DAF User Database and Web Host Configuration
A DAF User Database is a DAF-specific object that groups all the information needed to use the "real" database, which contains all the user names and passwords. A DAF User Database can be attached to one or several Web Hosts. In this case, all HTTP authentication requests received for this Web Host will be checked against the attached DAF User Database.
1. Creation of a DAF database
To create a DAF User Database
2. Set Database Type and attached Web Host
Database Type:
Define the type of the "real" database (Text or ODBC) linked to the DAF
database.
Web Host Address attached:
Specify for which Web Host or IP address this database should be used to process HTTP
authentication requests.
In the above window, DAF User Database "SQLServer" is selected and ten IP addresses are attached to it.
--------------------------------------------------------------------
Important!
IIS Authentication Scheme Configuration requirement
DAF does not support "Windows NT Challenge/Response" Authentication scheme. A Web Site attached to a DAF User Database MUST have the following IIS authentication settings. If this is not the case DAF will not handle web authentication correctly:
- "Basic Authentication" scheme MUST be ENABLED
- "Windows NT Challenge/response" scheme MUST be DISABLED.
- "Allow Anonymous Access" should be ENABLED. If needed, anonymous access should be denied using only NT or DAF permissions.
For instructions, refer to section IIS Authentication Scheme Configuration.
Error: Connection with the DAF Engine refused
The DAF Configuration Tool communicates with the DAF Engine over a TCP/IP connection. This error message is reported when the connection is refused. This can happen in three cases:
- DAF Filter is NOT loaded.
- Connection with the IP Address and Port Number is refused by the server for security reasons.
- There is an IP Address/Port Number conflict with another application.
--------------------------------------------------------------------
3. For an ODBC User database, configure the ODBC settings of the new DAF User Database
The purpose of this step is to configure all ODBC settings needed to use an ODBC database.
To access ODBC settings, select a DAF database and in the top button bar choose tab ODBC Settings.
3.1 Tab "ODBC Settings/ODBC Source"
This window will allow you to set all general ODBC settings.
Once you have made all your settings in this window, I strongly recommend testing them by pressing the Test Connection button. If it reports an error, DAF authentication will not work for any of the IP Addresses attached to this database.
System Data Source:
With the Combo box choose an ODBC data source.
User Name:
If needed to access the ODBC source, enter a user name.
User Password:
If needed to access the ODBC source, enter a user password.
ODBC Cursor Type:
Advanced ODBC setting, 0 recommended.
If the log file contains the following error (with which DAF can run correctly):
ODBC Error: (01S02) [Microsoft][ODBC SQL Server Driver] Cursor type changed
you can try another cursor type. The best choice depends on your ODBC driver.
ODBC connection Time Out:
Advanced ODBC setting, 0 recommended (= unlimited connection time).
Specify the ODBC connection time out value in seconds.
This option is handled by the ODBC driver, but not all ODBC drivers support this feature.
SQL Server ODBC drivers support it, and ACCESS ODBC drivers do not.
ODBC Query Time Out:
Advanced ODBC setting, 30 recommended.
Specify the ODBC query time out value in seconds.
This option is handled by the ODBC driver, but not all ODBC drivers support this feature.
SQL Server ODBC drivers support it, and ACCESS ODBC drivers do not.
Check ODBC Connection:
If checked, DAF will periodically check the status of the ODBC connection. If the
connection is detected broken and if option Enable Automatic reconnection is
enabled, DAF will try to reconnect to the ODBC source.
If this option is unchecked DAF will detect a broken ODBC connection only when it tries to
authenticate a WEB user.
Check Database Name:
SQL Server only. With ODBC SQL Server drivers older than 3.0, in some cases an ODBC
connection can be established with the master database instead of the requested database.
If this is the case with this option checked, DAF will detect it and attempt to reconnect
to the correct database.
Enable Automatic reconnection:
Recommended.
With a remote database server, if the connection is broken, or the database server is
down, DAF must reconnect to the database to run correctly. With this option checked, each
time the ODBC connection is detected as broken, DAF will try to reconnect. A broken
connection can be detected periodically with the option "Check ODBC connection"
and/or with each request sent to the database system.
When used with an MS-Access database, this option serves no purpose.
When used with a SQL Server, this option is recommended even if SQL Server is on the
same PC as IIS.
(If SQL Server is stopped and restarted, the connection is broken.)
Enable Parallel Requests:
NOT RECOMMENDED. Advanced ODBC setting.
DAF is able to manage parallel authentication requests with ODBC. However, this is
possible only if the used ODBC driver can manage parallel SQL requests with one
connection. (ODBC SQL Server drivers cannot; ODBC ACCESS drivers can).
If your ODBC Driver cannot manage parallel SQL requests, uncheck this option. If your ODBC Driver can manage parallel SQL requests, check this option.
Of course, with this option enabled or disabled, IIS can manage simultaneous HTTP requests for protected or non-protected files. When disabled, DAF establishes a queue with all waiting authentication requests and processes them one by one. When enabled, all authentication requests are processed in parallel as fast as possible. Note that with a single processor system, there should not be a big difference between these two modes.
If you choose "enable" and if your ODBC driver does not support this feature, you will have authentication problems with simultaneous authentication requests and with protected HTML files that include several images. In this case, the error messages in the log file will be similar to:
ODBC Error: (S1000) [Microsoft][ODBC SQL Server Driver] Connection is busy with results
for another hstmt
ODBC Error: (S1010) [Microsoft][ODBC Driver Manager] Function sequence error
Log SQL requests:
If checked, all SQL requests sent to the ODBC source are logged. For performance reasons,
this option should be deactivated in production.
Button Test Connection:
With this button you can make sure the current configuration is valid.
Of course if this test reports an error, DAF authentication will not work for the IP
Address attached to this database.
Very Important note for SQL Server database!
If you use a SQL Server database located on a remote computer, you must make sure your mapped NT user has the NT right and SQLServer right to access the database.
Here is a Microsoft note about this issue for IIS:
I can not seem to access my Microsoft SQL Server if it is located on
a different computer from my web server. Is this a configuration
problem?
You will need to create an IUSR_MachineName guest account on the SQL
Server computer that corresponds to the account used by the Microsoft
Internet Information Server (IIS). If this account exists, then make sure it
has rights to log onto the SQL Server computer. The connection to the
SQL Server would use the account that is logged in via your web
connection. If the connection is Anonymous, then it would typically use the
IUSR_MachineName account. If you are using NT/Challenge Response,
then the user authenticated would be the user connecting to the SQL.
Microsoft.
(Remember that DAF cannot work with the NT/Challenge Response authentication scheme.)
3.2 Tab "ODBC Settings/Update mode"
This window will allow you to specify the update mode to use.
Real-time:
With this choice, each time there is an authentication request, DAF will generate an
ODBC request to validate the WEB user and obtain the NT account to be mapped to it.
Note that once a WEB server has asked for an authentication, the browser will send the login and password for each following request to this same WEB server (each time, DAF will have to generate an ODBC request). Depending on your network, an ODBC request can be very slow and too many ODBC requests can generate performance problems.
Also, note that if you use a remote database system, and if it is too busy or not available your WEB users will not be authenticated.
If you have accessibility or performance problems with "real-time" mode, you should use one of the other modes.
With this mode, I strongly recommend creating (with your
database system) and using an index for the columns DAFUser and DAFPass. If you do not,
response time will probably be terrible.
Every day at:
With this mode, the ODBC table will be read once a day at the specified time and all the
logins will be stored in a temporary file.
Note the time must be specified using the format 0:00-23:59 and not with HH:MM AM or PM.
Every:
This mode is almost like the preceding mode except that the update will occur periodically
with the specified period.
Try real-time mode when user is not found:
This option can be used only with the non-real-time modes.
If it is checked, for each authentication request, DAF will try first to find the user in
the temporary file, and if it is not found, DAF will send a request to the ODBC source to
check if the user was recently created. If the user is found in the ODBC source, the cache
mechanism is used to store it so the next authentication request will not have to generate
a new ODBC request. (Cache size can be set through a registry entry.)
Note:
- Without this option checked, no modification to the user table will take effect
before the next update.
- With this option checked, new users will be authenticated, but deleted users will still be
authenticated until the next update.
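The effect of the scheduled update modes and of "Try real-time mode when user is not found" on created and deleted accounts can be modelled as follows. This is an added example, not DAF code: the class, the in-memory SQLite table standing in for the ODBC source, the table name weblogins with its sample rows, the lookup query and the cache reset at each update are assumptions made for illustration.

```python
import hmac
import sqlite3

class SnapshotAuth:
    """Model of the scheduled update modes: logins are copied from the user
    table at each update and later checked against that copy."""
    def __init__(self, conn, fallback_realtime=False):
        self.conn, self.fallback_realtime = conn, fallback_realtime
        self.snapshot = {}  # stands in for DAF's temporary file
        self.cache = {}     # stands in for DAF's cache of real-time hits
        self.refresh()

    def refresh(self):
        """The 'Every day at' / 'Every' update: re-read the whole table."""
        rows = self.conn.execute("SELECT DAFUser, DAFPass, NTUser FROM weblogins")
        self.snapshot = {u: (p, nt) for u, p, nt in rows}
        self.cache.clear()  # assumption: cached entries are dropped at each update

    def authenticate(self, user, password):
        """Return the mapped NT account, or None when authentication fails."""
        entry = self.snapshot.get(user) or self.cache.get(user)
        if entry is None and self.fallback_realtime:
            # Assumed query; the SQL that DAF really sends is not documented here.
            entry = self.conn.execute(
                "SELECT DAFPass, NTUser FROM weblogins WHERE DAFUser = ?",
                (user,)).fetchone()
            if entry:
                self.cache[user] = entry
        if entry and hmac.compare_digest(entry[0], password):
            return entry[1]
        return None

def demo():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the ODBC source
    conn.execute("CREATE TABLE weblogins (DAFUser VARCHAR(64), DAFPass VARCHAR(64), NTUser VARCHAR(64))")
    conn.execute("INSERT INTO weblogins VALUES ('alice', 'pw-a', 'WebGuest1')")
    plain = SnapshotAuth(conn)
    fallback = SnapshotAuth(conn, fallback_realtime=True)
    # After the update, alice is deleted and bob is created in the user table.
    conn.execute("DELETE FROM weblogins WHERE DAFUser = 'alice'")
    conn.execute("INSERT INTO weblogins VALUES ('bob', 'pw-b', 'WebGuest2')")
    creds = [("alice", "pw-a"), ("bob", "pw-b")]
    before_plain = [plain.authenticate(u, p) for u, p in creds]
    before_fallback = [fallback.authenticate(u, p) for u, p in creds]
    fallback.refresh()  # the next scheduled update
    after_fallback = [fallback.authenticate(u, p) for u, p in creds]
    return before_plain, before_fallback, after_fallback

if __name__ == "__main__":
    print(demo())
```

In both scheduled configurations the deleted account keeps its NT mapping until refresh() runs, so the update period is also the longest time a removed user can still log in.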
3.3 Tab "ODBC Settings/Web Hosts & Tables & Fields"
This window will let you specify what tables should be used and what IP Addresses or Web Hosts should be attached to them.
This window shows DAF database "SQLServer," with several tables used by DAF (dafview, dbo_weblogins, weblogins2, weblogins3 and weblogins4). Table "dbo_weblogins" is selected and addresses 192.168.0.10,6,5,4,3,2 and 1 are attached to it.
Setup related to this window should be executed in the following order:
Table attached to DAF:
If this window is empty:
To complete the "Table attached to DAF" window the DAF
Configuration Tool needs to connect to the ODBC source defined in tab "ODBC
Settings/ODBC Source." If DAF cannot access the ODBC source, this window will
remain empty and this configuration screen will not be usable.
This window will allow you to specify what table should be used, and what IP Address should be attached to it (for the selected database only!).
To attach a table, select its name and press "Attach."
Select a Table:
Only an attached table has a button on this button bar.
If it is empty, it means you have not attached a table to the
selected database.
You MUST attach at least one table.
All column names and IP Addresses entered on this screen refer to the selected table on this button bar.
... col.:
Refers to the selected Table. Specify what columns should be used by
DAF to process HTTP authentication.
| DAF User col. | Name of the column in which DAF should look to find the WEB user name received. |
| DAF Password col. | Name of the column in which DAF should look to find the WEB password received. |
| NT User col. | Name of the column in which DAF should read the NT user name mapped to the WEB user received. |
| NT Password col. | Name of the column in which DAF should read the NT password mapped to the WEB password received. |
| DAF Groups col. | Name of the column in which DAF should read the DAF groups to which the current user belongs. |
| Date Last Visit | Name of the column in which DAF should write the date of last visit for each authentication processed. This column must have the type DATE. |
| Number of visit | Name of the column in which DAF should write the number of visits. This column must have the type number. |
| Expiration Date | Name of the column in which DAF reads the expiration date for each account. This column must have the type DATE. |
| Acc.Disabled | Name of the column in which DAF reads the Enabled/Disabled state for each account. This column must have the type number. 0 for Account Enabled. 1 for Account Disabled. |
Count as registered:
Specify if the selected table should be counted as a registered data
source extension. If it is unchecked this data source will be limited to the first 10 web
users requesting an HTTP authentication.
Remarks
Tip: If you press "Try to read ODBC Source" an ODBC error will be reported, but a list of all tables found in the database will be displayed in the "ODBC configuration" window.
These columns must
have a "string" type. For an MS Access file choose type "Text" and for
SQL Server "VARCHAR." With SQL Server, type "CHAR" will not work. You
MUST use "VARCHAR."
More information on ODBC data source.
Attached IP & Web Hosts:
Specify which IP Addresses and Web Hosts should be used in the
selected Table.
To attach an IP Address or Web Host, select it and press "Attach."
Note that this window will list only IP addresses and Web Hosts
attached to this DAF database, and NOT all IP addresses found or all Web Hosts created on
the server.
Try to read ODBC Source:
With this button you can make sure the current configuration is valid.
Of course if this test reports an error, DAF authentication will not work for the IP
Address attached to this database.
4. For a TEXT User database, configure the new DAF User Database
As with an ODBC database, a TEXT database is used by DAF to assign several properties (NT account, DAF Groups, Expiration Date) to WEB users. The name of a text users list should be specified in window "Database Type & Web Hosts."
More information on Text data source
Last update: Friday, April 02, 1999 08:05