Penn WebLogin
IIS7 Installation


The latest documentation for IIS7 and CoSign is below. This documentation assumes that a new application is being installed and no existing authentication mechanisms need to be converted to CoSign authentication.

If you are looking for single-server / multi-site configuration documentation, go to:
IIS7 multi-site configurations

Prerequisites

  1. Microsoft IIS7 is installed on your server. Additional information for creating an IIS7 web site
  2. Your service is registered in the WebLogin Management Console (WMC).
  3. You have downloaded the configuration bundle from the WebLogin Management Console (WMC) after registering your service.
  4. The Microsoft Visual C++ 2008 SP1 redistributable package matching your web server's architecture is installed:
    1. x86: http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en
    2. x64: http://www.microsoft.com/downloads/details.aspx?familyid=BA9257CA-337F-4B40-8C14-157CFDFFEE4E&displaylang=en
  5. Every installation must be able to open outbound TCP connections to weblogin.pennkey.upenn.edu on port 6663 (the CoSign backchannel).
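The following pre-flight script checks the prerequisites above before anything is copied or configured. It is an added example and is not part of the Penn WebLogin documentation or the CoSign module; $BundleDir and $ServiceName are placeholders for the directory where the WMC bundle was extracted and your registration name. The backchannel test uses a raw TcpClient with a timeout because Test-NetConnection is not available on the Windows Server 2008 generation that runs IIS7.

```powershell
# Added pre-flight check for the prerequisites above; not part of the Penn
# WebLogin documentation or the CoSign module. Placeholders below.
$BundleDir    = 'C:\cosign-bundle'                 # where the WMC bundle was extracted
$ServiceName  = 'REPLACE-WITH-WMC-SERVICE-NAME'    # registration name from WMC
$WebLoginHost = 'weblogin.pennkey.upenn.edu'
$WebLoginPort = 6663

# Outbound TCP check to the CoSign backchannel, with a timeout so a firewalled
# host fails fast instead of hanging.
function Test-CosignBackchannel {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Visual C++ 2008 redistributable: look through the Add/Remove Programs registry
# entries, in both the native and the Wow6432Node view on 64-bit Windows.
function Test-VcRedist2008 {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $hits = Get-ChildItem $root | ForEach-Object { Get-ItemProperty $_.PSPath } |
                Where-Object { $_.DisplayName -like '*Visual C++ 2008*' }
        if ($hits) { return $true }
    }
    return $false
}

$checks = @(
    @{ Name = 'IIS (W3SVC) service present';
       Ok   = [bool](Get-Service -Name W3SVC -ErrorAction SilentlyContinue) },
    @{ Name = 'Visual C++ 2008 SP1 redistributable installed';
       Ok   = Test-VcRedist2008 },
    @{ Name = "Backchannel reachable: ${WebLoginHost}:${WebLoginPort}";
       Ok   = Test-CosignBackchannel -HostName $WebLoginHost -Port $WebLoginPort },
    @{ Name = 'WMC bundle files present (ca-cert.pem and the service .pfx)';
       Ok   = (Test-Path (Join-Path $BundleDir 'ca-cert.pem')) -and
              (Test-Path (Join-Path $BundleDir "$ServiceName.pfx")) }
)

$failed = 0
foreach ($c in $checks) {
    $status = if ($c.Ok) { 'PASS' } else { $failed++; 'FAIL' }
    Write-Host ('[{0}] {1}' -f $status, $c.Name)
}
if ($failed) { Write-Warning "$failed prerequisite check(s) failed; resolve these before installing the module." }
```

Run it from an elevated prompt so the uninstall registry keys and service list are readable. A failing backchannel check is the one to escalate early, since it usually means a host or network firewall rule rather than anything on the IIS side.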

Cosign Configuration

Extract the WMC Bundle on the Web Server

The following files should be available after extraction:

  Filename                                        Description
  ca-cert.pem                                     CoSign backchannel CA certificate
  <SERVICE REGISTRATION NAME>.crt                 CoSign backchannel service-specific certificate
  <SERVICE REGISTRATION NAME>.key                 CoSign backchannel service-specific key
  <SERVICE REGISTRATION NAME>.pfx                 PKCS#12 file containing the above
  .\IIS7\CosignModule-1.0.0beta2-upenn-1.zip      The IIS7 CosignModule filter binary (and source code)
  .\IIS7\DEBUGGING.txt                            Information on debugging CosignModule
  .\IIS7\README.txt                               Instructions similar to this configuration/install page
  .\IIS7\vcredist_x64_sp1_en.exe                  64-bit Microsoft Visual C++ 2008 SP1 Redistributable Package
  .\IIS7\vcredist_x86_sp1_en.exe                  32-bit Microsoft Visual C++ 2008 SP1 Redistributable Package

Copy CoSign Files to their Correct Locations

  1. From the extracted CoSign zip file, navigate to the following location:
    <SERVICE REGISTRATION NAME>/IIS7/Cosignmodule-3.X.0/Cosignmodule-3.X.0/
  2. Copy the files to your IIS server as follows:

       From CoSign package          To Windows directory
       ./cosign_schema.xml          C:\Windows\System32\inetsrv\config\schema\
       ./x64/CosignModule.dll       C:\Windows\System32\inetsrv\
       ./x86/CosignModule.dll       C:\Windows\SysWOW64\inetsrv\

Yes, x64 files go to System32
64-bit Windows uses the C:\Windows\System32\ directory for its 64-bit library and executable files, so the 64-bit CoSign module is copied to C:\Windows\System32\inetsrv\.

If you are not running a 64-bit version of Windows, copy only the ./x86/CosignModule.dll file, to the C:\Windows\System32\inetsrv\ directory.

Import the PKCS#12 Certificate Bundle

  1. From the Start menu, open the Microsoft Management Console by running the following command: mmc
  2. Within the console select File -> Add/Remove Snap-in. (Or simply press Ctrl + M)
  3. Select Certificates from Available Snap-Ins then click Add > to add it to the Selected Snap-Ins.
  4. Select Computer Account
  5. Click Next
  6. Select Local Computer
  7. Click Finish
  8. Click OK
  9. You should be returned to the main console. A new entry should be available listed as "Certificates (Local Computer)".
  10. Expand the Certificates by clicking the plus sign next to it.
  11. Right-click the Personal folder and select: All Tasks -> Import.
  12. In the wizard select Next, then browse for the .PFX file that was extracted in the section above (Note: you will need to change the file-type filter to Personal Information Exchange).
  13. Select Open.
  14. Click Next.
  15. Provide the PKCS#12 password that was entered when the WMC bundle was created. Click Next.
  16. Leave the default to place the certificates in the Personal certificate store. Click Next.
  17. Click Finish.

Setting the Appropriate Application Permissions and Trust for CoSign

Setting Privileges for the Service Certificate

  1. Within the Microsoft Management Console (MMC) select Console Root -> Certificates (Local Computer) -> Personal -> Certificates
  2. The right pane lists all available certificates. Select the one for this application / service (Note: it has the same name as registered in the WebLogin Management Console).
  3. Right-click the certificate and select All Tasks -> Manage Private Keys.
  4. The permissions for the certificate's private key are displayed. Select Add.
  5. Change the account location to the IIS server itself rather than the domain (which is probably the default).
  6. Enter the string "IIS_IUSRS" in the textbox and click Check Names. The name should resolve to <Machine Name>\IIS_IUSRS.
  7. Click OK. Confirm that the user which was just added has Full Control and Read permissions.

Enabling Trust of the CoSign CA Certificate

  1. Within the Microsoft Management Console (MMC) select Console Root -> Certificates (Local Computer) -> Personal -> Certificates
  2. Locate the "CoSign CA" certificate. Right-click it and select Cut.
  3. Navigate to Console Root -> Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates
  4. Paste the "CoSign CA" certificate into this location.

Setting Privileges on the System Certificate Store Registry Key

  1. Open the Windows Start Menu and enter regedit in the search box.
  2. Right-click regedit and run the program as an administrator.
  3. Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\
  4. Right-click the "MY" key and select Permissions.
  5. Change the account location to the IIS server itself rather than the domain (which is probably the default).
  6. Enter the string "IIS_IUSRS" in the textbox and click Check Names. The name should resolve to <Machine Name>\IIS_IUSRS.
  7. Click OK. Confirm that the user which was just added has Full Control and Read permissions.

Create and Assign Privileges for the Cookie Cache

  1. Navigate to the following Windows directory: C:\inetpub\temp
  2. Create a new folder at this location and name it exactly "Cosign Cookie DB".
  3. Once the folder is created, right-click it and select Properties.
  4. Select the Security tab and select Edit to modify the permissions on this folder.
  5. Select Add.
  6. Change the account location to the IIS server itself rather than the domain (which is probably the default).
  7. Enter the string "IIS_IUSRS" in the textbox and click Check Names. The name should resolve to <Machine Name>\IIS_IUSRS.
  8. Click OK. Confirm that the user which was just added has Full Control and Read permissions.
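The four sub-sections above can also be done as one script, which is easier to review and to repeat on a second server. The following is an added example and is not part of the Penn WebLogin page or the CoSign module; $ServiceName (the WMC registration name) and $BundleDir (where the bundle was extracted) are placeholders. It grants the private key Read rather than Full Control, which is what IIS needs to use a key; the registry key and cookie folder get the rights the steps above describe (Full Control, and Modify for the folder the module writes into).

```powershell
# Added example; not part of the Penn WebLogin page or the CoSign module.
# Performs the MMC, regedit and Explorer steps of this section from an
# elevated PowerShell prompt. $ServiceName and $BundleDir are placeholders.
$ServiceName = 'REPLACE-WITH-WMC-SERVICE-NAME'
$BundleDir   = 'C:\cosign-bundle'
$IisGroup    = 'IIS_IUSRS'   # local group; resolves to <Machine Name>\IIS_IUSRS
$PfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 password entered when the WMC bundle was created'

# 1. Service certificate + private key into Local Computer\Personal.
#    MachineKeySet stores the key where the IIS worker process can reach it;
#    PersistKeySet keeps it on disk after this object is discarded.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
$svcCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
$svcCert.Import((Join-Path $BundleDir "$ServiceName.pfx"), $PfxPassword, $flags)
$personal = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$personal.Open('ReadWrite'); $personal.Add($svcCert); $personal.Close()

# 2. Private key access for IIS_IUSRS. The key is a file under MachineKeys; Read is
#    what IIS needs to use it (the GUI steps above grant Full Control as well;
#    widen only if the module reports access errors in its debug output).
if ($svcCert.PrivateKey -eq $null) { throw 'Private key is not exposed through CAPI; set its permissions with Manage Private Keys in MMC instead.' }
$container = $svcCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
icacls $keyFile /grant "${IisGroup}:(R)" | Out-Null

# 3. CoSign CA certificate into Trusted Root Certification Authorities. The bundle
#    ships it as ca-cert.pem, so it is imported directly rather than cut from Personal.
$caCert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $BundleDir 'ca-cert.pem')
$rootStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$rootStore.Open('ReadWrite'); $rootStore.Add($caCert); $rootStore.Close()

# 4. Registry key backing the machine Personal store, as the regedit steps describe.
$regKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY'
$acl  = Get-Acl -Path $regKey
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $IisGroup, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $regKey -AclObject $acl

# 5. Cookie cache folder. The module writes session state here, so it gets
#    Modify, inherited by files and subfolders: (OI)(CI)M.
$cookieDb = Join-Path $env:SystemDrive 'inetpub\temp\Cosign Cookie DB'
New-Item -ItemType Directory -Path $cookieDb -Force | Out-Null
icacls $cookieDb /grant "${IisGroup}:(OI)(CI)M" | Out-Null

# What was done, for the change record.
Write-Host "Imported $($svcCert.Subject) (thumbprint $($svcCert.Thumbprint)) into LocalMachine\My"
Write-Host "Private key file: $keyFile"; icacls $keyFile
Write-Host "Cookie DB: $cookieDb";       icacls $cookieDb
```

The two icacls listings at the end are worth keeping with the change ticket: they show exactly which principals can read the service's private key, which is the one permission on this page that matters if the server is ever shared with other sites.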

Installing the CoSign Module to IIS

  1. Open the Windows Start Menu and enter cmd within the command search function.
  2. Right-click the cmd program and run it as an administrator.
  3. Change directories to C:\Windows\System32\inetsrv\ by entering the command: cd C:\Windows\System32\inetsrv\
  4. Run the following command to register the CoSign module with IIS:
> appcmd install module /name:"Cosign" /image:"CosignModule.dll" /add:"false"
Be Careful
You must be in the C:\Windows\System32\inetsrv\ directory to run the appcmd command, or have that directory in your PATH.

Web Application Configuration

  1. Copy the web application directory (i.e. all of the files for your web application) to the following location: C:\inetpub\wwwroot
  2. Open the IIS Manager via: Start Menu -> Administrative Tools -> Internet Information Services (IIS) Manager.
  3. From the left panel labeled Connections expand all nodes and right-click the item labeled Sites.
  4. Select Add Web Site and enter the following information:
    1. Site Name - The name of the web application / site.
    2. Physical Path - Use the browse button and navigate to C:\inetpub\wwwroot\ to select your web application top-level folder.
    3. Type - Select https.
    4. SSL Certificate (becomes available once the type is set to https) - Select the SSL Certificate which is the same as the service name entered in WMC. Select OK.
  5. Within IIS Manager the web-site which has just been added should be displayed. All features should be displayed in the center pane.
  6. Open SSL Settings. Ensure that Require SSL is checked and that the Client certificates radio button is set to Ignore.

Configuring IIS Server and Web-Site for CoSign (XML Configuration Files)

Introduction

There are two XML files which require configuration for the use of CoSign:

  File name                 Location                                              Description
  applicationHost.config    C:\Windows\System32\inetsrv\config\                   The main configuration file for IIS. It defines all sites/applications as well as global defaults for the web server. Settings in this file can typically be overridden at the site level through the web.config file described below.
  web.config                C:\inetpub\wwwroot\<NAME OF YOUR WEB APPLICATION>\    The web.config file is unique to each web application deployed with IIS. Configuration in this file overrides the configuration specified in applicationHost.config.

Warning
Back up these files before making modifications. XML has very specific requirements for how modifications are made, and a malformed applicationHost.config stops IIS from loading its configuration at all.

Modifying the ApplicationHost.Config File

The XML file is structured as a hierarchy, and the CoSign additions must be entered at specific levels of that hierarchy.

Add the section name entry within Configuration::configSections::sectionGroup::system.webServer
Locate the part of the XML where all section names are listed under the section group system.webServer, and add a new line with the following contents:
<section name="cosign" overrideModeDefault="Allow" />
Add the CoSign configuration within Configuration::system.webServer::cosign
  <cosign>
    <webloginServer name="weblogin.pennkey.upenn.edu" loginUrl="https://weblogin.pennkey.upenn.edu/login?" port="6663" postErrorRedirectUrl="https://weblogin.pennkey.upenn.edu/post_error.html" />
    <crypto certificateCommonName="<THE NAME OF YOUR SERVICE AS LISTED IN WMC>" />
    <cookieDb directory="%systemDrive%\inetpub\temp\Cosign Cookie DB\" expireTime="120" />
    <proxyCookies directory="%SystemDrive%\inetpub\temp\Cosign Proxy DB" />
    <!--
      NOTE: THE FOLLOWING TAG IS NEW FOR CoSign v3.
      Be sure to set validReference (in the web.config section below) to a regex that
      appropriately matches the URLs used to access your application(s) in this service.
    -->
    <cookies secure="true" httpOnly="true" />
    <service name="<THE NAME OF YOUR SERVICE AS LISTED IN WMC>" />
    <protected status="off" />
  </cosign>
Set lockItem="false" for all modules listed within Configuration::location path::system.webServer::modules
Change every lockItem value in this block to false. A locked entry would prevent the site's web.config from modifying the module list, which adding the CoSign module to the site (below) requires.
  <modules>
    <add name="HttpCacheModule" lockItem="false" />
    <add name="StaticCompressionModule" lockItem="false" />
    <add name="DefaultDocumentModule" lockItem="false" />
    <add name="DirectoryListingModule" lockItem="false" />
    <add name="IsapiFilterModule" lockItem="false" />
    <add name="ProtocolSupportModule" lockItem="false" />
    <add name="StaticFileModule" lockItem="false" />
    <add name="AnonymousAuthenticationModule" lockItem="false" />
    <add name="BasicAuthenticationModule" lockItem="false" />
    <add name="WindowsAuthenticationModule" lockItem="false" />
    <add name="RequestFilteringModule" lockItem="false" />
    <add name="CustomErrorModule" lockItem="false" />
    <add name="IsapiModule" lockItem="false" />
    <add name="HttpLoggingModule" lockItem="false" />
    <add name="ConfigurationValidationModule" lockItem="false" />
    <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" preCondition="managedHandler" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
    <add name="WindowsAuthentication" type="System.Web.Security.WindowsAuthenticationModule" preCondition="managedHandler" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
    <add name="RoleManager" type="System.Web.Security.RoleManagerModule" preCondition="managedHandler" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="managedHandler" />
    <add name="FileAuthorization" type="System.Web.Security.FileAuthorizationModule" preCondition="managedHandler" />
    <add name="AnonymousIdentification" type="System.Web.Security.AnonymousIdentificationModule" preCondition="managedHandler" />
    <add name="Profile" type="System.Web.Profile.ProfileModule" preCondition="managedHandler" />
    <add name="UrlMappingsModule" type="System.Web.UrlMappingsModule" preCondition="managedHandler" />
  </modules>
See the full ApplicationHost.config file

Useful Tip
You can review an example ApplicationHost.config file and search the file to see where the XML has been added or modified.
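Before restarting IIS it is worth checking the edits mechanically rather than by eye, since a single stray character in applicationHost.config takes every site on the server down. The script below is an added example, not part of the Penn WebLogin page or the CoSign module; it assumes only that applicationHost.config is in its default location. It is read-only and reports each of this section's requirements as PASS or FAIL, and cross-checks certificateCommonName against the certificate actually present in Local Computer\Personal, which is where the " _..._ " placeholder residue usually bites.

```powershell
# Added example, not part of the Penn WebLogin page or the CoSign module: a
# read-only check of the applicationHost.config edits described in this section.
# Run from an elevated prompt (inetsrv\config is ACL-restricted). The only
# assumption is that the file lives in the default location.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($configPath)

$results = @()
function Add-Result([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}
# Attribute of a child node, or '' when the node is missing (keeps the checks null-safe).
function Get-Attr($Node, [string]$XPath, [string]$Attr) {
    if ($Node -eq $null) { return '' }
    $child = $Node.SelectSingleNode($XPath)
    if ($child -eq $null) { return '' }
    return [string]$child.GetAttribute($Attr)
}

# 1. Section declaration under configSections/sectionGroup[system.webServer].
$section = $cfg.SelectSingleNode("/configuration/configSections/sectionGroup[@name='system.webServer']/section[@name='cosign']")
Add-Result 'cosign section declared under system.webServer' ($section -ne $null)
Add-Result 'cosign section has overrideModeDefault="Allow"' ((Get-Attr $section '.' 'overrideModeDefault') -eq 'Allow')

# 2. The <cosign> element and the values this page specifies.
$cosign = $cfg.SelectSingleNode('/configuration/system.webServer/cosign')
Add-Result '<cosign> element present under system.webServer' ($cosign -ne $null)
$wlName = Get-Attr $cosign 'webloginServer' 'name'
$wlPort = Get-Attr $cosign 'webloginServer' 'port'
Add-Result 'webloginServer is weblogin.pennkey.upenn.edu:6663' ($wlName -eq 'weblogin.pennkey.upenn.edu' -and $wlPort -eq '6663') ($wlName + ':' + $wlPort)

# The page's placeholder is wrapped in " _..._ "; a stray space, underscore or
# angle bracket left in certificateCommonName means no certificate will match.
$cn = Get-Attr $cosign 'crypto' 'certificateCommonName'
Add-Result 'certificateCommonName has no placeholder residue' ($cn -ne '' -and $cn -eq $cn.Trim() -and $cn -notmatch '[_<>]') $cn
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($cn) + '(,|$)') }
Add-Result 'certificate with that CN is in Local Computer\Personal' ([bool]$cert) $cn

$dir = [Environment]::ExpandEnvironmentVariables((Get-Attr $cosign 'cookieDb' 'directory'))
Add-Result 'cookieDb directory exists' ($dir -ne '' -and (Test-Path -LiteralPath $dir)) $dir

# 3. Locked module entries: any lockItem="true" left in the <location> block stops
#    the site's web.config from changing the module list, which adding Cosign requires.
$locked = @($cfg.SelectNodes("/configuration/location/system.webServer/modules/add[@lockItem='true']") | ForEach-Object { $_.GetAttribute('name') })
Add-Result 'no module entries left with lockItem="true"' ($locked.Count -eq 0) ($locked -join ', ')

# 4. "appcmd install module" registers the native module in <globalModules>.
$gm = $cfg.SelectSingleNode("/configuration/system.webServer/globalModules/add[@name='Cosign']")
Add-Result 'Cosign registered in <globalModules>' ($gm -ne $null) (Get-Attr $gm '.' 'image')

$results | ForEach-Object {
    $status = if ($_.Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1}  {2}' -f $status, $_.Check, $_.Detail)
}
```

If the XmlDocument.Load call itself throws, the file is no longer well-formed XML; restore the backup taken in the warning above before touching anything else.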

Modifying the web.config File for the Web Site

Add the CoSign-specific configuration to configuration::system.webServer. The <location> element for cosign/valid sits directly under <configuration> and switches protection off for the validation URL itself; the <cosign> and <handlers> elements go inside <system.webServer>:
<configuration>
  <location path="cosign/valid">
    <system.webServer>
      <cosign>
        <protected status="off" />
      </cosign>
    </system.webServer>
  </location>
  <system.webServer>
    <cosign>
      <protected status="on" />
      <service name="YOUR SERVICE NAME" />
      <validation validReference="A VALID REGULAR EXPRESSION FOR YOUR WEBSITE" errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />
    </cosign>
    <!-- Configure CosignModule.dll to handle /cosign/valid -->
    <handlers>
      <add name="Cosign Validation" path="/cosign/valid*" verb="*" modules="Cosign" resourceType="Unspecified" />
    </handlers>
  </system.webServer>
</configuration>

See the full web.config file
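The validReference value deserves more care than the other placeholders: it is the pattern the /cosign/valid handler checks the return URL against before sending the freshly authenticated browser there, so a pattern that also matches URLs outside your site turns the validation endpoint into a redirect to wherever such a URL points. The script below is an added example, not part of the Penn WebLogin page or the CoSign module; the host name is a placeholder and the test URLs are constructed for this example. It runs one anchored, dot-escaped pattern and one loose pattern over the same cases and reports where each answers wrongly. One caveat: CosignModule is native code and its regex dialect may not be .NET's, so keep to the portable subset (anchors, escaped dots, simple groups) that both interpret the same way.

```powershell
# Added example, not from the Penn WebLogin page or the CoSign module: exercise a
# candidate validReference pattern before putting it in web.config. The host
# name is a placeholder and the test URLs are constructed for this example.

# Anchored to the scheme and the exact host, with every dot escaped.
$strictPattern = '^https://myapp\.example\.upenn\.edu(/.*)?$'
# The kind of pattern that looks reasonable but is neither anchored nor escaped.
$loosePattern  = 'myapp.example.upenn.edu'

# Constructed cases: Expect is what a correct pattern should answer.
$cases = @(
    @{ Url = 'https://myapp.example.upenn.edu/';                Expect = $true  },
    @{ Url = 'https://myapp.example.upenn.edu/app/page?id=1';   Expect = $true  },
    @{ Url = 'http://myapp.example.upenn.edu/';                 Expect = $false },  # cleartext
    @{ Url = 'https://myapp.example.upenn.edu.example.net/';    Expect = $false },  # host extended
    @{ Url = 'https://myapp-example-upenn.edu/';                Expect = $false },  # unescaped dots
    @{ Url = 'https://other.example.net/?next=https://myapp.example.upenn.edu/'; Expect = $false }  # off-site
)

function Test-ValidReference {
    param([string]$Pattern, [object[]]$Cases)
    $failures = 0
    foreach ($c in $Cases) {
        $accepts = [regex]::IsMatch($c.Url, $Pattern)
        $ok = ($accepts -eq $c.Expect)
        if (-not $ok) { $failures++ }
        $verdict = if ($accepts) { 'accepts' } else { 'rejects' }
        $mark    = if ($ok) { 'ok ' } else { 'BAD' }
        Write-Host ('  {0} {1} {2}' -f $mark, $verdict, $c.Url)
    }
    return $failures
}

foreach ($p in @($strictPattern, $loosePattern)) {
    Write-Host "Pattern: $p"
    $bad = Test-ValidReference -Pattern $p -Cases $cases
    Write-Host "  -> $bad of $($cases.Count) cases answered wrongly`n"
}
```

With these cases the strict pattern answers all six correctly and the loose one gets four wrong: it accepts plain http, a host with your name as a prefix, a hyphenated look-alike (because an unescaped dot matches any character), and a URL on another site that merely contains yours in its query string. Put your own application's URLs in the case list, including one for every host name and path the service is registered under in WMC, and keep the script with the web.config so the pattern can be re-checked whenever it changes.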

Add the CoSign Module to the Configured Web-Site

  1. Open the Windows Start Menu and enter cmd within the command search function.
  2. Right-click the cmd program and run it as an administrator.
  3. Change directories to C:\Windows\System32\inetsrv\ by entering the command: cd C:\Windows\System32\inetsrv\
  4. Run the following command to add the CoSign module to the web site:
> appcmd add module /name:"Cosign" /app.name:"<WEBSITE NAME AS IT APPEARS IN IIS>/"
Be Careful
You must be in the C:\Windows\System32\inetsrv\ directory to run the appcmd command, or have that directory in your PATH.

Increase CoSign Priority

  1. Open the IIS Manager via: Start Menu -> Administrative Tools -> Internet Information Services (IIS) Manager.
  2. From the left panel labeled Connections expand all nodes and left-click your web-site.
  3. The middle pane should show the features view which should have Modules icon available. Open it.
  4. From the right pane select View Ordered List.
  5. Select "Cosign" and click "Move Up" until CoSign appears higher than WindowsAuthentication, FormsAuthentication, and DefaultAuthentication.

Additional Information

This page is based on the README in cosignmodule-3.0.0.zip.

Official Microsoft IIS Site

Supplemental information on configuring SSL for IIS7:
http://technet2.microsoft.com/WindowsServer2008/f/?en/Library/bf4afb4c-4ce3-40e1-bd4b-d7df6daeb9b61033.mspx

Information Systems and Computing
University of Pennsylvania