Enabling AuthFilter for the Supplier Solution Site

These instructions explain how to enable the AuthFilter on the Supplier Solution Site.

For the Supplier Solution Site and for using AuthFilter in Windows Authentication mode, you need to set the security mode on your domain controller to log on locally. If you have not yet done so, see Setting the Security Mode on the Domain Controller.

Only Basic Authentication should be enabled on the Supplier Solution Site. Do not change any other security settings.

The AuthFiles subfolder and all pages in it should have anonymous access enabled.

If your domain controller and Web server are installed on different computers in the same domain, then AuthFilter must have an anonymous account on the Web server in order to execute the method ProfileService.GetUserProfileByKey() on the Login page successfully for any profile/user.

By default, an anonymous user account is IUSR_<servername>. In Internet Services Manager, IUSR_<servername> does not have enough permissions to execute this successfully in this scenario. In addition, if your Web server is different from your domain-controller server, you must add a user account from that domain as the anonymous account. To do this you first create on the domain a user account that has access to read the user properties from Active Directory. Then on the Web server, use IIS Manager to set up the same user account as the anonymous account for the AuthFiles subfolder and all the files in that subfolder.

To enable AuthFilter on the Supplier Solution Site

  1. Use Commerce Server Site Packager to unpack the Supplier Solution Site.

  2. Expand Commerce Server Manager, expand Commerce Sites, and then click the site you want to administer.

  3. Expand Applications, right-click the name of the application that you want to work with, and then click Properties.

  4. In the Properties dialog box, in the General tab, in the Authentication filter box, select either Windows Authentication or Custom Authentication, and then click OK.

  5. Expand Internet Information Services, right-click the Supplier site, and then click Properties.

  6. In the Properties dialog box, in the Directory Security tab, in the Anonymous access and authentication control section, click Edit.

  7. In the Authentication Methods dialog box, clear the Integrated Windows authentication box.

Note

  - Only Basic Authentication should be enabled on the Supplier Solution Site. Do not change any other security settings.

  8. Use a text editor to open Authfiles\Login.asp for the Supplier site.

  9. If you are using a Web farm, or if you require proxy account support, in Login.asp, update the code so it matches the code shown in the topic, Login.asp Code for Supplier Solution Site.

Important

  - If this is a single server that requires no support for proxy accounts, you do not need to update Login.asp.

  10. For Windows Authentication, change the GetUserInfo() method in \SupplierAD\include\Std_access_lib.asp to the following:
Sub GetUserInfo()
    Dim sAuthUser, mscsUser
    Dim aName

    If dictConfig.i_DelegatedAdminOptions = DELEGATED_ADMIN_SUPPORTED Then
        sAuthUser = LoginName(Request.ServerVariables("LOGON_USER"))
    End If

    Rem Integrated Windows and Basic authentication take precedence over HTML form authentication
    If sAuthUser <> "" Then
        m_UserAccessType = IIS_AUTH ' BASIC_AUTH
        m_UserType = AUTH_USER
        Set mscsUser = GetUserProfileByLoginName(sAuthUser)
        If mscsUser Is Nothing Then
            m_UserID = ""
        Else
            m_UserID = mscsUser.Fields(GetQualifiedName(GENERAL_INFO_GROUP, USER_ID)).Value
        End If
    Else
        If mscsAuthMgr.IsAuthenticated() Then
            sAuthUser = mscsAuthMgr.GetUserID(AUTH_TICKET)
            Set mscsUser = GetUserProfileByLoginName(sAuthUser)
            If mscsUser Is Nothing Then
                m_UserID = ""
            Else
                m_UserID = mscsUser.Fields(GetQualifiedName(GENERAL_INFO_GROUP, USER_ID)).Value
            End If
            m_UserAccessType = TICKET_AUTH
            m_UserType = AUTH_USER
        Else
            If Not IsNull(mscsAuthMgr.GetUserID(GUEST_TICKET)) Then
                m_UserID = mscsAuthMgr.GetUserID(GUEST_TICKET)
                m_UserAccessType = GUEST_VISIT
                m_UserType = GUEST_USER
            Else
                m_UserID = ""
                m_UserAccessType = ANON_VISIT
                m_UserType = ANON_USER
            End If
        End If
    End If
End Sub

Function LoginName(ByVal sUserName)
    Dim aName

    ' Strip a leading DOMAIN\ so the profile lookup uses the bare login name
    If (sUserName = "") Then
        Exit Function
    End If
    aName = Split(sUserName, "\")
    LoginName = aName(UBound(aName))
End Function
  11. For Windows Authentication, in the PrepareLoginSection method in \SupplierAD\template\menu.asp, change any Request.ServerVariables call that reads the "AUTH_USER" server variable so that it reads "LOGON_USER" instead. With AuthFilter in Windows Authentication mode, AUTH_USER is not set (see Important Information about Using AuthFilter, below), so code that reads it gets an empty value for a user who has in fact logged on. For example:

    Incorrect: sAuthUser = Request.ServerVariables("AUTH_USER")

    Correct: sAuthUser = Request.ServerVariables("LOGON_USER")

  12. Save and close the updated Login.asp, Std_access_lib.asp, and menu.asp pages.

  13. Use Business Desk to create a new user for the Supplier site.

Important

  - Create an Organization before adding any users or creating new users for it.

  14. Use Internet Explorer to navigate to http://<computername>/SupplierAD.

  15. At the login page, type the user name in DomainName\userID or User Principal Name (UPN) format. (You can add logic to Login.asp that appends the domain or UPN suffix to the user ID automatically.) Type the password if you are a registered user, or choose to register by clicking the link at the bottom of the page. (You need to supply your own registration page that creates the accounts in Active Directory.)

The Login.asp page sets the MSCSAuth ticket for the registered user, retrieves the profile for the user, checks credentials if required, and the request populates the default Web page using the profile information it retrieved.

If the user name or password is not valid or if the profile could not be found, the Login.asp page is displayed again with an error message, and presents the same two options to log in as before.
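As an added example (not code from the Commerce Server documentation), the following Python model reproduces the precedence order of the GetUserInfo() routine above and shows why the LOGON_USER change matters: with AuthFilter in Windows Authentication mode only LOGON_USER is set, so a page that still reads AUTH_USER sees an empty value and drops a Basic-authenticated user through to the ticket, guest and anonymous branches. The profile store, request and ticket objects are constructed stand-ins; the constant names mirror the ASP code.

```python
# Added example, not part of the Commerce Server documentation: a Python model of
# the GetUserInfo()/LoginName() logic from Std_access_lib.asp. PROFILES, Request
# and AuthMgr are constructed stand-ins for the profile service, the IIS request
# and mscsAuthMgr.
from dataclasses import dataclass
from typing import Optional

IIS_AUTH, TICKET_AUTH, GUEST_VISIT, ANON_VISIT = "IIS_AUTH", "TICKET_AUTH", "GUEST_VISIT", "ANON_VISIT"
AUTH_USER, GUEST_USER, ANON_USER = "AUTH_USER", "GUEST_USER", "ANON_USER"

# Constructed profile store keyed by login name (stands in for GetUserProfileByLoginName).
PROFILES = {"alice": "u-1001", "bob@corp.example": "u-1002"}


def login_name(user_name: str) -> str:
    """Mirror of LoginName(): strip a DOMAIN\\ prefix. A UPN (user@domain) has no
    backslash and is returned unchanged, so UPN logins need a matching profile key."""
    if not user_name:
        return ""
    return user_name.split("\\")[-1]


@dataclass
class Request:
    """Stand-in for the ASP Request object; only ServerVariables is modelled."""
    server_variables: dict


@dataclass
class AuthMgr:
    """Stand-in for mscsAuthMgr: auth_ticket / guest_ticket hold the user ID, or None."""
    auth_ticket: Optional[str] = None
    guest_ticket: Optional[str] = None

    def is_authenticated(self) -> bool:
        return self.auth_ticket is not None

    def get_user_id(self, kind: str) -> Optional[str]:
        return self.auth_ticket if kind == "AUTH_TICKET" else self.guest_ticket


def get_user_info(req: Request, auth_mgr: AuthMgr, variable: str = "LOGON_USER",
                  delegated_admin: bool = True):
    """Return (user_id, access_type, user_type) following the ASP precedence:
    IIS (Basic/Integrated) authentication, then MSCSAuth ticket, then guest ticket,
    then anonymous. `variable` is the server variable the page reads."""
    s_auth_user = ""
    if delegated_admin:
        s_auth_user = login_name(req.server_variables.get(variable, ""))
    if s_auth_user:
        # Authenticated by IIS; an unknown login still counts as IIS_AUTH with no profile.
        return PROFILES.get(s_auth_user, ""), IIS_AUTH, AUTH_USER
    if auth_mgr.is_authenticated():
        uid = auth_mgr.get_user_id("AUTH_TICKET")
        return PROFILES.get(uid, ""), TICKET_AUTH, AUTH_USER
    if auth_mgr.get_user_id("GUEST_TICKET") is not None:
        return auth_mgr.get_user_id("GUEST_TICKET"), GUEST_VISIT, GUEST_USER
    return "", ANON_VISIT, ANON_USER


def demo():
    """Constructed request as IIS presents it under AuthFilter Windows Authentication:
    LOGON_USER is set, AUTH_USER is absent. Returns the result of reading each variable."""
    req = Request({"LOGON_USER": "CORP\\alice"})
    no_ticket = AuthMgr()
    correct = get_user_info(req, no_ticket, variable="LOGON_USER")  # -> ('u-1001', 'IIS_AUTH', 'AUTH_USER')
    wrong = get_user_info(req, no_ticket, variable="AUTH_USER")     # -> ('', 'ANON_VISIT', 'ANON_USER')
    return correct, wrong


if __name__ == "__main__":
    print(demo())
```

The same request yields an authenticated user or an anonymous visit depending only on which server variable the page reads, which is the failure the menu.asp step guards against.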

Important Information about Using AuthFilter

  • If you unpack a site to a virtual directory on IIS with AuthFilter enabled, you must clear the application-level property Set cookie path to application. This property controls the path attribute set on the cookies the site issues. By default the flag is enabled and the path is set to the virtual directory of the site (for example, /retail). Clearing the box sets the root (/) as the cookie path. Note that a cookie scoped to / is sent with every request to that host, so any other application on the same Web server also receives the authentication ticket. You must restart IIS after updating this property. For instructions, see Restarting IIS.

  • Verify that you use Anonymous Access for all include, .gif, or helper files that are used by Login.asp.

  • For Windows Authentication, the default login page uses the GET action in Login-Submit. The POST action is also supported with Login.asp. For information about supporting the POST action, see the comments in Login.asp and follow those instructions.

  • There is a known security issue with using GET for Login.asp: the user name and password travel in the URL query string, so they are written to the browser history and can also appear in proxy and Web server logs. If you cannot switch to POST, tell users who visit your site to set their browser to clear the history automatically after they log off, or to clear it manually.

  • In Windows Authentication, the following server variables are not set: AUTH_USER and AUTH_TYPE. The server variable LOGON_USER is set to the User ID, which is used for logging in.

  • To use Secure Sockets Layer (SSL), you must set the s_Login_Form property in CS Authentication to the full path. For instructions, see Configuring CS Authentication Resource.
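The GET issue above, as an added example that is not part of the original documentation: a Python sketch of what the two submission methods put on the wire, and a check that scans W3C extended log lines for credential parameters recorded in cs-uri-query. The form field names login_name and login_password, the Login.asp path and the sample log are assumptions made for illustration; the real field names are in your Login.asp.

```python
# Added example, not part of the Commerce Server documentation. Field names, the
# Login.asp path and SAMPLE_LOG are constructed for illustration.
from urllib.parse import urlencode, parse_qs

# Parameter names treated as credentials when they show up in a query string (assumption).
CREDENTIAL_PARAMS = {"password", "login_password", "pwd", "passwd"}


def build_login_request(method: str, user: str, password: str,
                        path: str = "/SupplierAD/AuthFiles/Login.asp"):
    """Return (request_line, body) for a form submission. With GET the credentials
    are part of the request-target, which browsers keep in history and IIS records
    in cs-uri-query; with POST they are in the body, which W3C logs do not record."""
    form = urlencode({"login_name": user, "login_password": password})
    if method.upper() == "GET":
        return f"GET {path}?{form} HTTP/1.1", ""
    return f"POST {path} HTTP/1.1", form


# Default W3C extended field order, used if a log has no #Fields: directive.
W3C_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def find_leaked_credentials(log_text: str):
    """Scan W3C extended log lines and return (line_no, method, uri_stem, leaked_params)
    for every request whose query string carries a credential parameter."""
    hits = []
    fields = W3C_FIELDS
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # honour the log's own column order
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue                            # malformed line; skip rather than guess
        rec = dict(zip(fields, cols))
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue                            # IIS writes "-" for an empty query string
        leaked = sorted(k for k in parse_qs(query, keep_blank_values=True)
                        if k.lower() in CREDENTIAL_PARAMS)
        if leaked:
            hits.append((n, rec["cs-method"], rec["cs-uri-stem"], leaked))
    return hits


# Constructed sample log: one GET login (password in the query string), one normal
# page request, one POST login (the body is not logged).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-01 10:00:01 10.0.0.5 GET /SupplierAD/AuthFiles/Login.asp login_name=CORP%5Calice&login_password=Summer2001 302
2001-05-01 10:00:02 10.0.0.5 GET /SupplierAD/default.asp - 200
2001-05-01 10:00:09 10.0.0.7 POST /SupplierAD/AuthFiles/Login.asp - 302
"""

if __name__ == "__main__":
    print(build_login_request("GET", "alice", "s3cret")[0])
    print(find_leaked_credentials(SAMPLE_LOG))
```

Running the scan over a server's real logs tells you whether the GET form is in use and which log files now hold passwords and need to be purged or access-restricted, which is the operational side of the history-clearing advice.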

See Also

Working with Site Security and Filters

Login.asp Code for Supplier Solution Site
