Enabling AuthFilter for the Supplier Solution Site

Notes

To use the Supplier Solution Site with AuthFilter in Windows Authentication mode, you need to set the security mode on your domain controller to log on locally. For instructions, see Setting the Security Mode on the Web Server.

Only Basic Authentication should be enabled on the Supplier Solution Site. Do not change any other security settings. See the IIS online help for more information.

The AuthFiles subfolder and all pages in it should have only anonymous access enabled.

If your domain controller and Web server are installed on different computers in the same domain, then AuthFilter must have an anonymous account on the Web server in order to execute the method ProfileService.GetUserProfileByKey() on the Login page successfully for any profile/user.

By default, the anonymous user account is IUSR_<servername>. In Internet Services Manager, IUSR_<servername> does not have sufficient permissions to execute this method successfully in this scenario. In addition, if your Web server is different from your domain-controller server, you must add a user account from that domain as the anonymous account. To do this, first create a user account on the domain that has access to read the user properties from Active Directory. Then, on the Web server, use IIS Manager to set up the same user account as the anonymous account for the AuthFiles subfolder and all the files in that subfolder.

Note

  • It is recommended that you use a separate Web server and domain controller server. With separate servers, the passwords stored in Active Directory on the domain controller remain secure even if your Web server is attacked. Also, using separate servers improves performance, because Web servers use most of the random access memory (RAM) for a file cache, and are CPU-intensive when ASP pages are used.
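
Once the site is configured, the settings described in these notes can be checked from the Web server. The following Windows Script Host script is an added example, not part of the original topic or of Commerce Server; it reads the IIS metabase through ADSI. The site instance number 1 and the application name SupplierAD in the path are assumptions, so adjust them for your server.

```vbscript
' Added example, not Microsoft's code. Run on the Web server with:
'   cscript //nologo CheckSupplierAuth.vbs
Option Explicit

' Assumed metabase path: Web site instance 1, application named SupplierAD.
Const SITE_PATH = "IIS://localhost/W3SVC/1/ROOT/SupplierAD"
Dim nProblems : nProblems = 0

Sub Report(sMessage)
    nProblems = nProblems + 1
    WScript.Echo "FAIL " & sMessage
End Sub

' Open a metabase node. A folder with no node of its own inherits its
' parent's settings, which for AuthFiles means anonymous access is not set.
Function OpenNode(sPath)
    Set OpenNode = Nothing
    On Error Resume Next
    Set OpenNode = GetObject(sPath)
    If Err.Number <> 0 Then
        Report "cannot open " & sPath & " (no metabase entry of its own?)"
        Err.Clear
    End If
    On Error GoTo 0
End Function

' Compare the three authentication flags of one node with the wanted state.
Sub CheckAuth(oNode, bAnonymous, bBasic, bIntegrated)
    If oNode.AuthAnonymous <> bAnonymous Then Report oNode.ADsPath & ": AuthAnonymous=" & oNode.AuthAnonymous
    If oNode.AuthBasic <> bBasic Then Report oNode.ADsPath & ": AuthBasic=" & oNode.AuthBasic
    If oNode.AuthNTLM <> bIntegrated Then Report oNode.ADsPath & ": AuthNTLM=" & oNode.AuthNTLM
End Sub

Dim oSite, oAuthFiles, oChild
Set oSite = OpenNode(SITE_PATH)
If Not oSite Is Nothing Then CheckAuth oSite, False, True, False   ' Basic only

Set oAuthFiles = OpenNode(SITE_PATH & "/AuthFiles")
If Not oAuthFiles Is Nothing Then
    CheckAuth oAuthFiles, True, False, False        ' anonymous only
    For Each oChild In oAuthFiles                   ' child entries with their own settings
        CheckAuth oChild, True, False, False
    Next
    ' Separate Web server and domain controller: a domain account is required here.
    If UCase(Left(oAuthFiles.AnonymousUserName, 5)) = "IUSR_" Then
        WScript.Echo "WARN AuthFiles anonymous account is " & oAuthFiles.AnonymousUserName
    End If
End If
WScript.Quit nProblems
```

The script exits with the number of failed checks, so a non-zero exit code means at least one setting differs from what this topic requires.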

To enable AuthFilter on the Supplier Solution Site

  1. Use Commerce Server Site Packager to unpack the Supplier Solution Site.

  2. Expand Commerce Server Manager, expand Commerce Sites, and then click the site you want to administer.

  3. Expand Applications, right-click the name of the application that you want to work with, and then click Properties.

  4. In the Properties dialog box, on the General tab, in the Authentication filter box, select either Windows Authentication or Custom Authentication, and then click OK.

    Note

    • It is recommended that you use Windows Authentication, which is more secure than Custom Authentication. Windows Authentication stores passwords in Active Directory; Custom Authentication stores passwords in a database.
  5. Expand Internet Information Services, right-click the Supplier site, and then click Properties.

  6. In the Properties dialog box, on the Directory Security tab, in the Anonymous access and authentication control section, click Edit.

  7. In the Authentication Methods dialog box, clear the Integrated Windows authentication box.

    Note

    • Only Basic Authentication should be enabled on the Supplier Solution Site. Do not change any other security settings.
  1. Use a text editor to open Authfiles\Login.asp for the Supplier site.

  2. If you are using a Web farm, or if you require proxy account support, in Login.asp, update the code so it matches the code shown in the topic, Login.asp Code for the Supplier Solution Site.

    Important

    • If this is a single server that requires no support for proxy accounts, you do not need to update the Login.asp page.
  3. For Windows Authentication, change the GetUserInfo() method in \SupplierAD\include\Std_access_lib.asp to the following:

    Sub GetUserInfo()
        Dim sAuthUser, mscsUser
        Dim aName

        ' Read the IIS-authenticated account only when delegated administration is supported
        If dictConfig.i_DelegatedAdminOptions = DELEGATED_ADMIN_SUPPORTED Then
            sAuthUser = LoginName(Request.ServerVariables("LOGON_USER"))
        Else
            sAuthUser = ""
        End If

        Rem Integrated Windows and basic auth take precedence over HTML form auth
        If sAuthUser <> "" Then
            m_UserAccessType = IIS_AUTH ' BASIC_AUTH
            m_UserType = AUTH_USER
            Set mscsUser = GetUserProfileByLoginName(sAuthUser)
            If mscsUser Is Nothing Then
                m_UserID = ""
            Else
                m_UserID = mscsUser.Fields(GetQualifiedName(GENERAL_INFO_GROUP, USER_ID)).Value
            End If
        Else
            If mscsAuthMgr.IsAuthenticated() Then
                ' User holds a valid MSCSAuth ticket
                sAuthUser = mscsAuthMgr.GetUserID(AUTH_TICKET)
                Set mscsUser = GetUserProfileByLoginName(sAuthUser)
                If mscsUser Is Nothing Then
                    m_UserID = ""
                Else
                    m_UserID = mscsUser.Fields(GetQualifiedName(GENERAL_INFO_GROUP, USER_ID)).Value
                End If
                m_UserAccessType = TICKET_AUTH
                m_UserType = AUTH_USER
            Else
                If Not IsNull(mscsAuthMgr.GetUserID(GUEST_TICKET)) Then
                    ' Guest ticket present
                    m_UserID = mscsAuthMgr.GetUserID(GUEST_TICKET)
                    m_UserAccessType = GUEST_VISIT
                    m_UserType = GUEST_USER
                Else
                    ' No ticket at all: anonymous visit
                    m_UserID = ""
                    m_UserAccessType = ANON_VISIT
                    m_UserType = ANON_USER
                End If
            End If
        End If
    End Sub

    ' Returns the part of the logon name after the last backslash
    ' (DomainName\userID becomes userID); an empty name returns nothing.
    Function LoginName(ByVal sUserName)
        Dim aName

        If (sUserName = "") Then
            Exit Function
        End If
        aName = Split(sUserName, "\")
        LoginName = aName(UBound(aName))
    End Function
    
  4. For Windows Authentication, in the PrepareLoginSection method in \SupplierAD\template\menu.asp, change the Request.ServerVariables call that refers to the "AUTH_USER" server variable so that it refers to the "LOGON_USER" server variable. For example:

    Before: sAuthUser = Request.ServerVariables("AUTH_USER")

    After: sAuthUser = Request.ServerVariables("LOGON_USER")

  5. Save and close the updated Login.asp and Menu.asp pages.

  6. Use Business Desk to create a new user for the Supplier site.

    Important

    • You must create an Organization before adding any users or creating new users for it.
  7. Use Internet Explorer to navigate to http://<computername>/SupplierAD.

  8. At the login page, type the user name using DomainName\userID or User Principal Name (UPN) format. (You can add logic to Login.asp to add these to the userID/name.)

    Note

    • If you have a partitioned Active Directory/SQL Server user profile, enter only <username>@ on the logon page, where <username> is your userID. In this scenario, AuthFilter resolves the domain name from the username.
  9. At the login page, type the password if you are a registered user, or choose to register by clicking the link at the bottom of the page. (You need to add your own registration page on which you can create accounts on Active Directory.)

The Login.asp page sets the MSCSAuth ticket for the registered user, retrieves the profile for the user, and checks credentials if required. The request populates the default Web page using the profile information it retrieved.

If the user name or password is not valid or if the profile could not be found, the Login.asp page is displayed again with an error message, and presents the same two options to log in as before.
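
The login step above notes that logic can be added to Login.asp so that users do not have to type the domain themselves. The following function is one way to do that, as an added example that is not Microsoft's Login.asp code; the function name QualifyLoginName and the DEFAULT_DOMAIN value are hypothetical. It accepts the formats this topic names and rejects malformed input before it reaches the profile lookup.

```vbscript
' Added example, not the Login.asp code shipped with the Supplier Solution Site.
Const DEFAULT_DOMAIN = "EXAMPLEDOM"   ' assumption: placeholder NetBIOS domain name

' Returns the name in DomainName\userID or UPN form, or "" when the input is
' empty or malformed so the caller can redisplay the login page with an error.
Function QualifyLoginName(ByVal sInput)
    Dim sName, aParts

    QualifyLoginName = ""
    sName = Trim(sInput)
    If sName = "" Or Len(sName) > 256 Then Exit Function

    If InStr(sName, "\") > 0 Then
        ' DomainName\userID: exactly one backslash, both parts present, no "@"
        aParts = Split(sName, "\")
        If UBound(aParts) <> 1 Then Exit Function
        If aParts(0) = "" Or aParts(1) = "" Or InStr(sName, "@") > 0 Then Exit Function
        QualifyLoginName = sName
    ElseIf InStr(sName, "@") > 0 Then
        ' UPN (userID@domain), or "<username>@" for a partitioned profile,
        ' where AuthFilter resolves the domain name itself
        aParts = Split(sName, "@")
        If UBound(aParts) <> 1 Or aParts(0) = "" Then Exit Function
        QualifyLoginName = sName
    Else
        ' Bare userID: prepend the default domain
        QualifyLoginName = DEFAULT_DOMAIN & "\" & sName
    End If
End Function
```

Because the LoginName function shown earlier keeps only the part after the last backslash, a name qualified this way still resolves to the same userID when GetUserInfo looks up the profile.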

Copyright © 2005 Microsoft Corporation.
All rights reserved.