Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

HOW TO: Enable the Retail Solution Site for Proxy Authentication



This article was previously published under Q301277



Summary

This article discusses how to implement Proxy Authentication in the Commerce Server 2000 Retail Solution Site.

With Proxy Authentication, a site can use ACL-based security without the overhead of creating an account in Active Directory for each site user. A proxy account can be assigned to the site as a whole, or on a user-by-user basis.

This article provides the necessary steps to implement a global proxy account on the Retail Solution Site.

NOTE: Proxy Authentication works in conjunction with the Commerce Server Authentication Filter, which requires that clients have cookies enabled.

Unpackage Retail Site

Use the following procedure if you are going to make the computer a Web server and if you are going to place all of the database files on one Microsoft SQL Server-based server.

To unpack a site quickly while accepting most of the default settings:
  1. Click Start, point to Programs, point to Microsoft Commerce Server 2000, and then click Commerce Server Site Packager.
  2. In the Commerce Server Site Packager dialog box, select Unpack from a package file, and then click Next.
  3. In the Unpack dialog box, click the Browse button next to the File to unpack box.
  4. In the Open dialog box, navigate to the folder that contains the file that you want to unpack, click the file, and then click Open.
  5. On the Unpack dialog box, select Quick unpack, and then click Next.
  6. In the Quick Unpack dialog box, you have the following options:
    • Site name: Type the name for the site if you want to change it. Do not include special characters (such as #, @, %, and ') in the name and do not name your site "Commerce."
    • IIS Web site: Select the name of the IIS Web site where the applications will be installed.
    • SQL Server computer: Type the name of the SQL server that will contain the databases for the site.
    • SQL user name: Type the SQL logon name for the databases.
    • SQL password: Type the SQL logon password.
  7. If the Data Warehouse dialog box opens, you have the following options:
    • Name: Type a name for the global Data Warehouse resource.
    • Server: Type the name of the SQL Analysis online analytical processing (OLAP) computer.
    • Database: Type the name of the Analysis (OLAP) database to use.
  8. Click Next.
  9. If the first Profiling System dialog box opens, you have the following options:
    • Profile Schema Definition: Specify the profile schema definition to import.
    • Site Terms Definition: Specify the site terms definition to import.
    • Expression Definition: Specify the expression definition to import.
  10. Click Next.
  11. If the second Profiling System dialog box opens, you have the following options:
    • Profiling System Connection String: Specify the files to import into the OLEDB data store. Click Modify to specify a different database.
    • Schema definition scripts (*.sql, *.vbs): Specify the schema definition scripts to import.
    • Data population scripts (*.sql): Specify the data population scripts to import.
  12. Click Next.
  13. In the Unpacking is complete dialog box, review the list of SQL Server databases and IIS applications that were created. To review the list of events in the Site Packager log file, click View Log File.
  14. To close Site Packager, click Finish.

Enable Windows Authentication

Enable the Windows Authentication mode of the Commerce Server Authentication filter in Commerce Server Manager:
  1. Start Commerce Server Manager, click Commerce Server Manager, click Commerce Sites, click Retail, and then click Applications.
  2. Right-click your retail application, and then click Properties.
  3. In the Commerce Authentication Filter property group, set Authentication filter to Windows Authentication.
  4. Click OK to accept the changes. For the changes to take effect, run iisreset. To do so, run it from a command prompt or click Start, click Run, type iisreset, and then click OK.
  5. Expand Internet Information Services, right-click the site, and then click Properties. On the Directory Security tab, in the Anonymous access and authentication control section, click Edit. In the Authentication Methods dialog box, enable Basic authentication only.

Modify Login.asp to use Proxy Account

To enable the use of a Proxy Account, decide beforehand how and where to store and retrieve the proxy account information. To simplify this procedure, hard code the proxy account information into Login.asp:
  1. Open Login.asp (from the AuthFiles directory under Retail Site) in an editor, such as Notepad.
  2. The Login.asp page should look like the following code sample:

    NOTE: All of the modifications are in the following section:
    " if strSelect = "fromButton" then "
    					

    Modified Login.asp File

    <!-- #INCLUDE FILE="../include/header.asp" -->
    <!-- #INCLUDE FILE="../include/const.asp" -->
    <!-- #INCLUDE FILE="../include/html_lib.asp" -->
    <!-- #INCLUDE FILE="../include/form_lib.asp" -->
    <!-- #INCLUDE FILE="../include/std_access_lib.asp" -->
    <!-- #INCLUDE FILE="../include/std_profile_lib.asp" -->
    <!-- #INCLUDE FILE="../include/std_cookie_lib.asp" -->
    <!-- #INCLUDE FILE="../include/std_url_lib.asp" -->
    <!-- #INCLUDE FILE="../include/std_util_lib.asp" -->
    <!-- #INCLUDE FILE="../include/setupenv.asp" -->
    <%
    REM Microsoft Commerce Server 2000
    REM sample login-file for using with AuthFilter
    REM This file handles Login for user
    %>
    
    <%
             '*****Add the Main()*****
    	Sub Main()
    	'
    	End Sub
    	
    	Dim strSelect, strPassword, strPWD, strAuthErr, strSiteName, strUserID, strRetAsp, strGUID,sAuthUser 
    	Dim objAuth, objMSCSProfileService, objMSCSProfileObj
    
    	set objAuth = Server.CreateObject("Commerce.AuthManager")
    	strSiteName = CStr(Application("MSCSCommerceSiteName"))		'Get siteName, set in Global.asa in application scope
    	objAuth.Initialize(strSiteName)
    	
    	'check for Submit or not	
    	strSelect = Request.QueryString("realSubmit")
    	
    	'If users pressed the submit button
    	if strSelect = "fromButton" then
    		strUserID	= Request.QueryString("txtUsername")		' Get UserName from QueryString if this is GET request, this could be POST request also
    		strPassword	= Request.QueryString("txtPassword")		' Get Password from QueryString if this is GET request, this could be POST request also
    		
    		if (strUserID = "") or (strPassword = "") Or IsNull(strUserID) Or IsNull(strPassword)  then
    			Response.Redirect "Login.asp"
    		end If
                      '*****Changed From this line*****
    
    		'sAuthUser = strUserID
    		Set objMSCSProfileObj = GetUserProfileByLoginName(strUserID)
    				 
    		if (objMSCSProfileObj is nothing) then
    		   Response.Redirect "login.asp"
    		end if
    
    		strPWD = objMSCSProfileObj.Fields.Item("GeneralInfo").Value.Item("user_security_password")
    
                      '*****To this line*****
    		
    		' Get User-password: comment-out following line if you support Profiles
    		'strPWD = GetCurrentUserPassword(strUserID)
    		
    		' if profileSvc is not used for BlankSite:
    		'strPWD = strPassword	' remove this line if you have read the password from UserProfileSvc or some other obj/src, in clear text
    		
    		if (strPWD = strPassword) then	' if passwords are equal, not necessary in Windows-Auth-mode
                                '*****Changed From this line*****
                                Dim strUserGuid 
                                strUserGuid = ObjMSCSProfileObj.GeneralInfo.user_id
    			'objAuth.SetAuthTicket strUserID, True, 90				' set AuthTicket
    			objAuth.SetAuthTicket strUserGuid, True, 90				' set AuthTicket	
    			' For PROXY AUTHENTICATION:
    			strUserID = "domain\ProxyUser"      
    			strPassword = "password"
                               '*****To this line*****			
    
    			strRetAsp = Request.Cookies("MSCSFirstRequestedURL")	' First requested URL (even if there is no QueryString this URL contains '?' at the end
    			strRetAsp = strRetAsp + "&proxyuser="					' QS-separator '?' is added by filter, in case of no Querystring
    			strRetAsp = strRetAsp + strUserID						' userID submitted : "DomainName\LoginID"
    			strRetAsp = strRetAsp + "&proxypwd="					' UPDATE_NEEDED for password (may need to change it to: 'strPwd')
    			strRetAsp = strRetAsp + strPassword
    			''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    			' Distributed-Denial-Of-Service Attack (DDoS)
    			''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    			' this is to avoid DDos Attacks with known User login ID
    			''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
                                '*****Code Changed From this line*****			
                                Dim objGenID 
                                Set objGenID =  Server.CreateObject("Commerce.GenID") '$PERF: store one in Application scope in GLOBAL.ASA, Application("MSCSAuthGenID")
    			 'Set objGenID =  Server.CreateObject("Commerce.GenID") '$PERF: store one in Application scope in GLOBAL.ASA, Application("MSCSAuthGenID")
    			 strGUID = objGenID.GenGUIDString
    			 objAuth.SetProperty 2, "guid", strGUID ' after setting Ticket
    			 strRetAsp = strRetAsp + "&guid="
    			 strRetAsp = strRetAsp + strGUID
                                '*****To this line*****			
    			''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    				
    			' Go to the Original requested ASP which is stored in cookie "MSCSFirstRequestedURL" Or Default page
    			if ((strRetAsp = "") Or IsNUll(strRetAsp)) then
    				strRetAsp = strSiteName & "/default.asp"
    				Response.Redirect strRetAsp
    			end if			
    			Response.Redirect strRetAsp
    		else
    			Response.Redirect "Login.asp"	' Incorrect password & redirect back to Login page
    		end if
    	else
    		' $WEB_FARM scenario: Logging onto a new server in WebFarm Or FT/FailOver scenario
    		if objAuth.IsAuthenticated(30) Then		' for Web-Farm scenario <valid-Auth-Ticket Exist, but not cached in Filter>
    			Dim strProfileUserID				' in case, if you are using UserProfileSvc
    
    			strUserID = objAuth.GetUserID(2)	' Get LoginID <only in case of AD-Site>, from AuthTicket
    			if (strUserID = "") or (IsNull(strUserID)) then
    				Response.Redirect "Login.asp"
    			end If
    			
    			' Get User-password: comment-out following line if you support ProfileSvc
    			strPassword = GetCurrentUserPassword(strUserID)
    
    			strRetAsp = Request.Cookies("MSCSFirstRequestedURL") ' get the requested URL
    			strRetAsp = strRetAsp + "&proxyuser="
    			strRetAsp = strRetAsp + strUserID
    			strRetAsp = strRetAsp + "&proxypwd="
    			strRetAsp = strRetAsp + strPassword
    			
    			strGUID = objAuth.GetProperty(2, "guid")	' if this exists, you need to pass this also on Query string
    	
    			If Not IsNull(strGUID) Then
    			 	strRetAsp = strRetAsp + "&guid="
    			 	strRetAsp = strRetAsp + strGUID
    			 End If
    
    			Response.Redirect strRetAsp
    		Else	' $FIRST_TIME_LOGIN: First time logging on to the site/web-farm scenario
    			PrintLogin
    		End If	
    	End if
    	
    	Set objAuth = Nothing
    %>
    
    <%
    ' GetCurrentUserPassword -- wrapper function for getting a user profile/pwd...
    Function GetCurrentUserPassword(ByVal strUserID)
    	Dim strPWD
    	Dim objMSCSProfileService, objMSCSProfileObj
    	
    	''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    	' $PASSWORD: start 
    	'	To get Clear-Text-Password:
    	''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    	'get the Login name from Domain\LoginName format: in case of Windows-Auth mode
    	' strProfileUser = split(strUserID, "\", -1, 1)
    	' strProfileUserID = strProfileUser(1)
    
    	' Get Profile Service stored in Application-Scope
    	Set objMSCSProfileService = Application("MSCSProfileService")
    
    	' Get UserProfileObj for the user already Logged in (webFarm)
    	Set objMSCSProfileObj = objMSCSProfileService.GetProfile(strUserID, "UserObject")	' GetUserProfileByLoginName(strUsername)
    	if (objMSCSProfileObj is nothing) then
    		Response.Redirect "Login.asp"
    	end if
    
    	' if password-available: in clear-text
    	strPWD = objMSCSProfileObj.Fields.Item("GeneralInfo").Value.Item("user_security_password") ' objMSCSProfileObj.Fields("GeneralInfo.user_security_password").Value
    	Set objMSCSProfileObj = Nothing
    	GetCurrentUserPassword = strPWD
    End Function
    %>
    
    <%Sub PrintLogin() %>
    <HTML>
    <HEAD>
    <TITLE>Login</TITLE>
    </HEAD>
    <BODY>
    <FORM NAME="frmLogin" ACTION="Login.asp" METHOD="GET">
    <br>
    <br>
    <br>
    <H2 ID=L_LoginForm_HTMLText>CS2K-LoginForm</H2><ID Id=L_EnterCredential_ErrorMessage>
    To access authenticated content, please enter your UserID & Password</ID>
    <br>
    <br>
    <br>
    
    <H3 ID=L_UserName_HTMLText>Username:<INPUT TYPE="text" NAME="txtUsername" SIZE=32 MAXLENGTH=32><br><ID ID=L_UserPassword_HTMLText>
    Password :</ID><INPUT TYPE="password" NAME="txtPassword" SIZE=32 MAXLENGTH=32></H3><br>
    <br>
    
    <INPUT type=HIDDEN name="realSubmit" value="fromButton">
    <p align="left">
    	<input type="submit" name="action" id=L_Submit_Button value="Submit">	
    	<input type="reset" name="action" id=L_Reset_Button value="Reset"> 
    </p>
    </FORM>
    
    <H4>
    <br>
    <br>
    <%
    REM SOLUTION SITES: Retail
    REM 	need to add own registration file under '\AuthFiles\' sub-Dir Or Copy ..\Retail\login\newuser.asp to '\AuthFiles\newuser.asp'
    REM 	in global.asa update: 	dictPages.NewUser = "AuthFiles/newuser.asp"
    REM		You can update this to POST, instead of default GET
    %>
    <A HRef="newuser.asp" ID=L_RegisterIf_HTMLText>Register if you are a new user	(solution sites: need to add own registration file under '\AuthFiles\' sub-Dir Or Copy ..\Retail\login\newuser.asp & update NewUser-File in Global.asa)</A>
    <br>
    </H4>
    
    </BODY>
    </HTML>
    <%end sub%>
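
The sample form above submits with METHOD="GET", and the redirect appends proxyuser and proxypwd to the URL, so those values travel in the query string. As an added example (not part of the original KB article), the following Python script scans W3C extended-format IIS logs for requests whose query string carries the password parameter names used by this Login.asp. The log lines are constructed, and the script assumes the cs-uri-query field is being logged.

```python
from urllib.parse import parse_qsl

# Password-bearing query parameters used by the Login.asp sample on this page.
SENSITIVE = {"txtpassword", "proxypwd"}

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-27 10:00:01 192.0.2.10 GET /Retail/default.asp - 302
2002-10-27 10:00:05 192.0.2.10 GET /Retail/AuthFiles/Login.asp txtUsername=alice&txtPassword=EXAMPLE1&realSubmit=fromButton&action=Submit 302
2002-10-27 10:00:06 192.0.2.10 GET /Retail/default.asp &proxyuser=DOMAIN%5CProxyUser&proxypwd=EXAMPLE2&guid=CONSTRUCTED 200
2002-10-27 10:00:09 192.0.2.11 GET /Retail/AuthFiles/Login.asp - 200
"""


def find_credential_hits(lines):
    """Return (line_no, uri_stem, [parameter names]) for every logged request
    whose query string contains a password parameter. Values are never returned."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or "cs-uri-query" not in fields:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue                        # malformed or truncated record
        rec = dict(zip(fields, cols))
        query = rec["cs-uri-query"]
        if query == "-":                    # IIS writes "-" for an empty field
            continue
        names = [k for k, _ in parse_qsl(query.lstrip("&?"), keep_blank_values=True)]
        found = sorted({n for n in names if n.lower() in SENSITIVE})
        if found:
            hits.append((no, rec.get("cs-uri-stem", "?"), found))
    return hits


if __name__ == "__main__":
    for line_no, stem, params in find_credential_hits(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {stem} carries {', '.join(params)} in the query string")
```
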
    					

Troubleshooting

If you see the Login page again after you type the credentials and submit the page, make sure that you have entered the credentials of the Web site user, and that the Proxy user account is in the "Domain\User" format.



Keywords: KB301277, kbhowtomaster, kbhowto


Article Info
Article ID : 301277
Revision : 2
Created on : 10/27/2002
Published on : 10/27/2002