NOTE: UC Davis no longer maintains the ISAPI CAS client. ISAPI is deprecated by Microsoft. Use at your own risk.
CASAuthN ISAPI Client
Section | |||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Download
Attachments |
---|
Installation Instructions
Include Page |
---|
...
|
...
|
Classlist / User File Configuration
The Distauth ISAPI client never supported the Classlist feature. However, the College of Letters and Science has provided an ODBC filter which can authorize users against a database. Please go to ODBCFilter for more information.
Passthrough / Gateway Configuration
The CAS ISAPI Module does not currently provide support for Gateway mode.
IP Restriction Configuration
IP Restriction can be configured via the IIS Administrator console:
- Open the IIS Adminsitrator Console
- Select your Web Site
- Right Click and Select Properties
- When the Properties Window Opens, select the Security Tab.
- Click Edit in the IP address and domain restrictions section
- Add the UC Davis IP ranges:
- 169.237.
- 128.120.
- 152.79.
- IP restrictions are now in effect.
...
Troubleshooting
The ISAPI module logs to the Windows Application Event log. Entries can be viewed using the Event View administration tool. The CAS log entries can be identified by a Source value of "CASAuthN". In its default configuration CAS will write entries on service start, stop, error conditions and cache cleanings.
The new module also comes with a debugging mode. To enable debugging, edit the /HKEY_LOCAL_MACHINE/SOFTWARE/CASAuthN/Debug registry key, setting the value to 1. After an IIS restart, you will see a marked increase in event log entries.
If the filter is not working correctly, you may want to check these items
...
:
- Red Arrow in IIS Administrator
- Access Permissions: Make sure the IIS group (whatever group the IWAM_MACHINENAME user belongs to) has read access to its location.
- Registry Keys: The CAS ISAPI module stores its configuration in the system registry during install. Check that the following keys exist and are populated:
- /HKEY_LOCAL_MACHINE/SOFTWARE/CASAuthN
- /HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/EventLog/Application/CASAuthN
- Isolation Mode: Try turning on IIS 5.0 Isolation mode. In the IIS Adminsistrator, Right Click on the 'Web Sites' folder and choose 'Properties'. In the properties window, select the 'Service' tab, and make sure the Checkbox labeled 'Run WWW service in IIS 5.0 Isolation mode' is checked. Then restart IIS.
- It's not redirecting
- Make sure the filter is loading. Under the Internet Information Services panel, look for the filter where you applied it earlier, and make sure there is a green arrow up next to it. Make sure the IIS group (whatever group the IWAM_MACHINENAME user belongs to) has read access to its location.
- Redirection Limit Exceeded Error
- Ensure that your links and/or users are accessing protected resources via a url with your site's domain name and not IP address. The ISAPI plugin requires that users access the protected website via its configured domain name. Additionally, domain names must be inside the ucdavis.edu domain.
- Unable to create an XML Document Instance
- If the CAS module is not working, and you see messages in the Application Log that reference "unable to create an XML Document Instance", try installing MSXML 4 Service Pack 2 or higher. This has been reported in some Windows Server 2008 installations.
- The CASAuthN Authentication filter was unable to validate the authentication cookie
This version of the ISAPI module cannot make https connections to cas servers that run with self-signed certificates. When using the UC Davis CAS service, always make sure the ServerURL parameter is set to https://cas.ucdavis.edu/cas - Other Problems
- Please contact
...
- websso@ucdavis.edu if you need additional assistance.