Shibboleth ISAPI Filter warning message
Franchuk, Vlad
vlad.franchuk at ubc.ca
Fri Nov 3 18:22:21 EDT 2017
Thank you Scott. I'll go through services/accounts/permissions.
All the best,
Vlad
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: November 03, 2017 3:10 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth ISAPI Filter warning message
On 11/3/17, 5:32 PM, "users on behalf of Franchuk, Vlad" <users-bounces at shibboleth.net on behalf of vlad.franchuk at ubc.ca> wrote:
> Thank you for your quick response. The "Shibboleth 2 Daemon (Default)" service is running under Local System account.
It doesn't write to native.log, it writes to shibd.log.
> Should I grant Full control or Modify permission for some other
> accounts (like IIS_IUSRS user group) for the same folder/subfolders on the web application server?
You should grant control over native.log to all of the accounts that the module/filter happens to run as, and that's not in the same folder used by shibd for its logs, and you definitely shouldn't give those accounts read access to the private key in etc/
On a normal Windows box, all of this is pretty automatic, so there's something not normal about the IIS app account(s).
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list