The <ISAPI> element provides a piece of functionality missing from IIS, namely the ability to obtain canonical scheme, host, and port information about an incoming request.

You'll need to restart IIS after changing this particular set of options.

This is essential for enforcing request-specific access policy from outside the IIS core engine (which filters like Shibboleth's have to do). It's also necessary to enable proper generation of redirects when running virtualized servers on internal ports.

Apache handles this with the ServerName and UseCanonicalName directives, and Sun/iPlanet servers have an extensible configuration file, but IIS is broken and does not support this capability. IIS will only report scheme, host, and port values based on what the client supplies in its request. Those values cannot be trusted and cannot be used to look up settings.

<ISAPI normalizeRequest="true">
    <Site id="1" name="">
    </Site>
    <Site id="1534573457" scheme="https" name="" port="443"/>
</ISAPI>

The first element defines a default IIS web site with an Instance ID of "1" that runs on the standard ports. It also authorizes clients to access the site with an alias, and allows the alias to be used when redirects are generated.

Note that content rules specified for the primary hostname will NOT apply when requests with the alias are made. Using an alias requires that you duplicate any request map settings for each host you want to allow.

The second example element is a virtual web site running behind an SSL accelerator that translates SSL requests to non-SSL requests. The scheme and port attributes override the physical settings with logical values seen by the client.
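A small model of the mapping described above, as an added example that is not Shibboleth's code or part of the original page. The hostnames, the `<Alias>` child element and the function names are assumptions, and falling back to the configured name for an unlisted host is this example's reading of the text.

```python
import xml.etree.ElementTree as ET

# Constructed configuration; the hostnames are placeholders, not from the page.
CONFIG = """
<ISAPI normalizeRequest="true">
    <Site id="1" name="sp.example.org">
        <Alias>alias.example.org</Alias>
    </Site>
    <Site id="1534573457" scheme="https" name="vhost.example.org" port="443"/>
</ISAPI>
"""

def load_sites(xml_text):
    """Map IIS instance ID -> canonical settings for that site."""
    sites = {}
    for site in ET.fromstring(xml_text).findall("Site"):
        sites[site.get("id")] = {
            "name": site.get("name").lower(),
            "scheme": site.get("scheme"),  # None: keep the physical scheme
            "port": site.get("port"),      # None: keep the physical port
            "aliases": {a.text.strip().lower() for a in site.findall("Alias")},
        }
    return sites

def canonical_url(sites, instance_id, host_header, phys_scheme, phys_port, path):
    """Build the URL to use for policy lookup and redirect generation."""
    site = sites.get(instance_id)
    if site is None:
        raise LookupError(f"no <Site> mapping for instance {instance_id}")
    # Only the hostname is compared; a client-supplied port is ignored.
    host = host_header.split(":")[0].strip().lower()
    # A client-supplied host is kept only if it is the name or a listed alias.
    if host != site["name"] and host not in site["aliases"]:
        host = site["name"]
    # Logical scheme/port from the mapping override the physical values.
    scheme = site["scheme"] or phys_scheme
    port = site["port"] or str(phys_port)
    default = {"http": "80", "https": "443"}.get(scheme)
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"

SITES = load_sites(CONFIG)
```

Because an alias is passed through unchanged, request map rules keyed on the primary hostname do not match it, which is why the settings have to be duplicated per host.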


Child Elements