000022226 - How to deploy Keon OneStep on Microsoft Internet Information Server (IIS) 6.0 for Microsoft Windows 2003 Server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number
000022226

Applies To
Keon Certificate Authority OneStep
Keon Certificate Authority 6.5.1
Microsoft Internet Information Server (IIS) 6.0
Microsoft Windows Server 2003

Issue
How to deploy Keon OneStep on Microsoft Internet Information Server (IIS) 6.0 for Microsoft Windows 2003 Server
Which permissions are required to run CGI scripts under Microsoft Internet Information Server (IIS) 6.0 for Microsoft Windows 2003 Server?
Keon OneStep CGI bin not executing. The Microsoft Internet Information Server (IIS) 6.0 log file indicated that OneStep.exe was returning the error code "403.19 Forbidden: Cannot execute CGIs for the client in this application pool."

Cause
Error: "403.19 Forbidden: Cannot execute CGIs for the client in this application pool." (see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/ee7a8c53-f9bc-4cd4-b954-e32066105cf1.asp for more information). This message indicates that the user account that the IIS application pool was running under does not have sufficient privileges to execute the CGI binaries. The account was set to use the "Network Services" account.
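
To locate the error described above in the IIS log, the following added example (not RSA's code) parses a W3C extended log by its `#Fields:` header and reports blocked requests for CGI executables. It goes beyond the article by also flagging 403.1 and 404.2, two standard IIS 6.0 substatus codes that correspond to steps 3 and 4 of the resolution; the log lines are constructed.

```python
# Added example: find blocked CGI requests in an IIS 6.0 W3C extended log.
# 403.19 is the code quoted in the article; 403.1 and 404.2 are standard
# IIS 6.0 substatus codes added here because they map to steps 3 and 4.
HINTS = {
    ("403", "19"): "app pool identity cannot execute CGIs (step 5)",
    ("403", "1"): "execute access forbidden on the directory (step 3)",
    ("404", "2"): "Web service extension not allowed (step 4)",
}

# Constructed sample, not taken from a real server. The second #Fields line
# shows the column layout changing mid-file, which IIS logs can do.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2005-03-01 10:15:02 GET /OneStep/index.html 192.0.2.10 200 0
2005-03-01 10:15:09 POST /OneStep/cgi-bin/OneStep.exe 192.0.2.10 403 19
2005-03-01 10:16:40 GET /OneStep/cgi-bin/OneStep.exe 192.0.2.11 404 2
#Fields: date time cs-uri-stem sc-status sc-substatus
2005-03-01 10:20:00 /OneStep/cgi-bin/onestep.exe 403 19
2005-03-01 10:21:00 /OneStep/missing.html 404 0
"""

def cgi_failures(log_text, suffix=".exe"):
    """Return (timestamp, uri, 'status.substatus', hint) per blocked CGI request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        key = (row.get("sc-status"), row.get("sc-substatus"))
        uri = row.get("cs-uri-stem", "")
        if key in HINTS and uri.lower().endswith(suffix):
            stamp = f"{row.get('date', '')} {row.get('time', '')}".strip()
            hits.append((stamp, uri, ".".join(key), HINTS[key]))
    return hits

if __name__ == "__main__":
    for hit in cgi_failures(SAMPLE_LOG):
        print(*hit, sep="  ")
```
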
Resolution
RSA Keon Certificate Authority OneStep 6.5.1 has never been validated for use against Microsoft Internet Information Server (IIS) 6.0 on Microsoft Windows 2003 Server. Official support for this platform will occur with the next major release of Keon Certificate Authority (KCA), now called RSA Certificate Manager as of version 6.6.

The following solution describes the steps required to deploy OneStep on IIS 6.0 for Windows 2003 (note that IIS 6.0 is not an officially supported platform in this release).

The RSA Keon OneStep application consists of a series of web forms and application DLLs that must be hosted by a web server. The installation documents for the OneStep application describe how to deploy the application by setting up a virtual directory to host the web pages in the htdocs directory and a separate subdirectory for the cgi-bin directory that contains the OneStep.exe executable. The instructions indicate that the cgi-bin directory must be configured for execute permissions, but specific instructions for how to do this are not listed for each possible web server. The following instructions describe how to configure IIS 6.0 on Windows 2003 with the correct security settings required to execute this file.

1. Copy the contents of the RSA_KeonCA\Webserver\OneStep directory to a suitable location on your server. Use the Microsoft Internet Information Services (IIS) Manager to make the following changes in your IIS server.

2. Right-click on the Web Site folder and select "New" > "Virtual Directory". Name the directory OneStep, then browse to the location above and select the htdocs directory. Select the default Virtual Directory Access Permissions.

3. From the Manager, right-click on the OneStep directory created above, select "New" > "Virtual Directory" again, and create a subfolder called cgi-bin. Browse to the location of the cgi-bin directory in the OneStep path and select it. For the Virtual Directory Access Permissions for this folder, select "Run Scripts and Executables".

4. Set up permissions so that OneStep.exe may be executed as a CGI executable. Click on the "Web Services Extensions" folder under the root server. Click on the link "Add a new Web service extension". Give the extension a name such as OneStep. Click the "Add" button, navigate to the /cgi-bin/ folder and select the "OneStep.exe" application. Check the "Set extension status to Allowed" check-box. Click OK.

5. Ensure that the Application Pool (usually the default application pool) that services the OneStep cgi-bin virtual directory has sufficient rights to execute CGI scripts. Right-click on the "Default Application Pool" and select Properties. Select the Identity tab and choose a Service Account (default), or a configurable user account with sufficient privileges to execute CGI scripts. The predefined Network Service account or the configurable WAM user account for the local machine should have sufficient rights by default. If required, use the Local Security Policy Manager to assign at minimum the rights for "Replace a Process Level Token" and "Adjust Memory Quotas for a Process" (see <http://www.informit.com/articles/article.asp?p=101750&seqNum=6>; note that RSA Security cannot be held responsible for the content of external sites). Confirm the permissions are correct by attempting to serve the OneStep/cgi-bin/onestep.exe file using your web browser.
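
One way to check step 5 before changing anything, as an added example that is not RSA's code: export the user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and test whether the application pool identity holds the two rights named above. The sample export is constructed, and the helper names `parse_rights` and `missing_rights` are hypothetical.

```python
# Display names from the article -> constant names used in secedit exports.
REQUIRED = {
    "Replace a process level token": "SeAssignPrimaryTokenPrivilege",
    "Adjust memory quotas for a process": "SeIncreaseQuotaPrivilege",
}
# Well-known SIDs as secedit writes them (leading "*").
WELL_KNOWN = {"Local Service": "*S-1-5-19", "Network Service": "*S-1-5-20"}

# Constructed excerpt, not taken from a real server. Network Service is
# deliberately left out of SeIncreaseQuotaPrivilege to show a failing check.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Map each right in [Privilege Rights] to the set of its holders."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip().lower()
                                    for h in holders.split(",") if h.strip()}
    return rights

def missing_rights(inf_text, identity):
    """Return the article's required rights that `identity` does not hold."""
    ident = WELL_KNOWN.get(identity, identity).lower()
    rights = parse_rights(inf_text)
    return [label for label, const in REQUIRED.items()
            if ident not in rights.get(const, set())]

if __name__ == "__main__":
    for account in ("Network Service", "Local Service"):
        print(account, "is missing:", missing_rights(SAMPLE_INF, account) or "nothing")
```

A real export is usually UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text in. Accounts other than the two well-known ones are matched exactly as they are written in the export.
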
Notes

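List of permissions for built-in accounts:

| User Right                                | ASPNET | Local Service | Network System | IUSR | IWAM | IIS_WPG |
|-------------------------------------------|--------|---------------|----------------|------|------|---------|
| Access computer from the network          | X      | X             | X              | X    | X    | X       |
| Adjust memory quota for a process         |        | X             | X              |      | X    |         |
| Allow log on locally                      |        |               |                | X    |      |         |
| Bypass traverse checking                  |        | X             | X              | X    | X    |         |
| Generate Security Audit                   |        | X             | X              |      |      |         |
| Impersonate a client after authentication | X      |               |                |      |      | X       |
| Log on as a batch job                     | X      | X             |                | X    | X    | X       |
| Log on as a service                       | X      |               | X              |      |      |         |
| Deny Log on through terminal services     | X      |               |                |      |      |         |
| Replace a process-level token             |        | X             | X              |      | X    |         |
| Deny log on locally                       | X      |               |                |      |      |         |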


Legacy Article ID
a27445
