Install/Configuration/Run Errors

Cantor, Scott cantor.2 at
Thu Jan 12 17:09:30 GMT 2012

On 1/12/12 11:38 AM, "Johnson, Roger [BSD] - HSD" <rogermct at>

>I am unable to get Shibboleth configured on my IIS box.  I get as far as
>being sent to authenticate, and then I get IIS 500 errors.

If you get a 500 from the handler on the way back, that usually means the
SP isn't fully installed into IIS because the IIS APIs don't do what
they're asked to do by the installer. Usually it screws up the script
mapping from *.sso to the ISAPI extension DLL or fails to set the security
needed to allow it to run. The wiki includes all of the microsurgery steps
for each IIS version for integrating each piece into the server.

The main issue is that IIS requires the script mapping to be applied
either globally or at the site level, and doesn't appear to consistently
require this. Sometimes it's one and sometimes it's the other. It's also
often very difficult to figure out what script mappings are actually in
effect because of inheritance between the levels. I usually start by
creating the *.sso mapping globally and trying that. If that doesn't work,
I remove it, and try creating one on the site.

In addition, IIS sometimes hides detailed errors from the client and can
be told to provide more than just generic error messages.

Lastly, there's the possibility of a 32/64 bit mismatch but you wouldn't
get redirected to the IdP by the filter in that case, so it doesn't sound

>I am not sure what information I need to provide to get help with this

There's nothing you can provide. When it doesn't work, there's nothing you
can do but try applying the integration steps manually or at least
reviewing the IIS internals against what they need to be.

-- Scott

More information about the users mailing list