2. What are the system pre-requisites?
There are 5 basic pre-requisites:
- You should be running Windows Server 2003 x86 with the Application Server role enabled and all applicable security patches applied. Later Windows Server releases are not supported, because the WebAuth for IIS ISAPI filter is not suitable for use on 64-bit Windows Server releases.
- The WebAuth exchange must be protected in transit, so IIS must be configured with a valid SSL certificate and the protected application served over HTTPS. Instructions for obtaining a certificate and setting it up on IIS 6.x are documented here.
- Email email@example.com to request a service principal webauth/yourserver.subdomain.ox.ac.uk@OX.AC.UK (substituting your own server's hostname for yourserver.subdomain), and ask that your username/itss principal (where username is your SSO username) be granted admin rights over that service principal. See Section 3.1 ('Obtaining your Webauth keytab') of this WebAuth wiki page for more information about this process, and section 2.1 for creating the keytab for the service principal and installing it locally.
- Ensure that your system clock is correct and that some form of regular time synchronisation is running. This matters for WebAuth because Kerberos rejects tickets and requests whose timestamps fall outside the permitted clock skew (typically 5 minutes), so a drifting clock produces authentication failures that are hard to diagnose. Configuring your Windows Server as an NTP client is beyond the scope of this document (see Microsoft's guide to the Windows Time Service for more information).
- Decide which web application directory you want the WebAuth filter to protect, if not the web root; the installer asks for this directory at installation time.
Once the service principal has been created by sysdev you can create the server keytab using the kadmin utility on a workstation that has been secured for this purpose (linux.ox.ac.uk is a shared service, so it is not recommended for this). An example of creating a keytab for a Webauth service principal webauth/hygmod.oucs.ox.ac.uk@OX.AC.UK on a linux workstation follows:
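The script below is an added example, not code from the original wiki page or from the WebAuth project. It does the keytab step described above on the secured Linux workstation: it checks that the requested principal really is of the form webauth/<fqdn>@OX.AC.UK, runs the MIT Kerberos kadmin ktadd command to write the keytab, confirms with klist that the entry is present, and leaves the file readable by its owner only. It assumes MIT Kerberos client tools (kadmin, klist) are installed and can reach the OX.AC.UK KDC, that your admin principal is username/itss@OX.AC.UK and already has admin rights over the service principal, and that the output path contains no spaces. The helper names validate_principal, host_of_principal and make_keytab are this example's own, not names from the page.

```shell
#!/bin/sh
# Added example (not from the original page): create a WebAuth keytab
# with MIT Kerberos kadmin on a secured Linux workstation.
# Assumed, not stated on the page: kadmin and klist are installed; the
# admin principal is <username>/itss@OX.AC.UK; paths contain no spaces.

REALM="OX.AC.UK"

# Succeed only for a principal of the form webauth/<fqdn>@OX.AC.UK:
# only principal-safe characters, the 'webauth' service, a host part
# containing at least one dot, the right realm, and exactly one '@'.
validate_principal() {
    case "$1" in
        *[!A-Za-z0-9./@_-]*)     return 1 ;;   # whitespace or odd characters
        webauth/?*.?*@"$REALM")  ;;            # service/host.domain@REALM
        *)                       return 1 ;;
    esac
    case "${1#*@}" in
        *@*) return 1 ;;                       # a second '@' slipped past the pattern
    esac
    return 0
}

# Print the host part of a webauth/<host>@REALM principal.
host_of_principal() {
    h="${1#webauth/}"
    printf '%s\n' "${h%@*}"
}

# make_keytab ADMIN_PRINCIPAL SERVICE_PRINCIPAL [OUTPUT_DIR]
# Writes webauth-<host>.keytab into OUTPUT_DIR (default: current dir)
# and prints its path. ktadd generates a new random key and bumps the
# kvno each time it runs, so every run invalidates keytabs issued
# earlier for the same principal: run it once per server and keep the file.
make_keytab() {
    admin="$1"; service="$2"; outdir="${3:-.}"
    validate_principal "$service" || {
        echo "refusing: '$service' is not of the form webauth/<fqdn>@$REALM" >&2
        return 1
    }
    keytab="$outdir/webauth-$(host_of_principal "$service").keytab"
    umask 077                               # new file is owner-readable only
    # kadmin prompts for the admin principal's password.
    kadmin -p "$admin" -q "ktadd -k $keytab $service" || return 1
    # Confirm the entry actually landed in the file before handing it over.
    klist -k "$keytab" | grep -qF "$service" || {
        echo "keytab $keytab does not contain $service" >&2
        return 1
    }
    chmod 600 "$keytab"
    printf '%s\n' "$keytab"
}

# Run interactively on the workstation, e.g. (placeholders from the page):
#   sh make-webauth-keytab.sh username/itss@OX.AC.UK webauth/hygmod.oucs.ox.ac.uk@OX.AC.UK
if [ "$#" -ge 2 ]; then
    make_keytab "$@"
fi
```

When the script prints the keytab path, pull the file from the Windows server over SFTP (for example `psftp you@workstation` followed by `get webauth-hygmod.oucs.ox.ac.uk.keytab`), then delete the workstation copy once the transfer has been checked, so that only the IIS server holds the service key.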
Once the keytab has been created you can securely transfer it to your WS2003 server. The PuTTY download page offers psftp, a command-line SFTP client that lets you pull the keytab from the secure workstation onto your Windows server over an encrypted connection. If you prefer an SFTP GUI, WinSCP offers the same functionality and is available from the WinSCP download page. Do not send the keytab by email or over plain FTP: it contains the long-term key for your service.
It is important to restrict access to the keytab file once it has been transferred, because anyone who can read it can impersonate your WebAuth service. Grant access only to SYSTEM (Full Control), the Administrators group (Full Control) and IIS_WPG (Read only), and remove every other entry, including any permissions inherited from the parent folder, so that no other local users can read the file.