The Dynamic Authentication Filter
By Dina Berry

    Overview


    Controlling who has access to your web site can be complicated with the regular NT tools unless you use the Dynamic Authentication Filter. The NT tools require you to have physical access to the machine. If your web site is hosted by an Internet Service Provider (ISP), how does the ISP allow you to control user and group access to your web site? If you have more than one web site on a single server, how do you differentiate access permission between users and groups of different sites? DAF solves both of these problems.

    DAF is a set of tools that allows you to manage web user access. These tools include an ISAPI filter that listens for authentication requests, a configuration tool to help tie web user authentication to NT user authentication, a web-based administration interface and server-side component to manage your site's users and groups (the DAFTools ASP component), and a Software Development Kit (SDK) to let you extend DAF.

    In order to manage user access to a web site with the usual NT tools, you have to have NT network access to the physical server. You typically control access with the NT User Manager application coordinated with the NT File System (NTFS) access permissions. This is a great system if you have access to these tools.

    Types of Authentication

    There are typically two types of access to a web site. The first is anonymous access. This is the most common and can be used to inform the general public of your company's products and services. The second type of access is membership-based access, where a user has to provide a name and password to the site.

    Yahoo uses the name and password to allow you to customize "My Yahoo". Amazon uses the name and password to remember previous purchase information. Some companies have both their internal and external web sites accessible from a single location. By verifying the user name and password, the web site can determine if you are accessing the internal web site (such as your payroll records) or the external web site (such as business-to-business billing invoices).

    Authentication can help your web site deliver great features in a variety of ways. However, managing the authenticated users and groups can become a problem. Managing content is as easy as using an FTP tool to upload your content, so why can't managing authentication be just as easy?

    With DAF, it is that easy. Once DAF has been installed on the web server, you can easily create, manage, and delete users and groups on both files and directories by uploading a file. For an even easier interface, use the web-based management tools provided in the DAF Web User Manager. There are typically two authentication scenarios where NT's authentication is not good enough to complete the task.

    The First Authentication Scenario

    The first scenario can arise when your site is hosted by an Internet Service Provider (ISP). If your site is hosted by an ISP, you will probably have to work out a policy for how you request changes to directories and files. Internet Service Providers typically do not give individuals on the ISP's web servers permission to modify the NT user database. Since many web sites may be on the same server, the ISP prohibits one individual from modifying all the permissions on the machine. The ISP will implement the changes to the permissions on your request. By placing the process in the hands of the ISP, you take the risk of communication and implementation errors.

    The Second Authentication Scenario

    The second scenario arises if you are hosting more than one site on a server. If you are managing more than one site on a single server, you still have only one NT User Manager database. The only way to differentiate users and groups between different sites is to use a naming convention for each user and group. While naming conventions are practical, they are prone to error when they are not followed.

    How DAF Provides Access To Your Content

    Controlling access to your content consists of two steps. The first step is to define the users and groups in the DAF database. The second step is to tie the DAF database users and groups to the content with the DAFAUTH.INI file. The DAFAUTH.INI (discussed later) controls what groups have access to what files in a specific directory.

    The DAF Database

    The DAF database can be any ODBC database or a text file. The database has a single table that defines the DAF users and passwords, their corresponding DAF groups, and their corresponding NT users (this is optional). In the database, you can also control when the account expires. The table also has two other columns that DAF writes to: count of visits and last visit date. When a user accesses your site, DAF will insert the date of that visit as well as increment the count of visits to the site for that user.

    The Example

    This example will be as simple as possible to illustrate DAF's ease-of-use and flexibility. As an example, assume my web site is on an ISP's machine. The ISP will have a location on the web server ('Folder1') where I can transfer my content files. I'll assume that the drive is NTFS but has the default access permissions of Everyone|Read. I want to control the access myself with DAF instead of NTFS so this default access permission is fine. The ISP will have to install DAF and use the DAF Config tool (discussed later) to create a database associated with my IP address. Once this is done, I can use the DAF User Manager web application to manage users and groups. When I want to change access permissions, I will upload a new DAFAUTH.INI file for each directory.

    Once the ISP has installed DAF and configured DAF (discussed later) to give me a user database, the ISP doesn't do anything else. I do the rest of the work via web pages and FTP upload. I'm not using any NTFS permissions, in order to make sure that all access control is done by DAF. It is possible to define (with a manual registry setting) a default NT user, so that the site owner doesn't need to know the NT user name and password. This is described in the FAQ question Q2.1.3. For the purposes of this example, the web site will have Anonymous and Basic Authentication. "Basic Authentication" must be ENABLED and "NTLM authentication" must be DISABLED for DAF to work.

    Web Site Owner Step 1: The Example Users and Groups

    The first step is to define your users and groups. For the following examples, these users and groups will be defined:

    Table 1: Users and Groups

    DAF User    DAF Groups
    Joe         grp1
    Jack        grp1;grp2
    Jheri       grp2

    Assume that the passwords are the same as the user names.

    Note: While DAF can handle many databases on a single machine, each representing a different site, this example will examine just one site with one database.

    Web Site Owner Step 2: The Example Content

    The second step is to tie the DAF database users and groups to the content with the DAFAUTH.INI file. The content will consist of one directory (for simplicity) with several files.

    Table 2: Directory and Files

    Directory   File Name     DAF User with Access            DAF Group with Access   Other Access
    Folder1     page1.htm     (Joe and Jack implied)          grp1
    Folder1     page2.htm     (Jack and Jheri implied)        grp2
    Folder1     page3.htm     (Joe, Jack and Jheri implied)   grp1;grp2
    Folder1     default.htm                                                           everyone
    Folder1     dafauth.ini                                                           (used by DAF)

    Now that we have both the user/group information for the database and the types of access for the DAFAUTH.INI file, we need to implement this.

    Web Site Owner: The DAF User Manager Web Application

    In order to use the DAF User Manager, the ISP needs to register a server-side control that communicates with the DAF database and gives you access to the User Manager Web Application. Once this is done, you can use the DAF Manager (provided with DAF) to add the users from Table 1. The User Manager lets you add, delete, or edit user information. Figure 1 is the DAF User Manager. The first thing you need to do is get to the right database. In order to do this, you need to choose "SELECT IP" from the left-side menu. Once you have done this, you can manage your users.

    Figure 1: User Manager Web Application

    In order to add the users from Table 1, I need to choose "Add User" from the left-side menu. Figure 2 shows how to enter the user information for Joe.

    Figure 2: Filling in Joe's user information

    Web Site Owner: The DAFAUTH.INI File

    Now that Joe's DAF user account is created, I need to create the rest of the users from Table 1. This will finish the first step of creating the users and groups. Then I need to finish the second step of connecting the DAF database with the web site content. Listing 1 shows the DAFAUTH.INI file that I have uploaded. The permissions correspond to Table 2. Since each file is explicitly mentioned, directory browsing will not be available and no other files in the directory will be available.

    Listing 1: DAFAUTH.INI

    
    	[page1.HTM]
    	grp1 = enable
    	default = disable
    
    	[page2.HTM]
    	grp2 = enable
    	default = disable
    
    	[page3.HTM]
    	grp1 = enable
    	grp2 = enable
    	default = disable
    
    	[default.HTM]
    	everyone = enable
    

    Web Site Owner: Testing DAF Authentication

    In order to test out DAF, I'll access the site as Joe. Joe currently has access to page1.htm and page3.htm. The first test is to access page1.htm as Joe. The second test is to access page2.htm as Joe. Joe should be allowed to see page1.htm but should get "401.2 Unauthorized: Logon Failed due to server configuration" for page2.htm. When I attempt to access page1.htm, I'll be presented with the Authentication box shown in figure 3. The browser is Microsoft Internet Explorer. Once I enter the name "Joe" and the password "Joe", I can see the page. DAF has worked correctly in that Joe can see page1.htm.

    Figure 3: Basic Authentication for Joe to access page1.htm

    In order to test page2.htm, I enter the new address in the address bar. This time, I get a login failure as shown in figure 4.

    Figure 4: Joe is denied access to page2.htm

    At this point, DAF has worked correctly for Joe. The access was entirely controlled without the aid of the ISP. Since DAF has logged how many times Joe has accessed the site and the last access date and time, I'll use the DAF User Manager to check that. Figure 5 shows the result of looking for Joe.

    Figure 5: Joe's last visit date/time and total visit count

    In the previous Web User Admin pages, all databases have been available. This is probably not how an ISP would set this up because I would have access to all DAF databases on the server. Figure 6 shows the User Manager web page set for just this database.

    Figure 6: Web User Admin Pages for This Database

    When a user comes into your web site, the DAF ISAPI filter handles the authentication request. DAF finds the user and corresponding groups in the DAF database. Then the DAF ISAPI filter checks the authentication in the DAFAUTH.INI file for that directory. Diagram 1 illustrates DAF authentication.

    Diagram 1: DAF Authentication
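
    The decision sequence just described (Basic credentials in, DAF database lookup, group check against the file's DAFAUTH.INI section, 401.2 on failure, and the visit count and last-visit columns written back) can be made concrete with a small model. The block below is an added example in Python, not DAF's own code (the real filter is a C++ ISAPI filter whose source is not on this page). It parses the DAFAUTH.INI of Listing 1, uses constructed rows mirroring Table 1 (passwords equal to user names, plus a hypothetical expired account "olduser"), and applies the rules the article states: a file with no section is never served, "everyone = enable" opens a file to anonymous callers, any enabled group grants access, and "default" decides for authenticated users in no enabled group. How DAF stores passwords, and its exact treatment of "default" for anonymous requests, are assumptions of this model.

```python
import base64
import configparser
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the DAFAUTH.INI from Listing 1.
DAFAUTH_INI = """
[page1.HTM]
grp1 = enable
default = disable

[page2.HTM]
grp2 = enable
default = disable

[page3.HTM]
grp1 = enable
grp2 = enable
default = disable

[default.HTM]
everyone = enable
"""

# Constructed fixed clock so the visit bookkeeping is checkable.
SAMPLE_NOW = datetime(2000, 1, 1, 12, 0, 0)


@dataclass
class DafUser:
    """One row of the single DAF user table the article describes."""
    password: str             # the page does not say how DAF stores passwords; kept as-is here
    groups: List[str]         # the semicolon-separated "DAF Groups" column, already split
    expires: Optional[date] = None          # optional account expiry
    visits: int = 0                         # column DAF writes: count of visits
    last_visit: Optional[datetime] = None   # column DAF writes: last visit date


def make_user_db() -> Dict[str, DafUser]:
    """Constructed rows mirroring Table 1 (password = user name) plus a hypothetical expired account."""
    return {
        "joe": DafUser("Joe", ["grp1"]),
        "jack": DafUser("Jack", ["grp1", "grp2"]),
        "jheri": DafUser("Jheri", ["grp2"]),
        "olduser": DafUser("olduser", ["grp1"], expires=date(1999, 12, 31)),  # hypothetical, not in Table 1
    }


def parse_dafauth(text: str) -> Dict[str, Dict[str, str]]:
    """Parse DAFAUTH.INI into {file name: {group or keyword: 'enable' | 'disable'}}.
    File names are lower-cased because IIS treats paths case-insensitively."""
    cp = configparser.ConfigParser()   # configparser already lower-cases option names
    cp.read_string(text)
    return {
        section.lower(): {key: value.strip().lower() for key, value in cp.items(section)}
        for section in cp.sections()
    }


def file_allowed(rules: Dict[str, Dict[str, str]], filename: str, groups: Optional[List[str]]) -> bool:
    """Evaluate one file's DAFAUTH.INI section; groups is None for an anonymous caller.
    No section: never served ("no other files in the directory will be available").
    everyone = enable: served to anyone. Otherwise an enabled group grants access and
    'default' decides for authenticated users in no enabled group (model assumption)."""
    section = rules.get(filename.lower())
    if section is None:
        return False
    if section.get("everyone") == "enable":
        return True
    if groups is None:
        return False
    if any(section.get(group.lower()) == "enable" for group in groups):
        return True
    return section.get("default") == "enable"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after the Basic Authentication box."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if unusable."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("latin-1")
    except ValueError:  # binascii.Error (malformed base64) is a ValueError subclass
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle_request(rules, db, filename, auth_header, now=SAMPLE_NOW) -> str:
    """Model of the filter's decision for one request: '200', or the '401.2'
    the article reports for a DAF logon failure."""
    if file_allowed(rules, filename, None):   # anonymous access needs no database lookup
        return "200"
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return "401.2"
    user = db.get(creds[0].lower())           # find the user in the DAF database
    if user is None or user.password != creds[1]:
        return "401.2"
    if user.expires is not None and now.date() > user.expires:
        return "401.2"                        # account expiry column honoured
    if not file_allowed(rules, filename, user.groups):
        return "401.2"                        # authenticated, but no enabled group for this file
    user.visits += 1                          # the two columns DAF writes back
    user.last_visit = now
    return "200"
```

    Running Joe through page1.htm, page2.htm and page3.htm reproduces the article's test: page1 and page3 return 200, page2 returns 401.2, and Joe's row afterwards shows two visits with the last-visit timestamp set. A request for dafauth.ini itself is refused whoever asks, because the file has no section of its own.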

    Configuring the DAF Database

    Up to this point, the web site owner (and not the ISP) has been the point of view. Now we need to see what work the ISP has to do to get DAF up and running. For the following steps to work, I downloaded DAF Filter 3.5, Config.exe, the DAFTools, and the DAF Web User Manager.

    ISP Step 1: Create the DAF Database
    The first step for the ISP is to create the DAF database. This can be any ODBC-compliant database or a text file. I chose to use a Microsoft Access 97 database called "user1". From the DAF documentation, I created a single table called "user" (the documentation explains the columns and datatypes). I then created a system DSN that is associated with the "user1" database.

    ISP Step 2: Configure with DAF Config Tool
    The next step is to use the DAF config tool (config.exe) to associate the database with the IP address of my web site. I can also set some options with the config tool. Since DAF can manage more than one database, I need to create an entry in DAF for my "user1" database as shown in figure 7. The next step is to associate the new DAF database with an IP. On the far-right side of figure 7, the IP addresses for this server are listed (currently just one address). I need to select that IP address and "Attach" it to the database.

    Figure 7: New Daf Database in Config Tool

    The next step is to configure the database and log files options, shown in figure 8 on the "Database Type & IP Address" tab. For this Access 97 database, I chose an ODBC database instead of a text database. I want to capture everything in the log files so all those log file options are checked. While all DAF information is logged to a private log file for this database, I can also examine the "Live Log" which is available in the far-left buttons. The live log lets me examine what is currently happening on any of the databases on the server.

    Figure 8: Configure Database and Log file in Config Tool

    Note: You may notice in figure 8 that the far-left dialog mentions three data sources. I purchased three data sources so I could support three web sites on this server. I currently only have one configured.

    The next step is to give DAF information about the database on the "ODBC Settings" tab, shown in figure 9 as the "ODBC Source" sub-tab. DAF needs to know if there is a user name and password to use in order to connect to the database.

    Figure 9: Configure the ODBC Connection

    The next sub-tab ("Update Mode"), shown in figure 10, is where I set how the entire user list is updated. It's important to select the right mode based on your site's traffic. Since my site is a low-traffic site, I've selected "real-time".

    Figure 10: Configuring Update Mode

    The last sub-tab ("IP Addresses & Tables & Fields"), shown in figure 11, is where I associate the table's columns with DAF information. The left box lists all tables found in the database. Since I only have one table, only "user" is listed. In the right box, the attached IPs are listed (I currently have only one). The middle text boxes are the coordination between DAF and the table. Each text box is a column name from the table. Since I'm not using NT Authentication, I don't need to fill those columns in. I can use the "Try to read ODBC source" button at the center bottom to make sure that DAF found all the columns. At this point, DAF has all the information it needs to work on the machine.

    Figure 11: Associating Table's columns for DAF

    The last major tab is "E-mail Notification", shown in figure 12. This is how you and the ISP can be sure that DAF is working correctly and that DAF can connect to the database.

    Figure 12: Email Notification

    ISP Step 3: Installing and Registering DLLs
    When I downloaded DAF 3.5, I received the Config tool and the ISAPI filter. I installed the ISAPI filter according to the documentation that came with DAF 3.5. When I downloaded DAFTools, I received the server-side component that Web User Manager uses to connect to DAF.

    ISP Step 4: Web User Manager
    When I downloaded DAF Web User Manager, I created a virtual directory. This gives me the ability to manage users and groups in the DAF database via web pages. At this point, the ISP work is done.

    DAF Tools and SDK

    DAF comes with two sets of tools. The first is an ASP component that you can use to build ASP pages to control DAF. The second is a Software Development Kit to build your own ISAPI filter.

    DAF Tools ASP component

    The User Manager is built on top of the DAF Tools ASP component. The ASP component lets you:

    • Explore and manage all DAF databases installed (TEXT or ODBC)
    • Retrieve all information regarding an ODBC or text user list
    • Add, find, remove, or change any DAF user in any DAF database
    • List all virtual IP addresses/all DAF databases on the server
    • Send an e-mail
    • Security features to isolate each database administrator/developer if needed

    You can use this component to build a registration page for your users. The user can enter a password or you can generate a random password for the user. Once the information is in the DAF database, you can also e-mail the information to this new user. The best sample code for the ASP component is the DAF Web User Manager.

    DAF Software Development Kit (SDK)

    Another feature of DAF is the ability to develop your own custom ISAPI filter with DAF's SDK. All settings made with the DAF Configuration Tool will be used with each custom DAF filter. The SDK is targeted toward C++ developers who are also experienced ISAPI developers. The SDK documentation takes you through creating a new Microsoft Visual C++ project, the necessary functions of the ISAPI filter, and debugging your custom DAF filter. Some examples of custom ISAPI filters are controlling authentication via HTML instead of the usual pop-up dialog, and implementing cookies to store the login and password in the browser.

    Web Farms

    For sites hosted on more than one machine, the DAF database can be hosted on a separate SQL Server. Each web server can then validate all users against a single database. Each server's configuration of DAF could use non-real-time updating to get great performance, because each server will then have a temporary copy of the DAF database.

    Summary

    DAF is a great product for controlling access to your web site. It allows web site owners to control access to their content without having to control ACLs on the server (or have other physical access to the server). The web site owner configures users and groups through the User Manager web pages and controls the access for the files through the DAFAUTH.INI file. The DAF ISAPI filter is installed by the ISP in IIS 3.0 or IIS 4.0 and the server-side control for the User Manager web pages is registered. The DAF Config tool allows the ISP to configure many DAF databases, one for each IP address. DAF's SDK allows you to develop your own custom filters.
