Microsoft KB Archive/264080

From BetaArchive Wiki

Article ID: 264080

Article Last Modified on 4/10/2006



APPLIES TO

  • Microsoft Access 2000 Standard Edition



This article was previously published under Q264080

Advanced: Requires expert coding, interoperability, and multiuser skills.

This article applies to a Microsoft Access database (.mdb) and to a Microsoft Access project (.adp).

For a Microsoft Access 2002 and Access 2003 version of this article, see 291783.

SUMMARY

Data access pages permit you to create data-bound Web pages that you can view in Microsoft Internet Explorer 5.0 or later. These Web pages are typically intended for intranet use. However, with special considerations, data access pages can be deployed successfully over the Internet. Office Web Components must be installed on the computer that views the data access pages. By default, the components are installed with any Microsoft Office 2000 installation.

This article describes considerations that you must be aware of before you can deploy data access pages over the Internet. These considerations do not address possible security issues. If you have possible security issues, or if you want additional information about possible methods that you may use to enhance security for data access pages, see the "References" section.

Because the majority of the steps that are involved are performed on the server, this article assumes that you have a correctly configured Web server on the NTFS file system partition for deployment. If you are not hosting the Web site to house the data access pages, you must be able to work with your Internet Service Provider (ISP) to correctly configure the Web server.


Create a User for Anonymous Access

Depending on whether you use Microsoft Windows NT 4.0, Microsoft Windows 2000, or Microsoft Windows Server 2003, the steps that you must follow to create a user for anonymous access may vary. On the Web server where the data access pages are located, follow these steps:

Windows NT 4.0

  1. Click Start, point to Programs, point to Administrative Tools (Common), and then click User Manager for Domains.
  2. On the User menu, click Select Domain.
  3. Enter the computer name of the Web server, and then click OK.


Note The computer name is not the HTTP address of the server.

  4. On the User menu, click New User.
  5. Type DAPInternetAccount in the User name box.
  6. Click to clear the User Must Change Password at Next Logon check box, click to select the User Cannot Change Password check box, and then click to select the Password Never Expires check box.
  7. Click Add, and then click Close to close the dialog box.

Windows 2000

  1. Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
  2. Expand Local Users and Groups, and then click the Users folder.
  3. On the Action menu, click New User.
  4. In the User name box, type DAPInternetAccount.
  5. Click to clear the User must change password at next logon check box, click to select the User cannot change password check box, click to select the Password never expires check box, and then click Create.
  6. Click Close to close the New User dialog box, and then close the Microsoft Management Console.

Windows Server 2003

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.
  2. Expand Local Users and Groups, and then click the Users folder.
  3. On the Action menu, click New User.
  4. In the User name box, type DAPInternetAccount.
  5. Click to clear the User must change password at next logon check box, click to select the User cannot change password check box, click to select the Password never expires check box, and then click Create.
  6. Click Close to close the New User dialog box, and then close the Microsoft Management Console.


Configure Folder and File Permissions

The user who interacts with your data access pages over the Internet must have Windows NT file permissions to the database to work with the locking (.ldb) file. This file is created when the user works with an Access database. Therefore, you must grant the appropriate permissions to the user that you created in the previous section. Additionally, the user must have read permission for the folder where the Remote Data Service (RDS) components are located. Perform the following steps on the Web server:

Note If you deploy data access pages in an Access project (.adp), you can omit these steps. These steps do not apply to Microsoft SQL Server.

Windows NT 4.0

  1. On the desktop, double-click My Computer.
  2. Move to the C:\program files\common files\system folder.


Note If your operating system is installed on a different logical drive, use that drive letter.

  3. Right-click the MSADC folder, click Properties, and then click the Security tab in the MSADC Properties dialog box.
  4. Click Permissions, and then click Add.
  5. In the Add Names box, type <ServerName>\DAPInternetAccount, and then click OK to close the dialog box.


Note <ServerName> is the computer name of the Web server.

  6. Assign read permissions for DAPInternetAccount to the MSADC folder, and then close the MSADC Properties folder.
  7. Repeat step 1 through step 6. This time select the folder where the database is located. Assign Full Control permissions to this folder.
  8. Repeat step 1 through step 6 again. This time select the database file itself. Assign Full Control permissions to this file.

Note If the Replace Permissions on Existing Files option is selected for the folder, the database file inherits the permissions from the folder where the database file resides.

Windows 2000

  1. On the desktop, double-click My Computer.
  2. Move to the C:\program files\common files\system folder.


Note If your operating system is installed on a different logical drive, use that drive letter.

  3. Right-click the MSADC folder, click Properties, click the Security tab in the MSADC Properties dialog box, and then click Add.
  4. Replace <<Type names separated by semicolons or choose from list>> with <ServerName>\DAPInternetAccount, where <ServerName> is the computer name of the Web server. Click OK to close the dialog box.
  5. Make sure that DAPInternetAccount is selected, and then click to clear the List Folder Contents check box for the MSADC folder.

    This makes sure that read permissions are assigned to the subdirectory.

    Click OK to close the MSADC Properties dialog box, and then close the folder.
  6. Repeat step 1 through step 5. This time select the folder where the database is located, and then assign Full Control permissions to this folder.
  7. Repeat step 1 through step 5 again. This time select the database file itself, and then assign Full Control permissions to this file.

Note If the Allow inheritable permissions from parent to propagate to this object option is selected for the file, the database file inherits the permissions from the folder where the database file resides.

Windows Server 2003

  1. Click Start, and then click My Computer.
  2. Move to the C:\program files\common files\system folder.


Note If your operating system is installed on a different logical drive, use that drive letter.

  3. Right-click the MSADC folder, click Properties, click the Security tab in the MSADC Properties dialog box, and then click Add.
  4. Replace <<Type names separated by semicolons or choose from list>> with <ServerName>\DAPInternetAccount, where <ServerName> is the computer name of the Web server. Click OK to close the dialog box.
  5. Make sure DAPInternetAccount is selected, and then click to clear the List Folder Contents check box for the MSADC folder.

    This results in read permissions being assigned to the subdirectory.
  6. Click OK to close the MSADC Properties dialog box, and then close the MSADC folder.
  7. Repeat step 1 through step 6, but select the folder where the database is located, and then assign Full Control permissions to this folder.
  8. Repeat step 1 through step 6 again, but select the database file, and then assign Full Control permissions to this file.


By default, Windows Server 2003 permissions that are assigned to a folder automatically propagate to the files that are in that folder. Therefore, the DAPInternetAccount may have already inherited Full Control permissions on the database file.


Configure the Web Server

To return data to data access pages over the Internet, you must configure remote data services (RDS) on the Web server. You can configure RDS by using the MSADC virtual directory on the server.

For additional information about how to configure RDS to run on a site other than the default Web site, click the following article number to view the article in the Microsoft Knowledge Base:

184606 HOWTO: Use RDS from an IIS 4.0 Virtual Server


Important Microsoft does not recommend that you run Internet Information Services (IIS) on a domain controller (or on a BDC, or on a PDC if you run Microsoft Windows NT Server 4.0), because the network load and the processor load that are imposed by authentication and other roles that domain controllers perform severely degrade IIS performance. Therefore, Microsoft does not test data access pages on a domain controller that runs IIS and does not support this configuration.

Windows NT 4.0 and Windows 2000

  1. Open Internet Services Manager on the Web server. In Windows NT Server 4.0, click Start, point to Programs, point to Windows NT 4.0 Option Pack, point to Microsoft Internet Information Server, and then click Internet Services Manager.

    In Windows 2000, click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
  2. Expand Default Web Site.
  3. Right-click the MSADC virtual directory, and then click Properties.
  4. In the MSADC Properties dialog box, click the Directory Security tab.
  5. Under Anonymous Access and Authentication Control, click Edit.
  6. Make sure that the Allow Anonymous Access check box is selected, and then click Edit that is next to Account used for Anonymous Access.
  7. Type DAPInternetAccount.
  8. In Windows NT 4.0, click to select the Enable Automatic Password Synchronization check box.

    In Windows 2000, click to select the Allow IIS to Control Password check box.
  9. Click OK to close the dialog box, and then return to Internet Services Manager.

    Windows 2000 Server Only

    On a clean installation of Windows 2000 Server, the MSADC virtual directory always denies access to all IP addresses and all domain names. For additional information about configuring RDS in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

    250536 HOWTO: Configure RDS for Windows 2000


Windows Server 2003

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand WebServer (local computer), and then expand Web Sites.


Note WebServer is the actual computer name that is assigned to your Web server.

  3. Right-click Default Web Site, point to New, and then click Virtual Directory.
  4. In the Virtual Directory Creation Wizard, click Next, type MSADC in the Alias box, click Next, type C:\Program Files\Common Files\System\msadc in the Path box, click Next two times, and then click Finish.
  5. Right-click the new MSADC virtual directory, and then click Properties.
  6. Move to the Execute Permissions drop-down list in the MSADC Properties dialog box, and then click Scripts and Executables.
  7. Click the Directory Security tab, and then click Edit under Authentication and access control.
  8. Click to select the Enable anonymous access check box, and then click Browse that is next to the User name box.
  9. In the Select User dialog box, move to the Enter the object name to select box, type DAPInternetAccount, and then click OK.
  10. Click OK to close the Authentication Methods dialog box.
  11. Under IP address and domain name restrictions, click Edit.
  12. In the IP Address and Domain Name Restrictions dialog box, click Granted Access, and then click OK.
  13. Click OK to close the MSADC Properties dialog box, and then close IIS Manager.

Additional Configuration Settings for Windows Server 2003

You must apply the following configuration settings, or you may receive the following error message:

Error: Safety settings on this computer prohibit accessing a data source on another domain.

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand WebServer (local computer) (where WebServer is the actual computer name that is assigned to your Web server), and then expand Web Server Extensions.
  3. Click the Add a new Web service extension hyperlink.
  4. When the New Web Service Extension dialog box appears, enter MSADC in the Extension name box, and then click Add.
  5. When the Add file dialog box appears, type C:\Program Files\Common Files\System\msadc\msadcs.dll, and then click OK.
  6. Click to select the Set extension status to Allowed check box, and then click OK.
  7. Close IIS Manager.


Modify the Msdfmap.ini File

You can use the Msdfmap.ini file on the Web server to permit data connections to the server. You can modify this file in a variety of ways to permit data connections or to limit connections to a particular database.

  1. On the Web server, open the Msdfmap.ini file in Notepad.

    This file is found in the \WINNT folder.
  2. In the "[connect default]" section, change:

    Access=NoAccess

    -to-

    Access=ReadWrite

    This change permits read connections and write connections to all data connections that are on the server.

  3. In the "[sql default]" section, change:

    sql=" "

    -to-

    ;sql=" "

    This change permits any SQL statement to be used against any data source on the Web server.

  4. Save and then close the Msdfmap.ini file.
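
The following is an added example, not part of the original article or any Microsoft code: a small Python audit that parses Msdfmap.ini text and reports the two default-section changes made in the steps above, run against a constructed copy of the file as deployed and a constructed restricted variant that leaves both defaults locked and opens one named connection. The section name DapData and its DSN are hypothetical.

```python
import configparser

# Constructed sample: Msdfmap.ini as the steps above leave it.
AS_DEPLOYED = """\
[connect default]
Access=ReadWrite

[sql default]
;sql=" "
"""

# Constructed sample: defaults left locked, one named connection opened.
# The section name and DSN are hypothetical.
RESTRICTED = """\
[connect default]
Access=NoAccess

[sql default]
sql=" "

[connect DapData]
Access=ReadOnly
Connect="DSN=DapData"
"""


def audit_msdfmap(text):
    """Return (section, finding) pairs for settings that open the RDS handler."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # lines that start with ';' are treated as comments
    # Compare section names case-insensitively; option keys are already lowercased.
    sections = {name.strip().lower(): dict(cp[name]) for name in cp.sections()}
    findings = []

    default_access = sections.get("connect default", {}).get("access", "").strip()
    if default_access.lower() != "noaccess":
        findings.append(("connect default",
                         f"Access={default_access or '<unset>'}: "
                         "default connection access is not NoAccess"))

    if "sql" not in sections.get("sql default", {}):
        findings.append(("sql default",
                         "no sql= entry: default SQL restriction is commented out"))

    for name, opts in sections.items():
        if name.startswith("connect ") and name != "connect default":
            if opts.get("access", "").strip().lower() == "readwrite":
                findings.append((name, "named connection is writable"))
    return findings


if __name__ == "__main__":
    for label, text in (("as deployed", AS_DEPLOYED), ("restricted", RESTRICTED)):
        print(label, audit_msdfmap(text))
```
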


Where to Put the Database and the Data Access Pages

Although not required, you can store the database on the Web server with the data access pages. However, to enhance security, put the database in a folder other than the Web site folder. By default, when you install IIS, the Web site folder is c:\inetpub\wwwroot. Because the wwwroot folder is typically open to the public, a malicious user may potentially download the database. To enhance security, put the database in a different folder on the Web server, such as c:\inetpub.


Modify the Data Access Pages

Because data access pages look on the client side to find the data source, routine deployment of data access pages does not work over the Internet. Instead, you must configure three-tier data access pages by using the UseRemoteProvider property of the page. While certain steps in this article may be modified depending on the security settings that you select, this section must be completed to successfully deploy three-tier data access pages.

  1. Open the data access page in Design view.
  2. On the View menu, if the property sheet does not appear, click Properties.
  3. On the Edit menu, click Select Page.
  4. On the Data tab, change the UseRemoteProvider property to True.
  5. On the View menu, if the field list does not appear, click Field List.
  6. Right-click the name of the database that is at the top of the field list, and then click Connection.
  7. Verify that the connection string points to a path that can be seen from the Web server.
  8. Click OK to close the Data Link Properties dialog box.
  9. Close and then save the data access page.

Important If you are not hosting the Web site, you may not be able to save changes to data access pages that are opened directly in Access 2000 by using the URL for the data access pages. Instead, open the data access pages in Microsoft FrontPage 2000, and then edit the connection string manually as follows:

Note You must change the UseRemoteProvider property to true in Access before you open the data access pages in FrontPage 2000.

  1. Start FrontPage 2000.
  2. On the File menu, click Open.
  3. Type the URL for your data access page on the Web server, and then click OK.
  4. On the lower-right side of the screen, click the HTML tab.
  5. On the Edit menu, click Find.
  6. Type ConnectionString, and then click Find Next.
  7. Edit the "Data Source" section of the connection string so that it points to the path of the database on the Web server.
  8. Open the URL for the data access page in Internet Explorer 5.0 or later to test the deployment.


REFERENCES

For additional information about deploying data access pages and for information about possible security issues and possible security configurations, visit the following Microsoft Web site:

For additional information about the requirements for using the Office Web Components that perform the data binding for data access pages, visit the following Microsoft Web site:

For additional information about working with data access pages in FrontPage 2000, visit the following Microsoft Web site:

For additional information about working with .ldb files, click the following article number to view the article in the Microsoft Knowledge Base:

208778 ACC2000: Introduction to .ldb Files


For additional information about modifying the Msdfmap.ini file on the Web server, click the following article number to view the article in the Microsoft Knowledge Base:

230680 INFO: Working with RDS Handlers




Additional query words: DAP Deploy

Keywords: kbhowto kbinfo kbdap kbdeployment KB264080