Commerce Server Authentication Methods

Commerce Server 2000 extends the authentication methods supported by Internet Information Services (IIS) 5.0 in two ways. First, it adds granular access control for dynamic content through AuthFilter, an Internet Server API (ISAPI) filter. Second, it provides a way to use Windows Authentication or Custom Authentication in an Internet environment where you must support a wide range of browsers.

When you use AuthFilter, you can choose the following authentication modes:

  • No Filter mode. AuthFilter is not enabled.

  • Windows Authentication. AuthFilter uses Windows Authentication to control access to the site. It checks the user login and password against Active Directory (or a local Security Accounts Manager (SAM) account). When you use Windows Authentication, you can require login access only for the Active Server Pages (ASP) pages and directories that you specify. To use Windows Authentication, see Enabling Windows Authentication.

  • Custom Authentication. AuthFilter checks the user login and password against a SQL Server database or another type of database, and issues an MSCSAuth ticket to the authenticated user. Login access is required for every ASP page and directory in the Commerce Server site. On each request, AuthFilter identifies the virtual directory for the Commerce Server site and checks the Commerce Server Administration database to determine whether Custom Authentication is enabled for that site. If the MSCSAuth ticket is missing or not valid, AuthFilter requires the user to enter login information.

    To use Custom Authentication, see Enabling Custom Authentication.

  • Autocookie mode. AuthFilter automatically generates cookies, which store tickets, for guest users. (When an anonymous user receives an MSCSProfile ticket, the user becomes a guest user.) MSCSProfile tickets enable you to collect profile data about how guest users navigate and use your site.

    If you select Autocookie mode together with No Filter mode, every user is a guest; there are no registered users.

    If you use Autocookie together with either Windows Authentication mode or Custom Authentication mode (known as mixed mode), then when a guest user registers, the user's persistent cookie is updated, and you do not lose the profile data gathered while the user was a guest. To use Autocookie mode, see Enabling Autocookie Generation.

If you enable mixed mode, AuthFilter generates the following tickets:

  • The first time a user visits the site, it generates an MSCSProfile ticket.

  • If the user is authenticated, it generates the MSCSAuth ticket, which contains the user ID. Use the MSCSAuth ticket, not the MSCSProfile ticket, for access control: only the MSCSAuth ticket proves that the user presented valid credentials.

  • If the user is not authenticated (no MSCSAuth ticket), the MSCSProfile ticket indicates that the user is anonymous.
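The mixed-mode ticket flow above, as an added example that is not Commerce Server code: a small Python simulation of the decisions AuthFilter makes for one request and one login. The ticket format (an HMAC-signed string with an expiry), the in-memory credential store standing in for the SQL Server table that Custom Authentication queries, and the use of plain dictionary keys for the MSCSProfile and MSCSAuth cookies are assumptions made for the example; the real ticket format is not described on this page.

```python
"""Simulation of AuthFilter mixed mode (Autocookie + Custom Authentication).

Added illustration, not Commerce Server 2000 code. The ticket encoding,
the SITE_KEY and the USERS store are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical per-site key; generated fresh so the example runs offline.
SITE_KEY = secrets.token_bytes(32)

# Constructed credential store in place of the Custom Authentication
# database. Passwords are kept salted and hashed, never in clear text.
_SALT = b"example-salt-not-for-production"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: Dict[str, bytes] = {"alice": _hash_pw("correct horse", _SALT)}

PROFILE_TTL = 365 * 86400   # persistent guest cookie
AUTH_TTL = 30 * 60          # short-lived login ticket


def make_ticket(kind: str, subject: str, ttl: int, now: Optional[float] = None) -> str:
    """Build a 'kind:subject:expiry:mac' ticket (kind is MSCSProfile or
    MSCSAuth). The MAC binds all three fields to SITE_KEY."""
    if ":" in kind or ":" in subject:
        raise ValueError("ticket fields must not contain ':'")
    now = time.time() if now is None else now
    body = f"{kind}:{subject}:{int(now) + ttl}"
    mac = hmac.new(SITE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def parse_ticket(ticket: str, kind: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the ticket is of the expected kind, unexpired
    and carries a valid MAC; otherwise None (AuthFilter would re-prompt)."""
    now = time.time() if now is None else now
    try:
        t_kind, subject, expiry, mac = ticket.split(":")
    except ValueError:
        return None
    body = f"{t_kind}:{subject}:{expiry}"
    expected = hmac.new(SITE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None          # forged or tampered; expiry is untrusted until here
    if t_kind != kind or int(expiry) <= now:
        return None
    return subject


def filter_request(cookies: Dict[str, str], now: Optional[float] = None) -> Tuple[str, str, Dict[str, str]]:
    """Mixed-mode decision for one request.

    Returns (state, identity, cookies_to_set): state is 'registered' when a
    valid MSCSAuth ticket is present, else 'guest'. A guest with no valid
    MSCSProfile ticket is issued one (Autocookie behaviour)."""
    set_cookies: Dict[str, str] = {}
    user = parse_ticket(cookies.get("MSCSAuth", ""), "MSCSAuth", now)
    if user is not None:
        return "registered", user, set_cookies
    guest = parse_ticket(cookies.get("MSCSProfile", ""), "MSCSProfile", now)
    if guest is None:
        guest = secrets.token_hex(8)   # new anonymous profile id
        set_cookies["MSCSProfile"] = make_ticket("MSCSProfile", guest, PROFILE_TTL, now)
    return "guest", guest, set_cookies


def login(cookies: Dict[str, str], username: str, password: str,
          now: Optional[float] = None) -> Optional[Dict[str, str]]:
    """Custom Authentication: verify credentials, then add an MSCSAuth ticket.
    The existing MSCSProfile cookie is kept, so profile data gathered while
    the user was a guest is not lost. Returns None on bad credentials."""
    stored = USERS.get(username)
    candidate = _hash_pw(password, _SALT)   # constant work even for unknown users
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    new_cookies = dict(cookies)
    new_cookies["MSCSAuth"] = make_ticket("MSCSAuth", username, AUTH_TTL, now)
    return new_cookies


if __name__ == "__main__":
    t0 = 1_000_000
    state, who, issued = filter_request({}, now=t0)
    print(state, who, list(issued))            # guest <id> ['MSCSProfile']
    jar = login(issued, "alice", "correct horse", now=t0)
    print(filter_request(jar, now=t0)[:2])      # ('registered', 'alice')
    print(filter_request(jar, now=t0 + AUTH_TTL + 1)[:2])   # back to guest
```

Two design points carry over to any ticket scheme used this way: the MAC is verified before any other field is trusted, so a tampered expiry or kind cannot steer the parser, and the MSCSProfile identity is never returned from a valid MSCSAuth check, so profile tickets stay useless for access control even though they are long-lived.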

For more information about tickets, see Authentication Tickets.

See Also

Planning for Security

Working with Site Security and Filters

Site Security Objects

Managing the CS Authentication Resource

Commerce Server Security Checklist

Securing Your Site
