Microsoft KB Archive/291783

= How to deploy data access pages over the Internet =

Article ID: 291783

Article Last Modified on 3/29/2007

-

APPLIES TO


 * Microsoft Access 2002 Standard Edition
 * Microsoft Office Access 2003

-



This article was previously published under Q291783



Advanced: Requires expert coding, interoperability, and multiuser skills.

This article applies to a Microsoft Access database (.mdb) and to a Microsoft Access project (.adp).



For a Microsoft Access 2000 version of this article, see 264080.



IN THIS TASK

 * SUMMARY
 * New Features for Deployment in Access 2002 or Later
 * Create a User for Anonymous Access
 * Configure Folder Permissions and Configure File Permissions
 * Configure the Web Server
 * Modify the Msdfmap.ini File
 * Where to Put the Database Page and the Data Access Pages
 * Modify the Data Access Pages
 * REFERENCES



SUMMARY
Data access pages permit you to create data-bound Web pages that can be viewed in Microsoft Internet Explorer 5 or later. These Web pages are typically intended for Intranet use. However, with special considerations, these Web pages can be deployed successfully over the Internet.

Note Microsoft Office Web Components (OWC) must be installed on the computer that accesses the data access pages. By default, the components are installed with any Microsoft Office installation.

This article discusses considerations for deploying data access pages over the Internet without addressing possible security issues. This article is intended to help you deploy data access pages over the Internet and to outline the steps that you must follow to make data access pages work correctly. If you are interested in learning about methods that you can use to add possible security enhancements to your data access pages, see the &quot;References&quot; section of this article.

Because the majority of the steps in this article must be performed on the server, this article assumes that you have a correctly configured Web server on the NTFS file system partition for deployment. If you are not hosting the Web site that houses the data access pages, you must work with your Internet Service Provider (ISP) to correctly configure the Web server.

back to the top

New Features for Deployment in Access 2002 or Later
To make it simpler for you to deploy multiple pages over the Internet, the ConnectionFile property is added to the DataSourceControl object in Office XP and later. ConnectionFile permits you to maintain connection information for multiple pages in an Office Data Connection (ODC) file. ConnectionFile also permits you to make changes to the connection string in the ODC file instead of making changes to each page.

ConnectionFile may contain the relative path of the ODC file. Therefore, you can develop your pages locally, you can deploy your pages and the ODC file to a Web server, and then you can edit the ODC file on the Web server for the updated location of the database without editing the data access pages.

To set the ConnectionFile property, follow these steps:
 * 1) Start Access. Open your page in Design view.
 * 2) Right-click the page, and then click Page Properties.
 * 3) Click the Data tab on the property sheet.
 * 4) Click in the ConnectionFile property, and then click the builder (...) button to move to an existing ODC file.

Note In the Select Data Source dialog box, you can also click New Source to use the Data Connection Wizard to create a new ODC file.

Create a User for Anonymous Access
Web servers are different based on whether you are using Microsoft Windows NT 4.0, Microsoft Windows 2000, or Microsoft Windows Server 2003. On the Web server where the data access pages are located, follow these steps:

Windows NT 4.0

 * 1) Click Start, point to Programs, point to Administrative Tools (Common), and then click User Manager for Domains.
 * 2) On the User menu, click Select Domain.
 * 3) Enter the computer name of the Web server, and then click OK.

Note This name is not the HTTP address of the server.
 * 1) On the User menu, click New User.
 * 2) In the User name box, type DAPInternetAccount.
 * 3) Click to clear the User Must Change Password at Next Logon check box, click to select the User Cannot Change Password check box, and then click to select the Password Never Expires check box.
 * 4) Click Add, and then click Close to close the dialog box.

Windows 2000

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
 * 2) Double-click Local Users and Groups, and then click the Users folder.
 * 3) On the Action menu, click New User.
 * 4) In the User name box, type DAPInternetAccount.
 * 5) Click to clear the User must change password at next logon check box, click to select the User cannot change password check box, click to select the Password never expires check box, and then click Create.
 * 6) Click Close to close the New User dialog box, and then close the Microsoft Management Console.

Windows Server 2003

 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.
 * 2) Double-click Local Users and Groups, and then click the Users folder.
 * 3) On the Action menu, click New User.
 * 4) Type DAPInternetAccount in the User name box.
 * 5) Click to clear the User must change password at next logon check box, click to select the User cannot change password check box, click to select the Password never expires check box, and then click Create.
 * 6) Click Close to close the New User dialog box, and then close the Microsoft Management Console.

back to the top

Configure Folder Permissions and Configure File Permissions
The user who interacts with your data access pages over the Internet must have Windows NT file permissions to the database to work with the locking (.ldb) file that is created when the user works with an Access database. Therefore, you must grant the appropriate permissions to the user who you created in the &quot;Create a User for Anonymous Access&quot; section of this article. Also, user must have read permission for the folder where the Remote Data Service (RDS) components are located. To configure folder permissions and to configure file permissions, follow these steps:

Note The following steps must be performed on the Web server.

Note If you are deploying a page in an Access project (.adp), you can skip the following steps. The following steps do not apply to Microsoft SQL Server.

Windows NT 4.0

 * 1) On the desktop, double-click My Computer.
 * 2) Move to the C:\Program Files\Common Files\System folder.

Note If your operating system is installed on a different logical drive, use that drive letter.
 * 1) Right-click the MSADC folder, click Properties, and then click the Security tab in the MSADC Properties dialog box.
 * 2) Click Permissions, and then click Add.
 * 3) Type  \DAPInternetAccount in the Add Names box (where   is the computer name of the Web server), and then click OK to close the dialog boxes.
 * 4) Assign Read permissions for DAPInternetAccount to the MSADC folder, close MSADC Properties, and then close the MSADC folder.
 * 5) Repeat step 1 through step 6, but select the folder where the database is located. Assign Full Control permissions to this folder.
 * 6) Repeat step 1 through step 6 again, but select the database file. Assign Full Control permissions to this file.

Note If the Replace Permissions on Existing Files option is selected for the folder, the database file inherits the permissions from the folder that it is in.

Windows 2000

 * 1) On the desktop, double-click My Computer.
 * 2) Move to the C:\Program Files\Common Files\System folder.

Note If your operating system is installed on a different logical drive, use that drive letter.
 * 1) Right-click the MSADC folder, click Properties, click the Security tab in the Msadc Properties dialog box, and then click Add.
 * 2) Replace <> with  \DAPInternetAccount (where   is the computer name of the Web server), and then click OK to close the dialog box.
 * 3) Make sure DAPInternetAccount is selected, and then click to clear the List Folder Contents check box for the MSADC folder.

Read permissions are assigned to the subdirectory.
 * 1) Click OK to close the Msadc Properties dialog box, and then close the MSADC folder.
 * 2) Repeat step 1 through step 6, but select the folder where the database is located, and then assign Full Control permissions to this folder.
 * 3) Repeat step 1 through step 6 again, but select the database file, and then assign Full Control permissions to this file.

Note If the Allow inheritable permissions from parent to propagate to this object option is selected for the file, the database file inherits the permissions from the folder that the database file is in.

Windows Server 2003

 * 1) Click Start, and then click My Computer.
 * 2) Move to the C:\Program Files\Common Files\System folder.

Note If your operating system is installed on a different logical drive, use that drive letter.
 * 1) Right-click the MSADC folder, click Properties, click the Security tab in the Msadc Properties dialog box, and then click Add.
 * 2) Replace <> with  \DAPInternetAccount (where   is the computer name of the Web server), and then click OK to close the dialog box.
 * 3) Make sure DAPInternetAccount is selected, and then click to clear the List Folder Contents check box for the MSADC folder.

Read permissions are assigned to the subdirectory.
 * 1) Click OK to close the Msadc Properties dialog box, and then close the MSADC folder.
 * 2) Repeat step 1 through step 6, but select the folder where the database is located, and then assign Full Control permissions to this folder.
 * 3) Repeat step 1 through step 6 again, but select the database file, and then assign Full Control permissions to this file.

By default, in Windows Server 2003, permissions that are assigned to a folder automatically propagate to the files that are in that folder. Therefore, the DAPInternetAccount has inherited Full Control permissions for the database file.

back to the top

Configure the Web Server
To return data to data access pages over the Internet, you must configure remote data services (RDS) on the Web server by using the MSADC virtual directory on the server. For additional information about how to configure RDS to run on a site other than the default Web site, click the following article number to view the article in the Microsoft Knowledge Base:

184606 HOWTO: Use RDS From an IIS 4.0 Virtual Server

Important Microsoft does not recommend running IIS on a domain controller, a backup domain controller (BDC), or a primary domain controller (PDC) if you are running Microsoft Windows NT Server 4.0. IIS performance is severely degraded because of the networking load and the processor load that is imposed by authentication and other roles that the domain controllers perform. Therefore, Microsoft does not test data access pages on a domain controller that runs IIS, and Microsoft does not support this configuration.

The following steps describe how to configure RDS if your data access pages are deployed under the default Web site in Internet Information Services (IIS).

Windows NT 4.0 and Windows 2000
 Open Internet Services Manager on the Web server. In Windows NT Server 4.0, click Start, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Service Manager.

In Windows 2000, click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager. Expand the default Web site. Right-click the MSADC virtual directory, and then click Properties. Click the Directory Security tab in the Msadc Properties dialog box.</li> Under Anonymous Access and Authentication Control, click Edit.</li> Make sure that the Allow Anonymous Access check box is selected, and then click Edit next to Account used for Anonymous Access.</li> Type DAPInternetAccount .</li> In Windows NT 4.0, click to select the Enable Automatic Password Synchronization check box.

In Windows 2000, click to select the Allow IIS to Control Password check box.</li> Click OK to close the dialog boxes and to return to Internet Services Manager.

Windows 2000 Server Only

On a clean installation of Windows 2000 Server, the MSADC virtual directory is set to deny access for all IP addresses and all domain names. For additional information about how to configure RDS on Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

250536 HOWTO: Configure RDS for Windows 2000

</li></ol>

Windows Server 2003

 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
 * 2) Expand   (local computer) (where   is the actual computer name that is assigned to your Web server), and then expand Web Sites.
 * 3) Right-click Default Web Site, point to New, and then click Virtual Directory.
 * 4) In the Virtual Directory Creation Wizard, click Next. In the Alias box, type MSADC, and then click Next. In the Path box, type C:\Program Files\Common Files\System\msadc , and then click Next two times. Click Finish.
 * 5) Right-click the new MSADC virtual directory, and then click Properties.
 * 6) Move to the Execute Permissions drop-down list in the MSADC Properties dialog box, and then select Scripts and Executables.
 * 7) Click the Directory Security tab. Under Authentication and access control, click Edit.
 * 8) Click to select the Enable anonymous access check box. Next to the User name box, click Browse.
 * 9) In the Select User dialog box in the Enter the object name to select box, type DAPInternetAccount, and then click OK.
 * 10) Click OK to close the Authentication Methods dialog box.
 * 11) Under IP address and domain name restrictions, click Edit.
 * 12) In the IP Address and Domain Name Restrictions dialog box, click the Granted Access option, and then click OK.
 * 13) Click OK to close the MSADC Properties dialog box, and then close IIS Manager.

Additional Configuration Settings for Windows Server 2003
If you do not apply the following configuration settings, you may receive the following error message:

Error: Safety settings on this computer prohibit accessing a data source on another domain.


 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
 * 2) Expand   (local computer) (where   is the actual computer name that is assigned to your Web server), and then expand Web Server Extensions.
 * 3) Click the Add a new Web service extension hyperlink.
 * 4) When the New Web Service Extension dialog box appears, type MSADC, and then click Add.
 * 5) When the Add file dialog box appears, in the Extension name box, type C:\Program Files\Common Files\System\msadc\msadcs.dll, and then click OK.
 * 6) Click to select the Set extension status to Allowed check box, and then click OK.
 * 7) Close IIS Manager.

back to the top

Modify the Msdfmap.ini File
You can use the Msdfmap.ini file on the Web server to permit data connections to the server. You can modify this file in several ways to permit data connection or to limit connections to a particular database. <ol> On the Web server, open the Msdfmap.ini file in Notepad.

This file is in the \WINNT folder.</li>  In the &quot;[connect default]&quot; section, change: Access=NoAccess -to- Access=ReadWrite This permits a read connection and a write connection to all the data connections on the server. </li>  In the &quot;[sql default]&quot; section, change: sql=&quot; &quot; -to- ;sql=&quot; &quot; This permits any SQL statement to run against any data source on the Web server. </li> Save the Msdfmap.ini file, and then close the file.</li></ol>

back to the top

Where to Put the Database Page and the Data Access Pages
If you store the database on the Web server with the data access pages, deployment is simple. However, to enhance security, put the database in a folder other than the Web site folder. By default, the Web site folder is C:\Inetpub\wwwroot when you install IIS. Because the wwwroot folder is typically open to the public, a malicious user may potentially download the database. To enhance security, put the database in a different folder on the Web server, such as C:\Inetpub.

back to the top

Modify the Data Access Pages
Because data access pages search the client-side computer to find the data source, routine deployment of data access pages does not work over the Internet. Instead, you must configure three-tier data access pages by using the UseRemoteProvider property of the page. While certain steps of this article may be modified based on the security settings that you select, you must complete this section to successfully deploy three-tier data access pages.
 * 1) Open a data access page in Design view.
 * 2) Right-click the data access page, and then click Page Properties.
 * 3) On the Data tab, change the UseRemoteProvider property to True.
 * 4) Click the Build (...) button in the ConnectionString property, and then verify that the connection string is pointing to a path that can be seen from the Web server.
 * 5) Close the data access page, and then save the data access page.

Important If you are not hosting the Web site, you may not be able to save changes to data access pages that are opened directly in Access by using the URL for the data access page. Instead, open the page in Microsoft FrontPage 2002 or later, and then edit the connection string manually as follows:

Note Make sure that you change the UseRemoteProvider property to true in Access before you open the data access page in FrontPage.
 * 1) Start FrontPage. On the File menu, click Open.
 * 2) Type the URL for your data access page on the Web server, and then click OK.
 * 3) In the lower-right corner of the screen, click the HTML tab.
 * 4) On the Edit menu, click Find.
 * 5) Type ConnectionString, and then click Find Next.
 * 6) Edit the Data Source portion of the connection string to the path of the database on the Web server.

To test the deployment, open the URL for the data access pages in Internet Explorer 5 or later.

back to the top

<div class="references_section">