Configuring UNIFYBroker for use with IIS

For environments utilising the Identity Broker Web Component, or for finer control of security, access and other settings, UNIFYBroker can be configured for hosting by IIS.

In order to successfully connect with IIS, ensure that the UNIFYBroker self-hosted option is disabled. See Configuring for use with embedded web server for more information.

CHECK: The optional IIS components Windows authentication and ASP.NET v4.5 must be installed.

Setting up for use with IIS 8

CHECK: As of IIS 8, ISAPI and CGI restrictions is now an optional server role. Ensure that it has been added through the Windows add server role in Server Manager.

Continue configuration using the steps for IIS 7.5.

Setting up for use with IIS 7 or 7.5

CHECK: Before adding UNIFYBroker as a web site to IIS, a new or existing application pool must be updated to use .NET 4. This can be achieved by navigating to the Application Pools item in the Connections pane and clicking on Basic Settings for the new or existing application pool.

Image 3964

Right-click on Sites in the Connections pane and select Add Web Site....

Image 3965

Configure the website settings appropriately, ensuring to use a port that is not already in use. Ensure that the site is appropriately named, then select the physical path of the UNIFYBroker Web directory.

For a default install, this will be the Web directory. For an install utilising the optional Identity Broker Web Component, this will be the StandaloneWeb directory.

Image 3968

Select the appropriate application pool by using the Select... button.

Image 3967

Confirm the site settings are correct, then click OK.

Select the appropriate site in the Connections pane and navigate to Application Settings.

Image 3985

Ensure the UNIFYBroker endpoint addresses are correctly configured and pointing to the UNIFYBroker service, then click OK.

CHECK: For a remote instance of the UNIFYBroker Service, ensure that the service endpoint can be contacted.

Image 3986

Select the appropriate site in the Connections pane and navigate to Authentication.

Image 3987

Configure the web site to use Windows Authentication, and turn Anonymous Authentication off.

Image 3988

On the server Home page, confirm ASP.NET v4 is correctly configured under ISAPI and CGI Restrictions.

ALERT: Since .NET v4.5 is an in-place upgrade of v4, if you have v4.5 installed it will still show up as v4.

Image 3989

Image 3990

CHECK: If ASP.NET v4 is missing, open a command prompt and execute the following command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319>aspnet_regiis.exe -ir

Image 3991

Refresh the tab and verify the presence of the ASP.NET v4 entries. Ensure both are set to Allow.

Image 3990

Confirm that UNIFYBroker has been successfully configured by browsing to the configured address, or by browsing from IIS Manager.

Image 3992

Setting up for use with IIS 6

Add a new Web Site from IIS Manager using the menu item New followed by Web Site.

Image 3993

Enter a name for the site in the site description.

Image 3994

Configure the settings of the site. Ensure that the selected port is not currently in use, keeping in mind whether the self-hosted option is still in use. Consider turning the self-hosted option off.

Image 3995

Select the physical path of the UNIFYBroker Web directory. Turn anonymous access off.

For a default install, this will be the Web directory. For an install utilising the Web Component, this will be the StandaloneWeb directory.

Image 3996

Configure the permissions of the site as required.

Image 3997

Once the wizard has completed, right-click the new site and navigate to Properties.

Image 3998

Navigate to the Directory Security tab, then Edit under Authentication and access control.

Image 3999

Ensure that anonymous access has been disabled, and that Integrated Windows authentication is enabled. Click OK.

Image 4000

Under the ASP.NET tab, select ASP.NET 4.

Image 4001

The UNIFYBroker Web Component must be configured to point to the location of the UNIFYBroker Service. Locate the Web.config file. For the default install, this will by default be located at C:\Program Files\UNIFY Solutions\Identity Broker\Web\

For the web component, this will by default be located at C:\Program Files\UNIFY Solutions\Identity Broker\StandaloneWeb

Locate the endpoints of the following format:

<add key="endpointAddress" value="http://localhost:59990/IdentityBroker/IdentityBrokerManagementStudio.svc"/>

The value must be modified to match the location of the UNIFYBroker service. Typically, this involves changing localhost to the name of the server on which the service resides for each endpoint address.

Browse to the UNIFYBroker website at the address specified, or by clicking Browse from IIS.

Image 4002

This article was helpful for 1 person. Is this article helpful for you?

+1

The required server roles can be added using the following PowerShell command:

Install-WindowsFeature `
    Web-WebServer, `
    Web-Common-Http, `
    Web-Default-Doc, `
    Web-Dir-Browsing, `
    Web-Http-Errors, `
    Web-Static-Content, `
    Web-Health, `
    Web-Http-Logging, `
    Web-Performance, `
    Web-Stat-Compression, `
    Web-Security, `
    Web-Filtering, `
    Web-Windows-Auth, `
    Web-App-Dev, `
    Web-Net-Ext45, `
    Web-Asp-Net45, `
    Web-CGI, `
    Web-ISAPI-Ext, `
    Web-ISAPI-Filter, `
    Web-Mgmt-Tools, `
    Web-Mgmt-Console

Thanks to Matt Woolnough for supplying this.

Even after running Matts script, 'CGI and ISAPI Restrictions' does not appear as an option in IIS. Broker loaded OK in my test environment without checking it but do you know why this option doesn't appear?

It's quite confusing, so here's my take.

Firstly, "ISAPI and CGI restrictions" is an IIS Manager feature.  But it's not clear which Server Role is required to make that feature appear in IIS Manager.  Here are the Server Roles which show in the Server Manager wizard:


None of these are unambiguously the right thing.  Perhaps "CGI" is the one that's needed?

The image above shows which Server Roles are installed in my test VM, which is successfully running Broker and Broker/Plus (for both development and testing run-time activities).  However, in IIS Manager the ISAPI and CGI restrictions feature isn't visible:

I therefore believe (contrary to the advice above) that the ISAPI and CGI restrictions feature may not actually be required for normal function of Broker.

Note: my finding above are for IIS 10.0.

This says the ISAPI Extensions OR CGI needs to be installed. http://middlewarewarrior.blogspot.com/2014/12/isapi-and-cgi-restrictions-missing-iis.html I have both though. 

Are you looking at the configuration for a website or the server? Refer to the screenshot and take note of what item in the Connections pane is selected.

Beau you're spot on.  I was looking in the wrong place! :-(

Beau, exactly which optional Server Roles must be installed in order to enable ISAPI and CGI restrictions in IIS >= 8?  Right now it's not actually specified or shown in this knowledge base article.

I have just spoken to Matt, and for a up-to-date server running IIS 10 in 2019 here is a picture highlighting the specific server roles that are required: