Using URL Authorization

Applies To: Windows Server 2003, Windows Server 2003 with SP1

IIS 6.0 does not provide graphical user interface (GUI) support for URL authorization. To use URL authorization in IIS 6.0, you must enable the wildcard script map, Urlauth.dll. In addition, you must set the following metabase properties on the application, virtual directory, or URL (Web site):

  • AzEnable. This property enables URL authorization for the virtual directory, application, or URL that corresponds to the entry in the metabase.

  • AzStoreName. This property associates an Authorization Manager store with the virtual directory, application, or URL.

  • AzScopeName. This property associates the virtual directory, application, or URL with a scope. This scope will be the name of a scope in the IIS 6.0 URL authorization application in the Authorization Manager policy store referred to in the AzStoreName property. If no scope or an empty string is specified, the default scope of the URL authorization is used.

  • AzImpersonationLevel. This property determines the impersonation behavior for the application, allowing you to configure the Web application to impersonate the client user, the IIS worker process, or the IUSR_ComputerName account for the worker process. Each setting significantly changes the environment and implied design of the Web application.

For more information about these metabase properties, see URL Authorization in IIS 6.0.

Although URL authorization works alongside the other forms of authorization, such as IIS directory security settings and NTFS ACL permissions, it does not replace them: the application context still requires correct IIS directory security and ACL permissions. What URL authorization provides is a single place to manage access policy, so that the IIS directory security and ACL permissions can be kept simpler and easier to maintain.

When URL authorization is configured, the AzStoreName property in the IIS metabase entry for the application, virtual directory, or URL identifies an Authorization Manager policy store. To manage the authorization policy, run Authorization Manager in Developer mode and use the Open Policy Store command from the Action menu. URL authorization is an application in this store. The AzScopeName property in the metabase entry names an Authorization Manager scope in the URL authorization application; use this scope to manage access to the corresponding URL. Therefore, when you configure an application, virtual directory, or URL for URL authorization, you must also create a scope in the authorization policy store (the database that holds the Authorization Manager policies) whose name matches the value specified in the AzScopeName property of the corresponding metabase entry.

Listing 5.3 provides a customizable text file, written in VBScript, that you can use to mark the root of the first site as a URL in MyAZScope, which is defined in the MyAZStore.xml file. Users with URLAccess rights in this scope will be able to access the site.

Listing 5.3   Sample Script for URL Authorization

' Bind to the metabase entry for the root of the first Web site.
Set objVDir = GetObject("IIS://localhost/w3svc/1/root")
' Enable URL authorization for this entry.
objVDir.AzEnable = True
' Authorization Manager policy store that contains the URL authorization application.
objVDir.AzStoreName = "MSXML://d:\MyAZStore.xml"
' Scope in that application whose policy applies to this URL.
objVDir.AzScopeName = "MyAZScope"
' 0 = impersonate the authenticated client user.
objVDir.AzImpersonationLevel = 0
' Write the changes to the metabase.
objVDir.SetInfo
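A misconfiguration that is easy to miss is a scope name in the metabase that does not exist in the policy store, because the metabase write succeeds regardless. The following script is an added check, not part of the original guide: it reads the three properties back from the same metabase entry, opens the store named in AzStoreName read-only, and confirms the scope named in AzScopeName exists. It assumes the store's application is named "IIS 6.0 URL Authorization" and the metabase path from Listing 5.3; an empty AzScopeName is treated as the default scope, as the text above describes.

```vbscript
' Added verification script (not from the original guide).
' Assumption: the URL authorization application in the store is named
' "IIS 6.0 URL Authorization"; adjust if the store uses a different name.
Option Explicit

Const APP_NAME = "IIS 6.0 URL Authorization"
Dim objVDir, objStore, objApp, objScope, strStore, strScope

Set objVDir = GetObject("IIS://localhost/w3svc/1/root")
If Not objVDir.AzEnable Then
    WScript.Echo "URL authorization is not enabled on this metabase entry."
    WScript.Quit 1
End If

strStore = objVDir.AzStoreName
strScope = objVDir.AzScopeName
WScript.Echo "AzStoreName:          " & strStore
WScript.Echo "AzScopeName:          " & strScope
WScript.Echo "AzImpersonationLevel: " & objVDir.AzImpersonationLevel

' Open the policy store for read (flags = 0) and locate the application.
Set objStore = CreateObject("AzRoles.AzAuthorizationStore")
objStore.Initialize 0, strStore
Set objApp = objStore.OpenApplication(APP_NAME)

If strScope = "" Then
    ' Empty string means the default scope of the application is used.
    WScript.Echo "No scope set; the default scope will apply."
    WScript.Quit 0
End If

On Error Resume Next
Set objScope = objApp.OpenScope(strScope)
If Err.Number <> 0 Then
    WScript.Echo "Scope '" & strScope & "' does not exist in " & strStore & _
                 "; requests to this URL will be denied until it is created."
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Scope '" & strScope & "' found; metabase entry and store agree."
```

Run it with cscript under an account that can read both the metabase and the policy store file.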