Microsoft KB Archive/301277

= HOW TO: Enable the Retail Solution Site for Proxy Authentication =

Article ID: 301277

Article Last Modified on 10/27/2002


APPLIES TO


 * Microsoft Commerce Server 2000 Standard Edition




This article was previously published under Q301277



IN THIS TASK
 * SUMMARY
 * Unpackage Retail Site
 * Enable Windows Authentication
 * Modify Login.asp to use Proxy Account
 * Troubleshooting



== SUMMARY ==
This article discusses how to implement Proxy Authentication in the Commerce Server 2000 Retail Solution Site.

With Proxy Authentication, a site can use ACL-based security without the overhead of creating an account in Active Directory for each site user. A proxy account can be assigned to the site as a whole, or on a user-by-user basis.

This article provides the necessary steps to implement a global proxy account on the Retail Solution Site.

NOTE: Proxy Authentication works in conjunction with the Commerce Server Authentication Filter, which requires that clients have cookies enabled.


== Unpackage Retail Site ==
Use the following procedure if you are going to make the computer a Web server and if you are going to place all of the database files on one Microsoft SQL Server-based server.

To unpack a site quickly while accepting most of the default settings:
 * 1) Click Start, point to Programs, point to Microsoft Commerce Server 2000, and then click Commerce Server Site Packager.
 * 2) In the Commerce Server Site Packager dialog box, select Unpack from a package file, and then click Next.
 * 3) In the Unpack dialog box, click the Browse button next to the File to unpack box.
 * 4) In the Open dialog box, navigate to the folder that contains the file that you want to unpack, click the file, and then click Open.
 * 5) On the Unpack dialog box, select Quick unpack, and then click Next.
 * 6) In the Quick Unpack dialog box, you have the following options:
    * Site name: Type the name for the site if you want to change it. Do not include special characters (such as #, @, %, and ') in the name and do not name your site "Commerce."
    * IIS Web site: Select the name of the IIS Web site where the applications will be installed.
    * SQL Server computer: Type the name of the SQL server that will contain the databases for the site.
    * SQL user name: Type the SQL logon name for the databases.
    * SQL password: Type the SQL logon password.
 * 7) If the Data Warehouse dialog box opens, you have the following options:
    * Name: Type a name for the global Data Warehouse resource.
    * Server: Type the name of the SQL Analysis online analytical processing (OLAP) computer.
    * Database: Type the name of the Analysis (OLAP) database to use.
 * 8) Click Next.
 * 9) If the first Profiling System dialog box opens, you have the following options:
    * Profile Schema Definition: Specify the profile schema definition to import.
    * Site Terms Definition: Specify the site terms definition to import.
    * Expression Definition: Specify the expression definition to import.
 * 10) Click Next.
 * 11) If the second Profiling System dialog box opens, you have the following options:
    * Profiling System Connection String: Specify the files to import into the OLEDB data store. Click Modify to specify a different database.
    * Schema definition scripts (*.sql, *.vbs): Specify the schema definition scripts to import.
    * Data population scripts (*.sql): Specify the data population scripts to import.
 * 12) Click Next.
 * 13) In the Unpacking is complete dialog box, review the list of SQL Server databases and IIS applications that were created. To review the list of events in the Site Packager log file, click View Log File.
 * 14) To close Site Packager, click Finish.


== Enable Windows Authentication ==
Enable the Windows Authentication mode of the Commerce Server Authentication filter in Commerce Server Manager:
 * 1) Start Commerce Server Manager, click Commerce Server Manager, click Commerce Sites, click Retail, and then click Applications.
 * 2) Right-click your retail application, and then click Properties.
 * 3) In the Commerce Authentication Filter property group, set Authentication filter to Windows Authentication.
 * 4) Click OK to accept the changes. For the changes to take effect, run iisreset. To do so, run it from a command prompt or click Start, click Run, type iisreset, and then click OK.
 * 5) Expand Internet Information Services, right-click the site, and then click Properties. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. In the Authentication Methods dialog box, enable Basic authentication only.


== Modify Login.asp to use Proxy Account ==
To enable the use of a proxy account, decide beforehand how and where to store and retrieve the proxy account information. To simplify this procedure, hard code the proxy account information into Login.asp:
 * 1) Open Login.asp (from the AuthFiles directory under Retail Site) in an editor, such as Notepad.
 * 2) The Login.asp page should look like the following code sample.

NOTE: All of the modifications are in the section that begins with the following line: if strSelect = "fromButton" then

Modified Login.asp File
<pre>
<%
REM Microsoft Commerce Server 2000
REM sample login-file for using with AuthFilter
REM This file handles Login for user
%>

<%
'*****Add the Main*****
Sub Main
'
End Sub

Dim strSelect, strPassword, strPWD, strAuthErr, strSiteName, strUserID, strRetAsp, strGUID, sAuthUser
Dim objAuth, objMSCSProfileService, objMSCSProfileObj

Set objAuth = Server.CreateObject("Commerce.AuthManager")
strSiteName = CStr(Application("MSCSCommerceSiteName"))    ' Get siteName, set in Global.asa in application scope
objAuth.Initialize(strSiteName)

' check for Submit or not
strSelect = Request.QueryString("realSubmit")

' If users pressed the submit button
If strSelect = "fromButton" Then
    strUserID = Request.QueryString("txtUsername")      ' Get UserName from QueryString if this is GET request, this could be POST request also
    strPassword = Request.QueryString("txtPassword")    ' Get Password from QueryString if this is GET request, this could be POST request also
    If (strUserID = "") Or (strPassword = "") Or IsNull(strUserID) Or IsNull(strPassword) Then
        Response.Redirect "Login.asp"
    End If

    '*****Changed From this line*****
    'sAuthUser = strUserID
    Set objMSCSProfileObj = GetUserProfileByLoginName(strUserID)
    If (objMSCSProfileObj Is Nothing) Then
        Response.Redirect "login.asp"
    End If

    strPWD = objMSCSProfileObj.Fields.Item("GeneralInfo").Value.Item("user_security_password")
    '*****To this line*****

    ' Get User-password: comment-out following line if you support Profiles
    'strPWD = GetCurrentUserPassword(strUserID)
    ' if profileSvc is not used for BlankSite:
    'strPWD = strPassword  ' remove this line if you have read the password from UserProfileSvc or some other obj/src, in clear text

    If (strPWD = strPassword) Then    ' if passwords are equal, not necessary in Windows-Auth-mode
        '*****Changed From this line*****
        Dim strUserGuid
        strUserGuid = objMSCSProfileObj.GeneralInfo.user_id
        'objAuth.SetAuthTicket strUserID, True, 90      ' set AuthTicket
        objAuth.SetAuthTicket strUserGuid, True, 90     ' set AuthTicket

        ' For PROXY AUTHENTICATION:
        strUserID = "domain\ProxyUser"
        strPassword = "password"
        '*****To this line*****

        strRetAsp = Request.Cookies("MSCSFirstRequestedURL")   ' First requested URL (even if there is no QueryString this URL contains '?' at the end
        strRetAsp = strRetAsp + "&proxyuser="                  ' QS-separator '?' is added by filter, in case of no Querystring
        strRetAsp = strRetAsp + strUserID                      ' userID submitted : "DomainName\LoginID"
        strRetAsp = strRetAsp + "&proxypwd="                   ' UPDATE_NEEDED for password (may need to change it to: 'strPwd')
        strRetAsp = strRetAsp + strPassword

        '
        ' Distributed-Denial-Of-Service Attack (DDoS)
        '
        ' this is to avoid DDos Attacks with known User login ID
        '*****Code Changed From this line*****
        Dim objGenID
        Set objGenID = Server.CreateObject("Commerce.GenID") '$PERF: store one in Application scope in GLOBAL.ASA, Application("MSCSAuthGenID")
        'Set objGenID = Server.CreateObject("Commerce.GenID") '$PERF: store one in Application scope in GLOBAL.ASA, Application("MSCSAuthGenID")
        strGUID = objGenID.GenGUIDString
        objAuth.SetProperty 2, "guid", strGUID ' after setting Ticket
        strRetAsp = strRetAsp + "&guid="
        strRetAsp = strRetAsp + strGUID
        '*****To this line*****

        ' Go to the Original requested ASP which is stored in cookie "MSCSFirstRequestedURL" Or Default page
        If ((strRetAsp = "") Or IsNull(strRetAsp)) Then
            strRetAsp = strSiteName & "/default.asp"
            Response.Redirect strRetAsp
        End If
        Response.Redirect strRetAsp
    Else
        Response.Redirect "Login.asp"  ' Incorrect password & redirect back to Login page
    End If
Else
    ' $WEB_FARM scenario: Logging onto a new server in WebFarm Or FT/FailOver scenario
    If objAuth.IsAuthenticated(30) Then    ' for Web-Farm scenario
        Dim strProfileUserID               ' in case, if you are using UserProfileSvc

        strUserID = objAuth.GetUserID(2)   ' Get LoginID , from AuthTicket
        If (strUserID = "") Or (IsNull(strUserID)) Then
            Response.Redirect "Login.asp"
        End If

        ' Get User-password: comment-out following line if you support ProfileSvc
        strPassword = GetCurrentUserPassword(strUserID)

        strRetAsp = Request.Cookies("MSCSFirstRequestedURL") ' get the requested URL
        strRetAsp = strRetAsp + "&proxyuser="
        strRetAsp = strRetAsp + strUserID
        strRetAsp = strRetAsp + "&proxypwd="
        strRetAsp = strRetAsp + strPassword
        strGUID = objAuth.GetProperty(2, "guid")   ' if this exists, you need to pass this also on Query string
        If Not IsNull(strGUID) Then
            strRetAsp = strRetAsp + "&guid="
            strRetAsp = strRetAsp + strGUID
        End If

        Response.Redirect strRetAsp
    Else   ' $FIRST_TIME_LOGIN: First time logging on to the site/web-farm scenario
        PrintLogin
    End If
End If
Set objAuth = Nothing
%>

<%
' GetCurrentUserPassword -- wrapper function for getting a user profile/pwd...
Function GetCurrentUserPassword(ByVal strUserID)
    Dim strPWD
    Dim objMSCSProfileService, objMSCSProfileObj
    ''
    ' $PASSWORD: start
    '  To get Clear-Text-Password:
    ''
    'get the Login name from Domain\LoginName format: in case of Windows-Auth mode
    ' strProfileUser = split(strUserID, "\", -1, 1)
    ' strProfileUserID = strProfileUser(1)

    ' Get Profile Service stored in Application-Scope
    Set objMSCSProfileService = Application("MSCSProfileService")

    ' Get UserProfileObj for the user already Logged in (webFarm)
    Set objMSCSProfileObj = objMSCSProfileService.GetProfile(strUserID, "UserObject")  ' GetUserProfileByLoginName(strUsername)
    If (objMSCSProfileObj Is Nothing) Then
        Response.Redirect "Login.asp"
    End If

    ' if password-available: in clear-text
    strPWD = objMSCSProfileObj.Fields.Item("GeneralInfo").Value.Item("user_security_password") ' objMSCSProfileObj.Fields("GeneralInfo.user_security_password").Value
    Set objMSCSProfileObj = Nothing
    GetCurrentUserPassword = strPWD
End Function
%>

<% Sub PrintLogin %>
<HTML>
<HEAD><TITLE>Login</TITLE></HEAD>
<BODY>
<% ' Assumed FORM attributes: the form submits back to Login.asp by GET, matching the Request.QueryString reads above %>
<FORM ACTION="Login.asp" METHOD="GET">
<H2 ID=L_LoginForm_HTMLText>CS2K-LoginForm</H2>
<ID Id=L_EnterCredential_ErrorMessage> To access authenticated content, please enter your UserID & Password</ID>

<H3 ID=L_UserName_HTMLText>Username:<INPUT TYPE="text" NAME="txtUsername" SIZE=32 MAXLENGTH=32>
<ID ID=L_UserPassword_HTMLText> Password :</ID><INPUT TYPE="password" NAME="txtPassword" SIZE=32 MAXLENGTH=32></H3>

<INPUT type=HIDDEN name="realSubmit" value="fromButton">
<p align="left">
<input type="submit" name="action" id=L_Submit_Button value="Submit">
<input type="reset" name="action" id=L_Reset_Button value="Reset">
</FORM>

<H4>
<%
REM SOLUTION SITES: Retail
REM    need to add own registration file under '\AuthFiles\' sub-Dir Or Copy ..\Retail\login\newuser.asp to '\AuthFiles\newuser.asp'
REM    in global.asa update:   dictPages.NewUser = "AuthFiles/newuser.asp"
REM    You can update this to POST, instead of default GET
%>
<A HRef="newuser.asp" ID=L_RegisterIf_HTMLText>Register if you are a new user (solution sites: need to add own registration file under '\AuthFiles\' sub-Dir Or Copy ..\Retail\login\newuser.asp & update NewUser-File in Global.asa)</A>
</H4>

</BODY>
</HTML>
<% End Sub %>
</pre>
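The Login.asp listing above reads txtPassword from the query string and appends proxyuser and proxypwd to the redirect URL, so those values can be recorded wherever request URLs are logged. The following is an added example, not part of the original article or of Commerce Server: it scans IIS W3C extended log lines for those parameter names and redacts their values. The sample log lines, paths and the `SENSITIVE` set are constructed for illustration, and it assumes the `cs-uri-query` field is being logged as the client sent it.

```python
import re
from urllib.parse import parse_qsl

# Parameter names taken from the Login.asp listing; matching is case-insensitive.
SENSITIVE = {"txtpassword", "proxypwd"}
_REDACT = re.compile(r"(?i)((?:^|&)(?:txtpassword|proxypwd)=)[^&]*")

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-27 10:00:01 192.0.2.10 GET /Retail/default.asp - 302
2002-10-27 10:00:05 192.0.2.10 GET /Retail/AuthFiles/Login.asp txtUsername=alice&txtPassword=EXAMPLE-ONLY&realSubmit=fromButton 302
2002-10-27 10:00:06 192.0.2.10 GET /Retail/default.asp &proxyuser=domain\ProxyUser&proxypwd=EXAMPLE-ONLY&guid=CONSTRUCTED 200
"""


def redact_query(query):
    """Replace the value of every sensitive parameter with a marker."""
    return _REDACT.sub(r"\1[REDACTED]", query)


def scan_w3c_log(lines):
    """Return one finding per log entry whose query string carries a credential."""
    fields, findings = [], []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":                       # IIS writes "-" for an empty field
            continue
        names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        hits = sorted(names & SENSITIVE)
        if hits:
            findings.append({
                "line": lineno,
                "uri": row.get("cs-uri-stem", "-"),
                "params": hits,
                "redacted_query": redact_query(query),
            })
    return findings


if __name__ == "__main__":
    for f in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(f["line"], f["uri"], ",".join(f["params"]), f["redacted_query"])
```

Any hit means a site-user password or the proxy account password was written to the log in clear text; rotate the affected credential and restrict access to the log files.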


== Troubleshooting ==
If you see the Login page again after you type the credentials and submit the page, make sure that you have entered the credentials of the Web site user, and that the Proxy user account is in the "Domain\User" format.


Keywords: kbhowto kbhowtomaster KB301277


© Microsoft Corporation. All rights reserved.