We (LSAIT) already have the required exception for this particular server in 
play.

I did find this piece of information from an earlier email.  After performing 
the cert deletion and renewal/import, the CoSign enabled sites are now working 
again on the lsa-webapps2 server for us.


On Jan 31, 2011, Jarod wrote:


The f_starttls: snet_starttls: error:00000000:lib(0):func(0):reason(0) error 
has been recreated on one of ITS's test Windows 2008 servers. This error was 
caused by removing the UMWeb CA certificate from the Windows Trusted Root 
Certificates Store. Upon reinstalling the UMWebCA certificate authority file to 
the Windows cert store, the CosignModule was able to function normally and 
authenticate users properly. If need be, this certificate can be re-downloaded 
from here <http://www.umich.edu/~umweb/umwebCA.pem>.



I recommend reinstalling the umwebCA.pem certificate into the lsa-webapps2 
certificate store under the "trusted root certificate" node.



Jarod



Hope this helps for you also.


Sincerely,

Louis Englund

Humility is not thinking less of yourself but thinking of yourself less. --C.S. 
Lewis

Database Administrator Senior - LSA Information Technology
734 647 8345-W | [email protected]
University of Michigan | College of Literature, Science & Arts | 500 South 
State St | Ann Arbor, MI 48109

From: Lee, Brian
Sent: Tuesday, March 15, 2011 9:57 AM
To: Voyk, Konstantin; Englund, Louis; [email protected]
Cc: Rolston, Timothy; [email protected]; Malestein, Jarod
Subject: RE: [Cosign-discuss] cosign module faulting

I'm thinking the service exception is the way to go.

I'll ask for that, but I don't think they can do it right away.

I asked for one on another (linux) server I run. They said they have 
maintenance windows where they can put in exceptions on Thursdays and 
Saturdays. They were, however, able to make a faster change to the test cosign 
server. In this case though, I think I just need to wait for the real cosign 
server, as I have plenty of real users authenticating to some of these sites 
(using ugly domains for now.)

Thanks for your help Konstantin and Louis

From: Voyk, Konstantin
Sent: Tuesday, March 15, 2011 9:50 AM
To: Englund, Louis; Lee, Brian; [email protected]
Cc: Rolston, Timothy; [email protected]; Malestein, Jarod
Subject: RE: [Cosign-discuss] cosign module faulting

Hi Louis,
I asked Jarod ([email protected]) about a possible solution 
for this problem, and he told me that the workaround for the issue is setting up 
a service exception or changes to the IIS module.  It may be time to ask the 
Cosign team to upgrade the IIS module.
Thanks,
Konstantin.

From: Englund, Louis
Sent: Tuesday, March 15, 2011 9:32 AM
To: Voyk, Konstantin; Lee, Brian; [email protected]
Cc: Rolston, Timothy
Subject: RE: [Cosign-discuss] cosign module faulting

Konstantin,

I believe it may be just a case of semantics, but you are correct.  I did not 
notice if that was an issue for Brian, but I can say that the LSAIT cosign 
enabled IIS7 sites/webapps (which were working in the last 24 hours) are set up 
as webapps/v-directories under the main "Default Web site", and the individual 
apps/sub-sites that need CoSign enabled have the following in their web.config 
file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <cosign>
            <protected status="on" />
            <compatibilityMode mode="true" />
        </cosign>
    </system.webServer>
</configuration>

Parent sites/apps that do not need to be CoSign protected do not have this 
CoSign insert.

Sincerely,

Louis Englund

Humility is not thinking less of yourself but thinking of yourself less. --C.S. 
Lewis

Database Administrator Senior - LSA Information Technology
734 647 8345-W | [email protected]
University of Michigan | College of Literature, Science & Arts | 500 South 
State St | Ann Arbor, MI 48109

From: Voyk, Konstantin
Sent: Tuesday, March 15, 2011 9:24 AM
To: Englund, Louis; Lee, Brian; [email protected]
Cc: Rolston, Timothy
Subject: RE: [Cosign-discuss] cosign module faulting

You cannot have two cosign protected web sites, but you can have many web 
apps protected within a web site. Cosign module settings allow you to specify 
one service/certificate per IIS in the applicationHost.config.
Sincerely,
Konstantin Voyk
Law School Information Technology

From: Englund, Louis [mailto:[email protected]]
Sent: Tuesday, March 15, 2011 8:56 AM
To: Lee, Brian; [email protected]
Cc: Rolston, Timothy
Subject: Re: [Cosign-discuss] cosign module faulting

I am also getting this now on our lsa-webapps2 (QA) server.

Was there a solution/resolution sent out that I may have missed?

Sincerely,

Louis Englund

Humility is not thinking less of yourself but thinking of yourself less. --C.S. 
Lewis

Database Administrator Senior - LSA Information Technology
734 647 8345-W | [email protected]
University of Michigan | College of Literature, Science & Arts | 500 South 
State St | Ann Arbor, MI 48109

From: Lee, Brian [mailto:[email protected]]
Sent: Monday, March 14, 2011 12:11 PM
To: [email protected]
Subject: [Cosign-discuss] cosign module faulting

Hi,

I have an IIS7 server running a cosign protected website successfully, but now 
I'm trying to add a second cosign protected website (veterans_test_separated) 
to the same webserver.
The second site works fine (correct SSL cert) until I turn on cosign 
protection. With cosign protected status="on", visiting 
https://veterans.onsp.umich.edu/test.html brings up a weblogin screen. After 
correctly providing credentials, I get "Internet Explorer cannot display the 
webpage." I also get the following error in the webserver event log:

Faulting application name: w3wp.exe, version: 7.5.7600.16385, time stamp: 
0x4a5bd0eb
Faulting module name: CosignModule.dll, version: 0.0.0.0, time stamp: 0x4ce43995
Exception code: 0xc0000417
Fault offset: 0x000000000001d7d4
Faulting process id: 0x8d0
Faulting application start time: 0x01cbe2618d55bff0
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: c:\windows\system32\inetsrv\CosignModule.dll
Report Id: cb2ad3e8-4e54-11e0-8f8f-00155d73e80a

I've been banging my head on this for a while and would really appreciate any 
help.

--Brian


Here is my web.config file in the veterans_test directory:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

    <system.web>
        <sessionState mode="InProc" timeout="6000" />
        <compilation debug="true">
            <assemblies>
                <add assembly="System.DirectoryServices,Version=1.0.3300.0, Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a" />
            </assemblies>
        </compilation>
    </system.web>

    <system.webServer>
        <cosign>
            <webloginServer name="weblogin.umich.edu"
                            loginUrl="https://weblogin.umich.edu/?"
                            port="6663"
                            postErrorRedirectUrl="https://weblogin.umich.edu/post_error.html" />
            <crypto certificateCommonName="veterans.onsp.umich.edu" />
            <cookieDb directory="C:\inetpub\temp\Cosign Cookie DB\" expireTime="120" />
            <proxyCookies directory="C:\inetpub\temp\Cosign Proxy DB" />
            <validation validReference="https?://.*umich\.edu(/.*)?"
                        errorRedirectUrl="https://weblogin.umich.edu/cosign/validation_error.html" />
            <cookies secure="true" httpOnly="true" />
            <service name="cosign-veterans.onsp" />
            <protected status="on" />
        </cosign>

        <handlers>
            <add name="Cosign Validation" path="/cosign/valid*" verb="*" modules="Cosign" resourceType="Unspecified" />
        </handlers>

        <modules>
            <add name="Cosign" />
        </modules>

        <httpErrors>
            <error statusCode="503" path="/503.html" responseMode="ExecuteURL" />
        </httpErrors>

        <defaultDocument>
            <files>
                <add value="index.aspx" />
            </files>
        </defaultDocument>
    </system.webServer>

    <location path="veterans_test_separated/cosign/valid">
        <system.webServer>
            <cosign>
                <protected status="off" />
            </cosign>
        </system.webServer>
    </location>

</configuration>


If it would be helpful, I can provide my applicationHost.config file as well.
--Brian
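
The fix reported at the top of this thread was reinstalling umwebCA.pem under the Windows "trusted root certificate" node after a deletion and renewal. The PowerShell check below for that condition is an added example, not code from the thread or from the Cosign project; the path `C:\Temp\umwebCA.pem` and the `-Install` switch are assumptions, and the file is assumed to have been downloaded and verified already.

```powershell
# Added example: is the CA from umwebCA.pem in LocalMachine\Root, and are
# there stale copies with the same subject left over from a renewal?
param(
    [string]$PemPath = 'C:\Temp\umwebCA.pem',  # assumed local copy of the CA file
    [switch]$Install                           # assumed switch: add the CA if missing
)
$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

# X509Certificate2 loads DER or Base64 (PEM) encoded certificate files.
$file = (Resolve-Path -LiteralPath $PemPath).Path
$ca   = New-Object "$x509.X509Certificate2" -ArgumentList $file

"Subject    : $($ca.Subject)"
"Thumbprint : $($ca.Thumbprint)"
"Not after  : $($ca.NotAfter.ToString('u'))"
if ($ca.NotAfter -lt (Get-Date)) {
    Write-Warning 'The CA certificate in the file has expired; obtain a current copy.'
}

# Writing to the machine Root store requires an elevated session.
$mode  = if ($Install) { 'ReadWrite' } else { 'ReadOnly' }
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open($mode)
try {
    # Every store entry that shares the CA subject, including old copies.
    $sameSubject = @($store.Certificates | Where-Object { $_.Subject -eq $ca.Subject })
    foreach ($c in $sameSubject) {
        $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        "In store   : $($c.Thumbprint)  $state  (not after $($c.NotAfter.ToString('u')))"
    }

    # The exact certificate from the file is matched by thumbprint.
    $matches = @($sameSubject | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    if ($matches.Count -gt 0) {
        'Result     : CA from file is present in LocalMachine\Root.'
    } elseif ($Install) {
        $store.Add($ca)
        'Result     : CA was missing and has been added to LocalMachine\Root.'
    } else {
        Write-Warning 'CA from file is missing from LocalMachine\Root; re-run with -Install.'
    }
} finally {
    $store.Close()
}
```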









