IIS 6: The Complete Reference

IIS 6 can use Microsoft's .NET Passport to authenticate users requesting resources from a web site or a web site virtual directory. The benefit of this solution is that the credentials are stored and managed on another server that you are not responsible for building or maintaining. Users authenticate with the .NET Passport service and are then allowed access to the web site hosted on your WS03 server. The service does not provide access control or site authorization, however. The .NET Passport server can only affirm that a web consumer claiming to be the person behind an established Passport profile has successfully authenticated as that person; what that person is then permitted to do on your site remains your site's decision.

The .NET Passport system is free for the web consumer to register with and use. Web consumers log in and log out at the Passport server, and they are directed to your web site after a successful login event. The login and logout pages may be cobranded so that they appear to be related to the web site that the user is logging in to.

Passport offers a convenient system for everyone involved in a web-based transaction: users get a single sign-on for any .NET Passport-authenticated web site they encounter. The web host benefits because it does not have to build and support a credentials system or server, though it must pay a fee to the Microsoft .NET Passport service to establish an account with the Passport server. After an account is set up, the web host simply needs to build the web site to respond to users who authenticate. This is the same effort that any web site with an established membership and authentication mechanism would perform regardless of where the members' credentials are hosted, except that the site now deals only with authenticated users.

The problem with the .NET Passport system, however, is that many web consumers have been slow to adopt it. The web consumer community is apprehensive about providing personal information to the .NET Passport service. Existing web-based vendors and portals have not adopted .NET Passport with great enthusiasm because they generally already have their own authentication systems in place. The benefit of a single web login is greatly reduced when the web consumer must still authenticate separately to other sites they patronize. Without wide acceptance of .NET Passport as an authentication system by web sites, the single login system will not benefit the web consumer.

Establishing .NET Passport Service

Before you can use the .NET Passport service, you need to prepare your site for the service. Following are the steps required to establish a .NET Passport setup:

  1. Register the web site through the .NET Passport service. Go to the following URL to begin the process: http://www.microsoft.com/net/services/passport/developer.asp. Here, you'll fill out a comprehensive series of forms and complete a .NET Passport Wizard with information about yourself and your web site. Table 7-1 summarizes the information required to perform this step.

  2. On successful registration, your site is assigned an ID and registered with a pending status. Microsoft will attempt to replicate the site on its server and approve your site.

  3. Build the site. Microsoft provides a .NET Passport software development kit (SDK) that offers aid and support in your effort to build a .NET Passport web site. The SDK is available free for download from Microsoft's web site at http://msdn.microsoft.com/library/default.asp?url=/downloads/list/websrvpass.asp.

  4. Petition .NET Passport services for a compliance review of the site. If your site meets the standards, you will be required to enter into a contractual agreement with .NET Passport services.

  5. Launch the site. Obtain the encryption keys for the production site and roll in the production code required to support the .NET Passport integration.

    Table 7-1: .NET Passport Registration Information

    Item: Description

    Your general contact information: Name, phone, address, e-mail, and so on
    Name of the site: (Required) Name used to identify the site in the Passport portal
    Type of .NET Passport service: (Required) Choose one or more of the following: Kids Passport, .NET Passport Single Sign-In, .NET Passport Express Purchase
    Web Site Title: (Required) Title for the web site
    Domain Name: (Required) The topmost domain name for the site; no subdomains should be included in the name
    Default Return URL: (Required) The URL to which customers will be redirected from the Passport server in an error event
    Customer Support Phone Number: Telephone number presented to customers if they need help or support
    Customer Support E-mail: E-mail address presented to customers if they need help or support
    Customer Support URL: URL presented to customers if they need help or support
    Privacy Policy URL: (Required) URL presented to customers for your privacy policy
    Cobrand URL: URL for the cobranding file that contains the JavaScript cobranding variables
    Cobrand CSS URL: URL for the cascading style sheet (.css) file that the .NET Passport pages will use to appear cobranded
    Cobrand Image URL: (Required) URL for the site's logo, which should be 468 × 60 pixels
    Cobrand Image2 URL: (Required) URL for the site's logo, which must be 2 × 80 pixels, and a .gif
    Cobrand Image HREF: Link for the logo image
    Cobrand Instruction Text: (Required) Instructions that will appear at the top of the .NET Passport Credential dialog box
    Registration Return URL: URL of the file to which users will be redirected after login by default
    Terms of Use URL: URL for the terms of use
    Edit URL: URL of the page on your web site devoted to editing users' data
    Disable Copyright: Checkbox that disables the Microsoft copyright link presented in each .NET Passport module
    Disable Help Text: Checkbox that disables the Microsoft help file link presented in each .NET Passport module
    Disable Member Services: Checkbox that disables the Microsoft Member Services file link presented in each .NET Passport module
    Disable Privacy Policy: Checkbox that disables the Microsoft privacy policy file link presented in each .NET Passport module
    Disable Terms of Use: Checkbox that disables the Microsoft Terms of Use file link presented in each .NET Passport module
    Expire Cookie URL: (Required) URL for a file that deletes the .NET Passport cookies; this URL is called when the user performs a logout function
    Logout URL: URL for a file to which the Passport system will send customers when they sign out of .NET Passport by clicking the .NET Passport Sign Out button

The registration process identified in step 1 is rather comprehensive. You will also be presented with the .NET Passport Wizard, and you will be expected to establish a .NET Passport of your own. After the wizard completes, you will see a series of web pages prompting you for information, some of which is mandatory to complete the process. The information requested during the registration process is summarized in Table 7-1.

Setting Up the Site for .NET Passport

If you set up a web site or a web virtual directory to authenticate users via .NET Passport, the users will be presented with a .NET Passport login prompt when they request a file for the first time from the web site. The circumstances under which the user will be prompted for their credentials may vary, depending on the site application's use of the .NET Passport service. After the user enters a valid login and password, they are allowed to access the requested file.

To set up IIS to provide .NET Passport authentication, follow these steps:

  1. Open the IIS MMC snap-in and expand the Web Sites node in the left panel.

  2. Right-click the respective web site or virtual directory that should authenticate using .NET Passport. Select Properties.

  3. In the Properties window, select the Directory Security tab.

  4. Click the Edit button under the Authentication And Access Control section. The Authentication Methods window will open.

  5. Under the Authenticated Access section, check the .NET Passport Authentication checkbox. All other authentication methods will be disabled, since using .NET Passport authentication is a mutually exclusive option. Anonymous access can still be selected, however.

  6. If you want, type a domain name in the Default Domain text box. This is the domain to which usernames will be assumed to belong on the host server after the .NET Passport server authenticates them. Realm may be used to identify the organization or domain to which users should be assumed to belong if the server participates in a non-Microsoft system.

  7. Click the OK button to close the Authentication Methods window, and click the OK button to close the Properties window.
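As an added example (not code from the book), the following Python script audits an exported IIS 6 MetaBase.xml for the settings the steps above configure through the MMC: it lists every node with .NET Passport enabled, the Default Domain and Realm the server will assume for those users, and any other authentication method wrongly left enabled alongside Passport (step 5 says only Anonymous may coexist with it). It assumes the metabase export format (Location and AuthFlags attributes with flag names joined by " | ", plus the DefaultLogonDomain and Realm properties); the sample export is constructed.

```python
# Audit an IIS 6 MetaBase.xml export for .NET Passport authentication settings.
# Added example, not code from the book. Assumes the IIS 6 metabase export
# format: site and directory elements carry a Location path and an AuthFlags
# attribute whose value is a list of flag names joined by " | ".
import xml.etree.ElementTree as ET

PASSPORT = "AuthPassport"
# Step 5 of the setup procedure: Passport excludes every method except Anonymous.
ALLOWED_WITH_PASSPORT = {"AuthAnonymous", PASSPORT}

def parse_flags(value):
    """Split an AuthFlags value such as 'AuthAnonymous | AuthNTLM' into a set."""
    return {f.strip() for f in value.split("|") if f.strip()}

def audit_metabase(xml_text):
    """Return one finding per metabase node that has .NET Passport enabled.

    A finding records the node path, the DefaultLogonDomain and Realm the
    server will assume for Passport-authenticated users, and any method
    that should not coexist with Passport (an inconsistent configuration).
    """
    findings = []
    for node in ET.fromstring(xml_text).iter():  # every element, any namespace
        flags = parse_flags(node.get("AuthFlags", ""))
        if PASSPORT not in flags:
            continue
        findings.append({
            "location": node.get("Location"),
            "default_domain": node.get("DefaultLogonDomain"),
            "realm": node.get("Realm"),
            "conflicting": sorted(flags - ALLOWED_WITH_PASSPORT),
        })
    return findings

# Constructed sample export (not a real metabase): one directory configured as
# the book describes, one where an NTLM flag was left alongside Passport.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/members"
      AuthFlags="AuthAnonymous | AuthPassport" DefaultLogonDomain="EXAMPLE" Realm="example.test" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/legacy" AuthFlags="AuthNTLM | AuthPassport" />
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/public" AuthFlags="AuthAnonymous" />
 </MBProperty>
</configuration>"""

if __name__ == "__main__":
    for f in audit_metabase(SAMPLE_METABASE):
        status = "CONFLICT " + ",".join(f["conflicting"]) if f["conflicting"] else "OK"
        print(f"{f['location']}: domain={f['default_domain']} realm={f['realm']} {status}")
```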

If the .NET Passport service is set properly, users will be presented with a .NET Passport prompt that looks like the window shown in Figure 7-2, except the configurations described in Table 7-1 will exist in place of the default values shown in Figure 7-2.

Figure 7-2: .NET Passport login prompt with the default configurations
