|Applies To||Keon Certificate Authority OneStep|
Keon Certificate Authority 6.5.1
Microsoft Internet Information Server (IIS) 6.0
Microsoft Windows Server 2003
|Issue||How to deploy Keon OneStep on Microsoft Internet Information Server (IIS) 6.0 for Microsoft Windows 2003 Server|
Which permissions are required to run CGI scripts under Microsoft Internet Information Server (IIS) 6.0 for Microsoft Windows 2003 Server?
The Keon OneStep CGI binary does not execute. The Microsoft Internet Information Server (IIS) 6.0 log file indicated that OneStep.exe was returning the error code "403.19 Forbidden: Cannot execute CGIs for the client in this application pool."
|Cause||Error: "403.19 Forbidden: Cannot execute CGIs for the client in this application pool." (see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/ee7a8c53-f9bc-4cd4-b954-e32066105cf1.asp for more information). This message indicates that the user account the IIS application pool was running under does not have sufficient privileges to execute the CGI binaries. The account was set to use the "Network Service" account.|
|Resolution||RSA Keon Certificate Authority OneStep 6.5.1 has never been validated for use against Microsoft Internet Information Server (IIS) 6.0 on Microsoft Windows 2003 Server. Official support for this platform will occur with the next major release of Keon Certificate Authority (KCA), now called RSA Certificate Manager as of version 6.6.|
The following solution describes the steps required to deploy OneStep on IIS 6.0 for Windows 2003 (note that IIS 6.0 is not an officially supported platform in this release).
The RSA Keon OneStep application consists of a series of web forms and application DLLs that must be hosted by a web server. The installation documents for the OneStep application describe how to deploy the application by setting up a virtual directory to host the web pages in the htdocs directory and a separate subdirectory for the cgi-bin directory that contains the OneStep.exe executable. The instructions indicate that the cgi-bin directory must be configured for execute permissions, but they do not give specific instructions for each possible web server. The following instructions describe how to configure IIS 6.0 on Windows 2003 with the security settings required to execute this file.
1. Copy the contents of the RSA_KeonCA\Webserver\OneStep directory to a suitable location on your server. Use the Microsoft Internet Information Services (IIS) Manager to make the following changes in your IIS server.
2. Right click on the Web Site folder and select "New" "Virtual Directory". Name the directory OneStep, and browse to the location above and select the htdocs directory. Select the default Virtual Directory Access Permissions.
3. From the Manager, right click on the OneStep directory created above and select "New" "Virtual Directory" again, and create a sub folder called cgi-bin. Browse to the location of the cgi-bin directory in the OneStep path and select it. For the Virtual Directory Access Permissions for this folder select "Run Scripts and Executables".
4. Set up permissions so that OneStep.exe may be executed as a CGI executable. Click on the "Web Services Extensions" folder under the root server. Click on the link "Add a new Web service extension". Give the extension a name such as OneStep. Click the "Add" button, navigate to the /cgi-bin/ folder and select the "OneStep.exe" application. Check the "Set extension status to Allowed" check-box. Click OK.
5. Ensure that the Application Pool (usually the default application pool) that services the OneStep cgi-bin virtual directory has sufficient rights to execute CGI scripts. Right click on the "Default Application Pool" and select Properties. Select the Identity tab and choose a Service Account (default), or a configurable user account with sufficient privileges to execute CGI scripts. The predefined Network Service account or the configurable WAM user account for the local machine should have sufficient rights by default. If required, use the Local Security Policy Manager to assign at minimum the rights "Replace a Process Level Token" and "Adjust Memory Quotas for a Process" (see <http://www.informit.com/articles/article.asp?p=101750&seqNum=6>; note that RSA Security cannot be held responsible for the content of external sites). Confirm the permissions are correct by attempting to serve the OneStep/cgi-bin/onestep.exe file using your web browser.
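To back up the browser check in step 5 with the IIS log itself, the following added example (not part of the original article or of the RSA product) scans a W3C extended log for failed requests to OneStep.exe and points at the step to re-check. It generalizes beyond the 403.19 case in this article: the 403.1 and 404.2 mappings are standard IIS 6.0 status codes assumed here, and the log lines are constructed sample data.

```python
from collections import Counter

# Constructed sample in IIS 6.0 W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2006-01-10 09:00:01 GET /OneStep/index.html - 192.0.2.10 200 0
2006-01-10 09:00:05 POST /OneStep/cgi-bin/OneStep.exe - 192.0.2.10 403 19
2006-01-10 09:00:09 GET /OneStep/cgi-bin/onestep.exe - 192.0.2.11 403 19
2006-01-10 09:01:00 GET /OneStep/cgi-bin/OneStep.exe - 192.0.2.10 404 2
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2006-01-10 09:05:00 192.0.2.10 POST /OneStep/cgi-bin/OneStep.exe 200 0
"""

# (status, sub-status) -> step of the procedure to re-check.
# Only 403.19 is named in the article; 403.1 and 404.2 are assumptions
# added here from the standard IIS 6.0 status code list.
HINTS = {
    ("403", "1"): "step 3: execute access not granted on the cgi-bin virtual directory",
    ("404", "2"): "step 4: Web service extension for OneStep.exe not set to Allowed",
    ("403", "19"): "step 5: application pool identity lacks rights to execute CGIs",
}

def diagnose(lines, target="/cgi-bin/onestep.exe"):
    """Count failed requests for the CGI binary, keyed by remediation hint."""
    fields, findings = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip truncated or malformed records
        row = dict(zip(fields, values))
        if not row.get("cs-uri-stem", "").lower().endswith(target):
            continue
        hint = HINTS.get((row.get("sc-status"), row.get("sc-substatus")))
        if hint:
            findings[hint] += 1
    return findings

if __name__ == "__main__":
    for hint, count in diagnose(SAMPLE_LOG.splitlines()).most_common():
        print(f"{count:3d}  {hint}")
```

The sc-substatus field must be enabled in the site's W3C logging properties for the sub-status to appear; records without it are ignored rather than misclassified.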
List of permissions for built-in accounts:
|Legacy Article ID||a27445|