It is strongly recommended that you follow the best practices listed in this topic in order to ensure a secure Commerce Server installation.
- If Commerce Server is installed with Windows Authentication, you can use AuthFilter only if you enable SQL Server authentication for the Administration database.
When you use AuthFilter in a Commerce Server deployment that uses Windows Authentication, you must change the connection string to the Administration database so that it uses SQL Server authentication. The reason is that ISAPI filters, and therefore AuthFilter, run in the security context of the IIS process (inetinfo), which is LocalSystem. When LocalSystem opens a connection to SQL Server on another computer, the only identity it can present on the network is the computer account (or no credentials at all on a computer that is not a domain member), which has no SQL Server login, so a Windows Authentication connection is refused. (If the Administration database were on the Web server itself, the local connection would succeed, but you should never locate the Administration database on the Web server.)
For instructions for using AuthFilter in this scenario, see Using Windows Authentication in a Distributed Deployment.
- Use AuthFilter in Windows Authentication mode to support single sign-on in a Web farm/multi-domain environment.
In a Web farm, AuthFilter enables a user who has authenticated on one server to access the site on another server without resubmitting login credentials.
Note
However, with non-sticky sessions a request sent with the Post method may be redirected to a different server in the farm. The browser follows that redirection with a Get request, so the form fields carried in the Post body are discarded and the login fails. Use the Post method only with sticky sessions. If you use non-sticky sessions, always use the Get method together with SSL (HTTPS), because the form fields then travel in the query string and must be protected in transit; keep in mind that, unlike a Post body, a query string can also be recorded in Web server logs and browser history. For more information, see Authenticating Users in a Web Farm.
- After making a change to the AuthFiles folder (such as renaming the folder), or changing any files in the folder, check the security setting for the AuthFiles folder.
After you change the AuthFiles folder, use Internet Services Manager to open the virtual directory for the site and verify that anonymous access is still enabled on it. The login and logout pages in this folder must be reachable by users who have not yet authenticated, so if anonymous access has been turned off, those pages cannot be served.
To set the property to anonymous access
- In Internet Services Manager, right-click AuthFiles, and then click Properties.
- On the Directory Security tab, in the Anonymous access and authentication control section, click Edit.
- Verify Anonymous access is selected, and then click OK.
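The same check can be scripted against the IIS metabase, which is useful after renaming or redeploying the AuthFiles folder on several Web servers. The script below is an added example, not part of the Commerce Server documentation or product. It assumes IIS 5.0 on the local computer, Web site instance 1, and a virtual directory named AuthFiles directly under the site root; change the metabase path if your deployment differs. It reads the AuthFlags metabase property (bit 1 is anonymous access, bit 2 Basic, bit 4 Integrated Windows authentication) and restores the anonymous bit if it is missing.

```vbscript
' Added example (not from the Commerce Server documentation): verify, and if
' necessary restore, anonymous access on the AuthFiles virtual directory.
' Assumptions: IIS 5.0, local computer, Web site instance 1, vdir "AuthFiles".
' Run with: cscript CheckAuthFiles.vbs
Option Explicit

Const MD_AUTH_ANONYMOUS = 1   ' AuthFlags bit: anonymous access
Const MD_AUTH_BASIC     = 2   ' AuthFlags bit: Basic authentication
Const MD_AUTH_NT        = 4   ' AuthFlags bit: Integrated Windows authentication

Dim metabasePath, vdir, flags
metabasePath = "IIS://localhost/W3SVC/1/Root/AuthFiles"   ' assumption: site 1, vdir AuthFiles

On Error Resume Next
Set vdir = GetObject(metabasePath)
If Err.Number <> 0 Then
    WScript.Echo "Cannot open " & metabasePath & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

flags = vdir.AuthFlags
WScript.Echo "Current AuthFlags = " & flags & " (" & DescribeAuth(flags) & ")"

If (flags And MD_AUTH_ANONYMOUS) = 0 Then
    ' The login and logout pages here must be reachable before a user has
    ' authenticated, so the anonymous bit is required; keep any other bits.
    vdir.AuthFlags = flags Or MD_AUTH_ANONYMOUS
    vdir.SetInfo
    WScript.Echo "Anonymous access was missing on AuthFiles; it has been re-enabled."
Else
    WScript.Echo "Anonymous access is enabled on AuthFiles."
End If

' Render the AuthFlags bit mask as the names shown on the Directory Security tab.
Function DescribeAuth(f)
    Dim parts
    parts = ""
    If (f And MD_AUTH_ANONYMOUS) Then parts = parts & "Anonymous "
    If (f And MD_AUTH_BASIC) Then parts = parts & "Basic "
    If (f And MD_AUTH_NT) Then parts = parts & "Integrated "
    If parts = "" Then parts = "none"
    DescribeAuth = Trim(parts)
End Function
```

Run the script in an account that can write to the metabase (an administrator on the Web server). Because the script only adds the anonymous bit and leaves any other authentication bits in place, it does not loosen a directory that was deliberately configured with additional methods; review the printed flags before and after the change on each server.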
- To track both authenticated users and anonymous users visiting your site, use AuthFilter in mixed mode (Windows Authentication mode or Custom Authentication mode together with Autocookie mode).
You can serve some content only to authenticated users and other content to anonymous users. Anonymous users can then browse your site while you track their browsing habits.
When you use Custom Authentication mode, users must register and therefore access your site as authenticated users. AuthFilter secures every file in the virtual directory it protects by allowing only authenticated users to access them; you cannot configure a single virtual directory to serve both authenticated and anonymous content at the same time.
After the Login page validates the user's credentials, all content and pages execute in the context of the Microsoft Internet Information Services (IIS) 5.0 anonymous account, which is IUSR_computername by default, where computername is the name of the computer that hosts your site. NTFS permissions on the protected content are therefore evaluated against that one account rather than against the individual user; the restriction to authenticated users is enforced by AuthFilter, not by file ACLs.
To maintain content that is accessible to anonymous users
- Add a link on the Login page. Users who are not registered and who do not want to register can reach the anonymous content by clicking that link.
- Point that link at a separate virtual directory, not at the protected virtual directory. The anonymous virtual directory cannot be nested inside the protected virtual directory, because AuthFilter would then require authentication for it as well.
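The following script creates such a sibling virtual directory for the anonymous content and refuses the two nesting mistakes the procedure warns against: a name that places the new directory beneath the protected one in the metabase, and a physical folder that lies inside the protected site's folder. It is an added example, not code from the Commerce Server documentation or product. The metabase path, the protected virtual directory name Retail, the new directory name PublicContent and the physical folder D:\Sites\PublicContent are all assumptions; substitute your own values.

```vbscript
' Added example (not from the Commerce Server documentation): create a sibling
' virtual directory for anonymous content next to an AuthFilter-protected one
' and verify that it is not nested under it, in the metabase or on disk.
' All names and paths below are assumptions.
Option Explicit

Const MD_AUTH_ANONYMOUS = 1   ' AuthFlags bit: anonymous access

Dim siteRoot, protectedName, anonName, anonPhysicalPath
siteRoot         = "IIS://localhost/W3SVC/1/Root"   ' assumption: Web site instance 1
protectedName    = "Retail"                         ' assumption: AuthFilter-protected vdir
anonName         = "PublicContent"                  ' assumption: anonymous vdir name
anonPhysicalPath = "D:\Sites\PublicContent"         ' assumption: its physical folder

Dim root, protectedVdir, protectedPath, anonVdir

' A name containing a path separator would create the directory beneath an
' existing one (for example "Retail/Public"), so reject it outright.
If InStr(anonName, "/") > 0 Or InStr(anonName, "\") > 0 Then
    WScript.Echo "The anonymous virtual directory must be a sibling of " & protectedName & ", not nested under it."
    WScript.Quit 1
End If

Set root = GetObject(siteRoot)
Set protectedVdir = GetObject(siteRoot & "/" & protectedName)
protectedPath = protectedVdir.Path
If Right(protectedPath, 1) = "\" Then protectedPath = Left(protectedPath, Len(protectedPath) - 1)

' The physical folder must not lie inside the protected site's folder either;
' otherwise the protected and anonymous content overlap on disk.
If Left(LCase(anonPhysicalPath) & "\", Len(protectedPath) + 1) = LCase(protectedPath) & "\" Then
    WScript.Echo "Folder " & anonPhysicalPath & " is inside " & protectedPath & "; choose a separate folder."
    WScript.Quit 1
End If

Set anonVdir = root.Create("IIsWebVirtualDir", anonName)
anonVdir.Path         = anonPhysicalPath
anonVdir.AccessRead   = True
anonVdir.AccessScript = True               ' ASP pages are allowed
anonVdir.AuthFlags    = MD_AUTH_ANONYMOUS  ' anonymous access only
anonVdir.SetInfo

WScript.Echo "Created " & siteRoot & "/" & anonName & " -> " & anonPhysicalPath & " with anonymous access."
```

The link on the Login page then points at /PublicContent (under the assumed name), and AuthFilter continues to protect only the Retail virtual directory. The physical-path check compares lower-cased paths with a trailing backslash appended so that a folder named D:\Sites\RetailExtra is correctly treated as separate from D:\Sites\Retail.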
- Specify SSL/HTTPS for login pages when using AuthFilter.
To specify SSL/HTTPS for login pages, when using AuthFilter, use the CS Authentication Login Form property. You must specify the full path to the Login.asp page, for example, https://www.microsoft.com/authfilter/login.asp. For instructions about setting the Login Form property, see Configuring the CS Authentication Resource.
If you are using AuthManager instead, you do not configure the Login Form property. Use Commerce Server Manager to configure two application properties: Enable HTTPS and Secure host name. These two properties apply only to AuthManager; AuthFilter ignores them, which is why the Login Form property must carry the full https:// URL. For instructions about setting these properties, see Configuring an Application.
- You cannot use host headers in a deployment of multiple sites that implement AuthFilter.
IIS does not support host headers with SSL, because the host header is inside the encrypted request and cannot be read until the SSL session, and therefore the certificate, has already been selected. AuthFilter requires SSL when login credentials are passed to the server, so each AuthFilter-protected site must be distinguished by its own IP address or port and must have its own certificate rather than by a host header.
- Use SSL with AuthFilter, Active Directory, and ACLs, rather than using mutual authentication with client certificates.
With mutual authentication, the client verifies the identity of your server using certificates. Likewise, your server verifies the identity of clients using certificates. However, using certificates to validate users requires an investment in public key infrastructure, such as certificates, certificate servers, and a certificate authority. Additionally, verifying certificates requires additional server resources, such as CPU time. It is easier to use SSL with AuthFilter, Active Directory, and Access Control Lists (ACLs), than to configure your system to issue and verify certificates. For more information about certificates, see the IIS online documentation.
- When adding multiple Commerce sites (protected by AuthFilter) on a single Web server, unpack each Commerce site to a separate directory.
Do not install one Commerce site in a subdirectory of another site. Several sites can share a parent virtual directory as long as each site is unpacked into its own sibling directory beneath it, not inside another site's directory.
- When using AuthFilter, all Commerce sites must have dissimilar names.
For example, do not name one site "Retail" and another "retail2", where the first name is a prefix of the second (compared without regard to case). Such names may cause IIS to send cookies issued for one site to the other.