Check out www.weblogin.org for more information on CoSign, read on for URL Authorization.
Overview
URL Authorization is functionality included with IIS6 on Win2003. URL Authorization is implemented on a website in the form of an ISAPI interceptor, urlauth.dll, and works in conjunction with Windows 2003 Authorization Manager to provide URL-based authorization. Authorization Manager can implement what it calls Authorization Scripts - VBScript or JScript scripts that return either a true or a false value for authorization. I've created a custom VBScript that will query the CoSign-delivered username variable, match it against a database, and either allow or deny access based on the results (more on that in a minute).
MS documentation on URL Authorization is scarce at best. This was a really good find, and explains most of the basic concepts of Authorization Manager, as well as its implementation in URL Authorization:
Also of note, a general introduction to URL Authorization, although it doesn't provide much technical depth...
Configuring URL Authorization for use with CoSign authentication
Overall configuration:
1. Enable ISAPI Interceptor (URL Auth) (from bottom of second document listed above.)
a. In IIS Manager, expand the local computer, expand the Web Sites folder, right-click the Web site that you want, and then click Properties.
b. Click the Home Directory tab, and then in the Application settings section, click Configuration.
c. Click the Mappings tab, and then in the Wildcard application maps section, click Insert.
d. In the Add/Edit Application Extension Mapping box, click Browse and browse to the Windows\system32\inetsrv directory.
e. Click urlauth.dll, click Open, and then click OK.
2. Install the AzPolicy.xml file (this file defines the URL Auth filter behavior):
a. Click here to download the AzPolicy.xml file.
b. Place the AzPolicy.xml file at c:\Program Files\CoSign
3. Configure the AzPolicy.xml file for your web server:
a. Start - Run - azman.msc
b. Right-click "Authorization Manager" in the left pane and "Open Authorization Store..."
c. Open XML File c:\Program Files\CoSign\AzPolicy.xml installed above.
d. AzPolicy.xml - IIS 6.0 URL Authorization - CoSign - Role Assignments - Viewer
e. In the right pane, remove the unrecognized account and add your IIS Anonymous user and any other Windows user or group that should be subject to the URL Authorization rules based on CoSign logon.
f. In the "ViewAlways" Role Assignment, add any users or groups who should always be allowed to view URL Auth-protected content. In a similar fashion, use the "ViewNever" Role Assignment for those who should always be denied access (the default is deny, but this makes it explicit).
4. Install the database and web-based interface for defining authorized users
a. URL Auth Interface 0.2.2 - install these files in a directory on the website.
b. URLAuthorization database - install in a location where the anon IIS user can have read/write permissions
c. URLAuth-top.inc is where environment-specific constants (file locations, etc.) are defined, and will need to be edited for your environment.
d. The Authorization Script will need to be updated via azman.msc to reflect the database path (azman.msc - IIS 6.0... - CoSign - Role Assignments - Viewer - right-click - Properties - show definition - Definition - Authorization Script...). Set DBQ to the database file used (it may be necessary to first copy-and-paste the script to a file, edit the file, and re-import the file).
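The Authorization Script described in the overview and referenced in step 4d above is not included on this page. The following is an added example of what such an Authorization Manager script (a BizRule) can look like; it is not the author's script. It assumes that the URL Authorization interceptor passes server variables to the script as BizRule parameters (so the CoSign-populated REMOTE_USER and the requested URL are available via GetParameter), that the Access database is at the DBQ path shown, and that it contains a table named AuthorizedUsers with Directory and Username columns; the table and column names are hypothetical.

```vbscript
Option Explicit
On Error Resume Next

' ADO constants (not available by name inside a BizRule, so declared here).
Const adVarChar = 200
Const adParamInput = 1

Dim strDbq, strUser, strDir, arrParts, objConn, objCmd, objRs

' Deny unless the database lookup below proves otherwise.
AzBizRuleContext.BusinessRuleResult = False

' Step 4d: DBQ is the path of the Access database; edit for your server (assumed path).
strDbq = "c:\Program Files\CoSign\URLAuthorization.mdb"

' Assumption: server variables arrive as BizRule parameters. REMOTE_USER is set by CoSign.
strUser = AzBizRuleContext.GetParameter("REMOTE_USER")
strDir  = AzBizRuleContext.GetParameter("URL")      ' e.g. /mydir1/page.html

' Reduce /mydir1/page.html to /mydir1, the form used in <Protected> and the metabase.
arrParts = Split(strDir, "/")
If UBound(arrParts) >= 1 Then strDir = "/" & arrParts(1)

If Len(strUser) = 0 Then
    ' No CoSign logon on this request: leave the result at False and say why.
    AzBizRuleContext.BusinessRuleString = "No CoSign user in request"
Else
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & strDbq

    ' The username comes straight from the request, so it is passed as a bound
    ' parameter rather than spliced into the SQL text.
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "SELECT COUNT(*) FROM AuthorizedUsers WHERE Username = ? AND Directory = ?"
    objCmd.Parameters.Append objCmd.CreateParameter("user", adVarChar, adParamInput, 255, strUser)
    objCmd.Parameters.Append objCmd.CreateParameter("dir", adVarChar, adParamInput, 255, strDir)
    Set objRs = objCmd.Execute

    If Err.Number <> 0 Then
        ' A broken DSN or missing table must fail closed, not fail open.
        AzBizRuleContext.BusinessRuleString = "DB error " & Err.Number & ": " & Err.Description
        Err.Clear
    ElseIf Not objRs.EOF Then
        If objRs.Fields(0).Value > 0 Then AzBizRuleContext.BusinessRuleResult = True
    End If

    objConn.Close
End If
```

The script sets BusinessRuleResult to False first and only flips it to True on a positive match, so a connection failure, a missing table, or a request with no CoSign user all end in a denial; BusinessRuleString carries the reason for troubleshooting. The DBQ value is the single environment-specific constant, which is why step 4d has you edit it after importing the script.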
Configuration for each directory protected
1. Define the directory in CoSign as protected via a Protected tag in the Service section of the cosign.dll.config file, e.g.:
<Service website="my.website.umich.edu">cosign-mySite
<Protected>/mydir1</Protected>
<Protected>/mydir2</Protected>
</Service>
2. Add an entry for the directory in the IIS Metabase:
- The Metabase is stored by default at c:\windows\system32\inetsrv\metabase.xml
- If not already done, enable direct editing of the metabase:
- From IIS Manager, right-click the (local computer) and select "Properties"
- Check "Enable Direct Metabase Edit"
- Either find the IIsWebDirectory tag for the directory of interest or, if the tag does not exist, create it as below.
<IIsWebDirectory Location ="/LM/W3SVC/1/ROOT/mydir1"
AccessFlags="AccessRead | AccessScript"
DirBrowseFlags="EnableDefaultDoc"
>
</IIsWebDirectory>
3. Configure the directory to use URL Authorization by adding the following attributes to the IIsWebDirectory tag:
  AzEnable="TRUE"
  AzImpersonationLevel="1"
  AzScopeName="CoSign"
  AzStoreName="msxml://c:\Program Files\CoSign\AzPolicy.xml"
4. Use the web-based interface to define the protected directory, define users, define groups, and assign access.
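Steps 2 and 3 above edit metabase.xml by hand. As an added example (not part of the original page), the same IIsWebDirectory entry and the four Az* attributes can be written through the IIS ADSI provider from a VBScript run with cscript on the web server, which avoids enabling direct metabase edit and leaves a read-back you can check. It assumes the site is instance 1 of W3SVC and the directory is /mydir1, as in the page's example, and that the ADSI provider exposes the AzEnable, AzImpersonationLevel, AzScopeName and AzStoreName metabase properties on the directory object.

```vbscript
Option Explicit

' Site and directory taken from the page's metabase example; adjust for your server.
Const strSitePath = "IIS://localhost/W3SVC/1/ROOT"
Const strDirName  = "mydir1"

Dim objRoot, objDir

Set objRoot = GetObject(strSitePath)

' Step 2: reuse the IIsWebDirectory if it already exists, otherwise create it
' with the same AccessFlags / DirBrowseFlags values the page shows.
On Error Resume Next
Set objDir = GetObject(strSitePath & "/" & strDirName)
If Err.Number <> 0 Then
    Err.Clear
    Set objDir = objRoot.Create("IIsWebDirectory", strDirName)
    objDir.AccessRead = True
    objDir.AccessScript = True
    objDir.EnableDefaultDoc = True
End If
On Error GoTo 0

' Step 3: the four URL Authorization attributes from the page.
objDir.AzEnable = True
objDir.AzImpersonationLevel = 1
objDir.AzScopeName = "CoSign"
objDir.AzStoreName = "msxml://c:\Program Files\CoSign\AzPolicy.xml"
objDir.SetInfo

' Read the values back from the metabase so the change can be verified.
WScript.Echo "Path:       " & objDir.ADsPath
WScript.Echo "AzEnable:   " & objDir.AzEnable
WScript.Echo "AzScope:    " & objDir.AzScopeName
WScript.Echo "AzStore:    " & objDir.AzStoreName
```

Run it as cscript enableurlauth.vbs from an administrator command prompt on the server (the file name is arbitrary). The AzScopeName must match the scope name inside AzPolicy.xml ("CoSign" in the store distributed with this page), and AzStoreName must point at the copy installed in step 2 of the overall configuration; a mismatch in either is one cause of the hanging-request symptom listed in the notes.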
Notes:
- The DB table AccessErrors logs access errors processed by the Authorization VB Script. This is good for troubleshooting, but disable it prior to larger usage.
- The Access DB works well for small volume, but something more robust/secure is recommended for larger volumes.
- For troubleshooting purposes, move the IIS user to the ViewAlways or ViewNever Role Assignment - these bypass the database lookup and simply either always allow or always deny access. This is useful to localize potential issues to either the URL Authorization ISAPI install or the Auth database configuration.
- If only anonymous user has access to a directory (as defined in IIS Metabase/IIS Manager) a "You are not authorized..." web page will be displayed on unauthorized access. If other forms of authentication are defined (Integrated Windows, Basic, .NET Passport, etc) the appropriate logon box will be presented if URL Authorization denies access.
- If other forms of authentication will be used, those user principals will need to be defined as appropriate in Authorization Manager for the directory in question, without the Authorization Script (since that only works for CoSign-based logons).
- If the AzMan Policy store (xml) is not set up correctly, web requests can just hang on load - the response in the browser is a page that just seems to keep loading, and loading...
Comments, questions, or suggestions for future updates, e-mail me - dsweetma at umich dot edu. Hope you find this useful.
Last updated December 10, 2003