Discussion:
Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)
Haer, Neelam
2014-08-11 17:49:59 UTC
Permalink
Hi All,

I'm having an issue I'm hoping someone here can help with.

First, a bit of background: I'm running IIS 7.5 on Windows Server 2008. Someone had previously installed to this server a Shibboleth 64-bit SP provider (latest version), however this was not working correctly. I believe this is because IIS was missing the IIS 6 management compatibility mode. So I uninstalled this SP, installed the SP again.

The first re-installation of the SP to IIS 7.5 was successful, in the sense that the installation utility successfully installed the filter and Handler Mappings to IIS. However, when I tried to navigate to my secured pages, IIS reported an error that there were duplicate filter entries with the same name ("Shibboleth") - and this was due to the previous installation that was there before. The only way to fix this issue it seemed, was to remove the filters from the IIS management console, uninstall the first re-installation of the SP, and then re-install once again.

The second re-installation did not install the filters to IIS, and manually adding the filters has no effect (ie, the Shibboleth SP filter is not kicking in upon access to my secured pages). The Handler Mapping was installed automatically though. I have tried a few times to uninstall/re-install but to no avail.

Basically: the problem is that no matter how many times I uninstall/re-install the Shibboleth SP, it does not install the filter to IIS and manually adding the filter has NO effect (ie, pages are not secured).

Has anyone experienced this issue before? And is there a resolution for this?

Thanks
Cantor, Scott
2014-08-11 18:31:12 UTC
Permalink
On 8/11/14, 1:49 PM, "Haer, Neelam" <nklhaer-cZbHFfHSJIksA/***@public.gmane.org> wrote:

>The second re-installation did not install the filters to IIS, and
>manually adding the filters has no effect (ie, the Shibboleth SP filter
>is not kicking in upon access to my secured pages). The Handler Mapping
>was installed automatically though. I have
> tried a few times to uninstall/re-install but to no avail.

Well, I can't say what it's doing, but IIS is like this, it's a horrible
little troll of a web server. You have to keep poking it to get the filter
installed, basically. The main problem is when you don't have familiarity
with the IIS internals, but if you understand the filter and handler
pages, that's mostly what you need, it's just a matter of twisting it into
submission.

>Basically: the problem is that no matter how many times I
>uninstall/re-install the Shibboleth SP, it does not install the filter to
>IIS and manually adding the filter has NO effect (ie, pages are not
>secured).

I suspect that the metabase layer is maybe trashed at this point. Maybe it
will help to uninstall the IIS 6 piece and work on manually configuring it
at that point. There really is nothing much to configure, just the filter
and the handler.

You should also note that many IIS servers will simply NOT work with the
filter installed globally. It often has to be installed per-site to work.
The fact that this situation is completely non-deterministic is one of
IIS' charms.

>Has anyone experienced this issue before? And is there a resolution for
>this?

I have run into many IIS servers that are a horrible pain to configure in
various ways because their admin tools are simply broken. The only real
resolution is Apache. I did the best I can do given the need, at the time,
to be compatible back to IIS 4. It's possible that a module specific to
IIS 7 will be more well behaved, but there are no resources to work on
that right now.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Haer, Neelam
2014-08-11 23:14:52 UTC
Permalink
HI Scott,

Thanks for your response.

At this point I've tried just about everything I can think of. The manual registration of the filter and/or mapping does not appear to work. I will try what you suggested - uninstall the IIS 6 management compatibility mode and install the filters and mapping manually. However, this is how it was setup in the beginning and was not working. This is for a client and they have several web sites already installed to this machine, so I am limited as to what I can do. I also have to be very careful not to prevent access to all of their other sites unintentionally.

Any other suggestions you might have are most welcome.

Thanks.



________________________________________
From: users-bounces-***@public.gmane.org [users-bounces-***@public.gmane.org] on behalf of Cantor, Scott [cantor.2-ZbGKxL/***@public.gmane.org]
Sent: August-11-14 11:31 AM
To: Shib Users
Subject: Re: Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)

On 8/11/14, 1:49 PM, "Haer, Neelam" <nklhaer-cZbHFfHSJIksA/***@public.gmane.org> wrote:

>The second re-installation did not install the filters to IIS, and
>manually adding the filters has no effect (ie, the Shibboleth SP filter
>is not kicking in upon access to my secured pages). The Handler Mapping
>was installed automatically though. I have
> tried a few times to uninstall/re-install but to no avail.

Well, I can't say what it's doing, but IIS is like this, it's a horrible
little troll of a web server. You have to keep poking it to get the filter
installed, basically. The main problem is when you don't have familiarity
with the IIS internals, but if you understand the filter and handler
pages, that's mostly what you need, it's just a matter of twisting it into
submission.

>Basically: the problem is that no matter how many times I
>uninstall/re-install the Shibboleth SP, it does not install the filter to
>IIS and manually adding the filter has NO effect (ie, pages are not
>secured).

I suspect that the metabase layer is maybe trashed at this point. Maybe it
will help to uninstall the IIS 6 piece and work on manually configuring it
at that point. There really is nothing much to configure, just the filter
and the handler.

You should also note that many IIS servers will simply NOT work with the
filter installed globally. It often has to be installed per-site to work.
The fact that this situation is completely non-deterministic is one of
IIS' charms.

>Has anyone experienced this issue before? And is there a resolution for
>this?

I have run into many IIS servers that are a horrible pain to configure in
various ways because their admin tools are simply broken. The only real
resolution is Apache. I did the best I can do given the need, at the time,
to be compatible back to IIS 4. It's possible that a module specific to
IIS 7 will be more well behaved, but there are no resources to work on
that right now.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Cantor, Scott
2014-08-11 23:38:58 UTC
Permalink
On 8/11/14, 7:14 PM, "Haer, Neelam" <nklhaer-cZbHFfHSJIksA/***@public.gmane.org> wrote:
>
>Any other suggestions you might have are most welcome.

There should be event log records every time a process starts or stops
that indicate whether the filter is being initialized or not. It's not
impossible that your config is bad and it's just not loading.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Ortner Nikolaus
2014-08-12 09:15:56 UTC
Permalink
> At this point I've tried just about everything I can think of.

Have you tried using the 32 bit version (even on a 64 bit Windows)?

Kind regards.

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Dave Perry
2014-08-12 09:35:06 UTC
Permalink
I think I had to do a 32-bit install on 64-bit Server 200) the last time I deployed an SP, as doing the 64-bit install stopped the system it was running working (Cirqa from IS Oxford - the server part of it is front-ended by IIS).

I didn't install any of the IIS6 management gubbins either.

HTH

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning-NOSDTyrR4+***@public.gmane.org *

-----Original Message-----
From: users-bounces-***@public.gmane.org [mailto:users-bounces-***@public.gmane.org] On Behalf Of Ortner Nikolaus
Sent: 12 August 2014 10:16
To: 'Shib Users'
Subject: AW: Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)

> At this point I've tried just about everything I can think of.

Have you tried using the 32 bit version (even on a 64 bit Windows)?

Kind regards.

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org

**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
**********************************************************************

TEXT
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Cantor, Scott
2014-08-12 13:38:05 UTC
Permalink
On 8/12/14, 5:35 AM, "Dave Perry" <Dave.Perry-NOSDTyrR4+***@public.gmane.org> wrote:

>I think I had to do a 32-bit install on 64-bit Server 200) the last time
>I deployed an SP, as doing the 64-bit install stopped the system it was
>running working (Cirqa from IS Oxford - the server part of it is
>front-ended by IIS).

Well, you have to use whatever is required by the IIS app configuration.
But there are pretty clear messages if the app pool is trying to load the
wrong type of DLL.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Goggins, Patrick
2014-08-12 13:39:34 UTC
Permalink
32-bit Java install was needed for us. If UAC is enabled, try installing with the built-in local admin account.


~Patrick

-----Original Message-----
From: users-bounces-***@public.gmane.org [mailto:users-bounces-***@public.gmane.org] On Behalf Of Dave Perry
Sent: Tuesday, August 12, 2014 4:35 AM
To: Shib Users
Subject: RE: Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)

I think I had to do a 32-bit install on 64-bit Server 200) the last time I deployed an SP, as doing the 64-bit install stopped the system it was running working (Cirqa from IS Oxford - the server part of it is front-ended by IIS).

I didn't install any of the IIS6 management gubbins either.

HTH

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning-NOSDTyrR4+***@public.gmane.org *

-----Original Message-----
From: users-bounces-***@public.gmane.org [mailto:users-bounces-***@public.gmane.org] On Behalf Of Ortner Nikolaus
Sent: 12 August 2014 10:16
To: 'Shib Users'
Subject: AW: Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)

> At this point I've tried just about everything I can think of.

Have you tried using the 32 bit version (even on a 64 bit Windows)?

Kind regards.

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org

**********************************************************************
This message is sent in confidence for the addressee only. It may contain confidential or sensitive information. The contents are not to be disclosed to anyone other than the addressee. Unauthorised recipients are requested to preserve this confidentiality and to advise us of any errors in transmission. Any views expressed in this message are solely the views of the individual and do not represent the views of the College. Nothing in this message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
**********************************************************************

TEXT
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Peter Schober
2014-08-12 13:47:09 UTC
Permalink
* Goggins, Patrick <gogginsp-aCsjvbD8/***@public.gmane.org> [2014-08-12 15:40]:
> 32-bit Java install was needed for us.

This thread is about the Shibboleth SP, which is not written in Java
and so shouldn't need any type/version of a JVM.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Haer, Neelam
2014-08-18 21:09:45 UTC
Permalink
I will try to 32-bit install - hopefully that will work.

Among other things, there are numerous "modes" in which an application server can run (i.e., Application Pool settings) - e.g. integrated versus classic. I'm hoping that I'll find the right combo....

Regards,

________________________________________
From: users-bounces-***@public.gmane.org [users-bounces-***@public.gmane.org] on behalf of Dave Perry [Dave.Perry-NOSDTyrR4+***@public.gmane.org]
Sent: August-12-14 2:35 AM
To: Shib Users
Subject: RE: Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)

I think I had to do a 32-bit install on 64-bit Server 200) the last time I deployed an SP, as doing the 64-bit install stopped the system it was running working (Cirqa from IS Oxford - the server part of it is front-ended by IIS).

I didn't install any of the IIS6 management gubbins either.

HTH

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning-NOSDTyrR4+***@public.gmane.org *

-----Original Message-----
From: users-bounces-***@public.gmane.org [mailto:users-bounces-***@public.gmane.org] On Behalf Of Ortner Nikolaus
Sent: 12 August 2014 10:16
To: 'Shib Users'
Subject: AW: Problem with IIS 7.5 and latest Shibboleth SP installation utility (after uninstall/reinstall)

> At this point I've tried just about everything I can think of.

Have you tried using the 32 bit version (even on a 64 bit Windows)?

Kind regards.

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org

**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
**********************************************************************

TEXT
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Cantor, Scott
2014-08-18 22:21:02 UTC
Permalink
On 8/18/14, 5:09 PM, "Haer, Neelam" <nklhaer-cZbHFfHSJIksA/***@public.gmane.org> wrote:

>I will try to 32-bit install - hopefully that will work.

There is no 32-bit install, both are installed. You have to determine
which has to be used, and change the IIS filter and extension paths to
match.

There's no guessing here. If the DLL size doesn't fit, the app pool
doesn't start, period. If that's not the case, then this isn't the issue.

This software reacts very, very badly to the "try anything and see what
works" style of deployment. You understand it, or you don't, but there is
no guessing.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Loading...