Enabling AuthFilter for the Supplier Solution Site
Notes
- Before performing these steps, it is recommended that you read Important Information About AuthFilter for the Supplier Site.
- For the Login.asp page for AuthFilter for the Supplier Solution site, see Login.asp Code for the Supplier Solution Site.
To use the Supplier Solution Site with AuthFilter in Windows Authentication mode, you need to set the security mode on your domain controller to log on locally. For instructions, see Setting the Security Mode on the Web Server.
Only Basic Authentication should be enabled on the Supplier Solution Site. Do not change any other security settings. See the IIS online help for more information.
The AuthFiles subfolder and all pages in it should have only anonymous access enabled.
If your domain controller and Web server are installed on different computers in the same domain, then AuthFilter must have an anonymous account on the Web server in order to execute the method ProfileService.GetUserProfileByKey() on the Login page successfully for any profile/user.
By default, the anonymous user account is IUSR_<servername>. In Internet Services Manager, IUSR_<servername> does not have sufficient permissions to execute this method successfully in this scenario. In addition, if your Web server is different from your domain-controller server, you must add a user account from that domain as the anonymous account. To do this, first create a user account on the domain that has access to read the user properties from Active Directory. Then, on the Web server, use IIS Manager to set up the same user account as the anonymous account for the AuthFiles subfolder and all the files in that subfolder.
Note
- It is recommended that you use a separate Web server and domain controller server. With separate servers, the passwords stored in Active Directory on the domain controller remain secure even if your Web server is attacked. Also, using separate servers improves performance, because Web servers use most of the random access memory (RAM) for a file cache, and are CPU-intensive when ASP pages are used.
To enable AuthFilter on the Supplier Solution Site
Use Commerce Server Site Packager to unpack the Supplier Solution Site.
Expand Commerce Server Manager, expand Commerce Sites, and then click the site you want to administer.
Expand Applications, right-click the name of the application that you want to work with, and then click Properties.
In the Properties dialog box, on the General tab, in the Authentication filter box, select either Windows Authentication or Custom Authentication, and then click OK.
Note
- It is recommended that you use Windows Authentication, which is more secure than Custom Authentication. Windows Authentication stores passwords in Active Directory; Custom Authentication stores passwords in a database.
Expand Internet Information Services, right-click the Supplier site, and then click Properties.
In the Properties dialog box, on the Directory Security tab, in the Anonymous access and authentication control section, click Edit.
In the Authentication Methods dialog box, clear the Integrated Windows authentication box.
Note
- Only Basic Authentication should be enabled on the Supplier Solution Site. Do not change any other security settings.
Use a text editor to open Authfiles\Login.asp for the Supplier site.
If you are using a Web farm, or if you require proxy account support, in Login.asp, update the code so it matches the code shown in the topic, Login.asp Code for the Supplier Solution Site.
Important
- If this is a single server that requires no support for proxy accounts, you do not need to update the Login.asp page.
For Windows Authentication, change the GetUserInfo() method in \SupplierAD\include\Std_access_lib.asp to the following:
    Sub GetUserInfo()
        Dim sAuthUser, mscsUser
        Dim aName

        ' LOGON_USER is read only when delegated administration is supported.
        If dictConfig.i_DelegatedAdminOptions = DELEGATED_ADMIN_SUPPORTED Then
            sAuthUser = LoginName(Request.ServerVariables("LOGON_USER"))
        Else
            sAuthUser = ""
        End If

        Rem Integrated Windows and basic auth take precedence over HTML form auth
        If sAuthUser <> "" Then
            m_UserAccessType = IIS_AUTH ' BASIC_AUTH
            m_UserType = AUTH_USER
            Set mscsUser = GetUserProfileByLoginName(sAuthUser)
            If mscsUser Is Nothing Then
                m_UserID = ""
            Else
                m_UserID = mscsUser.Fields(GetQualifiedName(GENERAL_INFO_GROUP, USER_ID)).Value
            End If
        Else
            ' No IIS-authenticated user: fall back to the MSCSAuth ticket.
            If mscsAuthMgr.IsAuthenticated() Then
                sAuthUser = mscsAuthMgr.GetUserID(AUTH_TICKET)
                Set mscsUser = GetUserProfileByLoginName(sAuthUser)
                If mscsUser Is Nothing Then
                    m_UserID = ""
                Else
                    m_UserID = mscsUser.Fields(GetQualifiedName(GENERAL_INFO_GROUP, USER_ID)).Value
                End If
                m_UserAccessType = TICKET_AUTH
                m_UserType = AUTH_USER
            Else
                ' No auth ticket: treat the visitor as a guest or as anonymous.
                If Not IsNull(mscsAuthMgr.GetUserID(GUEST_TICKET)) Then
                    m_UserID = mscsAuthMgr.GetUserID(GUEST_TICKET)
                    m_UserAccessType = GUEST_VISIT
                    m_UserType = GUEST_USER
                Else
                    m_UserID = ""
                    m_UserAccessType = ANON_VISIT
                    m_UserType = ANON_USER
                End If
            End If
        End If
    End Sub

    ' Returns the part of sUserName after the last backslash
    ' (DomainName\userID becomes userID).
    Function LoginName(ByVal sUserName)
        Dim aName
        If (sUserName = "") Then
            Exit Function
        End If
        aName = Split(sUserName, "\")
        LoginName = aName(UBound(aName))
    End Function
For Windows Authentication, in the PrepareLoginSection method in \SupplierAD\template\menu.asp, change the code in a Request.ServerVariables string that is referring to the "AUTH_USER" server variable to refer to the "LOGON_USER" server variable. For example:
Before: sAuthUser = Request.ServerVariables("AUTH_USER")
After: sAuthUser = Request.ServerVariables("LOGON_USER")
Save and close the updated Login.asp and Menu.asp pages.
Use Business Desk to create a new user for the Supplier site.
Important
- You must create an Organization before adding any users or creating new users for it.
Use Internet Explorer to navigate to http://<computername>/SupplierAD.
At the login page, type the user name using DomainName\userID or User Principal Name (UPN) format. (You can add logic to Login.asp to add these to the userID/name).
Note
- If you have a partitioned Active Directory/SQL Server user profile, enter only <username>@ on the logon page, where <username> is your userID. In this scenario, AuthFilter resolves the domain name from the username.
At the login page, type the password if you are a registered user, or choose to register by clicking the link at the bottom of the page. (You need to add your own registration page on which you can create accounts on Active Directory.)
The Login.asp page sets the MSCSAuth ticket for the registered user, retrieves the profile for the user, and checks credentials if required. The request populates the default Web page using the profile information it retrieved.
If the user name or password is not valid or if the profile could not be found, the Login.asp page is displayed again with an error message, and presents the same two options to log in as before.
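The IIS settings this procedure calls for can be verified from a script after the steps are complete. The following Windows Script Host example is added here and is not part of the original topic; the metabase paths (site ID 1 and the SupplierAD virtual directory) and the SEPARATE_DC switch are assumptions to adjust for your server.

```vbscript
' Added example: audit the IIS authentication settings described in this
' topic. Run with: cscript //nologo CheckAuthSettings.vbs
Option Explicit

' Assumptions: site ID 1 and a virtual directory named SupplierAD.
Const SITE_PATH = "IIS://localhost/W3SVC/1/ROOT/SupplierAD"
Const AUTHFILES_PATH = "IIS://localhost/W3SVC/1/ROOT/SupplierAD/AuthFiles"
' Set to True when the domain controller is a different computer.
Const SEPARATE_DC = True

Dim nFailures, oSite, oAuthFiles, sAnon
nFailures = 0

Sub Check(ByVal bOk, ByVal sMessage)
    Dim sTag : sTag = "PASS  "
    If Not bOk Then sTag = "FAIL  " : nFailures = nFailures + 1
    WScript.Echo sTag & sMessage
End Sub

' Returns the metabase node, or Nothing when the path has no key.
Function OpenNode(ByVal sPath)
    Set OpenNode = Nothing
    On Error Resume Next
    Set OpenNode = GetObject(sPath)
    On Error GoTo 0
End Function

Set oSite = OpenNode(SITE_PATH)
If oSite Is Nothing Then
    Check False, "metabase node found: " & SITE_PATH
Else
    Check oSite.AuthBasic, "site: Basic authentication enabled"
    Check Not oSite.AuthNTLM, "site: Integrated Windows authentication cleared"
End If

Set oAuthFiles = OpenNode(AUTHFILES_PATH)
If oAuthFiles Is Nothing Then
    ' Without its own key the folder only inherits the site's settings.
    Check False, "AuthFiles has its own metabase settings"
Else
    sAnon = oAuthFiles.AnonymousUserName
    Check oAuthFiles.AuthAnonymous, "AuthFiles: anonymous access enabled"
    Check Not (oAuthFiles.AuthBasic Or oAuthFiles.AuthNTLM), "AuthFiles: Basic and Integrated disabled"
    If SEPARATE_DC Then Check UCase(Left(sAnon, 5)) <> "IUSR_", "AuthFiles: anonymous account is a domain account (" & sAnon & ")"
End If

WScript.Echo nFailures & " check(s) failed."
WScript.Quit nFailures
```

The script inspects only the AuthFiles folder node; pages in that folder that carry their own metabase settings need the same check.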
Copyright © 2005 Microsoft Corporation.
All rights reserved.