CUWebAuth 1.4 README
-------------------------------------

Complete documentation for CUWebAuth 1.4 can be found at http://identity.cit.cornell.edu/cuwebauth/doc_1.4/ .

If you have additional questions or problems, you can contact us at aadssupport@cornell.edu.

*******************
*SECURITY ADVISORY*
*******************

CUWebAuth IIS will ignore any configuration lines starting with whitespace (tabs/spaces). This can result in a more permissive security policy than intended. Please double check your configuration file to ensure that you do not have tabs or spaces at the beginning of lines.

This applies to all versions up to and including the current version. This behavior will change in 2.0.

INSTALLATION
---------------------

Detailed instructions are posted at http://identity.cit.cornell.edu/cuwebauth/doc_1.4/

For 1.4.2 we have switched to distributing a Zip file. Any reference to the installer may be ignored.

Quick checklist:

1. Extract the zip file to C:\CUWebAuth\ (or other path).
2. Copy the file krb.con to the windows directory (usually c:\windows or c:\winnt)
3. Get a srvtab (http://aads.cit.cornell.edu/servicerequest/srvtabrequest/srvtabrequest.php)
4. Create a conf file (http://identity.cit.cornell.edu/cuwebauth/doc_1.4/sample_iis.html)
5. Make sure the user account used by IIS has write access to create the log file (in c:\cuwebauth). This is usually IUSER something
6. Add the CUWebAuth.dll filter to IIS (ISAPI Filter)

CONFIGURATION
-------------------------

A sample configuration file can be found at http://identity.cit.cornell.edu/cuwebauth/doc_1.4/sample_iis.html .

For more details see http://identity.cit.cornell.edu/cuwebauth/doc_1.4/ .

UNINSTALLATION
-------------------------

Remove the ISAPI filter from your IIS configuration. Delete the files you extracted in step 1 of the installation checklist. You might want to keep your srvtab and/or conf file.

RELEASE NOTES
--------------------------

1.4.2: Installer replaced with a zip file. Some memory bugs fixed.
Stability and reliability enhanced.

1.4.0

CURRENT-ENHANCEMENTS/FIXES:

1) Made casesensitive false by default & deprecated CUWAcasesensitive.
2) Made change to getKerberosInstance function to return correct instance. This enables us to use @CORNELL.EDU in the conf file. This helps when the user uses multiple KDCs in their conf files for sidecar.
3) Disabled IP checking for SSL connections in verifying the cookie.
4) Fixed the webport & webPortSSL bug; the IIS version now supports the use of these two directives.
5) All http transactions to cuweblogin are now over ssl.
6) Changed the getkerberosRealm function to return the correct realm.
7) Changed the proxyIDAvailable function to respond correctly to direct requests.
8) Sensitive cussp transactions are encrypted.

PREVIOUS/FIXES:

1) The default location directive in the CUWebAuth.conf file helps in reloading the changes in the configurations without restarting IIS. See the documentation for further details.
2) Additional directives CUWAcookieTimeout, CUWAsslcookieTimeout, CUWAinactivityTimeout have been added. Please refer to the documentation for further information.
3) The CUWebAuth cookie is no longer site specific. It has context associated with it. Please refer to the documentation for further information.
4) New Authtype "-forceonce" is introduced. Please refer to the documentation for further information.

KNOWN ISSUES:

1) The documentation states that this version is for Windows 2000 / IIS 5.0. It has been pilot tested under Windows 2003 / IIS 6.0, but requires the server to be run in compatibility mode. Consult the documentation for more details. It should still be backward compatible with Windows NT / IIS 4.0.
2) If you wish to run SideCar on the same machine, make sure you disable the "Any Kerberos use starts SideCar" option BEFORE installing and loading CUWebAuth. Otherwise you'll need to do this in the registry to prevent SideCar from running at the Services level and being inaccessible to desktop users.
3) Your web server must have a DNS name associated with it. If you do not have a name in the .cornell.edu address space, CUWebLogin authentication will not work.
4) There is currently no way to distinguish between multiple virtual hosts in the CUWebAuth.conf file. Any URL rules specified there will apply to every web host you are running on your server.
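
The check asked for in the SECURITY ADVISORY above can be automated. The following script is an added example, not part of the CUWebAuth distribution: it lists every non-blank conf line that begins with a space or tab and shows which lines remain in effect. The directive names come from this README; the values and value syntax in the sample are constructed placeholders.

```python
import sys

# Added example: lint a CUWebAuth IIS conf file for lines the filter ignores.
# Assumption: "starting with whitespace" means the first character of the
# line is a space or a tab, as the advisory in this README states.

def find_ignored_lines(conf_text):
    """Return (line_number, indent_kind, stripped_text) for every non-blank
    line that begins with a space or tab."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        body = line.lstrip(" \t")
        if body == "" or body == line:
            continue  # blank line, or no leading whitespace
        indent = line[: len(line) - len(body)]
        if "\t" in indent and " " in indent:
            kind = "mixed"
        elif "\t" in indent:
            kind = "tab"
        else:
            kind = "space"
        findings.append((number, kind, body.rstrip()))
    return findings

def effective_lines(conf_text):
    """Non-blank lines left once indented lines are dropped, i.e. the lines
    the advisory says the filter still acts on."""
    dropped = {n for n, _, _ in find_ignored_lines(conf_text)}
    return [line.rstrip()
            for n, line in enumerate(conf_text.splitlines(), start=1)
            if n not in dropped and line.strip()]

# Constructed sample: directive names are from this README, values and
# value syntax are placeholders and not real CUWebAuth syntax.
SAMPLE = (
    "CUWAcookieTimeout 600\n"
    "  CUWAsslcookieTimeout 300\n"
    "\n"
    "\tCUWAinactivityTimeout 120\n"
    " \tCUWAcasesensitive placeholder\n"
    "   \n"
)

if __name__ == "__main__":
    # Pass the conf file path as the first argument; falls back to SAMPLE.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE)
    hits = find_ignored_lines(text)
    for number, kind, content in hits:
        print(f"line {number}: leading {kind} -> ignored by filter: {content}")
    print("lines still in effect:", effective_lines(text))
    sys.exit(1 if hits else 0)  # non-zero exit when the file needs fixing
```

The non-zero exit status lets the script gate a deployment step so an indented rule is caught before the conf file reaches the server.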