About the CS Authentication Resource

The CS Authentication resource is a Commerce Server resource with global-level properties, and is managed through Commerce Server Manager. You use the CS Authentication resource to configure authentication modes and to determine how cookies will be implemented on your site. For example, using the CS Authentication resource you can enable autocookie generation, set cookies to be shared among applications on the same site, or determine how long the persistent cookie is valid.

You set CS Authentication properties in two places:

  • At the global level, you set properties in the CS Authentication global resource. These properties are used by all Commerce Server sites.

  • At the application level (right-click the application in Commerce Server Manager), you set authentication properties that are used only by the one application.

For each site, CS Authentication includes a global resource pointer. No properties are set at the site level. Two or more sites can share the same global CS Authentication resource.

If you are developing a site using a Commerce Server Solution Site, you also set authentication properties in the App Default Config resource. These properties are not used by CS Authentication. For information about configuring the App Default Config properties, see Configuring App Default Config Resource Properties.

  • Authentication Components

  • Authentication Modes

  • Multi-Domain, Single Login Capability

Authentication Components

Commerce Server provides two tools to manage user authentication and identification: the AuthManager object and the AuthFilter.

  • AuthManager. A Component Object Model (COM) object that exposes methods for identifying users and controlling access to dynamically generated content. For example, a site developer could invoke the GetUserID method of AuthManager to identify a user based on a cookie or a query string. For more information, see Configuring CS Authentication Resource Properties.

  • AuthFilter. An ISAPI filter that is used at the IIS Commerce Server application level. It can be applied to all users visiting the application. You configure AuthFilter at the application level. For more information, see Configuring an Application.

Authentication Modes

When you use AuthFilter, you can choose the following authentication modes:

  • No Filter mode. AuthFilter is not enabled.

  • Windows Authentication. AuthFilter uses Windows Authentication to control access to the site. It checks the user login and password against Active Directory (or a local Security Accounts Manager account). When you use Windows Authentication, you can require login access for only certain Active Server Pages (ASP) pages and directories that you specify. To use Windows Authentication, see Enabling Windows Authentication.

  • Custom Authentication. AuthFilter checks the user login and password (MSCSAuth ticket) against a SQL Server database or other type of database. Login access is required for every ASP page and directory in the Commerce Server site. AuthFilter checks against the virtual directory for the Commerce Server site, and it checks the Commerce Server Administration database to determine whether Custom Authentication is enabled for that site. If the MSCSAuth ticket is not valid, AuthFilter requires the user to enter login information.

    To use Custom Authentication, see Enabling Custom Authentication.

  • Autocookie mode. You can automatically generate cookies, which store tickets, for guest users. (When an anonymous user gets an MSCSProfile ticket, the user becomes a guest user.) MSCSProfile tickets enable you to collect profile data about how guest users navigate and use your site.

    If you select Autocookie mode and No Filter mode, then there are no registered users.

    If you use Autocookie mode together with either Windows Authentication mode or Custom Authentication mode (a combination known as mixed mode), then when guest users register, their persistent cookies can be updated, and you do not lose the profile data gathered while the user was a guest. To use Autocookie mode, see Enabling Autocookie Generation.

If you enable mixed mode, AuthFilter generates the following tickets:

  • The first time the user logs in to the site, it generates an MSCSProfile ticket.

  • If the user is authenticated, it generates the MSCSAuth ticket, which will contain the user ID. You can use the MSCSAuth ticket for access control.

  • If the user is not authenticated (no MSCSAuth ticket), the MSCSProfile ticket will indicate that the user is anonymous.

Multi-Domain, Single Login Capability

The CS Authentication resource provides multi-domain, single login capability. To provide multi-domain, single login, you share cookies between domains by using the cookie's domain property. This works only if the domains have a common subdomain name. For example, premier.microsoft.com and msn.microsoft.com can share cookies with the microsoft.com domain name.

However, two domains such as microsoft.com and microsoft.uk cannot support single-login capability; they cannot share cookies because the subdomain name is not common. In this scenario, the user will be required to log in again when switching domains. For more information about Passport integration, see Integrating with Passport.

To use multi-domain single login, you set two authentication properties at the site level: Set cookie path to application and Number of shared domain levels. You must set Number of shared domain levels to at least two, and use domains that share the same top-level name, for example, msn.microsoft.com and premier.microsoft.com. For information about setting these authentication properties, see Configuring an Application.
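
The following is an added example, not Commerce Server code: it models the cookie scoping described above so you can check which hosts would share a login and which hosts would receive the ticket cookie. It assumes that Number of shared domain levels counts the right-most labels of the host name; the function names and the host inventory are constructed for illustration.

```javascript
// Added illustration; not Commerce Server code. Assumption: "sharedLevels"
// models "Number of shared domain levels" as a count of right-most labels.
function cookieDomain(host, sharedLevels) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  if (!Number.isInteger(sharedLevels) || sharedLevels < 2) {
    throw new RangeError("shared domain levels must be an integer >= 2");
  }
  if (labels.length < sharedLevels) {
    throw new RangeError(`${host} has fewer than ${sharedLevels} labels`);
  }
  return labels.slice(-sharedLevels).join(".");
}

// Cookie domain matching: the host equals the cookie domain or is a
// subdomain of it (ends with "." + domain).
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

// Two hosts can share a ticket cookie only if both derive the same domain.
function canShareLogin(hostA, hostB, sharedLevels) {
  return cookieDomain(hostA, sharedLevels) === cookieDomain(hostB, sharedLevels);
}

// Every host in the inventory to which a browser would send the cookie.
function cookieAudience(issuingHost, sharedLevels, inventory) {
  const domain = cookieDomain(issuingHost, sharedLevels);
  return inventory.filter((h) => domainMatches(h, domain));
}

// Constructed host inventory; the first four names come from the text above.
const HOSTS = [
  "premier.microsoft.com",
  "msn.microsoft.com",
  "microsoft.com",
  "microsoft.uk",
  "test.msn.microsoft.com", // hypothetical extra host under the shared domain
];

console.log(canShareLogin("premier.microsoft.com", "msn.microsoft.com", 2));
console.log(canShareLogin("microsoft.com", "microsoft.uk", 2));
console.log(cookieAudience("premier.microsoft.com", 2, HOSTS));
```

The audience list is the point to review before enabling shared cookies: every host under the shared domain receives the ticket, including hosts that are not part of the single-login design.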

See Also

Planning for Security

Working with Site Security and Filters

Enabling Windows Authentication

Enabling Custom Authentication

Enabling Autocookie Generation

Site Security Objects

AuthManager Object

