IIS7 Installation
Prerequisites
- Web site, properly configured and appearing in Sites in IIS Manager
- Information on creating a website on IIS 7.0:
http://learn.iis.net/page.aspx/372/serving-new-content/
- SSL access, configured for web site and tested
- Self-signed certificates may be used during testing
- Information on configuring SSL for IIS7:
http://technet2.microsoft.com/WindowsServer2008/f/?en/Library/bf4afb4c-4ce3-40e1-bd4b-d7df6daeb9b61033.mspx
- Installed architecture-specific "Microsoft Visual C++ 2008 SP1 Redistributable Package"
- x86:
http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en
- x64:
http://www.microsoft.com/downloads/details.aspx?familyid=BA9257CA-337F-4B40-8C14-157CFDFFEE4E&displaylang=en
- IIS7 configuration bundle downloaded after service
registration in WebLogin Management Console (WMC)
Installation & Configuration
- Unzip the configuration bundle downloaded from WMC. The bundle contains the following:
    ca-cert.pem                                - CoSign backchannel CA certificate
    [service registration name].crt            - CoSign backchannel service-specific certificate
    [service registration name].key            - CoSign backchannel service-specific private key
    [service registration name].pfx            - PKCS#12 file containing the above
    IIS7/CosignModule-1.0.0beta2-upenn-1.zip   - the IIS7 CosignModule filter binary (and source code)
    IIS7/DEBUGGING.txt                         - information on debugging CosignModule
    IIS7/README.txt                            - this file
    IIS7/vcredist_x64_sp1_en.exe               - 64-bit Microsoft Visual C++ 2008 SP1 Redistributable Package
    IIS7/vcredist_x86_sp1_en.exe               - 32-bit Microsoft Visual C++ 2008 SP1 Redistributable Package
  The .key and .pfx files carry the service's private key. Unzip the bundle
  somewhere that is not served by IIS, and remove the unzipped copy once the
  PKCS#12 has been imported into the certificate store.
- Import the PKCS#12 from the configuration bundle.
    Begin:        Start Menu -> Run
    Type:         mmc.exe (or mmc /64)
                  <Ctrl> M
    Select:       Certificates -> Add
    Select:       Computer Account -> Local Computer
                  Finish
                  Ok
    Select:       Certificates -> Personal -> Certificates
    Right-click:  Import
    Select:       [service registration name from WMC].pfx

    Continue through the dialog. When prompted, supply the
    PKCS#12 password specified in WMC when downloading the bundle.
- Give IIS_IUSRS access to the certificate's private key from within
  certificate manager. (Read is normally all a process needs to use, but
  not export, a key; grant Full Control only if CosignModule reports
  access errors.)
    Select:       [the certificate that matches the one to use for CoSign]
    Right-click:  All Tasks -> Manage Private Keys

    Give IIS_IUSRS "Full Control" and "Read" permissions
- Enable trust of the CoSign CA certificate
    Select:        the "CoSign CA" certificate
    Click & drag:  -> "Trusted Root Certification Authorities"
                   -> "Certificates" folder
- IIS_IUSRS (or the identity the IIS worker process runs as) needs Full Control
  and Read permissions on the following Registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY
    Begin:        Start Menu -> Run
    Type:         regedit.exe
    Navigate to:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY
    Right-click:  Permissions

    Give IIS_IUSRS "Full Control" and "Read" permissions
- Create a folder for the service cookie cache:
    Begin:  Start Menu -> Run
    Type:   cmd.exe
    > md "C:\inetpub\temp\Cosign Cookie DB"

    Give IIS_IUSRS "Full Control" permissions on the new folder
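The certificate-store, private-key, registry and cookie-folder steps above can be done from an elevated PowerShell prompt instead of the MMC and regedit dialogs. The script below is an added example, not part of this README or of the CosignModule project. The bundle directory, the service registration name and the site layout are placeholders you must replace, and it assumes the imported key is a CAPI (RSA CSP) key, which is the normal case for a PFX imported on Windows Server 2008; CNG keys are stored under a different path. It grants the private key Read rather than Full Control, for the reason given above.

```powershell
# Added example (not from the CoSign README or CosignModule): performs the
# store, key-ACL, CA-trust, registry-ACL and cookie-directory steps.
# Run from an elevated PowerShell prompt on the IIS host.
$ErrorActionPreference = 'Stop'

$bundleDir   = 'C:\cosign-bundle'                # assumption: where the WMC bundle was unzipped
$serviceName = 'your-service-registration-name'  # assumption: the name registered in WMC
$pfxPath     = Join-Path $bundleDir "$serviceName.pfx"
$caPath      = Join-Path $bundleDir 'ca-cert.pem'
$cookieDir   = Join-Path $env:SystemDrive 'inetpub\temp\Cosign Cookie DB'
$regKey      = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY'
$account     = 'IIS_IUSRS'

# 1. Import the PKCS#12 into LocalMachine\My. MachineKeySet + PersistKeySet puts
#    the private key in the machine profile where IIS worker processes can reach
#    it; Exportable is deliberately not set.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PKCS#12 password from WMC'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$my.Open('ReadWrite')
$my.Add($cert)
$my.Close()

# 2. Let IIS_IUSRS read the private key file. The README grants Full Control;
#    Read is what a process needs to sign/authenticate with the key, so start
#    there and widen only if CosignModule logs an access error.
#    Assumption: CAPI key container under ...\Crypto\RSA\MachineKeys.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
& icacls $keyFile /grant "${account}:R" | Out-Null

# 3. Trust the CoSign backchannel CA by adding ca-cert.pem to LocalMachine\Root.
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caPath)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($ca)
$root.Close()

# 4. Registry ACL on the MY store key, as the README requires (inherited to subkeys/values).
$acl  = Get-Acl -Path $regKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $regKey -AclObject $acl

# 5. Cookie cache directory; the module writes here, so Full Control is appropriate.
New-Item -ItemType Directory -Path $cookieDir -Force | Out-Null
& icacls $cookieDir /grant "${account}:(OI)(CI)F" | Out-Null

# 6. Sanity check: service certificate in My with a private key, CA in Root.
Get-ChildItem Cert:\LocalMachine\My  | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, HasPrivateKey, NotAfter
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint } |
    Select-Object Subject, NotAfter
```

The final two commands should print one row each; a row with HasPrivateKey = False means the key was not persisted to the machine store and step 2 will have failed as well.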
- In the file C:\Windows\System32\inetsrv\config\applicationHost.config,
  add the following configuration (existing content is elided with "..."):
<configSections>
...
<sectionGroup name="system.webServer">
...
<section name="cosign" overrideModeDefault="Allow" />
...
</sectionGroup>
</configSections>
...
<system.webServer>
...
<cosign>
<webloginServer name="weblogin.pennkey.upenn.edu"
loginUrl="https://weblogin.pennkey.upenn.edu/login?"
port="6663"
postErrorRedirectUrl="https://weblogin.pennkey.upenn.edu/post_error.html" />
<crypto certificateCommonName="[service registration name from WMC]" />
<cookieDb directory="%systemDrive%\inetpub\temp\Cosign Cookie DB\"
expireTime="120" />
<proxyCookies directory="%SystemDrive%\inetpub\temp\Cosign Proxy DB" />
<!--
NOTE: THE FOLLOWING TAG IS NEW FOR CoSign v3
Be sure to replace validReference below with a regex that
appropriately matches URLs used to access your application(s) in your service
NOTE: The validReference pattern is CASE-SENSITIVE.
Users will typically enter a lower-case domain name. We
recommend your server's name be lower case as well.
-->
<validation validReference="^https?://your\.server\.upenn\.edu/.*$"
errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />
<cookies secure="true"
httpOnly="true" />
<service name="cosign-[service registration name from WMC]" />
<protected status="off" />
</cosign>
...
</system.webServer>
Each directory can also have a web.config file that overrides inherited
configuration options:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<cosign>
<protected status="on" />
</cosign>
</system.webServer>
</configuration>
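Because validReference is the check that decides which URLs CoSign may send a user back to, a loose pattern turns the login flow into an open redirect. The following added example, not from this README or from CosignModule, tests a candidate pattern against a handful of constructed URLs the way the module's case-sensitive match would, so the pattern is vetted before it goes into applicationHost.config. The host names are the placeholders from the README's own example and attacker.example is a made-up lookalike.

```powershell
# Added example (not from the CoSign README or CosignModule): exercises a
# validReference pattern against sample URLs using a case-sensitive match.
function Test-ValidReference {
    param(
        [Parameter(Mandatory=$true)] [string]   $Pattern,
        [Parameter(Mandatory=$true)] [string[]] $Url
    )
    foreach ($u in $Url) {
        # -cmatch is case-sensitive, mirroring the README's note on validReference.
        New-Object PSObject -Property @{
            Url     = $u
            Matches = [bool]($u -cmatch $Pattern)
        }
    }
}

# Pattern the README recommends: dots escaped, host terminated by the "/" that follows it.
$strict = '^https?://your\.server\.upenn\.edu/.*$'
# A tempting but weak variant: unescaped dots and nothing anchoring the end of the host.
$loose  = '^https?://your.server.upenn.edu'

# Constructed test URLs.
$urls = @(
    'https://your.server.upenn.edu/app/index.html',        # legitimate
    'https://YOUR.SERVER.UPENN.EDU/app/',                  # case differs: rejected by both
    'https://your.server.upenn.edu.attacker.example/',     # lookalike host
    'https://yourXserverXupennXedu/',                      # unescaped "." matches any character
    'https://your.server.upenn.edu@attacker.example/'      # userinfo before the real host
)

"Strict pattern:"; Test-ValidReference -Pattern $strict -Url $urls | Format-Table Url, Matches -AutoSize
"Loose pattern:";  Test-ValidReference -Pattern $loose  -Url $urls | Format-Table Url, Matches -AutoSize
```

With the strict pattern only the first URL matches. With the loose pattern the first, third, fourth and fifth all match, which is exactly the set of hosts an attacker could direct a freshly logged-in user to. The second URL fails both because the match is case-sensitive, which is why the README recommends a lower-case server name.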
- Enable CosignModule in IIS7 (run the commands from the directory where
  IIS7/CosignModule-1.0.0beta2-upenn-1.zip was unzipped):
    Begin:  Start -> Run
    Type:   cmd.exe

    The following step is only needed when upgrading
    and CosignModule.dll cannot be overwritten.
    > iisreset /stop

    Copy the CoSign configuration schema and module
    DLL into place on the filesystem.
    > copy /Y Cosign_Schema.xml C:\Windows\System32\inetsrv\config\schema
    > copy /Y CosignModule.dll C:\Windows\System32\inetsrv

    The following step is unnecessary when upgrading
    rather than installing for the first time.
    > appcmd install module /name:"Cosign" /image:"CosignModule.dll" /add:"false"
    > iisreset

    Should you need to remove CosignModule from the
    IIS7 config, execute the following commands:
    > appcmd uninstall module "Cosign"
    > iisreset
- Configure the validation handler mapping:
Add the following directives to web.config at the root of the site
to be protected by CoSign:
<configuration>
<!-- Disable CoSign protection for /cosign/valid -->
<location path="cosign/valid">
...
<system.webServer>
<cosign>
<protected status="off" />
</cosign>
</system.webServer>
...
</location>
<system.webServer>
...
<!-- Configure CosignModule.dll to handle /cosign/valid -->
<handlers>
<add name="CoSign Validation Handler" path="/cosign/valid*" verb="*" modules="Cosign" resourceType="Unspecified" />
</handlers>
...
</system.webServer>
</configuration>
- Set lockItem="false" for each module listed in
C:\Windows\System32\inetsrv\config\applicationHost.config, as below:
<configuration>
<location path="" overrideMode="Allow">
<system.webServer>
<modules>
...
<add name="[some module name]" lockItem="false" />
...
</modules>
</system.webServer>
</location>
</configuration>
- Add CosignModule to the configured website:
    Begin:  Start -> Run
    Type:   cmd.exe
    > appcmd add module /name:"Cosign" /app.name:"[name of website as listed in Sites tree]/"

    To remove CosignModule from the configured website:
    > appcmd delete module "Cosign" /app.name:"[name of website as listed in Sites tree]/"

    The module can also be added and removed from the IIS Manager interface.
    Please note: CosignModule is not designed to be loaded as a global module
    (hence /add:"false" above).
- Increase the priority of CosignModule:
    In IIS Manager, navigate to the site which you are configuring to use
    CoSign. Click on "Modules", then "View Ordered List..." in the
    sidebar. "Cosign" should appear in the list. Select "Cosign" and click
    "Move Up" until Cosign appears higher than WindowsAuthentication,
    FormsAuthentication, and DefaultAuthentication; otherwise those modules
    run first and a request can be authenticated or rejected before CoSign
    sees it.
    Your site should now be protected using Cosign.
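A post-install check for the module wiring described above, as an added example that is not part of this README or of CosignModule. It assumes the WebAdministration PowerShell module (or the equivalent snap-in on Windows Server 2008) is available, that Get-WebConfiguration returns the site's module list in pipeline order, and that the Cosign_Schema.xml copied earlier exposes the cosign section to the configuration API; the site name is a placeholder.

```powershell
# Added example (not from the CoSign README or CosignModule): reports whether
# Cosign is registered, present on the site, ordered ahead of the three
# authentication modules, mapped as the /cosign/valid handler, and whether
# protection is on at the site root.
Import-Module WebAdministration

function Test-CosignWiring {
    param([Parameter(Mandatory=$true)] [string] $SiteName)
    $psPath = "IIS:\Sites\$SiteName"

    # Effective module list for the site, in the order IIS will run them.
    $modules   = @(Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $psPath |
                   Select-Object -ExpandProperty name)
    $cosignIdx = [array]::IndexOf($modules, 'Cosign')
    $authIdx   = @('WindowsAuthentication', 'FormsAuthentication', 'DefaultAuthentication') |
                 ForEach-Object { [array]::IndexOf($modules, $_) } |
                 Where-Object { $_ -ge 0 }
    $authBeforeCosign = @($authIdx | Where-Object { $_ -lt $cosignIdx }).Count

    # Handler mapping from the site's web.config (modules="Cosign").
    $handler = Get-WebConfiguration -Filter 'system.webServer/handlers/add' -PSPath $psPath |
               Where-Object { $_.modules -eq 'Cosign' }

    # <protected status="..."/> as seen at the site root (assumes the schema is installed).
    $protected = (Get-WebConfiguration -Filter 'system.webServer/cosign/protected' -PSPath $psPath).status

    New-Object PSObject -Property @{
        Site              = $SiteName
        GlobalModuleFound = [bool](Get-WebGlobalModule -Name 'Cosign')
        SiteModuleIndex   = $cosignIdx
        PrecedesAuth      = ($cosignIdx -ge 0) -and ($authBeforeCosign -eq 0)
        HandlerMapped     = [bool]$handler
        ProtectedAtRoot   = $protected
    }
}

$site = 'Default Web Site'   # assumption: replace with the site name from the Sites tree
Test-CosignWiring -SiteName $site | Format-List Site, GlobalModuleFound, SiteModuleIndex, PrecedesAuth, HandlerMapped, ProtectedAtRoot
```

Every boolean should be True and SiteModuleIndex non-negative before the site is considered protected; PrecedesAuth = False means the "Move Up" step was not completed for this site.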
Additional Information
This readme is based on README from cosignmodule-3.0.0.zip.
Official Microsoft IIS Site