Friday, January 12, 2007

Rewriting URLs in IIS with Ionic's ISAPI Rewrite

A little background: At the company I work for, we use a couple of internal web sites for intranet and web applications. The web applications have their own security based on the user's LDAP username. Until recently, the users were required to use a form based login before they can get to any of the web application. In the past few days I have been attempting to get rid of the form based login and just match their Windows username against LDAP. In ColdFusion that can be retrieved by "cgi.auth_user" or "cgi.remote_user". Of course, a couple of thing need to be true before you can get the user's Windows username:
  1. The web site or virtual directory under IIS has to be set to "Integrated Authentication" only.
  2. If the users are using Internet Explorer
    1. The option "Tools/Internet Options/Advanced/Security/Enable Integrated Windows Authentication" has to be checked
    2. The website attempting to use integrated authentication has to be called with the local hostname only such as "http://intranet"
  3. If the users are using Firefox:
    1. The option "network.automatic-ntlm-auth.trused-uris" has to contain a string of allowed hosts to witch to pass the user's Windows username (such as "localhost,webapps")

The issue:

We all know Internet Explorer sucks. In my case it concidered urls like "" to be outside of my domain name and therefore it would not pass the user's Windows username (even though was the Windows domain I am already logged into). So the problem was how to redirect request for existing application from "" to "http://intranet"

To the rescue - Ionic's ISAPI Rewrite Filter:

Part of my solution was to setup separate web site with the host header "". The web site just pointed to an empty directory on the web server. My thinking was that I don't want to rewrite every url request that comes to the server. If you don't care, for step 3 below, install the ISAPI filter for your whole web server instead of a web site or a virtual directory.

I have no idea why IIS doesn't come with one of these rewrite filters yet. You can get the one above at To install it, you:
  1. Copy the "IsapiRewrite4.dll" to a Windows directory such as "c:\winnt\system32\inetsrv"
  2. Copy the "IsapiRewrite4.ini" to a Windows directory such as "c:\winnt\system32\inetsrv"
  3. Add the ISAPI filter to your IIS site or virtual directory by going to "ISAPI Filters" and browsing to the "IsapiRewrite4.dll" file
  4. Edit the "IsapiRewrite4.ini". Here are the contents of mine:
    # IsapiRewrite4.ini
    # IsapiRewrite4 options
    # RewriteLog  c:\temp\iirfLog.out
    RewriteLogLevel 0
    MaxMatchCount 10
    IterationLimit 10
    # Match a fully qualifed domain name such as
    # and redirect it to http://intranet (plus any query parameters).
    # Replace "domain" with your domain name
    RewriteCond %{SERVER_NAME} ([^\.]+)\.domain\.com$ [I]
    RewriteRule ^(.*)$ http://%1$1 [R]

Now every request that comes to "" will be rewritten to "http://intranet" (with a status code of 302 - that's what the [R] is for). This is also valid for "" or "".

Damn you IIS and Internet Explorer!

No comments:

Post a Comment

// //]]>