Installing and configuring CoSign on an IIS web server

The instructions on this page cover installation and configuration of the CoSign software on an IIS web server.

If you simply want to use CoSign functionality on a server that already has CoSign installed and configured, you should read the instructions on using CoSign.

What is CoSign

CoSign is the Web Single Sign-On operated by ISS for use on central and departmental web servers and applications. Where possible, CoSign authenticates users (i.e. proves their identity) based on their existing credentials, so that no additional password prompts are necessary. Where this is not possible, either because there are no existing credentials, or because the browser is unable to pass them securely, the user will be prompted for his or her password just once per browser session, and the password will always be sent over a secure connection.

CoSign Web applications do not need to handle users' passwords; they are simply notified of the user's identity.

CoSign has been tested with a wide variety of browsers and operating systems, and is believed to operate correctly and securely in all circumstances.

How to install iiscosign on an IIS web server

iiscosign is an ISAPI filter module for IIS that is required for participation in a CoSign Single Sign-On environment.

Obtaining IISCosign

• Download the IIS Cosign filter from https://sourceforge.net/projects/cosign/files/cosign-windows/
• Create a folder called "C:\Program Files\IISCosign" on your web server
• Unzip the iiscosign filter into the above folder
• Within "C:\Program Files\IISCosign", create the following sub-folders:
  • SSL
  • Logs
  • CookieDB

Request a certificate for use with CoSign

• Open a command prompt and cd to your "C:\Program Files\IISCosign" folder.
• Follow the general instructions for creatiing a certificate request at:
  http://www.lancs.ac.uk/iss/tsg/cosign/csr.html
  Alternatively:
  • Copy "luconfig.cfg" (from ?) to your "C:\Program Files\IISCosign" folder. Amend this file to include your web server name and contact email.
  • Run the following commands (where servername is the name of your web server):
    openssl genrsa 1024 > servername.key
    openssl req -new -config luconfig.cfg
        -key servername.key
        -out servername.csr
    
  • Send an e-mail to Steve Bennett, attaching the servername.csr file
• In reply, you should receive a file named 'tt>servername-cert.pem'.
• Take the 'cert' part of the servername-cert.pem file and put it into a new file called servername.cert. The cert part is the data between and including the lines:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  Be sure the line with BEGIN CERTIFICATE is the very first line of the servername.cert file.
• Copy the servername.cert file into the \SSL sub-folder.
• Download the following files and save them in the \SSL sub-folder:
  • https://www.lancs.ac.uk/iss/ca/LUrootCA.pem (Save as LUrootCA.pem)
  • https://www.lancs.ac.uk/iss/ca/LU-rootca-2016.pem (Save as LU-rootca-2016.pem)
  • https://www.lancs.ac.uk/iss/ca/LU-cosignCA-2016.pem (Save as LU-cosignCA-2016.pem)

Configure IISCosign

• Copy sample.cosign.dll.config to cosign.dll.config
• Amend the settings in cosign.dll.config: Replace "server.name" with your web server name (including the .lancs.ac.uk).
  
• For the <LoginServer> element set:
  <DNSName> = "cosign.lancs.ac.uk"
  <LoginURL> = "https://weblogin.lancs.ac.uk/?"
  <LoginPostErrorURL> = "https://weblogin.lancs.ac.uk/post_error.html"
  
• For the <Service> element set:
  <Name> = "cosign-http-" + web server name (including .lancs.ac.uk)
  <Website> = web server name (including .lancs.ac.uk)
  
• Remove <SiteEntry> element, and all of the elements relating to multi-factor authentication Set the <Protected>, <AllowPublicAccess> and <Unprotected> elements as appropriate depending on which locations within your IIS website you want to use the Cosign filter for authentication.
• Move msxml4.dll and msxml4r.dll to the System32 folder.
• Run regsvr32 msxml4.dll from a command prompt. You should see a dialog box confirming success.
• Open up the Internet Services Manager. Stop the web site you would like to have protected by cosign.
• Right-click on the site you just stopped and select 'Properties.' Select the 'ISAPI Filters' tab. Click 'Add.' Browse or type in the path where you placed Cosign.dll and name it "Cosign Filter."
• Restart the web site.
• It is now filtered! Try visiting your site: make sure you're properly redirected to the weblogin server and are then redirected back with authenticated access. PLEASE NOTE: Some servers require you to Restart IIS for the filter to load properly.

Additional configuration required on Windows 2003

• For your entire \IISCosign\ folder: IIS_WPG needs needs everything selected except for "Special Permissions." Be sure to select the option that applies these permissions to the folder contents and sub-folders.
• For the \CookieDB\ folder: Internet Guest Account, IUSR_[machine name] needs Read and Write selected.
• For the \Logs\ folder: IUSR_[machine name] - Read & execute, list folder contents, Read, and Write.

If you encounter problems it can be useful to load up the debug version of the Cosign ISAPI filter (cosigndbg.dll) and use DebugView (free download from SysInternals) to capture the logging information.