HOW TO: Enable the Retail Solution Site for Proxy Authentication (301277)
The information in this article applies to:
- Microsoft Commerce Server 2000
This article was previously published under Q301277
SUMMARY
This article discusses how to implement Proxy Authentication in the Commerce Server 2000 Retail Solution Site.
With Proxy Authentication, a site can use ACL-based security without the overhead of creating an account in Active Directory for each site user. A proxy account can be assigned to the site as a whole, or on a user-by-user basis.
This article provides the necessary steps to implement a global proxy account on the Retail Solution Site. NOTE: Proxy Authentication works in conjunction with the Commerce Server Authentication Filter, which requires that clients have cookies enabled.
Unpackage Retail Site
Use the following procedure if you are going to make the computer a Web server and if you are going to place all of the database files on one Microsoft SQL Server-based server.
To unpack a site quickly while accepting most of the default settings:
- Click Start, point to Programs, point to Microsoft Commerce Server 2000, and then click Commerce Server Site Packager.
- In the Commerce Server Site Packager dialog box, select Unpack from a package file, and then click Next.
- In the Unpack dialog box, click the Browse button next to the File to unpack box.
- In the Open dialog box, navigate to the folder that contains the file that you want to unpack, click the file, and then click Open.
- On the Unpack dialog box, select Quick unpack, and then click Next.
- In the Quick Unpack dialog box, you have the following options:
  - Site name: Type the name for the site if you want to change it. Do not include special characters (such as #, @, %, and ') in the name and do not name your site "Commerce."
  - IIS Web site: Select the name of the IIS Web site where the applications will be installed.
  - SQL Server computer: Type the name of the SQL server that will contain the databases for the site.
  - SQL user name: Type the SQL logon name for the databases.
  - SQL password: Type the SQL logon password.
- If the Data Warehouse dialog box opens, you have the following options:
  - Name: Type a name for the global Data Warehouse resource.
  - Server: Type the name of the SQL Analysis online analytical processing (OLAP) computer.
  - Database: Type the name of the Analysis (OLAP) database to use.
- Click Next.
- If the first Profiling System dialog box opens, you have the following options:
  - Profile Schema Definition: Specify the profile schema definition to import.
  - Site Terms Definition: Specify the site terms definition to import.
  - Expression Definition: Specify the expression definition to import.
- Click Next.
- If the second Profiling System dialog box opens, you have the following options:
  - Profiling System Connection String: Specify the files to import into the OLEDB data store. Click Modify to specify a different database.
  - Schema definition scripts (*.sql, *.vbs): Specify the schema definition scripts to import.
  - Data population scripts (*.sql): Specify the data population scripts to import.
- Click Next.
- In the Unpacking is complete dialog box, review the list of SQL Server databases and IIS applications that were created. To review the list of events in the Site Packager log file, click View Log File.
- To close Site Packager, click Finish.
Enable Windows Authentication
Enable the Windows Authentication mode of the Commerce Server Authentication filter in Commerce Server Manager:
- Start Commerce Server Manager, click Commerce Server Manager, click Commerce Sites, click Retail, and then click Applications.
- Right-click your retail application, and then click Properties.
- In the Commerce Authentication Filter property group, set Authentication filter to Windows Authentication.
- Click OK to accept the changes. For the changes to take effect, run iisreset. To do so, run it from a command prompt or click Start, click Run, type iisreset, and then click OK.
- Expand Internet Information Services, right-click the site, and then click Properties. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. In the Authentication Methods dialog box, enable Basic authentication only.
Modify Login.asp to use Proxy Account
To enable the use of a Proxy Account, decide beforehand how and where to store and retrieve the proxy account information. To simplify this procedure, hard code the proxy account information into Login.asp:
- Open Login.asp (from the AuthFiles directory under Retail Site) in an editor, such as Notepad.
- The Login.asp page should look like the following code sample:
NOTE: All of the modifications are in the section that begins with the line: if strSelect = "fromButton" then
Modified Login.asp File
<!-- #INCLUDE FILE="../include/header.asp" -->
<!-- #INCLUDE FILE="../include/const.asp" -->
<!-- #INCLUDE FILE="../include/html_lib.asp" -->
<!-- #INCLUDE FILE="../include/form_lib.asp" -->
<!-- #INCLUDE FILE="../include/std_access_lib.asp" -->
<!-- #INCLUDE FILE="../include/std_profile_lib.asp" -->
<!-- #INCLUDE FILE="../include/std_cookie_lib.asp" -->
<!-- #INCLUDE FILE="../include/std_url_lib.asp" -->
<!-- #INCLUDE FILE="../include/std_util_lib.asp" -->
<!-- #INCLUDE FILE="../include/setupenv.asp" -->
<%
REM Microsoft Commerce Server 2000
REM sample login-file for using with AuthFilter
REM This file handles Login for user

'*****Add the Main()*****
Sub Main()
End Sub

Dim strSelect, strPassword, strPWD, strAuthErr, strSiteName, strUserID, strRetAsp, strGUID, sAuthUser
Dim objAuth, objMSCSProfileService, objMSCSProfileObj

Set objAuth = Server.CreateObject("Commerce.AuthManager")
strSiteName = CStr(Application("MSCSCommerceSiteName")) ' Get siteName, set in Global.asa in application scope

' check for Submit or not
strSelect = Request.QueryString("realSubmit")

' If users pressed the submit button
If strSelect = "fromButton" Then
  strUserID = Request.QueryString("txtUsername")   ' Get UserName from QueryString if this is GET request, this could be POST request also
  strPassword = Request.QueryString("txtPassword") ' Get Password from QueryString if this is GET request, this could be POST request also
  If (strUserID = "") Or (strPassword = "") Or IsNull(strUserID) Or IsNull(strPassword) Then
    Response.Redirect "Login.asp"
  End If

  '*****Changed From this line*****
  'sAuthUser = strUserID
  Set objMSCSProfileObj = GetUserProfileByLoginName(strUserID)
  If (objMSCSProfileObj Is Nothing) Then
    Response.Redirect "login.asp"
  End If
  strPWD = objMSCSProfileObj.Fields.Item("GeneralInfo").Value.Item("user_security_password")
  '*****To this line*****

  ' Get User-password: comment-out following line if you support Profiles
  'strPWD = GetCurrentUserPassword(strUserID)
  ' if profileSvc is not used for BlankSite:
  'strPWD = strPassword ' remove this line if you have read the password from UserProfileSvc or some other obj/src, in clear text

  If (strPWD = strPassword) Then ' if passwords are equal, not necessary in Windows-Auth-mode
    '*****Changed From this line*****
    Dim strUserGuid
    strUserGuid = objMSCSProfileObj.GeneralInfo.user_id
    'objAuth.SetAuthTicket strUserID, True, 90 ' set AuthTicket
    objAuth.SetAuthTicket strUserGuid, True, 90 ' set AuthTicket
    strUserID = "domain\ProxyUser"
    strPassword = "password"
    '*****To this line*****

    strRetAsp = Request.Cookies("MSCSFirstRequestedURL") ' First requested URL (even if there is no QueryString this URL contains '?' at the end)
    strRetAsp = strRetAsp + "&proxyuser=" ' QS-separator '?' is added by filter, in case of no Querystring
    strRetAsp = strRetAsp + strUserID     ' userID submitted : "DomainName\LoginID"
    strRetAsp = strRetAsp + "&proxypwd="  ' UPDATE_NEEDED for password (may need to change it to: 'strPwd')
    strRetAsp = strRetAsp + strPassword

    ' Distributed-Denial-Of-Service Attack (DDoS)
    ' this is to avoid DDoS Attacks with known User login ID
    '*****Code Changed From this line*****
    Dim objGenID
    Set objGenID = Server.CreateObject("Commerce.GenID") '$PERF: store one in Application scope in GLOBAL.ASA, Application("MSCSAuthGenID")
    'Set objGenID = Server.CreateObject("Commerce.GenID") '$PERF: store one in Application scope in GLOBAL.ASA, Application("MSCSAuthGenID")
    strGUID = objGenID.GenGUIDString
    objAuth.SetProperty 2, "guid", strGUID ' after setting Ticket
    strRetAsp = strRetAsp + "&guid="
    strRetAsp = strRetAsp + strGUID
    '*****To this line*****

    ' Go to the Original requested ASP which is stored in cookie "MSCSFirstRequestedURL" Or Default page
    If ((strRetAsp = "") Or IsNull(strRetAsp)) Then
      strRetAsp = strSiteName & "/default.asp"
      Response.Redirect strRetAsp
    End If
    Response.Redirect strRetAsp
  Else
    Response.Redirect "Login.asp" ' Incorrect password & redirect back to Login page
  End If
Else
  ' $WEB_FARM scenario: Logging onto a new server in WebFarm Or FT/FailOver scenario
  If objAuth.IsAuthenticated(30) Then ' for Web-Farm scenario <valid-Auth-Ticket Exist, but not cached in Filter>
    Dim strProfileUserID ' in case, if you are using UserProfileSvc
    strUserID = objAuth.GetUserID(2) ' Get LoginID <only in case of AD-Site>, from AuthTicket
    If (strUserID = "") Or (IsNull(strUserID)) Then
      Response.Redirect "Login.asp"
    End If
    ' Get User-password: comment-out following line if you support ProfileSvc
    strPassword = GetCurrentUserPassword(strUserID)
    strRetAsp = Request.Cookies("MSCSFirstRequestedURL") ' get the requested URL
    strRetAsp = strRetAsp + "&proxyuser="
    strRetAsp = strRetAsp + strUserID
    strRetAsp = strRetAsp + "&proxypwd="
    strRetAsp = strRetAsp + strPassword
    strGUID = objAuth.GetProperty(2, "guid") ' if this exists, you need to pass this also on Query string
    If Not IsNull(strGUID) Then
      strRetAsp = strRetAsp + "&guid="
      strRetAsp = strRetAsp + strGUID
    End If
    Response.Redirect strRetAsp
  Else ' $FIRST_TIME_LOGIN: First time logging on to the site/web-farm scenario
    Call PrintLogin() ' render the login form defined below
  End If
End If

Set objAuth = Nothing

' GetCurrentUserPassword -- wrapper function for getting a user profile/pwd...
Function GetCurrentUserPassword(ByVal strUserID)
  Dim strPWD
  Dim objMSCSProfileService, objMSCSProfileObj
  ' $PASSWORD: start
  ' To get Clear-Text-Password:
  ' get the Login name from Domain\LoginName format: in case of Windows-Auth mode
  ' strProfileUser = Split(strUserID, "\", -1, 1)
  ' strProfileUserID = strProfileUser(1)
  ' Get Profile Service stored in Application-Scope
  Set objMSCSProfileService = Application("MSCSProfileService")
  ' Get UserProfileObj for the user already Logged in (webFarm)
  Set objMSCSProfileObj = objMSCSProfileService.GetProfile(strUserID, "UserObject") ' GetUserProfileByLoginName(strUsername)
  If (objMSCSProfileObj Is Nothing) Then
    Response.Redirect "Login.asp"
  End If
  ' if password-available: in clear-text
  strPWD = objMSCSProfileObj.Fields.Item("GeneralInfo").Value.Item("user_security_password") ' objMSCSProfileObj.Fields("GeneralInfo.user_security_password").Value
  Set objMSCSProfileObj = Nothing
  GetCurrentUserPassword = strPWD
End Function
%>
<% Sub PrintLogin() %>
<FORM NAME="frmLogin" ACTION="Login.asp" METHOD="GET">
<H2 ID=L_LoginForm_HTMLText>CS2K-LoginForm</H2><ID Id=L_EnterCredential_ErrorMessage>
To access authenticated content, please enter your UserID & Password</ID>
<H3 ID=L_UserName_HTMLText>Username:<INPUT TYPE="text" NAME="txtUsername" SIZE=32 MAXLENGTH=32><br><ID ID=L_UserPassword_HTMLText>
Password :</ID><INPUT TYPE="password" NAME="txtPassword" SIZE=32 MAXLENGTH=32></H3><br>
<INPUT type=HIDDEN name="realSubmit" value="fromButton">
<p align="left">
<input type="submit" name="action" id=L_Submit_Button value="Submit">
<input type="reset" name="action" id=L_Reset_Button value="Reset">
</p>
<%
REM need to add own registration file under '\AuthFiles\' sub-Dir Or Copy ..\Retail\login\newuser.asp to '\AuthFiles\newuser.asp'
REM in global.asa update: dictPages.NewUser = "AuthFiles/newuser.asp"
REM You can update this to POST, instead of default GET
%>
<A HRef="newuser.asp" ID=L_RegisterIf_HTMLText>Register if you are a new user (solution sites: need to add own registration file under '\AuthFiles\' sub-Dir Or Copy ..\Retail\login\newuser.asp & update NewUser-File in Global.asa)</A>
</FORM>
<% End Sub %>
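The redirect built in Login.asp above carries proxyuser, proxypwd and guid on the query string, and the sample form submits txtPassword with METHOD="GET", so IIS records both passwords in the cs-uri-query column of its W3C extended log. The following Python, an added example that is not part of the original article or of Commerce Server, finds such records and redacts them before the log is kept; the log excerpt is constructed for illustration.

```python
"""Find and redact Commerce Server proxy credentials recorded in IIS W3C logs.

The proxy-authentication redirect places &proxyuser=...&proxypwd=...&guid=... on the
query string, and the GET-based login form adds txtPassword, so both land in cs-uri-query.
"""
import re
from urllib.parse import parse_qs

# Constructed sample log excerpt (not real traffic). Field order is taken
# from the #Fields: directive, as in any W3C extended log file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-27 10:15:01 10.0.0.5 GET /AuthFiles/Login.asp realSubmit=fromButton&txtUsername=alice&txtPassword=S3cret 302
2002-10-27 10:15:02 10.0.0.5 GET /default.asp proxyuser=CONTOSO%5CProxyUser&proxypwd=Pr0xyP%40ss&guid=1F2E3D4C 200
2002-10-27 10:15:05 10.0.0.9 GET /catalog.asp - 200
"""

# Query parameters that carry a secret in this flow (matched case-insensitively).
SENSITIVE_PARAMS = ("proxypwd", "txtpassword")
_REDACT_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_PARAMS) + r")=[^&]*")

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_credential_leaks(text):
    """Return (record, sorted lowercase names of leaked parameters) per offending record."""
    hits = []
    for rec in parse_w3c(text):
        qs = rec.get("cs-uri-query", "-")
        if qs == "-":  # IIS writes '-' when the request had no query string
            continue
        params = parse_qs(qs, keep_blank_values=True)
        leaked = sorted(p.lower() for p in params if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            hits.append((rec, leaked))
    return hits

def redact_query(qs):
    """Blank the value of every sensitive parameter; other parameters are left untouched."""
    return _REDACT_RE.sub(lambda m: m.group(1) + "=REDACTED", qs)
```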
If you see the Login page again after you type the credentials and submit the page, make sure that you have entered the credentials of the Web site user, and that the Proxy user account is in the "Domain\User" format.
Modification Type: Major | Last Reviewed: 10/27/2002
Keywords: kbhowto kbHOWTOmaster KB301277