English

FAQ: Why does ArcIMS map service authentication through the servlet connector fail when IIS authentication is used?

Question

Why does ArcIMS map service authentication through the servlet connector fail when IIS authentication is used?

Answer

Authentication is processed through Hypertext Transfer Protocol (HTTP) when using map service authentication through the servlet connector. When Internet Information Services (IIS) receives a request with authentication information for a resource that is authentication enabled, then IIS processes the request and checks to see if the account is a valid Windows account. With map service authentication, the account is not a Windows account, but an account configured in an Access Control List (ACL) file for database. Even though a user provides correct map service authentication information for ArcIMS, IIS processes the request first then denies the request.

With IIS, authentication is enabled if any of the authentication mechanisms are checked (Basic, Digest, Integrated Windows Authentication). Authentication is enabled even if anonymous access is allowed.

The following conditions must be met in order for IIS to allow the ArcIMS Servlet Connector to process authentication:

1. The Internet Server Application Programming Interface (ISAPI) filter dll (Dynamic Link Library) for the servlet engine must have authentication disabled.

2. The ISAPI filter dll for the servlet engine must allow anonymous access.
These dlls can be found in the following locations:

- The ISAPI filter DLL for Tomcat is called isapi_redirector.dll and is often put in a Jakarta virtual directory.

- The ISAPI filter DLL for JRun is called jrun.dll and often placed in the scripts directory.

- The ISAPI filter DLL for ServletExec is called ServletExec_ISAPI.dll and can be in the scripts or in a special ServletExec virtual directory.