[pubcookie-users] IIS and Pubcookie 3.21a - incomplete authentication

Trevor Sharpe tsharpe at opentext.com
Wed Jun 14 12:45:37 PDT 2006


Hi there,
 
I have spent some time reading and reviewing debug information, but am
no closer to a completely running configuration and so would appreciate
some help.
 
There is a working pubcookie environment here that I am duplicating in
test. The PubCookie login server is in place, and allows successful
authentication.
 
I have installed a self-signed certificate on a Win2K server with
multiple IPs and host/service names. When I install pubcookie isapi
filter, it works successfully, generates a granting cert
(pubcookie_granting.cert) and corresponding application key. I also
manually copied the pubcookie_session.cert and pubcookie_session.key
from the production environment since the instructions read "any
appropriately named key pair in PEM format will suffice for the session
key pair...". Previously I tried the same configuration sans session
keys, so neither state seems to be impacting how things are working.
 
Based on my reading, things look complete. I attempt to access the
web application and am re-directed to the pubcookie login server. I
authenticate successfully, and then am redirected to a page (not the
original resource I was attempting to access).  First question: does
this matter? Do I have to be re-directed to the original resource else
the authentication scheme is interrupted and therefore incomplete? 
 
If I access the login page, I receive the page indicating that I have
authenticated with PubCookie and a count down timer indicating the
length of my session remaining (~8 hours).
 
If I attempt to access the resource again, I am re-directed to the login
page.
 
From the event view, and in Firefox (by setting cookie to prompt each
time they are set) I can see that the application server sets
"pubcookie_pre_s", reads settings from the registry, and redirects to
the login server. The login server sets/confirms pubcookie_l (I do not
see pubcookie_g or pubcookie_g_req) and in its current configuration,
does not redirect me to the application server (instead it renders a
static page with a link to another site). 
 
However, by manually typing in the URL of the application, I am once
again prompted to accept the pubcookie_pre_s cookie and directed to the
login server url (which confirms that I am logged in and have 8 hours or
so left of my session).
 
So what happens to _g and _g_req cookies? I believe they are designed to
be transient, but I expected to be prompted for them. And since the event
viewer shows that pubcookie isapi filter is balking because it cannot
parse the cookie, I can only assume this is a login server issue?
 
Can anyone comment?
 
Thx in advance.

T