Overview of AuthFilter Authentication Modes

When you implement AuthFilter, you can choose one of the following authentication modes:

  • Windows Authentication
  • Custom Authentication

Note

  • Of these two modes, Windows Authentication is recommended. It is inherently more secure than Custom Authentication because it stores passwords in Active Directory, whereas Custom Authentication stores passwords in a database that the site itself must protect.

Windows Authentication

In this mode, AuthFilter uses Windows Authentication to control access to the site. User credentials (user IDs and passwords, for example) are authenticated against Active Directory. When you use Windows Authentication, you can require login access only for certain pages and directories that you specify. To use Windows Authentication, see Enabling Windows Authentication.

AuthFilter uses Windows Authentication, through access control lists (ACLs), to control access to the site. Anonymous and registered users can access the site depending on the ACLs. For more information about this mode, see Windows Authentication Mode.

If the MSCSAuth ticket submitted with a request for a page or directory is not valid, AuthFilter requires the user to enter login credentials. The login page sends the credentials the user provided to AuthFilter, which then checks whether the password is already in the AuthFilter password cache. If it is not, AuthFilter adds the password the user entered on the login page to the cache.

Do not confuse Windows Authentication mode with the Windows Authentication (Kerberos) that you may use to connect to your databases.

Custom Authentication

In this mode, user credentials (user IDs and passwords, for example) are authenticated against a SQL Server database or another type of database.

When you use Custom Authentication, login access is required for every page and directory in the Commerce Server site. AuthFilter checks against the virtual directory for the Commerce Server site, and it checks the Commerce Server Administration database to determine whether Custom Authentication is enabled for that site.

If the MSCSAuth ticket submitted with a request for a page or directory is not valid, AuthFilter requires the user to enter login information. When a user submits credentials to the login page, the login page verifies the credentials against a SQL Server database or another type of data source.

In this mode, AuthFilter allows the site designer to provide a custom authentication process to control access to the site while still using the basic services of AuthFilter. For more information about this mode, see Custom Authentication Mode. To use Custom Authentication, see Enabling Custom Authentication.

Autocookie Mode

In this mode, AuthFilter checks whether the request contains a valid MSCSProfile ticket. If a valid MSCSProfile ticket is not found, the request is redirected to the autocookie.asp page, where an MSCSProfile ticket is issued to the user. A user who accesses your site with only an MSCSProfile ticket is identified as an anonymous user.

Issuing MSCSProfile tickets to users enables you to collect profile data about how anonymous users navigate and use your site, without forcing these users to first register with your site.

When an anonymous user registers, the user ID in the MSCSProfile ticket can be updated programmatically so that you do not lose the profile data gathered while the user was anonymous. You use the AuthManager object to change the user ID in the MSCSProfile ticket: the registration page obtains the correct GUID or user ID from the registered profile and passes it to the SetProfileTicket() method. This logic belongs in your registration page because the process for converting an anonymous user into a registered user depends on your application; for example, it depends on whether the registered user keeps the same profile or is given a different one.
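The following ASP fragment is an added example of the registration step described above; it is not code from the Commerce Server documentation or the Solution Sites. It reads the anonymous GUID from the MSCSProfile ticket, either keeps that profile or creates a new one and copies the anonymous data into it, and then re-points the MSCSProfile ticket at the registered user ID before issuing the MSCSAuth ticket. The site name "Retail", the Application("MSCSProfileConnStr") variable, the USE_SAME_PROFILE policy flag, the form field names, and the list of profile properties copied in CopyAnonymousData are assumptions made for the example; the AuthManager, ProfileService, and GenID calls are used with their Commerce Server 2002 signatures.

```vbscript
<%
Option Explicit
' Added example: registration page logic that carries anonymous profile data
' over to the registered user and updates the MSCSProfile ticket.
' Assumptions (not from the page): site name, connection string variable,
' form field names, and the property names copied below.

Const SITE_NAME = "Retail"              ' assumption: Commerce Server site name
Const PROFILE_TYPE = "UserObject"       ' standard user profile definition
Const enumProfileTicket = 1             ' AuthManager ticket type: MSCSProfile
Const enumAuthTicket = 2                ' AuthManager ticket type: MSCSAuth
Const AUTH_TIMEOUT_MINUTES = 30
Const USE_SAME_PROFILE = True           ' assumption: site policy, keep the anonymous record

' Returns the user ID that must go into the MSCSProfile ticket after registration.
'   objPS     : initialized Commerce.ProfileService
'   sAnonID   : GUID from the anonymous MSCSProfile ticket ("" if the request had none)
'   sEmail    : values posted by the registration form
'   sPassword
Function RegisterUser(objPS, sAnonID, sEmail, sPassword)
    Dim objProfile, objNew, sNewID
    Set objProfile = Nothing

    ' GetProfile returns Nothing when no record exists for the key.
    If Len(sAnonID) > 0 Then
        Set objProfile = objPS.GetProfile(sAnonID, PROFILE_TYPE)
    End If

    If USE_SAME_PROFILE And Not (objProfile Is Nothing) Then
        ' Same profile: keep the anonymous GUID, so everything gathered while
        ' the user was anonymous already belongs to the registered account.
        sNewID = sAnonID
    Else
        ' Different profile: create a fresh record, copy the anonymous data
        ' into it, and remove the orphaned anonymous record.
        sNewID = Server.CreateObject("Commerce.GenID").GenGUIDString
        Set objNew = objPS.CreateProfile(sNewID, PROFILE_TYPE)
        If Not (objProfile Is Nothing) Then
            CopyAnonymousData objProfile, objNew
            objPS.DeleteProfile sAnonID, PROFILE_TYPE
        End If
        Set objProfile = objNew
    End If

    objProfile.Fields("GeneralInfo.email_address").Value = sEmail
    ' Check that this property is defined as encrypted in the profile
    ' definition; otherwise the Profiles database holds it in clear text.
    objProfile.Fields("GeneralInfo.user_security_password").Value = sPassword
    objProfile.Update

    RegisterUser = sNewID
End Function

' Copies the properties your site gathered while the user was anonymous.
' The property list is an assumption; use the ones your profile tracks.
Sub CopyAnonymousData(objFrom, objTo)
    Dim sProp
    For Each sProp In Array("GeneralInfo.first_name", "GeneralInfo.last_name")
        objTo.Fields(sProp).Value = objFrom.Fields(sProp).Value
    Next
End Sub

' Page-level flow, run when the registration form is posted.
Dim objAuth, objPS, sAnonID, sUserID

Set objAuth = Server.CreateObject("Commerce.AuthManager")
objAuth.Initialize SITE_NAME

Set objPS = Server.CreateObject("Commerce.ProfileService")
objPS.Initialize Application("MSCSProfileConnStr")   ' assumption: set in Global.asa

' GUID that autocookie.asp placed in the MSCSProfile ticket ("" if none).
sAnonID = objAuth.GetUserID(enumProfileTicket)

sUserID = RegisterUser(objPS, sAnonID, Request.Form("email"), Request.Form("password"))

' Re-point the MSCSProfile ticket at the registered user ID (persistent cookie),
' then issue a non-persistent MSCSAuth ticket so AuthFilter treats the user
' as registered for AUTH_TIMEOUT_MINUTES.
objAuth.SetProfileTicket sUserID, True
objAuth.SetAuthTicket sUserID, False, AUTH_TIMEOUT_MINUTES
%>
```

Issue the MSCSAuth ticket only after the credentials have been stored and the profile updated; if SetAuthTicket ran first and the profile update then failed, the browser would hold an MSCSAuth ticket for a user ID that no registered profile backs.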

If you select both Autocookie mode and No Filter mode, then there are no registered users for your site.

For more information about this mode, see Autocookie Mode.

No Filter Mode

In this mode, AuthFilter is not enabled. By default, the Solution Sites for Commerce Server 2002 use No Filter mode and implement their own authentication scheme based on AuthManager.

If you want to change the sites to take advantage of AuthFilter, you must make changes to the Login.asp and other helper pages for the sites. For more information, see Enabling AuthFilter for the Retail Solution Site and Enabling AuthFilter for the Supplier Solution Site.

Combination of Modes

When you use AuthFilter, you can choose one of the following combinations of authentication modes:

  • Windows Authentication with Autocookie mode. This combination of modes allows both registered and anonymous users access to the site, and uses persistent cookies to track anonymous users. For more information about this mode, see Windows Authentication with Autocookie Mode.
  • Custom Authentication with Autocookie mode. This combination of modes allows both registered and anonymous users access to the site, and uses persistent cookies to track anonymous users. Instead of controlling access to individual files and folders using Windows ACLs, the site developer can supply a custom authentication process. For more information about this mode, see Custom Authentication with Autocookie Mode.

See Also

Windows Authentication Mode

Custom Authentication Mode

Autocookie Mode

Windows Authentication with Autocookie Mode

Custom Authentication with Autocookie Mode

Enabling Windows Authentication

Enabling Custom Authentication

Enabling Autocookie Mode

Copyright © 2005 Microsoft Corporation.
All rights reserved.