Microsoft KB Archive/296323

= AuthFilter Allows Unrestricted Access in Custom Authentication Mode If Admin Database Is Unavailable =

Article ID: 296323

Article Last Modified on 10/21/2002

APPLIES TO

 * Microsoft Commerce Server 2000 Standard Edition

This article was previously published under Q296323


SYMPTOMS
In Microsoft Commerce Server 2000, the AuthFilter component may not require authentication on an application that is protected by the AuthFilter.



CAUSE
This can occur if the mscs_admin database is unavailable or offline. The AuthFilter does not protect sites if it is unable to access the mscs_admin database. This occurs because the AuthFilter ISAPI filter is only configurable at the Web site level, and not at the ASP application level where the Global.asa file resides.



WORKAROUND
Start the SQL Server Service for the SQL Server computer that houses the mscs_admin database, and make sure that the database is accessible.



RESOLUTION
To resolve this problem, obtain the latest service pack for Commerce Server 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

297216 INFO: How to Obtain the Latest Commerce Server 2000 Service Pack



STATUS
Microsoft has confirmed that this is a problem in Microsoft Commerce Server 2000. This problem was first corrected in Commerce Server 2000 Service Pack 1.



MORE INFORMATION
Commerce Server 2000 allows unrestricted access to a Web site in order to avoid denying access to other ASP applications that are not intended to be protected by the AuthFilter.

When you use Windows Authentication mode, this behavior has no negative impact, because security is controlled by ACLs at the file level.

When you use Custom Authentication mode, this behavior may have a negative impact on security, because the administrative database must be running and available to the AuthFilter at all times: protected content is not restricted if the AuthFilter cannot contact the mscs_admin database. In practice, a Commerce Server site is usually not affected by this issue, because sites are designed to access resources that are stored in the administrative database; if the administrative database is unavailable, the site is usually unavailable as well. Static content, however, remains at risk.

To make sure that this issue does not occur, the mscs_admin database must be online at all times. If it has to be shut down for any reason, the Web sites that are running applications protected by the AuthFilter should be stopped before doing so.
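The failure mode described in this article, as an added illustration that is not Commerce Server code and does not reproduce the Service Pack 1 fix: a toy request filter whose ticket lookup depends on an administrative database, shown first failing open when that database is unreachable (so static content under a protected application becomes reachable) and then in a fail-closed variant that scopes the check to protected paths, so applications that were never meant to be protected are still not denied. The request, ticket, path and database classes are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


class AdminDbUnavailable(Exception):
    """Raised when the administrative database cannot be reached."""


@dataclass
class Request:
    path: str
    ticket: Optional[str]  # authentication ticket presented by the client, or None


# Constructed sample data: applications the filter is meant to protect.
PROTECTED_APPS = ("/retail/", "/retail-static/")


class AdminDb:
    """Stand-in for the mscs_admin lookups; 'online' simulates the SQL Server state."""

    def __init__(self, online: bool, valid_tickets=("ticket-abc",)):
        self.online = online
        self.valid_tickets = set(valid_tickets)

    def ticket_is_valid(self, ticket: Optional[str]) -> bool:
        if not self.online:
            raise AdminDbUnavailable("mscs_admin unreachable")
        return ticket in self.valid_tickets


def is_protected(path: str) -> bool:
    return any(path.startswith(app) for app in PROTECTED_APPS)


def fail_open_filter(req: Request, db: AdminDb) -> int:
    """Pre-SP1 behaviour as the article describes it: when the database cannot
    be reached, every request on the site is allowed, protected or not."""
    try:
        if is_protected(req.path) and not db.ticket_is_valid(req.ticket):
            return 401
        return 200
    except AdminDbUnavailable:
        return 200  # fail open: protected (including static) content is exposed


def fail_closed_filter(req: Request, db: AdminDb) -> int:
    """Hardened variant: unprotected applications are skipped before any lookup,
    so the failure branch can refuse protected requests instead of allowing them."""
    if not is_protected(req.path):
        return 200  # applications not meant to be protected are never denied
    try:
        return 200 if db.ticket_is_valid(req.ticket) else 401
    except AdminDbUnavailable:
        return 503  # fail closed: refuse service rather than expose content
```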

Additional query words: plutonium

Keywords: kbbug kbfix kbcommserv2000presp1fix kbcommserv2000sp1fix KB296323


© Microsoft Corporation. All rights reserved.