Known issues and limitations
The following are known issues or limitations for the Internet Information Services (IIS) Integration Kit.
Known limitations
- The installer does not recognize IIS 7.0 (or IIS 7.5) as uninstalled and does not stop the installation if IIS has been previously installed and then uninstalled.
- IIS Integration Kit does not support newline characters (such as '\n' and '\r') within attributes.
- When using Form POST as the transport mode in the SP OpenToken adapter, a trailing / may be needed in the URL for accessing the protected resources.
- The OpenToken name specified in the adapter setup must be unique within the given federation. This is not enforced in the user interface.
- When using the installer to upgrade by uninstalling and reinstalling the agent, it is necessary to restart IIS after uninstall and before reinstall to ensure that old DLLs are not used. You can reset IIS with the command:

    iisreset /noforce

- After uninstalling, it is necessary to remove any application mappings set up manually. The uninstall script cannot remove these mappings.
- When using cookie as the transport method for OpenToken, the domain configured in the adapter setup must match the domain configured in pfisapi.conf. If they do not, it is possible to end up with a persistent cookie. This is not enforced.
- When using non-session cookie as the transport method for OpenToken, there is no session cookie configuration defined in the agent config file. Set the SessionCookie type in pfisapi.conf by removing the # and setting it to YES or NO.
- Classic managed pipeline mode is not supported.
- Attempting to access the POST data of a request in a native module in IIS 7 after the data has been accessed by a managed module (such as the OpenToken Module) prevents the native module from being able to access the data. This is a limitation of IIS 7. The issue also applies when using Query Parameter as the transport method. Using Cookie as the transport method is the only technique to resolve this issue.
- The OpenToken Module cannot be selected from the list of module types. Instead, it must be entered manually as shown in Adding the OpenToken HTTP Module in IIS.
- The OpenToken Module can only be added at the global server level. If you require implementation on a per-website basis, contact Ping Identity about PingAccess.
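Because the module is added at the global server level and Classic managed pipeline mode is not supported, it helps to know before deployment which applications run in Classic-mode pools. The following is an added example, not part of the Integration Kit or its documentation: it audits a copy of IIS's applicationHost.config offline. The function name and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS's applicationHost.config (not from the page).
SAMPLE_CONFIG = """\
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyPool" managedPipelineMode="Classic" />
      <add name="PortalPool" managedPipelineMode="Integrated" />
      <applicationPoolDefaults managedPipelineMode="Integrated" />
    </applicationPools>
    <sites>
      <site name="Portal" id="1">
        <application path="/" applicationPool="PortalPool" />
        <application path="/reports" applicationPool="LegacyPool" />
      </site>
      <site name="Intranet" id="2">
        <application path="/" />
      </site>
      <applicationDefaults applicationPool="DefaultAppPool" />
    </sites>
  </system.applicationHost>
</configuration>
"""

def classic_mode_apps(config_xml):
    """Return sorted (site, app path, pool) tuples for apps whose pool runs in Classic mode."""
    host = ET.fromstring(config_xml).find("system.applicationHost")
    pools = host.find("applicationPools")
    pool_defaults = pools.find("applicationPoolDefaults")
    # IIS falls back to Integrated when neither the pool nor the defaults set a mode.
    default_mode = "Integrated" if pool_defaults is None else pool_defaults.get("managedPipelineMode", "Integrated")
    mode = {p.get("name"): p.get("managedPipelineMode", default_mode) for p in pools.findall("add")}
    sites = host.find("sites")
    server_default = sites.find("applicationDefaults")
    fallback = "DefaultAppPool" if server_default is None else server_default.get("applicationPool", "DefaultAppPool")
    findings = []
    for site in sites.findall("site"):
        site_default = site.find("applicationDefaults")
        site_pool = fallback if site_default is None else site_default.get("applicationPool", fallback)
        for app in site.findall("application"):
            pool = app.get("applicationPool", site_pool)  # inherit the pool when not set on the app
            if mode.get(pool, default_mode).lower() == "classic":
                findings.append((site.get("name"), app.get("path"), pool))
    return sorted(findings)

if __name__ == "__main__":
    for site, path, pool in classic_mode_apps(SAMPLE_CONFIG):
        print(f"{site}{path}: pool {pool} runs in Classic mode (not supported)")
```

To audit a real server, pass the text of a copy of its applicationHost.config to the function instead of the sample.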