Configuring Tomcat-Connector for IIS 7.0 (Windows Server 2008)

This page is part of the installation guide for the Confluence SharePoint Connector. It tells you how to configure access to Confluence using Integrated Windows Authentication via IIS.

This section of the guide describes the steps necessary to set up an IIS website that will perform authentication using NTLM or Kerberos, and then forward the authenticated requests to the Confluence instance. You will do this by installing a custom ISAPI filter in IIS that understands how to use the AJP protocol (Apache JServ Protocol) to communicate with Confluence.

On this page:

Installation

Step 1. Install and Configure the AJP Connector

1. Download the latest Tomcat Connector ISAPI Filter binaries from the download page on apache.org, ensuring that you select the version that is appropriate for your operating system and CPU architecture. At the time this installation guide was written, the latest version was jk-1.2.30. Use the table below to help identify the correct download version for your server.

   Operating System	CPU Architecture	Download Link
   Windows Server 2008 x86 (32-bit)	Any	win32
   Windows Server 2008 x64 (64-bit)	Intel 64 or AMD64 (x86-64)	win64-amd64
   Windows Server 2008 x64 (64-bit)	Intel Itanium (IA-64)	win64-ia64

2. Download the tomcat_iis_connector.zip file attached to this page. It contains the configuration files necessary for the ISAPI filter to run and communicate with your Confluence server.
3. Extract the downloaded zip file and place the contents in a folder alongside the downloaded binary file in a convenient location on your server. The default location is C:\tomcat_iis_connector.
4. Rename the downloaded binary file to isapi_redirect.dll (that is, remove the version number from the file name).
5. If you extracted the AJP Connector to a directory other than the default (C:\tomcat_iis_connector), then edit the isapi_redirect.properties file and ensure that the log_file, worker_file, worker_mount_file and rewrite_rule_file properties point to the correct locations.
6. If your Confluence server is not running on the same server as IIS (for example, if Confluence is running on a non-Windows server), then edit the worker.properties.minimal file in the conf directory so that the worker.worker1.host property points to the IP address or host name of your Confluence server.
7. If you wish to change the default port for Confluence's AJP Connector, then edit the worker.properties.minimal file in the conf directory and change the worker.worker1.port property to specify the required port number. The default port used in this guide for Confluence's AJP Connector is 8009.

Step 2. Add ISAPI Filter

1. Open the Internet Information Services (IIS) Manager.
2. In the 'Connections' panel, ensure that the IIS Web Site that will be used to proxy Confluence requests is selected.
3. Double-click the 'ISAPI Filters' icon in 'Features View'.
   
4. In the 'Actions' panel on the right, select 'Add'.
5. Set the 'Filter name' to 'tomcat' and set the 'Executable' to the isapi_redirect.dll that you downloaded in step 1.
   
6. Click 'OK'.
7. The new filter should now be listed in the ISAPI Filters list for the website.

Step 3. Add Virtual Directory

Now you will add a virtual directory in the IIS website to host the ISAPI Filter.

1. In the 'Connections' panel, ensure that the correct IIS Web Site is selected.
2. Right-click the IIS Web Site and select 'Add Virtual Directory'.
   
3. Set the 'Alias' to 'jakarta'.
4. Set the 'Physical Path' to the directory where you extracted the ISAPI Filter in step 1 (such as, C:\tomcat_iis_connector).
5. Click 'OK'.
6. Verify that a 'jakarta' virtual directory is now present under the selected website.
7. Next, select the 'jakarta' virtual directory in the 'Connections' panel.
8. Double-click the 'Handler Mappings' icon in 'Features View'.
9. Click the 'Edit Feature Permissions' link in the 'Actions' panel.
10. Ensure that the 'Execute' option is selected.
    
11. Click 'OK'.

Step 4. Enable Integrated Windows Authentication

This step involves modifying the security of the IIS Web Site to use NTLM or Kerberos authentication.

1. Select the IIS Web Site modified in step 3 and double-click the 'Authentication' icon in 'Features View'.
2. Use the 'Disable' and 'Enable' items in the 'Actions' panel to ensure that 'Windows Authentication' is the only authentication method listed in the table as 'Enabled'.

Step 5. Register the ISAPI Extension

Now you will register the isapi_redirect.dll as an authorised ISAPI Extension.

1. In the 'Connections' panel, ensure that the local IIS Server is selected.
2. Double-click the 'ISAPI and CGI Restrictions' icon in 'Features View'.
3. Click 'Add' in the 'Actions' panel.
4. Set the 'ISAPI or CGI path' to the isapi_redirect.dll you downloaded in step 1.
5. Set the 'Description' to 'tomcat'.
6. Ensure that the 'Allow extension path to execute' is selected.
   
7. Click 'OK'.
8. Verify that the new ISAPI restriction is listed in the table with a restriction of 'Allowed'.

Step 6. Allow Double Escaping

By default, IIS 7 prohibits any URL that contains a '' character in the URL from being served. This is referred to as 'double escaping'. In Confluence, any page with a space in the title will be served from a URL with spaces replaced by the '' sign (such as, 'http://confluence/display/spacekey/This+Page+Has+Spaces+In+The+Title'). You will need to disable this security feature in IIS 7 in order for the ISAPI filter to correctly process any Confluence page URLs.

1. In the 'Connections' panel, ensure that the IIS Web Site that will be used to proxy Confluence requests is selected.
2. Double-click the 'Request Filtering' icon in 'Features View'.
   
3. Click the 'Edit Feature Settings' link in the 'Actions' panel.
4. Ensure that the 'Allow double escaping' option is selected.
   
5. Click 'OK'.

Next Step

You have now set up a Tomcat connector for IIS. Please continue with the next step in configuring access to Confluence using IWA via IIS.