Article ID: 326020 - Last Review: June 26, 2008 - Revision: 3.0

How to configure IIS 6.0 URL authorization

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q326020

On This Page

Expand all | Collapse all

SUMMARY

For more information about URL authorization in Internet Information Services 7.0, visit the following Microsoft Web site:
http://learn.iis.net/page.aspx/142/understanding-iis-7-url-authorization/ (http://learn.iis.net/page.aspx/142/understanding-iis-7-url-authorization/)
Microsoft Internet Information Services 6.0 works with Authorization Manager in Microsoft Windows Server 2003 to provide IIS 6.0 URL Authorization. IIS 6.0 URL Authorization simplifies the administration of user access to Web objects. In IIS 6.0 URL Authorization, you maintain access control by using metabase attributes that control URL authorization. These metabase attributes are the following:
  • AzEnable
  • AzStoreName
  • AzScopeName
  • AzImpersonate
You can set these metabase attributes by using of a script. Authorization policy for IIS 6.0 URL Authorization is stored in an Authorization Manager policy store either in Active Directory or in an .xml file.

To configure IIS 6.0 URL Authorization, you must create your program folder under the Default Web Site folder in IIS Manager and then disable anonymous access to the site. You must then set the wildcard configuration properties to point to the URLAuth.dll file. You must also add URLAuth.dll as a new Web service extension. Next, you must set up an authorization policy store in Authorization Manager, set up the scope for the program, add the IIS worker process to the store's Readers role, and then configure the IIS metabase to use IIS 6.0 URL Authorization for the Web program.
Back to the top

INTRODUCTION

Microsoft Internet Information Server (IIS) 6.0 is included with Microsoft Windows Server 2003. IIS 6.0 works with Authorization Manager to provide IIS 6.0 URL Authorization. As a Web program administrator, you can use IIS 6.0 URL Authorization to control access to URLs based on custom user roles, on LDAP queries, and on BizRules.

To authorize user access to Web pages in IIS, you may have to manage many Discretionary Access Control Lists (DACLs) on resources that the Web programs use. Resources for Web programs may include Web page files, database records, registry keys, and more.

A task is a collection of low-level operations. An operation is a low-level permission that a resource manager uses to identify security procedures. Frequently, operations are not exposed or meaningful to administrators. For example, an operation may be WriteAttributes or ReadAttributes. The purpose of the task is to determine which low-level operations are required to do some unit of work that is meaningful to administrators. Several operations may be required to perform a meaningful task. To maintain DACLs, you must know which back-end permissions are required on each object to perform meaningful tasks in the Web program.

IIS 6.0 URL Authorization simplifies access management by letting you authorize user access to the URLs that make up a Web program. When a client requests a URL, IIS 6.0 URL Authorization validates the user's access based on the user roles. By using IIS 6.0 URL Authorization, you can control all user access to URLs instead of maintaining a DACL on each object. Additionally, the Web program can restrict access to resources and to operations by using the Authorization Manager role-based framework.

IIS 6.0 URL Authorization is implemented as an Internet Server API (ISAPI) interceptor DLL that is configured as a wildcard extension for a program, for a virtual directory, or for a URL. When a program, a virtual directory, or a URL is configured to use IIS 6.0 URL Authorization, each request to a URL is routed to the IIS 6.0 URL Authorization ISAPI interceptor.

The IIS 6.0 URL Authorization ISAPI interceptor then uses the Authorization Manager runtime to authorize access to the requested URL. For the Authorization Manager runtime to authorize access, the program location, the virtual directory location, or the URL must be associated with an Authorization Manager policy store that contains the authorization policy for the URL that is requested. After the client is authorized to access the URL, the IIS 6.0 URL Authorization ISAPI passes the request to the appropriate handler for the URL. For example, the IIS 6.0 URL Authorization ISAPI passes the request to ASP, to ASP.NET ISAPIs, or to the Static File Handler.

You can use IIS 6.0 URL Authorization to control access based on information that is only available at run time. For example, if you have a Web page that only employees in a specific cost center or employees of a specific age can view, you can assign roles to the correct users based on LDAP queries. The LDAP queries verify the cost center attribute or the age attribute on a user object at run time. If employees can access some pages only on specific days of the week or only during a specific time of day, you can create a BizRule that grants access to the URL based on these values. You can create a BizRule on any value that can be asserted at run time, including IIS Server Variables.

Back to the top

Metabase attributes that IIS 6.0 URL Authorization uses

IIS 6.0 URL Authorization uses the metabase attributes in the following table to set authorization on a URL, on a virtual directory, or on a program.
Collapse this tableExpand this table
AttributeAuthorization
AzEnableThis attribute enables IIS 6.0 URL Authorization for the virtual directory, for the program, or for the URL that corresponds to the entry in the metabase.
AzStoreNameThis attribute associates an Authorization Manager store with the virtual directory, the program, or the URL.
AzScopeNameThis attribute associates the virtual directory, the program, or the URL with a scope that the AzStoreName attribute refers to in the Authorization Manager policy store in IIS 6.0 URL Authorization. If this attribute specifies either an empty string or no scope at all, the default scope of IIS 6.0 URL Authorization is used.
AzImpersonateThis attribute determines the impersonation behavior for the program. You can use this attribute to configure the Web program to impersonate the client user, the IIS worker process, or the IUSER_* account for the worker process. Each setting significantly changes the environment and the implied design of the Web program. Set the value to 0, to 1, or to 2. These values correspond to the impersonation style.

0 The authenticated client is impersonated. Some programs require client impersonation, such as ASP 2.0 programs. Use this value if you want to use IIS 6.0 URL Authorization for programs that expect to run while impersonating the client, such as ASP 2.0 programs.

1 The IIS worker process identity is impersonated. Use this value when the program runs as a service account, authorizes each client request itself, and performs requested operations on behalf of the client in the trusted service context.

2 The anonymous user account is impersonated. Use this value if you want to use IIS 6.0 URL Authorization to authorize client access to the URL while still running the Web program as the anonymous account. This configuration limits all client access through the Web program.
Back to the top

Script to set the attributes on the IIS metabase

The following script uses ADSI to set the metabase attributes on the IIS metabase entry for a program, for a virtual directory, or for a URL.

Note This script assumes that you have already created the IIS virtual directory that corresponds to the program. For more information about how to create an IIS virtual directory, click the following article number to view the article in the Microsoft Knowledge Base:
816568  (http://support.microsoft.com/kb/816568/ ) How to manage Web sites and Web virtual directories by using command-line scripts in IIS 6.0 
'  SetUrlAuth.vbs 
'  Configuring UrlAuth with a virtual directory 
'  This script uses ADSI to configure a virtual directory in the IIS 6.0 metabase to use 
'  IIS 6.0 URL Authorization. 
' 
'  This script assumes that you have already created the IIS virtual directory 
'   that corresponds to the program. 
' 
'  After you run this script to verify the settings, use the Adsutil tool in
'  the following way: 
' 
'  inetpub\adminscripts\adsutil enum w3svc/1/root/MyApp 
'  (where MyApp is the application name) 
'  Use the Authorization Manager MMC snap-in to: 
'     Create an application that is named IIS 6.0 URL Authorization. 
'     Create an operation that is named AccessURL and that has an operation ID of 1. 
'     Create a scope that corresponds to the AzScopeName that is specified to this script. 
'       This scope name is used to manage access to URLs in this virtual directory. 
'     Make sure that the IIS worker process has read access to the 
'       AzMan policy store. To do this, right-click the AzMan store, click Options,
'       and then click the Security tab. 
Set objArgs = WScript.Arguments 
If objArgs.count < 4 then 
  wscript.echo "Usage: SetUrlAuth VDirPath AzScopeName AzStoreName AzEnable [ImpersonationLevel]" 
  wscript.echo "" 
  wscript.echo "Example:" 
  wscript.echo " SetUrlAuth w3svc/1/root/MyApp MyApp msxml://d:\inetpub\wwwroot\AzStore.xml True 1" 
  wscript.echo "" 
  wscript.echo "Run with 'cscript' command in cmd.exe to avoid msg boxes" 
Else 
wscript.echo objargs(0) 
' 
' Get the interface to the virtual directory object. 
' 
DIM iis 
set iis = GetObject("IIS://localhost/" & objArgs(0)) 
' Set the scope name. This scope will preside over URLs that refer to this virtual directory. 
' This scope must exist in the corresponding Authorization Manager store. 
' 
iis.AzScopeName = objArgs(1) 
' 
' Specify location of Authorization Manager policy store 
' 
iis.AzStoreName = objArgs(2) 
' 
' Enable IIS 6.0 URL Authorization for this virtual directory. 
' 
iis.AzEnable = objArgs(3) 
' 
' Set the Impersonation Level property. 
' 
If objArgs.count > 4 then 
   iis.AzImpersonationLevel = objArgs(4) 
End if 
' 
' Write the settings to the metabase. 
' 
iis.SetInfo 
End if
Back to the top

The AzImpersonationLevel attribute

When a client requests a Web page, IIS 6.0 URL Authorization authorizes the client access based on the Authorization Manager authorization policy. The security context that the AzImpersonationLevel attribute configures to retrieve the URL data, such as an .htm file, requires the correct IIS directory security permissions and the correct NTFS file system permissions. IIS 6.0 URL Authorization makes it easier for you to maintain the IIS directory security permissions and the NTFS permissions because IIS 6.0 URL Authorization uses the trusted subsystem model.

Back to the top

The AzStoreName attribute

When IIS 6.0 URL Authorization is configured, you can identify an Authorization Manager policy store through the AzStoreName attribute in the IIS metabase entry for the program, for the virtual directory, or for the URL.

To manage the authorization policy, follow these steps:
  1. On the computer that is running IIS 6.0, click Start, click Run, type Azman.msc, and then click OK.
  2. In the console tree, right-click Authorization Manager, and then click Open Authorization Store.
  3. In the Store Name box, type the path of the authorization store location that the AzStoreName attribute identifies, and then click OK.
For more information about how to open an authorization store, see the "Authorization stores and applications" topic in the Authorization Manager Microsoft Management Console (MMC) Help.

Back to the top

The AzScopeName attribute

The IIS 6.0 URL Authorization program manages IIS 6.0 URL authorization for the store that the AzStoreName attribute identifies. The AzScopeName attribute in the metabase entry is an Authorization Manager scope in the IIS 6.0 URL Authorization program. You can use this scope to manage access to the corresponding URL. When you configure a program, a virtual directory, or a URL for IIS 6.0 URL Authorization, you must crate a scope in the authorization policy store. This scope must have the same name as the name that is specified in the corresponding metabase entry's AzScopeName attribute.

Authorization policy for IIS 6.0 URL Authorization is stored in an Authorization Manager policy store either in Active Directory or in an .xml file. When you use IIS 6.0 URL Authorization, you can maintain the authorization policy for URLs in the same authorization policy store as the authorization policy of Web programs that use Authorization Manager to control access to program tasks and operations. Therefore, you can manage access to URLs and to Web program resources from the same Authorization Manager MMC or from the same custom user interface.

This behavior provides a common point for access control administration of URLs and of programs. Therefore, you can use the same Authorization Manager groups and the same LDAP queries to populate roles for both URL authorization and program authorization.

Back to the top

How to configure IIS 6.0 URL Authorization

This section describes how to set up IIS 6.0 URL Authorization for a Web program by using an example URL. The example URL is named WebApp and is installed and configured in IIS as a program in the Systemroot\InetPub\WWWroot\WebApp folder.

Note Integrated Windows Authentication is required for URLs that use IIS 6.0 URL Authorization. By default, IIS Web programs and virtual directories turn on Integrated Windows Authentication. For information about how to configure Integrated Windows Authentication, see the "Integrated Windows Authorization" topic in the IIS online Help file.

Create your program folder under the Default Web Site folder, and then disable anonymous access to the site

  1. Click Start, click Run, type %systemroot%\System32\InetSrv\IIS.msc, and then click OK.
  2. In the console tree, double-click Internet Information Services, double-click the name of your computer that is running IIS, double-click Web Sites, double-click Default Web Site, right-click the folder that correspond to your Web program, and then click Properties.
  3. Click the Virtual Directory tab, and then click Create.
  4. Click the Directory Security tab, and then click Edit in the Authentication and Access Control area.
  5. Click to clear the Enable Anonymous Access check box.
  6. Click to select the Integrated Windows Authentication check box, click OK, and then click OK again.

Set the wildcard configuration properties to point to the URLAuth.dll file

  1. In IIS Manager, right-click the folder for the Web program that you created, and then click Properties.
  2. In the Properties dialog box, click the Virtual Directory tab, and then click Configuration.
  3. In the Wildcard application maps (order of implementation) area, click Insert.
  4. In the Add/Edit Application Extension Mapping dialog box, click Browse.
  5. In the Files of type list, click All files (*.*).
  6. Locate the Systemroot\System32\InetSrv folder.
  7. Click URLAuth.dll, and then click Open
  8. Click OK three times.

    Note You may receive an error message that is similar to the following:
    This executable path is already used
    If you receive this error message, the URLAuth.dll file is already configured as a wildcard program extension mapping.

Add the URLAuth.dll file as a new Web service extension

  1. Start IIS Manager.
  2. In the console tree, double-click Internet Information Services, double-click the name of your computer that is running IIS, and then click Web Service Extensions.
  3. In the Task list in the details pane, click Add a new Web service extension.
  4. Click Add, and then click Browse.
  5. Locate Systemroot\System32\InetSrv\, click URLAuth.dll, click Open, and then click OK.
  6. In the Extension Name box, type URL Authorization.
  7. Click to select the Set extension status to Allowed check box, and then click OK.
Back to the top

Set up an authorization policy store in Authorization Manager

In this example, you put an authorization policy store that is named MyStore.xml in the C folder.
  1. Click Start, click Run, type Azman.msc, and then click OK.
  2. In the console tree, right-click Authorization Manager, and then click Options.
  3. Click Developer mode, and then click OK.
  4. In the console tree, right-click Authorization Manager, and then click New Authorization Store.
  5. Click XML file, and then type C:\MyStore.xml in the Store name box.
  6. In the Description box, you may type information about the new store. This step is optional.
  7. Click OK.
  8. In the console tree, right-click MyStore.xml, and then click New Application.
  9. In the Name box, type IIS 6.0 URL Authorization.
  10. In the Description box, you may type information about this usage of IIS 6.0 URL Authorization. This step is optional.
  11. Click OK.
  12. In the console tree, double-click Authorization Manager, double-click MyStore.xml, double-click IIS 6.0 URL Authorization, and then double-click Definitions.
  13. Right-click Operation Definitions, and then click New Operation Definition.
  14. In the Name box, type AccessURL.
  15. In the Operation number box, type 1, and then click OK.

Set up the scope for the program

  1. In the Authorization Manager console tree, right-click IIS 6.0 URL Authorization, and then click New Scope.
  2. In the Name box, type WebApp, and then click OK.
  3. In the console tree, double-click IIS 6.0 URL Authorization, double-click Definitions, right-click Role Definitions, and then click New Role Definition.

    Note You can also create this role definition in the WebApp scope.
  4. In the Name box, type Viewer, and then click OK.
  5. In the console tree, double-click Role Definitions.
  6. In the details pane, right-click Viewer, and then click Properties.
  7. Click the Definition tab, click Add, and then click the Operations tab.
  8. Click to select the AccessURL check box, click OK, and then click OK again.
  9. In the console tree, double-click WebApp, right -click Role Assignments, and then click Assign Roles.
  10. Click to select the Viewer check box, and then click OK.
  11. In the details pane, right-click Viewer, and then click Assign Windows Users and Groups.
  12. In the Enter the object names to select (examples) box, type your user name, and then click OK.

Add the IIS worker process to the store's Readers role

By default, IIS runs in the Network Service account. You can configure an IIS worker process to run in a different account. This example adds Network Service to the Readers role.

Note If you use a remote authorization store such as Active Directory or a remote XML file-based store, and you run IIS in the default Network Service context, you must add the Active Directory account of the Web server that is running IIS to the store's Readers role.
  1. Click Start, click Run, type Azman.msc, and then click OK.
  2. In the console tree, right-click Authorization Manager, and then click Open Authorization Store.
  3. Click Browse, click C:\MyStore.xml, click OK, and then click OK again.
  4. In the console tree, right-click the name of the store, and then click Properties.
  5. Click the Security tab, click Reader in the Authorization manager user role list, and then click Add.
  6. In the Enter the object names to select (examples) box, type Network Service, click OK, and then click OK again.

Configure the IIS metabase to use IIS 6.0 URL Authorization for the Web program

  1. Click Start, click Run, type Cmd, and then click OK.
  2. Use the script in the "Script to set the attributes on the IIS metabase" section to create the SetUrlAuth.vbs file. Save the file to the \InetPub\AdminScripts directory. By default, the InetPub directory is in the root of the drive where IIS is installed.
  3. Type the following command, and then press ENTER:
    CScript SetUrlAuth.vbs Path of virtual directory AzScopeName value AzStoreName AzEnable value [ImpersonationLevel value]
    For example, you might type the following:
    Cscript SetUrlAuth.vbs W3svc\1\Root\WebApp WebApp msxml://C:\MyStore.xml true 1
IIS 6.0 URL Authorization is now configured and running for the specified Web program. Users who are in the Viewer role can locate the pages in the program.

Important If you are using an .xml file, you must append msxml:// to the command. If you are using the Active Directory Authorization Manager store, you must append msldap:// to the command.


Back to the top

REFERENCES

For more information about Authorization Manager and role-based access control for multi-tier applications, see the "Internet Information Services 6.0 URL Authorization" section of the following Microsoft TechNet Web site:
http://technet2.microsoft.com/WindowsServer/en/Library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx (http://technet2.microsoft.com/WindowsServer/en/Library/72b55950-86cc-4c7f-8fbf-3063276cd0b61033.mspx)
For information about URL authorization in IIS 7.0, visit the following Microsoft Web site:
http://learn.iis.net/page.aspx/142/understanding-iis-7-url-authorization/ (http://learn.iis.net/page.aspx/142/understanding-iis-7-url-authorization/)
Back to the top
APPLIES TO
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 6.0, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Back to the top
Keywords: 
kbhowtomaster kbhowto KB326020
Back to the top