Processing User Requests in Windows Authentication Mode

In Windows Authentication mode, when a user requests a URL there are a number of possible outcomes. Internet Information Services (IIS) detects the request sent by the browser and notifies AuthFilter of the SF_NOTIFY_PREPROC_HEADERS event. At this point, AuthFilter takes control of processing the request and performs the following actions:

  1. It checks for site configuration properties in the local site configuration cache and, if not found, reads the site configuration properties from the Administration database using a SiteConfig object and stores them in the local site configuration cache.
  2. It checks whether the URL is correct, automatically correcting for the case sensitivity of the IIS virtual directory roots.
  3. It checks for session-cookie support on the browser.

At this point, three actions are possible, depending on whether cookies are enabled or disabled on the browser. The user is redirected to either a support page or a login page, or the user is sent the requested URL.

Case 1: Redirect to a Support Page

Case 2: Send the Requested URL

Case 3: Redirect to a Login Page

Case 1: Redirect to a Support Page

In this case, cookies are disabled. When AuthFilter discovers that session-cookies are disabled, it redirects the user to a support page that notifies the user that cookies are required and that the user should resubmit the request after cookies are enabled.

To accomplish this, AuthFilter performs the following steps in the background after being notified by IIS that an SF_NOTIFY_PREPROC_HEADERS event has occurred:

  1. It checks for site configuration properties in the local site cache and, if not found, it reads the site configuration properties from the Administration database using a SiteConfig object.
  2. It checks for session-cookie support on the browser. If session-cookies are not supported, the user is redirected to the Active Server Pages (ASP) page specified in the No-Cookie form property of the CS Authentication resource in the Commerce Server Manager user interface. Usually this page notifies the user that cookies are required and that the user should resubmit the request after cookies are enabled. By default, an ASP page named Nocookie.asp is supplied for this purpose. This file is located in the AuthFiles folder in the Commerce Server installation directory.

Case 2: Send the Requested URL

In this case, cookies are enabled. The requested URL is returned to the user in either of these scenarios:

  • The request contains a valid MSCSAuth ticket and the user has access rights to the requested URL.
  • The request does not contain an MSCSAuth ticket, but the requested URL has anonymous access rights.

To accomplish this, AuthFilter performs the following steps in the background after being notified by IIS that an SF_NOTIFY_PREPROC_HEADERS event has occurred:

  1. It checks for site configuration properties in the local site cache and, if not found, reads the site configuration properties from the Administration database using a SiteConfig object.
  2. It sets a cookie with an MSCSFirstRequestedURL property set to the originally requested URL.
  3. If the request does not contain an MSCSAuth ticket, the request is redirected to the Login.asp page.
  4. If the requested URL has anonymous access rights, the URL is returned.
  5. If the cookie contains an MSCSAuth ticket, AuthFilter checks the local password cache for an entry matching the user ID contained in the cookie.
  6. On finding a matching entry, AuthFilter checks the current time against the last login time set on the ticket to see if it is within the time window specified in the ticket. If the current time is within five minutes of the last login time plus the time window, the last login time on the ticket is changed to the current time so that an active user can continue browsing.
  7. Since the current time is within the time window, the ticket is considered valid, and the user ID and password are submitted to IIS for access to the requested URL.
  8. Since the user has access rights to the requested URL, IIS returns the page.

Case 3: Redirect to a Login Page

In this case, cookies are enabled. AuthFilter redirects the user to the login form, the Active Server Pages (ASP) page specified in the Login Form property of the CS Authentication resource, in any of these scenarios:

  • The request does not contain an MSCSAuth ticket and the requested URL does not have anonymous access rights.
  • The request contains an invalid MSCSAuth ticket.
  • The request contains a valid MSCSAuth ticket but the user does not have access rights to the requested URL.
  • The request contains a valid MSCSAuth ticket but the credentials for the user are not contained in the AuthFilter password cache (for example, when the request is sent to a new Web server in a Web farm scenario).

To accomplish this, AuthFilter performs the following steps in the background after being notified by IIS that an SF_NOTIFY_PREPROC_HEADERS event has occurred:

  1. It checks for site configuration properties in the local site cache and, if not found, reads the site configuration properties from the Administration database using a SiteConfig object.
  2. It sets a cookie with an MSCSFirstRequestedURL property set to the originally requested URL.
  3. If the request does not contain an MSCSAuth ticket, the request is redirected to the Login.asp page.
  4. If the requested URL does not have anonymous access rights, IIS notifies AuthFilter of the SF_NOTIFY_ACCESS_DENIED event, and the user is redirected to either a login page or an error page, as required.
  5. If the cookie does contain an MSCSAuth ticket, AuthFilter checks the password cache for an entry matching the user ID contained in the cookie.
  6. If a matching entry is not found, the user is redirected to the login page.
  7. If a matching entry is found, AuthFilter checks the current time against the login time to see if it is within the time window specified in the ticket.
  8. If the current time is past the time window specified in the ticket, the user is redirected to the login page.
  9. If the current time is within the time window, the ticket is considered valid, and the user ID and password are submitted to IIS for access to the requested URL.
  10. If the user does not have access rights to the requested URL, IIS issues an SF_NOTIFY_ACCESS_DENIED notification, and AuthFilter redirects the user to a login page.
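The decision logic of the three cases above, written as an added illustrative model (not Commerce Server or AuthFilter code): it takes a request, the anonymous-access URL set, the password cache and a per-user access list, and returns which outcome the filter reaches and whether the ticket's last login time was slid forward. All class, function and constant names, the fixed clock and the sample users are assumptions of this example; the real ticket format and validity check are not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Outcome labels are this example's own, not AuthFilter identifiers.
NOCOOKIE, LOGIN, SEND = "redirect:Nocookie.asp", "redirect:Login.asp", "send URL"
REFRESH_GRACE = timedelta(minutes=5)   # five-minute sliding refresh (Case 2, step 6)
NOW = datetime(2005, 1, 1, 12, 0)      # fixed clock so results are reproducible

@dataclass
class Ticket:                 # simplified model of an MSCSAuth ticket
    user_id: str
    last_login: datetime
    time_window: timedelta
    well_formed: bool = True  # stands in for the filter's own validity check

@dataclass
class Request:
    url: str
    cookies_enabled: bool
    ticket: Optional[Ticket] = None

def make_ticket(user_id, minutes_since_login, window_minutes, well_formed=True):
    """Build a constructed ticket relative to the fixed clock NOW."""
    return Ticket(user_id, NOW - timedelta(minutes=minutes_since_login),
                  timedelta(minutes=window_minutes), well_formed)

def decide_request(req, anonymous_urls, password_cache, acl, now=NOW):
    """Return (outcome, ticket_refreshed) following the three cases on this page."""
    if not req.cookies_enabled:                  # Case 1: session cookies disabled
        return NOCOOKIE, False
    if req.url in anonymous_urls:                # Case 2: anonymous access, no ticket needed
        return SEND, False
    t = req.ticket
    if t is None or not t.well_formed:           # Case 3: missing or invalid ticket
        return LOGIN, False
    if t.user_id not in password_cache:          # Case 3: cache miss (new server in a Web farm)
        return LOGIN, False
    expiry = t.last_login + t.time_window
    if now > expiry:                             # Case 3: past the time window
        return LOGIN, False
    refreshed = expiry - now <= REFRESH_GRACE    # Case 2, step 6: slide the window forward
    if refreshed:
        t.last_login = now
    # Credentials go to IIS; a denial surfaces as SF_NOTIFY_ACCESS_DENIED -> login page.
    if req.url in acl.get(t.user_id, set()):
        return SEND, refreshed
    return LOGIN, refreshed
```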

For information about the events on the login page, see Login Page: Get Method and Post Method.

See Also

Enabling Windows Authentication

Processing User Requests in Custom Authentication Mode

Processing User Requests in Autocookie Mode

Copyright © 2005 Microsoft Corporation.
All rights reserved.