Frequently Asked Questions
NOTE: To search this FAQ by keyword, press CONTROL and F simultaneously. The Windows FIND box will appear. Type in the keyword, and click FIND NEXT until you find the topic that addresses your question.
Individual FAQ items are numbered for reference, beginning here.
"I've installed the Red Worm patch. My IIS system restarts every 15 minutes (OR every 30 minutes OR every hour OR once per day). In the event log I see a message about AuthentiX starting up"
Q. Beginner's Step by Step with the internal database.
A. If you are running the software for the first time, here are the steps you need to take to protect a directory using the internal Database:
First make sure you can access the directory you wish to protect freely (via http://...), without any IIS/NTFS protections.
Use Netscape for this, since IE will sometimes log you in with your current login without telling you.
Make sure the directories you are trying to access have Read (and execute) Permissions for Everyone with NTFS.
Make sure Basic Authentication is turned OFF in IIS5 (and above) Management console, otherwise it will conflict with AuthentiX Basic Authentication.
Make sure Allow Anonymous is ON. NTCR can be ON or OFF.
Q. Beginner's Step by Step with ODBC.
A. If you are running the software for the first time, here are the steps you need to take to protect a directory using an ODBC datasource: First make sure you can access the directory you wish to protect freely (via http://...), without any IIS/NTFS protections. Use Netscape for this, since IE will sometimes log you in with your current login without telling you. Make sure Basic Authentication is turned OFF in IIS Management console, otherwise it will conflict with AuthentiX Basic Authentication. Make sure Allow Anonymous is ON. NTCR (Integrated Windows Authentication in Windows 2000) can be ON or OFF.
Note: You can administer and set up ODBC via a web browser using the remote administration. However, you need to know the structure of the database, and the exact form of the Connect String for the System DSN. Selecting the Connect String from the console is conveniently easy and straightforward.
Set up the DSN from the console, or have your ISP do it for you.
Q. How do I protect individual files?
A. You can use the following tip:
Hi,
Downloaded your software and it looks great. I will be
purchasing it today. By the way, I typed in the full
pathname of a filename into the Browse edit box in
the Authorization dialog - and guess what - it
protects just that file!
--Jon
Thanks Jon! The software adds a slash to the end of the filename; aside from that it works just like you say!
Q. I have the MMC/IIS5 (and above) Properties/Home-Directory application protection set to Medium, or High (IIS5 and above) or NOT "running in its own application space" (IIS4). Then strange things happen with remote administration. I cannot see who is currently logged in as I should be able to. Sometimes the remote administration tool clears the configuration, and I have to restore the adb file.
A. Go to MMC/IIS and right click on the website and select Properties. In the Home Directory tab, make sure the Application protection level is set to Low (IIS Process). You should be able to set this value on the aspAdmin directory itself.
Because the software is implemented as an ISAPI filter, ASP programs accessing the AuthentiX OCX module need access to the data structures in the IIS process itself. If application protection is set to one of the ASP debugging levels (Medium or High), then this access will be unavailable.
Q. I'm having problems with ASP remote admin.
A. Check out the OCX/ASP Component Problem solver.
Q. When I have set up protection for a directory, I can get in with Internet Explorer when it prompts me for the Username and Password. However when I use Netscape, I type in the Username and Password, then it gives me another dialog to type in the username/password, this time with no Realm. When I cancel out it says "Error - access denied".
A. Looks like the directory is protected with NTFS. IE will use your login name behind your back (especially if you are on the same machine or local network) to let you in. Use Netscape Navigator and try to access the directory without any protection with the software. Free up the permissions on that directory so that Netscape can get in. Then put the software protection back. That should fix you up.
Q. ODBC and Windows 2003
A. You will be pleased to note that Windows 2003 is locked down much more than Windows 2000. You won't be so pleased to learn that this can make it harder to create DSN strings, and harder to successfully connect to the database.
One user found that everything was working on Windows 2000 but when moved to W2K3 the AuthentiX filter was not able to gain access to the database, with the following message in the Event Log:
General Error: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. - 28000
In the second dialog for setting up System DSN, he was using Network Logon for Trusted Connection. Changing this to using SQL Server Mixed Authentication (SQL2000) with a matching account in SQL Security, solved the issue.
Adding the NT Authority\network service (s-1-5-20) user to the admin group may help.
Also, see here.
Q. The test button works fine, but I cannot login. I turned on "Show Reason in Access Denied Message" and it just says "Bad Password" :-(
A. Make sure that the DSN you are using is a System DSN. Other DSNs are not accessible to system processes such as IIS.
Also note that the "Test ODBC" button may work properly with non-text or multiple-word fields, but the web authentication may fail. Make sure you are using text fields and that the field names do not contain spaces.
The Test ODBC button differs from using the ODBC connection from the filter in the following ways:
1) The Test ODBC button executes in the permission context of the logged-in user. So if that user has permissions, all will go well for the Test button. However, the ISAPI filter logs in as the system account, which usually will not have permission to access resources not on the local machine. If you need to access a database on another machine, try using the "Impersonate User when Accessing Database" settings.
2) The statement executed by the Test button does not include the where clause for the username. So it only executes
Select password from tablename
and comes back with a count of all users. The ISAPI filter, by contrast, will execute
Select password from tablename where username='suppliedUsername'
and will come back with one entry, if there is a match for the username. Then the filter compares the returned password with the supplied password.
Q. I just installed MDAC, and now I cannot modify my ODBC database with Access 2000 via the ASP remote admin pages.
A. With newer versions of drivers and databases, permissions can become an issue where there was no issue before.
Make sure you grant Change permissions for IUSR_MachineName (and IWAM_MachineName where appropriate), where MachineName is the name of your machine, to the directory containing your database, and everything within and below that directory, including the database itself.
Q. Single user name, multiple passwords with ODBC database?
A. It is normally best to have the username as a unique key. However, if you have multiple users with the same name but different passwords, then you can set a switch in the registry to tell AuthentiX to add " AND passwordField='passwordEntered'" at the end of the select statement (standard or custom select).
To make this happen, using regedt32.exe, add a value in the registry under
HKEY_LOCAL_MACHINE /Software /Flicks Software /AuthentiX /1.0 /AuthentiXConfig
of type REG_DWORD with the name addPasswordToSelect.
Note: the software caches successfully logged in ODBC usernames and passwords for performance reasons. If a username logs in with one password and another tries to log in with that username using a different password (while the first is still in the cache), then the second will not be able to get in, because the ODBC database will not be queried again.
To turn off this caching, go to the options dialog / ODBC options, and set the relevant checkbox. This will disable the cache and query the database for every request. This may have a performance impact.
Then stop IIS Admin Service (IIS4 and above) or World Wide Web Publishing Service (IIS3) from the control panel and restart.
This really isn't recommended because of the performance issue. It will not work if, for example, you are using cookie-based login, where the passwords need to be decrypted and/or hash-matched first.
NB: This ability is intended to help ease the transition to a database with single username/password combinations. It works for the most common scenarios, but may not be fully supported for all functionality, for example cookie-based login with ODBC. Additional custom upgrades may be required, if you wish to persist in using multiple passwords with a single username.
Alternatively:
You could use the "By COM" option (with the Extensibility SDK), and specify the Option: "Call On Every Request". This option will bypass the built-in username/password caching, and you can check usernames passwords etc with any scheme you wish.
Q. How are ODBC and Internal Database groups related? How do I set up groups with my ODBC database?
A. ODBC users and Internal Database Groups are not related at all!
If you are using ODBC and you want groups, then make groups a part of your database, and then use the custom select statement for each directory.
Add a field to the user table indicating the access privileges for that user. This could be a hierarchical priority level ("A", "B", "C") or group membership ("Vendors", "Wholesalers", "Customers").
Then use the custom select statement on each directory you want to protect, setting the select statement to reflect the group, eg
Select Password from Users Where AccessLevel='Customers' AND user= etc.
Q. I am using the ODBC interface with Oracle, and when I hit the Test button it doesn't work :-(
A. The DSN setup does not automatically add the password field to the DSN string. Try adding
PWD=password
after the last semicolon in the DSN string, where password is the password you use to access the database.
Also note that with Oracle, all variable names must be capitalized.
Q. I get into the protected area, but it keeps re-prompting me with multiple prompts for a username and password.
A. Always make sure that Basic Authentication in IIS/MMC is turned off.
If you are including images, make sure the images are in a sub-directory of the protected area.
If you are using frames, make sure that all the frame components are in the same directory, and that it is the same protected directory.
When you are prompted the second and third time, what is the realm indicated in the prompt dialog? If it is not the same as the one set by AuthentiX, there is a file being protected by IIS/NTFS. When you escape out of the prompt, you should see an Access Denied message. If this is not the one you set with AuthentiX, there is a file being protected by IIS/NTFS.
If you are using ODBC to validate users, and you are getting reprompts that cannot otherwise be explained, try setting the "Impersonate NT User" in the ODBC settings for that directory's protection, to an NT account that has valid access to the database.
Windows 2000
With Windows 2000, Everyone has only List permissions within the inetpub directory by default. Even though the advanced properties say they have Read and Execute, these are not inherited by default like in IIS4/5.
AuthentiXISP / WebQuotaISP
If you are protecting content on several drives using Basic Authentication, make sure that the realm is the same for each.
HTTP Keep-Alives
Try turning off HTTP Keep-Alives. Some file types (eg pdf files) will prompt multiple times, because the browser asks for information in 1mb chunks (or thereabouts), but only supplies the username and password for the 1st chunk. Sometimes quitting out of the 2nd and subsequent prompts allows you to see the file anyway, which is what you want, but is somewhat disconcerting.
You turn off HTTP Keep-Alives by going to the master properties for the website (in IIS/MMC) and turning off the corresponding checkbox.
See also here.
Q. The software keeps prompting me (three times or more!) on the page in the protected directory. It is a terrific page, it's got stylesheets, framesets, a whole bunch of cool gifs, all the latest stuff and more. Why am I having problems?
A. Likely you are including something outside of the protected area: the browser is sending the credentials (username/password) to the non-protected area, and IIS thinks it should authenticate the request, but it doesn't recognise the AuthentiX username/password. This is why you are seeing the pop-up dialog with a different realm than the realm specified in AuthentiX. [NB, see also here]
Alternatively, you could be using a complex set of html/asp features that is confusing the browser, so that the browser is sending authentication information in the http header when it should not be, or failing to send authentication information when it should be.
Create a directory with just one simple htm file in it. Protect it with AuthentiX and see what happens. If all is well, add a graphic and an <img src> tag. If all is well, keep adding things from the page that is not working right, one by one, until you get the problem. The last thing you added after the last edition that was working right is what is causing the problem.
Additional info:
If you are using ASP server object features such as MapPath, then check this FAQ.
You could also try turning on NT Security Auditing for the directories and files in question, and check the event log for more information.
One user reported that turning on logging would stop reprompts (!). As far as
we know there is no possible relation between logging (which happens right at the
end of a request) and authorization (which happens right at the start). We have only
heard of this one time, but if it happens for you, let us know...
Another user reported this (Windows 2000/IIS5), and turning on logging fixed it! (10/1/04)
And a third (Windows 2000/IIS5/SP4).
An additional workaround (particularly useful for users experiencing problems with Excel, PDF, and Word files) is the following:
If you are reprompted for Excel files, but not for jpgs in the same directory, then it is most likely an issue of how the Excel file handles the authentication.
For those files that reprompt, you could get the current username:
http://www.flicks.com/fbeta/q_and_a.htm/TechnicalSupport/who_is_the_current_user.asp
then populate the link using the following formula:
http://username:password@www.website.com/directory
where username is the username variable and password is the password variable (but see here).
Q. I have been able to protect Real streaming files with WebQuota by saving them as .rm files .... but my visitors receive a double prompt for a username and password the first time they log in. How can I fix this?
A. This is a fairly easy solution. To eliminate the double prompt, you will need to create a redirect page.
This redirect page will get the current username, form a link with the username and password hard coded within it (use the format http://username:password@www.website.com/filename - but see here), and redirect the user to that link.
Instead of linking directly to the .rm file, link to the redirect. Your members will not know the difference!
Link to trace failures
TRACE FAILURES (trace access denied)
New in 5.2d2 there is a debug mode that you can enable as follows: In
HKEY_LOCAL_MACHINE /Software /Flicks Software /AuthentiX /1.0 /AuthentiXConfig
create a value called traceAccessDenied, of type DWORD, and set it to be 1. Stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web Publishing Service (IIS3) from the control panel. You have to stop IIS Admin from the control panel/services, not just a subweb in Internet Manager.
Try logging into the page again. When it fails, check out the application event log.
You should see various extra entries and they should say things like this:
The description for Event ID ( 0 ) in Source ( Flicks Denied ) could not be found.
It contains the following insertion string(s):
Denying *Empty user name* for F:\x1\x2\graphics\index.gif, protecting path is f:\x1\x2\
or
Denying Raxer for F:\dir1\dir2\graphics\index.gif, protecting path is f:\dir1\dir2\
Inspect all the values and output generated; they should give extra clues as to what is going on.
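A small parser for the insertion strings shown above, added here as an example and not part of the product: it tallies denials per named user and lists files requested with no username under each protecting path. Only the "Denying ... for ..., protecting path is ..." layout comes from the FAQ; the extra sample lines and the threshold are constructed.

```python
import re
from collections import Counter, defaultdict

LINE = re.compile(
    r"^Denying (?P<user>.+?) for (?P<file>.+), protecting path is (?P<path>.+)$"
)
EMPTY_USER = "*Empty user name*"

# Constructed sample: the two strings quoted in the FAQ, two invented lines for
# the same user, and one event-log line that is not a denial string.
SAMPLE = r"""
Denying *Empty user name* for F:\x1\x2\graphics\index.gif, protecting path is f:\x1\x2\
Denying Raxer for F:\dir1\dir2\graphics\index.gif, protecting path is f:\dir1\dir2\
Denying Raxer for F:\dir1\dir2\default.htm, protecting path is f:\dir1\dir2\
Denying Raxer for F:\dir1\dir2\members\list.asp, protecting path is f:\dir1\dir2\
The description for Event ID ( 0 ) in Source ( Flicks Denied ) could not be found.
""".strip().splitlines()


def parse_denial(line):
    """Return a dict for one denial string, or None for any other line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    user, file_, path = m.group("user"), m.group("file"), m.group("path")
    return {
        "user": None if user == EMPTY_USER else user,
        "file": file_,
        "path": path,
        # Windows paths compare case-insensitively (F:\ versus f:\ above).
        "under_path": file_.lower().startswith(path.lower()),
    }


def summarise(lines):
    """Tally denials per named user and collect no-username requests per path."""
    by_user = Counter()
    no_username = defaultdict(list)
    skipped = 0
    for line in lines:
        event = parse_denial(line)
        if event is None:
            skipped += 1
            continue
        if event["user"] is None:
            no_username[event["path"].lower()].append(event["file"])
        else:
            by_user[event["user"]] += 1
    return by_user, dict(no_username), skipped


def repeated_denials(by_user, threshold=3):
    """Users denied at least `threshold` times (threshold is an assumption)."""
    return sorted(user for user, count in by_user.items() if count >= threshold)


if __name__ == "__main__":
    by_user, no_username, skipped = summarise(SAMPLE)
    print("denials per user:", dict(by_user))
    print("requests without a username:", no_username)
    print("users at or over threshold:", repeated_denials(by_user))
    print("lines skipped:", skipped)
```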
Q. 2. I understand that I can use ASP to let the user create his own UID and Password. Can you point me where I can get the sample code :-) ?
A.
There are several samples in the aspocxsamples subdirectory of the installation directory. More are being added over time.
The aspAdmin directory contains a comprehensive ASP working example of remote administration.
If you have some ASP files working with that you are proud of and would like to share, let us know and we'll see if we can get them in the next release.
If you want the samples, and your website is hosted at an ISP, you can always download the free trial, and get the samples that way.
Q. What happens if I use AuthentiX to protect a directory, then use it to protect a sub-directory of that directory?
A.
The protection associated with the lowest (longest) path name takes priority.
Q. How can I import a bunch of usernames and passwords from a text file to the internal database, without having to type them all in again?
A. Create a group and import to it.
Q. Do you do consulting or/and custom coding?
A. We are always very busy. If your project is consistent with our development goals, we do consider taking on custom work.
We are always happy to provide technical support for our products:
Q. How do I change the access denied message and the realm?
A. Use this dialog.
Q. What kind of performance hit is there with the software loaded?
A.
Performance statistics for IIS Website with 600,000 hits per day. 12 Virtual Directories. Mostly static pages. Your mileage may vary.
System: Pentium 90 with 64 Mb Ram. IDE Hard disk drives.
Without the software: Processor time 27%, Bytes Total/Sec 60000, Anon Users 160
With the software: Processor time 35%, Bytes Total/Sec 60000, Anon Users 160
Q.
Single user name, multiple passwords with the Internal Database?
A. Currently, there can be only 1 unique user name across all groups. However, group 'sale' can have user 'win', group 'support' can have user 'win' too.
AuthentiX ISP has separate adb files.
http://www.flicks.com/authentix_isp/
Q. I want to protect pages and sell access to them automatically.
A.
First you need to set up your website, either on your own machine with your own dedicated internet connection, or with one of our recommended ISP's. Create a directory containing the content to which you want to sell access.
You need to be able to accept online payments. You can either set up your own merchant account and connect this up to one of our recommended credit card clearers or discuss your requirements with one of our recommended credit card clearers and use their merchant credit card account.
Protect your saleable content directory with AuthentiX and an AuthentiX internal database group. This group should match the group coded in the free script mentioned below.
Use one of the free Credit-card-clearer AuthentiX integration scripts (each credit-card clearer has a slightly different version). Work with your selected Credit-card-clearer to make sure this is set up right for your environment and works for you.
Use the html order form supplied by your selected Credit-card-clearer to let customers order access to your protected content.
The combination of the free integration script, your credit card clearer, your ISP (if appropriate), and the order form will allow you to automatically sell access to protected pages.
Other notes:
Q. Ordinal 6571 (or 6883, etc) could not be located in the dynamic link library
or
server object error 'ASP0177:800401f3 the call to Server.CreateObject failed. the requested object instance cannot be created[Note: if you get this error, it is worth doing
or
regsvr32 <module>.ocx returns "Get last error returns 0x000000b6"
or
Installation attempted to update the file MFC42.dll but failed.
A.
Note Flicks Software products require Windows NT/2000 and above.
Flicks Software products as of 12/16/98 use the latest version of the mfc42.dll support file from Microsoft.
The products come with and require the latest version of the
mfc42.dll dated 9/26/98, size 995,383 (File Manager - winfile.exe) 973k
(Explorer), File version 6.00.8267.0, product version 6.0.100.
Installation should update mfc42.dll. However if it is being used by other programs, the older version will remain locked in place.
Q. Office2000 and IE Basic Authentication - inconsistent behaviour.
A. Several customers have reported that Office2000 does not work properly with Basic Authentication, whether it be AuthentiX Basic Authentication, or the Basic Authentication provided by Microsoft in IIS.
Office2000 will prompt for Basic Authentication username and password even though this has already been supplied for the requested directory. It may prompt a second time.
If you have already supplied a username and password to get access to the contents of the directory, then it doesn't matter whether the username and password are entered again (ie you can escape out of the pop-up prompt) and you will be able to view the document.
If you enter the URL of the document directly, it will require a valid username and password, however IE will present the document as a stream of binary data.
Needless to say, this is a less than satisfactory user experience. Contact Microsoft to ask when they will provide a fix.
See also here.
NOTE:
Q. How to setup SQL database on a different machine, not on the webserver itself. (Can also help with a W2K3 SP2 permissions issue)
A. Hopefully the following will help set this up. Configurations vary so widely it is not possible to document them all here. Sometimes patience is needed (!)
7/7/2005:
With W2K3 and SP1, two new groups have been added:
Distributed COM Users
IIS_WPG
When you impersonate an NT user when making the ODBC call (usually with an Administrator account), make sure
this account is a member of these two groups.
You will need to use the SQLOLEDB driver, instead of the default SQL driver normally presented in the ODBC control panel. The SQLOLEDB driver will not be visible here, and it shouldn't be.
The SQLOLEDB driver is available in the MDAC (Microsoft Data Access Components) package.
Create an SQLOLEDB connection string (see below).
Driver{SQL Server};Server=ServerName;Database=databaseName;UID=sa;PWD=;
eg ConnectionString="Provider=SQLOLEDB.1;Password=WebUser1; Persist Security Info=True;User ID=WebUser1; Initial Catalog=VideoQuota;Data Source=MMS-ITVMEDIA; Integrated Security=SSPI"
Here is a recent working sample:
Driver={SQL Server};SERVER=MACHINE_NAME;Provider=SQLOLEDB.1;
Password=user1;Persist Security Info=True;User ID=WebUser1;
Initial Catalog=CATALOG1;Data Source=MACHINE_NAME
And another:
Driver={SQL Server};SERVER=servername;Persist Security Info=True;
Database=dbname;UID=userid;PWD=password
Carefully match up the parameters on your connection string with the above example.
You may need to set up the appropriate SQL user/pass to access the database, as well as an NT user/pass that matches and is good for both machines. Make sure your SQL account has permissions to access all the relevant tables and procedures etc.
How to get it right every time:
Here's the final version:
Driver={SQL Server};SERVER=206.xxx.234.xxx;Persist Security Info=True;Database=dev;UID=xx;PWD=xxxxx;
A few things I experienced went against the FAQ page, and I thought I'd make note of:
1. Your FAQ #94 needs an equal sign after the "driver" in the first example, as in "Driver={SQL Server};".
2. SQLOLEDB would never work, even though several combinations of the connection string worked in ASP.
3. It wasn't clear that integrated NT security was not required.
4. While I was trying to get integrated NT security to work, I kept getting "A required privilege
is not held by the client", even though the user I was using had both "act as operating system"
and "log on locally rights", and also had full control of all databases, which was all set up
prior to installing AuthentiX.
Thanks Cory!
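An added example (not from Flicks Software or from Cory): a checker that parses the connection strings quoted above and reports settings worth reviewing before the string goes onto a server. The finding names are hypothetical labels, and which keywords to flag is an assumption about what an administrator would want to see.

```python
# Strings quoted from the FAQ text above, with wrapped lines joined.
FAQ_STRINGS = {
    "first example":
        "Driver{SQL Server};Server=ServerName;Database=databaseName;UID=sa;PWD=;",
    "sqloledb":
        "Provider=SQLOLEDB.1;Password=WebUser1; Persist Security Info=True;"
        "User ID=WebUser1; Initial Catalog=VideoQuota;Data Source=MMS-ITVMEDIA; "
        "Integrated Security=SSPI",
    "working sample":
        "Driver={SQL Server};SERVER=MACHINE_NAME;Provider=SQLOLEDB.1;"
        "Password=user1;Persist Security Info=True;User ID=WebUser1;"
        "Initial Catalog=CATALOG1;Data Source=MACHINE_NAME",
    "another":
        "Driver={SQL Server};SERVER=servername;Persist Security Info=True;"
        "Database=dbname;UID=userid;PWD=password",
}

EXPLAIN = {
    "malformed-segment": "a segment has no '=' and is not a keyword=value pair",
    "empty-password": "a password keyword is present but blank",
    "sa-login": "connects as sa, the SQL Server system administrator login",
    "password-equals-user": "the password is the same as the user name",
    "persist-security-info": "Persist Security Info=True leaves the password "
                             "readable from the connection after it is opened",
    "mixed-auth-modes": "integrated security requested together with an "
                        "explicit user or password",
    "odbc-and-oledb-keywords": "Driver= (ODBC) and Provider= (OLE DB) both used",
}


def parse_conn(conn):
    """Split on ';' into lower-cased keyword -> value; collect bad segments."""
    pairs, malformed = {}, []
    for segment in conn.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, sep, value = segment.partition("=")
        if not sep:
            malformed.append(segment)
            continue
        pairs[key.strip().lower()] = value.strip()
    return pairs, malformed


def lint(conn):
    """Return the list of finding names for one connection string."""
    pairs, malformed = parse_conn(conn)
    user = pairs.get("uid") or pairs.get("user id")
    has_pwd_key = "pwd" in pairs or "password" in pairs
    pwd = pairs.get("pwd") or pairs.get("password")
    integrated = (
        pairs.get("integrated security", "").lower() in ("sspi", "true", "yes")
        or pairs.get("trusted_connection", "").lower() in ("yes", "true")
    )
    findings = []
    if malformed:
        findings.append("malformed-segment")
    if has_pwd_key and not pwd:
        findings.append("empty-password")
    if user and user.lower() == "sa":
        findings.append("sa-login")
    if user and pwd and user.lower() == pwd.lower():
        findings.append("password-equals-user")
    if pairs.get("persist security info", "").lower() == "true":
        findings.append("persist-security-info")
    if integrated and (user or has_pwd_key):
        findings.append("mixed-auth-modes")
    if "driver" in pairs and "provider" in pairs:
        findings.append("odbc-and-oledb-keywords")
    return findings


if __name__ == "__main__":
    for label, conn in FAQ_STRINGS.items():
        print(label)
        for name in lint(conn) or ["(nothing flagged)"]:
            print("  -", name, EXPLAIN.get(name, ""))
```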
Q. SQLOLEDB connection string, and useful MS articles
A. Should be of the form:
ConnectionString="Provider=SQLOLEDB.1;Password=WebUser1; Persist Security Info=True;User ID=WebUser1; Initial Catalog=VideoQuota;Data Source=MMS-ITVMEDIA; Integrated Security=SSPI"
Also see this useful article from Microsoft:
Q. I have some questions about ODBC caching. I understand that the ODBC user requests are cached and there are settings to control expiration etc. If the request is authenticated from the cache does it look it up again real-time? (i.e. if a currently logged-on user changes password and the user id is located in the cache, will it re-validate or what will happen?)
A. From the windows help file:
If you have set up and enabled an ODBC authorization database (see Set Up ODBC), you can adjust the following options:
You can use the ODBCRemoveUserFromCache OCX method to force a user to be removed from the cache,
Q. Are there any log files generated by the software?
A. The software notifies IIS of the username of each authenticated request, and then IIS will place this info in the IIS configured logfile.
Note that with IIS4 you will be using W3C extended logging format by default, and you must click on the Properties button, go to the extended properties tab, and enable the Username checkbox. Otherwise usernames will not appear in the log. Refer to your IIS documentation for more details.
See also the Options/Audit button, to have AuthentiX create an audit log in the text file you specify.
Q. Migration, ASP, .NET and integration.
Our company, like so many, is rushing to migrate all of our existing web applications from ASP to ASP .NET. However, this process is taking time as we strive to manage our new project development and still migrate old development.
With that said, we need to put an authentication process in place that will work with our new .net web applications and old ASP applications.
Our hope is to create a single portal that will authenticate a web user and then give them links to access all of our different online applications (both ASP & ASP.net).
All of our applications are running on a single server. (Windows 2003, SQL Server 7, IIS 6) The applications are however running under different websites. We have approximately 5 different websites. We are currently working to combine all of the applications and sites into a single website as we migrate everything to .NET. However, that currently isn't the case.
Our Need: We need to authenticate the user one time and then allow them to move between the different applications. Again, some of the applications are setup within different web sites and some are ASP others .NET.
A. This is an excellent question.
I suggest that you use AuthentiX with cookie-based authentication.
Set this up per the instructions and note how the easyloginnow.asp works - it receives the username and password from the login form, and creates the AXCOOKIELOGIN.
You can modify easyloginnow.asp so that it also sets up session variables etc that are required for your other mechanisms. Or you can take another .NET login aspx file, and modify that to create the AXCOOKIELOGIN as is done in easyloginnow.asp.
Please let me know if you need further help.
Q. I am using MS Proxy 2 and IIS. We can get to the member area from our internal network, but not from the internet. I am prompted, and a valid username and password is supplied, then I am asked a couple more times, and eventually it is as though an incorrect
A. Hi Kevin!
I have finally solved the problem. It was the Proxy server that caused
the problem.
As I mentioned before we access our webserver through a proxy which is
on a different domain. This is why everything worked internally, since
the proxy is never used for internal traffic. This is what happens.
When trying to access the protected directory, AuthentiX displays the
login dialog.
When the user clicks OK the web service on the proxy tries to login with
the username and password entered. This will of course not work, since
no such NT user exists. What you must do is to uncheck the Basic (Clear
Text) and NT Challenge Response in the web service on the proxy server
(the proxy server uses the web service to authenticate users). Once this
is set, all authentication is forwarded to the real web server. This
regards IIS and MS Proxy 2.0 I don't know if it would work in the same
way with IIS 3 or Proxy 1.
Q. The REMOTE_USER environment variable is not being set for CGIs if a directory is protected by the software. How do I get the login name?
A. This is to be expected. If REMOTE_USER was set, then IIS would try to authenticate against NTFS, which would disallow all entry. Instead, you can use the OCX component to find out who is logged in, http://www.flicks.com/authentix/currentusername.htm You should be able to add the component to your cgi program. Or you can get it out of HTTP_AUTHORIZATION and then base64 decode it.
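Reading the login name out of HTTP_AUTHORIZATION, as an added example rather than Flicks Software code. It assumes the header carries standard Basic credentials (base64 of username:password) and that the script sits inside the protected directory, since the header is whatever the client sent; the function names are hypothetical.

```python
import base64
import binascii


def make_basic_header(user, password):
    """Build a sample header value for testing (constructed input)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def basic_auth_username(environ):
    """Return the login name from a Basic HTTP_AUTHORIZATION value, or None.

    `environ` is the CGI environment (os.environ in a real script). Only the
    username is returned; the decoded password is dropped immediately so it
    does not end up in logs or page output.
    """
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None  # header absent, or some other scheme
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # older browsers sent Latin-1
    # Split at the FIRST colon: a password may contain colons, a username not.
    user, sep, _password = text.partition(":")
    if not sep or not user:
        return None
    return user


if __name__ == "__main__":
    import os

    # Constructed sample value; a real CGI script would read os.environ only.
    sample = {"HTTP_AUTHORIZATION": make_basic_header("Raxer", "pa:ss")}
    print("sample user:", basic_auth_username(sample))
    print("this process:", basic_auth_username(os.environ))
```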
Q. When I start the program, I get "Could not CreateDispatch (21434), did you regsvr32 on the dll containing FlicksIISInstall.Install"
A. The automated IIS filter install (which is not working for you) requires a VB runtime dll, MSVBVM60.DLL, which is missing from your machine. The required VB runtimes are included on any machine that has IIS4 (and above) installed; however, they must have been removed since IIS4 (and above) was installed.
You can download the zipfile containing the dll here. Unzip it into your system32 directory and reinstall the software.
This dll is included in Flicks Software versions 5.1f and above.
(Thanks go to Tom Kelleher).
If this still does not work, try manually installing, according to the instructions given in the dialogs on installation.
Q. I am going to upgrade and I want to make sure that installation will not overwrite my existing setup and configuration.
A. The setup and configuration information is stored in authxdb.adb in the installation directory (authxISPData/*.adb for ISP versions). Make sure you back up these files at regular intervals and before you upgrade.
So long as you uninstall and reinstall to the original installation directory, your configuration will be preserved.
If you are using WebQuota and have set additional IP Addresses in Options/AOL-Limit-Logins,
you need to copy the machine's list of IP Addresses out of the registry, using regedt32.exe, here:
HKEY_LOCAL_MACHINE
/Software
/Flicks Software
/AuthentiX
/1.0
/AuthentiXConfig
/mzAOLData
and paste them back in after the install.
Also see upgrading
Q. AuthentiX and AuthentiX ISP - what is the difference between AuthentiX ISP and AuthentiX with a license for multiple DSN's?
A.
First, see here.
AuthentiX ISP is for Internet Service Providers who need to support multiple customers, each with their own community of users. Each customer is able to remotely administer access to their subdirectories (and only their own subdirectories).
Each customer's database of usernames is separate and private from others. Customers are distinguished either by their domain's IP address, or by their host-header domain name.
If you have multiple customers, and you administer their username/passwords yourself, you could use AuthentiX with the unlimited DSN license.
However, if you want them to do their own administration and it is important to you (or your customers) that each customer is unable to edit another customer's usernames/passwords/configuration, then you would use AuthentiX ISP.
Q. I have heard a lot about AuthentiX and it sounds great! Our website is hosted at an ISP/WPP (internet service provider/web presence provider). Can we use it on our website hosted at the ISP?
A.
Certainly. You need to discuss your specific requirements
with your provider. They will need to agree to install AuthentiX on their server for you.
(Note for the ISP: AuthentiX and its variants are based on
an ISAPI filter, and need to be installed via the console on
the IIS machine your website is running on. Also see the note below about Sharing)
If your ISP is unwilling or unable to install AuthentiX, then many other ISP providers already offer an AuthentiX plan. Here is a list of approved providers that offer AuthentiX/WebQuota ISP.
If you have a dedicated IIS server machine (your website is the only website on the machine), then purchase the AuthentiX (Standard) or WebQuota (Standard) software and have your provider install the software. If you have a remote access program like PC-Anywhere, you may be able to install the software yourself.
Sharing: If your website is sharing the IIS machine with several other
of your provider's customers, the ISP version of the software
will be more appropriate. Essentially, the ISP version places
firewalls between each customer so they do not have access to, and
cannot modify, each other's AuthentiX configurations. Also you
can only protect directories on your own website
(and not other people's websites on the same machine!).
Consequently, your provider may not permit you
to use AuthentiX, and may require you to
purchase AuthentiX ISP 5-pak.
Q. Also what is the proper way to uninstall Authentix?
A. Go to control-panel, Add-Remove Programs, and select the software from there. (Look for Membership Systems or AuthentiX.)
Do not run uninstall.exe in the flicks installation directory.
Q. On installing, I get a weird dialog box with dlgcacwinname and ins0432 in it. Then the install fails. What do I do?
A.
It sounds like there are some old InstallShield files hanging around from another vendor's installation procedures.
Remove everything from the temp directory (reboot first if necessary), then try the install again.
Someone also mentioned a security lockdown setting that makes long filenames and/or filenames with spaces in them fail. It could be related to this.
Try installing to c:\flicks\authx (with no spaces and 8.3 compatible filenames) rather than c:\program files\Flicks Software\AuthentiX.
Q. I tried that, but it won't let me uninstall.
A. Try running flicksUninstall.exe in the installation directory. If it complains that it cannot find mfc42d.dll, then you need to download the latest flicksUninstall.exe. Overwrite the one in the installation directory. Then try uninstalling from the control-panel again.
Q. I have tried to install the latest version of the software, however it still comes up with the old version!
A. Are you sure you installed the correct zipfile? If you have just purchased the software and are installing over the trial version, are you sure you are installing the software sent to you?
If you are sure you are installing the correct version,
then perhaps the old files are still 'hanging' around.
There are several reasons this could happen, for example you
may have forgotten to stop IIS before the installation procedure,
or the Windows console GUI app was still running.
Try the following to reinstall:
Stop IIS from the control-panel/Services. Make sure you stop IISAdmin service
and say yes to stopping all sub-services (including IIS).
Make sure the AuthentiX/WebQuota Windows user interface is closed.
Make sure no other programs are using any AuthentiX/WebQuota OCX/COM component.
Uninstall from the Control-Panel/Add-Remove Programs.
Install the software again, making sure you use the correct zipfile.
If this still does not work, then
to make sure you have a clean re-install, copy the
manualdelete.bat
from the installation directory to a separate
directory, stop IIS and the console app, and uninstall from the control panel.
Modify the manualdelete.bat file to reflect the directories of
your installation/machine configuration, and run it.
If any of the files fail to be deleted,
then they are still being held open by another process.
Rename the offending files, and reboot.
This should guarantee that the old files are gone.
Then install the software.
In the last resort, make a backup of any/all adb files in the installation directory, delete the entire installation directory, and in the system32 directory delete the following files:
If you are still having problems, email support@flicks.com.
Q. I'm using IIS6 and I get "An attempt was made to load the filter but it requires the SF_NOTIFY_READ_RAW_DATA filter notification and this notification is not supported in Worker Process Isolation Mode."
A.
In the registry, under HKEY_LOCAL_MACHINE\Software\Flicks Software\AuthentiX\1.0\AuthentiXConfig, create a value called ENABLE_SUBWEB, of type DWORD, and set it to 1. Stop and restart the IIS Admin Service. You should then get a message in the event log saying "SF_NOTIFY_READ_RAW_DATA turned off", rather than the above message. (This is the default in 5.5k2 and above).
If you have not upgraded to 6.0 or above, you need to now.
Q. IIS6 - it doesn't seem to be working (when in fact it is).
A.
The worker processes that indicate to the system that IIS6 is running are not activated until an actual http call is made. If, on installation, it doesn't seem to be working, try protecting a directory and checking whether it is protected by making a request. It should be fine.
Q. Windows 2000 and aspAdmin remote administration Error: 50;
A.
Assuming that the software has not expired:
With Windows 2000 (not Windows NT 4.0), the default registry permission settings do not
give access to IWAM_machineName or IUSR_machineName.
Using regedt32, in the registry, HKEY_LOCAL_MACHINE, the SOFTWARE key, Flicks Software: set the permissions to grant IWAM_machineName and IUSR_machineName Read Control and Full Control.
Additionally, in the Flicks Installation directory, grant IWAM_machineName and IUSR_machineName Full Control on the directory containing all the .adb files.
Version 5.1 will not need this permission to be set at the top SOFTWARE key level, and the necessary permissions will be set automatically on installation.
If you believe you have a registered version, please let us know the serial number.
Q. I change the user's info via the Windows GUI, but I have to restart IISAdmin to see the changes!
A.
You should be able to make changes via the Browser-based administration; use this as a temporary workaround.
We have found that this can occur when using Terminal Services to remotely access the server machine. Version 5.5b2 and above eliminate this glitch. For prior versions you may continue to use the Browser-based administration aspAdmin, or use alternate remoting software such as PCAnywhere or Remotely Possible.
The issue is normally related to permissions, depending on the security regimen implemented on the machine, either by corporate policy or by any of the many service packs. Each service pack seems to make undocumented modifications to the security structure, and these vary between service packs.
The problem is caused by one of two things:
1) The Windows GUI does not have permission to update the authx.adb file. This is relatively easy to fix by making sure the authx.adb file and its parent directories have the permissions necessary to update the file.
2) The global mutex that signals all applications (particularly the AuthentiX ISAPI filter plugin, which runs as a part of IIS) is not having the desired effect. This is almost always caused by permission issues for the global mutex and the permissions of the processes involved (IIS, AuthentiX GUI). Because the remote admin uses the AuthentiX OCX, which itself runs as part of IIS, the permissions issue is sidestepped.
A customer observed this behaviour:
We were able to restart all IISAdmin services except the http SSL service while being remote into the server. After restarting those services and making a change through the GUI, the change showed up in remoteAdmin.
Permissions could be an issue here. Make sure you are logged in as an Administrator with "Act as part of the Operating System" and "Log on locally" advanced user rights/privileges.
To add privileges: Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment.
See also here.
Q. In the Event Log I am seeing "[5] Access is denied" with message IDs 8729991 and 883762. Is this a problem?
A.
This should have no negative effect on operations.
Likely you are installing on Windows 2003 using Terminal Services.
See this interesting (but very technical) article here:
http://www.brianmadden.com/content/content.asp?ID=480
In brief, the software attempts to open the Registry Key
HKEY_LOCAL_MACHINE\SOFTWARE\Flicks Software\AuthentiX\1.0
but fails the permission check, which generates the Event Log message.
However the system then automatically tries again with higher permissions, which succeeds.
If you do in fact have problems that are related to this please let us know.
Q. Lots of IIS startup messages! Authentix is filling our Application Event Log with entries. They are mostly Informational events, such as the one I pasted below. How can I turn these off?
A.
These messages are normal startup messages. Every time the AuthentiX ISAPI plug-in filter starts, it outputs these messages.
The AuthentiX ISAPI plug-in filter starts up when IIS starts up.
If the AuthentiX ISAPI plug-in filter starts up frequently it is because IIS starts up frequently.
Assuming auto-recovery is on (and it must be here) IIS will start up frequently if it crashes frequently.
It will crash frequently if it is running an application that crashes frequently.
You are seeing AuthentiX messages frequently and so you are assuming the problem is caused by AuthentiX. Instead, the messages are a symptom of another issue.
100% of the times I have seen frequent startup messages like this from AuthentiX it is because of another application crashing IIS.
For example, one customer who was using a (rather rare) IIS programming language found that when he moved to IIS6 he got these frequent messages. It turned out the programming language interpreter crashed IIS at the end of each page it was called from, although the page itself would actually be served (the last one before crash and recovery). It worked ok under IIS5.
Try turning off auto-recovery and observe IIS failing. Then check the Event Log for clues.
If enough people ask, I will add a registry switch so that you can turn these messages off.
That way, AuthentiX will not fill up your Event Log with startup messages (always annoying!)
and the actual cause of IIS restarting will remain
hidden until your system crashes and burns later and you will be none the wiser why.
AuthentiX is just the messenger here.
Q. By referrer issues.
A.
Yes, there are cases where the http-header referrer information is not correctly passed to the server.
It could be because of an option in a browser, a firewall or proxy stripping out the header, or a browser that does not have the capability at all.
One common example is the WMP browser, which standalone does not pass the referrer to the server; if embedded in IE or Firefox, however, it does. See here.
In the AuthentiX installation directory there are some copies of debug.asp.
Take one of these and put it in an unprotected directory on the target machine. Use the browser method in question to access this file via http. If there is no referrer information there, then none is being passed to the server.
If the referrer information is required for access, but the referrer information is not passed to the server, then the browser will be blocked by referrer.
Q. I really like being able to see who is currently logged in with the aspAdmin remote admin module. It is in the Access List, where it says "Who's on now" and a link to "Current Users". It shows me who's on now. However I cannot see any currently logged in users even though I know I am logged in!
A.
Go to MMC/IIS and right click on the website and select Properties. In the Home Directory tab, change the Application protection level to Low (IIS Process). Now that asp module will have access to the internal data structures in the AuthentiX filter that runs as part of the IIS process, and you will be able to see the currently logged on users.
Q. Adding users via remote administration does not update the filter.
A.
Assuming that the software has not expired:
With Windows 2000 (not Windows NT 4.0), the default file permission settings do not
give access to IWAM_machineName or IUSR_machineName.
AuthentiX/WebQuota (Standard): The configuration file authx.adb does not have write permission for IUSR_machineName or IWAM_machineName so the remote administration module cannot update it.
AuthentiX/WebQuota ISP: The configuration files *.adb in the authxISPData directory do not have write permission for IUSR_machineName or IWAM_machineName so the remote administration module cannot update them.
Grant Read and Write permissions for IUSR_machineName and IWAM_machineName to these files.
This will be done automatically on installation with Versions 5.1 and above.
If you believe you have a registered version, please let us know the serial number.
Q. Where is the remote administration dll?
A. The remote administration dll is no longer used for remote administration. Check out the aspRemote ASP pages instead!
Q. How do I set things up for FrontPage?
A. In IIS Manager, turn on Allow Anonymous (otherwise the whole site will be protected by IIS), turn off Basic Authentication (you don't want AuthentiX's Basic Authentication to conflict with IIS's Basic Authentication), and turn on NTCR (Integrated Windows Authentication in Windows 2000); those using FrontPage will be logging in via NTCR instead. In the Options dialog turn on "Don't Authenticate Frontpage subdirectories". Make sure that the anonymous user can access the actual directory, without the software having protection for that directory, then Add protection. Make sure the FrontPage filter is loaded after the AuthentiX filter.
For FrontPage 2000 there is an issue with the new virtual vti_bin methodology, if you
are authenticating FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)).
To edit a site with FrontPage,
the vti_bin virtual directory must have IIS Basic Authentication on,
however if this is the case users/browsers cannot use the bot without being prompted for
an NT basic auth sign on.
This is because (I think) the browser is sending Basic Authentication credentials
to AuthentiX, but these are being passed to the bot in the vti_bin, and
these credentials do not match IIS NT Basic Authentication credentials.
If you turn off vti_bin IIS Basic
Authentication, the bot will work for the user, but you won't be able
to edit the site with FrontPage.
It is better to use ASP solutions rather than bots, when you are
authenticating FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)).
If you must authenticate FP with IIS Basic Authentication (and not NTCR (Integrated Windows
Authentication in Windows 2000)),
and you must use FP bots, and you cannot have 2 IP addresses, then you have
got a problem that cannot be resolved at the
present time (8/3/00).
Better to:
Also see here, and Microsoft's comments here.
Q. FrontPage Setup - Camille's way
A. Camille (camilletrapp at hotmail.com) went through the grinder, and came up with this:
What to do so you can open your site in IIS4 (and above), frontpage2000 AND protect directories via logon using AuthentiX 5.1 at the same time
Thanks Camille!
Q. FrontPage Search Bots
A. Marj Palmer went through the grinder, and came up with this:
Thanks to all for taking the time to give me the full info on this issue. I tried Kevin's 'Map Request to NT User' suggestion on the _vit_bin directory and the results were the same...NT still popped up a dialog to validate an NT user.
I gave it some more thought and came up with a workaround that I can live with. I have a public and a private part to my web site. I don't want the general public to be able to search the entire web site, only authenticated users from the protected site. What I did is relocate the Search page containing the bot from the protected directory to the root unprotected directory. The Search page runs fine there. Most of the links to navigate to the Search page still come from a page in the protected directory. I had just one link to the Search page from the Site Map page in unprotected site. I revised the Site Map link to instead go to a search_redirect.asp page in the protected site, which after causing User authentication does a redirect to the Search page in the unprotected site. If some public user figures out how to directly type in to the search.htm they will be able to bring up and run the Search page. However, they won't be able to follow any results links to content in the private site, without getting authenticated. That's good enough for me.
Thanks again for your help. I've been very pleased with AuthentiX and the hosting support I've received from CrystalTech. I'm rolling out the finished web site this week!
Thanks Marj, don't you just love Frontpage!
Q. Everyone is permitted access to change the site with Frontpage!
A. If you are on the same local network, this will appear to be the case because (like IE) Frontpage will log you in "behind your back" as your current Windows login. If you try accessing the site outside your local network, you will see the protected behaviour as desired.
Q. http://username:password@www.mydomain.com doesn't work anymore!
A. That's right. Around 2/2004 Microsoft issued a security update for IE which disallows this form of URL.
The most likely workaround is to convert to using forms-based/cookie login, and modify the easyloginnow.asp to accept the username/password from the source of your choice, rather than the usual login.htm page.
For example, instead of using
http://username:password@www.mydomain.com
use something like
http://www.mydomain.com/firstfile.asp?u=username&p=password
then grab the u/p out of the url string, and use these to set the cookie for cookie-based login.
Be aware that this method of passing in a username and password is vulnerable to simple copy/paste attacks,
whereby the URL can be posted on forums to effectively destroy your security.
Note that VideoQuota is soon to have "TimerTokens". (VideoQuota includes AuthentiX/WebQuota with enhanced functionality.)
TimerTokens are generated on the fly, and contain the username and password encoded, along with the current time, encrypted. VideoQuota decodes and matches up the token, permitting access only if the token is freshly minted within the last few seconds. Good for links.
This premium feature is only available in VideoQuota, which costs more.
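A freshness-limited link token in the spirit of the TimerTokens described above, as an added example that is not VideoQuota's code or token format (the page does not document it). Assumptions: it authenticates a username and issue time with HMAC-SHA256 instead of encrypting a username and password, and the key, the 10-second window and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo key (assumption). A real deployment loads a random secret
# from protected server-side storage and never places it in a page or URL.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 10  # assumption: "the last few seconds" taken as 10
MAX_SKEW_SECONDS = 2  # small allowance for clock drift between hosts


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token can sit in a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Restore the stripped padding and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username: str, now: Optional[float] = None,
               key: bytes = SECRET_KEY) -> str:
    """Bind a username to the issue time; no password is carried in the link."""
    issued = int(time.time() if now is None else now)
    payload = struct.pack(">Q", issued) + username.encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the username for an authentic, fresh token, otherwise None."""
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = _unb64(payload_part), _unb64(tag_part)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Authenticate before parsing anything, using a constant-time comparison.
    if not hmac.compare_digest(tag, expected):
        return None
    if len(payload) <= 8:
        return None
    issued = struct.unpack(">Q", payload[:8])[0]
    age = int(time.time() if now is None else now) - issued
    if age > MAX_AGE_SECONDS or age < -MAX_SKEW_SECONDS:
        return None  # stale (for example a link pasted on a forum) or future-dated
    try:
        return payload[8:].decode("utf-8")
    except UnicodeDecodeError:
        return None
```

A token remains replayable by anyone who sees it inside the freshness window, so serve such links over HTTPS; making them single-use requires a server-side record of tokens already redeemed.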
Q. Installation with Cold Fusion Service Running
A. One user reported that Installation (setup.exe) was suspended when Cold Fusion service was running. When he stopped the service the setup/installation continued.
Q. My IIS system restarts every 15 minutes (OR every 30 minutes OR every hour OR once per day). In the event log I see a message about AuthentiX.
A.
The AuthentiX message is a general message that is created when the system is restarted.
It could be because the IIS6 default pool restarts itself once a day.
If this happens very frequently, then the cause of the problem could be related to the Red Worm Patch:
"Speaking of patches, I've read several recent posts on the Bugtraq mailing list that indicate a problem might exist with the Microsoft patch listed in Microsoft Bulletin MS01-033. A few people have reported that after they installed the patch, their systems remain immune to Code Red infection. However, when an infected system attempts to connect to their system to infect it, several IIS services (e.g., FTP, the default Web site, the administrative Web site, and the proxy service) stop processing." - Windows Security Update