CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 


RE: IISCosign - one physical server more than 1 cosign-service possible?



Jarod,
The cosign service works fine when cosign protects pages accessed with a DNS name.
In our configuration cosign is called by the protected application with the DNS
name only (the protected application uses a preset reference to the cosign
protected site). If the cosign protected site is ever somehow called with an IP
address, then our authentication application just breaks, because it relies on a
server variable created by cosign. I think that this security flaw does not
affect us, but I will set the cosign configuration file with the IIS
description in order to avoid any hidden problems.
I think it would be helpful if this and other discussions about cosign
settings could be summarized and added to the readme file. I forget about some
tricks after several months :-).
Thank you,
Konstantin.

-----Original Message-----
From: jarod@xxxxxxxxx [mailto:jarod@xxxxxxxxx] 
Sent: Friday, August 12, 2005 4:16 PM
To: Konstantin Voyk
Cc: cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service possible?


Sorry, yes, I'm referring to the "Host Header Value."  You do not need to assign
a specific IP address.  You can also select the "all unassigned" option.

What's not working?  I thought we had it working just fine?

--Jarod

Quoting Konstantin Voyk <kvoyk@xxxxxxxxx>:

> Jarod,
> I want you to clarify some definitions. When you say host name, does it mean the
> same as "Host Header value" in IIS manager? And does binding mean assigning
> this host name to a specific IP?
> With the configuration I described above, the cosign filter does not work.
> Konstantin.
>
>
> -----Original Message-----
> From: jarod@xxxxxxxxx [mailto:jarod@xxxxxxxxx]
> Sent: Friday, August 12, 2005 3:19 PM
> To: cosign-discuss@xxxxxxxxx
> Cc: Konstantin Voyk; 'Townsend, Paul'; 'Asfaw-Kirby, Elias';
> cosign@xxxxxxxxx; 'Lyle Whitney'
> Subject: RE: IISCosign - one physical server more than 1 cosign-service
> possible?
>
>
> If you are using the XML tag <Service website="host.institution.edu"> you should
> also use the "Advanced Website Identification" settings in IIS Manager
> (right-click on the web site, select Properties, then the Web Site tab, then
> click on the Advanced... button) to locally 'bind' your hostname to your IP
> address.  IIS does NOT do this automatically and, as Paul described, leads to a
> major security hole.
>
> If you are using <Service IISDescription="Web site name here"> then the above
> does not apply.
>
> --Jarod
>
> Quoting Konstantin Voyk <kvoyk@xxxxxxxxx>:
>
>> Paul,
>> Does adding a host name to the web site in the IIS management console cover
>> this security hole?
>> Konstantin.
>>
>> -----Original Message-----
>> From: Townsend, Paul [mailto:townsend@xxxxxxxxxxxxx]
>> Sent: Friday, August 12, 2005 2:04 PM
>> To: Konstantin Voyk; Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
>> Subject: RE: IISCosign - one physical server more than 1 cosign-service
>> possible?
>>
>>
>> Do NOT use the website="ws1.umich.edu" syntax.
>>
>> Use the IISDescription="ws1" syntax instead. i.e.
>> <Service IISDescription="ws1">
>>
>> Reason? Anybody can put your server's ip address into their hosts file
>> and hit your site using a different dns.  If you use the website=""
>> syntax, the cosign filter won't recognize that  user-created dns, the
>> request sails right through, and the user is in.  BIG BIG security hole.
>>
>> IIRC, the website="" syntax was supposed to be deprecated.  If you're
>> still using it, you should change it immediately.  Your site is
>> completely open to anybody who knows how to use a hosts file, or who
>> hits your server using the ip address.
>>
>> The rest of what you say is correct.  Make sure you're using a recent
>> version of IIS cosign, since early versions didn't play nice with W2k3 &
>> multiple sites.  Long since fixed.
>>
>> -Paul Townsend
>> Systems Analyst
>> Ross School of Business
>>
>> ________________________________
>>
>> From: Konstantin Voyk [mailto:kvoyk@xxxxxxxxx]
>> Sent: Friday, August 12, 2005 1:45 PM
>> To: Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
>> Subject: RE: IISCosign - one physical server more than 1 cosign-service
>> possible?
>>
>>
>>
>> Elias,
>>
>> 1. Apply cosign filter at 'Web Sites' level (where your multiple
>> websites are listed)
>>
>> 2. Modify your config file to protect multiple web sites
>>
>>      <Service website="ws1.umich.edu">cosign-SERVICE1
>>            <Protected>/</Protected>
>>      </Service>
>>      <Service website="ws2.umich.edu">cosign-SERVICE2
>>            <Protected>/application1/page1.aspx</Protected>
>>            <Protected>/application2/page2.aspx</Protected>
>>      </Service>
>>
>> Konstantin.
>>
>>
>>
>>
>>
>> ________________________________
>>
>> From: Elias Asfaw-Kirby [mailto:eliasak@xxxxxxxxx]
>> Sent: Friday, August 12, 2005 1:28 PM
>> To: cosign-discuss@xxxxxxxxx
>> Subject: IISCosign - one physical server more than 1 cosign-service
>> possible?
>>
>>
>>
>>
>> Is it possible to have more than one cosign service running off one
>> physical server using IIS Cosign?
>> (OS - Windows Server 2003)
>>
>> Ex.
>> Currently hosting website ws1.umich.edu on iisserver.umich.edu and
>> cosign works great.
>> Is it possible to host ws2.umich.edu on iisserver.umich.edu and use
>> cosign there also?
>>
>> Thanks Team,
>> --
>> Elias Asfaw-Kirby | 734-615-6490
>> Web Developer     | eliasak@xxxxxxxxx
>>
>
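The following is an added example, not part of the thread and not IIS cosign's own code: a small Python model of the service lookup Paul describes, plus an audit that flags `<Service website="...">` entries in a config. The `<Cosign>` root element, the site description `ws2`, the function names and the prefix matching of `<Protected>` paths are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed config in the shape quoted in the thread; the <Cosign> root
# element is a placeholder so the fragment parses.
CONFIG = """
<Cosign>
  <Service website="ws1.umich.edu">cosign-SERVICE1
    <Protected>/</Protected>
  </Service>
  <Service IISDescription="ws2">cosign-SERVICE2
    <Protected>/application1/page1.aspx</Protected>
  </Service>
</Cosign>
"""

def load_services(xml_text):
    """Return one dict per <Service>: how it is keyed and what it protects."""
    services = []
    for svc in ET.fromstring(xml_text).iter("Service"):
        key = "website" if "website" in svc.attrib else "IISDescription"
        services.append({
            "key": key,
            "value": svc.attrib[key].strip().lower(),
            "name": (svc.text or "").strip(),
            "paths": [p.text.strip() for p in svc.iter("Protected")],
        })
    return services

def requires_login(services, site_description, host_header, path):
    """Model of the lookup described in the thread (prefix match is assumed)."""
    for svc in services:
        if svc["key"] == "website":
            # Keyed on the Host header, which the client chooses.
            matched = host_header.strip().lower() == svc["value"]
        else:
            # Keyed on the IIS site that received the request.
            matched = site_description.strip().lower() == svc["value"]
        if matched and any(path.startswith(p) for p in svc["paths"]):
            return True
    return False  # no service matched: the request is served without cosign

def audit(services):
    """Names of services keyed on the client-supplied Host header."""
    return [s["name"] for s in services if s["key"] == "website"]
```

Any name returned by `audit` marks a service that should be rekeyed to `IISDescription`, or whose IIS site needs the host header binding Jarod describes.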






 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010