Enabling Proxy Accounts

To implement the use of proxy accounts for your site, you must do the following:

  • Unpack a solution site
  • Enable AuthFilter in Windows authentication mode for your site
  • Create user accounts (proxy accounts) in Active Directory
  • Add new properties to the profile definition for your site
  • Create user accounts in SQL Server

Create Windows user accounts in Active Directory

In Active Directory, create one Windows user account for each role. These are the proxy accounts.

Add new properties to the profile definition for your site

Add two new properties to the profile definition for your site. One property stores the name of the proxy account (which is in Active Directory); the other stores the password of the proxy account in the SQL Server database in a form that can be decrypted and retrieved as clear text. The password property should be encrypted (see the notes below). For information about this procedure, see Adding Properties to a Profile Definition.

Notes

  • Storing passwords in clear text is a security risk: anyone who can read the store can read the passwords, which is not the case for encrypted passwords.
  • The property that stores the name of the proxy account must be a string value, must map to data, and must be a required property.
  • The property that stores the password of the proxy account must be a string value, must map to data, must be a required property, and must be configured for asymmetric (reversible) encryption, so that the password can be decrypted and returned to the login page as clear text.
  • The proxy account password in Active Directory and the proxy password stored in the profile (in SQL Server) are not synchronized. If you change the password for a proxy account in Active Directory, you must also change the proxy account password in SQL Server for each user mapped to that proxy account.

Update Login.asp for your site

In addition to authenticating the user, the Login.asp page must be updated to do the following:

  • Retrieve the profile and obtain the proxy account and proxy password for the user.
  • Set the MSCSAuth ticket with the user ID of the user. The credentials passed to the filter in the query string, however, are those of the proxy account. You must also set the GUID property on both the ticket and the query string, so that AuthFilter performs its lookup in its password cache based on the GUID and not on the user ID in the ticket.

For more information, see Configuring Login.asp to use a GUID.

For a code sample of Login.asp configured to use proxy accounts, see Code to Implement Proxy Accounts.
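The following is an added example of the proxy-account logic in Login.asp; it is not the Code to Implement Proxy Accounts sample from the product documentation and is not Commerce Server code. It assumes two profile properties named GeneralInfo.proxy_account and GeneralInfo.proxy_password (the properties added to the profile definition in the previous step), form fields named username, password and ReturnURL, a fresh GUID per login generated with Commerce.GenID, and query-string parameter names username, password and GUID as read by AuthFilter; check the parameter names and the GUID value against Configuring Login.asp to use a GUID for your site.

```vbscript
<%
Option Explicit
' Added example (not the Commerce Server "Code to Implement Proxy Accounts"
' sample): the proxy-account part of Login.asp, run after the form is posted.
' Assumed names: profile properties GeneralInfo.proxy_account and
' GeneralInfo.proxy_password, form fields username / password / ReturnURL,
' and the query-string parameters username, password and GUID read by
' AuthFilter. Check these against your site's Login.asp configuration.

Const MSCS_AUTH_TICKET = 2          ' ticket type for AuthManager.SetProperty
Const TICKET_TIMEOUT_MINUTES = 90

Dim strUserName, strPassword, strReturnURL
strUserName  = Request.Form("username")
strPassword  = Request.Form("password")
strReturnURL = Request.Form("ReturnURL")

' Only redirect within the site: ReturnURL must be a site-relative path.
If Left(strReturnURL, 1) <> "/" Or Left(strReturnURL, 2) = "//" Then
    strReturnURL = "/default.asp"
End If

' 1. Authenticate the user against the SQL Server user store.
Dim objProfileService, objProfile
Set objProfileService = Application("MSCSProfileService")
Set objProfile = objProfileService.GetProfile(strUserName, "UserObject")

' VBScript does not short-circuit, so test the profile before using it.
If objProfile Is Nothing Then
    FailLogin
ElseIf Not PasswordMatches(objProfile, strPassword) Then
    FailLogin
End If

' 2. Retrieve the proxy account and password from the profile. The password
'    property uses asymmetric (reversible) encryption, so the profile
'    service returns it as clear text here; it must not be written to the
'    page, a cookie or a log.
Dim strUserID, strProxyAccount, strProxyPassword
strUserID        = objProfile.Fields("GeneralInfo.user_id").Value
strProxyAccount  = objProfile.Fields("GeneralInfo.proxy_account").Value
strProxyPassword = objProfile.Fields("GeneralInfo.proxy_password").Value

' Every SQL Server user must map to a proxy account; refuse, never fall back.
If IsNull(strProxyAccount) Or IsNull(strProxyPassword) Then FailLogin
If Len(strProxyAccount) = 0 Or Len(strProxyPassword) = 0 Then FailLogin

' 3. Set the MSCSAuth ticket with the user's own ID, plus the GUID property
'    so that AuthFilter keys its password cache on the GUID, not the user ID.
'    A fresh GUID per login is assumed here (Commerce.GenID.GenGUIDString).
Dim objGenID, strGUID, objAuthManager
Set objGenID = Server.CreateObject("Commerce.GenID")
strGUID = objGenID.GenGUIDString

Set objAuthManager = Server.CreateObject("Commerce.AuthManager")
objAuthManager.Initialize Application("MSCSSiteName")
objAuthManager.SetAuthTicket strUserID, False, TICKET_TIMEOUT_MINUTES
objAuthManager.SetProperty MSCS_AUTH_TICKET, "GUID", strGUID

' 4. Hand the proxy credentials (not the user's) and the GUID to AuthFilter
'    on the query string of the originally requested page.
Response.Redirect strReturnURL & "?username=" & Server.URLEncode(strProxyAccount) _
                & "&password=" & Server.URLEncode(strProxyPassword) _
                & "&GUID=" & Server.URLEncode(strGUID)

' Same response for an unknown user and a wrong password.
Sub FailLogin()
    Response.Redirect "Login.asp?failed=1"
End Sub

' Placeholder for the site's own password check against the stored
' user_security_password property; how the comparison is done depends on
' how that property is encrypted in your profile definition.
Function PasswordMatches(objProfile, strSubmitted)
    PasswordMatches = (objProfile.Fields("GeneralInfo.user_security_password").Value = strSubmitted)
End Function
%>
```

Two design points: the ReturnURL check keeps the redirect inside the site, so the proxy credentials on the query string are only ever sent to your own pages, and the proxy password is read from the profile and forwarded without being echoed anywhere else. Because the clear-text proxy password travels in the query string, the login page and the target page should be served only over HTTPS.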

Note

  • The password must be returned to the login page as clear text. This is the reason the password for the proxy account is stored in the profile.

For more information, see Clear Text Passwords.

Create user accounts in SQL Server

Map each user account (in SQL Server) to a proxy account (in Active Directory).

Notes

  • When you create new users, enter the role of each user. For existing users, you must enter the role information for each user account.
  • The administrator who adds users must also enter the proxy password for the user's role. This is stored in the password property that was added to the profile definition.
  • When implementing proxy accounts for your site, every user account (stored in SQL Server) must be mapped to a proxy account (stored in Active Directory).

The Active Directory domain controller must be configured to allow domain users to log on locally.

See Also

Post Method

Adding Properties to a Profile Definition

AuthFilter and DDoS Attacks

BDSecurity Object

AuthManager Object

Clear Text Passwords

Copyright © 2005 Microsoft Corporation.
All rights reserved.