Distauth: Configuring ISAPI dll (Windows 2000/2003 and IIS 5.0/6.0)

Configuring the ISAPI dll filter for Distributed Authentication

If you would like to use the configurable options available in this filter, read the instructions on this page. If both of the following apply:

  • you would like every user to authenticate, regardless of their IP Address
  • you do not want to restrict access to a group of users


then you may simply install the filter and delete the additional files bundled in this package. If you take this route, please make sure the extra files really are deleted from your system: they are plaintext files and contain sensitive information concerning university security policies.

Without a configuration file, the following fields take these defaults:

  • The default secure directory name -> ucd-access
  • The default authorization location -> http://www.ucdavis.edu/cgi-bin/sendback-with-docs
  • The default AFS authorization directory -> T:/ucdavis.edu/common/authinfo
  • The default domain name -> ucdavis.edu
  • The default logout interval -> 43200 (12 hours)

If you are still having problems, please see the troubleshooting area below.


Instructions

If you are using the configuration file, the following values may be set:

  • IP_ADDRESS_DB: If set, points to a file with IP addresses to allow
  • USER_LIST: If set, points to an authorization file with a list of authorized users
  • DOCS_DIR: protected directory location
  • AUTH_SENDBACK: the URL to point at when a cookie doesn't exist or is invalid
  • AUTH_DIR: location of the security file in AFS space
  • DOM_NAME: default domain name to append on the end of Web pages
  • LOGOUT_INTERVAL: the number of seconds in which to consider a login credential valid (only valid when using form-based authentication)

  1. Due to the history of security problems with IIS, we only offer this ISAPI filter with the highest level of security available, which requires the installation of AFS. In addition, send a message to afs-setup@ucdavis.edu requesting that your Web server be given read access to the AFS authentication directory. Include the IP address of your Web server in your message.
  2. Download Distauth.IIS.6.zip to a temporary directory and unpack the contents. The zip file contains a dll and its configuration file, ucddistauth.txt.
  3. Customize the distauthV6.txt file for your site by changing the following variables, then move this copy to the following directory: C:\WINDOWS\system32\inetsrv\

    Note that in most cases only a few changes need to be made.
    1. IP_ADDRESS_DB: File containing IP addresses to allow, if ALLOW_BY_IP=1;

      Default value: this line is commented out (a # sign at the beginning of a line marks a comment). You can uncomment it (remove the # sign) and change it to a different filename or location, although it is suggested that configuration files such as these be placed in the inetsrv directory, so that they inherit any security policies applied to the inet service. #IP_ADDRESS_DB=c:\winnt\system32\inetsrv\ipaddressdb.txt
    2. USER_LIST: only allow access to a specific set of users who are listed in a file identified by this variable.

      The content of a file in USER_LIST is UCDLoginIDs, one per line. One can either construct this file, which should be placed in a secure directory on the Web server, or use a classlist file. In any case, if the user name submitted is not allowed according to your list, the filter redirects the user to a default no-access page, located at: C:\InetPub\wwwroot\NoUserAccess.htm

      If this page is inconvenient for your configuration, please contact distauth@ucdavis.edu.

      A classlist file contains the UCDLoginIDs of the students assigned to a particular class. The files are updated nightly and stored at: /afs/ucdavis.edu/common/authclass/Banner_quarter_or_semester_code

      The classlist file names are in the format: three_letter_dept_course_#.section#

      You must apply to be a member of a highly restricted group in order to read these classlists. In addition, the Web server that is used must be a secure system with only sys admin access.

      This example uses a local file: USER_LIST=c:\winnt\system32\inetsrv\userdb.txt

      Default value (No authorization file): #USER_LIST=c:\winnt\system32\inetsrv\userdb.txt

      This example uses the class list in AFS space, where T: is the global drive assigned to AFS: USER_LIST=T:/ucdavis.edu/common/authclass/199810/eec05.1

      For current faculty, staff and students: user-list=T:\\ucdavis.edu\\common\\authinfo\\SFSX
    3. DOCS_DIR: protected directory location.

      This variable is essential for the filter to do any authentication at all. For every URL requested from the server, the filter checks for this directory name in the requested path and runs the authentication process only if the path contains it.

      Default (the DOCS_DIR variable is not specified): #DOCS_DIR=ucd-access
    4. AUTH_DIR: Specify the AFS directory that your server will be reading.

      Use the setting corresponding to the drive where AFS is mounted. Example: AUTH_DIR=T:/ucdavis.edu/common/authinfo
    5. AUTH_SENDBACK: If no cookie is set in the user's browser, the local Web server will redirect it to the Web page identified by AUTH_SENDBACK. We recommend using the following option. It provides a form-based web page for username and password entry, which does not cache the user's authentication credentials.

      AUTH_SENDBACK=https://secureweb.ucdavis.edu:443/form-auth/sendback

      The following option provides a documentation page before prompting for the UCDLoginID and Kerberos Password via a native dialog box:
      AUTH_SENDBACK=https://securedocs.ucdavis.edu/cgi-auth/sendback

      The following option does not provide a document page before prompting for the UCDLoginID and Kerberos Password via a native dialog box:
      AUTH_SENDBACK=https://securedocs.ucdavis.edu/cgi-auth/sendback
    6. DOM_NAME: This is the default domain name that is appended to URLs that do not include a fully qualified machine name. It is "ucdavis.edu" by default.
    7. LOGOUT_INTERVAL: This setting will allow you to set an interval of time at which an authenticated user will be redirected back to the distauth website for authentication. This is only valid when using the default form-based AUTH_SENDBACK url. The default is twelve hours, which should be sufficient for most applications. If a shorter re-authentication interval is desired, set this value to the number of seconds an authentication should be valid.

      You can convert hours to seconds with this simple formula: seconds = 60*60*hours.

    Examples

    This is the default file, included in the zip archive. Notice there can be any number of comment lines or white space.

    # this is a comment
    
    #this is the file for the IP Address Database
    #put the networks in here that SHOULD be allowed
    #IP_ADDRESS_DB=c:\windows\ipaddressdb.txt
    
    #this is the file to restrict ALL secure directories to
    #certain users - kerberos user names, not windows user names
    #USER_LIST=c:\windows\userdb.txt
    
    #this directory, in any web page path, will designate it as secure
    #To secure an entire site use
    #DOCS_DIR=/
    #To secure a directory use
    DOCS_DIR=ucd-access
    
    #web page to send for authentication
    #Basic Auth page, with documentation 
    #AUTH_SENDBACK=http://www.ucdavis.edu/cgi-bin/sendback-with-docs
    #Basic Auth page, without documentation
    #AUTH_SENDBACK=https://secureWeb.ucdavis.edu/cgi-auth/sendback
    #Form-Based Authentication page
    AUTH_SENDBACK=https://secureweb.ucdavis.edu:443/form-auth/sendback
    
    #local directory for AFS verification
    AUTH_DIR=t:\ucdavis.edu\common\authinfo
    
    #Domain name to append 
    DOM_NAME=.ucdavis.edu
    
    #web page location for denied access
    ACCESS_DENIED=http://www.ucdavis.edu/authentication/denied.html
    
    #Automatic authentication logout interval (in seconds) 
    #Only applicable for form-based authentication
    #Default Value (12 hours)
    #LOGOUT_INTERVAL=43200
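As an added example that is not part of the Distauth package, the checker below parses a configuration file in the format shown above and applies the documented meaning of DOCS_DIR, USER_LIST, AUTH_SENDBACK and LOGOUT_INTERVAL, so a site can review its settings before enabling the filter. The case-insensitive key matching and the whole-segment test for DOCS_DIR are assumptions, noted in the comments.

```python
# Added example, not part of the Distauth package: a checker for the key=value
# configuration format described above ('#' starts a comment, blank lines are
# ignored) that applies the documented semantics of DOCS_DIR, USER_LIST,
# AUTH_SENDBACK and LOGOUT_INTERVAL to a parsed file.

# Constructed sample mirroring the default file shipped in the zip archive.
SAMPLE_CONFIG = "# this is a comment\nDOCS_DIR=ucd-access\n" \
    "AUTH_SENDBACK=https://secureweb.ucdavis.edu:443/form-auth/sendback\n"

def parse_distauth_config(text: str) -> dict[str, str]:
    """Return KEY -> value for uncommented lines; a later line overrides an earlier one."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: keys match case-insensitively and '-' equals '_', so the
        # page's 'user-list=' example lands on USER_LIST.
        cfg[key.strip().upper().replace("-", "_")] = value.strip()
    return cfg

def is_protected(url_path: str, docs_dir: str) -> bool:
    """DOCS_DIR=/ secures the whole site; otherwise DOCS_DIR must be a whole
    path segment (a segment test, rather than the plain substring test the page
    describes, so that /ucd-access-public/ is not secured by accident)."""
    if docs_dir == "/":
        return True
    return docs_dir.strip("/") in url_path.split("?", 1)[0].split("/")

def user_allowed(login_id: str, user_list_text: str) -> bool:
    """USER_LIST files hold one UCDLoginID per line; blank lines are ignored."""
    return login_id in {ln.strip() for ln in user_list_text.splitlines() if ln.strip()}

def check_config(cfg: dict[str, str]) -> list[str]:
    """Findings a reviewer would raise before enabling the filter."""
    findings = []
    if "DOCS_DIR" not in cfg:
        findings.append("DOCS_DIR unset: the filter will authenticate nothing")
    sendback = cfg.get("AUTH_SENDBACK", "")
    if not sendback.lower().startswith("https://"):
        findings.append("AUTH_SENDBACK is not https: the login prompt travels in cleartext")
    interval = cfg.get("LOGOUT_INTERVAL")
    if interval is not None and (not interval.isdigit() or int(interval) <= 0):
        findings.append("LOGOUT_INTERVAL must be a positive number of seconds")
    elif interval is not None and "form-auth" not in sendback:
        findings.append("LOGOUT_INTERVAL only applies to the form-based AUTH_SENDBACK")
    return findings
```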