Windows Authentication Mode
In Windows Authentication mode, a user is validated by setting a session cookie that contains an MSCSAuth ticket. No expiration date is specified for the cookie, and the cookie is deleted after the session expires. An MSCSAuth ticket contains a user ID, the last login time, and a time window specifying how long the ticket is valid after the last login time. A validated user does not automatically have access to a requested URL. The credentials of the user, once validated, are checked against the access rights of the URL that are maintained through access control lists (ACLs).
The following diagram shows how Windows Authentication works.
.gif "Windows Authentication")
For a figure that shows how Windows Authentication works with proxy accounts, see Proxy Accounts.
.gif "Ee784152.note(en-US,CS.20).gif")
Notes
- When Windows Authentication mode is enabled, the security of the site is automatically set to Internet Information Services (IIS) Basic authentication. Do not change this setting, because it enables AuthFilter to be notified of events by IIS.
- After unpacking a Solution Site for use with Commerce Server 2002, the files contained in the <sitename>\AuthFiles folder have anonymous access enabled. If these files are not used, they should be deleted. For more information about Solution Sites, see Commerce Server Solution Sites.
This section contains:
- Processing User Requests in Windows Authentication Mode
- Login Page: Get Method and Post Method
- Clear Text Passwords
- Enabling Windows Authentication
- AuthFilter and DDoS Attacks
- Proxy Accounts
Copyright © 2005 Microsoft Corporation.
All rights reserved.