Set up IIS 2 factor authentication
Relevant Versions: ALL
1. Download the ISAPI Redirect DLL from the apache site. When downloading, choose the version of Windows that IIS is running on (win32), and then choose the latest available jk version. The file to download is called isapi_redirect.dll.

2. Place the DLL into the Tomcat bin directory. For the purpose of this document, we will assume the directory is C:\

3. Create a file in the same directory called isapi_redirect.properties. Using Notepad, edit the file and enter the following contents. Some adjustment for directory names may be required.

    # Configuration file for the Jakarta ISAPI Redirector
    # The path to the ISAPI Redirector Extension, relative to the website
    # This must be in a virtual directory with execute privileges
    extension_uri=/jakarta/isapi_redirect.dll
    # Full path to the log file for the ISAPI Redirector
    log_file=C:\
    # Log level (debug, info, warn, error or trace)
    log_level=info
    # Full path to the workers.properties file
    worker_file=C:\
    # Full path to the uriworkermap.properties file
    worker_mount_file=C:\

4. In the Tomcat conf directory (C:\

   uriworkermap.properties

    # uriworkermap.properties - IIS
    #
    # This file provides mappings for the workers
    # defined in workermap.properties.minimal.
    # The general syntax for this file is:
    # [URL]=[Worker name]
    /ProtectManager/*=worker1

   workers.properties

    # workers.properties.minimal
    # This file provides minimal jk configuration properties needed to connect to Tomcat.
    # The workers that jk should create and work with.
    worker.list=worker1
    # Defining a worker named worker1 and of type ajp13.
    # Note that the name and the type do not have to match.
    worker.worker1.type=ajp13
    worker.worker1.host=localhost
    worker.worker1.port=8009

5. Ensure that the file permissions are good for isapi_redirect.dll. Enable the Internet Guest Account to access the Tomcat bin folder with Read & Execute permissions. Apply the same permissions to the DLL itself.

6. Open Control Panel, then Administrative Tools and open Internet Information Services. Optionally, you may right click on My Computer and select Manage, then navigate down the tree to Services and Applications → Internet Information Services (IIS) Manager.

7. Add an ISAPI Filter to IIS.

8. Create a virtual directory for ProtectManager in IIS. This is the name of the Tomcat application for
   Note: The reason for creating a virtual directory is so that requests without the trailing slash still work.

9. Create a virtual directory for access to the isapi_redirect.dll in IIS.
   Note: This Virtual Directory is needed for the connector to work. The alias that you give the directory needs to be the same as the path set in the isapi_redirect.properties file, extension_uri property. In our example this value is: /jakarta/isapi_redirect.dll.

10. If using IIS 6.0 you will also need to add the DLL as a Web Service Extension, as follows:

11. Also, for IIS 6, you will need to set the service to run in IIS 5.0 Isolation Mode. From the Web Sites container, right click and select Properties, then the Service tab. Check the Run WWW service in IIS 5.0 isolation mode option.

12. You will need to restart the IIS Service. If you have the Computer Management application running, just right click on the Internet Information Service (IIS) Manager container and select All Tasks → Restart IIS…

13. After restarting, check that the ISAPI filter is running.

14. Edit the file C:\ Look for this section:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
    -->

15. Delete the comments around the connector (highlighted) and save the file.

16. For testing purposes, you may set the SSL port for IIS. Enabling SSL within IIS is out of scope for this document, but for testing purposes, the port is set to 444 above. As such, the

17. Restart the
18. Browse to https://localhost:444/ProtectManager .
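
An added example (not part of the original document or of the Tomcat connector distribution): a Python check that the files from steps 3, 4 and 14 agree with each other and with the virtual directory alias from step 9. The function names, the vdir_alias parameter and the sample strings are assumptions, constructed from the values shown in this document.

```python
import xml.etree.ElementTree as ET

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def ajp_ports(server_xml):
    """Ports of active AJP connectors; ElementTree drops commented-out XML."""
    root = ET.fromstring(server_xml)
    return {c.get("port") for c in root.iter("Connector")
            if (c.get("protocol") or "").upper().startswith("AJP")}

def check_config(redirect, urimap, workers, server_xml, vdir_alias):
    """List mismatches between the files of steps 3, 4, 14 and the step 9 alias."""
    problems = []
    r, u, w = parse_props(redirect), parse_props(urimap), parse_props(workers)
    declared = {n.strip() for n in w.get("worker.list", "").split(",") if n.strip()}
    ports = ajp_ports(server_xml)
    uri = r.get("extension_uri", "")
    if uri.strip("/").split("/")[0] != vdir_alias:
        problems.append(f"extension_uri {uri!r} does not start with /{vdir_alias}/")
    for url, name in u.items():
        port = w.get(f"worker.{name}.port")
        if name not in declared:
            problems.append(f"{url} maps to undeclared worker {name!r}")
        elif w.get(f"worker.{name}.type") != "ajp13":
            problems.append(f"worker {name!r} is not type ajp13")
        elif port not in ports:
            problems.append(f"worker {name!r} port {port} has no active AJP connector")
    return problems

# Constructed sample input mirroring the values shown in this document.
REDIRECT = "extension_uri=/jakarta/isapi_redirect.dll\nlog_level=info\n"
URIMAP = "# [URL]=[Worker name]\n/ProtectManager/*=worker1\n"
WORKERS = ("worker.list=worker1\nworker.worker1.type=ajp13\n"
           "worker.worker1.host=localhost\nworker.worker1.port=8009\n")
CONNECTOR = '<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />'
COMMENTED = f"<Server><Service><!-- {CONNECTOR} --></Service></Server>"  # before step 15
ACTIVE = f"<Server><Service>{CONNECTOR}</Service></Server>"              # after step 15

if __name__ == "__main__":
    for xml in (COMMENTED, ACTIVE):
        print(check_config(REDIRECT, URIMAP, WORKERS, xml, "jakarta"))
```

An empty list means the redirector, worker and connector settings line up; any entry names the file value to correct before restarting IIS.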