Authentication
AuthFilter is implemented as an Internet Information Services (IIS) 5.0 Internet Server Application Programming Interface (ISAPI) filter. It calls the AuthManager object to obtain configuration information at initialization time from the Administration database (including authentication mode parameters and the encryption key). The only dependency for the AuthFilter is the Administration database.
When a user accesses a site with multiple Web servers, the request is directed to a particular server based on load balancing or a round-robin algorithm. When the request arrives at the server, the user is asked to log in.
If you are using the Active Directory directory service for authentication, the login is cached by the ISAPI filter and is specific to that server. Commerce Server also places a ticket cookie containing the user ID onto the client server.
To enable users to be seamlessly redirected to other Web servers in the cluster, you must ensure that sufficient information can be passed to the ISAPI filter on the other servers so that the user can be logged in. You must write custom code to hide this process from the user. To write the custom code, do the following:
Extend the Profiles store to store the password.
Capture the password in the Profiles store during login or site registration.
Modify the site registration or login page to check for the presence of the ticket cookie.
If the cookie exists, use the MSCSAuthManager object to get the user ID from the cookie and retrieve the user name and password from the Profiles store, then pass the user name and password back to the ISAPI filter.
To operate in a load-balanced cluster, you must store the passwords with reversible encryption. Because passwords are captured on the login page and written to the Profiles store, the login page also captures password changes. However, if Active Directory tools are used to change a password during a browser session, the user will be prompted for login and the new password will be captured.
Note
- You can address the previous authentication issue by deploying Application Center Request Forwarder, which can forward the request prior to authentication being assessed, and can then forward the user to the server that will recognize that user.
Copyright © 2005 Microsoft Corporation.
All rights reserved.