Paul,
Does adding a host name to the web site in the IIS management console cover
this security hole?
Konstantin.
-----Original Message-----
From: Townsend, Paul [mailto:townsend@xxxxxxxxxxxxx]
Sent: Friday, August 12, 2005 2:04 PM
To: Konstantin Voyk; Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service possible?
Do NOT use the website="ws1.umich.edu" syntax.
Use the IISDescription="ws1" syntax instead. i.e.
<Service IISDescription="ws1">
Reason? Anybody can put your server's ip address into their hosts file
and hit your site using a different dns. If you use the website=""
syntax, the cosign filter won't recognize that user-created dns, the
request sails right through, and the user is in. BIG BIG security hole.
IIRC, the website="" syntax was supposed to be deprecated. If you're
still using it, you should change it immediately. Your site is
completely open to anybody who knows how to use a hosts file, or who
hits your server using the ip address.
The rest of what you say is correct. Make sure you're using a recent
version of IIS cosign, since early versions didn't play nice with W2k3 &
multiple sites. Long since fixed.
-Paul Townsend
Systems Analyst
Ross School of Business
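As an added illustration of the point above (a simplified model written for this thread, not IISCosign's own code): a protection map keyed on the client-supplied Host header fails open for any name the client invents, whereas one keyed on the server-side IIS site description does not. It assumes the site is bound to the IP/port without a host-header binding, so IIS routes all three constructed requests to the same site; the service and site names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    host_header: str    # whatever the client sent; attacker-controlled
    iis_site: str       # site IIS actually dispatched to; server-side
    authenticated: bool


# Constructed configs mirroring the two syntaxes discussed in the thread.
HOSTNAME_KEYED = {"ws1.umich.edu": "cosign-SERVICE1", "ws2.umich.edu": "cosign-SERVICE2"}
SITE_KEYED = {"ws1": "cosign-SERVICE1", "ws2": "cosign-SERVICE2"}


def decide(req, service, fail_open):
    """Return 'allow' or 'deny'. With no matching service, a fail-open filter passes the request through."""
    if service is None:
        return "allow" if fail_open else "deny"
    return "allow" if req.authenticated else "deny"


def hostname_policy(req, fail_open=True):
    # Looks up the client-supplied Host header (the website="" behaviour described in the thread).
    return decide(req, HOSTNAME_KEYED.get(req.host_header.lower()), fail_open)


def site_policy(req, fail_open=True):
    # Looks up the IIS site identity, which the client cannot choose.
    return decide(req, SITE_KEYED.get(req.iis_site), fail_open)


def evaluate(policy, fail_open=True):
    # Constructed unauthenticated requests: the real DNS name, a user-created
    # name that a hosts file points at the same IP, and the raw IP address.
    # Assumption: IIS routes all three to site "ws1" (no host-header binding).
    samples = [Request("ws1.umich.edu", "ws1", False),
               Request("my-alias.example", "ws1", False),
               Request("192.0.2.10", "ws1", False)]
    return [policy(r, fail_open) for r in samples]


if __name__ == "__main__":
    print("Host-header keyed:", evaluate(hostname_policy))   # ['deny', 'allow', 'allow']
    print("Site keyed:       ", evaluate(site_policy))       # ['deny', 'deny', 'deny']
```

Keying on the site identity, or at minimum failing closed when no service matches, closes the gap regardless of what name the client resolves the server under.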
________________________________
From: Konstantin Voyk [mailto:kvoyk@xxxxxxxxx]
Sent: Friday, August 12, 2005 1:45 PM
To: Asfaw-Kirby, Elias; cosign-discuss@xxxxxxxxx
Subject: RE: IISCosign - one physical server more than 1 cosign-service possible?
Elias,
1. Apply cosign filter at 'Web Sites' level (where your multiple
websites are listed)
2. Modify your config file to protect multiple web sites
<Service website="ws1.umich.edu">cosign-SERVICE1
    <Protected>/</Protected>
</Service>
<Service website="ws2.umich.edu">cosign-SERVICE2
    <Protected>/application1/page1.aspx</Protected>
    <Protected>/application2/page2.aspx</Protected>
</Service>
Konstantin.
________________________________
From: Elias Asfaw-Kirby [mailto:eliasak@xxxxxxxxx]
Sent: Friday, August 12, 2005 1:28 PM
To: cosign-discuss@xxxxxxxxx
Subject: IISCosign - one physical server more than 1 cosign-service possible?
Is it possible to have more than one cosign service running off one
physical server using IIS Cosign?
(OS - Windows Server 2003)
Ex.
Currently hosting website ws1.umich.edu on iisserver.umich.edu and
cosign works great.
Is it possible to host ws2.umich.edu on iisserver.umich.edu and use
cosign there also?
Thanks Team,
--
Elias Asfaw-Kirby | 734-615-6490
Web Developer | eliasak@xxxxxxxxx