Note: Missing VC runtime

If you encounter errors during the install or upgrade process that indicate the system can't start the shibd daemon/service process, it's likely that the installer is failing to install the Visual C++ runtime libraries for some reason, and you may have to pre-install those manually. At some point Microsoft is planning to make it impractical for us to redistribute these files with the installer, at which point this workaround is probably going to be universal.

These links may break at some point, but for now the 32-bit and 64-bit runtimes can be found at:

The top-level link to find them is https://visualstudio.microsoft.com/downloads/ via Other Tools.


Installation

The SP is available for Windows with modules for all the supported web servers. There is an installer available for the supported Windows Server versions, 2008 and above.

...

Upgrading to new releases is handled automatically when the MSI installer is used. The system prevents configuration files from being overwritten and skips "initial install" tasks like generating keys. The Shibboleth daemon is restarted by the package but you will need to restart the web server you're using yourself.

Web Server Overview

Note: Restrictive ACL on the configuration file

New installations place a restrictive file security ACL on the configuration directory. If you run your web server under a different user account (not a member of the Administrators group), you will need to adjust this ACL.
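One way to make that adjustment while keeping the directory read-only for the web server account, as an added PowerShell example that is not part of the original page. The function name, the directory path and the account are hypothetical placeholders, and it assumes read access is all the web server account needs; run it from an elevated prompt.

```powershell
# Added example (not from the original page). Requires PowerShell 5 or later.
function Grant-ConfigRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ConfigDir,  # placeholder: the SP configuration directory
        [Parameter(Mandatory)] [string] $Account     # placeholder: account the web server runs as
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Resolve the account to a SID first, so a mistyped name fails before any change is made.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType)

    # Build an allow rule limited to read/execute, inherited by files and subfolders.
    $acl     = Get-Acl -LiteralPath $ConfigDir
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule    = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    # -WhatIf shows the intended change without writing the ACL.
    if ($PSCmdlet.ShouldProcess($ConfigDir, "grant ReadAndExecute to $Account")) {
        Set-Acl -LiteralPath $ConfigDir -AclObject $acl
    }

    # Re-read the ACL and list every allow rule for this account, flagging any
    # that carries a write-type right so over-broad access is visible.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $ConfigDir).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value -and $_.AccessControlType -eq 'Allow' } |
        Select-Object FileSystemRights, IsInherited,
            @{ n = 'HasWrite'; e = { [bool]($_.FileSystemRights -band $writeMask) } }
}

# Constructed sample invocation; substitute your own directory and account:
# Grant-ConfigRead -ConfigDir 'C:\path\to\sp\config' -Account 'IIS APPPOOL\DefaultAppPool' -WhatIf
```

Any row reported with HasWrite set to True means the account can modify the configuration directory through some other rule and is worth reviewing.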

...

The following properties can be set

Property

Description

KEYGEN_EXTRAS

Allows extra parameters to be passed to the keygen command used during installation. For instance,

msiexec /i shibboleth-sp-3.0.0-win64.msi KEYGEN_EXTRAS="-h newSP.department.univerity.edu"

allows the addition of a subjectAltName in the generated certificate.

ALWAYS_START_SERVICE

Set this to FALSE to prevent the installer from starting the shibd service. This can be useful to debug installations (see below).

Shibboleth Service

Once installation is complete, you'll need to run the Shibboleth daemon, shibd, at all times that the SP is in use. shibd is a console application that is usually installed as a Windows service.

  • To run the process in console mode for testing or to diagnose major problems, supply a -console parameter when running it.

  • If shibd won't start, use the -check option from the command line to echo most logging information to the console for debugging.

Other parameters can be used to install (or remove) shibd from the service database, and subsequent control is generally via the Service Control Manager applet.

Tip: Monitoring the Service

Newer versions of Windows support automatic restart of failed services. We suggest using this feature to restart shibd when it fails. Although stability is good, maximum reliability will be achieved by monitoring the process.

...

The most common reason for the installation failing is that the Shibboleth service (above) does not start correctly. First, refer to the note at the top of this page and rule that out. If that doesn't bear fruit, you can debug this by instructing the installer not to try to start the service: set the ALWAYS_START_SERVICE property to FALSE. Do this from the command line:

...

Installing with no service start
c:\> msiexec /i Installer.msi ALWAYS_START_SERVICE=FALSE

You can then use the -check option described above to debug why the service will not start. Usually the problem is a DLL conflict with some existing copy of one of the libraries we ship, but we have generally worked around this risk by renaming all our libraries in ways that tend not to cause conflicts.

Once this is completed you can start the service manually.

...

Starting the Shibboleth Service from the command line
c:\> sc start shibd_default

In some situations the installer may appear to do nothing when double-clicked, and if invoked with msiexec /i on the command line it may throw the error "This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package." If this occurs, a workaround that has been found to be viable is to create a new .bat file containing the msi install command listed below, and then drag the downloaded msi onto it.

...

Windows batch file to run MSI installer by drag and drop
msiexec /i %1

Source Builds

We do not recommend this option, but we have a description of the process.

Initial Testing
