IIS doesn't define $_SERVER['REQUEST_URI']), so all the redirects and csrf tokens break. Placing the following code at the top of common.php seems to fix this.
if (!isset($_SERVER['REQUEST_URI']))
{
$_SERVER['REQUEST_URI'] = $_SERVER["SCRIPT_NAME"] . "?" . $_SERVER['QUERY_STRING'];
}