IFSEXT.DLL and the dialog box that is so very WRONG


Ifsext.dll is the ADFS ISAPI used by the Token based Web Agent. We have seen issues before where we either need to add this manually or move it to the top of the list on the application config section of IIS.

Once you go to the properties of a web site, the Virtual Directory tab has a button labeled Configuration.

The bottom section of the dialog has a box that is labeled Wildcard application maps (order of implementation).  This is where you may need to insert the ifsext.dll file.  When you do this - the box below is presented and you can browse to the needed file. 

For ADFS - this file must be at the top of the list.  Using the token based applications for SharePoint 2007 - this is a common "gotcha" - the ifsext.dll is below the Framework 2.0 ISAPI.  After setting everything up - you get an "access denied" error message from the site even though you have the proper group SID according to the ADFS logs and you have added that group to SharePoint permissions. Once you move the ifsext.dll to the top - everything works as expected.  I used to think that was a whipping - not anymore...

The dialog that is wrong - so very very wrong, is the part that says “Verify that file exists”

What would you think this means? I can tell you that I thought it meant - verify the .dll file placed in here actually exists before you say OK.

Well – that is NOT what it means…

From the IIS Documentation:

Add/Edit Application Extension Mapping (for Wildcard Application Maps)


Type the name of the executable file (.exe or .dll). The executable file must be located on your Web server's local hard disk.


Click to locate your Web server's local hard disk for the ISAPI application.

Verify that file exists

Select Verify that file exists to instruct the Web server to verify the existence of the requested script file and to ensure that the requesting user has access permission for that script file. If the script does not exist or the user does not have permission, the appropriate warning message is returned to the browser and the script engine is not invoked. This option can be useful for scripts mapped to non-CGI executables, such as the Perl interpreter, that do not send a CGI response if the script is not accessible. Because the script must be opened twice, once by the server and once by the script engine, enabling this option can impact performance.

WOW! The fact is that if the file doesn’t exist in the location you specified – you will get an error either way.

I mentioned a future blog on SQL Reporting Services and that is still going to happen.

After just understanding this after several hours of troubleshooting by many different people - I felt I had to quickly write about it.

Having this box checked on the reportserver directory will make it so a report will never render if the toolbar is enabled. The requested /ReportServer/Reserved.ReportViewerWebControl.axd does not exist as a file in the ReportServer directory.
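
An offline check for both gotchas above, as an added example that is not part of the original post: it assumes each wildcard application map has been exported as a `*,path,flags` string (the IIS 6 metabase ScriptMaps style) and that flag bit 4 is the "Verify that file exists" checkbox. The `audit` and `wildcard_maps` names, the sample entries and the ifsext.dll path are constructed for illustration.

```python
CHECK_FILE_EXISTS = 4  # assumed flag bit for the "Verify that file exists" checkbox

def wildcard_maps(script_maps):
    """Return [(dll_name, flags)] for wildcard entries, in list order."""
    found = []
    for entry in script_maps:
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) < 3 or parts[0] != "*" or not parts[2].isdigit():
            continue  # extension-specific or malformed entry, not a wildcard map
        dll = parts[1].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        found.append((dll, int(parts[2])))
    return found

def audit(vdir, script_maps, needs_adfs=False):
    """Return a list of findings for one virtual directory."""
    findings = []
    maps = wildcard_maps(script_maps)
    names = [dll for dll, _ in maps]
    # ADFS token-based sites: ifsext.dll must be the first wildcard map.
    if needs_adfs and "ifsext.dll" not in names:
        findings.append(f"{vdir}: ifsext.dll is not in the wildcard application maps")
    elif needs_adfs and names[0] != "ifsext.dll":
        findings.append(f"{vdir}: ifsext.dll is below {names[0]}; move it to the top")
    # With the flag set, URLs that have no file on disk never reach the ISAPI.
    for dll, flags in maps:
        if flags & CHECK_FILE_EXISTS:
            findings.append(f"{vdir}: 'Verify that file exists' is set on {dll}")
    return findings

# Constructed sample entries; the ifsext.dll path is a placeholder.
ASPNET = r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll"
IFSEXT = r"C:\placeholder\ifsext.dll"
SHAREPOINT_BAD = [f".aspx,{ASPNET},1,GET,HEAD,POST", f"*,{ASPNET},0", f"*,{IFSEXT},0"]
SHAREPOINT_OK = [f".aspx,{ASPNET},1,GET,HEAD,POST", f"*,{IFSEXT},0", f"*,{ASPNET},0"]
REPORTSERVER_BAD = [f"*,{ASPNET},5"]

if __name__ == "__main__":
    for line in (audit("SharePoint", SHAREPOINT_BAD, needs_adfs=True)
                 + audit("SharePoint", SHAREPOINT_OK, needs_adfs=True)
                 + audit("ReportServer", REPORTSERVER_BAD)):
        print(line)
```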

Comments (1)

  1. Anonymous says:

    Special thanks to Rahul Shelar and Sachin Mundra from the ADFS and SQL teams for working with me on this
