Textpattern CMS

#1 2005-11-21 22:20:40

jcromartie

New Member

Registered: 2005-11-21

Posts: 5

Password protection tag in IIS?

I am (not by my own choice, believe me!) running the latest version of Textpattern on an IIS server. I can’t recall the version off the top of my head, but anyway the txp:password_protect tag doesn’t work. Does this tag create .htaccess files or some other incompatibility? What’s going on?

The page just comes up with “HTTP 401.5 – Unauthorized: Authorization by ISAPI or CGI application failed”

Last edited by jcromartie (2005-11-21 22:21:22)

#2 2005-11-21 23:49:20

Mary

Sock Enthusiast

Registered: 2004-06-27

Posts: 6,236

Re: Password protection tag in IIS?

That tag uses http auth headers, and the variables PHP_AUTH_USER and PHP_AUTH_PW. The PHP manual mentions this:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft’s IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration “Directory Security”. Click on “Edit” and only check “Anonymous Access”, all other fields should be left unchecked.

Another limitation is if you’re using the IIS module (ISAPI) and PHP 4, you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code: list($user, $pw) = explode(‘:’, base64_decode(substr($_SERVER[‘HTTP_AUTHORIZATION’], 6)));

IIS Note:: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Does that help any?

#3 2005-11-22 19:29:41

jcromartie

New Member

Registered: 2005-11-21

Posts: 5

Re: Password protection tag in IIS?

I figgered it out. Thanks to a post buried deep in the PHP.net manual pages:

“Regarding HTTP authentication in IIS with the php cgi 4.3.4, there’s one more step. I searched mightily and didn’t find this information anywhere else, so here goes. When using HTTP auth with the php CGI, you need to do the following things:

1. In your php.ini file, set “cgi.rfc2616_headers = 0”

2. In Web Site Properties -> File/Directory Security -> Anonymous Access dialog box, check the “Anonymous access” checkbox and uncheck any other checkboxes (i.e. uncheck “Basic authentication,” “Integrated Windows authentication,” and “Digest” if it’s enabled.) Click OK.

3. In “Custom Errors”, select the range of “401;1” through “401;5” and click the “Set to Default” button.

It’s this last step that is crucial, yet not documented anywhere. If you don’t, instead of the headers asking for credentials, IIS will return its own fancy but useless ‘you are not authenticated’ page. But if you do, then the browser will properly ask for credentials, and supply them in the $_SERVER[‘PHP_AUTH_*’] elements.”

Number 3 is the most important step and by far the most infuriating step because it’s just put one more nail in IIS’s coffin for me. I friggin’ hate IIS like a fat kid hates aerobics.