Hi Jon,

The best information I have about the error is from the localhost log:
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:00:52 -0500] "GET /exposedApplication/simple.html HTTP/1.1" 403 618
10.00.00.00 - - [25/Feb/2020:10:46:24 -0500] "GET //exposedApplication/simple.html HTTP/1.1" 403 618

On Tue, Feb 25, 2020 at 1:19 PM <jonmcalexan...@wellsfargo.com.invalid> wrote:

> -----Original Message-----
> From: Ellen Meiselman <elle...@gmail.com>
> Sent: Tuesday, February 25, 2020 12:04 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
>
> The directory containing the dll is at $TomcatHome/isapi/
>
> I opened that wide up for testing after more secure configurations did not
> work. Don't worry - this will absolutely NOT be used for production:
> IUSR, I_USRS, and USERS all have full control.
> DefaultAppPool has everything but full control - Modify, execute, write.
>
> However, the isapi_redirect.dll's logs show that it is not getting tomcat
> errors the way it used to, so I do think it is connecting but then being
> banned by Tomcat itself.
> For example the logs used to have messages that tomcat wasn't listening on
> 8009 until I figured out that the AJP connector is now commented out by
> default in server.xml. After fixing that and a few other things, the logs
> suddenly started spitting back the complete html of the 403 error pages -
> in other words I do think it is now connecting.
>
> On Tue, Feb 25, 2020 at 12:54 PM <jonmcalexan...@wellsfargo.com.invalid>
> wrote:
>
> > What permissions are on the file containing the DLL, and Worker files?
> >
> > Jon McAlexander
> >
> > -----Original Message-----
> > From: Ellen Meiselman <elle...@gmail.com>
> > Sent: Tuesday, February 25, 2020 11:51 AM
> > To: Tomcat Users List <users@tomcat.apache.org>
> > Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
> >
> > Thank you - when I remove the secret line, save and restart Tomcat, it
> > results in the same 403 error.
> >
> > On Tue, Feb 25, 2020 at 12:34 PM André Warnier (tomcat/perl) <a...@ice-sa.com>
> > wrote:
> >
> > > The workers.properties below look good to me at first sight.
> > >
> > > Just to eliminate something, could you try the following changes :
> > >
> > > 1) workers.properties :
> > > remove the line
> > > > worker.worker1.secret="mySecret".
> > >
> > > 2) AJP Connector in tomcat :
> > >
> > > <Connector protocol="AJP/1.3"
> > >            address="127.0.0.1"
> > >            port="8009"
> > >            secretRequired="false"
> > >            redirectPort="8443" />
> > >
> > > then restart tomcat and IIS.
> > > What's happening then ?
> > >
> > > Note : this is something new in tomcat 8.5.51 compared to 8.5.50 and
> > > earlier.
> > > Before, by default, the "secret" was disabled. Since 8.5.51, by
> > > default, the secret is enabled, and you have to disable it
> > > explicitly if you don't want it (as I did above).
> > >
> > > With the settings above, we are just trying to get back to a
> > > configuration without secret, to check if that works in your case.
> > > As indicated in the documentation
> > > (http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Standard_Implementations)
> > > you can do that in your case, because the communication between IIS and
> > > Tomcat is fairly secure, since it happens all within the same host.
> > >
> > > On 25.02.2020 18:06, Ellen Meiselman wrote:
> > > > Yes, everything is on the same server.
> > > >
> > > > workers.properties:
> > > > # Set properties for worker1 (ajp13)
> > > > worker.worker1.type=ajp13
> > > > worker.worker1.host=127.0.0.1
> > > > worker.worker1.port=8009
> > > > worker.worker1.secret="mySecret".
> > > >
> > > > On Tue, Feb 25, 2020 at 11:27 AM <jonmcalexan...@wellsfargo.com.invalid>
> > > > wrote:
> > > >
> > > >> -----Original Message-----
> > > >> From: Ellen Meiselman <elle...@gmail.com>
> > > >> Sent: Tuesday, February 25, 2020 10:01 AM
> > > >> To: Tomcat Users List <users@tomcat.apache.org>
> > > >> Subject: Re: At wits end: Difficulties with IIS ISAPI connector and Tomcat
> > > >>
> > > >>> Hi,
> > > >>>
> > > >>> I've been testing, and so far, there is no change in the behavior.
> > > >>> I am still getting the same tomcat-based 403 error.
> > > >>>
> > > >>> Based on what you said above...
> > > >>>
> > > >>> secretRequired="true" (which is the default, so it can be removed)
> > > >>> secret="xxxxxxx"
> > > >>>
> > > >>> ...I removed secretRequired="true" and left secret.
> > > >>> So the connector definition now looks like this:
> > > >>> <Connector protocol="AJP/1.3"
> > > >>>            address="127.0.0.1"
> > > >>>            port="8009"
> > > >>>            secret="mySecret"
> > > >>>            redirectPort="8443" />
> > > >>
> > > >> <SNIP>
> > > >>
> > > >> I'm assuming that your web-front-end is on the same server as your Tomcat
> > > >> instance, based on you having the address set to 127.0.0.1, correct? What
> > > >> do you have in your workers.properties file?
>
> Is it a 403.0 error, or 403.<something>? Is there a Sub value?