CoSign: Collaborative Single Sign-On  
cosign-discuss at umich.edu
general discussion of cosign development and deployment

RE: IISCosign - one physical server more than 1 cosign-service possible?

If you are using the XML tag <Service website="host.institution.edu"> you should
also use the "Advanced Website Identification" settings in IIS Manager
(right-click on the web site, select Properties, then the Web Site tab, then
click on the Advanced... button) to locally 'bind' your hostname to your IP
address. IIS does NOT do this automatically and, as Paul described, leads to a
major security hole.

If you are using <Service IISDescription="Web site name here"> then the above
does not apply.

--Jarod

Quoting Konstantin Voyk <kvoyk@xxxxxxxxx>:

Paul,
Does adding a host name to the web site in the IIS management console cover this
security hole?
Konstantin.

-----Original Message-----
From: Townsend, Paul [mailto:townsend@xxxxxxxxxxxxx]
Sent: Friday, August 12, 2005 2:04 PM
To: Konstantin Voyk; Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service
possible?

Do NOT use the website="ws1.umich.edu" syntax.

Use the IISDescription="ws1" syntax instead. i.e.
<Service IISDescription="ws1">

Reason? Anybody can put your server's ip address into their hosts file
and hit your site using a different dns. If you use the website=""
syntax, the cosign filter won't recognize that user-created dns, the
request sails right through, and the user is in. BIG BIG security hole.

IIRC, the website="" syntax was supposed to be deprecated.  If you're
still using it, you should change it immediately.  Your site is
completely open to anybody who knows how to use a hosts file, or who
hits your server using the ip address.

The rest of what you say is correct.  Make sure you're using a recent
version of IIS cosign, since early versions didn't play nice with W2k3 &
multiple sites.  Long since fixed.

-Paul Townsend
Systems Analyst
Ross School of Business

________________________________

From: Konstantin Voyk [mailto:kvoyk@xxxxxxxxx]
Sent: Friday, August 12, 2005 1:45 PM
To: Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service
possible?


Elias,

1. Apply cosign filter at 'Web Sites' level (where your multiple
websites are listed)

2. Modify your config file to protect multiple web sites

   <Service website="ws1.umich.edu">cosign-SERVICE1
     <Protected>/</Protected>
   </Service>

   <Service website="ws2.umich.edu">cosign-SERVICE2
     <Protected>/application1/page1.aspx</Protected>
     <Protected>/application2/page2.aspx</Protected>
   </Service>

Konstantin.

________________________________

From: Elias Asfaw-Kirby [mailto:eliasak@xxxxxxxxx]
Sent: Friday, August 12, 2005 1:28 PM
To: cosign-discuss@xxxxxxxxx
Subject: IISCosign - one physical server more than 1 cosign-service
possible?

Is it possible to have more than one cosign service running off one physical server using IIS Cosign? (OS: Windows Server 2003)

Ex.
Currently hosting website ws1.umich.edu on iisserver.umich.edu and
cosign works great.
Is it possible to host ws2.umich.edu on iisserver.umich.edu and use
cosign there also?

Thanks Team,
--
Elias Asfaw-Kirby | 734-615-6490
Web Developer     | eliasak@xxxxxxxxx


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010