|Applies To||Keon Certificate Authority 6.5.1|
Keon Certificate Authority OneStep 6.5.1
Microsoft Windows Server 2003
Microsoft Internet Information Server (IIS) 6.0
|Issue||How to install Keon OneStep on Microsoft Internet Information Services (IIS) 6.0 for Windows Server 2003|
Error: "HTTP 403 - You are not authorized to view this page, access denied" when accessing cgi-bin/onestep.exe
|Cause||This error may occur if the Microsoft Internet Information Services (IIS) 6.0 Application Pool is not configured to use a user with sufficient rights to execute CGI binaries. The specific error code is "403.19 Forbidden: Cannot execute CGIs for the client in this application pool."|
See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/ee7a8c53-f9bc-4cd4-b954-e32066105cf1.asp for more information. This message indicates that the user account that the IIS application pool was running under did not have sufficient privileges to execute the CGI binaries.
|Resolution||Instructions to correctly set up Keon CA OneStep application on Microsoft Internet Information Services (IIS) 6.0 for Windows 2003|
The RSA Keon OneStep application consists of a series of web forms and application DLLs that must be hosted by a web server. In this instance, the OneStep application was deployed on Microsoft IIS 6.0 running on Windows Server 2003. The installation documents for the OneStep application describe how to deploy the application by setting up a virtual directory to host the web pages in the \htdocs\ directory, and a separate subdirectory for the cgi-bin directory that contains the OneStep.exe executable. The instructions indicate that the cgi-bin directory must be configured for execute permissions, but they do not give specific instructions for each possible web server.
The following instructions describe how to configure Microsoft Internet Information Services (IIS) 6.0 on Windows 2003 with the correct security settings required to execute this file:
1. Copy the contents of the \RSA_KeonCA\Webserver\OneStep\ directory to a suitable location on your server. Use the Microsoft Internet Information Services (IIS) Manager to make the following changes in your IIS server.
2. Right click the Web Site folder and select "New" --> "Virtual Directory". Name the directory OneStep, browse to the location above, and select the \htdocs\ directory. Select the default Virtual Directory Access Permissions.
3. From the Manager, right-click the OneStep directory created above and select "New" --> "Virtual Directory" again. Create a subfolder called "cgi-bin". Browse to the location of the cgi-bin directory in the OneStep path and select it. To set the Virtual Directory Access Permissions for this folder, select "Run Scripts and Executables".
4. Set up permissions so that the OneStep.exe may be executed as a CGI executable. Click the "Web Services Extensions" folder under the root server. Click the link "Add a new Web service extension", and give the extension a name such as "OneStep". Click the "Add" button, navigate to the /cgi-bin/ folder, and select the "onestep.exe" application. Check the "Set extension status to Allowed" checkbox, then click OK.
5. Ensure that the Application Pool (usually the default application pool) that services the OneStep cgi-bin virtual directory has sufficient rights to execute CGI scripts. Right-click the "Default Application Pool" and select Properties. Select the Identity tab and choose a Service Account (default), or choose a configurable user account with sufficient privileges to execute CGI scripts. The predefined Network Service account or the configurable WAM user account for the local machine should have sufficient rights by default. If required, use the Local Security Policy Manager to assign at minimum the "Replace a Process Level Token" and "Adjust Memory Quotas for a Process" rights (see http://www.informit.com/articles/article.asp?p=101750&seqNum=6). Then confirm the permissions are correct by attempting to serve the OneStep/cgi-bin/onestep.exe file using your web browser.
NOTE: Keon CA 6.5.1 and Keon OneStep for 6.5.1 are not officially supported on Microsoft IIS 6.0 or Windows Server 2003
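To tell which of the settings above is responsible for a failed request, the following added example (not part of the original article or of RSA's documentation) reads an IIS W3C extended log and maps the sub-status of each failed onestep.exe request to the step that addresses it. It assumes the sc-substatus field is enabled in the site's logging; the 403.1 and 404.2 mappings are standard IIS 6.0 sub-status meanings that the article does not state, and the log lines are constructed sample data.

```python
# Added example: constructed sample log, not output from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus
2006-01-10 09:00:01 GET /OneStep/ 200 0
2006-01-10 09:00:05 GET /OneStep/cgi-bin/onestep.exe 403 1
2006-01-10 09:02:11 GET /OneStep/cgi-bin/onestep.exe 404 2
2006-01-10 09:05:42 GET /OneStep/cgi-bin/onestep.exe 403 19
2006-01-10 09:09:30 GET /OneStep/cgi-bin/onestep.exe 200 0
"""

# (status, sub-status) -> the setup step that addresses it.
# 403.19 is the code named in this article; 403.1 and 404.2 are assumptions
# drawn from the standard IIS 6.0 sub-status list.
HINTS = {
    ("403", "1"): "step 3: cgi-bin virtual directory lacks execute permission",
    ("404", "2"): "step 4: onestep.exe is not Allowed as a Web service extension",
    ("403", "19"): "step 5: application pool identity cannot execute CGIs",
}

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def diagnose(text, target="/cgi-bin/onestep.exe"):
    """Return (date, time, code, hint) for each failed request to the CGI."""
    findings = []
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().endswith(target):
            continue
        key = (row.get("sc-status"), row.get("sc-substatus"))
        if key in HINTS:  # rows without sc-substatus never match
            code = ".".join(key)
            findings.append((row.get("date"), row.get("time"), code, HINTS[key]))
    return findings

if __name__ == "__main__":
    for date, time, code, hint in diagnose(SAMPLE_LOG):
        print(date, time, code, "->", hint)
```

If the log carries no sc-substatus column, the function returns nothing; enable that field in the site's W3C logging properties and repeat the request.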
|Legacy Article ID||a27432|