Installing and configuring CoSign on Windows Server 2003/IIS6

The instructions on this page cover installation and configuration of the CoSign software on an IIS6 web server running on Windows Server 2003.

Installation instructions for other types can be found using the following links:

• Apache
• Tomcat
• Windows Server2003/IIS6
• Windows Server2008/IIS7

If you simply want to use CoSign functionality on a server that already has CoSign installed and configured, you should read the instructions on using CoSign.

What is CoSign

CoSign is the Web Single Sign-On operated by ISS for use on central and departmental web servers and applications. Where possible, CoSign authenticates users (i.e. proves their identity) based on their existing credentials, so that no additional password prompts are necessary. Where this is not possible, either because there are no existing credentials, or because the browser is unable to pass them securely, the user will be prompted for his or her password just once per browser session, and the password will always be sent over a secure connection.

CoSign Web applications do not need to handle users' passwords; they are simply notified of the user's identity.

CoSign has been tested with a wide variety of browsers and operating systems, and is believed to operate correctly and securely in all circumstances.

How to install iiscosign on Windows Server 2003/IIS6

Pre-requisites

Before starting your cosign installation make sure you have the following installed/setup on your server:

• IIS6
• The domain name you wish to use
• An SSL certificate for the domain name

Notation

In these instructions the following notation is used:

• domainname - this is the root domain name for your web server which will be followed by ".lancs.ac.uk". For example "mydomain.lancs.ac.uk". The domain name must have the SSL certificat associated with it.
• servername - this is the name of the web server. For example "MIS-SPRING".

Obtaining the Cosign Windows Filter (IIS Cosign)

iiscosign is an ISAPI filter module for IIS that is required for participation in a CoSign Single Sign-On environment.

• Go to http://weblogin.org/ and download the zip file for:
  • Windows Filter
• Extract these files onto the desktop of the server. The folder will be called iiscosign-[version].
• Move the iiscosign-[version] into "C:\Program Files" and rename the folder "IISCosign".
• Within "C:\Program Files\IISCosign", create the following sub-folders:
  • SSL
  • Logs
  • CookieDB

Additional configuration required on Windows 2003

• For your entire \IISCosign\ folder update the permissions for IIS_WPG. It needs everything selected except for "Special Permissions". Make sure you select the option that applies these permissions to the folder contents and sub-folders.
• For the \CookieDB\ folder update the permissions for Internet Guest Account and IUSR_[machine name]. They need "Read" and "Write" selected.
• For the \Logs\ folder update the permissions for IUSR_[machine name]. It requires "Read & execute", "list folder contents", "Read", and "Write".

Request a certificate for use with CoSign

• Follow the general instructions for creatiing a certificate request at: http://www.lancs.ac.uk/iss/tsg/cosign/csr.html
• Alternatively use the instructions for Generating a Certificate Signing Request, suitable for use with CoSign on Windows

Configure IISCosign

• In the IISCosign folder make a copy of the file sample.cosign.dll.config and rename it to cosign.dll.config
• Amend the settings in cosign.dll.config:
  <Cosign xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="iiscosign.xsd">
      ...
      <ChainFilePath>C:\Program Files\IISCosign\SSL\domainname.lancs.ac.uk.cert</ChainFilePath>
      <PrivateKeyFilePath>C:\Program Files\IISCosign\SSL\domainname.lancs.ac.uk.key</PrivateKeyFilePath>
      ...
      <LoginServer>
          <DNSName>cosign.lancs.ac.uk</DNSName>
          <LoginURL>https://weblogin.lancs.ac.uk/?</LoginURL>
          <LoginPostErrorURL>https://weblogin.lancs.ac.uk/post_error.html</LoginPostErrorURL>
          ...
      </LoginServer>
      ...
      <ValidReference>^https?:\/\/.*\.lancs\.ac\.uk(\/.*)?</ValidReference>
      <ValidationErrorRedirect>https://weblogin.lancs.ac.uk/cosign/validation_error.html</ValidationErrorRedirect>
      ...
      <!-- Need at least one Service -->
      <!-- If more unique Service names are needed, add more Service tags! -->
      <!-- If more web sites need to be protected, add a new Service tag. -->
      <!-- Multiple web sites can share the same service name. -->
      <Service>
          <Name>cosign-https-domainname</Name><!-- use "cosign-http-domainname.lancs.ac.uk" if not using HTTPS-->
          <Cookies><HttpOnly>false</HttpOnly></Cookies><!-- use "<HttpOnly>true</HttpOnly>" if not using HTTPS-->
          <Website>domainname.lancs.ac.uk</Website>
          <Protected>/TestSite</Protected>
      </Service>
  </Cosign>
• Amend the following settings in cosign.dll.config:
  • Remove <SiteEntry> element, and all of the elements relating to multi-factor authentication. For more information on how to use these please consult the ReadMe.txt file that is included in the Cosign Filter deployment.
  • Set the <Protected>, <AllowPublicAccess> and <Unprotected> elements as appropriate depending on which locations within your IIS website you want to use the Cosign filter for authentication. For example <Protected>/TestSite</Protected>
• Open an explorer window and navigate to "C:\windows\system32". Check for the files "msxml4.dll" and "msxml4r.dll". If they aren't there ask for help. Someone else with an IIS6 cosign filter installation will be able to provide the files.
• Open a command prompt and run the following command. You should see a dialog box confirming success.
  regsvr32 msxml4.dll
• Open up the "Internet Information Services (IIS) Manager".
• Find the web site you would like to have protected by cosign, right-click on it and select "Properties".
• In the properties dialog
  • Select the "ISAPI Filters" tab.
  • Click "Add"
  • Browse to or type the path for your cosign.dll file. This should be "C:\Program Files\IISCosign"
  • Enter the filter name "IIS Cosign"
  • Click "OK"
• The filter should now be listed in the dialog but with an unknown status. Restart the web site to load the filter.
• Try visiting your web site on your web server that you entered as <Protected> in the cosign.dll.config
  • Make sure you're properly redirected to the weblogin server and are then redirected back with authenticated access.
  • PLEASE NOTE: Some servers require you to Restart IIS for the filter to load properly.

Help!

All of the information for these instructions was taken from the ReadMe.txt file in the Cosign Filter directory. For further information and help please read these files and use the URLs suggested at the end of each.

If you encounter problems it can be useful to load up the debug version (cosigndbg.dll) or trace version (cosigntrace.dll) of the Cosign ISAPI filter which will enter information in the event log. You can also use these with DebugView (free download from SysInternals) to capture the logging information.