SSO and MindTouch Directory Permissions

[mikepixel]

I am running MindTouch Core v.9.02.4 on Windows Server 2008, and have added LDAP/Active Directory authentication to the MindTouch site.

Everything works great when I allow for both Local and Active Directory login. The users can log in using AD accounts with no issues, but as soon as I follow the directions here ( http://developer.mindtouch.com/Deki/..._on_Windows%3F ) and enable SSO, the users get a 500 - Internal server error.

The IT folks don't, but we have full rights to the entire MindTouch directory on the C:drive. I found that when I give the users full rights to the MindTouch Directory on the C:drive they can then login using SSO.

Am I missing something? Do I need to set folder permissions outside of IIS and on the entire MindTouch folder (directory)?

I have poured over the MindTouch documentation and haven't found anything on this.

I am really getting frustrated. Has anyone run into this yet?

Thanks,

[crb]

When you enable Windows authentication, IIS impersonates that user to read the files off the disk, not the generic anonymous user.

You therefore have to have read permission on "the files" to be able to serve them.

What "the files" are exactly, I don't know - I suspect that FastCGI intercepts requests to the php files - but you will easily see the failures in Process Monitor. Filter on w3wp.exe and failures.

Let me know if I can help you further.