IIS6 Installation

Prerequisites

  1. Configure and test website
    1. Before installing CoSign, configure your website using IIS Manager (or your tool of choice) and verify that the website works properly.
  2. Configure and test SSL access
    1. All applications in your service which will be configured to use CoSign must be SSL-protected. Configure and verify the correct behavior of SSL access to your website before you begin the CoSign installation process.
  3. Register service in WebLogin Management Console (WMC)
    1. Follow the provided instructions to register your web service for CoSign authentication.
  4. All installations must be able to make TCP connections to weblogin.pennkey.upenn.edu on port 6663.

Installation

  1. Unzip the configuration bundle downloaded from WMC. The bundle contains the following:
    DEBUGGING.txt - provides information on debugging problems during the IISCosign installation and configuration process
    iiscosign-2.1.0-rc2.zip - the IISCosign filter binary and source code
    msxml.msi - MSXML 4.0 Service Pack 2.0, required by IISCosign
    README.txt - this documentation, placed into a plain text file for user convenience
    vcredist_x86.exe - Microsoft Visual C++ 2005 Runtime, 32-bit, required by IISCosign on 32-bit platforms
    vcredist_x64.exe - Microsoft Visual C++ 2005 Runtime, 64-bit, required by IISCosign on 64-bit platforms

    NOTE: Ensure that MSXML 4.0 and the appropriate Microsoft Visual C++ Runtime for your platform are installed before unzipping the file.

  2. Create a new directory: C:\Program Files\IISCosign\.
  3. Unzip the file iiscosign-2.1.0-rc2.zip and place the contents in C:\Program Files\IISCosign\.
  4. In C:\Program Files\IISCosign\, create the following directories:
    • \SSL
    • \SSL\CA
    • \Logs
    • \CookieDB
  5. Set appropriate filesystem permissions:
    1. For your entire C:\Program Files\IISCosign\ folder:
      • IIS_WPG needs everything selected except for Special Permissions. Be sure to select the option that applies these permissions to the folder contents and sub-folders.
    2. For the \CookieDB\ folder:
      • IUSR_[machine name] (Internet Guest Account) needs Read and Write selected.
    3. For the \Logs\ folder:
      • IUSR_[machine name] needs Read & execute, List Folder Contents, Read, and Write.
  6. Create required system registry settings by running the file cosign.reg located in C:\Program Files\IISCosign\.

Configuration

Install Certificate and Key

  1. Locate the certificate and key inside the configuration bundle that you've downloaded from WMC.
  2. Place the service's certificate and key in C:\Program Files\IISCosign\SSL\
  3. Place the CA certificate inside C:\Program Files\IISCosign\SSL\CA\
  4. From C:\Program Files\IISCosign\, determine the hash value of the CA certificate using the following command:
    C:\Program Files\IISCosign> openssl x509 -noout -hash -in SSL\CA\CAcertFileName.pem
    The hash value will look similar to 838d00c5.
  5. Copy SSL\CA\CAcertFileName.pem to SSL\CA\[hash value].0
  6. Copy sample.cosign.dll.config to cosign.dll.config

Configure IISCosign

  1. Update the following tags as shown:
    <CAFilePath>C:\Program Files\IISCosign\SSL\CA\</CAFilePath>
    ...
    <ChainFilePath>C:\Program Files\IISCosign\SSL\[service name from WMC].crt</ChainFilePath>
    ...
    <PrivateKeyFilePath>C:\Program Files\IISCosign\SSL\[service name from WMC].key</PrivateKeyFilePath>
    ...
    <Log>
    	...
    	<Path>C:\Program Files\IISCosign\Logs</Path>
    	...
    	<WriteDataToEventViewer>true</WriteDataToEventViewer>
    </Log>
    ...
    <CookieDB>
    ...
    	<Path>C:\Program Files\IISCosign\CookieDB</Path>
    ...
    </CookieDB>
    ...
    <LoginServer>
    ...
    	<DNSName>weblogin.pennkey.upenn.edu</DNSName>
    	...
    	<LoginURL>https://weblogin.pennkey.upenn.edu/login?</LoginURL>
    	...
    	<LoginPostErrorURL>https://weblogin.pennkey.upenn.edu/post_error.html</LoginPostErrorURL>
    </LoginServer>
    
    We recommend that you specify the cookie settings based on your website's configuration and requirements:
    <Cookies>
    	<Secure>true</Secure>     <!-- Cookie only sent over SSL connection -->
    	<HttpOnly>true</HttpOnly> <!-- Cookie may not be accessed by JavaScript -->
    </Cookies>
    

    NOTE: In releases prior to iiscosign-3.0.0, the <Cookies/> stanza must appear before the <ConnectionPoolSize/> tag.

    Beginning with iiscosign-3.0.0, two new configuration tags now appear between the <Cookies/> and <ConnectionPoolSize/> tags:
    <ValidReference>^https?:\/\/your\.server\.upenn\.edu\/.*$</ValidReference>
    <ValidationErrorRedirect>https://weblogin.pennkey.upenn.edu/validation_error.html</ValidationErrorRedirect>
    

    <ValidReference/> contains a regular expression that is used to match URLs to which users may be redirected after login. These will typically be the original destination URLs that users attempted to access before being prompted to authenticate at https://weblogin.pennkey.upenn.edu. The regular expression supplied in <ValidReference/> should account for any URL specified in a <Protected/> or <AllowPublicAccess/> tag below. See Cosign 3 Changes for more discussion of what is new in CoSign protocol version 3.
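    The following PowerShell snippet is an added check, not part of the original page: it runs constructed candidate return URLs against the <ValidReference/> pattern shown above, so you can confirm before deployment that the expression accepts your own site's URLs and rejects look-alike hosts. It assumes that .NET's regex engine agrees with the filter's engine for an expression this simple, and uses the page's placeholder host your.server.upenn.edu.

```powershell
# Added example: exercise a <ValidReference/> pattern against constructed URLs
# before putting it into cosign.dll.config. Substitute your service's DNS name
# for the placeholder host taken from the page.
$validReference = '^https?:\/\/your\.server\.upenn\.edu\/.*$'

# Constructed test cases: a URL and whether the pattern SHOULD accept it.
$cases = @(
    @{ Url = 'https://your.server.upenn.edu/private/report.aspx';        Expect = $true  }
    @{ Url = 'https://your.server.upenn.edu/';                            Expect = $true  }
    @{ Url = 'http://your.server.upenn.edu/home';                         Expect = $true  }  # https? also admits plain http
    @{ Url = 'https://your.server.upenn.edu.example.net/';                Expect = $false } # look-alike host with an extra label
    @{ Url = 'https://your-server.upenn.edu/';                            Expect = $false } # an unescaped dot would have matched this
    @{ Url = 'https://example.net/?next=https://your.server.upenn.edu/';  Expect = $false } # real host only appears in the query
    @{ Url = 'https://your.server.upenn.edu';                             Expect = $false } # pattern requires the slash after the host
)

$failures = 0
foreach ($case in $cases) {
    # -match is case-insensitive, which is appropriate for host names
    $accepted = $case.Url -match $validReference
    $status = if ($accepted -eq $case.Expect) { 'OK  ' } else { $failures++; 'FAIL' }
    '{0} accepted={1,-5} {2}' -f $status, $accepted, $case.Url
}
if ($failures -gt 0) {
    Write-Warning "$failures case(s) did not behave as expected; review <ValidReference/> before deploying."
}
```

    Because the pattern uses https?, plain-http destinations are accepted as well; since every CoSign-protected application must be SSL-protected, you may prefer to drop the ? so that only https destinations are valid.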

    To avoid problems with some web clients browsing through proxies, it is recommended to configure <CheckIPAddress/> as follows:
    <CheckIPAddress>never</CheckIPAddress>

    Please see http://www.upenn.edu/computing/web-security/websec-proxy.html for additional information on this problem as it affected WebSec.

    Now specify a service stanza, and note protected and public areas appropriately:
    <Service>
    	<Name>cosign-[service name as returned from WMC]</Name>
    	<!-- Website refers to the host DNS name as specified in IIS Manager -->
    	<Website>[insert host DNS name as specified in IIS Manager]</Website>
    	<!-- IISDescription refers to "Web Site Identification Description" as specified in IIS Manager -->
    	<!-- <IISDescription>[Web Site Identification Description as specified in IIS Manager]</IISDescription> -->
    	<!-- CoSign will redirect users to this url after verifying central authentication -->
    	<SiteEntry>https://[service url]</SiteEntry>
    
    	<!-- You may also specify a <Cookies> stanza on a per-Service basis, e.g.:
    		<Cookies>
    			<Secure>true</Secure>       Cookie only sent over SSL connection
    			<HttpOnly>true</HttpOnly>   Cookie may not be accessed by JavaScript
    		</Cookies>
    	     (the notes above are plain text because XML comments cannot be nested)
    	-->
    
    	<RequireFactor>UPENN.EDU</RequireFactor>
    	<!-- <RequireFactor>mtoken</RequireFactor> -->
    
    	<!-- Be sure that there are no trailing / in the paths specified below. -->
    	<!-- Require authentication for this directory -->
    	<Protected>/private</Protected>
    	<!-- Does not require authentication --> 
    	<Unprotected>/public</Unprotected>
    	<!-- Credentials available if user is authenticated, but does not require authentication --> 
    	<AllowPublicAccess>/home</AllowPublicAccess>
    </Service>
    

Configure IIS

  1. Open IIS Manager.
  2. Select the website you wish to configure for CoSign authentication. Right-click it and select Properties.
  3. In the Properties dialog, click on the ISAPI Filters tab.
  4. Click Add to add a filter. Name the filter "CoSign Filter", then click Browse and navigate to C:\Program Files\IISCosign\cosign.dll. Click Open to select C:\Program Files\IISCosign\cosign.dll.
  5. Click OK to add cosign.dll as a filter.
  6. Again, click OK to close the Properties dialog.
  7. Close IIS Manager.

Restart IIS

  1. Open the Services management console at Start/Programs/Control Panel/Administrative Tools/Services.
  2. Select World Wide Web Publishing Service.
  3. Right-click and select Restart to restart IIS.
  4. Read the dialog that appears to verify that IIS restarts without error.

Test authentication via CoSign

You should now be able to browse to the <Protected> section of your site and be prompted for authentication via CoSign.

Your service is now configured for CoSign Authentication.

Schedule cleanup of Cosign CookieDB directory

The IIS Cosign module creates a file on the file system under the CookieDB location for each session. These files are not automatically purged once they expire, so a process needs to be put in place to periodically delete old session files so that they do not accumulate without bound.

PowerShell Method

Using PowerShell, create the following filter, which passes through only those files whose creation time is at least $days days in the past:

filter FileAge($days) { if ( ($_.CreationTime -le (Get-Date).AddDays($days * -1) )) { $_ } }

Make sure that PowerShell is set to execute PowerShell scripts, instead of only allowing interactive commands to be run in the PowerShell environment:

set-executionpolicy RemoteSigned

Create a PowerShell script with Notepad that defines the filter and then deletes files of a certain age in the CookieDB directory. Below is an example PowerShell script (named CookieDbCleanup.ps1) that you can run nightly with the Windows scheduler; it removes anything older than 24 hours (Cosign's default cookie expiration time) from the CookieDB directory. The filter is defined in the script itself, because a filter created at an interactive prompt is not available to a scheduled run, and the path is quoted because it contains a space:

filter FileAge($days) { if ( ($_.CreationTime -le (Get-Date).AddDays($days * -1) )) { $_ } }
dir "C:\Program Files\IISCosign\CookieDB" | FileAge 1 | del
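A fuller version of the cleanup script, added here as an example rather than the page's own code: it keeps the age filter and the delete step in one file so the scheduled task does not rely on an interactive session, skips a locked file instead of aborting the run, and appends a one-line summary to the Logs directory created during installation. The script name CookieDbCleanup.ps1 comes from the page; the log file name and the -DryRun switch are assumptions.

```powershell
# Added example (not the page's own script): CookieDbCleanup.ps1, a self-contained
# nightly purge of expired CoSign session files. Defaults match the directories
# created during installation. Only PowerShell 2.0 cmdlets and parameters are used
# so it runs on IIS6-era hosts; -DryRun lists candidates without deleting anything.
param(
    [string]$CookieDb = 'C:\Program Files\IISCosign\CookieDB',
    [string]$LogFile  = 'C:\Program Files\IISCosign\Logs\CookieDbCleanup.log',  # assumed name
    [int]$Days        = 1,      # CoSign's default cookie expiration is 24 hours
    [switch]$DryRun
)

# Same age test the page defines, kept inside the script so the scheduled task
# does not depend on a filter defined in someone's interactive session.
filter FileAge($days) {
    if ($_.CreationTime -le (Get-Date).AddDays($days * -1)) { $_ }
}

if (-not (Test-Path -LiteralPath $CookieDb)) {
    throw "CookieDB directory not found: $CookieDb"
}

# @() keeps .Count correct when nothing is stale; PSIsContainer replaces the
# PowerShell 3.0-only -File switch.
$stale = @(Get-ChildItem -LiteralPath $CookieDb |
           Where-Object { -not $_.PSIsContainer } |
           FileAge $Days)

$removed = 0
foreach ($file in $stale) {
    if ($DryRun) {
        "Would remove $($file.FullName)"
        continue
    }
    # A file that cannot be removed (for example, still locked) is skipped rather
    # than aborting the run; it is picked up again on the next scheduled run.
    Remove-Item -LiteralPath $file.FullName -Force -ErrorAction SilentlyContinue
    if (-not (Test-Path -LiteralPath $file.FullName)) { $removed++ }
}

# One summary line per run. A stale count that keeps growing from night to night
# is the early sign that the cleanup is no longer keeping up.
$summary = '{0:yyyy-MM-dd HH:mm:ss} path="{1}" stale={2} removed={3} dryrun={4}' -f `
    (Get-Date), $CookieDb, $stale.Count, $removed, [bool]$DryRun
if (-not $DryRun) { Add-Content -LiteralPath $LogFile -Value $summary }
$summary
```

Save it in C:\Program Files\IISCosign\ and register it with the Windows Task Scheduler to run nightly, invoking powershell.exe with -ExecutionPolicy RemoteSigned -File and the quoted script path.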

Debugging

See DEBUGGING.txt in the service bundle downloaded from WMC.

Further Information

Information Systems and Computing
University of Pennsylvania