Last month, I introduced you to Microsoft Site Server 3.0 and its Personalization and Membership (P&M) feature. I also showed you how to create and view a Directory Service (DS), build a Membership server, and map that server to your IIS 4.0 Web site. You'll need the DS and Membership server you created last month (or their equivalents) for the tasks you'll learn this month. These tasks include customizing your authentication model, creating DS users, and storing and viewing persistent, personalized data for your IIS 4.0 Web site. I'm assuming that you mapped your Membership server to your default Web site on port 80 and that you configured the Membership Directory Manager (MDM) in the Site Server Service Admin Microsoft Management Console (MMC) to look at port 1003, where your Lightweight Directory Access Protocol (LDAP) server runs.
Customizing Your Authentication Model
The first task is to set Anonymous access and HTML Forms authentication on the default Web site. From the Start menu, select Programs, Microsoft Site Server, Administration, Site Server Service Admin (MMC). The system might prompt you to log on and authenticate. If it does, note the server text box at the bottom of the form. This box uses the format SERVERNAME:PORTNUMBER to display the LDAP server and the port that communicates with your Membership server. Log on anonymously or with the DS's Administrator account.
In the MMC treeview, open the Internet Information Server folder. Right-click Default Web Site, and click Properties. Select the Membership Authentication tab. As Screen 1 shows, select Allow anonymous and HTML Forms Authentication. Click OK to apply Anonymous access to the entire Web site. Don't close the MMC because you'll need it later.
To test the Anonymous access setting, open a browser and navigate to http://localhost. The system lets you access the site without prompting you with an authentication input box asking for your username and password.
Anonymous access leaves your Web site unsecured. Fortunately, you can force authentication on those Web site resources (e.g., virtual directories, folders, files) that you need to protect. For example, you can force authentication on a virtual directory hosting an Active Server Pages (ASP) file that manipulates the DS. Here's how to create and protect that virtual directory:
1. Create the folder that will contain the ASP file. Open Windows Explorer. Create a folder called Membership under \inetpub\wwwroot.
2. Create the virtual directory that points to the Membership folder. Switch back to the MMC. In the treeview, open the Internet Information Server folder. Click the name of your server, then the plus sign (+) next to it to view the FTP, Web, and SMTP servers that your server hosts. Right-click Default Web Site. Select New, Virtual Directory to launch the New Virtual Directory Wizard. When the wizard prompts you to enter the name of the virtual directory you're creating, type Membership and click Next.
As Screen 2 shows, the wizard now prompts you for the virtual directory's physical path. Either type the path to the Membership folder you created in step 1 or click the Browse button to navigate to this folder. Click Next.
The wizard asks you to specify the access permissions for the virtual directory. By default, the wizard selects the Read and Script access check boxes. Leave these boxes checked. Select the Allow Directory Browsing check box so that when you browse the virtual directory, you can view its files. (The files are HTML links, so you can quickly execute them.) Click Finish to prompt the wizard to create the Membership virtual directory.
3. Force authentication on the Membership virtual directory. In the MMC treeview, open the Internet Information Server folder. Right-click the Membership virtual directory you created in step 2. (You might need to refresh the view.) Click Properties, and select the Membership Authentication tab. Clear the Allow anonymous check box, and click OK to apply the change.
Your default Web site now has Anonymous access, except for the Membership virtual directory and its contents. When a user browses to this virtual directory, the system forces an authentication.
Creating Users and Specifying User Data
Now that you have your Web site's authentication model set, you can create users in the DS, specify which data, or attributes, about the users (e.g., first name, last name, email address) you want to store, and specify the values of those attributes (e.g., Tim, Huckaby, email@example.com).
To begin, go to the MMC and expand the MDM to see its contents. Because DSs are hierarchical, not relational, the expanded MDM displays containers, which house DS objects. One such container is ou=Members (ou stands for organizational unit), which contains objects representing user accounts. For example, if you click the ou=Members container, you see the Administrator account you created last month when you created the DS.
To add a new user account, right-click ou=Members, and select New. Choose User to run the New User Wizard, and click Next. Enter the new user's username (or logon name). You can type any name (e.g., Tim). Click Next.
The wizard proceeds to the Add Attribute form. Click the Add Attribute button. A window containing about 50 default container attributes appears. As Screen 3 shows, each attribute has a Display Name, Common Name, and Description. In the attribute list, select the attribute you want to add, such as user-password, and click OK. You'll see a window similar to the one in Screen 4. In this window, type the user's password in the Value field. Click Add Attribute to return to the attribute list. Select another attribute that you want to add, such as Last Name, and click OK. Enter the user's last name in the Value field, and click Add Attribute. You repeat this process for all the default attributes you want to set for that user. After you've entered your last attribute value, choose Next rather than Add Attribute to continue to the next screen, which asks you to add the user to DS groups. In a future article, I'll show you how to create, use, and secure content with DS groups, but for now, click Finish to complete the process of adding the user.
If you look in the MDM treeview, the new user you just created appears under the Administrator account. If you double-click that user, you'll see the attributes and values you added.
Displaying User Data
Microsoft ships Site Server 3.0 with many COM objects that you can use to extend Site Server's functionality. For example, Site Server 3.0 comes with the Active User Object (AUO) interface. AUO is easy to implement and extremely robust. Because AUO is so robust, though, it's extremely slow. Despite its slow speed, AUO is still a great tool for learning how to use COM objects.
One of AUO's best features is that you can use it to identify the currently authenticated user and retrieve various attributes of that user. For example, you can use AUO to create the Web page in Screen 5. This page identifies Tim as the currently authenticated user and lists Tim's values for the first name, last name, and email address attributes.
Listing 1 contains the ASP file, AUOdisplay.asp, that created the Web page in Screen 5. The code at callout A in Listing 1 demonstrates how to use AUO. First, you use the CreateObject method to instantiate an AUO object and assign that instance to the variable objAUO. Next, you use an If...Then...Else statement to test whether the instantiation was successful (i.e., a user is currently authenticated). If no one is authenticated (which any error number other than 0 indicates), you write the error number and error description to the Web page, then end the page. If a user is currently authenticated, you render the message Instantiated the AUO object to the browser. Finally, you use a series of Response.Write statements to write the authenticated user's attribute values to the Web page. Notice that the attributes of the authenticated user are simply properties of the AUO object.
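The following ASP page is an added example that follows the logic just described; it is not the original Listing 1 or code from the author. The ProgID Membership.UserObjects does not appear in this article, and the property names cn, givenName, sn, and mail are assumed to be the common names of the user, first name, last name, and email attributes in your DS. The SafeAttr helper is hypothetical and HTML-encodes each directory value before it is written to the page.

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example; a reconstruction of the logic described above, not Listing 1.
Dim objAUO

' Handle errors in script so a failed CreateObject can be reported below,
' and so an attribute with no value renders blank instead of aborting.
On Error Resume Next

' Instantiate AUO; it binds to the user authenticated for this request.
Set objAUO = Server.CreateObject("Membership.UserObjects")

If Err.Number <> 0 Then
    ' Any error number other than 0 means the instantiation failed.
    Response.Write "Error " & Err.Number & ": " & _
                   Server.HTMLEncode(Err.Description)
    Response.End
Else
    Response.Write "Instantiated the AUO object<br>"
End If

' Directory values are data, not markup: HTML-encode them before output.
' SafeAttr is a hypothetical helper, not part of AUO.
Function SafeAttr(ByVal vValue)
    If IsNull(vValue) Or IsEmpty(vValue) Then
        SafeAttr = ""
    Else
        SafeAttr = Server.HTMLEncode(CStr(vValue))
    End If
End Function
%>
<html>
<head><title>AUO display</title></head>
<body>
<!-- Attributes are read as properties of the AUO object. The property
     names are assumed to match the attributes' common names in the DS. -->
<p>Authenticated user: <%= SafeAttr(objAUO.cn) %></p>
<p>First name: <%= SafeAttr(objAUO.givenName) %></p>
<p>Last name: <%= SafeAttr(objAUO.sn) %></p>
<p>Email address: <%= SafeAttr(objAUO.mail) %></p>
</body>
</html>
<% Set objAUO = Nothing %>
```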
I used Microsoft Visual InterDev to create AUOdisplay.asp, which you can download from the IIS Administrator Web site (http://www.winntmag.com/newsletter/iis). However, you can use any editor to edit this ASP file, as long as you name the file AUOdisplay.asp. Place the file in the Membership virtual directory. To test AUOdisplay.asp, follow these steps:
- In the MMC treeview, locate AUOdisplay.asp. (You might need to refresh the view.) Right-click AUOdisplay.asp, and click Properties. Select the Membership Authentication tab, and make sure the Allow anonymous check box is clear.
- Open a browser, and navigate to http://localhost/membership/auodisplay.asp. Authenticate as the user you created previously. A Web page similar to Screen 5 will appear that identifies your user as the currently authenticated user and lists the user's first name, last name, and email address.
- Close that Web page, and navigate again to http://localhost/membership/auodisplay.asp. This time, authenticate as an Administrator. The first name, last name, and email address entries will be blank because you haven't assigned values to those attributes for the Administrator account.
Using simple AUO code in ASP files is an easy and powerful way to customize your authentication model, create users, add default attributes, and display user data. Next month, I'll show you three additional tasks:
- How to add custom attributes to the Membership DS schema
- How to use the AUO object in ASP code to write values to user attributes
- How to use Microsoft Active Directory Service Interfaces (ADSI) in ASP to enumerate values in the member's container