Penn Computing
ISC Networking & Telecommunications
Configuring IIS7 for Multiple Sites with CoSign

Introduction

This documentation covers installing multiple CoSign-enabled sites on a single IIS 7 server.

Assumptions: You have already registered more than one service via the WebLogin Management Console (WMC). You can check your registrations in the WebLogin Management Console at:
https://weblogin.pennkey.upenn.edu/provision/service-registration.

Limitations: When installing multiple sites on a single IIS 7 server you may only use one certificate. All of the sites hosted on this web server MUST use the same certificate.

Modifying Your WMC Registration

IIS 7 with CoSign may only use one certificate across all CoSign instances on the same server. Therefore, you must select one CoSign service certificate to use for all CoSign services. The selected certificate will then be granted permissions for the other services/applications running on the same server. This is done as follows:

  1. Log into the WebLogin Management Console to view all of your registrations.
  2. You will see a list of all of the services which you have registered. Select one of the services to configure as the "master" service. This service and its certificate will be granted permissions for the other services which will reside on the same IIS 7 server.
  3. Open the desired "master" service name by clicking the hyperlink for the name. The details for the service will be opened.
  4. Locate the field Certificate Permissions and select the link for Configure. The Configure Certificate Permissions page will be displayed.
  5. Select any additional services to register with this certificate. If you need to select more than one additional service, hold down the Ctrl key while making your selections. Once all additional services are selected, click Save. Note: select all of the services associated with the other web sites which you plan to migrate to the single IIS 7 server.

[Screenshot: list of registered services] Determine which services are going to exist on the same server. The "master" service certificate will be used for all other services. In most situations, you will still want a unique service for each site/application.

[Screenshot: Configure Certificate Permissions page] Open the details for the desired service which will have the "master" certificate. Select the Configure hyperlink and you will see a display similar to the screenshot above.

[Screenshot: certificate permissions list] All services which a certificate has access to will be listed.

Which Bundle Will I Actually Use?
You will be using the bundle from the "Master" service which has been configured as above:
  • The actual configuration change was not made to the "Master" certificate, but the "Master" service bundle is the one you want to use on your host.
  • You will receive an e-mail notification about the service where the configuration was made, but this is NOT the bundle you will be using on your host.

Installing CoSign and Associated Sites

Once the permissions have been established as specified above, we need to move on to configuring the IIS 7 server with multiple CoSign-enabled sites. All of the files required for any typical IIS 7 CoSign install must be installed on this server as well. Please consult the configuring IIS 7 documentation to review those setup items. The steps vary slightly depending on whether you have multiple sites with their own unique domain / IP, or sites which share a single domain / IP and live in separate directories.

Multi-Site IIS 7 Enabled CoSign Instructions with Multiple IP Addresses

Only use the following directions if you have multiple sites which all have their own unique domain / IP address.

  1. Install the web application/site files to C:\inetpub\wwwroot\ (or another location if you have site specific requirements).
  2. Open Internet Information Services Manager on the server.
  3. Right-Click the Sites Entry and select Add Web Site.
  4. Enter the following information for your web-site:
    1. Site Name - a short name for your web site.
    2. Physical Path - browse to the location you installed your files in step #1 above.
    3. Binding - usually you will select https here unless your application has other requirements.
    4. IP Address - select the IP Address which is to be associated with this site. You should know which IP address is associated with the web address of this web-site and select that IP Address.
    5. SSL Certificate - Select the appropriate certificate. This should be the same for all of your web-sites. It is the "master" certificate which was referenced in "Modifying Your WMC Registration" section above.
    6. Click OK to create your site.
  5. Once your site is established open the SSL settings option. Make sure "Require SSL" is checked and "Ignore Client Certificates" is selected if you are using an SSL enabled site.

Multi-Site IIS 7 Enabled CoSign with One IP Address

Only use the following directions if you have multiple sites working under a single domain and IP address. This is useful for multiple applications which require their own authentication and are rooted at the same domain name (e.g. https://mydomain.edu/APP_A/ and https://mydomain.edu/APP_B/).

Be Careful
Since your site will be in a sub-directory of the web domain, you will need to ensure the following:
  • That your WMC Validation Handler URL (within the WMC registration application online) includes the sub-directory. For example, https://cosigndev.upenn.edu/app_a/cosign/valid
  • That your validation reference includes the sub-directory as well, or at least matches everything after the top-level domain.
  • That your handler in the web.config includes the sub-directory as well; for example, instead of /cosign/valid/ it would be something like /app_a/cosign/valid/.
  1. Install the web application/site files to C:\inetpub\wwwroot\ (or another location if you have site specific requirements). You should only be making a single directory under C:\inetpub\wwwroot\. Each application should be within this directory. For example, assume we have two applications for our Financial web-site. We would want the following directory: C:\inetpub\wwwroot\Financial\ with two sub-directories: C:\inetpub\wwwroot\Financial\Application_A\ and C:\inetpub\wwwroot\Financial\Application_B\.
  2. Open Internet Information Services Manager on the server.
  3. Right-Click the Sites Entry and select Add Web Site.
    1. Site Name - a short name for your web site.
    2. Physical Path - browse to the location you installed your files in step #1 above.
    3. Binding - usually you will select https here unless your application has other requirements.
    4. IP Address - select the IP Address which is to be associated with this site. You should know which IP address is associated with the web address of this web-site and select that IP Address.
    5. SSL Certificate - Select the appropriate certificate. This should be the same for all of your web-sites. It is the "master" certificate which was referenced in "Modifying Your WMC Registration" section above.
    6. Click OK to create your site.
  4. Your site should now be viewable in IIS Tree View. Expand the web-site and you should see all of the sub-directories which you added. Right-Click each of these applications and select Convert to Application.
  5. Once your site is established open the SSL settings option. Make sure "Require SSL" is checked and "Ignore Client Certificates" is selected if you are using an SSL enabled site.

Tweaking your Configuration

Your web.config and applicationHost.config files now need to be tweaked so your CoSign enabled sites can co-exist on the same IIS 7 server. Copying and pasting your old files from a previous setup will not work.

Tweaking Summary: You will be moving attributes out of the global applicationHost.config and into the site specific web.config files. The global applicationHost.config needs to know about the master certificate being used, and the web.config files need to know about the site specific service names and validation handler URLs.

Tweaking the applicationHost.config file

We will be making three modifications to the applicationHost.config file (removing the validation reference expression, removing the service name, and ensuring the crypto certificateCommonName is correct).

  1. Navigate to C:\Windows\System32\config\ and open the file applicationHost.config.
  2. Backup your applicationHost.config file in case you need to revert any changes.
  3. Locate the cosign section which was put in place when CoSign was originally installed.
  4. Ensure that the attribute "crypto certificateCommonName" is set to the certificate which all sites on this server will be using. (This was done in the section "Modifying Your WMC Registration" above). If it is not set correctly make that modification now.
  5. Delete the following two entries from the cosign section (you may want to copy and paste them into a temporary Notepad document for now, as they may be re-used in the site-specific web.config files):

     <validation validReference="^https?://your\.server\.upenn\.edu/.*$"
                 errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />

     <service name=" <SERVICE REGISTRATION NAME FROM WMC> " />


Tweaking the web.config file for each CoSign enabled site

We will be adding two entries to the web.config file of each CoSign-enabled web site on this server: a site-specific service name entry and a validation reference regular expression.

  1. Navigate to C:\inetpub\wwwroot\ <LOCATION OF YOUR SITE FILES>
  2. Backup your web.config file in case you need to revert any changes.
  3. Locate the section of the xml where the CoSign specific entries exist. You want the section which has a "protected status=on" entry.
  4. Add two entries to this section, one for the service name associated with this site and another for the validation reference regular expression. For example:

     <service name="<SERVICE REGISTRATION NAME FROM WMC>" />
     <validation validReference="^https?:// <MY EXPRESSION FOR VALID SITE NAME> $"
                 errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />

  5. Finally, make sure your handler in the web.config file specifies the directory path to this application. For single IP/multi-site, instead of /cosign/valid/ you will have something like /App_B/cosign/valid/. For multi-IP it should remain /cosign/valid; each site still needs this entry in its own web.config.

Troubleshooting

Getting Validation Looping

If you are getting validation looping then you need to check the WMC registration with each of your sites. The WMC service registration has a "Validation Handler URL" entry. This should look like:
https://<YOUR WEBSITE NAME>/cosign/valid

If you are using a single IP address you will need the directory where your application resides such as:
https://<YOUR WEBSITE NAME>/APP_A/cosign/valid

Note: This is different than your validation reference regular expression.

Getting Validation Error

If you get directed to a web site which states URL Validation Failed, then there is probably an error in the validation validReference regular expression provided in the web.config file for this web site. Review the regular expression and ensure that it is set up to match the web site. It is important to use an expression which matches this site only, and not any site, to prevent account compromise.

Getting HTTP 404-0 Not Found

You need to review the handler for cosign in the web.config file. Most likely, you have a multi-site single IP address setup and you need to configure your handler for this site to have more than just /cosign/valid. For example:

     <add name="Cosign Validation" path="/App_B/cosign/valid*" verb="*" modules="Cosign" resourceType="Unspecified" />

The Service Name is not Appearing as Expected in the URL

In some setups the configuration does not work and the service name does not appear in the URL as expected. If this occurs, check your XML configuration for the CoSign directives. The CoSign directives (service name, validation URL, etc.) must be a child of system.webServer and must not be a child of location. If they are placed incorrectly, CoSign will not be able to see the directives and may present the service as an empty string with the "cosign-" prefix.
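The following is an added example, not part of this page or of CoSign itself, that checks a site's web.config for the three mistakes covered under "Tweaking the web.config file" and in Troubleshooting: a validReference that fails to match the site or is broad enough to match other hosts, a handler path that does not cover the WMC Validation Handler URL (HTTP 404), and a cosign section that is not a direct child of system.webServer. The embedded web.config, the host mydomain.edu and the service name are constructed sample values, and the <cosign> element layout is assumed from the page's description of the "cosign section".

```python
import re
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Constructed sample web.config for App_B in a single-IP multi-site setup. The
# <cosign> element and its children are an assumption; the handler entry is the page's.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.webServer>
    <cosign>
      <protected status="on" />
      <service name="my-app-b-service" />
      <validation validReference="^https?://mydomain\.edu/App_B/.*$"
                  errorRedirectUrl="https://weblogin.pennkey.upenn.edu/validation_error.html" />
    </cosign>
    <handlers>
      <add name="Cosign Validation" path="/App_B/cosign/valid*" verb="*"
           modules="Cosign" resourceType="Unspecified" />
    </handlers>
  </system.webServer>
</configuration>"""

def load_cosign_settings(xml_text):
    """Return the site-specific CoSign values; fail if the cosign section is
    not a direct child of system.webServer (e.g. wrapped in <location>)."""
    root = ET.fromstring(xml_text)
    ws = next((c for c in root if c.tag == "system.webServer"), None)
    cosign = next((c for c in ws if c.tag == "cosign"), None) if ws is not None else None
    if cosign is None:
        raise ValueError("cosign section must be a direct child of system.webServer")
    handler = ws.find("handlers/add[@modules='Cosign']")
    return {
        "service": cosign.find("service").get("name"),
        "validReference": cosign.find("validation").get("validReference"),
        "handler_path": handler.get("path") if handler is not None else None,
    }

def check_valid_reference(pattern, site_urls, foreign_urls):
    """List problems: every site URL must match, no foreign URL may match."""
    rx = re.compile(pattern)
    problems = [f"site URL not matched (validation error): {u}"
                for u in site_urls if not rx.match(u)]
    problems += [f"pattern too broad, also matches: {u}"
                 for u in foreign_urls if rx.match(u)]
    return problems

def handler_covers_wmc_url(handler_path, wmc_handler_url):
    """True if the IIS wildcard handler path (case-insensitive) covers the path of the WMC Validation Handler URL; False means HTTP 404."""
    path = "/" + wmc_handler_url.split("/", 3)[3]
    return fnmatchcase(path.lower(), handler_path.lower())
```

Run check_valid_reference with your site's own URLs plus a few URLs on other hosts; any "too broad" line means the expression should be tightened before the site goes live.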

Information Systems and Computing
University of Pennsylvania