Installing and configuring CoSign on Windows Server 2003/IIS6
The instructions on this page cover installation and configuration of the CoSign
software on an IIS6 web server running on Windows Server 2003.
Installation instructions for other types can be found using the following links:
If you simply want to use CoSign functionality on a server that already has
CoSign installed and configured, you should read the
instructions on using CoSign.
What is CoSign
CoSign is the Web Single Sign-On service operated by ISS
for use on central and departmental web servers and applications.
Where possible, CoSign authenticates users (i.e. proves their identity)
based on their existing credentials,
so that no additional password prompts are necessary.
Where this is not possible,
either because there are no existing credentials,
or because the browser is unable to pass them securely,
the user will be prompted for his or her password just
once per browser session,
and the password will always be sent over a secure connection.
CoSign Web applications do not need to handle users' passwords; they are
simply notified of the user's identity.
CoSign has been tested with a wide variety of browsers and operating systems,
and is believed to operate correctly and securely in all circumstances.
How to install iiscosign on Windows Server 2003/IIS6
Pre-requisites
Before starting your CoSign installation, make sure the following are installed and set up on your server:
- IIS6
- The domain name you wish to use
- An SSL certificate for the domain name
Notation
In these instructions the following notation is used:
- domainname - the root domain name of your web server, to which ".lancs.ac.uk" is appended, for example "mydomain.lancs.ac.uk". The SSL certificate must be issued for this domain name.
- servername - the name of the web server, for example "MIS-SPRING".
Obtaining the Cosign Windows Filter (IIS Cosign)
iiscosign is an ISAPI filter module for IIS
that is required for participation in a CoSign Single Sign-On environment.
- Go to http://weblogin.org/ and download the zip file for:
- Extract the files onto the desktop of the server. The folder will be called iiscosign-[version].
- Move the iiscosign-[version] folder into "C:\Program Files" and rename it "IISCosign".
- Within "C:\Program Files\IISCosign", create the following sub-folders:
Additional configuration required on Windows 2003
If you're using Windows 2003, you'll need to set some additional permissions:
- For your entire \IISCosign\ folder, update the permissions for IIS_WPG. It needs everything selected except for "Special Permissions". Make sure you select the option that applies these permissions to the folder contents and sub-folders.
- For the \CookieDB\ folder, update the permissions for Internet Guest Account and IUSR_[machine name]. They need "Read" and "Write" selected.
- For the \Logs\ folder, update the permissions for IUSR_[machine name]. It requires "Read & execute", "List folder contents", "Read" and "Write".
Request a certificate for use with CoSign
Configure IISCosign
- In the IISCosign folder make a copy of the file sample.cosign.dll.config and rename it to cosign.dll.config
- Amend the settings in cosign.dll.config:
<Cosign xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="iiscosign.xsd">
  ...
  <ChainFilePath>C:\Program Files\IISCosign\SSL\domainname.lancs.ac.uk.cert</ChainFilePath>
  <PrivateKeyFilePath>C:\Program Files\IISCosign\SSL\domainname.lancs.ac.uk.key</PrivateKeyFilePath>
  ...
  <LoginServer>
    <DNSName>cosign.lancs.ac.uk</DNSName>
    <LoginURL>https://weblogin.lancs.ac.uk/?</LoginURL>
    <LoginPostErrorURL>https://weblogin.lancs.ac.uk/post_error.html</LoginPostErrorURL>
    ...
  </LoginServer>
  ...
  <!-- Anchor the pattern at both ends and restrict the host part, so that only
       hosts under lancs.ac.uk are accepted as post-login redirect targets -->
  <ValidReference>^https?:\/\/([A-Za-z0-9-]+\.)*lancs\.ac\.uk(:[0-9]+)?(\/.*)?$</ValidReference>
  <ValidationErrorRedirect>https://weblogin.lancs.ac.uk/cosign/validation_error.html</ValidationErrorRedirect>
  ...
  <!-- Need at least one Service -->
  <!-- If more unique Service names are needed, add more Service tags! -->
  <!-- If more web sites need to be protected, add a new Service tag. -->
  <!-- Multiple web sites can share the same service name. -->
  <Service>
    <Name>cosign-https-domainname</Name><!-- use "cosign-http-domainname.lancs.ac.uk" if not using HTTPS -->
    <Cookies><HttpOnly>false</HttpOnly></Cookies><!-- use "<HttpOnly>true</HttpOnly>" if not using HTTPS -->
    <Website>domainname.lancs.ac.uk</Website>
    <Protected>/TestSite</Protected>
  </Service>
</Cosign>
- Amend the following settings in cosign.dll.config:
- Remove the <SiteEntry> element and all of the elements relating to multi-factor authentication. For more information on how to use these, consult the ReadMe.txt file included in the Cosign Filter deployment.
- Set the <Protected>, <AllowPublicAccess> and <Unprotected> elements as appropriate, depending on which locations within your IIS website you want the Cosign filter to authenticate. For example: <Protected>/TestSite</Protected>
- Open an Explorer window and navigate to "C:\windows\system32". Check for the files "msxml4.dll" and "msxml4r.dll". If they aren't there, ask for help: someone else with an IIS6 Cosign filter installation will be able to provide the files.
- Open a command prompt and run the following command. You should see a dialog box confirming success.
regsvr32 msxml4.dll
- Open up the "Internet Information Services (IIS) Manager".
- Find the web site you would like to have protected by cosign, right-click on it and select "Properties".
- In the properties dialog
- Select the "ISAPI Filters" tab.
- Click "Add"
- Browse to or type the path of your cosign.dll file. This should be "C:\Program Files\IISCosign\cosign.dll"
- Enter the filter name "IIS Cosign"
- Click "OK"
- The filter should now be listed in the dialog but with an unknown status. Restart the web site to load the filter.
- Try visiting your web site on your web server that you entered as <Protected> in the cosign.dll.config
- Make sure you're properly redirected to the weblogin server and are then redirected back with authenticated access.
- PLEASE NOTE: Some servers require you to Restart IIS for the filter to load properly.
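The <ValidReference> pattern decides which URLs the filter will send a user to after login, so it is worth testing before deployment. The following Python script is an added example (not part of the CoSign filter or its ReadMe) showing why a pattern anchored only at the start, such as `^https?:\/\/.*\.lancs\.ac\.uk(\/.*)?`, also accepts targets on other hosts, and how a pattern anchored at both ends with a restricted host part rejects them; the URLs are constructed test cases.

```python
"""Test a ValidReference regex against constructed redirect targets.

Added example for checking cosign.dll.config; it is not code from the
iiscosign filter. The URLs below are constructed test cases.
"""
import re

# Anchored at the start only: ".*" may swallow the real host, and nothing
# stops extra text after "lancs.ac.uk".
WEAK_PATTERN = r"^https?:\/\/.*\.lancs\.ac\.uk(\/.*)?"

# Tightened form: hostname labels only, optional port, anchored at both ends.
STRICT_PATTERN = r"^https?:\/\/([A-Za-z0-9-]+\.)*lancs\.ac\.uk(:[0-9]+)?(\/.*)?$"

# Constructed targets: the first two are legitimate, the rest resolve elsewhere.
SAMPLE_URLS = [
    "https://mydomain.lancs.ac.uk/TestSite",
    "http://weblogin.lancs.ac.uk/?x=1",
    "https://mydomain.lancs.ac.uk.example.net/",  # lancs.ac.uk as a host prefix
    "https://example.net/?next=.lancs.ac.uk",     # matched only in the query string
    "https://example.net/#.lancs.ac.uk",          # matched only in the fragment
    "https://x.lancs.ac.uk@example.net/",         # userinfo trick: host is example.net
]


def is_valid_reference(pattern: str, url: str) -> bool:
    """Mimic a filter that tests the redirect target with a start-anchored regex."""
    return re.match(pattern, url) is not None


def accepted(pattern: str, urls=SAMPLE_URLS) -> list:
    """Return the URLs a given ValidReference pattern would let through."""
    return [u for u in urls if is_valid_reference(pattern, u)]


if __name__ == "__main__":
    for name, pattern in (("weak", WEAK_PATTERN), ("strict", STRICT_PATTERN)):
        print(f"{name}: accepts {len(accepted(pattern))} of {len(SAMPLE_URLS)}")
        for url in accepted(pattern):
            print("  ", url)
```

The weak pattern accepts all six targets; the strict one accepts only the two hosts under lancs.ac.uk.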
Help!
All of the information in these instructions was taken from the ReadMe.txt file in the
Cosign Filter directory. For further information and help, please read these files and use the URLs suggested at the end of each.
If you encounter problems it can be useful to load the debug version (cosigndbg.dll) or trace version (cosigntrace.dll)
of the Cosign ISAPI filter, which write diagnostic information to the event log. You can also use these with DebugView
(a free download from SysInternals) to capture the logging output.