- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
- <HTML>
- <HEAD>
- <!--META TAGS ARE RECOMMENDED FOR THE SEARCH ENGINE-->
- <META NAME="DESCRIPTION" Content="How It Works Page">
- <META NAME="KEYWORDS" CONTENT="help, code, source code, questions, explanation">
- <META NAME="GENERATOR" CONTENT="Microsoft Visual InterDev 1.0">
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso8859-1">
- <!--END META TAGS-->
-
- <TITLE>How This Page Works</TITLE>
- </HEAD>
-
- <BODY BGCOLOR=#FFFFFF TOPMARGIN=0 LEFTMARGIN=0 ALINK=#23238E VLINK=#808080 LINK=#FFCC00>
- <BASEFONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=2>
-
- <!--Change link color on mouseover
- Only if running Internet Explorer 4.0 or later -->
- <!--#include file=../libHighlight.inc-->
-
- <!--BEGIN TOP TABLE HOLDING GRAPHIC, NAVIGATIONAL LINK, AND MAIN CONTENT-->
- <TABLE WIDTH="100%" HEIGHT="100%" CELLPADDING=0 CELLSPACING=0 BGCOLOR="#000000" BORDER=0>
- <TR>
- <TD BGCOLOR="#000000" ALIGN=CENTER VALIGN=TOP WIDTH=170>
- <BR>
- <IMG SRC="../images/btslarge.jpg" HEIGHT=119 WIDTH=171 ALT="Behind the Scenes at Exploration Air" BORDER=0>
- <BR>
- <BR>
- <BR>
- <!--BACK BUTTON AND VARIABLE TO RETURN TO ORIGINATING PAGE (referer is HTML-encoded before it is written into the attribute)-->
- <A HREF="<%=Server.HTMLEncode(Request.ServerVariables("HTTP_REFERER"))%>"><IMG SRC="../images/barrowy.gif" HEIGHT=8 WIDTH=8 ALT="Return to Previous Page" BORDER=0></A>
- <FONT SIZE=2 FACE="VERDANA, ARIAL, HELVETICA"><STRONG>
- <A HREF="<%=Server.HTMLEncode(Request.ServerVariables("HTTP_REFERER"))%>">
- B A C K </A>
- </STRONG></FONT>
- <BR>
- <BR>
- <!--JAVASCRIPT TO VIEW PAGE'S SOURCE CODE-->
- <A HREF="JavaScript:openWindow('../SiteAdmin/Default.asp')">View Source</A>
- <BR>
- </TD>
-
- <TD BGCOLOR="#FFFFFF" BACKGROUND="../images/btsbg.gif" VALIGN=top>
- <BR CLEAR=ALL>
- <TABLE WIDTH="100%" CELLPADDING=10 CELLSPACING=0 BORDER=0>
- <TR>
- <TD VALIGN=top>
- <FONT FACE="VERDANA, ARIAL, HELVETICA" COLOR="#0000FF" SIZE=5>How The Site Administration Page Works</FONT>
- <HR>
- <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE="2">
- <H2>Functional Overview</H2>
- The Site Administration page allows an administrator to set security properties for the Exploration Air sample site.
- The possible settings relate to authentication and use of the Secure Sockets Layer protocol (SSL).
- <P>
- Changes are made by simply filling out a form and the results are posted back to <STRONG>default.asp</STRONG>
- where the form data is analyzed and used to set the properties.
- <P>
- Four areas of the site are affected:
- <DIR>
- <LI>Site Administration</LI>
- <LI>Benefits</LI>
- <LI>Frequent Flyer</LI>
- <LI>Business Partners</LI>
- </DIR>
-
- Site Administration and Benefits are affected as one administrative unit as they are both intranet scenarios.
- The only setting is whether anonymous access is allowed or not. By default the site should use
- Windows NT Challenge/Response authentication as it is the most secure.
- <P>
- As Frequent Flyer and Business Partners are Internet scenarios, some form of privacy, tamper resistance
- and/or authentication is required. Internet Information Server supports these features by using SSL.
- SSL provides privacy through data encryption, tamper resistance through message digests and authentication
- through certificates. The following table explains this in greater detail:
- <P>
- <CENTER>
- <TABLE ALIGN=CENTER BORDER=1 CELLPADDING=5 WIDTH=90%>
- <TR>
- <TH BGCOLOR="#C0C0C0">SSL Feature</TH>
- <TH BGCOLOR="#C0C0C0">Comment</TH>
- </TR>
- <TR>
- <TD ALIGN=CENTER><I>Privacy</I></TD>
- <TD>
- SSL supports automatic data encryption. Scrambling the data as it passes between the browser and the
- server reduces the possibility of an eavesdropper working out what is being sent.
- </TD>
- </TR>
- <TR>
- <TD ALIGN=CENTER><I>Tamper Resistance</I></TD>
- <TD>
- SSL supports tamper resistance by using message digests. A message digest is a complex checksum of the
- data. SSL generates a message digest of the data prior to sending, then recalculates the message digest
- of the data on receipt. If the data has changed (through tampering or communication failure),
- the checksum will be different and SSL will reject the data.
- </TD>
- </TR>
- <TR>
- <TD ALIGN=CENTER><I>Authentication</I></TD>
- <TD>
- SSL can verify a server using Server Certificates and can verify a client using
- Client Authentication Certificates. Servers and clients are issued certificates by a certificate
- authority. Microsoft Certificate Server can behave as a certificate authority.
- </TD>
- </TR>
- </TABLE>
- </CENTER>
-
- <H2>Components Used</H2>
- The Active Directory Service API (ADSI) is used as the primary programmatic administration interface for Internet
- Information Server. With ADSI most aspects of an IIS server can be administered programmatically.
- <P>
- Use the following syntax to access the IIS ADSI object from an ASP page, VBScript or JScript:
- <P>
- <CENTER><STRONG>Set oAdminDir = GetObject("IIS://localhost/w3svc/1/Root/IISSamples/ExAir/SiteAdmin")</STRONG></CENTER>
- <P>
- Once we have the object, its properties may be set. For example, use the following code
- to set the <STRONG>SSL Client Certificate Required</STRONG> flag on the SiteAdmin object:
- <P>
- <CENTER><STRONG>oAdminDir.AccessSSLFlags = ACCESS_SSL + ACCESS_SSL_REQUIRE_CERT</STRONG></CENTER>
- <P>
- <H3>A Note On Security</H3>
- A user must have administrator privileges to access the administration data. This is why the SiteAdmin
- directory is marked as requiring Windows NT Challenge/Response Authentication: if the user is a Windows NT
- administrator, this authentication method preserves their credentials and hence they will be able to access
- the administration data. If Allow Anonymous is turned on, all access is attempted as though the user
- were a member of the Guest group; in other words, they will always be denied access because IIS is
- logging them on as a guest, not as an administrator.
- <H3>Delegation of User Credentials</H3>
- Windows NT 3.x and 4.0 do not support credential delegation, in other words you cannot pass the authentication
- information (called a token) from one application to another. This raises an interesting situation when running
- out-of-process Web applications (marked as running in a separate address space) in IIS.
- <P>
- If an administrator accesses an IIS Web application and is authenticated using Windows NT Challenge/Response Authentication,
- but the application is marked as running in a separate address space, the new Web application will not be running with
- the same administrator privileges as the user, because IIS cannot pass (delegate) the administrator's credentials
- to the new process. The side effect of this is that if the IIS application attempts to change IIS data
- through ADSI, it will always fail. The correct way to solve this problem is to make sure any such Web application does
- not run as a separate process.
- <P>
- Please note, because delegation is not supported at present, IIS starts all out-of-process Web applications
- using the IWAM_<I>xxxxxxxx</I> Windows NT account which is added to Windows NT during setup.
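<P>
The following ASP fragment is an added example; it is not code from the Exploration Air sample or from Microsoft. It ties the sections above together: it reads the posted form, applies the intranet setting (anonymous or Challenge/Response) through the <STRONG>AuthFlags</STRONG> property and the Internet setting through <STRONG>AccessSSLFlags</STRONG>, commits each change with <STRONG>SetInfo</STRONG>, and first checks <STRONG>AppIsolated</STRONG> so that an out-of-process application reports the delegation problem instead of failing on every write. The virtual directory names other than SiteAdmin, the form field names, the AppIsolated check and the numeric values of the AUTH_* and ACCESS_SSL_* constants are assumptions taken from the IIS 4.0 ADSI documentation rather than from this page.
<P>

```vbscript
<%
Option Explicit
' Added example (not the Exploration Air sample's own code). Property names,
' metabase paths and numeric flag values below are assumptions based on the
' IIS 4.0 ADSI documentation; check them against your IIS version.

' AccessSSLFlags bits (assumed values)
Const ACCESS_SSL              = 8     ' require an SSL connection
Const ACCESS_SSL_NEGO_CERT    = 32    ' ask the browser for a client certificate
Const ACCESS_SSL_REQUIRE_CERT = 64    ' refuse clients that present no certificate

' AuthFlags bits (assumed values)
Const AUTH_ANONYMOUS = 1
Const AUTH_NTLM      = 4              ' Windows NT Challenge/Response

Const EXAIR_ROOT = "IIS://localhost/w3svc/1/Root/IISSamples/ExAir/"

' An out-of-process application runs as IWAM_xxx rather than as the
' authenticated administrator, so every ADSI write from it fails.
' Check AppIsolated (assumed: 0 = in-process) before attempting changes.
Function RunningInProcess()
    Dim oApp
    On Error Resume Next
    Set oApp = GetObject(EXAIR_ROOT & "SiteAdmin")
    RunningInProcess = (Err.Number = 0) And (oApp.AppIsolated = 0)
    On Error GoTo 0
End Function

' Intranet directories: the only choice is anonymous or Challenge/Response.
' Returns the AuthFlags value written, or -1 if the write failed.
Function SetIntranetAuth(sVDir, bAllowAnonymous)
    Dim oDir, nFlags
    If bAllowAnonymous Then
        nFlags = AUTH_ANONYMOUS Or AUTH_NTLM
    Else
        nFlags = AUTH_NTLM
    End If
    On Error Resume Next
    Set oDir = GetObject(EXAIR_ROOT & sVDir)
    oDir.AuthFlags = nFlags
    oDir.SetInfo                      ' nothing reaches the metabase until SetInfo
    If Err.Number <> 0 Then nFlags = -1
    On Error GoTo 0
    SetIntranetAuth = nFlags
End Function

' Internet directories: require SSL, optionally a client certificate as well.
' Returns the AccessSSLFlags value written, or -1 if the write failed.
Function SetInternetSSL(sVDir, bRequireClientCert)
    Dim oDir, nFlags
    nFlags = ACCESS_SSL
    If bRequireClientCert Then
        ' Assumed: RequireCert is only honoured when NegotiateCert is also set
        nFlags = nFlags Or ACCESS_SSL_NEGO_CERT Or ACCESS_SSL_REQUIRE_CERT
    End If
    On Error Resume Next
    Set oDir = GetObject(EXAIR_ROOT & sVDir)
    oDir.AccessSSLFlags = nFlags
    oDir.SetInfo
    If Err.Number <> 0 Then nFlags = -1
    On Error GoTo 0
    SetInternetSSL = nFlags
End Function

' Form handling. Field names and the directory names Benefits, FreqFlyer
' and Partners are assumed, not taken from the sample.
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Not RunningInProcess() Then
        Response.Write "This application runs out-of-process; ADSI changes would fail."
    ElseIf Request.ServerVariables("LOGON_USER") = "" Then
        Response.Write "Not authenticated; SiteAdmin must require Challenge/Response."
    Else
        Dim bAnon, bCert
        bAnon = (Request.Form("AllowAnonymous") = "on")
        bCert = (Request.Form("RequireCert") = "on")
        Response.Write "SiteAdmin AuthFlags = " & SetIntranetAuth("SiteAdmin", bAnon) & "<BR>"
        Response.Write "Benefits AuthFlags = " & SetIntranetAuth("Benefits", bAnon) & "<BR>"
        Response.Write "FreqFlyer AccessSSLFlags = " & SetInternetSSL("FreqFlyer", bCert) & "<BR>"
        Response.Write "Partners AccessSSLFlags = " & SetInternetSSL("Partners", bCert) & "<BR>"
    End If
End If
%>
```

<P>
Because ADSI reports a failed SetInfo through the Err object rather than a return value, each function returns -1 on failure so the page can tell the administrator exactly which directory was not updated; with the LOGON_USER check in front, an empty user name is an immediate sign that the directory is still allowing anonymous access.
<P>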
- </FONT>
- </TD>
- </TR>
- </TABLE>
- <!--END TOP TABLE HOLDING GRAPHIC, NAVIGATIONAL LINK, AND MAIN CONTENT-->
- <BR>
- <BR>
-
- <CENTER>
- <!--BEGIN LEGAL INFORMATION-->
- <TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0>
- <TR>
- <TD>
- <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE="1"><A HREF="../legal.htm">©1997 Microsoft Corporation. All rights reserved. Terms of Use.</A></FONT>
- <P>
- </TD>
- </TR>
- </TABLE>
- </CENTER>
- <!--END LEGAL INFORMATION-->
- </TD>
- </TR>
- </TABLE>
-
- </BODY>
- </HTML>
-
- <SCRIPT LANGUAGE=JavaScript>
- // Opens the site's source viewer (code.asp) for the given page in a new window
- function openWindow(SourceURL)
- {
- // Set some defaults (declared with var so they do not leak into global scope)
- var width = 450;
- var height = 450;
-
- var url = "code.asp?Source=" + SourceURL;
- window.open(url, "Sample", "resizable=yes,scrollbars=yes,width=" + width + ",height=" + height);
- }
- </SCRIPT>
-