Versions Compared

Old Version 16

changes.mady.by.user Brian Donnelly

Saved on

compared with

New Version 17

changes.mady.by.user Brian Donnelly

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Section
Column
width20%
Panel
borderColor#BF9900
bgColor#FFFFFF
titleBGColor#E5D699
titleIn this Section
borderStylesolid
Table of Contents
indent15px
stylenone
Column
Note
titleNew Module in Beta

A beta of the new CASAuthN 2.0 ISAPI module has been postedreleased. This The new module uses a filesystem cache for storing tickets and includes a number of new configuration parameters. Most important in the cache_path setting: this must be set to an empty directory on the web server that will be populated with cache files. Ensure this directory exists and is writable by IIS. Please pay close attention to the parameters when installing. Once the module is out of beta, we will post a new set of installation instructionsin-memory hash maps to store authentication credentials and avoids the issues found with the filesystem-based module.

Overview

Windows Internet Information (IIS) server is used to deliver web sites and applications for numerous departments. While the newest versions of IIS suppport .NET technology for which there is a well-supported CAS authentication module, older applications rely on ISAPI, the Information Server Application Programming Interface. Unfortunately, there is little or no support for an ISAPI CAS module. In order to support our IIS clients, we have created an ISAPI client module.

Alternatives

Ja-Sig provides links to several ISAPI modules developed by other organizations. If you encounter problems with the UC Davis ISAPI module, you can try the modules listed at http://www.ja-sig.org/wiki/display/CASC/ISAPI+Filter.

Download

Click here to download the CAS ISAPI Client Installer

Installation Instructions

Include Page
IETP:CAS ISAPI Installation
IETP:CAS ISAPI Installation

Classlist / User File Configuration

The Distauth ISAPI client never supported the Classlist feature. However, the College of Letters and Science has provided an ODBC filter which can authorize users against a database. Please go to ODBCFilter for more information.

Passthrough / Gateway Configuration

The CAS ISAPI Module does not currently provide support for Gateway mode.

IP Restriction Configuration

IP Restriction can be configured via the IIS Administrator console:

  1. Open the IIS Adminsitrator Console
  2. Select your Web Site
  3. Right Click and Select Properties
  4. When the Properties Window Opens, select the Security Tab.
  5. Click Edit in the IP address and domain restrictions section
  6. Add the UC Davis IP ranges:
    • 169.237.
    • 128.120.
    • 152.79.
  7. IP restrictions are now in effect.

Troubleshooting

If the filter is not working correctly, you may want to check these items.

  • Red Arrow in IIS Administrator
    • Access Permissions: Make sure the IIS group (whatever group the IWAM_MACHINENAME user belongs to) has read access to its location.
    • Registry Keys: The CAS ISAPI module stores its configuration in the system registry during install. Check that the following keys exist and are populated:
      • /HKEY_LOCAL_MACHINE/SOFTWARE/CASAuthN
      • /HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/EventLog/Application/CASAuthN
    • Isolation Mode: Try turning on IIS 5.0 Isolation mode. In the IIS Adminsistrator, Right Click on the 'Web Sites' folder and choose 'Properties'. In the properties window, select the 'Service' tab, and make sure the Checkbox labeled 'Run WWW service in IIS 5.0 Isolation mode' is checked. Then restart IIS.
  • It's not redirecting
    • Make sure the filter is loading. Under the Internet Information Services panel, look for the filter where you applied it earlier, and make sure there is a green arrow up next to it. Make sure the IIS group (whatever group the IWAM_MACHINENAME user belongs to) has read access to its location.
  • Redirection Limit Exceeded Error
    • Ensure that your links and/or users are accessing protected resources via a url with your site's domain name and not IP address. The ISAPI plugin requires that users access the protected website via its configured domain name. Additionally, domain names must be inside the ucdavis.edu domain.
  • Unable to create an XML Document Instance
    • If the CAS module is not working, and you see messages in the Application Log that reference "unable to create an XML Document Instance", try installing MSXML 4 Service Pack 2 or higher. This has been reported in some Windows Server 2008 installations.
  • Other Problems
    • Please contact distauth@ucdavis.edu if you need additional assistance.
Attachments