Microsoft KB Archive/326020

= How to configure IIS 6.0 URL Authorization =

Article ID: 326020

Article Last Modified on 12/3/2007

-

APPLIES TO

 * Microsoft Internet Information Services 6.0, when used with:
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

-



This article was previously published under Q326020





SUMMARY
''Microsoft Internet Information Services 6.0 works with Authorization Manager in Microsoft Windows Server 2003 to provide IIS 6.0 URL Authorization. IIS 6.0 URL Authorization simplifies the administration of user access to Web objects. In IIS 6.0 URL Authorization, you maintain access control by using metabase attributes that control URL authorization. These metabase attributes are the following:''


 * AzEnable
 * AzStoreName
 * AzScopeName
 * AzImpersonationLevel

''You can set these metabase attributes by using a script. Authorization policy for IIS 6.0 URL Authorization is stored in an Authorization Manager policy store either in Active Directory or in an .xml file.

To configure IIS 6.0 URL Authorization, you must create your program folder under the Default Web Site folder in IIS Manager and then disable anonymous access to the site. You must then set the wildcard configuration properties to point to the URLAuth.dll file. You must also add URLAuth.dll as a new Web service extension. Next, you must set up an authorization policy store in Authorization Manager, set up the scope for the program, add the IIS worker process to the store's Readers role, and then configure the IIS metabase to use IIS 6.0 URL Authorization for the Web program.''



IN THIS TASK

 * INTRODUCTION
 * Metabase attributes that IIS 6.0 URL Authorization uses
 * Script to set the attributes on the IIS metabase
 * The AzImpersonationLevel attribute
 * The AzStoreName attribute
 * The AzScopeName attribute
 * How to configure IIS 6.0 URL Authorization
 * Create your program folder under the Default Web Site folder, and then disable anonymous access to the site
 * Set the wildcard configuration properties to point to the URLAuth.dll file
 * Add the URLAuth.dll file as a new Web service extension
 * Set up an authorization policy store in Authorization Manager
 * Set up the scope for the program
 * Add the IIS worker process to the store's Readers role
 * Configure the IIS metabase to use IIS 6.0 URL Authorization for the Web program
 * REFERENCES

<div class="summary_section">

INTRODUCTION
Microsoft Internet Information Services (IIS) 6.0 is included with Microsoft Windows Server 2003. IIS 6.0 works with Authorization Manager to provide IIS 6.0 URL Authorization. As a Web program administrator, you can use IIS 6.0 URL Authorization to control access to URLs based on custom user roles, on LDAP queries, and on BizRules.

To authorize user access to Web pages in IIS, you may have to manage many Discretionary Access Control Lists (DACLs) on resources that the Web programs use. Resources for Web programs may include Web page files, database records, registry keys, and more.

A task is a collection of low-level operations. An operation is a low-level permission that a resource manager uses to identify security procedures. Frequently, operations are not exposed or meaningful to administrators. For example, an operation may be WriteAttributes or ReadAttributes. The purpose of the task is to determine which low-level operations are required to do some unit of work that is meaningful to administrators. Several operations may be required to perform a meaningful task. To maintain DACLs, you must know which back-end permissions are required on each object to perform meaningful tasks in the Web program.

IIS 6.0 URL Authorization simplifies access management by letting you authorize user access to the URLs that make up a Web program. When a client requests a URL, IIS 6.0 URL Authorization validates the user's access based on the user roles. By using IIS 6.0 URL Authorization, you can control all user access to URLs instead of maintaining a DACL on each object. Additionally, the Web program can restrict access to resources and to operations by using the Authorization Manager role-based framework.

IIS 6.0 URL Authorization is implemented as an Internet Server API (ISAPI) interceptor DLL that is configured as a wildcard extension for a program, for a virtual directory, or for a URL. When a program, a virtual directory, or a URL is configured to use IIS 6.0 URL Authorization, each request to a URL is routed to the IIS 6.0 URL Authorization ISAPI interceptor.

The IIS 6.0 URL Authorization ISAPI interceptor then uses the Authorization Manager runtime to authorize access to the requested URL. For the Authorization Manager runtime to authorize access, the program location, the virtual directory location, or the URL must be associated with an Authorization Manager policy store that contains the authorization policy for the URL that is requested. After the client is authorized to access the URL, the IIS 6.0 URL Authorization ISAPI passes the request to the appropriate handler for the URL. For example, the IIS 6.0 URL Authorization ISAPI passes the request to ASP, to ASP.NET ISAPIs, or to the Static File Handler.

You can use IIS 6.0 URL Authorization to control access based on information that is only available at run time. For example, if you have a Web page that only employees in a specific cost center or employees of a specific age can view, you can assign roles to the correct users based on LDAP queries. The LDAP queries verify the cost center attribute or the age attribute on a user object at run time. If employees can access some pages only on specific days of the week or only during a specific time of day, you can create a BizRule that grants access to the URL based on these values. You can create a BizRule on any value that can be asserted at run time, including IIS Server Variables.
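The following is an added example, not code from this article or from Microsoft, that models the decision the URLAuth ISAPI interceptor obtains from the Authorization Manager runtime: a request URL is matched to the metabase entry that carries AzEnable and AzScopeName, the scope is looked up in the "IIS 6.0 URL Authorization" application, and the caller is granted the AccessURL operation (operation number 1, as in this article) if a role in that scope contains the caller, either by Windows group membership, by an LDAP-style query on user attributes (the cost center example above), or after a BizRule evaluated at run time (the time-of-day example). The users, groups, attribute names, URL paths and the "hour" value in the context are constructed sample data, and the classes are a simplified stand-in for the real AzMan object model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

ACCESS_URL = 1  # operation number that the article assigns to AccessURL


@dataclass
class User:
    name: str
    groups: Set[str]             # Windows group memberships (constructed)
    attrs: Dict[str, object]     # stand-in for LDAP attributes on the user object


@dataclass
class Role:
    name: str
    operations: Set[int]
    members: Set[str] = field(default_factory=set)                  # Windows users or groups
    ldap_queries: List[Callable[[User], bool]] = field(default_factory=list)
    biz_rule: Optional[Callable[[Dict[str, object]], bool]] = None   # evaluated per request


@dataclass
class Scope:
    name: str
    roles: List[Role]


class UrlAuthApplication:
    """The AzMan application named "IIS 6.0 URL Authorization" and its scopes (model)."""

    def __init__(self, scopes: List[Scope]):
        self.scopes = {s.name: s for s in scopes}

    @staticmethod
    def _is_member(role: Role, user: User) -> bool:
        if user.name in role.members or role.members & user.groups:
            return True
        return any(query(user) for query in role.ldap_queries)

    def access_check(self, scope_name, user, operation, context) -> bool:
        scope = self.scopes.get(scope_name)
        if scope is None:
            return False  # AzScopeName that does not exist in the store: every request is denied
        for role in scope.roles:
            if operation not in role.operations or not self._is_member(role, user):
                continue
            if role.biz_rule is None or role.biz_rule(context):
                return True
        return False


@dataclass
class MetabaseEntry:
    path: str              # URL path of the program or virtual directory
    az_enable: bool
    az_scope_name: str


def resolve_entry(entries, url):
    """Pick the deepest metabase entry whose path is a prefix of the requested URL."""
    hits = [e for e in entries if url == e.path or url.startswith(e.path.rstrip("/") + "/")]
    return max(hits, key=lambda e: len(e.path), default=None)


def authorize_request(app, entries, url, user, context):
    """True/False for URLs under URL Authorization; None where AzEnable is not set."""
    entry = resolve_entry(entries, url)
    if entry is None or not entry.az_enable:
        return None
    return app.access_check(entry.az_scope_name, user, ACCESS_URL, context)


# --- constructed sample policy and metabase (not real directory or server data) ---
def business_hours(ctx):
    # BizRule: grant only between 09:00 and 17:00; ctx["hour"] stands in for the server clock
    return 9 <= ctx["hour"] < 17


SAMPLE_APP = UrlAuthApplication([
    Scope("WebApp", [
        Role("Viewer", {ACCESS_URL}, members={r"CORP\WebApp Viewers"}),
        Role("CostCenterReports", {ACCESS_URL},
             ldap_queries=[lambda u: u.attrs.get("costCenter") == "4100"],
             biz_rule=business_hours),
    ]),
])

SAMPLE_METABASE = [
    MetabaseEntry("/WebApp", az_enable=True, az_scope_name="WebApp"),
    MetabaseEntry("/Public", az_enable=False, az_scope_name=""),
    MetabaseEntry("/Broken", az_enable=True, az_scope_name="NoSuchScope"),  # scope missing from store
]

ALICE = User(r"CORP\alice", {r"CORP\WebApp Viewers"}, {"costCenter": "2200"})
BOB = User(r"CORP\bob", set(), {"costCenter": "4100"})
CAROL = User(r"CORP\carol", set(), {"costCenter": "2200"})
```

The "/Broken" entry shows the failure mode described later in this article: when the AzScopeName in the metabase does not name a scope in the store, no role can match and every request to that URL is denied rather than falling back to NTFS permissions.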


Metabase attributes that IIS 6.0 URL Authorization uses
IIS 6.0 URL Authorization uses the metabase attributes in the following table to set authorization on a URL, on a virtual directory, or on a program. Each attribute is described in more detail in the sections that follow.

Attribute               Purpose
AzEnable                Turns IIS 6.0 URL Authorization on (True) or off (False) for the program, the virtual directory, or the URL.
AzStoreName             Location of the Authorization Manager policy store: msxml:// followed by the path of an .xml file, or msldap:// followed by the path of an Active Directory store.
AzScopeName             Name of the scope, in the IIS 6.0 URL Authorization application of that store, that controls access to this URL.
AzImpersonationLevel    Security context that IIS uses to retrieve the URL data after the client is authorized.


Script to set the attributes on the IIS metabase
The following script uses ADSI to set the metabase attributes on the IIS metabase entry for a program, for a virtual directory, or for a URL.

Note This script assumes that you have already created the IIS virtual directory that corresponds to the program. For additional information about how to create an IIS virtual directory, click the following article number to view the article in the Microsoft Knowledge Base:

816568 How to manage Web sites and Web virtual directories by using command-line scripts in IIS 6.0

' SetUrlAuth.vbs
' Configuring UrlAuth with a virtual directory
' This script uses ADSI to configure a virtual directory in the IIS 6.0 metabase to use
' IIS 6.0 URL Authorization.
'
' This script assumes that you have already created the IIS virtual directory
' that corresponds to the program.
'
' After you run this script, verify the settings with the Adsutil tool in
' the following way:
'
'   inetpub\adminscripts\adsutil enum w3svc/1/root/MyApp
'   (where MyApp is the application name)
'
' Use the Authorization Manager MMC snap-in to:
'   Create an application that is named IIS 6.0 URL Authorization.
'   Create an operation that is named AccessURL and that has an operation ID of 1.
'   Create a scope that corresponds to the AzScopeName that is specified to this script.
'     This scope name is used to manage access to URLs in this virtual directory.
'   Make sure that the IIS worker process has read access to the
'     AzMan policy store. To do this, right-click the AzMan store, click Properties,
'     and then click the Security tab.

Set objArgs = WScript.Arguments

If objArgs.Count < 4 Then
    WScript.Echo "Usage: SetUrlAuth VDirPath AzScopeName AzStoreName AzEnable [ImpersonationLevel]"
    WScript.Echo ""
    WScript.Echo "Example:"
    WScript.Echo "  SetUrlAuth w3svc/1/root/MyApp MyApp msxml://d:\inetpub\wwwroot\AzStore.xml True 1"
    WScript.Echo ""
    WScript.Echo "Run with the 'cscript' command in cmd.exe to avoid message boxes"
Else
    WScript.Echo objArgs(0)
    '
    ' Get the interface to the virtual directory object.
    '
    Dim iis
    Set iis = GetObject("IIS://localhost/" & objArgs(0))
    '
    ' Set the scope name. This scope governs URLs that refer to this virtual directory.
    ' This scope must exist in the corresponding Authorization Manager store.
    '
    iis.AzScopeName = objArgs(1)
    '
    ' Specify the location of the Authorization Manager policy store
    ' (msxml://path for an .xml file, msldap://path for Active Directory).
    '
    iis.AzStoreName = objArgs(2)
    '
    ' Enable IIS 6.0 URL Authorization for this virtual directory.
    ' The argument arrives as a string, so convert it to a Boolean for the metabase.
    '
    iis.AzEnable = CBool(objArgs(3))
    '
    ' Set the impersonation level property (optional fifth argument).
    '
    If objArgs.Count > 4 Then
        iis.AzImpersonationLevel = CLng(objArgs(4))
    End If
    '
    ' Write the settings to the metabase.
    '
    iis.SetInfo
End If

The AzImpersonationLevel attribute
When a client requests a Web page, IIS 6.0 URL Authorization first authorizes the client based on the Authorization Manager authorization policy. IIS then retrieves the URL data, such as an .htm file, under the security context that the AzImpersonationLevel attribute selects, and that context must hold the correct IIS directory security permissions and the correct NTFS file system permissions on the content. IIS 6.0 URL Authorization makes these permissions easier to maintain because it uses the trusted subsystem model: the worker process identity, rather than each individual user, reads the content, so you grant NTFS access once to that identity and keep the per-user decisions in the Authorization Manager policy. The example in this article passes a value of 1 for this attribute, which impersonates the worker process identity. A value of 0 impersonates the authenticated client, in which case each user also needs NTFS access to the files.


The AzStoreName attribute
When IIS 6.0 URL Authorization is configured, you can identify an Authorization Manager policy store through the AzStoreName attribute in the IIS metabase entry for the program, for the virtual directory, or for the URL.

To manage the authorization policy, follow these steps:
 * 1) On the computer that is running IIS 6.0, click Start, click Run, type Azman.msc, and then click OK.
 * 2) In the console tree, right-click Authorization Manager, and then click Open Authorization Store.
 * 3) In the Store Name box, type the path of the authorization store location that the AzStoreName attribute identifies, and then click OK.

For more information about how to open an authorization store, see the "Authorization stores and applications" topic in the Authorization Manager Microsoft Management Console (MMC) Help.


The AzScopeName attribute
The IIS 6.0 URL Authorization application manages IIS 6.0 URL authorization for the store that the AzStoreName attribute identifies. The AzScopeName attribute in the metabase entry names an Authorization Manager scope in the IIS 6.0 URL Authorization application. You can use this scope to manage access to the corresponding URL. When you configure a program, a virtual directory, or a URL for IIS 6.0 URL Authorization, you must create a scope in the authorization policy store. This scope must have exactly the same name as the name that is specified in the corresponding metabase entry's AzScopeName attribute; if the names differ, no role can match and requests to that URL are denied.

Authorization policy for IIS 6.0 URL Authorization is stored in an Authorization Manager policy store either in Active Directory or in an .xml file. When you use IIS 6.0 URL Authorization, you can maintain the authorization policy for URLs in the same authorization policy store as the authorization policy of Web programs that use Authorization Manager to control access to program tasks and operations. Therefore, you can manage access to URLs and to Web program resources from the same Authorization Manager MMC or from the same custom user interface.

This behavior provides a common point for access control administration of URLs and of programs. Therefore, you can use the same Authorization Manager groups and the same LDAP queries to populate roles for both URL authorization and program authorization.


How to configure IIS 6.0 URL Authorization
This section describes how to set up IIS 6.0 URL Authorization for a Web program by using an example. The example Web program is named WebApp and is installed and configured in IIS as an application in the Systemroot\InetPub\WWWroot\WebApp folder.

Note Integrated Windows Authentication is required for URLs that use IIS 6.0 URL Authorization, because the authorization decision is made on the authenticated Windows identity of the caller. By default, IIS Web programs and virtual directories turn on Integrated Windows Authentication. For information about how to configure Integrated Windows Authentication, see the "Integrated Windows Authentication" topic in the IIS online Help file.


Create your program folder under the Default Web Site folder, and then disable anonymous access to the site

 * 1) Click Start, click Run, type %systemroot%\System32\InetSrv\IIS.msc, and then click OK.
 * 2) In the console tree, double-click Internet Information Services, double-click the name of your computer that is running IIS, double-click Web Sites, double-click Default Web Site, right-click the folder that corresponds to your Web program, and then click Properties.
 * 3) Click the Virtual Directory tab, and then click Create to make the folder an application.
 * 4) Click the Directory Security tab, and then click Edit in the Authentication and Access Control area.
 * 5) Click to clear the Enable Anonymous Access check box.
 * 6) Click to select the Integrated Windows Authentication check box, click OK, and then click OK again.


Set the wildcard configuration properties to point to the URLAuth.dll file
 * 1) In IIS Manager, right-click the folder for the Web program that you created, and then click Properties.
 * 2) In the Properties dialog box, click the Virtual Directory tab, and then click Configuration.
 * 3) In the Wildcard application maps (order of implementation) area, click Insert.
 * 4) In the Add/Edit Application Extension Mapping dialog box, click Browse.
 * 5) In the Files of type list, click All files (*.*).
 * 6) Locate the \System32\InetSrv folder.
 * 7) Click URLAuth.dll, and then click Open.
 * 8) Click OK three times.

Note You may receive an error message that is similar to the following:

This executable path is already used

If you receive this error message, the URLAuth.dll file is already configured as a wildcard application extension mapping.


Add the URLAuth.dll file as a new Web service extension

 * 1) Start IIS Manager.
 * 2) In the console tree, double-click Internet Information Services, double-click the name of your computer that is running IIS, and then click Web Service Extensions.
 * 3) In the Task list in the details pane, click Add a new Web service extension.
 * 4) Click Add, and then click Browse.
 * 5) Locate  \System32\InetSrv\, click URLAuth.dll, click Open, and then click OK.
 * 6) In the Extension Name box, type URL Authorization.
 * 7) Click to select the Set extension status to Allowed check box, and then click OK.


Set up an authorization policy store in Authorization Manager
In this example, you put an authorization policy store that is named MyStore.xml in the root of drive C.
 * 1) Click Start, click Run, type Azman.msc, and then click OK.
 * 2) In the console tree, right-click Authorization Manager, and then click Options.
 * 3) Click Developer mode, and then click OK.
 * 4) In the console tree, right-click Authorization Manager, and then click New Authorization Store.
 * 5) Click XML file, and then type C:\MyStore.xml in the Store name box.
 * 6) In the Description box, you may type information about the new store. This step is optional.
 * 7) Click OK.
 * 8) In the console tree, right-click MyStore.xml, and then click New Application.
 * 9) In the Name box, type IIS 6.0 URL Authorization.
 * 10) In the Description box, you may type information about this usage of IIS 6.0 URL Authorization. This step is optional.
 * 11) Click OK.
 * 12) In the console tree, double-click Authorization Manager, double-click MyStore.xml, double-click IIS 6.0 URL Authorization, and then double-click Definitions.
 * 13) Right-click Operation Definitions, and then click New Operation Definition.
 * 14) In the Name box, type AccessURL.
 * 15) In the Operation number box, type 1, and then click OK.


Set up the scope for the program

 * 1) In the Authorization Manager console tree, right-click IIS 6.0 URL Authorization, and then click New Scope.
 * 2) In the Name box, type WebApp, and then click OK.
 * 3) In the console tree, double-click IIS 6.0 URL Authorization, double-click Definitions, right-click Role Definitions, and then click New Role Definition.

Note You can also create this role definition in the WebApp scope.

 * 4) In the Name box, type Viewer, and then click OK.
 * 5) In the console tree, double-click Role Definitions.
 * 6) In the details pane, right-click Viewer, and then click Properties.
 * 7) Click the Definition tab, click Add, and then click the Operations tab.
 * 8) Click to select the AccessURL check box, click OK, and then click OK again.
 * 9) In the console tree, double-click WebApp, right-click Role Assignments, and then click Assign Roles.
 * 10) Click to select the Viewer check box, and then click OK.
 * 11) In the details pane, right-click Viewer, and then click Assign Windows Users and Groups.
 * 12) In the Enter the object names to select (examples) box, type your user name, and then click OK.


Add the IIS worker process to the store's Readers role
By default, IIS 6.0 worker processes run as the Network Service account. You can configure an application pool to run its worker process as a different account; whichever identity the worker process uses must be able to read the policy store. This example adds Network Service to the store's Reader role.

Note If you use a remote authorization store such as Active Directory or an XML file on a remote share, and you run IIS in the default Network Service context, the worker process is authenticated on the remote system as the computer account of the Web server. In that case, you must add the Active Directory computer account of the Web server that is running IIS to the store's Reader role.
 * 1) Click Start, click Run, type Azman.msc, and then click OK.
 * 2) In the console tree, right-click Authorization Manager, and then click Open Authorization Store.
 * 3) Click Browse, click C:\MyStore.xml, click OK, and then click OK again.
 * 4) In the console tree, right-click the name of the store, and then click Properties.
 * 5) Click the Security tab, click Reader in the Authorization manager user role list, and then click Add.
 * 6) In the Enter the object names to select (examples) box, type Network Service, click OK, and then click OK again.


Configure the IIS metabase to use IIS 6.0 URL Authorization for the Web program
 * 1) Click Start, click Run, type Cmd, and then click OK.
 * 2) Use the script in the "Script to set the attributes on the IIS metabase" section to create the SetUrlAuth.vbs file. Save the file to the \InetPub\AdminScripts directory. By default, the InetPub directory is in the root of the drive where IIS is installed.
 * 3) Type the following command, and then press ENTER:

CScript SetUrlAuth.vbs VDirPath AzScopeName AzStoreName AzEnable [ImpersonationLevel]

For example, you might type the following:

Cscript SetUrlAuth.vbs W3svc/1/Root/WebApp WebApp msxml://C:\MyStore.xml True 1

IIS 6.0 URL Authorization is now configured and running for the specified Web program. Users who are in the Viewer role can access the pages in the program; authenticated users who are not in a role that holds the AccessURL operation for the WebApp scope are denied.

Important If you use an .xml file store, the AzStoreName value that you pass to the script must start with msxml:// followed by the path of the file. If you use an Active Directory Authorization Manager store, the value must start with msldap:// followed by the path of the store.
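The following is an added example, not code from this article, that checks the result of the verification step recommended in the SetUrlAuth.vbs header (adsutil enum on the application path). It parses the "Name : (TYPE) value" lines that adsutil prints and reports the misconfigurations this article warns about: AzEnable not set to True, a store path without the msxml:// or msldap:// prefix, and an empty AzScopeName. The two sample outputs are constructed to match adsutil's line format and are not captured from a real server; the accepted AzImpersonationLevel range (0 to 2) is taken from the IIS 6.0 metabase property reference, not from this article.

```python
import re

# adsutil enum prints one property per line as:  Name : (TYPE) value
ADSUTIL_LINE = re.compile(r'^\s*(\w+)\s*:\s*\((\w+)\)\s*(.*?)\s*$')
VALID_STORE_PREFIXES = ("msxml://", "msldap://")


def parse_adsutil_enum(text):
    """Turn adsutil enum output into a dict of typed property values."""
    props = {}
    for line in text.splitlines():
        m = ADSUTIL_LINE.match(line)
        if not m:
            continue
        name, kind, value = m.groups()
        if kind == "STRING":
            value = value.strip('"')
        elif kind == "BOOLEAN":
            value = value.lower() == "true"
        elif kind == "INTEGER":
            value = int(value)
        props[name] = value
    return props


def check_urlauth(props):
    """Return a list of problems with the URL Authorization attributes (empty if all is well)."""
    problems = []
    if props.get("AzEnable") is not True:
        problems.append("AzEnable is not True; URLAuth.dll will not authorize requests on this path")
    store = props.get("AzStoreName", "")
    if not store:
        problems.append("AzStoreName is missing")
    elif not store.lower().startswith(VALID_STORE_PREFIXES):
        problems.append("AzStoreName lacks the msxml:// (XML file) or msldap:// (Active Directory) prefix")
    if not props.get("AzScopeName"):
        problems.append("AzScopeName is empty; it must name a scope in the store's "
                        "IIS 6.0 URL Authorization application")
    level = props.get("AzImpersonationLevel")
    if level is not None and level not in (0, 1, 2):   # range per IIS 6.0 metabase reference
        problems.append("AzImpersonationLevel %r is outside the documented range 0-2" % (level,))
    return problems


# --- constructed sample output, shaped like "adsutil enum w3svc/1/root/WebApp" ---
GOOD_OUTPUT = """\
KeyType                         : (STRING) "IIsWebVirtualDir"
AppRoot                         : (STRING) "/LM/W3SVC/1/ROOT/WebApp"
AzEnable                        : (BOOLEAN) True
AzStoreName                     : (STRING) "msxml://C:\\MyStore.xml"
AzScopeName                     : (STRING) "WebApp"
AzImpersonationLevel            : (INTEGER) 1
"""

# Same path, but the store path has no prefix and the scope name was never set
BAD_OUTPUT = """\
KeyType                         : (STRING) "IIsWebVirtualDir"
AzEnable                        : (BOOLEAN) True
AzStoreName                     : (STRING) "C:\\MyStore.xml"
AzScopeName                     : (STRING) ""
"""


def audit(text):
    return check_urlauth(parse_adsutil_enum(text))


if __name__ == "__main__":
    for label, out in (("good", GOOD_OUTPUT), ("bad", BAD_OUTPUT)):
        print(label, audit(out) or "OK")
```

Run the real command on the server, paste its output into a file, and feed that file to audit() to get the same report for a live application path.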


<div class="references_section">