Overview
This filter works with IIS 5 and 6 running under either Win2000 or Win2003. Examples of URLs protected by this filter:
- Protected: http://SERVER/path/secure_directory_name/file.html
- Not Protected: http://SERVER/path/file.html
Configuration
- Download (and configure, if necessary) the correct filter zip file, which contains example configuration files. Make sure to read ISAPI dll configuration options, but don't forget to come back to this page and finish the filter installation!
Note: If you are not using the configuration files, please make sure they are kept securely or removed from your system. They contain sensitive information regarding university security policies.
Place the downloaded dll file in a secure directory on your machine, such as C:\WINDOWS\system32\inetsrv\.
We suggest this directory because it is the inet service that loads the dll, and any security permissions implemented on the Web server will be inherited here. Even though the dll is compiled and cannot be edited, it could be replaced with a different file of the same name, so you don't want unauthorized users having any write access in that directory.
- Install and Configure AFS on your Windows server.
OpenAFS is now the recommended AFS client for IIS Distauth installations. You can get the OpenAFS client from the OpenAFS website.
- General instructions for installing an AFS client are located on the dafis site.
- Make a mount for the top level AFS directory as T:, which mounts the directory /afs. Under Windows 2000, this needs to be a global directory. To make it a global directory, go to the advanced tab and click the "global drives" button.
Global drive mounts are not visible under the "my computer" icon. If for some reason you would like to see the contents of the drive, you will need to also create a user-level drive mapping under the drive letters tab in the afs client configuration dialog box.
- Make sure you submit the IP address of your server to afs-setup@ucdavis.edu as described in the Acquiring and Using AFS Web page. This Distributed Authentication Filter will return a Web page with an error on it until you mail us your server's IP address.
- Next, configure IIS to use the Distributed Authentication Filter you downloaded in step 1 above:
  a. The Web Server and IIS Admin service must be stopped. Check the services dialog box and stop these services if they are running.
  b. Start the IIS Administrator Console.
  c. Click on your Web server instance in your Console. The default title of your Web server instance is "Default Web Site", unless you changed it. It may be hidden under "Console Root/Internet Information Server/NAME", where "NAME" is the name of your computer.
  d. Hold the right mouse button down on top of the line for your Web server instance and select "Properties" from the pop up menu.
  e. Select the Edit button for the correct Web server instance.
  f. When the new window appears, click on the "ISAPI Filters" tab.
  g. Another new window will appear. Click on the "Add..." button on it.
  h. Enter "ucd-access" as the "Filter Name".
  i. Enter the path to the dll file that you saved in Step 1 above (Example: C:\WINDOWS\system32\inetsrv\distauthV7.dll).
  j. Click the "Ok" button on the "Filter Properties" dialog box.
  k. Click the "Ok" button on the "Web Site Properties" dialog box.
  l. Restart the Web Services and IIS Admin services.
- That's it! Test your new protection scheme by using a Web browser to try to access a URL on your Web server with "ucd-access" as one of the path components in the URL path. It should redirect you to the campus Web server if you do not yet have a Distributed Authentication cookie set in the browser. You can also verify that the dll was loaded correctly by following steps a-f above and checking the status of the recently entered filter. It should have a green arrow to the left pointing up. If not, something prevented the filter from loading. Check the configuration file and all relevant files listed therein, as well as the location of the dll.
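
The step that places the dll warns that anyone with write access to its directory could swap in a different file of the same name. The script below is an added example, not part of the original instructions or the filter distribution, that lists ACL entries granting such access on the dll and its parent directory. It assumes PowerShell is installed on the server; the trusted-account list and the function name Get-RiskyWriteAce are illustrative.

```powershell
# Added example: list ACL entries that let an unexpected account replace the
# filter DLL. Assumes PowerShell is available on the IIS server.
$FilterDll = 'C:\WINDOWS\system32\inetsrv\distauthV7.dll'   # example path from this page

# Accounts allowed to hold write access (assumption: adjust to local policy).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that allow replacing, deleting, or re-permissioning a file or folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-RiskyWriteAce {
    param([string]$Path, [string[]]$TrustedAccounts)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Deny entries do not grant anything.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object itself.
        if (([int]$ace.PropagationFlags -band [int]$InheritOnly) -ne 0) { continue }
        # Keep only entries that include at least one write-type right.
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # Skip the accounts that are expected to have write access.
        if ($TrustedAccounts -contains $ace.IdentityReference.Value) { continue }
        $ace | Select-Object @{Name='Path'; Expression={$Path}}, IdentityReference, FileSystemRights, IsInherited
    }
}

# Check both the DLL and the directory it lives in; skip paths that do not exist.
$targets = @($FilterDll, (Split-Path -Parent $FilterDll))
$findings = @($targets | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-RiskyWriteAce -Path $_ -TrustedAccounts $Trusted })

if ($findings.Count -eq 0) {
    'No unexpected write access found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any row in the output names an account outside the trusted list that can modify or replace the file or directory shown in the Path column.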
