-----Original Message-----
From: Ellen Meiselman <elle...@gmail.com> 
Sent: Tuesday, February 25, 2020 12:04 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat

The directory containing the dll is at $TomcatHome/isapi/

I opened that wide up for testing after more secure configurations did not 
work. Don't worry - this will absolutely NOT be used for production:
IUSR, I_USRS, and USERS all have full control.
DefaultAppPool has everything but full control - Modify, execute, write.

However, the isapi_redirect.dll's logs show that it is not getting tomcat 
errors the way it used to, so I do think it is connecting but then being banned 
by Tomcat itself.
For example the logs used to have messages that tomcat wasn't listening on 8009
until I figured out that the AJP connector is now commented out by 
default in server.xml. After fixing that and a few other things, the logs 
suddenly started spitting back the complete html of the 403 error pages - in 
other words I do think it is now connecting.




On Tue, Feb 25, 2020 at 12:54 PM <jonmcalexan...@wellsfargo.com.invalid>
wrote:

> What permissions are on the file containing the DLL, and Worker files?
>
> -----Original Message-----
> From: Ellen Meiselman <elle...@gmail.com>
> Sent: Tuesday, February 25, 2020 11:51 AM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> Thank you - when I remove the secret line, save and restart Tomcat, it 
> results in the same 403 error.
>
> On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) <a...@ice-sa.com> wrote:
>
> > The workers.properties below look good to me at first sight.
> >
> > Just to eliminate something, could you try the following changes :
> >
> > 1) workers.properties :
> > remove the line
> >  > worker.worker1.secret="mySecret".
> >
> > 2) AJP Connector in tomcat :
> >
> > <Connector protocol="AJP/1.3"
> >                  address="127.0.0.1"
> >                  port="8009"
> >                  secretRequired="false"
> >                  redirectPort="8443" />
> >
> > then restart tomcat and IIS.
> > What's happening then ?
> >
> > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and 
> > earlier.
> > Before, by default, the "secret" was disabled. Since 8.5.51, by 
> > default, the secret is enabled, and you have to disable it 
> > explicitly if you don't want it (as I did above).
> >
> > With the settings above, we are just trying to get back to a 
> > configuration without secret, to check if that works in your case.
> > As indicated in the documentation
> > (http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> > you can do that in your case, because the communication between IIS and
> > Tomcat is fairly secure, since it happens all within the same host.
> >
> >
> > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > Yes, everything is on the same server.
> > >
> > > workers.properties:
> > > # Set properties for worker1 (ajp13)
> > > worker.worker1.type=ajp13
> > > worker.worker1.host=127.0.0.1
> > > worker.worker1.port=8009
> > > worker.worker1.secret="mySecret".
> > >
> > > On Tue, Feb 25, 2020 at 11:27 AM
> > > <jonmcalexan...@wellsfargo.com.invalid>
> > > wrote:
> > >
> > >> -----Original Message-----
> > >> From: Ellen Meiselman <elle...@gmail.com>
> > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > >> To: Tomcat Users List <users@tomcat.apache.org>
> > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
> > >>
> > >>> Hi,
> > >>
> > >>> I've been testing, and so far, there is no change in the behavior. I am
> > >>> still getting the same tomcat-based 403 error.
> > >>
> > >>> Based on what you said above...
> > >>>
> > >>> secretRequired="true" (which is the default, so it can be 
> > >>> removed) secret="xxxxxxx"
> > >>
> > >>
> > >>> ...I removed secretRequired="true" and left secret. So the connector
> > >>> definition now looks like this:
> > >>> <Connector protocol="AJP/1.3"
> > >>>                address="127.0.0.1"
> > >>>                port="8009"
> > >>>                secret="mySecret"
> > >>>                redirectPort="8443" />
> > >>
> > >> <SNIP>
> > >>
> > >> I'm assuming that your web-front-end is on the same server as your Tomcat
> > >> instance, based on you having the address set to 127.0.0.1, correct? What
> > >> do you have in your workers.properties file?
> > >>
> > >
> >
> >
>

Is it a 403.0 error, or 403.<something>? Is there a Sub value?
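
Added example (not part of the thread, and not Tomcat or mod_jk code): a small Python check that compares each ajp13 worker in workers.properties with the AJP Connector on the same port in server.xml, following the secret / secretRequired behaviour described in the quoted replies. The sample inputs are constructed, and the comparison assumes both sides use the secret exactly as written in each file, with no quote stripping.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; values are compared exactly as written (assumption).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secret="mySecret" redirectPort="8443" />
</Service></Server>"""
WORKERS = """# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8009
worker.worker1.secret="mySecret"
"""

def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker":
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers

def check_ajp(server_xml, workers_text):
    """Compare each ajp13 worker with the AJP <Connector> on the same port."""
    conns = {c.get("port"): c for c in ET.fromstring(server_xml).iter("Connector")
             if "ajp" in c.get("protocol", "").lower()}
    findings = []
    for name, props in parse_workers(workers_text).items():
        if props.get("type") != "ajp13":
            continue
        conn = conns.get(props.get("port"))
        if conn is None:  # XML comments are skipped, so a commented-out connector lands here
            findings.append(f"{name}: no active AJP connector on port {props.get('port')}")
            continue
        c_secret, w_secret = conn.get("secret"), props.get("secret")
        if c_secret and w_secret is None:
            findings.append(f"{name}: connector has a secret, worker sends none")
        elif c_secret and w_secret != c_secret:
            # Report lengths only, so the secrets themselves never reach a log.
            findings.append(f"{name}: secrets differ (lengths {len(w_secret)} vs {len(c_secret)})")
        elif not c_secret and conn.get("secretRequired", "true").lower() == "true":
            # Default as stated in the thread: required unless secretRequired="false".
            findings.append(f"{name}: connector requires a secret but sets none")
    return findings
```

Call `check_ajp()` with the text of the two files; an empty list means the worker and connector agree on port and secret.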
