The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

Troubleshooting IIS Configurations

IIS7 and later only

This page is based on a "nature study" of working IIS/ISAPI configuration. It should not be considered as definitive guidance, rather as a hint for configuration and pointers towards further research.

The way in which IIS was configured changed fundamentally in II7 and this document reflects only these later versions.

Background

The Shibboleth IIS integration consists of two parts and ISAPI filter and an ISAPI Handler map. The latter deals with the Shibboleth end points under {{\Shibboleth.sso\}} and the former with 'all the rest'.  The Shibboleth installer uses a small script in visual basic to configure the module, this calls legacy (IIS6 and earlier) WMI APIs and these APIs are often missing in more modern installations.  This results in a successful installation, but with the message {{Could not locate IIS adaptor}} in the log.

This page is intended to answer the question "What next"?

IIS7

AFAICS, the basis of IIS7 configuration is a cascade of xml files.  

  • At the "bottom of the stack", the are files in C:\Windows\System32\inetsrv\config\ with the most notable being applicationHost.config which define global settings and defaults.
  • For each website or virtual folder there is a file web.config which over rides and settings below it in the stack.

There are various mechanisms available for configuring IIS;

  • Just editing the files directly.  Searching for appropriate terms on the Microsoft website (and its companion site https://www.iis.net) will yield some documentation for the schema, but an understanding of how IIS is put together is assumed.
  • Using the command line tool c:\Windows\System32\insetsrv\appcmd.exe.  This too has documentation if you search for it.  It is slightly less of a handful than editing the xml directly.  My undestanding thus far is that it only affects the applicationHost.config file.
  • The iis manager (inetmgr.exe) allow graphical setting of the various options.  It appears that depending on what is selected in the left hand side pain the change is made to the appropriate file.  This is the easiest mechanism to "just use", and armed with an understanding of how the configuration files cascade it does much of what is needed.  On the other hand in at least Server2016/IIS10 it does not appear to allow the addition of ISAPI filters.
  • There are various WMI APIs available, depending on the exact installation these may or may not work.

Shibboleth ans ISAPI and IIS

tbd