Topic: Installing and Configuring DSML Services for Windows
Author: SteveHB (member; 113 posts; joined 05/31/2006; from Mountain View, CA)

Installing and Configuring DSML Services for Windows |
System Requirements
DSML Services for Windows uses a three-tiered architecture that requires the following components:
Client --> IIS --> LDAP Server
Client: Client computers running applications that use DSML V2. These clients must be able to send HTTP requests and accept HTTP responses. Computers running Windows 95, Windows 98, Windows Millennium Edition, Windows 2000, Windows XP, and Windows Server 2003 can act as a client for applications using DSML V2.
IIS: DSML Services for Windows, running on Microsoft Internet Information Services (IIS) 5.0 or later. MSXML 4.0 Service Pack 1 or later must be installed on the IIS server.
LDAP Server: Active Directory or Active Directory Application Mode (AD/AM) running on Windows 2000 Server or Windows Server 2003.
Both DSML Services for Windows and Active Directory must be in the same Active Directory forest.
If using DSML Services for Windows with Active Directory Application Mode (AD/AM) instead of Active Directory, DSML Services for Windows and AD/AM do not have to be in the same forest, or even be joined to a domain. However, if they are not in the same forest, then both DSML Services for Windows and AD/AM should be run on the same computer, because IIS will use local accounts for authentication and would not be able to authenticate to AD/AM using those local accounts if AD/AM were on a separate computer.
All of these components can be installed on a single computer if the computer satisfies the system requirements for each of the components.
Note: All those constraints are due to the authentication between IIS and LDAP. There are two models to choose from: trusted or delegation. Trusted Model: A trustee or agent with the predefined name IUSR_<Computer NetBIOS name> is used to SASL bind against LDAP via the Kerberos Authentication Protocol. Delegation Model: The client's credentials established between Client --> IIS are used to SASL bind against LDAP via the Kerberos Authentication Protocol.
As we can see, no matter which model is selected and which authentication method is used for the client to authenticate to IIS, the Kerberos Authentication Protocol will be tried first for the IIS --> LDAP binding. If Kerberos fails, NTLM will be used as the default back-up authentication protocol.
In that sense, for Microsoft DSML Services to work on IIS, the third-tier LDAP Server must support Kerberos and/or NTLM. Definitely, AD/AM is the best candidate.
Another Note: For NTLM to work, IIS and LDAP must be in the same domain. For Kerberos to work, IIS and LDAP must be in forests that have a trust relationship.
Installing DSML Services for Windows |
1) Download the DSML Services for Windows files to a temporary directory on the IIS server system.
2) Run the DSfW.msi installer. This starts the DSML Services for Windows Setup Wizard.
3) On the first page of the wizard, click Next.
4) Read the license agreement, click I Agree, and then click Next.
5) The default install folder is C:\DSFW\. You can install DSML Services for Windows for the current user, but it is recommended that you install it for all users on the computer. To do this, select Everyone, and then click Next.
6) Click Next on the Confirm Installation page to begin installing the DSML Services for Windows files.
7) Read the Congratulations! page, and then click Next.
8) The Installation Complete page will display when the setup is complete. Click Close to exit the Setup Wizard.
Configuring DSML Services for Windows |
DSML Services for Windows can also be configured manually; this is usually done to support multiple installations of DSML Services for Windows on the same IIS server.
Configure IIS and Active Directory: Configure the server to support IIS if this has not already been done. You should also have an Active Directory domain controller or an Active Directory Application Mode (AD/AM) server running before continuing.
Create the DSML virtual directory: Start IIS services and create a new virtual directory named dsml (alias) on the Web server under the Default Web Site node, with the path to directory set to C:\DSFW\bin (or to the directory you created during the setup process). Set the Execute Permissions of the virtual directory to Scripts and Executables. This creates the new virtual directory.
Configure the DSML virtual directory: Right-click the virtual directory, and then select Properties. From the Directory Security property page, click Edit in the Anonymous Access and Authentication control group box. Disable the Enable Anonymous Access option. Configure the virtual directory to support Basic authentication and Integrated Windows authentication. Note: It is recommended that you enable SSL if you select Basic authentication. This prevents passwords from being transmitted in plaintext. From the Virtual Directory property page, click the Configuration button. From the Mappings tab of the Application Configuration dialog box, click the Add button. Set the Executable to c:\dsfw\bin\adssoap.dll (or the path to adssoap.dll where it was copied). Set the Extension to .dsmlx, and then set the Verbs to Limit To: POST. This step is optional. From the Virtual Directory property page, set the Application Protection to High or Medium isolation.
Modify the DSML configuration file: Modify the dsmlv2.config configuration file found in the %SystemRoot%\system32 directory. The generic template for the configuration file is shown below.
<extensionConfiguration>
  <virtualDirectory url="virtualDirURL">
    <server>serverName</server>
    <port>portNumber</port>
    <useSSL>enableSSL</useSSL>
    <useSigning>enableLDAPSigning</useSigning>
    <useSealing>enableLDAPSealing</useSealing>
    <readOnly>enableReadOnlyMode</readOnly>
    <connectTimeout>connTime</connectTimeout>
    <operationTimeout>operTime</operationTimeout>
    <maxConnections>numberOfConnections</maxConnections>
    <maxRequestsPerBatch>maxReqsPerBatch</maxRequestsPerBatch>
    <chaseReferrals>chaseReferralsType</chaseReferrals>
    <sessionsMax>totalSessions</sessionsMax>
    <sessionsMaxPerIP>sessionPerIP</sessionsMaxPerIP>
    <sessionsIPMatch>useIPMatching</sessionsIPMatch>
    <sessionsAuthMatch>useCredentialMatching</sessionsAuthMatch>
    <sessionsTTL>timeToLive</sessionsTTL>
  </virtualDirectory>
  <virtualDirectory url="virtualDirURL">
    ... another node
  </virtualDirectory>
</extensionConfiguration>
virtualDirURL should be filled in with the URL to the extension, without the Web server name. For example, if you create an IIS virtual directory named dsml, which allows the extension to be accessed as http://mywebserver.microsoft.com/dsml/adssoap.dsmlx, set virtualDirURL to /dsml/adssoap.dsmlx.
All of the element tags inside the <virtualDirectory> element are optional. To omit one, omit the entire line, including the surrounding XML elements. For example, to omit serverName, omit <server>serverName</server>.
serverName specifies the DNS name of the Active Directory server or domain against which to perform LDAP operations. If serverName is omitted, DSML Services for Windows connects to a domain controller for the domain to which the Web server's computer account belongs. If a domain name is specified, it connects to a DC for that domain. If a server name is specified, it connects to that specific server.
portNumber specifies the port number on the Active Directory server to which to connect. The default is port 389.
enableSSL specifies whether SSL encryption will be used when connecting to the Active Directory server. The default value is false.
enableLDAPSigning specifies whether the LDAP connection between the DSML Services for Windows server and the Active Directory server will use certificate signing. This option does not affect the connection between the client application and the DSML Services for Windows server. The default value is false, meaning digital signing is not used.
enableLDAPSealing specifies whether the LDAP connection between the DSML Services for Windows server and the Active Directory server will use data encryption. This option does not affect the connection between the client application and the DSML Services for Windows server. The default value is false, meaning encryption is not used.
enableReadOnlyMode specifies whether read-only mode is enabled. If enabled, the DSML Services for Windows server will only process <searchRequest> and <compareRequest> operations. Other requests, for example, requests to add to, delete from, or modify the directory, will fail. The default value is false.
connTime specifies how many seconds to wait when trying to establish an LDAP connection to the Active Directory server. The default setting is no timeout period. It is recommended that you specify a timeout period.
operTime specifies how many seconds to wait for an individual LDAP operation to complete. The default is no timeout period. It is recommended that you specify a timeout period.
numberOfConnections specifies the maximum number of simultaneous LDAP connections to keep open to the Active Directory server. The default number is five. The higher this number, the greater the number of incoming DSML requests that can be simultaneously processed.
maxReqsPerBatch specifies the maximum number of operations that the DSML Services for Windows server will accept in a single DSML <batchRequest>. Requests which contain more than that number of operations will not be processed, and an error will be returned. The default value is 1000. For optimal performance, it is recommended not to set this option to a value greater than 4000.
chaseReferralsType specifies the type of referral chasing used by the Active Directory server when a referral is generated. The allowable values are never, always, subordinate, and external. The default value is never, meaning referral chasing is not used.
totalSessions specifies the total number of outstanding active sessions allowed. If the total number reaches the maximum, and a client requests a new session, the server will reject all subsequent new session requests until the number of outstanding active sessions is less than the maximum number specified. The default value is 100 sessions.
sessionPerIP specifies the number of sessions allowed for a given IP address. The default value is five (5) sessions.
useIPMatching specifies whether the server should check to determine if the IP address matches the original creator of the session when the client requests a session ID. The default value is true.
useCredentialMatching specifies whether the server should check to determine if the user credentials match those of the original creator of the session when the client requests a session ID. The default value is true.
timeToLive specifies the number of seconds the session should live before it is declared to be expired. Each client request with the session ID revitalizes the TTL. If there is no activity beyond the TTL, the session is considered to be dead. The default value is 600 seconds.
For example, using the dsml virtual directory example given previously, the following dsmlv2.config would specify that the IIS virtual directory should process requests for an Active Directory server named testdc-01.fabrikam.com. It should connect on port 389, with connection and operation timeouts of 30 seconds. It should keep up to 10 connections open simultaneously.
<extensionConfiguration>
  <virtualDirectory url="/dsml/adssoap.dsmlx">
    <server>testdc-01.fabrikam.com</server>
    <port>389</port>
    <connectTimeout>30</connectTimeout>
    <operationTimeout>30</operationTimeout>
    <maxConnections>10</maxConnections>
  </virtualDirectory>
</extensionConfiguration>
It is possible to create multiple IIS virtual directories on the Web server that use the adssoap.dsmlx extension. This can be used, for example, for sending requests to different Active Directory servers. All virtual directories on an IIS server share the same dsmlv2.config file. The IIS virtual directories must be created and configured with the proper permissions (using the steps listed previously in this topic) before the DSML Services for Windows configuration file is modified.
To configure a multiple virtual directory installation, create a separate virtualDirectory section for each virtual directory in the configuration file. For example, if you want to extend the example above to include a second virtual directory named dsml2 that sends LDAP operations to an Active Directory server named testdc-02.fabrikam.com (also on port 389, but with no connect or operation timeout, and using the default number of connections), you could create a dsmlv2.config file similar to the following.
<extensionConfiguration>
  <virtualDirectory url="/dsml/adssoap.dsmlx">
    <server>testdc-01.fabrikam.com</server>
    <port>389</port>
    <connectTimeout>30</connectTimeout>
    <operationTimeout>30</operationTimeout>
    <maxConnections>10</maxConnections>
  </virtualDirectory>
  <virtualDirectory url="/dsml2/adssoap.dsmlx">
    <server>testdc-02.fabrikam.com</server>
  </virtualDirectory>
</extensionConfiguration>
The dsmlv2.config file should have its file access permissions set so that all authenticated users have read access, and only administrators and IIS administrators have read/write access. This enables the DSML Services for Windows to read the configuration file while impersonating a user, yet prevents the configuration file from being subject to either accidental or malicious changes.
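Because every element in a virtualDirectory is optional and the omitted ones silently take the defaults described in the post (no connect or operation timeout, no LDAP signing or sealing, write operations allowed), a reviewer has to reason about the effective settings rather than the visible ones. The script below is an added example, not code from the thread or from DSML Services for Windows: it parses a dsmlv2.config, merges each virtual directory with the documented defaults, and reports which of the post's recommendations are not met. The finding codes are my own; the 4000-request ceiling and the default values are the ones the post documents, and the hardened variant (including the LDAPS port 636) is constructed.

```python
"""Audit a dsmlv2.config against the defaults and recommendations quoted in
the post above.  Added example; finding codes are the author's own."""
import xml.etree.ElementTree as ET

# Two-virtual-directory config taken from the post (dsml2 relies entirely on defaults).
SAMPLE_CONFIG = """<extensionConfiguration>
  <virtualDirectory url="/dsml/adssoap.dsmlx">
    <server>testdc-01.fabrikam.com</server>
    <port>389</port>
    <connectTimeout>30</connectTimeout>
    <operationTimeout>30</operationTimeout>
    <maxConnections>10</maxConnections>
  </virtualDirectory>
  <virtualDirectory url="/dsml2/adssoap.dsmlx">
    <server>testdc-02.fabrikam.com</server>
  </virtualDirectory>
</extensionConfiguration>"""

# Constructed hardened variant: SSL to the DC (LDAPS port 636 assumed), read-only, timeouts set.
HARDENED_CONFIG = """<extensionConfiguration>
  <virtualDirectory url="/dsml/adssoap.dsmlx">
    <server>testdc-01.fabrikam.com</server>
    <port>636</port>
    <useSSL>true</useSSL>
    <readOnly>true</readOnly>
    <connectTimeout>30</connectTimeout>
    <operationTimeout>30</operationTimeout>
    <maxRequestsPerBatch>1000</maxRequestsPerBatch>
  </virtualDirectory>
</extensionConfiguration>"""

# Values the post gives for elements omitted from a virtualDirectory.
# connectTimeout / operationTimeout default to "no timeout", so they have no entry here.
DEFAULTS = {
    "port": "389", "useSSL": "false", "useSigning": "false", "useSealing": "false",
    "readOnly": "false", "maxConnections": "5", "maxRequestsPerBatch": "1000",
    "chaseReferrals": "never", "sessionsMax": "100", "sessionsMaxPerIP": "5",
    "sessionsIPMatch": "true", "sessionsAuthMatch": "true", "sessionsTTL": "600",
}

def _bool(value):
    return value.strip().lower() == "true"

def effective_settings(vdir):
    """Explicit child elements layered over the documented defaults."""
    settings = dict(DEFAULTS)
    for child in vdir:
        settings[child.tag] = (child.text or "").strip()
    return settings

def audit_vdir(vdir):
    """Findings for one <virtualDirectory>, in a fixed order."""
    s = effective_settings(vdir)
    findings = []
    if "connectTimeout" not in s:
        findings.append("NO_CONNECT_TIMEOUT")
    if "operationTimeout" not in s:
        findings.append("NO_OPERATION_TIMEOUT")
    if int(s["maxRequestsPerBatch"]) > 4000:
        findings.append("BATCH_LIMIT_ABOVE_4000")
    # SSL protects the IIS->DC hop on its own; otherwise SASL sealing/signing must be on.
    if not (_bool(s["useSSL"]) or _bool(s["useSealing"])):
        findings.append("LDAP_CHANNEL_UNENCRYPTED")
    if not (_bool(s["useSSL"]) or _bool(s["useSigning"])):
        findings.append("LDAP_CHANNEL_UNSIGNED")
    if not _bool(s["readOnly"]):
        findings.append("WRITE_OPERATIONS_ALLOWED")
    if not (_bool(s["sessionsIPMatch"]) and _bool(s["sessionsAuthMatch"])):
        findings.append("SESSION_BINDING_RELAXED")
    return findings

def audit_config(xml_text):
    """Map each virtual directory URL to its list of findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "extensionConfiguration":
        raise ValueError("not a dsmlv2.config document")
    report = {}
    for vdir in root.findall("virtualDirectory"):
        url = vdir.get("url", "")
        entry = report.setdefault(url, [])
        if not url.startswith("/"):  # post: URL is relative, without the server name
            entry.append("URL_NOT_ROOT_RELATIVE")
        entry.extend(audit_vdir(vdir))
    return report
```

Running audit_config on the post's two-directory example shows the asymmetry the text only implies: /dsml has timeouts but still talks to the DC unsigned and unencrypted with writes enabled, while /dsml2 additionally has no timeouts at all. The constructed hardened config produces no findings.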
Security -- Authentication Methods Involved |
1) Anonymous access
   Client --> IIS:       HTTP Anonymous (user: CN=IUSR_<IIS_NetBIOS Name>)
   IIS --> LDAP Server:  Kerberos + NTLM
2) Basic authentication
   Client --> IIS:       WWW-Authenticate: Basic realm=".."
   IIS --> LDAP Server:  Kerberos + NTLM
3) Digest authentication
   Client --> IIS:       WWW-Authenticate: Digest qop=".." ..
   IIS --> LDAP Server:  Kerberos + NTLM
4a) Integrated Windows Authentication -- Kerberos
   Client --> IIS:       WWW-Authenticate: Negotiate ".."
   IIS --> LDAP Server:  Kerberos + NTLM
4b) Integrated Windows Authentication -- NTLM
   Client --> IIS:       WWW-Authenticate: NTLM ".."
   IIS --> LDAP Server:  NTLM
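The first post makes the point that Kerberos is tried first and NTLM is the fallback, and this post lists the HTTP challenge headers for each client-to-IIS method. The one thing the headers do not tell an auditor at a glance is which mechanism actually ran: a Negotiate token may wrap SPNEGO/Kerberos or may be a raw NTLMSSP message, and a Basic challenge over plain HTTP is the plaintext-password case the configuration post warns about. The following is an added example, not code from the thread: it classifies a WWW-Authenticate or Authorization value from a proxy or IIS log, decodes Negotiate/NTLM tokens to tell Kerberos from NTLM, and flags the two weak outcomes. The sample header values are constructed; the OIDs and the NTLMSSP signature are the standard ones from GSS-API, SPNEGO and NTLM.

```python
"""Classify HTTP authentication headers seen on the Client --> IIS hop of a
DSML Services deployment and flag plaintext Basic and NTLM fallback.
Added example; sample tokens below are constructed."""
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_SIG = b"NTLMSSP\x00"                           # NTLM message signature

# Constructed tokens: a minimal NTLMSSP NEGOTIATE message and a minimal GSS-API
# InitialContextToken (0x60, length, SPNEGO OID, empty NegTokenInit body).
NEGOTIATE_NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(16)).decode()
NEGOTIATE_SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(
    b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()

def _decode_token(param):
    """Base64-decode a token parameter; empty or malformed input yields b''."""
    try:
        return base64.b64decode(param, validate=True)
    except ValueError:
        return b""

def _token_kind(blob):
    """Tell what a Negotiate/NTLM token really carries."""
    if blob.startswith(NTLMSSP_SIG):
        return "ntlm"
    head = blob[:16]  # GSS-API header: 0x60 <len> <mechanism OID> ... (short-form length assumed)
    if blob[:1] == b"\x60" and SPNEGO_OID in head:
        return "spnego"
    if blob[:1] == b"\x60" and KRB5_OID in head:
        return "kerberos"
    return "unknown"

def classify_auth_header(header_value, over_tls):
    """Return (scheme, detail, warnings) for one WWW-Authenticate/Authorization value."""
    scheme, _, param = header_value.strip().partition(" ")
    scheme_l = scheme.lower()
    warnings = []
    if scheme_l == "basic":
        detail = "password sent base64-encoded"
        if not over_tls:
            warnings.append("BASIC_WITHOUT_SSL")
    elif scheme_l == "digest":
        detail = "challenge-response over HTTP"
    elif scheme_l in ("negotiate", "ntlm"):
        blob = _decode_token(param)
        detail = _token_kind(blob) if blob else "initial challenge (no token)"
        if scheme_l == "ntlm" or detail == "ntlm":
            warnings.append("NTLM_IN_USE")
    else:
        detail = "unrecognised scheme"
        warnings.append("UNKNOWN_SCHEME")
    return scheme_l, detail, warnings

# The post's scenarios as constructed (header value, over_tls) pairs.
SCENARIOS = {
    "2) Basic over plain HTTP": ('Basic realm="dsml"', False),
    "2) Basic over SSL": ('Basic realm="dsml"', True),
    "3) Digest": ('Digest qop="auth"', False),
    "4a) Negotiate carrying SPNEGO": (NEGOTIATE_SPNEGO_SAMPLE, True),
    "4a) Negotiate carrying raw NTLM": (NEGOTIATE_NTLM_SAMPLE, True),
    "4b) NTLM": ("NTLM", True),
}

def audit_scenarios(scenarios=SCENARIOS):
    """Map each scenario name to the warnings its header produces."""
    return {name: classify_auth_header(value, tls)[2] for name, (value, tls) in scenarios.items()}
```

In practice the header values come from the IIS W3C log or a reverse-proxy capture rather than the constructed SCENARIOS table; the classifier is the same. A deployment that intends scenario 4a but keeps producing NTLM_IN_USE is worth investigating, since the first post explains that NTLM is only the fallback when Kerberos is unavailable between the parties.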