
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Installing WebAuth on Windows

This file contains the Windows-specific installation instructions. They are based upon installing Apache 2.0.47 using the standard Apache MSI file.

You should also read the Apache for Windows page.

NOTE: This port is unsupported. It is provided on an as-is basis in the hope that people will find it useful, and for Windows users to experiment with. We welcome feedback and contributions, but the Windows port is currently a low priority and we cannot provide installation help beyond the documentation. If you find this port useful and feel that we should fully support it, please let us know; if enough people request support, we may be able to find resources to do so.

WARNING: There is currently an Apache bug under Windows where stopping and/or restarting Apache causes a fatal exception. This happens when running Apache+mod_ssl (and no WebAuth code), and appears to be an Apache APR pool cleanup ordering issue. There are numerous bugs filed on this issue with the Apache Group.

  1. Install Apache 2.0.47 using the Apache MSI file:

        apache_2.0.47-win32-x86-no_ssl.msi
  2. Download the Windows binaries and extract the webauth-3.2.0.zip file into the same directory Apache was installed to, which by default is:

        C:\Program Files\Apache Group\Apache2\

    The .zip file contains the following files:

        file                             origin of file
        ------------------               ------------------
        bin/saslGSSAPI.dll               Cyrus SASL
        bin/libsasl.dll                  Cyrus SASL
        bin/krb5.ini                     MIT K5 (Stanford krb5.conf)
        bin/gssapi32.dll                 MIT K5
        bin/comerr32.dll                 MIT K5
        bin/krb5_32.dll                  MIT K5
        bin/libcurl.dll                  cURL
        bin/libeay32.dll                 OpenSSL
        bin/ssleay32.dll                 OpenSSL
        bin/libwebauth.dll               WebAuth
        modules/mod_webauth.so           WebAuth
        modules/mod_webauthldap.so       WebAuth
        modules/mod_ssl.so               Apache mod_ssl
        conf/stanford-webauth.conf       WebAuth
        conf/stanford-ldap.conf          WebAuth
        conf/webauth-ssl.conf            WebAuth
        conf/webauth/ca-bundle.crt       cURL
        conf/webauth/sasl.reg            WebAuth
    

    Note that stanford-webauth.conf is the standard stanford-webauth.conf file distributed with WebAuth with the following extra line added to it:

        # point to the cURL ca-bundle.crt file
        WebAuthWebKdcSSLCertFile conf/webauth/ca-bundle.crt
    

    This is needed for cURL to be able to locate its ca-bundle.crt file under Windows.

    Also note that the user that Apache is running as will need write access to the conf/webauth/ directory to create the service_token_cache, keyring, and (if using mod_webauthldap) the krb5cc_ldap ticket file(s).

  3. Set the location of the SASL plugins in the registry.

    Pick one of these three methods to update the registry so the SASL library can find the location of the GSSAPI plugin. This step can be skipped if you aren't going to run mod_webauthldap.

    1. Manually using regedit. Create the following key:

          [HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library]

      and add this value to it:

          "SearchPath"="C:\\Program Files\\Apache Group\\Apache2\\bin"
    2. From the command line, run:

          cd "C:\Program Files\Apache Group\Apache2\conf\webauth"
          regedit /s sasl.reg
      
    3. From a File Explorer window, navigate to:

          C:\Program Files\Apache Group\Apache2\conf\webauth

      and double-click on sasl.reg.

  4. Edit and/or update the Apache configuration files.

    1. Edit conf/httpd.conf to include stanford-webauth.conf and stanford-ldap.conf by adding the lines:

          Include conf/stanford-webauth.conf
          Include conf/stanford-ldap.conf
      

      If you aren't going to run mod_webauthldap, then don't include stanford-ldap.conf.

      Also, uncomment the LoadModule line for mod_ssl.so:

          LoadModule ssl_module modules/mod_ssl.so

    2. Edit conf/ssl.conf. If you have an existing conf/ssl.conf, comment out <IfDefine SSL> and </IfDefine> so that SSL is always started:

         #<IfDefine SSL>
         ...
         #</IfDefine>
      

      Change SSLMutex to be "default" if it isn't already:

          SSLMutex default

      Also update SSLCertificateFile and SSLCertificateKeyFile if need be after installing your certificate file and key.

      If you don't have an existing ssl.conf file (you won't if you've just installed Apache), copy conf/webauth-ssl.conf to ssl.conf:

          copy conf\webauth-ssl.conf conf\ssl.conf
  5. See the WebAuth installation guide for further instructions on installing a keytab and getting an SSL certificate.

    NOTE: leland_srvtab is only available from a Unix system, so for Stanford users, the keytab file needs to be generated from there and securely transferred to your Windows system.
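
A read-only post-install check for steps 2 through 4, as an added PowerShell example (not part of the WebAuth distribution or of the original instructions). It assumes the default install directory named above; `$ApacheRoot`, `$UseLdap` and `Test-ActiveLine` are names chosen for this example.

```powershell
# Added example, not part of the WebAuth distribution. It only reads files,
# the registry and ACLs. Assumption: Apache is in the default directory.
$ApacheRoot = 'C:\Program Files\Apache Group\Apache2'
$SaslKey    = 'HKLM:\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library'
$UseLdap    = $true    # set to $false if you are not running mod_webauthldap

function Test-ActiveLine([string]$RelPath, [string]$Pattern) {
    # True when an uncommented line of the file matches $Pattern.
    $file = Join-Path $ApacheRoot $RelPath
    if (-not (Test-Path -LiteralPath $file)) { return $false }
    $active = @(Get-Content -LiteralPath $file | Where-Object { $_ -notmatch '^\s*#' })
    return @($active | Where-Object { $_ -match $Pattern }).Count -gt 0
}

$checks = [ordered]@{}

# Step 2: a few of the extracted files, plus the extra cURL CA bundle line.
foreach ($rel in 'bin\libwebauth.dll', 'modules\mod_webauth.so', 'modules\mod_ssl.so',
                 'conf\stanford-webauth.conf', 'conf\webauth\ca-bundle.crt', 'conf\ssl.conf') {
    $checks["exists: $rel"] = Test-Path -LiteralPath (Join-Path $ApacheRoot $rel)
}
$caLine = '^\s*WebAuthWebKdcSSLCertFile\s+conf/webauth/ca-bundle\.crt'
$checks['WebAuthWebKdcSSLCertFile set'] = Test-ActiveLine 'conf\stanford-webauth.conf' $caLine

# Step 3 (and the LDAP include from step 4) apply only with mod_webauthldap.
if ($UseLdap) {
    $prop = Get-ItemProperty -Path $SaslKey -Name SearchPath -ErrorAction SilentlyContinue
    $want = Join-Path $ApacheRoot 'bin'
    $checks['SASL SearchPath is Apache2\bin'] = ($null -ne $prop) -and ($prop.SearchPath -eq $want)
    $checks['Include stanford-ldap.conf'] = Test-ActiveLine 'conf\httpd.conf' '^\s*Include\s+conf/stanford-ldap\.conf'
}

# Step 4: httpd.conf and ssl.conf edits (the IfDefine check needs ssl.conf to exist).
$checks['Include stanford-webauth.conf'] = Test-ActiveLine 'conf\httpd.conf' '^\s*Include\s+conf/stanford-webauth\.conf'
$checks['LoadModule ssl_module active'] = Test-ActiveLine 'conf\httpd.conf' '^\s*LoadModule\s+ssl_module\s+modules/mod_ssl\.so'
$checks['SSLMutex default'] = Test-ActiveLine 'conf\ssl.conf' '^\s*SSLMutex\s+default\s*$'
$checks['<IfDefine SSL> commented out'] = -not (Test-ActiveLine 'conf\ssl.conf' '^\s*<IfDefine\s+SSL>')

# conf\webauth holds the keyring, service_token_cache and krb5cc_ldap files:
# list every account with an Allow entry that includes WriteData
# (entries expressed only as generic rights are not decoded here).
$acl = Get-Acl -LiteralPath (Join-Path $ApacheRoot 'conf\webauth') -ErrorAction SilentlyContinue
$writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$writers = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $writeBit) -ne 0)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key }
"Accounts with write access to conf\webauth: $($writers -join ', ')"
```

The account Apache runs as should appear in the final line; review any other non-administrative account listed there.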

Here is the version information for what is included in this package:

Apache 2.0.47
cURL 7.10.6
Cyrus SASL 2.1.15
OpenLDAP 2.1.22 (statically linked in mod_webauthldap.so)
OpenSSL 0.9.7b
MIT KRB5 1.2.8
WebAuth 3.2.0

Last modified Friday, 12-Dec-2014 02:31:11 PM
