Penn Computing
IIS7 Installation

Prerequisites

  1. Web site, properly configured and appearing in Sites in IIS Manager
    1. Information on creating a website on IIS 7.0: http://learn.iis.net/page.aspx/372/serving-new-content/
  2. SSL access, configured for web site and tested
    1. Self-signed certificates may be used during testing
    2. Information on configuring SSL for IIS7: http://technet2.microsoft.com/WindowsServer2008/f/?en/Library/bf4afb4c-4ce3-40e1-bd4b-d7df6daeb9b61033.mspx
  3. Installed architecture-specific "Microsoft Visual C++ 2008 SP1 Redistributable Package"
    1. x86: http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en
    2. x64: http://www.microsoft.com/downloads/details.aspx?familyid=BA9257CA-337F-4B40-8C14-157CFDFFEE4E&displaylang=en
  4. IIS7 configuration bundle downloaded after service registration in WebLogin Management Console (WMC)

Installation & Configuration

  1. Unzip the configuration bundle downloaded from WMC. The bundle contains the following:
    ca-cert.pem - CoSign backchannel CA certificate
    [service registration name].crt - CoSign backchannel service-specific certificate
    [service registration name].key - CoSign backchannel service-specific key
    [service registration name].pfx - PKCS#12 file containing the above
    IIS7/CosignModule-1.0.0beta2-upenn-1.zip - the IIS7 CosignModule filter binary (and source code)
    IIS7/DEBUGGING.txt - information on debugging CosignModule
    IIS7/README.txt - this file
    IIS7/vcredist_x64_sp1_en.exe - 64-bit Microsoft Visual C++ 2008 SP1 Redistributable Package
    IIS7/vcredist_x86_sp1_en.exe - 32-bit Microsoft Visual C++ 2008 SP1 Redistributable Package

  2. Import the PKCS#12 from the configuration bundle.
    Begin Start Menu -> Run
    Type mmc.exe (or mmc /64)
    <Ctrl> M
    Select Certificates -> Add
    Select Computer Account -> Local Computer
    Finish
    Ok
    Select Certificates -> Personal -> Certificates
    Right-click Import
    Select [service registration name from WMC].pfx
    Continue through the dialog. When prompted, supply the PKCS#12 password specified in WMC when downloading the bundle.

  3. Give IIS_IUSRS "Full Control" and "Read" permissions on the private key from within the certificate manager.
    Select [the certificate that matches the one to use for CoSign]
    Right-click All Tasks -> Manage Private Keys
    Give IIS_IUSRS "Full Control" and "Read" permissions

  4. Enable trust of the CoSign CA certificate
    Select the "CoSign CA" certificate
    Click & drag -> "Trusted Root Certification Authorities"
    -> "Certificate" folder

  5. IIS_IUSRS (or the account the IIS worker process runs as) needs Full Control and Read permissions on the following Registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY:
    Begin Start Menu -> Run
    Type regedit.exe
    Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY
    Right-click Permissions
    Give IIS_IUSRS "Full Control" and "Read" permissions

  6. Create a folder for the service cookie cache:
    Begin Start Menu -> Run
    Type cmd.exe
    > md "C:\inetpub\temp\Cosign Cookie DB"
    Give IIS_IUSRS "Full Control" permissions

  7. In the file C:\Windows\System32\inetsrv\config\applicationHost.config, insert the following XML tags used for configuration:
    <configSections>
        ...
        <sectionGroup name="system.webServer">
            ...
            <section name="cosign" overrideModeDefault="Allow" />
            ...
        </sectionGroup>
    </configSections>

    ...

    <system.webServer>
        ...
        <cosign>
            <webloginServer name="weblogin.pennkey.upenn.edu"
                            loginUrl="https://weblogin.pennkey.upenn.edu/login?"
                            port="6663"
                            postErrorRedirectUrl="https://weblogin.pennkey.upenn.edu/post_error.html" />

            <crypto certificateCommonName="[service registration name from WMC]" />

            <cookieDb directory="%systemDrive%\inetpub\temp\Cosign Cookie DB\"
                      expireTime="120" />

            <proxyCookies directory="%SystemDrive%\inetpub\temp\Cosign Proxy DB" />

            <!--
            NOTE: THE FOLLOWING TAG IS NEW FOR CoSign v3
                  Be sure to replace validReference below with a regex that
                  appropriately matches URLs used to access your application(s) in your service

            NOTE: The validReference pattern is CASE-SENSITIVE.
                  Users will typically enter a lower-case domain name. We
                  recommend your server's name be lower case as well.
            -->
            <validation validReference="^https?://your\.server\.upenn\.edu/.*$"
                        errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />

            <cookies secure="true"
                     httpOnly="true" />

            <service name="cosign-[service registration name from WMC]" />

            <protected status="off" />
        </cosign>
        ...
    </system.webServer>

    Each directory can also have a web.config file that overrides inherited configuration options:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <cosign>
                <protected status="on" />
            </cosign>
        </system.webServer>
    </configuration>
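
    As an added example (not part of the original README or of CosignModule), the following Python script audits a <cosign> section like the one above: it parses the XML, checks the settings the README calls out (secure and httpOnly cookies, an anchored, lower-case validReference) and shows the case-sensitive validReference match against sample URLs. The host your.server.upenn.edu and the service name example-service in the embedded sample are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <cosign> section from applicationHost.config as shown
# in step 7, with the placeholders filled in for a hypothetical service.
SAMPLE_COSIGN_XML = """
<cosign>
  <webloginServer name="weblogin.pennkey.upenn.edu"
                  loginUrl="https://weblogin.pennkey.upenn.edu/login?"
                  port="6663"
                  postErrorRedirectUrl="https://weblogin.pennkey.upenn.edu/post_error.html" />
  <crypto certificateCommonName="example-service" />
  <validation validReference="^https?://your\\.server\\.upenn\\.edu/.*$"
              errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />
  <cookies secure="true" httpOnly="true" />
  <service name="cosign-example-service" />
  <protected status="off" />
</cosign>
"""

def valid_reference(xml_text):
    """Return the validReference pattern of a <cosign> section ('' if absent)."""
    validation = ET.fromstring(xml_text.strip()).find("validation")
    return validation.get("validReference", "") if validation is not None else ""

def audit_cosign(xml_text):
    """Check the settings the README insists on; returns a list of findings (empty = OK)."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    cookies = root.find("cookies")
    if cookies is None or cookies.get("secure") != "true":
        findings.append("cookies: secure must be true")
    if cookies is None or cookies.get("httpOnly") != "true":
        findings.append("cookies: httpOnly must be true")
    pattern = valid_reference(xml_text)
    if not (pattern.startswith("^") and pattern.endswith("$")):
        findings.append("validation: validReference is not anchored with ^ and $")
    if pattern != pattern.lower():
        findings.append("validation: validReference has upper-case characters but is case-sensitive")
    return findings

def reference_allowed(pattern, url):
    """Case-sensitive match of a URL against validReference, as the README describes."""
    return re.match(pattern, url) is not None

if __name__ == "__main__":
    print(audit_cosign(SAMPLE_COSIGN_XML))  # [] for the sample above
```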
    

  8. Enable CosignModule in IIS7:
    Begin Start -> Run
    Type cmd.exe

    The following step is only needed when upgrading and CosignModule.dll cannot be overwritten.
       > iisreset /stop
    
    Copy the CoSign configuration schema and module DLL into place on the filesystem.
    
       > copy /Y Cosign_Schema.xml C:\Windows\System32\inetsrv\config\schema
    
       > copy /Y CosignModule.dll C:\Windows\System32\inetsrv
    
    The following step is unnecessary when upgrading rather than installing for the first time.
       > appcmd install module /name:"Cosign" /image:"CosignModule.dll" /add:"false" 
    
       > iisreset
    
    Should you need to remove CosignModule from the IIS7 config, execute the following commands:
       > appcmd uninstall module "Cosign"
       > iisreset
    

  9. Configure the validation handler mapping: Add the following directives to web.config at the root of the site to be protected by CoSign:
       <configuration>
           <!-- Disable CoSign protection for /cosign/valid -->
           <location path="cosign/valid">
               ...
               <system.webServer>
                   <cosign>
                       <protected status="off" />
                   </cosign>
               </system.webServer>
               ...
           </location>
    
           <system.webServer>
               ...
               <!-- Configure CosignModule.dll to handle /cosign/valid -->
               <handlers>
                   <add name="CoSign Validation Handler" path="/cosign/valid*" verb="*" modules="Cosign" resourceType="Unspecified" />
               </handlers>
               ...
           </system.webServer>
       </configuration>
    

  10. Set lockItem="false" for each module listed in C:\Windows\System32\inetsrv\config\applicationHost.config, as below:
       <configuration>
           <location path="" overrideMode="Allow">
               <system.webServer>
                   <modules>
                       ...
                       <add name="[some module name]" lockItem="false" />
                       ...
                   </modules>
               </system.webServer>
           </location>
       </configuration>
    

  11. Add CosignModule to configured website:
    Begin Start -> Run
    Type cmd.exe
    > appcmd add module /name:"Cosign" /app.name:"[name of website as listed in Sites tree]/"

    To remove CosignModule from the configured website:
       > appcmd delete module "Cosign" /app.name:"[name of website as listed in Sites tree]/"
    
    The module can also be added and removed from the IIS Manager interface.
    Please note: the CosignModule is not designed to be loaded as a global module.

  12. Increase priority of CosignModule:
    In IIS Manager, navigate to the site you are configuring to use CoSign. Click on "Modules", then "View Ordered List..." in the sidebar. "Cosign" should appear in the list. Select "Cosign" and click "Move Up" until Cosign appears higher than WindowsAuthentication, FormsAuthentication, and DefaultAuthentication.
Your site should now be protected using Cosign.

Additional Information

This README is based on the README from cosignmodule-3.0.0.zip.

Official Microsoft IIS Site