you could initially allow 'Everyone' read, write and execute permissions on all files, in order to establish that the ISAPI plugin is working, then tighten the permissions to allow on the required IIS accounts.
Are you installing onto 64bit Windows? If so, have you used the 64bit version of isapi_redirect.dll? If both of these are true and the filter still isn't loading it might be the case that your installation of IIS is using a 32bit version of ASP.NET. The following article explains how to change IIS to use a 64bit version of ASP.NET: http://support.microsoft.com/kb/894435
When I attempt to browse to http://<server name>/asset-bank I get a 'You are not authorized to view this page' error message: This normally indicates that the permissions on your Asset Bank webapp directory are preventing the IIS guest user from browsing the site. This should be resolved by giving the IIS anonymous access user read and execute permissions on your Asset Bank webapp.
2.2. IIS Forwarding
If you have successfully integrated Tomcat with IIS and would like Asset Bank to be available at http://<server name> rather than just http://<server name>/asset-bank/ then complete the following steps:
2.2.1) Download default.zip, unzip it and put the file default.asp into the root of your Default IIS website.
2.2.2) Using the IIS management console make sure that your website has execute permissions for scripts. Select properties for the Default Web Site and select the Home Directory tab. Execute permissions should be set to Scripts only or Scripts and executables.
2.2.3) Using the IIS management console make sure that your website has Default.asp as a default document. Select properties for the Default Web Site and select the Documents tab. Make sure Enable Default Document is checked and that Default.asp is at the top of the list of default documents.
2.2.4) (IIS 6) Using the IIS management console, select Web Service Extensions in the IIS Console Server Tree. Make sure that Active Server Pages is Allowed rather than Prohibited.
2.2.5) Restart IIS (restart the IIS service, e.g. in the manager console choose the Server, right-click, choose All Tasks, choose Restart IIS).
2.2.6) The application should now be available to view at http://<server name>
2.3. IIS Single-signon
Note that because of changes to enable the Flash Uploader to be used with IIS SSO these instructions require Asset Bank version 3.1127 or above. If you have an earlier version of Asset Bank, and want to enable IIS SSO without upgrading, please contact us.
For single sign on to work, you must first have user accounts set up in Asset Bank corresponding to the Windows usernames for the users you would like to have access. This is normally done by synchronising Asset Bank accounts with Active Directory, read instructions for LDAP integration.
2.3.1. In the IIS management console, select properties on the Default Web Site. On the Directory Security tab, click Edit by ‘Authentication and access control’.
2.3.2. Check ‘Enable anonymous access’. In the ‘Authenticated access’ section, check the ‘Integrated Windows authentication’ box. Click OK on the dialogs to apply.
2.3.3. The isapi_redirect.dll should have read permissions for the Internet Guest Account (ie the account that ‘anonymous access’ is set for), and also read permissions for Authenticated Users (i.e. the users who will be logging in via the single sign on).
2.3.4. Restart IIS.
2.3.5 Tomcat configuration. Find the Connector element for the AJP connector in [tomcat]/conf/server.xml, and add tomcatAuthentication="false":
<!-- Define an AJP 1.3 Connector on port 8009 --> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false" />
2.3.6 In the file ApplicationSettings.properties, set the values of settings as follows: sso-enabled=true sso-plugin-class=WIASSOPlugin show-forgotten-password=false
If after setting up single-signon you are having problems with form submissions and certain pages not loading this may be to do with the http headers being too large for the integrated authentication setup (this can be confirmed by checking for errors relating to header size in the isapi.log that was setup in 2.1.4). If you think you are experiencing this problem then please try the following resolution:
Ensure that the authentication on the Asset Bank website in IIS is set to anonymous access.
Add a new virtual directory to the Asset Bank website called 'redirector'. This should be mapped to [asset bank iis site root]/redirector on the hard disk (you’ll need to create the ‘redirector’ subdirectory)
Copy the file default.asp from the folder [tomcat home]/webapps/asset-bank/WEB-INF/manager-config/iis to the new 'redirector' IIS websites virtual directory
Make sure that the default.asp is executable
Update the 'redirector' virtual directory in IIS to make use of ‘windows integrated authentication’
Update the default document for the Asset Bank IIS website to use the default.asp in the new virtual directory
Restart tomcat and IIS
“Asset Bank were easy to deal with and very friendly but professional. We are delighted to be working with them.”
Sam Smith, Graphic designer BT