Authenticating Users Separately For Each Virtual Server

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

If you are using the version of Microsoft FrontPage 2002 Server Extensions that ships with Microsoft Windows Server 2003, you can take advantage of a new feature that allows you to manage anonymous user access separately for Web sites on separate virtual servers. This is an advanced scenario, and is intended for use by Internet Service Providers (ISPs) and Web Presence Providers (WPPs) who allow users direct access to the file system of their Web sites through methods such as FTP, ASP, Perl, and so on.

The issue: allowing users to browse anonymously after authenticating

In previous versions of FrontPage Server Extensions, when a Web site is set to allow anonymous users to browse the site content, and a user authenticates to perform some other tasks, such as modifying a file, they can no longer browse any sites on that server anonymously. This is problematic when the user goes to browse a different Web site on the same virtual server. Because they have authenticated, they are no longer anonymous, and because their own credentials are not used by the new Web site, they may be blocked from browsing the new site.

For example, your server, SERVER1, hosts both https://www.example.com (a site that allows anonymous browsing) and https://www.example.com/subweb (a site that does not allow anonymous browsing) on the same virtual server. User1 is an author for www.example.com/subweb. Previously, when User1 accessed a file from the file system to make a change in www.example.com/subweb, and then browsed to www.example.com, the user was already authenticated. So, rather than browsing the site as an anonymous user, the user's credentials were checked and the user saw an access denied error.

The old solution: NETWORK/INTERACTIVE

To get around this issue, the FrontPage Server Extensions used the NETWORK/INTERACTIVE access control entries (ACEs) to allow users with user accounts to browse content, even after they have authenticated. However, these general groups may allow more permissive behavior than is desired. For example, if a user is accessing the files by way of the FTP protocol, or by running server-side scripts, the NETWORK/INTERACTIVE ACEs can allow users of other virtual servers on the same machine to view not only the HTML files but also ASP source files or other scripting files. The content is safe when browsing with the HTTP protocol; it is only when a user is directly accessing the file system that there is a potential issue.

The new solution: using group accounts

The version of FrontPage 2002 Server Extensions that ships with Windows Server 2003 prevents such unauthorized access. You can use group accounts to separate anonymous access by virtual server, so that only anonymous users and registered users on the same virtual server have access to the source files. When you use the new feature, the users on one virtual server can no longer read source files on another virtual server. 

Using group accounts

To take advantage of this new feature, you must create a group account to track all user accounts that have access to a virtual server. This group account is used instead of NETWORK/INTERACTIVE for the Web site content's access control list (ACL).

To turn on this feature and to specify the name for the group account, you use the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports\anonusergroupprefix (or HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\All Ports\anonusergroupprefix on x64-based computers)

    This registry key is set at the global level. It enables group accounts and specifies the prefix to use for group accounts for each virtual server. This registry key is required if you want to use group accounts.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\Ports\Port <instance number>\anonusergroup (or HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\Ports\Port <instance number>\anonusergroup on x64-based computers)

    This registry key can be set for each virtual server that uses this feature and controls the specific group account used for that virtual server. You do not need to set this registry key if you want to use the global prefix to create names for group accounts automatically. You must set this registry key if you want to use a specific group account for a particular virtual server.

These registry keys are not created by default. They take a string value, and can be created after you install FrontPage 2002 Server Extensions.

At the global level, in the anonusergroupprefix registry key, you specify a prefix for the account (such as "FPSE"), and when the virtual server is extended, the IIS instance number is added to the prefix to make the group name for that virtual server. You can use any type of prefix you like, and the prefix can contain a UNC domain, such as "DOMAIN1\FPSE". For example, instead of using IUSR_SERVER1 for all anonymous access on that server, you would have the FPSE_1 account assigned to the www.example.com site. You can then manage access to Web site content using this group, rather than using NETWORK/INTERACTIVE.

Note   If you do not want to allow a domain group to be used, you can specify the machine name as part of the prefix. For example, to restrict groups to the MACHINE1 computer, you would use the prefix "MACHINE1\FPSE" rather than just "FPSE" or "DOMAIN1\FPSE". In order for this feature to work over UNC paths, however, domain names must be used.

At the virtual server level, you can let each virtual server inherit the prefix naming, or you can set the anonusergroup registry key to specify a particular group to use. If you specify a user group in the virtual server key, then that group is used. If the group does not exist, the ACE reverts to NETWORK/INTERACTIVE. If you do not specify a group in the anonusergroup registry key for the virtual server, the prefix from the anonusergroupprefix registry key is combined with the virtual server instance number to make a group name, and that group is used. If that group does not exist, the ACE again reverts to NETWORK/INTERACTIVE.
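
The following PowerShell script is an added example; it is not part of the original article and not code from FrontPage Server Extensions. It applies the rules in the preceding paragraph to one virtual server and reports which principal the extensions will place in the content ACL, so that a silent fallback to NETWORK/INTERACTIVE (because the named group does not exist) is visible before you extend the server or run a health check. The function names are the example's own; the registry paths are the ones listed above, and the per-server child key name "Port <instance number>" is taken from the placeholder above and is an assumption, so pass -PortKeyName if the key on your server is named differently.

```powershell
# Added example (not from the original article). Resolves the effective anonymous-access
# principal for one FrontPage-extended virtual server, following the documented fallback:
#   1. anonusergroup under Ports\<port key>, if set and the group exists
#   2. anonusergroupprefix under All Ports + "_" + instance number, if the group exists
#   3. otherwise NETWORK/INTERACTIVE (the old behaviour)

function Test-PrincipalExists {
    param([Parameter(Mandatory)][string]$Name)
    # "MACHINE\Group" or "DOMAIN\Group" translates to a SID only if the account exists.
    try {
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Get-FpseRegistryRoot {
    # 32-bit extensions on an x64 host are redirected to the WOW6432Node view (see above).
    $native = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions'
    $wow    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Shared Tools\Web Server Extensions'
    if (Test-Path $native) { return $native }
    return $wow
}

function Resolve-FpseAnonGroup {
    param(
        [Parameter(Mandatory)][string]$InstanceNumber,
        [string]$PortKeyName = "Port $InstanceNumber"   # assumption: key name as shown in the article
    )
    $root = Get-FpseRegistryRoot
    $prefix   = (Get-ItemProperty -Path "$root\All Ports" -ErrorAction SilentlyContinue).anonusergroupprefix
    $explicit = (Get-ItemProperty -Path "$root\Ports\$PortKeyName" -ErrorAction SilentlyContinue).anonusergroup

    $fallback = [pscustomobject]@{ Source = 'fallback'; Principal = 'NETWORK/INTERACTIVE'; MissingGroup = $null }

    # Rule 1: a per-virtual-server anonusergroup value wins, provided the group exists.
    if (-not [string]::IsNullOrWhiteSpace($explicit)) {
        if (Test-PrincipalExists $explicit) {
            return [pscustomobject]@{ Source = 'anonusergroup'; Principal = $explicit; MissingGroup = $null }
        }
        $fallback.MissingGroup = $explicit
        return $fallback
    }

    # Rule 2: otherwise prefix + "_" + instance number, again only if that group exists.
    if (-not [string]::IsNullOrWhiteSpace($prefix)) {
        $derived = '{0}_{1}' -f $prefix, $InstanceNumber
        if (Test-PrincipalExists $derived) {
            return [pscustomobject]@{ Source = 'anonusergroupprefix'; Principal = $derived; MissingGroup = $null }
        }
        $fallback.MissingGroup = $derived
        return $fallback
    }

    # Rule 3: the feature is not enabled at all; the old NETWORK/INTERACTIVE ACEs are applied.
    return $fallback
}

# Usage (instance number 1 is a constructed value). A non-empty MissingGroup means the
# server will silently revert to NETWORK/INTERACTIVE until that group is created.
Resolve-FpseAnonGroup -InstanceNumber 1 | Format-List
```

Run the script once per virtual server before extending it. Source tells you which registry value produced the result, and MissingGroup names the group you still have to create when the result is the fallback.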

Enabling group accounts

You must create the All Ports registry key and populate it with a prefix before you extend any virtual server that uses this feature. When you extend a virtual server, it automatically gets the NETWORK/INTERACTIVE ACE unless you have entered a prefix in the All Ports\anonusergroupprefix registry key.

To enable group accounts
  1. Click Start, point to Run, type regedit, and then click OK.

  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports\

    Note On x64-based computers, the key is HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\All Ports\.

  3. On the Edit menu, click New, and then click String value.

  4. Type anonusergroupprefix as the new value name.

  5. Right-click the new value and then click Modify.

  6. Type a prefix for the group name.

    For example, enter the prefix "FPSE". Do not include an underscore (_) with the prefix. FrontPage 2002 Server Extensions adds the underscore when it adds the IIS instance number to the prefix.

Configuring the virtual server group name

To configure a virtual server to use a group name, you have two choices:

  • You can use the automatically-generated group name from the anonusergroupprefix registry key. In this case, you do not have to configure anything at the virtual server level; you simply make sure that the group name exists on your server or domain.

  • You can modify the virtual server's registry key with a specific group name after you extend the virtual server and then run the server health feature to apply the new ACE entries.

If you do not set the anonusergroup registry key for a particular virtual server, and you have not enabled the global registry key, or the group name you specify at either level does not exist, then the NETWORK/INTERACTIVE ACE is applied by default.

To specify a group prefix before extending the virtual server
  1. Click Start, point to Run, type regedit, and then click OK.

  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports

    Note On x64-based computers, the key is HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\All Ports.

  3. On the Edit menu, click New, and then click String value.

  4. Type anonusergroupprefix as the new value name.

  5. Right-click the new value and then click Modify.

  6. Type the group name prefix to use (for example, anonfp). Now you can create the group.

  7. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

  8. Click the plus sign next to Local Users and Groups.

  9. Right-click Groups, and then click New Group.

  10. In the Group name box, type prefix_instancenumber where prefix is the prefix you specified in the anonusergroupprefix registry key and instancenumber is the instance number for your virtual server.

    For example, if you specified anonfp as the prefix, and the virtual server instance number is 1786543459, then the group name would be anonfp_1786543459.

  11. Click Create.

  12. Click Close.

After you have created the group, you can extend the virtual server. The group is automatically applied to the virtual server.

Note: This process adds the new group to any new virtual servers you extend. When you extend a new virtual server, verify that the NETWORK/INTERACTIVE ACE has not been applied. Remove the NETWORK/INTERACTIVE ACE if it has been applied to the newly-extended virtual server.

If you have already extended the virtual server, you can still add a group name.

To specify a group name after extending the virtual server
  1. Click Start, point to Run, type regedit, and then click OK.

  2. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\Ports\Port <instance number>

    Note On x64-based computers, the key is HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Shared Tools\Web Server Extensions\Ports\Port <instance number>.

  3. On the Edit menu, click New, and then click String value.

  4. Type anonusergroup as the new value name.

  5. Right-click the new value and then click Modify.

  6. Type the group name to use.

    Now you can create the group.

  7. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

  8. Click the plus sign next to Local Users and Groups.

  9. Right-click Groups, and then click New Group.

  10. In the Group name box, type a group name to use. The group name must match the group name you specified in the anonusergroup registry key.

  11. Click Create.

  12. Click Close.
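
The following PowerShell script is an added example, not part of the original article and not code from FrontPage Server Extensions. It scripts the registry and group-creation steps of the three procedures above (enabling the global prefix, creating the prefix_instancenumber group, and pinning an already-extended virtual server to a specific group). The function names are the example's own; the per-server key name "Port <instance number>" follows the article's placeholder and is an assumption; the New-LocalGroup and Get-LocalGroup cmdlets exist on Windows Server 2016 and later, so on older hosts substitute net localgroup. The prefix, group names, and instance numbers in the usage lines are constructed values.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session;
# add -WhatIf to any call below to see the change without making it.

function Get-FpseRegistryRoot {
    # 32-bit extensions on an x64 host are redirected to the WOW6432Node view.
    $native = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions'
    $wow    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Shared Tools\Web Server Extensions'
    if (Test-Path $native) { return $native }
    return $wow
}

function Set-FpseStringValue {
    # Create the key if needed and write a REG_SZ value (the article says both values are strings).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    if ($PSCmdlet.ShouldProcess($Key, "set $Name = $Value")) {
        if (-not (Test-Path $Key)) { $null = New-Item -Path $Key -Force }
        $null = New-ItemProperty -Path $Key -Name $Name -PropertyType String -Value $Value -Force
    }
}

function Set-FpseAnonGroupPrefix {
    # "To enable group accounts": the global prefix under All Ports.
    # No underscore allowed; the extensions append "_<instance number>" themselves.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidatePattern('^[^_]+$')][string]$Prefix)
    Set-FpseStringValue -Key "$(Get-FpseRegistryRoot)\All Ports" -Name anonusergroupprefix -Value $Prefix
}

function Set-FpseVirtualServerGroup {
    # "To specify a group name after extending the virtual server": the per-server override.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InstanceNumber,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$PortKeyName = "Port $InstanceNumber"   # assumption: key name as shown in the article
    )
    Set-FpseStringValue -Key "$(Get-FpseRegistryRoot)\Ports\$PortKeyName" -Name anonusergroup -Value $GroupName
}

function New-FpseAnonGroup {
    # Create the local group the extensions will look for. A domain-qualified prefix such as
    # DOMAIN1\FPSE needs the group created in the domain instead (for example with New-ADGroup).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = 'FrontPage Server Extensions anonymous/registered users'
    )
    if (Get-LocalGroup -Name $Name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($Name, 'create local group')) {
        $null = New-LocalGroup -Name $Name -Description $Description
    }
}

# Constructed usage, mirroring the article's values.
# 1. Global prefix, then the derived group for instance 1786543459 (prefix_instancenumber).
Set-FpseAnonGroupPrefix -Prefix 'anonfp'
New-FpseAnonGroup -Name 'anonfp_1786543459' -Description 'FPSE group for IIS instance 1786543459'

# 2. An already-extended server (instance 1, constructed) pinned to an explicit group name.
Set-FpseVirtualServerGroup -InstanceNumber 1 -GroupName 'FPSE_www_example_com'
New-FpseAnonGroup -Name 'FPSE_www_example_com' -Description 'FPSE group for IIS instance 1 (explicit)'
```

Giving each group a description, as the article recommends, is what makes the prefix_instancenumber names findable later in Computer Management. After the second case you still have to run the server health check from the Site Administration page so that the new ACE is applied to the content.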

Note: This process adds the new group to an already-extended virtual server. Whenever you perform these steps, you should also verify that the NETWORK/INTERACTIVE ACE has not been applied, and remove that permission if it has been applied to the extended virtual server.

Next, you use the server health check operation to reapply the security settings and add the anonymous group name.

To run a server health check

  1. Open the Site Administration page for the virtual server you want to check.

  2. In the Server Health area, click Check server health.

  3. In the Detect and Repair area, select the Repair check box next to Reapply file security settings, and select the Detect and Repair check boxes next to Check roles configuration, Tighten security, and Check anonymous access.

  4. Click OK.

Note: Do not use the command line to run the server health check – it does not apply the anonymous user group. For more information about running server health checks, see Monitoring Server Health.
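
The following PowerShell script is an added example, not part of the original article and not code from FrontPage Server Extensions. It performs the verification the notes above call for after a health check: it walks a virtual server's content folder and reports any folder where a NETWORK or INTERACTIVE ACE is still present or where the expected group is absent. Identities are compared by well-known SID (S-1-5-2 for NETWORK, S-1-5-4 for INTERACTIVE) rather than by display name. The function name is the example's own, and the content path and group name in the usage lines are constructed values.

```powershell
# Added example (not from the original article). Audit a content tree for leftover
# NETWORK/INTERACTIVE ACEs and for the presence of the per-virtual-server group.

function ConvertTo-Sid {
    param([Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl normally returns NTAccount references; orphaned entries already come back as SIDs.
    try {
        return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $Identity.Value
    }
}

function Test-FpseContentAcl {
    param(
        [Parameter(Mandatory)][string]$ContentRoot,
        [Parameter(Mandatory)][string]$ExpectedGroup
    )
    $legacySids  = @('S-1-5-2', 'S-1-5-4')   # NETWORK, INTERACTIVE
    $expectedSid = ConvertTo-Sid ([System.Security.Principal.NTAccount]$ExpectedGroup)
    $rootPath    = (Get-Item $ContentRoot).FullName

    # Check the root plus every subfolder that carries its own (non-inherited) ACEs: that is
    # where a subweb with different permissions, or a leftover legacy entry, would show up.
    $folders = @(Get-Item $ContentRoot) + @(Get-ChildItem $ContentRoot -Recurse -Directory)
    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        $ownAces = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($folder.FullName -ne $rootPath -and $ownAces.Count -eq 0) { continue }

        $groupPresent = $false
        foreach ($ace in $acl.Access) {
            $sid = ConvertTo-Sid $ace.IdentityReference
            if ($sid -eq $expectedSid) { $groupPresent = $true }
            if ($legacySids -contains $sid) {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Finding  = 'NETWORK/INTERACTIVE ACE still present'
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
        if (-not $groupPresent) {
            [pscustomobject]@{
                Path     = $folder.FullName
                Finding  = "group $ExpectedGroup not in ACL"
                Identity = $null
                Rights   = $null
            }
        }
    }
}

# Usage with constructed values: the default IIS content folder and a machine-local group.
$findings = Test-FpseContentAcl -ContentRoot 'C:\Inetpub\wwwroot' `
                                -ExpectedGroup "$env:COMPUTERNAME\anonfp_1786543459"
if ($findings) { $findings | Format-Table -AutoSize } else { 'Content ACLs match the expected group.' }
```

An empty result means the health check applied the group and no legacy entry survived. Any "still present" finding is a folder where users of other virtual servers could still read files through direct file-system access, which is exactly the condition the group-account feature is meant to close; remove that ACE and rerun the health check from the Site Administration page.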

Maintaining the group accounts

Setting these registry keys does not create the group accounts. These registry keys simply allow FrontPage 2002 Server Extensions to use the group accounts. You must create and manage these group accounts yourself, using the Computer Management console for your server. If the group account you specify (using the prefix plus the IIS instance number method or by typing a specific group into the virtual server registry key) does not exist, the virtual server reverts to using NETWORK/INTERACTIVE.

Note   When you use the prefix and instance number to create the group, it may be difficult to see quickly which group corresponds to which virtual server. It is recommended that you fill in descriptions for the different accounts so that you can quickly find the ones you want.

To view local groups

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

  2. Expand Local Users and Groups.

  3. Click Groups.

For information about adding new groups and adding members to the group, see the Help system for Computer Management.