1998-04-27
|
9KB
|
180 lines
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<!--META TAGS ARE RECOMMENDED FOR THE SEARCH ENGINE-->
<META NAME="DESCRIPTION" Content="How It Works Page">
<META NAME="KEYWORDS" CONTENT="help, code, source code, questions, explanation">
<META NAME="GENERATOR" CONTENT="Microsoft Visual InterDev 1.0">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso8859-1">
<!--END META TAGS-->
<TITLE>How This Page Works</TITLE>
</HEAD>
<BODY BGCOLOR=#FFFFFF TOPMARGIN=0 LEFTMARGIN=0 ALINK=#23238E VLINK=#808080 LINK=#FFCC00>
<BASEFONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=2>
<!--Change link color on mouseover
Only if running Internet Explorer 4.0 or later -->
<!--#include file=../libHighlight.inc-->
<!--BEGIN TOP TABLE HOLDING GRAPHIC, NAVIGATIONAL LINK, AND MAIN CONTENT-->
<TABLE WIDTH="100%" HEIGHT="100%" CELLPADDING=0 CELLSPACING=0 BGCOLOR="#000000" BORDER=0>
<TR>
<TD BGCOLOR="#000000" ALIGN=CENTER VALIGN=TOP WIDTH=170>
<BR>
<IMG SRC="../images/btslarge.jpg" HEIGHT=119 WIDTH=171 ALT="Behind the Scenes at Exploration Air" BORDER=0>
<BR>
<BR>
<BR>
<!--BACK BUTTON AND VARIABLE TO RETURN TO ORIGINATING PAGE-->
<!--HTTP_REFERER IS SUPPLIED BY THE CLIENT, SO IT IS HTML-ENCODED BEFORE BEING WRITTEN INTO THE PAGE-->
<A HREF="<%=Server.HTMLEncode(Request.ServerVariables("HTTP_REFERER"))%>"><IMG SRC="../images/barrowy.gif" HEIGHT=8 WIDTH=8 ALT="Return to Previous Page" BORDER=0></A>
<FONT SIZE=2 FACE="VERDANA, ARIAL, HELVETICA"><STRONG>
<A HREF="<%=Server.HTMLEncode(Request.ServerVariables("HTTP_REFERER"))%>">
B A C K </A>
</STRONG></FONT>
<BR>
<BR>
<!--JAVASCRIPT TO VIEW PAGE'S SOURCE CODE-->
<A HREF="JavaScript:openWindow('../SiteAdmin/Default.asp')">View Source</A>
<BR>
</TD>
<TD BGCOLOR="#FFFFFF" BACKGROUND="../images/btsbg.gif" VALIGN=top>
<BR CLEAR=ALL>
<TABLE WIDTH="100%" CELLPADDING=10 CELLSPACING=0 BORDER=0>
<TR>
<TD VALIGN=top>
<FONT FACE="VERDANA, ARIAL, HELVETICA" COLOR="#0000FF" SIZE=5>How The Site Administration Page Works</FONT>
<HR>
<FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE="2">
<H2>Functional Overview</H2>
The Site Administration page allows an administrator to set security properties for the Exploration Air sample site.
The possible settings relate to authentication and use of the Secure Sockets Layer protocol (SSL).
<P>
Changes are made by filling out a form. The results are posted back to <STRONG>default.asp</STRONG>,
where the form data is analyzed and used to set the properties.
<P>
Four areas of the site are affected:
<DIR>
<LI>Site Administration</LI>
<LI>Benefits</LI>
<LI>Frequent Flyer</LI>
<LI>Business Partners</LI>
</DIR>
Site Administration and Benefits are treated as one administrative unit because both are intranet scenarios.
The only setting is whether anonymous access is allowed. By default the site should use
Windows NT Challenge/Response authentication, as it is the most secure.
<P>
Because Frequent Flyer and Business Partners are Internet scenarios, some form of privacy, tamper resistance
and/or authentication is required. Internet Information Server supports these features by using SSL.
SSL supports privacy through data encryption, tamper resistance through message digests, and authentication
using certificates. The following table explains this in greater detail:
<P>
<CENTER>
<TABLE ALIGN=CENTER BORDER=1 CELLPADDING=5 WIDTH=90%>
<TR>
<TH BGCOLOR="#C0C0C0">SSL Feature</TH>
<TH BGCOLOR="#C0C0C0">Comment</TH>
</TR>
<TR>
<TD ALIGN=CENTER><I>Privacy</I></TD>
<TD>
SSL supports automatic data encryption. Scrambling the data as it passes between the browser and the
server reduces the possibility of an eavesdropper working out what is being sent.
</TD>
</TR>
<TR>
<TD ALIGN=CENTER><I>Tamper Resistance</I></TD>
<TD>
SSL supports tamper resistance by using message digests. A message digest is a complex checksum of the
data. SSL generates a message digest of the data prior to sending, then recalculates the message digest
of the data on receipt. If the data has changed (through tampering or communication failure),
the checksum will be different and SSL will reject the data.
</TD>
</TR>
<TR>
<TD ALIGN=CENTER><I>Authentication</I></TD>
<TD>
SSL can verify a server using Server Certificates and can verify a client using
Client Authentication Certificates. Servers and clients are issued certificates by a certificate
authority. Microsoft Certificate Server can behave as a certificate authority.
</TD>
</TR>
</TABLE>
</CENTER>
<H2>Components Used</H2>
The Active Directory Service API (ADSI) is used as the primary programmatic administration interface for Internet
Information Server. With ADSI, most aspects of an IIS server can be administered programmatically.
<P>
Use the following syntax to access the IIS ADSI object from an ASP page, VBScript or JScript:
<P>
<CENTER><STRONG>Set oAdminDir = GetObject("IIS://localhost/w3svc/1/Root/IISSamples/ExAir/SiteAdmin")</STRONG></CENTER>
<P>
Once we have the object, its properties may be set. For example, use the following code
to set the <STRONG>SSL Client Certificate Required</STRONG> flag on the SiteAdmin object:
<P>
<CENTER><STRONG>oAdminDir.AccessSSLFlags = ACCESS_SSL + ACCESS_SSL_REQUIRE_CERT</STRONG></CENTER>
<P>
<H3>A Note On Security</H3>
A user must have administrator privileges to access the administration data. This is why the SiteAdmin
directory is marked as requiring Windows NT Challenge/Response Authentication. If the user is a Windows NT
administrator, this authentication method preserves their credentials, and hence they will be able to access
the administration data. If Allow Anonymous is turned on, all access will be attempted as though the user
were a member of the Guest group. In other words, they will always be denied access because IIS is
logging them on as a guest, not an administrator.
<H3>Delegation of User Credentials</H3>
Windows NT 3.x and 4.0 do not support credential delegation. In other words, you cannot pass the authentication
information (called a token) from one application to another. This raises an interesting situation when running
out-of-process Web applications (marked as running in a separate address space) in IIS.
<P>
If an administrator accesses an IIS Web application and is authenticated using Windows NT Challenge/Response Authentication,
but the application is marked as running in a separate address space, the new Web application will not be running with
the same administrator privileges as the user, because IIS cannot pass (delegate) the administrator's credentials
to the new process. The side effect of this is that if the IIS application attempts to change IIS data
through ADSI, it will always fail. The correct way to solve this problem is to make sure any Web application does
not run as a separate process.
<P>
Please note that, because delegation is not supported at present, IIS starts all out-of-process Web applications
using the IWAM_<I>xxxxxxxx</I> Windows NT account, which is added to Windows NT during setup.
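<P>
The ADSI calls shown under Components Used, combined into a form handler that also reports the failure described above when the code is not running with administrator rights. This is an added example, not the sample site's own default.asp: the function names and the form field name are hypothetical, and the numeric flag values are the IIS metabase bit values, which this page does not list.
<P>

```vbscript
' Added example (not the ExAir default.asp). Function names are hypothetical.
' Flag values are the IIS metabase bits; the page names the ACCESS_SSL* constants only.
Const ACCESS_SSL = 8                 ' require an SSL channel
Const ACCESS_SSL_REQUIRE_CERT = 64   ' require a client certificate
Const AUTH_ANONYMOUS = 1             ' AuthFlags bit: anonymous access
Const AUTH_NTLM = 4                  ' AuthFlags bit: NT Challenge/Response

' Internet scenarios: build AccessSSLFlags from two form choices.
Function BuildSslFlags(bRequireSsl, bRequireCert)
    Dim lFlags
    lFlags = 0
    ' A client certificate can only be demanded over SSL, so it implies ACCESS_SSL.
    If bRequireSsl Or bRequireCert Then lFlags = lFlags Or ACCESS_SSL
    If bRequireCert Then lFlags = lFlags Or ACCESS_SSL_REQUIRE_CERT
    BuildSslFlags = lFlags
End Function

' Intranet scenarios: Challenge/Response stays on; anonymous is the only choice.
Function BuildAuthFlags(bAllowAnonymous)
    Dim lFlags
    lFlags = AUTH_NTLM
    If bAllowAnonymous Then lFlags = lFlags Or AUTH_ANONYMOUS
    BuildAuthFlags = lFlags
End Function

' Write one property and commit it. Returns "" on success or an error string.
Function SetIisProperty(sAdsPath, sName, lValue)
    Dim oDir
    SetIisProperty = ""
    On Error Resume Next
    Set oDir = GetObject(sAdsPath)
    If Err.Number = 0 Then oDir.Put sName, lValue
    If Err.Number = 0 Then oDir.SetInfo      ' nothing is saved until SetInfo
    If Err.Number <> 0 Then
        ' Expected when the code runs as Guest or IWAM_xxxxxxxx instead of an
        ' administrator (anonymous access on, or an out-of-process application).
        SetIisProperty = "0x" & Hex(Err.Number) & " " & Err.Description
    End If
    On Error GoTo 0
End Function

' Usage inside an ASP page (the form field name "RequireCert" is hypothetical):
'   sPath = "IIS://localhost/w3svc/1/Root/IISSamples/ExAir/SiteAdmin"
'   sErr = SetIisProperty(sPath, "AccessSSLFlags", _
'          BuildSslFlags(True, Request.Form("RequireCert") = "on"))
'   If sErr <> "" Then Response.Write Server.HTMLEncode(sErr)
```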
</FONT>
</TD>
</TR>
</TABLE>
<!--END TOP TABLE HOLDING GRAPHIC, NAVIGATIONAL LINK, AND MAIN CONTENT-->
<BR>
<BR>
<CENTER>
<!--BEGIN LEGAL INFORMATION-->
<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0>
<TR>
<TD>
<FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE="1"><A HREF="../legal.htm">©1997 Microsoft Corporation. All rights reserved. Terms of Use.</A></FONT>
<P>
</TD>
</TR>
</TABLE>
</CENTER>
<!--END LEGAL INFORMATION-->
</TD>
</TR>
</TABLE>
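<SCRIPT LANGUAGE=JavaScript>
// Open the source viewer (code.asp) for the given page in a pop-up window
function openWindow(SourceURL)
{
// Set some defaults
var width = 450;
var height = 450;
// URL-encode the path so it is passed intact as a single query-string value
var url = "code.asp?Source=" + encodeURIComponent(SourceURL);
window.open(url,"Sample","resizable=yes,scrollbars=yes,width=" + width + ",height=" + height);
}
</SCRIPT>
</BODY>
</HTML>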