Internet Information Services 6.0 URL Authorization

Applies To: Windows Server 2003 with SP1

Internet Information Services (IIS) 6.0, which comes with the Windows Server 2003 family, integrates with Authorization Manager to implement IIS 6.0 URL authorization. This provides Web application administrators with the ability to control access to URLs based on custom user roles, LDAP queries, and BizRules.

Authorizing user access to Web pages in IIS can require management of many DACLs on the resources used by Web applications. Resources for Web applications may include Web page files, database records, registry keys, and so on. Maintaining DACLs requires administrators to know precisely what back-end permissions are needed on each object to perform meaningful tasks in the Web application. IIS 6.0 URL authorization simplifies access management by authorizing user access to the URLs that comprise a Web application. When a client requests a URL, IIS 6.0 URL authorization validates the user's access based on the user's roles, so administrators control all user access at the URL level instead of through each DACL on each object. The Web application can further restrict access to resources and operations by using the Authorization Manager role-based framework.

IIS 6.0 URL authorization is implemented as an ISAPI interceptor .dll, which is configured as a wildcard extension for an application, virtual directory, or URL. When an application, virtual directory, or URL is configured to use IIS 6.0 URL authorization, each request to a URL is routed to the URL authorization ISAPI interceptor. The IIS 6.0 URL authorization ISAPI interceptor will use the Authorization Manager runtime to authorize access to the requested URL. To do this, the URL (application, virtual directory, or single URL) must be associated with an Authorization Manager policy store that contains the authorization policy for the URL. Once the client has been authorized to access the URL, the IIS 6.0 URL Authorization ISAPI passes the request to the appropriate handler for the URL, such as ASP, ASP.NET ISAPIs, or the static file handler.

Figure 6: IIS URL authorization


Using IIS 6.0 URL authorization, an administrator can control access to URLs based on information that is only available at runtime. For example, if you had a Web page that is only viewable by employees in a given cost center or by employees of a certain age, you can assign roles to the correct users based on LDAP queries that check the cost center or age attributes on a user's object. If employees can only access certain pages on certain days of the week or during a certain time of day, a BizRule can be created that grants access to the URL based on these values or on any value that can be asserted at runtime, including IIS server variables.
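The day-of-week and time-of-day rule described above, as an added example written in JScript (one of the languages an Authorization Manager BizRule can be written in); this is not code from the original page. It assumes that IIS URL authorization hands the HTTPS server variable to the rule as a BizRule parameter named HTTPS, and that the script is attached as the authorization rule of a task or role definition in the IIS 6.0 URL Authorization application. The functions are kept ES3-compatible so the same file runs under the AzMan script engine and under Node:

```javascript
// Added example, not from the original page: an Authorization Manager
// BizRule in JScript that grants the AccessURL operation only on weekdays
// between 08:00 and 18:00 server-local time, and only over HTTPS.

// Returns true when the given Date falls on a weekday inside business hours.
function isWithinBusinessHours(d) {
  var day = d.getDay();            // 0 = Sunday ... 6 = Saturday
  if (day === 0 || day === 6) {
    return false;
  }
  var hour = d.getHours();
  return hour >= 8 && hour < 18;   // 08:00 inclusive, 18:00 exclusive
}

// Decides the BizRule result. `now` is the evaluation time; `serverVars` is
// an object holding IIS server variables the rule may consult. ASSUMPTION:
// URL authorization exposes them as BizRule parameters keyed by their usual
// names, here "HTTPS". The rule fails closed: anything unexpected denies.
function evaluateUrlRule(now, serverVars) {
  if (!isWithinBusinessHours(now)) {
    return false;
  }
  var https = serverVars && serverVars.HTTPS ? String(serverVars.HTTPS) : "";
  if (https.toLowerCase() !== "on") {
    return false;                  // only grant TLS-protected requests
  }
  return true;
}

// Reads one BizRule parameter, returning "" if it was not supplied.
function readParameter(ctx, name) {
  try {
    return ctx.GetParameter(name);
  } catch (e) {
    return "";
  }
}

// BizRule entry point. AzMan runs the script at top level with the
// AzBizRuleContext object predefined and reads BusinessRuleResult when the
// script finishes. Under Node there is no AzBizRuleContext, so this block is
// skipped and only the functions above are loaded.
if (typeof AzBizRuleContext !== "undefined") {
  var vars = { HTTPS: readParameter(AzBizRuleContext, "HTTPS") };
  AzBizRuleContext.BusinessRuleResult = evaluateUrlRule(new Date(), vars);
}
```

Because BizRules are evaluated on every access check, the rule deliberately avoids any lookup that could block (no LDAP or database calls) and treats a missing parameter as a denial rather than a grant.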

Setting up IIS 6.0 URL authorization

To use IIS 6.0 URL authorization, set the following metabase attributes on the application, virtual directory, or URL:

  • AzEnable. Enables URL authorization for the virtual directory, application, or URL that corresponds to the entry in the metabase.

  • AzStoreName. Associates an Authorization Manager store with the virtual directory, application, or URL.

  • AzScopeName. Associates the virtual directory, application, or URL with a scope. This scope will be the name of a scope in the IIS 6.0 URL authorization application in the Authorization Manager policy store that the AzStoreName attribute refers to. If it specifies either an empty string or no scope at all, the default scope of the IIS 6.0 URL authorization is used.

  • AzImpersonationLevel. Determines the impersonation behavior for the application. This allows you to configure the Web application to impersonate the client user, the IIS worker process, or the IUSR_* anonymous account for the worker process. Each setting significantly changes the environment and implied design of the Web application. Set the value to 0, 1 or 2, corresponding to the desired impersonation style.

    0 The authenticated client is impersonated. Use this setting for applications that expect to run while impersonating the client, such as ASP 2.0 applications.

    1 The IIS worker process identity is impersonated. This is used when the application runs as a service account, authorizes each client request itself, and performs requested operations on behalf of the client in the trusted service context. For more information, see Trusted subsystem application model, earlier in this paper.

    2 The anonymous user account is impersonated. This allows you to use URL authorization to authorize the client's access to the URL while still running the Web application as the anonymous account, which limits everything the client can do through the Web application.

The following script uses ADSI to set these properties on the IIS metabase entry for an application, virtual directory, or URL.

'  SetUrlAuth.vbs
'  Configuring UrlAuth with a Vdir.
'  This script uses ADSI to configure a vdir in the IIS 6.0 metabase to use
'  IIS 6.0 URL authorization.
'
'  This script assumes that the IIS vdir corresponding to the application has
'  already been created.
'
'  After running this script, verify the settings by using the Adsutil tool
'  like so:
'
'  inetpub\adminscripts\adsutil enum w3svc/1/root/MyApp
'  (where MyApp is the app name)
'
'  Use the Authorization Manager MMC snap-in to do the following:
'     Create an application called "IIS 6.0 URL Authorization"
'     Create an operation called "AccessURL" with an operation ID of 1
'     Create a scope corresponding to the AzScopeName specified to this script.
'       This scope name will be used to manage access to URLs in this Vdir
'     Make sure that the IIS worker process has read access to the
'       AzMan policy store. You can do this using the AzMan UI (right-click
'       the store, select Options, and then click the Security tab).

Option Explicit
Dim objArgs, iis

Set objArgs = WScript.Arguments
If objArgs.Count < 4 Then
  WScript.Echo "Usage: SetUrlAuth VDirPath AzScopeName AzStoreName AzEnable [ImpersonationLevel]"
  WScript.Echo ""
  WScript.Echo "Example:"
  WScript.Echo "  SetUrlAuth w3svc/1/root/MyApp MyApp msxml://d:\inetpub\wwwroot\AzStore.xml True 1"
  WScript.Echo ""
  WScript.Echo "Run with 'cscript' command in cmd.exe to avoid msg boxes"
Else
  WScript.Echo objArgs(0)
  '
  ' Get interface to the Vdir object
  '
  Set iis = GetObject("IIS://localhost/" & objArgs(0))
  '
  ' Set scope name - this scope will preside over URLs referring to this vdir.
  ' This scope must exist in the corresponding Authorization Manager store.
  '
  iis.AzScopeName = objArgs(1)
  '
  ' Specify location of Authorization Manager policy store
  ' (prefix msxml:// for an .xml file, msldap:// for Active Directory)
  '
  iis.AzStoreName = objArgs(2)
  '
  ' Enable urlauth for this Vdir. The argument arrives as a string
  ' ("True"/"False"), so convert it to the Boolean the attribute expects.
  '
  iis.AzEnable = CBool(objArgs(3))
  '
  ' Set Impersonation Level (0 = client, 1 = worker process, 2 = anonymous)
  '
  If objArgs.Count > 4 Then
    iis.AzImpersonationLevel = CLng(objArgs(4))
  End If
  '
  ' Write settings to Metabase
  '
  iis.SetInfo
End If

When a Web page is requested, URL authorization checks the Authorization Manager authorization policy to determine whether the client is allowed to access the URL. The URL data (such as an .htm file) is then retrieved in the security context configured by the AzImpersonationLevel attribute, so that context requires the correct IIS directory security and NTFS permissions. IIS URL authorization allows the IIS directory security and NTFS permissions to be more easily maintained using the trusted subsystem model. For more information, see "Trusted Subsystem Application Model," earlier in this paper.

When IIS 6.0 URL authorization is configured, you can identify the Authorization Manager policy store by the AzStoreName attribute in the IIS metabase entry for the application, virtual directory, or URL. To manage the authorization policy, use the following procedure.

  1. Click the Start button, click Run, type Azman.msc, and then press ENTER.

  2. In the console tree, right-click Authorization Manager, and then click Open Authorization Store.

  3. In Store Name, type the path to the authorization store location, which is identified by the AzStoreName attribute, and then click OK.

For more information about opening an authorization store, see Authorization stores and applications in the Authorization Manager MMC Help.

IIS 6.0 URL authorization for this store is managed with the IIS 6.0 URL Authorization application. The AzScopeName attribute in the metabase entry will be an Authorization Manager scope in the IIS 6.0 URL Authorization application. Use this scope to manage access to the corresponding URL. When configuring an application, virtual directory, or URL for URL authorization, a scope must be created in the authorization policy store with the same name as that specified in the corresponding metabase entry's AzScopeName attribute.

The following figure shows the Authorization Manager MMC with an authorization policy store that is used to manage access to a Web Expense application and Web Application 2. This store also contains authorization policy for these applications.

Figure 7: Authorization Manager managing two Web applications


Authorization policy for IIS 6.0 URL authorization is stored in an Authorization Manager policy store in either Active Directory or in an .xml file. IIS 6.0 URL authorization allows the authorization policy for URLs to be maintained in the same authorization policy store as that of Web applications that use Authorization Manager to control access to application tasks and operations. Maintaining the authorization policy in the same store allows administrators to manage access to URLs and Web application resources from the same Authorization Manager MMC or custom user interface. This provides a common point of access control administration for URLs and applications and allows for the same Authorization Manager groups and LDAP queries to be used to populate roles for both URL authorization and application authorization.

Configuring IIS 6.0 URL Authorization Step by Step

The following steps set up IIS 6.0 URL Authorization for a Web application called WebApp, which is installed and configured in IIS as an application in the Systemroot\InetPub\WWWroot\WebApp folder:

Note

Integrated Windows Authentication is required for URLs using IIS URL Authorization. By default, IIS Web applications and virtual directories enable Integrated Windows Authentication. For information about configuring Integrated Windows Authentication, see Integrated Windows Authentication in Internet Information Services online Help.

Set up IIS: Create your application folder under Default Web Site, and then disable anonymous access to the site.

  1. Click Start, click Run, type %systemroot%\System32\InetSrv\IIS.msc, and then press ENTER.

    You can also click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, double-click Internet Information Services, double-click the computer name, double-click Web Sites, double-click Default Web Site, right-click the folder corresponding to your Web application, click Properties, and then click Create.

  3. Click the Directory Security tab and then, in Authentication and Access Control, click Edit.

  4. Confirm that the Enable Anonymous Access check box is cleared, confirm that the Integrated Windows Authentication check box is selected, click OK, and then click OK again.

Set wildcard configuration properties to point to URLAuth.dll

  1. In Internet Information Services (IIS) Manager, right-click the folder for the Web application which you created, click Properties, and then click Configuration.

  2. In Wildcard application maps (order of implementation), click Insert.

  3. In Add/Edit Application Extension Mapping, click Browse and, in Files of type, select All files (*.*).

  4. Browse to the Systemroot\System32\InetSrv folder.

  5. Click URLAuth.dll, click Open, click OK, click OK, and then click OK again.

    If you get an error saying "This executable path is already used," then URLAuth.dll is already configured as a wildcard application extension mapping.

Add URLAuth.dll as a new Web service extension

  1. In the console tree, double-click Internet Information Services, double-click the computer name, and then click Web Service Extensions.

  2. In the details pane, click Add a new Web service extension.

  3. Click Add, click Browse, browse to Systemroot\System32\InetSrv\, click URLAuth.dll, click Open, and then click OK.

  4. In Extension Name, type URL Authorization.

  5. Select the Set extension status to Allowed check box, and then click OK.

Set up an authorization policy store in Authorization Manager

  1. Click the Start button, click Run, type Azman.msc, and then press ENTER.

  2. In the console tree, right-click Authorization Manager, and then click Options.

  3. Confirm that Developer mode is selected, and then click OK.

    Now we will create a new store. For this example, we will put the store in C:\ and name the store "MyStore.xml."

  4. In the console tree, right-click Authorization Manager and click New Authorization Store.

  5. Click XML file and, in Store name, type C:\MyStore.xml.

  6. (Optional) In Description, type information about the new store.

  7. Click OK.

  8. In the console tree, right-click MyStore.xml and click New Application.

  9. In New Application, in Name, type IIS 6.0 URL Authorization.

  10. (Optional) In Description, type information about this usage of IIS URL Authorization.

  11. Click OK.

  12. In the console tree, double-click Authorization Manager, double-click the store name, double-click the application name, double-click Definitions, right-click Operation Definitions, and then click New Operation Definition.

  13. In New Operation Definition, in Name, type AccessURL, and then, in Operation number, type 1.

Set up the scope for the application

  1. In the console tree, right-click IIS 6.0 URL Authorization, and then click New Scope.

  2. In Name, type WebApp, and then click OK.

  3. In the console tree, double-click IIS 6.0 URL Authorization, double-click Definitions, right-click Role Definitions, and then click New Role Definition.

    This role definition could also be created in the WebApp scope.

  4. In Name, type Viewer, and then click OK.

  5. In the console tree, double-click Role Definitions.

  6. In the details pane, right-click Viewer, and then click Properties.

  7. Click the Definition tab, click Add, and then click the Operations tab.

  8. Select the AccessURL check box, click OK, and then click OK again.

  9. In the console tree, under IIS 6.0 URL Authorization, under WebApp, right-click Role Assignments, and then click Assign Roles.

  10. Select the Viewer check box, and then click OK.

  11. In the details pane, right-click the role assignment you created above, and then click Assign Windows Users and Groups.

  12. In Enter the object names to select (examples), type your user name, and then click OK.

Add the IIS worker process to the store's Readers role

By default, IIS runs in the Network Service account. You can configure an IIS worker process to run in a different account. For this sample, we will add Network Service to the Readers role.

Note

If you use a remote authorization store (such as Active Directory or a remote XML-file-based store) and run IIS in the default Network Service context, then the Active Directory computer account of the Web server running IIS must be added to the store's Readers role.

Add the IIS worker process to the store's Readers role

  1. If the Authorization Manager MMC is not already open, click Start, click Run, type Azman.msc, and then press ENTER.

  2. In the console tree, right-click Authorization Manager, click Open Authorization Store, click Browse, click C:\MyStore.xml (which, for this example, is the store you want to work with), click OK, and then click OK again.

  3. In the console tree, right-click the name of the store, and then click Properties.

  4. Click the Security tab and, in the Authorization manager user role list, click Reader, and then click Add.

  5. In the Enter the object names to select (examples) box, type Network Service, click OK, and then click OK again.

Configure the IIS Metabase to use URL Authorization for the Web Application

  1. Click Start, click Run, type Cmd, and press ENTER.

  2. Use the above script to create the SetUrlAuth.vbs file, and save the file to the \InetPub\AdminScripts directory. (By default, the InetPub directory is in the root of the drive on which IIS is installed.)

  3. Type the following command, and then press ENTER:

    CScript SetUrlAuth.vbs VDirPath AuthMgrScopeName AuthMgrStoreName Enabled ImpersonationLevel

    For example, you might type the following:

    Cscript SetUrlAuth.vbs W3svc\1\Root\WebApp WebApp msxml://C:\MyStore.xml true 1

    Now, IIS URL Authorization should be configured and running for the specified Web application. Users who are in the Viewer role should be able to browse to the pages within the application.

Important

You must prefix the store name with msxml:// if you are using an .xml file, or with msldap:// if you are using the Active Directory Authorization Manager store.
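As an added example (not part of the original document), the following JScript checks a set of Az* attribute values for the mistakes this section warns about: an AzStoreName that lacks the msxml:// or msldap:// prefix, an AzEnable that is neither True nor False, and an AzImpersonationLevel that is not 0, 1 or 2. Run under cscript on the IIS server, the guarded block at the end reads the live values of the metabase path given as its first argument through ADSI; the default path w3svc/1/root/WebApp, the function names and the exact wording of the messages are this example's own, not part of IIS or Authorization Manager:

```javascript
// Added example, not from the original page: consistency checks for the
// four IIS 6.0 URL authorization metabase attributes. Written as ES3-style
// JScript so the pure checks run under Node and the whole file runs under
// cscript (where WScript and GetObject exist).

// Identity impersonated for each AzImpersonationLevel value, per the text.
var IMPERSONATION = {
  0: "authenticated client",
  1: "IIS worker process identity",
  2: "anonymous user account"
};

// Returns the impersonated identity for a level, or null if the level is
// absent or not one of 0, 1, 2. Number("") would be 0, so blanks are
// rejected before conversion.
function impersonationTarget(level) {
  if (level === undefined || level === null || String(level) === "") {
    return null;
  }
  var n = Number(level);
  return IMPERSONATION.hasOwnProperty(n) ? IMPERSONATION[n] : null;
}

// Returns an array of problem strings; an empty array means the settings are
// consistent. `s` carries AzEnable, AzStoreName, AzScopeName and
// AzImpersonationLevel as read from (or about to be written to) the metabase.
// An empty AzScopeName is legal: it selects the application's default scope.
function validateUrlAuthSettings(s) {
  var problems = [];
  var enable = String(s.AzEnable).toLowerCase();
  if (enable !== "true" && enable !== "false") {
    problems.push("AzEnable must be True or False, got '" + s.AzEnable + "'");
  }
  if (enable === "true") {
    var store = s.AzStoreName ? String(s.AzStoreName) : "";
    if (store === "") {
      problems.push("AzStoreName is empty but AzEnable is True");
    } else if (!/^msxml:\/\//i.test(store) && !/^msldap:\/\//i.test(store)) {
      problems.push("AzStoreName '" + store +
        "' must start with msxml:// (XML file) or msldap:// (Active Directory)");
    }
  }
  var level = s.AzImpersonationLevel;
  if (level !== undefined && level !== null && String(level) !== "" &&
      impersonationTarget(level) === null) {
    problems.push("AzImpersonationLevel must be 0, 1 or 2, got '" + level + "'");
  }
  return problems;
}

// Under cscript: read the live attributes through ADSI and report. Under
// Node neither WScript nor GetObject exists, so this block is skipped.
if (typeof WScript !== "undefined" && typeof GetObject !== "undefined") {
  var path = WScript.Arguments.length > 0 ? WScript.Arguments(0) : "w3svc/1/root/WebApp";
  var vdir = GetObject("IIS://localhost/" + path);
  var live = {
    AzEnable: vdir.AzEnable,
    AzStoreName: vdir.AzStoreName,
    AzScopeName: vdir.AzScopeName,
    AzImpersonationLevel: vdir.AzImpersonationLevel
  };
  WScript.Echo(path + ": AzEnable=" + live.AzEnable + " AzStoreName=" + live.AzStoreName +
    " AzScopeName=" + (live.AzScopeName || "(default scope)") +
    " impersonates=" + (impersonationTarget(live.AzImpersonationLevel) || "(not set)"));
  var found = validateUrlAuthSettings(live);
  for (var i = 0; i < found.length; i++) {
    WScript.Echo("PROBLEM: " + found[i]);
  }
}
```

Run it as `cscript CheckUrlAuth.js w3svc/1/root/WebApp` after SetUrlAuth.vbs; a clean run prints the attribute summary and no PROBLEM lines.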