From Cosign Wiki
Cosign 3 filter validation URL returns "401 Not authorized"
The user authenticates OK, but on being redirected back to the validation URL they get a "401 Not authorized" error in their web browser, and something similar to this appears in the web server error log:
[Mon Apr 06 16:13:40 2009] [error] [client 126.96.36.199] access to /cosign/valid failed, reason: verification of user id '<null>' not configured, referer: https://weblogin-test.itcs.umich.edu/ ?cosign-request-test.itcs&https://request-test.itcs.umich.edu/
The problem turned out to be a "require valid-user" directive in the stanza for the web site. Removing this directive solved the problem.
A better solution that preserves stronger security for the rest of the site is to keep the above directive and instead use the following configuration for the cosign URL validation handler:
<Location /cosign/valid>
    SetHandler cosign
    CosignProtected Off
    Allow from all
    Satisfy any
</Location>
A program such as DebugView will display the CosignModule's verbose logging. Be sure to restart the application pool, if necessary, and then access a cosign-protected page to ensure the CosignModule is loaded.
The 3.1.0 and later versions of the CosignModule include a program database file. If you are encountering application pool crashes, this will help analyze the crash dump to find the offending code.
- Be sure Windows Error Reporting is enabled. WER can be disabled via a registry key and by group policy.
- Add this REG_EXPAND_SZ registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps]
- Download Windows Debugging Tools. You only need to select the debugging tools when installing, unless you really want the Windows SDK files installed.
- Start WinDBG then load the dump file.
- Run these commands:
.sympath SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;c:\path\to\cosignmoduledownload\x64;c:\path\to\cosignmoduledownload\x86
.reload
!analyze -v
Assuming everything went well, and why wouldn't it, you'll see the DLL function calls and, in the case of the cosignmodule, the actual line number of the source code, which is conveniently included with each cosignmodule release. The cosign project accepts patches.
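The first two steps of the procedure above, as a PowerShell sketch. This is an added example, not part of the CosignModule distribution. It assumes the crashing process is the IIS worker process w3wp.exe, and the dump folder D:\CrashDumps\w3wp and the count of 5 are placeholders. DumpFolder, DumpType and DumpCount are the standard WER LocalDumps value names.

```powershell
# Added example: verify WER is enabled, then configure LocalDumps for w3wp.exe only.
# Assumptions: process name w3wp.exe, dump folder and dump count below.
$werKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
$dumpDir   = 'D:\CrashDumps\w3wp'   # assumed path; keep it outside any web-served directory

# Step 1: WER can be switched off by a registry value or by group policy.
foreach ($key in $werKey, $policyKey) {
    $disabled = (Get-ItemProperty -Path $key -Name Disabled -ErrorAction SilentlyContinue).Disabled
    if ($disabled -eq 1) {
        throw "Windows Error Reporting is disabled under $key; no crash dump will be written."
    }
}

# Step 2: a per-process subkey limits dump collection to the application pool worker.
$dumpKey = Join-Path $werKey 'LocalDumps\w3wp.exe'
if (-not (Test-Path $dumpKey)) {
    New-Item -Path $dumpKey -Force | Out-Null
}

# DumpFolder is the REG_EXPAND_SZ value; DumpType and DumpCount are REG_DWORD.
New-ItemProperty -Path $dumpKey -Name DumpFolder -PropertyType ExpandString -Value $dumpDir -Force | Out-Null
# DumpType 1 = mini dump (enough for a stack trace), 2 = full dump.
# A full dump holds the whole worker process memory, including session data.
New-ItemProperty -Path $dumpKey -Name DumpType -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $dumpKey -Name DumpCount -PropertyType DWord -Value 5 -Force | Out-Null

# WER does not need the folder to be empty, but it must exist.
New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null

# Show the resulting configuration for review.
Get-ItemProperty -Path $dumpKey | Select-Object DumpFolder, DumpType, DumpCount
```

Remove the w3wp.exe subkey once the crash has been captured so that dumps do not keep accumulating.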
If the IISCosign filter encounters an error, it will attempt to disable the web server. It does this by processing all requests with the response "The server is currently disabled."
Errors will be placed in the Event Viewer under the Application Log and be labeled "Cosign".
Cosign Event Viewer Application Log Messages
Event Type: Error
Event Source: Cosign
Event Category: None
Event ID: 3
Date: 4/28/2009
Time: 12:33:16 PM
User: N/A
Computer: SERVER_NAME
Description: Could not load the cosign config file C:\Program Files\iiscosign\cosign.dll.config.
- The name of the config file is probably misspelled. Either change the file name or change the value in the Registry for HKEY_LOCAL_MACHINE\SOFTWARE\University of Michigan\ITCS\Cosign\ConfigFile.
NOTE: This registry path may not be up-to-date. The IISCosign distributions come with a cosign.reg file with the most recent and correct registry paths.
- It's also possible that MSXML 4.0 SP2 is not installed. Install it.
Event Type: Error
Event Source: Cosign
Event Category: None
Event ID: 4
Date: 4/21/2009
Time: 11:25:19 PM
User: N/A
Computer: SERVER_NAME
Description: IISCosign does not have permission to access something. Please see the readme.txt file for information about setting file permissions for IISCosign. Here is what caused the error:
- Permissions to allow cosign.dll to access various parts of the file system are not set.
Event Type: Error
Event Source: Cosign
Event Category: None
Event ID: 7
Date: 4/28/2009
Time: 12:36:39 PM
User: N/A
Computer: SERVER_NAME
Description: An error occurred while IISCosign was loading. It is now running in a minimal state that will prevent your web site from serving content.
- This message almost never appears by itself, but is the result of another error state. Look for other Cosign-related events in the Event Viewer to determine what caused IISCosign to enter this state.
Event Type: Error
Event Source: Cosign
Event Category: None
Event ID: 8
Date: 4/28/2009
Time: 12:33:16 PM
User: N/A
Computer: SERVER_NAME
Description: Config file parsing error at line 213: Text is not allowed in this context according to DTD/Schema. Expecting: Protected, Unprotected, AllowPublicAccess. .
- Most likely an xml tag in the cosign.dll.config file is either misspelled, in the incorrect order, or a required xml tag is missing. You can compare the xml tags appearing at the reported line number against the iiscosign.xsd schema.
- The iiscosign.xsd schema file did not get updated. New xml tags are periodically added to the schema to allow new functionality and, sometimes, reordered or moved to more logical locations. Make sure the iiscosign.xsd schema file that is in the same directory as the cosign.dll is the one that was included with that distribution.
Event Type: Error
Event Source: SideBySide
Event Category: None
Event ID: 59
Date: 7/21/2008
Time: 4:54:17 PM
User: N/A
Computer: SERVER_NAME
Description: Generate Activation Context failed for C:\path\to\cosign.dll. Reference error message: The referenced assembly is not installed on your system.
- There are several versions of the Visual C++ run-time DLLs. To make sure the version needed by IISCosign is installed, run the Visual C++ 2005 SP1 Redistributable Package.
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 4/28/2009
Time: 5:26:29 PM
User: N/A
Computer: SERVER_NAME
Description: Faulting application inetinfo.exe, version 6.0.3790.3959, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0002c873. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 69 6e 65 ure ine
0018: 74 69 6e 66 6f 2e 65 78 tinfo.ex
0020: 65 20 36 2e 30 2e 33 37 e 6.0.37
0028: 39 30 2e 33 39 35 39 20 90.3959
0030: 69 6e 20 6e 74 64 6c 6c in ntdll
0038: 2e 64 6c 6c 20 35 2e 32 .dll 5.2
0040: 2e 33 37 39 30 2e 34 34 .3790.44
0048: 35 35 20 61 74 20 6f 66 55 at of
0050: 66 73 65 74 20 30 30 30 fset 000
0058: 32 63 38 37 33 2c873
- Unfortunately, this is the result of a bug. When the IISCosign filter cannot connect to any weblogin servers, it enters an indeterminate state. See the troubleshooting connection errors section for correcting SSL misconfigurations.
These are only warnings. These will not prevent IISCosign from loading.
Event Type: Warning
Event Source: Cosign
Event Category: None
Event ID: 4
Date: 5/5/2008
Time: 11:31:40 AM
User: N/A
Computer: SERVER_NAME
Description: Connection pool is busy. Perhaps the current size is too low? This value can be changed in the cosign.dll.config file.
Congratulations! You have a very popular web service! In order to improve throughput of web pages, the size of the connection pool should be increased.
Event Type: Warning
Event Source: Cosign
Event Category: None
Event ID: 9
Date: 4/28/2009
Time: 1:31:34 PM
User: N/A
Computer: SERVER_NAME
Description: Could not initialize log file C:\Program Files\IISCosign\Logs.
- The directory does not exist.
- The permissions on the directory are incorrect.
- The IISCosign filter loaded before the previous instance unloaded and could not get write permission on the cosignlog.csl file.
- Another process has a lock on the file cosignlog.csl and is preventing IISCosign from getting write permissions.
If none of the above situations seem to resolve the issue, you can use cosigntrace.dll to create verbose logging. The log file is specified in the cosign.dll.config file under <Log><Path>. Usually, this is set to C:\Program Files\IISCosign\Logs.
It's also possible that IISCosign will encounter an error creating a log file. If this is the case, the logging output from cosigntrace.dll (and cosign.dll) can be captured with a program such as DebugView.
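A triage helper for the Cosign Application Log messages listed above, as an added example that is not part of the IISCosign distribution. It keys on level plus event ID, because ID 4 is both an error and a warning, and for the secondary ID 7 error it points at the closest earlier Cosign error. The function name and the sample records are constructed for illustration.

```powershell
# Added example: map Cosign events (level + ID) to the first check this page suggests.
$advice = @{
    'Error:3'   = 'Config file not loaded: check file name / ConfigFile registry value, MSXML 4.0 SP2'
    'Error:4'   = 'File-system permissions for cosign.dll are not set (see readme.txt)'
    'Error:7'   = 'Secondary error: minimal state, look for an earlier Cosign error'
    'Error:8'   = 'cosign.dll.config does not validate against iiscosign.xsd'
    'Warning:4' = 'Connection pool busy: increase pool size in cosign.dll.config'
    'Warning:9' = 'Log directory missing, wrong permissions, or cosignlog.csl locked'
}

function Get-CosignTriage {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]] $Events)
    $sorted = $Events | Sort-Object TimeCreated
    foreach ($e in $sorted) {
        $key   = '{0}:{1}' -f $e.LevelDisplayName, $e.Id
        $cause = $null
        if ($key -eq 'Error:7') {
            # ID 7 is a consequence, so find the last other Cosign error at or before it.
            $cause = $sorted | Where-Object {
                $_.LevelDisplayName -eq 'Error' -and $_.Id -ne 7 -and
                $_.TimeCreated -le $e.TimeCreated
            } | Select-Object -Last 1
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Key       = $key
            Advice    = if ($advice.ContainsKey($key)) { $advice[$key] } else { 'Not covered on this page' }
            RootCause = if ($cause) { '{0}:{1}' -f $cause.LevelDisplayName, $cause.Id } else { $null }
        }
    }
}

# Constructed sample records, shaped like Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2009-04-28 12:33:16'; LevelDisplayName = 'Error';   Id = 8 }
    [pscustomobject]@{ TimeCreated = [datetime]'2009-04-28 12:36:39'; LevelDisplayName = 'Error';   Id = 7 }
    [pscustomobject]@{ TimeCreated = [datetime]'2008-05-05 11:31:40'; LevelDisplayName = 'Warning'; Id = 4 }
)
Get-CosignTriage -Events $sample | Format-Table -AutoSize

# On a live server (Windows Server 2008 or later), feed it the real log instead:
# Get-CosignTriage -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Cosign' })
```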