Managing Resource Access Permissions


DAF Authentication Overview

When DAF is installed, each HTTP authentication is processed through four main steps (detailed under the DAF Authentication Process). To be granted, each HTTP request must successfully pass every one of the following steps:

A. The Web user login and password must be found in DAF (and must not have expired). If not, access is denied.

B. DAF checks whether a DAFAUTH.INI file is located in the directory containing the requested resource. If one is present, permission rights are evaluated by comparing the DAF groups the Web user belongs to with the DAF group rights defined in DAFAUTH.INI.

Detailed instructions: Access Permissions Using DAF Groups and DAFAUTH.INI.

C. If a mapped NT user is attached to the Web user, it is logged on now.

If empty strings are used as the mapped NT user, the IIS default NT user (IUSR_XXXX) will be used.

If the NT user is invalid:

- With IIS 3.0: access will be denied
- With IIS 4.0: the IIS default NT user (IUSR_XXXX) will be used

For an ODBC source with column names defined to specify mapped NT user login and password, the IIS default NT user (IUSR_XXXX) will be used.

In a TEXT user list, if no mapped NT user login and password is specified, the IIS default NT user (IUSR_XXXX) will be used.

D. This step is processed as for any Win32 application: the NT user's rights are compared to the access permissions attached to the requested resource.

If the requested resource is located on a FAT hard drive, this step is ignored.


Access Permission Strategy

Web access permissions can be managed with:

DAFAUTH.INI Only

To manage access permissions using only the DAFAUTH.INI file, steps C and D above must always be passed successfully. The easiest way is to:
- for all web users, specify empty strings for the mapped NT user login and password
- for all web resources, give "Everyone|Read" NT permissions

Important: Regarding IIS, "Anonymous login" must be granted for the web site.

NT Security Only

To manage access permissions using only NT Security, step B above must always be passed successfully. The easiest way is to:
- make sure that no DAFAUTH.INI files are present in any web directory
- make sure that all mapped NT users have NT access rights to all needed web resources

DAFAUTH.INI and NT Security

To use this mixed mode, you need to:
- specify a mapped NT user for each Web user
- copy a DAFAUTH.INI file into each protected directory
- set NT access permissions for the web resources

The mixed mode is the most difficult to troubleshoot because "Access Denied" can have several mixed causes. If a problem becomes too difficult to solve, it is recommended that you troubleshoot with the following steps:

  1. Configure access permissions to work with the DAFAUTH.INI file only.
  2. Remove the DAFAUTH.INI files, and configure access permissions to work with NT Security only.
  3. Copy the DAFAUTH.INI file created in step 1.
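
The four checks from the overview, modelled as a small Python function that reports which step (A to D, in the order given above) refused a request, which is the question the mixed-mode troubleshooting has to answer. This is an added illustration, not DAF code: `WebUser`, `Resource`, `check_access` and the sample accounts are hypothetical, DAFAUTH.INI is reduced to a set of DAF groups that have rights on the directory, and NT permissions are reduced to a set of account names with read access.

```python
import hmac
from dataclasses import dataclass
from typing import Optional
# Illustrative model of the four steps, not DAF code; all names are hypothetical.
IUSR = "IUSR_XXXX"  # IIS default NT user, written as on the page
@dataclass
class WebUser:
    password: str
    groups: set
    nt_user: str = ""          # empty string: use the IIS default NT user
    expired: bool = False

@dataclass
class Resource:
    dafauth_groups: Optional[set]  # None: no DAFAUTH.INI in the directory (assumed model)
    nt_readers: set                # NT accounts allowed to read (simplified ACL)
    on_fat: bool = False

def check_access(users, valid_nt, login, password, res, iis_version=4):
    """Return (granted, deciding_step, detail) for one request."""
    user = users.get(login)
    # A: login and password must exist in DAF and not have expired.
    if user is None or user.expired or not hmac.compare_digest(user.password, password):
        return False, "A", "login/password not found in DAF, or expired"
    # B: evaluated only when a DAFAUTH.INI sits beside the resource.
    if res.dafauth_groups is not None and not (user.groups & res.dafauth_groups):
        return False, "B", "none of the user's DAF groups has rights in DAFAUTH.INI"
    # C: log on the mapped NT user; an empty mapping means the IIS default user.
    nt = user.nt_user or IUSR
    if nt != IUSR and nt not in valid_nt:
        if iis_version == 3:
            return False, "C", f"mapped NT user {nt} is invalid (IIS 3.0 denies)"
        nt = IUSR  # IIS 4.0 falls back to the default NT user
    # D: NT permissions on the resource; ignored on a FAT drive.
    if not res.on_fat and not ({nt, "Everyone"} & res.nt_readers):
        return False, "D", f"NT user {nt} has no NT rights on the resource"
    return True, None, f"granted as NT user {nt}"

# Constructed sample data (not from the page): a mixed-mode directory.
USERS = {
    "alice": WebUser("pw-a", {"staff"}, r"DOMAIN\alice"),
    "bob": WebUser("pw-b", {"guests"}),
    "carol": WebUser("pw-c", {"staff"}, r"DOMAIN\gone"),  # mapping no longer valid
}
VALID_NT = {r"DOMAIN\alice"}
MIXED = Resource({"staff"}, {r"DOMAIN\alice"})

for login, u in USERS.items():
    print(login, check_access(USERS, VALID_NT, login, u.password, MIXED))
```

With this sample data, carol is refused at step C under IIS 3.0 but at step D under IIS 4.0, because the fallback to the IIS default NT user moves the failure to the NT permission check.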

Last update: Thursday, August 31, 2000 07:12