University Of Cambridge Web Authentication System

Yüklə 58,23 Kb.

tarix	30.10.2017
ölçüsü	58,23 Kb.
	#22731

University of Cambridge Web Authentication System

IIS Authentication Agent

Version 0.5.1.7

1 Introduction 1

2 Installing the agent 1

3 Uninstalling the agent 2

4 Operating requirements 2

4.1 RSA Public Keys 2

4.2 Timekeeping 2

5 Configuration 2

5.1 Computer settings 3

5.1.1 UCam Web Auth Users sheet 3

5.1.2 UCam Web Auth Keys sheet 4

5.2 Virtual server settings 4

5.2.1 UCam Web Auth Config sheet 5

5.3 Virtual directory, directory and file settings 8

5.3.1 UCam Web Auth 8

5.3.2 Access rights dialog 11

5.3.3 Messages dialog 12

5.3.4 Logout settings dialog 13

6 Authentication information 14

7 Licencing 14

8 Build requirements 15

8.1 Installing Microsoft Visual C++ Express Edition 15

8.2 Installing Microsoft Platform SDK 15

8.3 Configuring Microsoft Visual C++ Express Edition 15

8.3.1 Update Platform SDK directories 15

9 Building the agent and utilities executable 15

1Introduction

The University of Cambridge Web Authentication System IIS Authentication Agent (UCam_WebAuth_IIS) allows IIS to use a Cambridge Web Authentication System (UCamWebauth) to identify users. Within the University, such a system is provided by Raven:

https://raven.cam.ac.uk/

The latest version of the module can be obtained from

http://raven.cam.ac.uk/project/iis/

The operation of UCam_WebAuth_IIS is quite complex (see the UCamWebauth documentation available at http://raven.cam.ac.uk/project/) but a common sequence goes:

An initial request for a protected document causes UCam_WebAuth_IIS to redirect the user's browser to a central authentication server
The authentication server and the user interact to establish the user's identity. This normally involves the user providing a user-id and password over a secure connection. The authentication server may set a session cookie so that it can respond to future authentication requests without needing to ask for the password again.
The central server redirects the user to the URL the user originally requested, including in the URL a cryptographically signed 'response' containing the user's identity and other information.
UCam_WebAuth_IIS intercepts this response and validates it. If this validation succeeds, UCam_WebAuth_IIS sets a local session cookie containing the user's identity.
The user's browser is then redirected to the original URL yet again, this time without the response message. This request, and all subsequent ones for URLs that are similarly protected, are processed based on the information from the session cookie.

The use of cookies may alarm some users. Sites that use ucam_webauth_iis should include a note about the local session cookie in their privacy policy or other suitable document. The cookie is set with no expiry date, which will prevent standards-compliant browsers from storing it on disk and will cause them to delete it at the end of the browser session. It is also set by default so that it will only be returned to the originating site. Sites can customise some of the behaviour of the session cookie – see section 5.3.1.

Because of the way that UCam_WebAuth_IIS is implemented, if a redirect to the authentication server is triggered by an HTTP POST request then any parameters submitted along with the POST request will be lost. This is particularly annoying if you e.g. submit a carefully constructed message to a bulletin board only to discover that your session cookie has expired while you were composing the message. A warning message is logged to the error log if a redirect is required when responding to a POST request.

2Installing the agent

Start the Component Services administrative tool
Browse to ‘IIS WAMREG admin service’ in ‘Component Services\Computers\My Computer\DCOM Config’ and open the properties window from the context menu
In the security tab, edit the ‘Launch and Activation Permissions’
Grant the user running the web service the ‘Local Launch’ and ‘Local Activation’ rights. This will typically be ‘NETWORK SERVICE’. Additionally, these rights may need to be granted to the users running application pools
Close the Component Services administrative tool
Copy UCam_WebAuth_IIS.dll and UCam_WebAuth_IIS_Utils.exe to C:\Windows\System32\InetSrv
Start a command prompt in this directory
Run the command ` UCam_WebAuth_IIS_Utils.exe -i`
Run the command `IISReset` - this will cause a restart of the web service
If the ‘Internet Information Services (IIS) Manager’ administrative tool is open, it will need to be restarted.

3Uninstalling the agent

Close the ‘Internet Information Services (IIS) Manager’ administrative tool
Close the ‘Event Viewer’ administrative tool
Start a command prompt
Change to C:\Windows\System32\InetSrv
Run the command `net stop w3svc` - this will stop the web service and all web sites.
To uninstall the agent and remove all configuration, run the command ` UCam_WebAuth_IIS_Utils.exe –ua`. To uninstall the agent, without removing users, groups and keys run the command ` UCam_WebAuth_IIS_Utils.exe –u`.
Run the command `net start w3svc` - this will restart the web service.
Remove the rights granted to IIS WAMREG during the installation

4Operating requirements

4.1RSA Public Keys

UCamWebauth uses RSA public key cryptography to verify that authentication responses are sent only by the trusted authentication server. The module needs access to the relevant RSA public keys. Within the University of Cambridge, the keys used by the Raven service are available from

https://raven.cam.ac.uk/project/keys/

Adding the keys to the configuration is covered in section 5.1.2. The agent uses the self-signed x509 certificate (.crt) file.

4.2Timekeeping

The protocol used to communicate between the module and the authentication server requires that both have access to accurate time values. UCamWebauth servers use NTP (Network Time Protocol) to set their clocks. Providing the server using the module has a clock synchronised by NTP or something similar then the default values for the time-related parameters in the module should be fine.

The Windows Time Service manages the time on a 2003 server. This can be configured with W32tm.exe. See the Microsoft documentation for help with this utility.

If the server clock can't be assumed to be accurate within a second or so then the Clock Skew server configuration item (see section 5.2.1) must be used to provide an estimate of the maximum possible error in the server's clock.

5Configuration

In this section, an object means either a directory or a file.

When the IIS MMC snapin is started after installation, new configuration sheets will have been added to the computer, virtual web server, virtual directory, and object property pages. The ‘UCam Web Auth’ filter will have been added to all web sites. Removing this filter will stop the agent from working.

5.1Computer settings

Two new sheets will have been added to the computer property page. Changes to the computer settings will take up to 5 minutes to be read by the agent. The agent can be made to reread the configuration by restarting the web service using the IISReset command.

5.1.1UCam Web Auth Users sheet

CamWebauth users need not be a user of the windows domain/server and hence they have to be added to the configuration before they can be granted access rights to the resources on the web servers.

Groups can be added to make the management of access rights easier. A user can be a member of zero, one or multiple groups. A user can have the same name as a group.

Typing a name into the text entry box and clicking the appropriate button creates a user or group.

Users can be deleted by selecting their name in the list box and clicking the delete user button. This will automatically clean up their group memberships.

A group can be deleted in a similar fashion.

Modifying a user will change their name without changing their group memberships. Modifying a group changes its name without changing the membership list.

Users can be made a member of a group by selecting the relevant user and group in the list boxes and then clicking the ‘Add >> ‘ button. They can be removed by selecting the group and group member and clicking the ‘Remove <<’ button.

Users and groups can be exported using the command ` UCam_WebAuth_IIS_Utils.exe –w` and imported using the command ` UCam_WebAuth_IIS_Utils.exe –r`. The IIS MMC snapin should be closed during these operations.

5.1.2UCam Web Auth Keys sheet

his property sheet allows the management of the RSA public keys used to verify responses are from the configured authentication server.

The server will automatically list all configured authentication URLs. If a server has not been configured, then the default URL (https://raven.cam.ac.uk/auth/authenticate.html) will be assumed. It also counts the number of servers using a URL and the number of keys configured for that URL.

Selecting an authentication URL in the top list view will display all the configured keys in the bottom list view. Keys can be removed by selecting them and clicking the ‘remove’ button, or by clicking the ‘remove all’ button.

To add a key, the Base64 encoded x509 certificate file will need to be copied onto the server. The full path to the file can then be entered into the ‘File name’ text entry box, or the file can be selected using the ‘browse’ button. A ‘key name’ will need to be entered and the ‘Add’ button can then be clicked.

The ‘key name’ is the value sent by the authentication server to identify the private key used to encrypt the validation token and will be specified by the authentication server administrator.

The SHA1 and MD5 hashes will be calculated for the certificate. If these do not match the expected values, the adding of the certificate can be cancelled.

The key name should match the string returned from the authentication server. For the raven implementation, this will be a number. The name should not include spaces.

For virtual servers that will not be using the default authentication URL, the virtual server will need to be configured before keys can be added.

5.2Virtual server settings

Two sheets are added to the virtual server property page. The first, ‘UCam Web Auth Config’, configures the virtual server. The second sheet is the settings sheet for the root virtual directory and is documented in section 5.3.

5.2.1UCam Web Auth Config sheet

his property sheet configures the UcamWebauth agent for the virtual server.

The check box at the top of the sheet enables or disables the agent for the virtual server.

Authentication URL	This parameter specifies the full URL of the authentication service to use. This URL is configured on a virtual server wide basis. It is not possible to configure different authentication URLs for different areas of the virtual web server. Apache equivalent: AAAuthService Default: https://raven.cam.ac.uk/auth/authenticate.html
Response timeout	Responses from the authentication service are time-stamped. This parameter sets the length of time for which these responses are considered valid Apache equivalent: AAResponseTimeout Default: 20 seconds
Clock skew	As discussed in section 4.2, the clocks on the Web Application Agent and the Web Login Server should be kept in sync with NTP. If this is not possible, this parameter can be used to specify the maximum difference between the two servers. Apache equivalent: AAClockSkew Default: 0 seconds
Session timeout	This parameter specifies the maximum period of time for which a session will be valid. This parameter can be overridden by the Web Login Service response. Once this time period has expired, the user will be redirected to the Web Login Service to reauthenticate. NOTE: this setting does not set the lifetime of the session cookie. Session cookies are always set without an expiry causing them to expire when the browser session finishes. Apache equivalent: AAMaxSessionLife Default: 2 hours
Inactive timeout	This parameter specifies the length of time after which an inactive session can be assumed to have expired. Setting this parameter to 0 disables the feature. Inactivity tracking is rather approximate thanks to various forms of caching. In particular, revisiting a page that hasn't change since you last visited it may not count as activity - setting Cache Control (see section 5.3.1) to 'paranoid' may help with this, at the expense of increased network traffic and delays. Apache equivalent: AAInactiveTimeout Default: 0 seconds
Logout page	This parameter allows the specification of a logout page. If the end user accesses the logout page on the virtual server, then their session will be terminated. Apache equivalent: ‘SetHandler AALogout’ for a location Default: /logout.html
Logout message	The message to display when the end user accesses the Logout page Apache equivalent: AALogoutMsg (this is not an exact equivalence as the IIS configuration does not allow for specifying a URL) Default: Logout Logout You have logged out of this site. If you have finished browsing, then you should completely exit your web browser. This is the best way to prevent others from accessing your personal information and visiting web sites using your identity. If for any reason you can't exit your browser you should first log-out of all other personalized sites that you have accessed and then logout from the central authentication service. Error - authentication cancelled Authentication has been cancelled at your request. Unfortunately this means you will not be able to access the resource that you requested. If you cancelled authentication because you do not have a suitable username and password then you should contact the authentication system administrator to see if you can be registered. If you cancelled because of privacy concerns then you should contact the administrator of this server to see if there are other ways for you to access this resource. Error - missing cookie The web resource you are trying to access is protected by a system that uses a browser cookie to track your authentication state. Your browser does not seem to be returning an appropriate cookie, probably because it has been configured to reject some or all cookies. To access this resource you must at least accept cookies from this server. This can also happen if you follow a bookmark pointing to a login page. This won't work - to create a shortcut to a protected resource you should bookmark the page you arrive at immediately after authenticating. This cookie will be deleted when you quit your web browser. It contains your identity and other information used to manage authentication. Logout You have logged out of this site. If you have finished browsing, then you should completely exit your web browser. This is the best way to prevent others from accessing your personal information and visiting web sites using your identity. If for any reason you can't exit your browser you should first log-out of all other personalized sites that you have accessed and then logout from the central authentication service.