trouble with iis 7.5 windows server 2008 r2

Roger Reynolds rreynolds at axiomepm.com
Sat Jun 1 15:16:38 EDT 2013


Hello group.
I'm new to shibboleth and saml in general and am trying to figure out many things at once.

Mostly, my goal is to configure an existing asp.net/mvc application as an SP that uses an existing IP for authentication.

Conceptually, I think I get it.

- Install the shibboleth SP service and isapi filter on my web server
- Configure shibboleth to use some specified IP
- When requests make it to my application, examine some headers to determine the user id set during authentication

Problem is, I can't get off the ground, so I'm a little vague on what step 3 there would look like exactly, but that should be the easy part once I get shibboleth configured.
I want to use a test IP at http://testshib.org/ for my development.

My development box is Windows 7 Pro, IIS 7.
On that box, I was able to install shibboleth 2.5 and after a little mucking around to get the 32/64 bit stuff straight, I can send a request to my server such as
http://myserver/Shibboleth.sso/Metadata
and a nice bunch of XML goo spits out.
Problem is, that machine is not publicly visible, so I think it doesn't do me much good as far as trying to register that metadata with the test IP.

So, I move to a publicly visible test server that we have set up for this.  This machine is Windows Server 2008 R2 with IIS 7.5, and certificates for SSL.
The IIS configuration has one Web Site, ID=1 with bindings for both http and https, but not requiring https.
Again, installed shibboleth and have the appropriate looking handlers present.
Here, when I do http://shibtest.mycompany.com/Shibboleth.sso/Metadata (or if on that box just the computer name)
I get the error page with a message:
Shibboleth Error
ISAPI extension can only be invoked to process Shibboleth protocol requests.Make sure the mapped file extension doesn't match actual content.

I am sure that the isapi filter is up and running and processing requests.
I cranked up the native.logging to debug, and I see this for an incoming request:
2013-06-01 11:11:58 DEBUG Shibboleth.ISAPI [3968] isapi_shib: mapped http:// shibtest.mycompany.com /Shibboleth.sso/Metadata to default
2013-06-01 11:11:58 DEBUG Shibboleth.ISAPI [3968] isapi_shib_extension: mapped http:// shibtest.mycompany.com /Shibboleth.sso/Metadata to default

Whereas, on my Windows 7 box, where the metadata is retrieved, I get similar mapping entries, as well as some additional entries indicating that the message is being sent to the shibd service:
2013-06-01 10:43:27 DEBUG Shibboleth.ISAPI [3344] isapi_shib: mapped http://rreynolds/Shibboleth.sso/Metadata to default
2013-06-01 10:43:27 DEBUG Shibboleth.ISAPI [3344] isapi_shib_extension: mapped http://rreynolds/Shibboleth.sso/Metadata to default
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: sending message (default/Metadata)
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: trying to connect to listener
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: socket (880) connected successfully
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: send completed, reading response message

Also, note that if I stop the shibd service, it makes no difference.  By that I conclude that the ISAPI filter is not recognizing the request as being something that it wants to handle.

I have tried configuring my shibboleth2.xml file's host name entries (/ISAPI/site/@name and RequestMap/Host/@name) both as my computer name (as it is in the working Windows 7 dev machine case) and as the official DNS name. Makes no difference.

I'm about out of ideas, and sure would appreciate if anyone can clue me in on what to try next.

Also, an unrelated question -   is Shibboleth supported, or can it be manually configured, for Windows Server 2012 and IIS 8?  It doesn't appear to be listed as such, and there are no ISAPI Filters in IIS8, so my assumption is that it is not possible.  Is that correct?


Thanks
Roger Reynolds.
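
Added example (not part of the original post and not Shibboleth project code): a Python script that automates the log comparison described above, flagging requests that isapi_shib_extension mapped but never handed to shibd. The line layout is assumed from the native.log excerpts in the post, the sample log is constructed from them, and the function names are hypothetical.

```python
import re

# Line layout assumed from the native.log excerpts quoted in the post:
#   <date> <time> <LEVEL> <category> [<pid>] <module>: <message>
LINE = re.compile(r"^(\S+ \S+) (\w+) (\S+) \[(\d+)\] (\w+): (.*)$")
MAPPED = re.compile(r"^mapped (.+) to (\S+)$")

# Constructed sample: the two machines' excerpts from the post, concatenated.
SAMPLE_LOG = """\
2013-06-01 10:43:27 DEBUG Shibboleth.ISAPI [3344] isapi_shib: mapped http://rreynolds/Shibboleth.sso/Metadata to default
2013-06-01 10:43:27 DEBUG Shibboleth.ISAPI [3344] isapi_shib_extension: mapped http://rreynolds/Shibboleth.sso/Metadata to default
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: sending message (default/Metadata)
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: trying to connect to listener
2013-06-01 10:43:27 DEBUG Shibboleth.Listener [3344] isapi_shib_extension: socket (880) connected successfully
2013-06-01 11:11:58 DEBUG Shibboleth.ISAPI [3968] isapi_shib: mapped http://shibtest.mycompany.com/Shibboleth.sso/Metadata to default
2013-06-01 11:11:58 DEBUG Shibboleth.ISAPI [3968] isapi_shib_extension: mapped http://shibtest.mycompany.com/Shibboleth.sso/Metadata to default
"""

def trace_requests(text):
    """One record per isapi_shib_extension 'mapped' line, flagged with whether
    the same process then logged handing the request to shibd."""
    records, latest = [], {}  # latest: pid -> newest record for that process
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(5) != "isapi_shib_extension":
            continue
        _ts, _level, category, pid, _module, msg = m.groups()
        mapped = MAPPED.match(msg)
        if category == "Shibboleth.ISAPI" and mapped:
            rec = {"pid": pid, "url": mapped.group(1), "app": mapped.group(2),
                   "sent": False, "connected": False}
            records.append(rec)
            latest[pid] = rec
        elif category == "Shibboleth.Listener" and pid in latest:
            # Assumption: Listener lines belong to the newest mapped request
            # logged by the same process id.
            if msg.startswith("sending message"):
                latest[pid]["sent"] = True
            elif "connected successfully" in msg:
                latest[pid]["connected"] = True
    return records

def never_dispatched(records):
    """URLs that were mapped but never handed to shibd."""
    return [r["url"] for r in records if not r["sent"]]

if __name__ == "__main__":
    for r in trace_requests(SAMPLE_LOG):
        state = "sent to shibd" if r["sent"] else "mapped only, never sent to shibd"
        print(f'[{r["pid"]}] {r["url"]} -> {r["app"]}: {state}')
```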

