This documentation is archived and is not being maintained.

Windows Authentication Mode

Commerce Server 2002

In Windows Authentication mode, a user is validated by setting a session cookie that contains an MSCSAuth ticket. No expiration date is specified for the cookie, and the cookie is deleted after the session expires. An MSCSAuth ticket contains a user ID, the last login time, and a time window specifying how long the ticket is valid after the last login time. A validated user does not automatically have access to a requested URL. The credentials of the user, once validated, are checked against the access rights of the URL that are maintained through access control lists (ACLs).

The following diagram shows how Windows Authentication works.

Windows Authentication

For a figure that shows how Windows Authentication works with proxy accounts, see Proxy Accounts.

Ee784152.note(en-US,CS.20).gif Notes

  • When Windows Authentication mode is enabled, the security of the site is automatically set to Internet Information Services (IIS) Basic authentication. Do not change this setting, because it enables AuthFilter to be notified of events by IIS.
  • After unpacking a Solution Site for use with Commerce Server 2002, the files contained in the <sitename>\AuthFiles folder have anonymous access enabled. If these files are not used, they should be deleted. For more information about Solution Sites, see Commerce Server Solution Sites.

This section contains:

Copyright © 2005 Microsoft Corporation.
All rights reserved.