Windows Authentication Mode

In Windows Authentication mode, a user is validated by setting a session cookie that contains an MSCSAuth ticket. No expiration date is specified for the cookie, and the cookie is deleted after the session expires. An MSCSAuth ticket contains a user ID, the last login time, and a time window specifying how long the ticket is valid after the last login time. A validated user does not automatically have access to a requested URL. Once the user is validated, the user's credentials are checked against the access rights of the URL, which are maintained through access control lists (ACLs).

Notes

  • When Windows Authentication mode is enabled, the security of the site is automatically set to Internet Information Services (IIS) Basic authentication. This must not be changed, as it allows the AuthFilter to be notified of events by IIS.

  • After unpacking a Solution Site for use with Commerce Server 2000, the files contained in the <SiteName>\AuthFiles folder have anonymous access enabled. If these files are not used, they should be deleted. For more information about Solution Sites, see Commerce Server Solution Sites.

This section contains:

  • URL Request Outcomes. Describes the possible outcomes when a user requests a URL: the user is sent the requested URL, is sent to a login page, or is redirected to a support page announcing that cookies must be enabled. All this is transparent to the site developer.

  • Login Page. Describes the contents of the login page that must be supplied by the site developer.

  • Variations. Describes scenarios beyond those depicted in URL Request Outcomes, including proxy accounts, Web farms, cookie sharing, and distributed denial of service (DDoS) attacks.

