[pubcookie-users] IIS and Pubcookie 3.21a - incomplete authentication
Trevor Sharpe
tsharpe at opentext.com
Thu Jun 15 06:06:39 PDT 2006

Thanks for the prompt reply, Nathan.

Since this is Win2K (not 2k3) I am using IIS 5 which does not require
that aspect of configuration, I believe, but please correct me if I have
mis-read.

Initially, the login server is not something I looked at because I
believed it to be properly configured. Having started to read the server
documentation, I suspect that my issue could be that the login server
does not trust the host sending the post because it is a self-signed
certificate.

I noticed in the login server documentation that it can be configured to
trust untrusted keyclients. Since the keyclient was able to generate a
key for the host, is the implication that I don't need to worry about
this?

"Working with untrusted keyclients:
An untrusted keyclient is one using a SSL certificate signed by a
Certificate Authority the keyserver doesn't trust. To allow such
keyclients to request host keys without having to obtain another
certificate, there's a workaround. The login server administrator can
cache the keyclient's SSL certificate (public key) in the keystore. The
keyserver can then use the public key itself to verify the keyclient. As
a result, an otherwise untrusted keyclient can request host keys without
changing the overall CA trust policy and configuration."

I made sure I used the same version of the client as the login server;
is it possible to use 3.3.0a isapi filter with a 3.21 login server?

Is there a likely spot that is misconfigured? The relay script on the
login server?

Thanks for the assistance.

Trevor
-----Original Message-----
From: Nathan Dors [mailto:dors at cac.washington.edu]
Sent: Wednesday, June 14, 2006 5:22 PM
To: Trevor Sharpe
Cc: pubcookie-users at u.washington.edu
Subject: Re: [pubcookie-users] IIS and Pubcookie 3.21a - incomplete
authentication
Picking things up at your first question here:

> Based on my reading, things looking complete, I attempt to access the
> web application and am re-directed to the pubcookie login server. I
> authenticate successfully, and then am redirected to a page (not the
> original resource I was attempting to access). First question: does
> this matter? Do I have to be re-directed to the original resource else
> the authentication scheme is interrupted and therefore incomplete?

The isapi filter since version 3.2 has used the 'post' login method
exclusively. This method employs an additional hop on the return trip
back from the login server, so, yes, we'd expect you to be redirected to a
different 'relay.pubcookie3' end-point on your server.

I'd verify that the .pubcookie3 extension is configured properly.
See the ISAPI extension note here:
http://www.pubcookie.org/docs/install-filter-3.3.html#review
(That's the 3.3 install guide. You should be using version 3.3.0a.)

If you're redirected to some other end-point or some other server, I
guess we'd want to understand why that was so. It wouldn't be the
expected flow.

-Nathan