Question

I have site minder installed on IIS7 and I am running ASP.NET site on the sever. It appears that Site minder SSO fails to protect ASP.NET MVC requests. It appears that all ASP.NET requests are processed by ASP.NET isapi filter which prevent Siteminder isapi filter from running. How can I make siteminder SSO work for protect my ASP.NET MVC site? Is there a way I can force isapi filter for Siteminder SSO to be loaded before ASP isapi filter?

Answer 1

The solution for us was to list the SiteMinder web agent ISAPI handler followed by the MVC ISAPI handler, in that order, in your web.config file.

I posted the code fragment here.

Answer 2

Have you tried ordering ISAPI filters in IIS? I have not done it with Win2008 IIS7, but with Windows 2003, SiteMinder agent installer reorders the filters. You should be able to check it in IIS Manager and reorder. SiteMinder filter should be on the top.

Answer 3

I had the same problem on my MVC-2 site enenthough the virtual folder was protected by siteminder.

Finally figured out what the issue was.

Changed the Application Pool mode to Classic from Integrated and voila! problem solved.

Answer 4

We have the same problem for MVC3 on IIS7 and we need to use Integrated Mode. Our solution is to use combination IHttpModule and Handler (.axd) but it is now uncessary since the new version of siteminder has IIS7WebAgent.dll which is a integrated MODULE instead of ISAPI filter (ISAPI6WebAgent.dll). I tested this and confirmed its working, it was able to protect all our MVC url and we can also read HTTP Header created by siteminder such as SM_USER from the MVC pipeline.

The siteminder version I tested is R12 SP 3. If your planning to use IIS7WebAgent.dll, you need to remove all occurances of ISAPI6WebAgent.dll on "Handler Mappings", "ISAPI & CGI Restrictions" and "ISAPI Filter" on IIS to make sure its not complicting.

友情链接