Setting Metabase Properties for URL Authorization

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

To use URL authorization, you must set the required metabase properties on the application, virtual directory, or Web site where you want to authorize user access. You can either edit the metabase directly or run a script to set metabase properties.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile/User:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

Procedures

To set metabase properties for URL authorization by editing the metabase directly

  • Edit the metabase directly to set the following metabase properties:

    • AzEnable Metabase Property: Enables URL authorization for the virtual directory, application, or URL that corresponds to the entry in the metabase.

    • AzStoreName Metabase Property: Associates an Authorization Manager store with the virtual directory, application, or URL.

    • AzScopeName Metabase Property: Associates the virtual directory, application, or URL with a scope. This scope will be the name of a scope in the IIS 6.0 URL authorization application in the Authorization Manager policy store referred to in the AzStoreName attribute. If no scope or an empty string is specified, the default scope of the IIS 6.0 URL authorization will be used.

    • AzImpersonationLevel Metabase Property: Determines the impersonation behavior for the application. This allows you to configure the Web application to impersonate the client user, the IIS worker process, or the IUSR_computername account for the worker process. Each setting significantly changes the environment and implied design of the Web application.

The sample script, written in Microsoft Visual BasicĀ® Scripting Edition (VBScript), marks the root of the first site as a URL in MyAZScope, which is defined in the MyAZStore.xml file. Users with URLAccess rights in this scope will be able to access the site.

To set metabase properties for URL authorization by using a script

  • Use the following sample script as a guide to setting the required metabase properties:

    var objVDir = GetObject("IIS://localhost/w3svc/1/root")

    objVDir.AzEnable = true

    objVDir.AZStoreName = "MSXML://d:\MyAZStore.xml"

    objVDir.AzScopeName = "MyAZScope"

    objVDir.AZImpersonationLevel = 0

    objVDir.SetInfo()