Custom Authentication Mode

Commerce Server 2002

When you use Custom Authentication, login access is required for every ASP page and directory in the Commerce Server site. AuthFilter checks against the virtual directory for the Commerce Server site, and it checks the Commerce Server Administration database to determine whether Custom Authentication is enabled for that site.

If the MSCSAuth ticket that the user submits when requesting an ASP page or directory is not valid, AuthFilter requires the user to enter login information. When a user submits credentials to the login page, the login page verifies them against a SQL Server database or another type of database.

Note

  • Storing credentials in a database is inherently less secure than storing credentials in Active Directory. For better security for user credentials, it is recommended that you use Windows Authentication mode with Active Directory rather than Custom Authentication mode and a database.

After the user has been authenticated, the Login.asp page issues an MSCSAuth ticket. AuthFilter checks this ticket when it authenticates a request to determine whether to allow the request to be fulfilled.

In this mode, AuthFilter allows the site designer to provide a custom authentication process to control access to the site while still using the basic services of AuthFilter.
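
A minimal model of the flow described above, added here as an illustration and not Commerce Server or AuthFilter code: a login step that verifies credentials against a database holding salted PBKDF2 verifiers rather than passwords, and a filter step that accepts a request only when its signed, unexpired ticket checks out. The ticket layout, table schema, key handling, and all function names are assumptions; the real MSCSAuth ticket format is not shown on this page.

```python
import hashlib, hmac, os, sqlite3, time

TICKET_KEY = os.urandom(32)  # assumption: server-side secret used to sign tickets
ROUNDS = 200_000             # PBKDF2 work factor (assumed value)

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def create_user(db, user, password):
    """Store a per-user salt and a PBKDF2 verifier, never the password itself."""
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _kdf(password, salt)))

def verify_credentials(db, user, password):
    """Login-page step: check submitted credentials against the database."""
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?", (user,)).fetchone()
    salt, stored = row if row else (bytes(16), bytes(32))  # same work for unknown users
    ok = hmac.compare_digest(_kdf(password, salt), stored)  # constant-time compare
    return ok and row is not None

def _mac(body):
    return hmac.new(TICKET_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_ticket(user, now=None, lifetime=1800):
    """Login-page step: issue a signed, expiring ticket after authentication."""
    expires = int(time.time() if now is None else now) + lifetime
    body = f"{user}|{expires}"
    return f"{body}|{_mac(body)}"

def check_ticket(ticket, now=None):
    """Filter step: return the user for a valid ticket, else None (send to login)."""
    try:
        body, mac = ticket.rsplit("|", 1)
        user, expires = body.rsplit("|", 1)
        expires = int(expires)
    except (AttributeError, ValueError):
        return None  # missing or malformed ticket
    if not hmac.compare_digest(mac.encode(), _mac(body).encode()):
        return None  # tampered or forged ticket
    if expires < (time.time() if now is None else now):
        return None  # expired ticket
    return user

def demo_db():
    """Constructed sample data: in-memory database with one user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    create_user(db, "alice", "correct horse")
    return db
```
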

Copyright © 2005 Microsoft Corporation.
All rights reserved.