SecureAware on IIS8 on Windows Server 2008/2012 R2 64-bit

Note: SecureAware version 3.7 and above contains all files and setup configuration needed to use Microsoft IIS as a front end web server.

Contents
Installing the IIS web server
Installing SecureAware
Import AD users and groups
    Setting up the LDAP connection
        Connection
        Credentials
        Confirm
    Import users from the directory
    User Management
Setting up the redirector in IIS
Restarting IIS web site
Test the redirection
    Troubleshooting 403 Forbidden: Access is denied
Single Sign On
    Troubleshooting SSO not working: SecureAware login prompt is displayed
    Troubleshooting SSO not working: Windows login prompt is displayed
    Troubleshooting SSO not working: Blank screen or IIS default web page is displayed
Installing the IIS web server

Installing the Microsoft Internet Information Server (IIS) is done by adding the web server role in the server configuration manager. If the web server role is already installed on the server that is hosting the SecureAware application, please ensure that the Role Services described below are included before continuing with the SecureAware installation.

Start > Administrative Tools > Server Manager > Right click on Roles > Add Roles > (Click Next if you get the wizard) > Check the checkbox Web Server (IIS)

Click Role Services in the list on the left hand side and select the following role services:
Application Development > ISAPI Extensions, ISAPI Filters
Security > Windows Authentication

Click on Next > Install
Installing SecureAware

If your server is connected to the internet, you can install SecureAware by clicking on the SecureAware for Windows link and running the installation file. If the server is not connected to the internet, download the offline installation package containing four installation files. Place them on the server and run the file sainstallxxx.exe.

When the installation is complete you will be logged in as system administrator and you will have to upload the license file that you have received from Neupart. Click the Licenses icon and upload the license file that you received from Neupart (the .lic file) at the bottom of the page.

You can now log out, and log in as a superuser:
Login: su
Password: snrt!32w
Import AD users and groups

Setting up the LDAP connection

Go to Settings > Directories > New directory

Connection

Fill out the fields:
Directory server URL
Active directory domain name
Short domain name

The following fields are optional:
Mail Field Name
Mail Template
Delayed AD lookup
Follow AD referral to other servers
Simple group search

Click
Credentials

You must now add an AD service user. This should be an administrative user whose password does not change. If you do NOT enter an AD service user, you can still validate users but you cannot use Single Sign-on (SSO) or import groups and organizational units.

Fill out the fields:
AD service user
AD service user password

Test the connection before clicking Confirm.

Confirm

Check and confirm your selections by clicking
Import users from the directory

Go to Settings > Directories and click Refresh to the right of the domain. The users are now registered in SecureAware. This may take some time if the domain contains a large number of users, but you do not have to stay on the page while it refreshes.

User Management

User management and roles management are not required for SSO. If you need more information on user management, please follow the guide at http://www.neupart.com/media/65046/secureaware user management en.pdf
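Before entering the AD service user in Settings > Directories, the bind and the group/OU visibility it needs for SSO and group import can be checked from the server itself. This is an added PowerShell example using .NET DirectoryServices, not part of the Neupart guide; the directory server URL and the service account name are assumptions.

```powershell
# Added example (not from the Neupart guide): verifies that the directory server
# URL and the AD service user work, and that the account can see groups and
# organizational units (needed for SSO and group import).
# Server name and account name below are assumptions; adjust to your domain.
Add-Type -AssemblyName System.DirectoryServices

$ldapUrl   = 'LDAP://dc01.example.local'     # assumed Directory server URL
$svcUser   = 'EXAMPLE\svc_secureaware'       # assumed AD service user
$svcPass   = Read-Host 'AD service user password' -AsSecureString
$plainPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($svcPass))

# Bind with the service credentials; a wrong password or URL throws here.
$root = New-Object System.DirectoryServices.DirectoryEntry($ldapUrl, $svcUser, $plainPass)
try {
    $null = $root.NativeObject    # forces the actual LDAP bind
    Write-Host "Bind OK as $svcUser to $($root.distinguishedName)"
} catch {
    throw "LDAP bind failed: $($_.Exception.Message)"
}

# The kind of search the group/OU import depends on: count the groups and OUs
# visible to the service user. Zero results usually means missing read rights.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = '(|(objectClass=group)(objectClass=organizationalUnit))'
$searcher.PageSize = 1000          # paged search so large domains are not truncated
$found = $searcher.FindAll()
Write-Host "Groups and OUs visible to the service user: $($found.Count)"
```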
Setting up the redirector in IIS

You will now have to configure IIS to host the web site and use the ISAPI redirector filter.

Stop the SecureAware service in Start > SecureAware Manager > Stop.

Start the Microsoft IIS manager application in Start > Administrative Tools > Internet Information Services (IIS) Manager.

Find the folder Sites in the tree on the left hand side and click on it > Click Add Web Sites in the right hand menu > Fill in Site name > In Physical path, browse and create a folder in C:\inetpub (you can name it what you want; in the example it is called SecureAware) > Select the port number in the field Port. If you select a port which is already in use, you will have to fill in the field Host name. Click OK.

Expand the folder Sites in the left hand menu and select the web site you just created > Click View virtual directories in the right hand menu > Click Add virtual directory in the right hand menu > Alias must be Jakarta > In Physical path, browse for C:\Program Files\Neupart\SecureAware\iis

Now fold out the SecureAware web site in the left hand tree structure and select the new Jakarta folder > Double-click Handler Mappings > Select Edit Feature Permissions in the right hand menu > Make sure that Read, Script and Execute are checked > Click OK.

Next, the redirector must be registered as an ISAPI filter on the web site. Select the SecureAware web site in the left hand menu > Double-click ISAPI Filters > Click Add in the right hand menu to start the installation of the redirector > Filter name: Jakarta > In the field Executable, browse for C:\Program Files\Neupart\SecureAware\iis\isapi_redirect.dll > Click OK.

The last step is to allow the redirector to execute, which is a global setting in IIS. Select the IIS server in the tree view > Double-click the ISAPI and CGI Restrictions icon.
Click Add in the right hand bar > Browse for C:\Program Files\Neupart\SecureAware\iis\isapi_redirect.dll > Type jakarta in the description field > Check the Allow extension path to execute box > Click OK.

You have now set up IIS to use the redirector on the SecureAware web site.

Restarting IIS web site

To enable your changes you must restart the IIS as well as the SecureAware Service. It is important that you do this in the following order:
1. Make sure the SecureAware Service is stopped
2. Stop the IIS
3. Start the SecureAware Service
4. Start the IIS
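The role installation and the redirector steps above, scripted with the ServerManager and WebAdministration modules. This is an added example, not part of the Neupart guide: the site name, port, physical path and the name of the SecureAware Windows service are assumptions; the DLL path, the jakarta virtual directory, the feature permissions and the restart order are the ones the guide gives.

```powershell
# Added example (not from the SecureAware guide or Neupart): installs the IIS role
# services the guide lists and configures the jakarta redirector on a new site.
# Run in an elevated PowerShell on the SecureAware server. Assumptions: site name,
# port and physical path below; the redirector DLL lives where the guide says.
Import-Module ServerManager        # Windows Server 2008 R2 / 2012 R2
Import-Module WebAdministration

$siteName = 'SecureAware'
$sitePort = 8080                                        # assumed free port
$sitePath = 'C:\inetpub\SecureAware'
$saIisDir = 'C:\Program Files\Neupart\SecureAware\iis'  # from the guide
$redirDll = Join-Path $saIisDir 'isapi_redirect.dll'
$appHost  = 'MACHINE/WEBROOT/APPHOST'                   # applicationHost.config

# 1. Web Server role with the role services the guide requires.
Add-WindowsFeature Web-Server, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Windows-Auth, Web-Mgmt-Console

# 2. The site and the virtual directory that must be called jakarta.
if (-not (Test-Path $sitePath)) { New-Item -ItemType Directory -Path $sitePath | Out-Null }
New-Website -Name $siteName -Port $sitePort -PhysicalPath $sitePath | Out-Null
New-WebVirtualDirectory -Site $siteName -Name 'jakarta' -PhysicalPath $saIisDir | Out-Null

# 3. Feature permissions Read, Script and Execute on the jakarta handler mappings.
#    Written as a <location> entry in applicationHost.config because the
#    handlers section is locked against web.config delegation by default.
Set-WebConfigurationProperty -PSPath $appHost -Location "$siteName/jakarta" `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read,Script,Execute'

# 4. Register the redirector as an ISAPI filter on the site.
Add-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/isapiFilters' -Name '.' `
    -Value @{ name = 'jakarta'; path = $redirDll }

# 5. Allow the DLL to execute: the server-wide ISAPI and CGI Restrictions list.
Add-WebConfigurationProperty -PSPath $appHost `
    -Filter 'system.webServer/security/isapiCgiRestriction' -Name '.' `
    -Value @{ path = $redirDll; allowed = $true; description = 'jakarta' }

# 6. Restart in the order the guide requires. The SecureAware Windows service
#    name is an assumption: check it in services.msc and adjust.
$saService = 'SecureAware'
Stop-Service  $saService -ErrorAction Stop
Stop-Service  W3SVC               # stop IIS (World Wide Web Publishing Service)
Start-Service $saService
Start-Service W3SVC
```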
Test the redirection

Before continuing with setting up Single Sign-On, you should check if the redirector is working. You should now be able to point a web browser to the web site you created in IIS and get the SecureAware login prompt.

Troubleshooting 403 Forbidden: Access is denied

If the redirector is not working and you get an access denied message when trying to connect to the website, try one of the following:

Restart the services in the correct order:
1. Stop the SecureAware Service
2. Stop the IIS
3. Start the SecureAware Service
4. Start the IIS

Or make sure that the service configured in your IIS web server is allowed read and execute access to the SecureAware IIS folder you created:
Select the folder Jakarta in the left hand menu > Double-click Handler Mappings > Click Edit Feature Permissions in the right hand menu > Make sure Read, Script and Execute are checked > Click OK.
Single Sign On

Before configuring single sign on, you need to ensure that the web server is a member of your Active Directory domain.

If you want the web site to operate in a Single Sign On solution, you now need to disable Anonymous access to the web site in the IIS manager.

Select the web site > Double-click Authentication
Select Windows Authentication > Select Enable in the right hand menu
Select Anonymous Authentication > Select Disable in the right hand menu

Now close all instances of the browser and restart the IIS server. Test the single sign on feature in a new Internet Explorer instance. Your name should be shown in the top right area.

Troubleshooting SSO not working: SecureAware login prompt is displayed

If you have set up Single Sign On but the SecureAware login prompt is displayed when you access SecureAware, please try one of the following:
Check if the SecureAware settings are correct (read the section Communication with AD), or
Check that Anonymous Authentication is disabled and that Windows Authentication is enabled (read the section Single Sign On).
Troubleshooting SSO not working: Windows login prompt is displayed

If the Windows login prompt is displayed, make sure that Internet Explorer has SecureAware as a trusted site in the Local intranet zone. You can do this in IE by clicking Tools > Internet Options > Security > Local Intranet > Sites > Advanced.

Troubleshooting SSO not working: Blank screen or IIS default web page is displayed

The jakarta redirector on the IIS 7 web site does not redirect requests to SecureAware: the client page is left blank or shows content from the web site folder, and the IIS log files show 200 OK for the requests.

When installing SecureAware on 64-bit Windows, the isapi_redirect.dll is a 64-bit compiled file for optimal performance. Each web site in IIS 7 uses an application pool, and in the Advanced Settings of the pool there is an option Enable 32-bit Applications. If this is enabled (True), all processes are served through WOW64 (Windows on Windows 64). Processes in WOW64 mode are 32-bit processes and will only load 32-bit DLLs, so the 64-bit redirector is never loaded.

To solve this, you can either set Enable 32-bit Applications to False in the Application Pool settings, or use the 32-bit version of isapi_redirect.dll that is provided with SecureAware in the SecureAware/iis/32bit folder.
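The Single Sign On authentication switch and the 32-bit application pool check from the two sections above, as an added PowerShell example that is not part of the Neupart guide. It assumes the site is named SecureAware, that the ISAPI filter was registered under the name jakarta, and that the 32-bit DLL in the SecureAware\iis\32bit folder carries the same file name.

```powershell
# Added example (not from the SecureAware guide or Neupart): switches the site to
# Windows Authentication for SSO and checks the blank-page cause the guide
# describes (32-bit application pool, 64-bit isapi_redirect.dll).
# Assumptions: site name and ISAPI filter name below; adjust to your names.
Import-Module WebAdministration

$siteName = 'SecureAware'
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = 'system.webServer/security/authentication'

# Single Sign On: Windows Authentication on, Anonymous Authentication off.
# Both sections are locked for web.config, so write <location> entries instead.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter "$authBase/windowsAuthentication" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter "$authBase/anonymousAuthentication" -Name 'enabled' -Value $false

# Troubleshooting a blank page: a WOW64 (32-bit) application pool cannot load
# the 64-bit redirector. Detect the mismatch and apply one of the guide's fixes.
$poolName = (Get-Website -Name $siteName).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$dllPath  = (Get-WebConfigurationProperty -PSPath $appHost -Location $siteName `
             -Filter "system.webServer/isapiFilters/filter[@name='jakarta']" -Name 'path').Value

if ($pool.enable32BitAppOnWin64 -and $dllPath -notmatch '\\32bit\\') {
    Write-Warning "App pool '$poolName' runs 32-bit but the filter uses $dllPath"
    # Fix A: run the pool as 64-bit so the default isapi_redirect.dll loads.
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name enable32BitAppOnWin64 -Value $false
    # Fix B (alternative, left commented out): keep the pool 32-bit and point the
    # filter at the 32-bit DLL in SecureAware\iis\32bit (file name assumed).
    # Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    #     -Filter "system.webServer/isapiFilters/filter[@name='jakarta']" -Name 'path' `
    #     -Value 'C:\Program Files\Neupart\SecureAware\iis\32bit\isapi_redirect.dll'
}

# Apply: close all browser instances, then restart IIS before testing in Internet Explorer.
iisreset
```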