Hello,
I have recently ported a tomcat-based application from using IIS 5.1 to using IIS 6.0, and I am seeing an interesting change in the IIS configuration that I hoped someone could explain. I have an application where I want a subset of the URLs to go through Basic Authentication and the rest not to. In this case, I want all URLs under /application/foo to require Basic Authn. Original Environment: MS Windows XP Pro 2002 SP2 IIS Version 5.1 Tomcat 5.5 with the associated ISAPI redirect.dll. Under IIS, I have created a directory structure like this, /Default Web Site/ /jakarta/ (maps to the ISAPI filter, no Basic Authn enabled) /application/ (no Basic Authn enabled) /application/foo (Basic Authn enabled) All of this works fine, and the set-up supports SSL and Basic Authn appropriately. Upgraded Environment: MS Windows Server 2003 R2 IIS 6.0 Tomcat 5.5 with associated ISAPI redirect dll. In this environment, I set-up a similar folder structure (including security), but the only way I could get everything to work properly is to turn on both Anonymous and Basic Authn for the jakarta directory. If I just turned on Basic Authn, then Basic Authn would be enforced for requests that should have just been anonymous, and if I turned on just anonymous, then requests requiring Basic Authn would fail with a 401.2 error. This was not the case if I turned on Basic Authn for a folder that mapped to a directory on the system. Does anyone understand why this additional configuration was necessary in IIS 6.0 and not IIS 5.1? Thanks for any help you can provide, Matt