- Supose that you have server that answers on the one IP - for example 220.127.116.11
- You created directory c:\hosting as root of customers' sites
Then you have created two virtual sites for your customers:
- Site1 - placed in the subtree of c:\hosting\site1 and answering only on
- Site2 - placed in the subtree of c:\hosting\site2 and answering only on
To do so in the MMC you was created these two sites by choosing "new site"
and then editing properties - Site identification to set sites to answer on port 80 and
host www.site1.com , www.site2.com respectively (Button "Advanced" on WEB site
Then you are going to install filter and give to the site1 and site2 owners ability to
manage its own authorities for user access.
To install filter you create directory c:\ISAPIFILTERS and give acces only for you and
system to this directory. Then you must copy authenticator1.dll to this directory and go
to the general WWW properties in the MMC (Microsoft Management Console). In the ISAPI
filters tab you must install the filter (see usage and installation
Then you created directory c:\authconfig and make it accessible for system, you and
site1 and site2 owners. Then you must copy empty configuration file AUTH.CFG here.
Now you create special directory c:\webadmintools and restrict access to it only for
you )and potential additional administrators). Copy here the AUTHADMINCGI.EXE and
share this directory in the Administration WEB site as virtual directory - for example
Then using your browser you are going to the admin site
http:/18.104.22.168:some_port/webadmin/AUTHADMINCGI.EXE (see IIS configuration
to determine port) and continue with configuration:
- Admin tool will generate an error that means that no configuration was specified
- enter path to it (c:\authconfig\auth.cfg) and continue.
- In the general options enter your serial number
Now minimal configuration required by filter was set and you must define what it will
do with sites. While nothing else was specified it will pass all requests through (to IIS
and NT security) i.e. no change of default behaviuor.
- Now you must create two authorities - Authority1 and Authority2.
- Add two bindings:
for www.site1.com to Authority1 and for www.site2.com to Authority2
- Create one user in every authority with the same name as site owners are registeres in
the NT user manager - for example User1 and User2 and specify do not map in their accounts
- filter will pass them through.
- Create several users that will be used for mapping of the authenticated users and
restrict access to the subdirectories of the hosted sites as their owners wish using newly
- Create directory c:\hostingtools for example and make it avalable in site1 and site2 as
virtual directory - for example /authadmin. This directory must be accessible for USer1
and User2 but it must not be accessible for other users (except administrators of course)
- Instruct User1 and User2 how to use these tools and to not change MapTo flag for their
own accounts (It is possible to exist more than one owner of one site)
Now User1 and User2 are able to add/delete/change users in their authorities using
/authadmin/AUTHMANCUSTOMERCGI.EXE directory in their sites. Tool will
automaticaly determine bindings and expose only bundled authority to them.
What filter will restrict depends on security in site1 and site2 subtrees. Using
created for mapping purposes users you can make some subdirectories accessible for users
mapped to one and not accessible to users mapped to another. You can these specialy
created users as groups for the Authenticator filter. There is no problem to leave some
directories accessible for the world. Another recommended task is to set IIS to accept
clear text authentication on these sites. Filter will not cause problems itself but
browsers like Netscape do not support NT chalenge response authentication and in the other
hand this type of authentication drives IE to try with local username and password (hash)