0
votes

I'm getting a 403 error when I try to set up dispatcher flush through author in IIS. I'm fairly certain I need to set up authentication for the AEM author instance in IIS but I'm not sure which steps to take to do that. I've looked at Authentication for the site and anonymous authentication is set to Application Pool Identity. The dispatcher flush user is set to replication-receiver so I'm a little confused as to why IIS is reporting the user is anonymous. How do I allow my author instance to get access to /dispatcher/invalidate.cache? I've also looked at my dispatcher cache and I'm not seeing the dispatcher folder or invalidate.cache. Is this something that will appear once the permissions are resolved?

Stackoverflow won't let me post links so I've put a Q in front of all the links. That doesn't appear in the log.

IIS log:

    2016-10-14 18:09:37 999.999.999.999 GET /dispatcher/invalidate.cache - 80 - 999.999.999.999 Jakarta+Commons-HttpClient/3.1 about:blank 403 0 0 1

AEM test log:

    Replication test to Qhttp://www.myproject.ca:80/dispatcher/invalidate.cache
    14.10.2016 18:11:09 - Create new HttpClient for Production Dispatcher Flush
    14.10.2016 18:11:09 - * Auth User: replication-receiver
    14.10.2016 18:11:09 - * HTTP Version: 1.1
    14.10.2016 18:11:09 - adding header: CQ-Action:Test
    14.10.2016 18:11:09 - adding header: CQ-Handle:/content
    14.10.2016 18:11:09 - adding header: CQ-Path:/content
    14.10.2016 18:11:09 - deserialize content for delivery
    14.10.2016 18:11:09 - No message body: Content ReplicationContent.VOID is empty
    14.10.2016 18:11:09 - Sending GET request to Qhttp://www.myproject.ca:80/dispatcher/invalidate.cache
    14.10.2016 18:11:09 - sent. Response: 403 Forbidden
    14.10.2016 18:11:09 - Replication (TEST) of /content not successful. Conversation follows
    14.10.2016 18:11:09 - ------------------------------------------------
    14.10.2016 18:11:09 - Sending message to www.myproject.ca:80
    14.10.2016 18:11:09 - >> GET /dispatcher/invalidate.cache HTTP/1.0
    14.10.2016 18:11:09 - >> CQ-Action: Test
    14.10.2016 18:11:09 - >> CQ-Handle: /content
    14.10.2016 18:11:09 - >> CQ-Path: /content
    14.10.2016 18:11:09 - >> Referer: about:blank
    14.10.2016 18:11:09 - >> Content-Length: 0
    14.10.2016 18:11:09 - >> Content-Type: application/octet-stream
    14.10.2016 18:11:09 - --
    14.10.2016 18:11:09 - << HTTP/1.1 403 Forbidden
    14.10.2016 18:11:09 - << Cache-Control: private
    14.10.2016 18:11:09 - << Content-Type: text/html; charset=utf-8
    14.10.2016 18:11:09 - << Server: Microsoft-IIS/8.5
    14.10.2016 18:11:09 - << Date: Fri, 14 Oct 2016 18:11:09 GMT
    14.10.2016 18:11:09 - << HTTP Error 403.0 - Forbidden
    14.10.2016 18:11:09 - << You do not have permission to view this directory or page.
    14.10.2016 18:11:09 - << Most likely causes:
    14.10.2016 18:11:09 - << This is a generic 403 error and means the authenticated user is not authorized to view the page.
    14.10.2016 18:11:09 - << Things you can try:
    14.10.2016 18:11:09 - << Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, Qhttp://go.microsoft.com/fwlink/?LinkID=66439
    14.10.2016 18:11:09 - << Detailed Error Information:
    14.10.2016 18:11:09 - Module
    14.10.2016 18:11:09 - << Notification    ExecuteRequestHandler
    14.10.2016 18:11:09 - << Handler    AEM
    14.10.2016 18:11:09 - << Error Code    0x00000000
    14.10.2016 18:11:09 - << Requested URL     Qhttp://www.myproject.ca:80/dispatcher/invalidate.cache
    14.10.2016 18:11:09 - << Physical Path    C:\inetpub\wwwroot\dispatcher\invalidate.cache
    14.10.2016 18:11:09 - << Logon Method    Anonymous
    14.10.2016 18:11:09 - << Logon User    Anonymous
    14.10.2016 18:11:09 - << More Information:
    14.10.2016 18:11:09 - << This generic 403 error means that the authenticated user is not authorized to use the requested resource. A substatus code in the IIS log files should indicate the reason for the 403 error. If a substatus code does not exist, use the steps above to gather more information about the source of the error.
    14.10.2016 18:11:09 - << Qhttp://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=403,0,0x00000000,9600 View more information
    14.10.2016 18:11:09 - Message sent.
    14.10.2016 18:11:09 - ------------------------------------------------
    14.10.2016 18:11:09 - Replication (TEST) of /content not successful. Replication test failed Forbidden
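
An added example, not part of the original post and not AEM or IIS code: a Python helper that reads a replication test log in the format quoted above and collects the configured agent user, the request and headers shown as sent, and the IIS error-page fields, so the agent user can be compared with the logon IIS reports. The function name `summarize` and the shortened sample log are constructed for this example.

```python
import re

# Constructed sample: a shortened copy of the replication test log quoted above.
SAMPLE_LOG = r"""
14.10.2016 18:11:09 - * Auth User: replication-receiver
14.10.2016 18:11:09 - >> GET /dispatcher/invalidate.cache HTTP/1.0
14.10.2016 18:11:09 - >> CQ-Action: Test
14.10.2016 18:11:09 - << HTTP/1.1 403 Forbidden
14.10.2016 18:11:09 - << Server: Microsoft-IIS/8.5
14.10.2016 18:11:09 - << HTTP Error 403.0 - Forbidden
14.10.2016 18:11:09 - << Handler    AEM
14.10.2016 18:11:09 - << Physical Path    C:\inetpub\wwwroot\dispatcher\invalidate.cache
14.10.2016 18:11:09 - << Logon Method    Anonymous
14.10.2016 18:11:09 - << Logon User    Anonymous
"""

# Timestamp, " - ", then a marker: "*" agent setting, ">>" sent, "<<" received.
LINE = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2} - (\*|>>|<<) ?(.*)$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
# Rows of the IIS detailed-error table, logged as "Name    Value".
IIS_FIELDS = ("Handler", "Physical Path", "Logon Method", "Logon User")

def summarize(log_text):
    """Collect what the agent sent and what the answering server reported."""
    out = {"agent_user": None, "request": None, "sent_headers": {},
           "status": None, "server": None, "iis": {}}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # separators and lines without a direction marker
        marker, text = m.group(1), m.group(2).strip()
        hdr = HEADER.match(text)
        if marker == "*":
            if text.startswith("Auth User:"):
                out["agent_user"] = text.split(":", 1)[1].strip()
        elif marker == ">>":
            if out["request"] is None:
                out["request"] = text  # the request line is logged first
            elif hdr:
                out["sent_headers"][hdr.group(1).lower()] = hdr.group(2)
        elif text.startswith("HTTP/") and out["status"] is None:
            out["status"] = int(text.split()[1])  # response status line
        elif hdr and hdr.group(1).lower() == "server":
            out["server"] = hdr.group(2)
        else:
            for name in IIS_FIELDS:
                if text.startswith(name + " "):
                    out["iis"][name] = text[len(name):].strip()
    return out
```

Calling `summarize(SAMPLE_LOG)` returns a dictionary; printing it puts `agent_user`, `sent_headers` and the `iis` fields side by side.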

1 Answer

0
votes

As far as I can tell, your request to the dispatcher flush URL path /dispatcher/invalidate.cache is returning an HTTP status 403 (Forbidden).

This seems to be happening because you did not allow this path in your dispatcher.any configuration. Usually, best practice is to deny all paths by default and then whitelist the paths that are allowed. This is done in the dispatcher filter rules.

To fix this you should have a look at your dispatcher.any and try something like this:

[...]

    /filter
        {
        # each filter rule needs its own name; /0002 is a placeholder
        /0002
            {
            /glob "* /dispatcher/invalidate.cache"
            /type "allow"
            }
        }

[...]