Editor's Note: This column builds on my columns in the past three issues. This column assumes that you've built a Membership server, mapped that server to the default Web site on port 80, created a virtual directory called Membership, and configured the Membership Directory Manager (MDM) to look at port 1003, where your Lightweight Directory Access Protocol (LDAP) server is running.
Last month, I showed you some advanced configurations of Microsoft Site Server 3.0 and its Personalization and Membership (P&M) features. This month, I describe another common feature (and the latest rage) of a truly personalized e-commerce Web site—implementation of the architecture to support subscription-based (often called membership-based) access to your e-commerce Web site. You can use Site Server Membership Directory Service (DS) groups to implement this architecture. If Web site users authenticate in the DS and are members of a particular group in that DS, they can access special members-only or subscribers-only areas on the site.
Let me paint a scenario. Let's say that you're in charge of the IIS Administrator Web site for Duke Communications International. You want to create a subscribers-only area of the Web site. To create this area, you need to
- Create a group in your DS to house the subscribers
- Add the subscribers to that group
- Create home-page .asp files that display a link if the authenticated user (i.e., an IIS Administrator subscriber) is a member of the group
- Create Active Server Pages (ASP) and subscribers-only areas on your IIS Administrator e-commerce Web site
- Secure the subscribers-only area on the site by setting ACLs on the folder and files
Creating a Group in the Site Server Membership DS
You use the MDM in the Site Server Service Admin Microsoft Management Console (MMC) to add the Membership DS Group. To start the MMC, click Start, Programs, Microsoft Site Server, Administration.
Click Membership Directory Manager in the MMC. If you haven't secured the DS, you can log on anonymously or as the DS administrator. Expand the MDM by clicking the plus sign (+), then clicking ou=Groups—the Groups container. The ou=Groups container holds the four default groups, which you see in Screen 1. AdminGroup holds the DS administrators. Double-click AdminGroup, then click the Members tab: Notice that the DS administrator is a member of the AdminGroup. As Screen 2 shows, the administrator appears in the format cn=Administrator, ou=Members, o=InterKnowlogy. (The o= is the realm; your realm will be different.) This format is called the distinguished name (DN) format. The DN format is important for programming with Microsoft Active Directory Service Interfaces (ADSI) because it gives an absolute path to the DS entity (in this case, the administrator).
Notice the Expiration button at the bottom of the Members tab in the cn=AdminGroup Properties dialog box. In the MDM, you set expiration dates for group members. This feature makes it easy to have a subscription-based e-commerce Web site in which a user's subscription expires on a certain date. When that date arrives, the MDM automatically removes the subscription from the group. Click Cancel to close the cn=AdminGroup Properties dialog box, then highlight ou=Groups again by clicking it. Now you can add a group to the DS.
To add a group to the DS, follow these steps:
- Right-click ou=Groups, click New, then click Group to start the New Group Wizard. The wizard will guide you through the steps necessary to create a new group.
- Click Next on the wizard's opening dialog box. The wizard will ask you to name the group.
- Enter IIS Administrator, then click Next. Now you can add Group-level attributes to the group.
- Click Add Attribute, select Description, and click OK. The wizard will prompt you to add a value for the Description attribute.
- Enter Subscribers to IIS Administrator, then click Next. The wizard will now let you add members to the group. Add the user you created in the December issue (i.e., Tim).
- Click Add, select Tim, click Add, then click OK.
- Click Finish to complete the wizard.
You now have a Membership DS Group called IIS Administrator with one user. Now, let's create the site architecture to house the personalized content.
Creating the Subscribers-Only Area on the E-Commerce Web Site
In the December issue, I showed you how to create a virtual directory called Membership and force an authentication against it. Now, I show you how to create a subfolder of that virtual directory and call it IISAdmin.
- Use Windows Explorer to access your Site Server file system, and create a subfolder called IISAdmin. The subfolder path will look similar to D:\inetpub\wwwroot\membership\iisadmin. From the MMC view, the subfolder will look identical to Screen 3.
- Right-click the IISAdmin folder from the MMC, select Properties, then click the Membership Authentication tab. Notice that the new subfolder inherited the authentication properties of its parent (i.e., HTML Forms Authentication without Allowing Anonymous Access).
Look at the ASP code in Listing 1, page 10. Notice the instantiation of the Active User Object (AUO) and the four response.write statements. (If you're unfamiliar with AUO, see my columns in the January 2000 and December 1999 issues.) What's most interesting here, however, is the If...Then...Else statement at the end of the listing page. This statement tells the scripting engine to display a link to the SubscribersOnly page if the authenticated user is a member of the IIS Administrators Group. If you look closely, the expression is testing the value of an attribute called Groups and measuring that attribute against the group's DN format. I could have written ADSI code that iterated the Groups container, but groups function as member-level attributes. Thus, you can use the AUO to test for membership in a group. The trick here is that if a member belongs to more than one group, objauo.groups returns a variant array instead of a string. (The code in Listing 1 doesn't test for strings because I'm trying to keep the code examples as simple as possible. You can easily modify the code to run this test.)
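The following page is an added example, not the column's Listing 1, that performs the same membership test but also handles the variant-array case the column leaves out. It assumes the page lives in the Membership virtual directory (so the AUO binds to the authenticated user without an explicit Init call), that the AUO is registered under the ProgID Membership.UserObjects, and that the realm is o=InterKnowlogy; substitute your own realm in GROUP_DN.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example, not the column's Listing 1. The realm below is assumed;
' replace o=InterKnowlogy with the realm you named when creating the DS.
Const GROUP_DN = "cn=IIS Administrator,ou=Groups,o=InterKnowlogy"

' True if vGroups (the AUO's groups attribute) contains strGroupDN.
' The attribute is a string when the user belongs to one group and a
' variant array of strings when the user belongs to several. DNs are
' compared case-insensitively because LDAP treats them that way.
Function GroupsContain(vGroups, strGroupDN)
    Dim i
    GroupsContain = False
    If IsEmpty(vGroups) Or IsNull(vGroups) Then Exit Function
    If IsArray(vGroups) Then
        For i = LBound(vGroups) To UBound(vGroups)
            If StrComp(vGroups(i), strGroupDN, vbTextCompare) = 0 Then
                GroupsContain = True
                Exit Function
            End If
        Next
    ElseIf StrComp(CStr(vGroups), strGroupDN, vbTextCompare) = 0 Then
        GroupsContain = True
    End If
End Function

' Reads the groups attribute from the AUO. A user who belongs to no
' group has no groups attribute at all, which raises a runtime error;
' that case is translated into Empty so the caller treats it as "not a member".
Function GetUserGroups(objAUO)
    On Error Resume Next
    GetUserGroups = objAUO.groups
    If Err.Number <> 0 Then
        Err.Clear
        GetUserGroups = Empty
    End If
    On Error GoTo 0
End Function

Dim objAUO, vGroups
Set objAUO = Server.CreateObject("Membership.UserObjects")
vGroups = GetUserGroups(objAUO)
%>
<html>
<body>
<p>Signed on as: <%= Server.HTMLEncode(objAUO.cn) %></p>
<% If GroupsContain(vGroups, GROUP_DN) Then %>
  <p><a href="iisadmin/subscribersonly.asp">Subscribers Only</a></p>
<% Else %>
  <p>You are not an IIS Administrator subscriber.</p>
<% End If %>
</body>
</html>
```

Note that this test only decides whether to render the link; it does not stop a user who types the SubscribersOnly.asp URL directly. The file-system ACL on the IISAdmin folder, set with the shadow group later in this column, is what actually enforces the restriction.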
Use the examples below to create two different .asp pages:
Creating Default.asp. Create an .asp page in an editor (e.g., Microsoft Visual InterDev, Microsoft Notepad) with the code in Listing 1. Call the page Default.asp, and place it in the Membership virtual directory. The page will inherit HTML Forms Authentication without Allowing Anonymous Access from the virtual directory properties. If you want to make sure of the access, follow these steps:
- Go to the MMC.
- Find the Internet Information Server snap-in from the MMC's treeview.
- From the Internet Information Server snap-in, locate Default.asp in the Membership virtual directory. (You might have to refresh the view.)
- Right-click Default.asp, then click Properties. Select the Membership Authentication tab.
Creating SubscribersOnly.asp. Create an .asp page with the code in Listing 2. Name the page SubscribersOnly.asp, and place it in the Membership virtual directory's IISAdmin folder.
Use your browser to navigate to http://localhost/membership/default.asp. Authenticate as the user you added to the IIS Administrator group (i.e., Tim). Screen 4 shows an example of the page results. Click the Subscribers Only link. Close that browser, and navigate to http://localhost/membership/default.asp again. This time, authenticate as Administrator. The Subscribers Only link is no longer present because the administrator doesn't belong to the IIS Administrator group. However, if you authenticate as Administrator and navigate directly to the URL of the SubscribersOnly.asp page, you can see the SubscribersOnly.asp page even though the administrator isn't a member of the IIS Administrator group. You have a security hole. Let's shore it up.
Setting ACLs on the Subscribers-Only Area of the E-Commerce Site
A great feature of Site Server 3.0 Membership Groups is that they have clones that exist as Windows NT 4.0 groups. These clones, or shadow groups, let you use file and folder permissions to secure Web content. Open NT's User Manager by clicking Start, Programs, Administrative Tools (Common), User Manager for Domains. Scroll down until you find the shadow group for the IIS Administrators Group (the Groups section) you created in the Membership DS. The shadow group name will be in the format
where realm is the name you gave your DS when you created it. Double-click the group, and refer to Screen 5. Notice that the description is Membership Server Group and that the group has no members. Because members in an NT group are domain or local server accounts, no members exist in this group. NT doesn't shadow Site Server Membership users in the DS mainly because you can technically have zillions of Site Server Membership users, far surpassing NT's scalability.
To access the IISAdmin folder and set the ACL, follow these steps:
- Close the Local Group Properties dialog box, and exit User Manager.
- Run your browser, and navigate to the IISAdmin folder that hosts SubscribersOnly.asp.
- Right-click the folder, click Properties, click the Security tab, then click Permissions, which you see in Screen 6.
- Select the Replace Permissions on Subdirectories and Replace Permissions on Existing Files check boxes.
- Click Add, then select the Membership shadow group Site_Realm_IIS Administrator, where Realm is the name of your realm.
- Click Add, then click OK. The shadow group will have Read access to the IISAdmin folder and the files the folder contains. Now you have to take away the permissions for the group Everyone.
- Select Everyone, then click Remove. (The Local Administrator in NT differs from the Administrator in your Site Server Membership DS.)
- Click OK. The Local Administrator will ask you to replace the security information on all existing subdirectories within the IISAdmin folder.
- Click Yes. The ACL setting process will start and finish quickly.
- Click OK to close the Properties sheet.
Now, open your browser and navigate to http://localhost/membership/iisadmin/subscribersonly.asp. Authenticate as Administrator. The site will immediately redirect you, and you'll receive the message Your membership has been verified, but you do not have permissions to access the URL you requested, which you see in Screen 7. Exit the browser, and try again. This time, authenticate as Tim. You're in!
You now have the foundation architecturally for a functional, powerful, and personalized e-commerce Web site authenticated in the Site Server Membership DS. Next month, I'll show you how to create, configure, and customize the DS with Window Scripting Host (WSH) scripts.