Flicks Software's FAQ

Frequently Asked Questions

Last modified: 10/6/2014

NOTE: To search this FAQ by keyword, press CONTROL and F simultaneously. The Windows FIND box will appear. Type in the keyword, and click FIND NEXT until you find the topic that addresses your question.
Individual FAQ items are numbered for reference, beginning here.
(C) Flicks 2010

    General

  1. Flicks Software Support Page
  2. Beginner's Step by Step (using the internal database)
  3. Beginner's Step by Step (using an ODBC database)
  4. I have tried to install the latest version, however it still comes up with the old version!
  5. I'm using IIS6 and I get "An attempt was made to load the filter but it requires the SF_NOTIFY_READ_RAW_DATA filter notification and this notification is not supported in Worker Process Isolation Mode."
  6. IIS6 - it doesn't seem to be working (when in fact it is).
  7. When I start the program, I get "Could not CreateDispatch (21434) , did you regsvr32 on the dll containing FlicksIISInstall.Install"
  8. Ordinal 6571 (or 6883, etc) could not be located in the dynamic link library MFC42.dll, or OCX error 800401f3
  9. Office2000 and IE Basic Authentication - inconsistent behaviour.
  10. What is the difference between the trial version and the registered version?
  11. I am going to upgrade and I want to make sure that installation will not overwrite my existing setup and configuration.
  12. AuthentiX and AuthentiX ISP - what is the difference between AuthentiX ISP and AuthentiX with a license for multiple DSN's?
  13. I have heard a lot about AuthentiX and it sounds great! Our website is hosted at an ISP (internet service provider) / WPP (web presence provider). Can we use it on our website hosted at the ISP?
  14. Problems with IE4.01 because of IE4.01 bug Q182133
  15. Problems with IE4.01 because of IE4.01 bug Q196383
  16. I installed the software, and it was protecting membership areas just great. But now it is not working.
  17. Where is the remote administration dll?
  18. Current user: how do I determine who the current user is, using CurrentUserName?

  19. How do I protect individual files?
  20. Add user directly to group?
  21. Cannot save to file
  22. I get into the protected area, but it keeps re-prompting me with multiple prompts for a username and password.
  23. "I've installed the Red Worm patch. My IIS system restarts every 15 minutes (OR every 30 minutes OR every hour OR once per day). In the event log I see a message about AuthentiX starting up"

  24. The software keeps prompting me (three times or more!) on the page in the protected directory. It is a terrific page, it's got stylesheets, framesets, a whole bunch of cool gifs, all the latest stuff and more. Why am I having problems?
  25. I have been able to protect Real streaming files with WebQuota by saving them as .rm files .... but my visitors receive a double prompt for a username and password the first time they log in. How can I fix this?
  26. How can I turn on tracing, to see what files are being denied access?
  27. ASP Samples
  28. Can I run multiple copies of the software for multiple users?
  29. What happens if I use AuthentiX to protect a directory, then use it to protect a sub-directory of that directory?
  30. How do I change the access denied message and the realm?
  31. If I type a different page into the Address box on my browser, I am let in without another prompt.
  32. What's the performance hit of using the software?
  33. With AuthentiX ISP, can one administrator protect the files of another administrator?
  34. Are there any log files generated by Authentix?
  35. The REMOTE_USER environment variable is not being set for CGIs if a directory is protected using the software. How do I get the login name?
  36. I cannot get ASP to add users, or get any changes to 'stick'.
  37. Limit logins? Details, restrictions?
  38. Limit logins? How do I get it to work with my ODBC/SQL/mySQL database?
  39. The proxy server at AOL, etc. are driving me crazy. I am spending too much time analyzing whether my users are cheating on their subscriptions or just victims of these proxy servers.
  40. What is the process that takes place to validate a user.
  41. I have content which is license-restricted to 15 concurrent users - can you help?
  42. I notice that once I have entered a username and password to access a directory, I don't have to enter it again. Because several people share each computer/browser that access the directory, how do I turn this caching off?
  43. I have multiple protected directories and each are subdirectories of each other, ie /paid/, /paid/b/, /paid/c/, /paid/c/d/, etc. They are all separately protected by the same group. When a browser goes straight first to /paid/c/ he is prompted once. Then when going to /paid/b/ he is prompted again for the same username/password! I want him prompted only once!
  44. I am using files that are played with Windows Media Player. When they are protected with AuthentiX and Basic Authentication, Windows Media Player cannot access them when using IE, although Netscape works fine. (mpg, mpeg).
  45. I am using files that are played with Real Video and Real Player When they are protected with AuthentiX and Basic Authentication, Real Player cannot access them!
  46. I want to have several different directories, each with different levels of access (corresponding to an AuthentiX Group), but I only want users to login once, then be redirected to the appropriate directory based on their group. How can I do this? I don't want to put 3 buttons from a free area because everyone will see the different access levels.
  47. I expect to have tens of thousands of users, probably many more than that. Is the internal database the way to go, or how do you recommend I set up the site?
  48. Text file, versus Internal Database,versus ODBC, how do I choose?
  49. Text file, permission issues. ?
  50. I want the ability in ASP to take away content that a logged on user without sufficient privileges shouldn't see, for a particular page in a protected directory.
  51. I'm using Cookie-protected directories over an SSL connection and I cannot download zip files (or Save-target-as) with Internet Explorer (Netscape works fine). How do I fix this? (.pdf, .xls, .doc, .zip, .exe).
  52. I'm serving up .pdf, .xls, .doc, .zip, .exe files, however if I open them in a new browser using javascript:window.open function but the cookie gets lost and the file cannot open!
  53. I want to change the dialog box the user sees when logging in using Basic Authentication. Where in AuthentiX do I set this up?
  54. Basic Authentication: can I set the username and password on the browser, so the user does not have to see the popup login dialog?
  55. Basic Authentication: how can I logout a user?
  56. Why is the FAQ in one great huge file?
  57. I am using AuthentiX ISP and the aspAdminISP asp web pages for remote administration, and I am getting -14 users, and other strange results. In the Administrator Settings, it tells me "This domain has a bad password (status: 2). See your ISP Administrator".
  58. I am using AuthentiX ISP and the OCX module and I am getting error 102, and other strange results.
  59. I am using the AuthentiX OCX module and I am getting error 50.
  60. I just used AuthentiX to protect a directory that I've been working on, and I was shocked to find that after it prompted me for a username and password, I could click the browser's "forward" button, then the "back" button and lo! the protected page appears! Is this a security hole?
  61. Can you show me the code you use for the AuthentiX and WebQuota signup forms - it sends confirmation email and adds the new user to the AuthentiX database...
  62. I have two different websites with different domain names (ie www.abc.com and www.efg.com), and I only want the user to log in once for access to both of them.
  63. Implementing a multiple domain authentication model
  64. Inktomi Traffic Server
  65. I have WebQuota, what are the optimal settings for preventing account abuse?
  66. Can we use AuthentiX as well as maintain IIS directory and NTFS security?
  67. How do I map Authentix to use an NT account?
  68. Password expiration - how is this done?
  69. One time password, to administer tests over the web for students, or downloading files.
  70. I want to use Windows NT/2000 Load Balancing Service for multiple webservers in a cluster. What do I need to consider when using WLBS and/or Microsoft Application Center (MAS) with AuthentiX/WebQuota?
  71. How do I use the OCX in other languages such as Cold Fusion, SQL, Visual Basic etc?
  72. I am using referral (referer) protection however, with MPEGS, WMV's and pdf's it does not work - users are denied access, and with printing CSS I have the same problem.
  73. I'm using one of your advanced authentication methods (eg ODBC-Advanced, or By COM) in conjunction with site-wide cookies. How do I decode the password supplied by AuthentiX to the advanced method so I can compare it with the password value in my data store?
  74. I want the user to be redirected to a sign up page, if they fail to login with Basic Authentication.
  75. I want the option of using my existing NT or Active Directory Accounts as well.
  76. How can I automatically sign up users and have them expire after 90 days, using the internal database, or an ODBC database?
  77. ASP and session ids.
  78. In the Event Log I am seeing [5] Access is denied with message ID's 8729991 and 883762
    Is this a problem?
  79. By referrer issues.
  80. Lots of IIS startup messages.
  81. Protecting by Referrer and very large Adobe pdf files.
    INSTALLATION

  83. Once we have installed and incorporated the evaluation version will we have to redo the configuration when we upgrade to the purchased version?
  84. Ordinal 6571 (or 6883, etc) could not be located in the dynamic link library MFC42.dll, or OCX error 800401f3
  85. What is the standard installation procedure for IIS4/5?
  86. How to uninstall Authentix?
  87. I tried that, but it won't let me uninstall.
  88. I get an error regarding the Virtual Device Driver during installation
  89. On installing, I get a weird dialog box with dlgcacwinname and ins0432 in it. Then the install fails. What do I do?
  90. I get an error titled "Setup initialization Error". The message is "Insufficient memory to run the setup".
  91. I have tried to install the latest version, however it still comes up with the old version!
  92. IIS4/5 filter installation problems
  93. Installation with Cold Fusion Service Running
  94. The Authentix filter won't stay loaded
  95. IIS4/5 filter installation problems with MS PWS
  96. I'm using IIS and I think I've loaded the filter, but it doesn't seem to be working!
  97. Can I install two copies of AuthentiX on two different sub-webs under IIS4 and above?
  98. I installed the software, but it doesn't protect anything at all!
  99. I want to install the software on a second machine because we are moving the website to this new machine. How do I move the AuthentiX/WebQuota settings to the new machine? (move to, moveto, migrate).
  100. I cannot completely uninstall. I am having problems uninstalling. How do I manually uninstall?
  101. I notice that other ISAPI filters with high priorities run first, before AuthentiX. I want to run AuthentiX / WebQuota as a high priority filter. How do I do this?
  102. I'm running IIS6, and after I install the software nothing works! You pop up a dialog box saying IIS needs at least one request to activate, but I can't make any requests at all. IIS6 just hangs. What shall I do?
  103. I'm running IIS6, and I am having problems. In the Application Event Log I am getting:
    RegCreateKeyEx: [5] Access is denied.
  104. I am trying to install but I am getting the message:
    "The image file is valid but is for another machine."
    I understand that this is because it is a 64bit Windows machine. How do I install on 64 bit Windows?
    E-COMMERCE

  106. I want to protect pages and sell access to them automatically.
    ODBC

  108. Beginner's Step by Step (using an ODBC database)
  109. How do I setup using groups with my ODBC database?
  110. I cannot get past the Authentication dialog!
  111. I still can't get in!
  112. ODBC and Windows 2003
  113. ODBC won't let me in!
  114. The test button works fine, but I cannot login. I turned on "Show Reason in Access Denied Message" and it just says "Bad Password" :-(
  115. Am I using the right SQL syntax?
  116. How to setup SQL database on a different machine, not on the webserver itself. (Can also help with a W2K3 SP2 permissions issue)
  117. SQLOLEDB connection string, and useful MS articles.
  118. ODBC caching? What's going on?
  119. I'm using Oracle with ODBC and it won't let me in!
  120. I just installed MDAC, and now I cannot modify my ODBC database with Access 2000 via the ASP remote admin pages.
  121. How are ODBC and Internal Database groups related?
  122. I need a single username with several passwords with the Internal Database.
  123. I need a single username with multiple passwords with my ODBC database.
  124. ODBC Case Insensitive passwords.
  125. How can I protect access to two dbWeb "schemas"?
  126. I am using Oracle, where are the latest drivers?
  127. I am trying to authenticate with the software and IIS against a database on another machine on my LAN. It doesn't appear to work. What do I need to do?
  128. I am trying to use an SQL database which uses trusted (or mixed) security. The Test button works but it doesn't let me in.
  129. Sample to change password with an ODBC database.
  130. Denied_ODBC_Expired
  131. Inner Joins, Table Qualifiers on the password field in Custom Select Statements.
  132. I am using the remote admin tool with an ODBC database,
    however I am getting 31, ODBC error with statement, error number is: 3704 The operation requested by the application is not allowed if the object is closed.
  133. Stored procedure example for use with ODBC - Advanced.
  134. I've moved on from the Standard and Custom ODBC Select statement and I am in the process of setting up with the "Advanced" ODBC string. Tell me more about this.
  135. Finally! SQL server and the 255 character limit resolved.
  136. If I am using an ODBC database (say SQL Server), is the remote administration module and properties of the OCX useless to add and remove users from an ODBC database?
  137. I'm using Version 5.3f1 and I am getting
    >Microsoft VBScript runtime error '800a000d'

    >Type mismatch: '[string: ""]'
    in the remote admin.
  138. I've got thousands of files, each of which I want to have different permissions. Customers can buy access to any number of these individual files, and this information is stored in an ODBC database. Do I have to individually protect each file with a different SELECT statement, or is there an alternative.
  139. Is there a way to check for the script_name, the file requested, in the custom select statement? I can't seem to get it to work?
  140. I've tried everything. The Test button works fine, I've set all the optional switches, its a system DSN, I have permission to access the database from IIS, I've read and tried everything else in the FAQ - I'm pulling my hair out, MARIO - help me!
  141. How can I automatically sign up users and have them expire after 90 days, using an ODBC database?
  142. I have a bunch of users in the internal database, and I want to convert to using an SQL database. (Convert to SQL).
  143. ODBC return error -51 rows. This is AUTHX_ODBC_NO_CONNECT, and means that the software cannot connect to the database.

    FRONT PAGE

  145. FrontPage Setup
  146. FrontPage Setup - Camille's way
  147. FrontPage Search Bots
  148. When I protect a subdirectory of a frontpage directory, I cannot edit it with Frontpage (or Visual Interdev)!
  149. Sometimes, little features, like hover buttons and other items are protected when they shouldn't be, what can I do?
  150. Everyone is permitted access to change the site with Frontpage!
    COOKIE

  152. Cookie-based login
  153. Cookie tutorial
  154. I have an existing personalization cookie and/or session variable. Now I want the additional security that AuthentiX provides. Can I merge the two?
  155. Current user: how do I determine who the current user is, using CurrentUserName?
  156. Migration, ASP, .NET and integration.
  157. I want cookie based login with a form, not Basic Authentication with a pop-up dialog.
  158. I want to encrypt and decrypt the cookie, to get the current username and other information.
  159. Logout a user, tips and traps.
  160. Can Authentix be used to track users before they have logged in, for example for a shopping cart?
  161. How can I create custom / dynamic pages for my users, only showing them links to which they have permission to access?
  162. I'm using cookie-based login. A user bookmarks a page, then the following week she returns to it and is sent to the login page. Now I want to redirect her to her original bookmarked page.
  163. ISAPI Extension.
  164. I'm using cookie-based login, and I have set the cookie to timeout after 10 minutes in the Windows GUI. However it never seems to timeout like I want it to!
  165. I've set up cookie protection for a directory, but when I browse to it, my web browser just goes crazy, in some kind of infinite loop!
  166. All well and good, however I want to protect an entire website with cookies, but I cannot get to the login page in that website!
  167. With Cookie based protection, I am trying to get the cookies to be persistent, but they always seem to expire with the session. I don't want the user to log in each time they come to the site. How do I make the cookies persistent?
  168. With Cookie based protection, I want the user to login once, then have access to multiple different directories.
  169. With Cookie based protection, I've protected a directory //servername/dirname, however when I go to //servername/dirname it prompts for a password even though I have got in successfully to //servername/dirname/ (with the slash included).
  170. I am protecting a directory called "secure" with cookies - it works with IE but not with Netscape!
  171. I am using "site-wide" cookie-login, but if the directory just below the root directory changes case (for example with a link which goes to the same directory, but with upper-case instead of lower-case letters in the URL), then the user is logged out!
  172. I am confused about cookie-timeouts on the browser, AuthentiX cookie timeouts, and the limit-concurrent-login timeout.
  173. How do I get cookie-failover to work, so that if cookies are disabled, they will be prompted for Basic Authentication?
    OCX/Remote Admin

  175. How do I setup browser based remote administration?
  176. I have the MMC/IIS Properties/Home-Directory application protection set to Medium, or High (IIS5 and above) or NOT "running in its own application space" (IIS4 and above). Then strange things happen with remote administration. I cannot see who is currently logged in as I should be able to. Sometimes the remote administration tool clears the configuration, and I have to restore the adb file.
  177. I'm having problems with ASP remote admin,
  178. I cannot find AuthxRem.dll!
  179. Remote Administration tells me that it has encountered an error. Code is [5] Access is denied. The file could not be accessed.
  180. I get the message:
    "There is a problem (DomainEnabled returned 5). Unable to write to the configuration file. Ask your ISP Administrator to grant read and write permission to the AuthentiX ISP configuration data directory. Check the Application Event Log for details. "
    What do I do about this?
  181. I get 501 errors!
  182. When I try and add or remove users, I get error code 50 instead!
  183. In the remote admin, I am getting -3 errors, or it just hangs.
  184. I get an error saying "object not found"
  185. I get, "The call to Server.CreateObject failed. The requested object instance cannot be created. " with an error code of 0177:80040154.
  186. I still get an error saying "object not found".
  187. I cannot update the OCX, I cannot delete the old one.
  188. Error message with sendmail
  189. When I use the sendmail method, I get 'cannot open socket'.
  190. Could not open socket 25
  191. I am using the remote admin tool with an ODBC database,
    however I am getting 31, ODBC error with statement, error number is: 3704 The operation requested by the application is not allowed if the object is closed.
  192. I'm getting VBScript runtime error '800a01ad': ActiveX component can't create object.
  193. I'm getting error 1450 in the event log.
  194. With the remote admin/OCX component I'm getting Failed on creation from object context: CoCreateInstance
  195. I cannot create the AuthentiX object in ASP! I get an Event log message about ccontext.cpp
  196. If I am using an ODBC database (say SQL Server), is the remote administration module and properties of the OCX useless to add and remove users from an ODBC database?
    MISC

  198. I have a "webfarm", of 15 web server machines. I want to have a single location in which to manage my users and groups. How can I protect directories on each machine from a single location?
  199. Current user: how do I determine who the current user is, using CurrentUserName?
  200. How can I import a bunch of usernames and passwords from a text file to the internal database, without having to type them all in again?
  201. Do you do custom work and consulting?
  202. HTTP/1.0 403 Access Forbidden.
  203. I am using MS Proxy 2 and IIS 4/5. We can get to the member area from our internal network, but not from the internet.
  204. IIS4/5, a virtual web site in its own memory space, and reason=denied_cookie_timed_out
  205. I notice that once authenticated, I am able to view any directory - even those which I do not have permission to view. How do I fix this?
  206. I get an error regarding the Virtual Device Driver during installation
  207. Filtering searches using Index Server
  208. I try and save a change, and I get Could not save to file!
  209. I am using AuthentiX/WebQuota ISP, however I cannot get into any of my websites when AuthentiX is installed. I turned on the Option to "Show reason in Access Denied message", and I get DENIED_INVALID_3b
  210. I am concerned about encryption/encoding. Does AuthentiX encrypt passwords with Basic Authentication? How about with cookie-based AuthentiX authentication?
  211. How do I get the user's name and password from within a C++ ISAPI DLL?
  212. I am trying to use server.MapPath on an AuthentiX protected directory but I cannot get it to work!
  213. When I login, all my ASP session variables seem to disappear!
  214. ASP 0115 a Trappable Error Has Occurred
  215. In the event log, I am getting Failed to Create/Open File (1): filename.
  216. In the event log, I am getting Accept raw header overflow
  217. In the event log, I am getting "(!m_directory.IsEmpty())", "(!m_codeName.IsEmpty()", or "AXISP (7726725) error, directory not set"
  218. In the Application Event Log, I keep getting messages like "Successfully Loaded Configuration Data". What's wrong?
  219. How to protect a directory that is specified via UNC like this:
    \\theweb\$d\inetpub\wwwroot
  220. I am getting "Invalid License (Code4)!, (code 4) The software has not been installed correctly. Invalid license (Code5)! (Code 5)
  221. The installation went fine, but I'm having trouble making the authentication via the NT database work at all.
  222. I have two websites that have differently named domains: www.economics101.com and www.economicsToday.com. How do I get a single logon, that permits the browser to go to both domains, but doesn't popup a second login dialog when I go to the second domain?
  223. I am using Windows 2000, IIS5, and the log files are not reporting the correct filesize, so that the reported number of bytes sent is incorrect.
  224. I am using AuthentiX ISP, and the IP addresses on my machine don't show up!
  225. I am using the Extensibility SDK with a COM object written in Perl for authentication. However I am getting Could not AfxOleInit (2) and RPC_E_CHANGED_MODE in the event log, and I cannot get access with a valid username password.
  226. I would like to use AuthentiX in combination with LDAP, How can I do this?
  227. Mac client problem with Frames not showing graphics or images?
  228. The adb file has been trashed! What happened and how do I fix it???
  229. I am getting saveLoadMutexLock failed in the event log.
  230. 16bit, 16-bit 16 bit errors on Installation.
  231. I am getting ugly bitstreams in IE, instead of my Word/Excel/otherApp document? Why?
  232. PHP sample.
  233. Problems with HSphere/H-Sphere
    VideoQuota

  235. I cannot access any WMS files! I am getting an NSUnicast Error in the application event log, with the message "The Windows Media Unicast Service Plugins encountered a catastrophic failure." in plugin: "VQTrack ErrorCode=0x80040154."
  236. Remember to turn off "Enable Fast Cache".
    Caching can disable Basic Authentication, because it necessarily bypasses the usual processing channels.
  237. How do I change the VideoQuota realm?
  238. I want to protect both WMS served video, and IIS served webpages with Basic Authentication, but I only want the user prompted once.
  239. I am running WMS and IIS on the same machine, and they seem to conflict! IIS doesn't work!
    You must set Windows Media component services to be dependent on the Web service so that the Web service can bind to port 80. If you do not set this dependency, then Windows Media server components might bind to port 80 first, and the Web server will not function properly. These steps are specific to using Windows Media Services with IIS 4.0 or later. If you use Windows Media Services with a different Web server, check the documentation for that server for instructions on setting dependencies.
  240. VideoQuota and protecting By Referrer.
  241. Embed video.
  242. In the Event Log, I have a message that just says "No g_pServer."
    Windows 2000

  244. Windows 2000 Compatibility
  245. Windows 2000 and aspAdmin remote administration Error: 50;
  246. I change the user's info via remote admin, but the change doesn't seem to stick!
  247. I change the user's info via the Windows GUI, but I have to restart IISAdmin to see the changes!
  248. I'm using Windows 2000 and I really like being able to see who is currently logged in with the aspAdmin remote admin module. However I cannot see any currently logged in users even though I know I am logged in!
    ASP /.NET RESOURCES

  250. Creating a Runtime Callable Wrapper.
  251. Loading up the AuthentiX COM object in .Net
  252. Example of use in an aspx page
  253. Example of use with "code-behind"
  254. Sample aspx code you provided doesn't work!
  255. GroupAddNewUser - how do I make the expiration zero or null?
  256. Duplicates in the Event Log?
  257. VB.Net sample

Q. Beginner's Step by Step with the internal database.

A. If you are running the software for the first time, here are the steps you need to take to protect a directory using the internal Database:

First make sure you can access the directory you wish to protect freely (via http://...), without any IIS/NTFS protections.
Use Netscape for this, since IE will sometimes log you in with your current login without telling you.
Make sure the directories you are trying to access have Read (and execute) Permissions for Everyone with NTFS.
Make sure Basic Authentication is turned OFF in IIS5 (and above) Management console, otherwise it will conflict with AuthentiX Basic Authentication.
Make sure Allow Anonymous is ON. NTCR can be ON or OFF.

  • Create a user. From the main dialog, click the Users button, then Add. Type a username and password and press OK. You should now see the user in the user list. Press OK.
  • Create a group. From the main dialog, click the Groups button, then Add. Type a group name and then click on the user you just created in the non-members list box. It should be highlighted. Now click Add. The user should now be moved to the Members list box. Press OK. You should now see the group in the group list. Press OK.
  • Protect a directory. From the main dialog, click the Access button, Then Add. Use the Browse button to select a directory that is part of your web directories, and that you would like to protect. Click on the "By Internal DB" tab, then the "By Group" button and add the group you added above to the Permitted list. Press OK. You should now see that the group is protecting that directory. Press OK. Press OK.
  • Use a browser to go to the URL that the directory is accessed from, using IIS5 (and above), via http. It should prompt you for your username and password.
  • Type the username and password you entered above to gain access.

NB: To change the Access Denied message, click the "Basic/Cookie" tab, and click the Messages button.

Q. Beginner's Step by Step with ODBC.

A. If you are running the software for the first time, here are the steps you need to take to protect a directory using an ODBC datasource:

First make sure you can access the directory you wish to protect freely (via http://...), without any IIS/NTFS protections.
Use Netscape for this, since IE will sometimes log you in with your current login without telling you.
Make sure Basic Authentication is turned OFF in IIS Management console, otherwise it will conflict with AuthentiX Basic Authentication.
Make sure Allow Anonymous is ON. NTCR (Integrated Windows Authentication in Windows 2000) can be ON or OFF.

Also see here.

Note: You can administer and setup ODBC via a webbrowser using the remote administration. However you need to know the structure of the database, and the exact form of the Connect String for the System DSN. Selecting the Connect String from the console is conveniently easy and straightforward.
Set up the DSN from the console, or have your ISP do it for you.

Q. How do I protect individual files?

A. You can use the following tip:

Hi,
Downloaded your software and it looks great. I will be purchasing it today. By the way, I typed in the full pathname of a filename into the Browse edit box in the Authorization dialog - and guess what - it protects just that file!
--Jon

Thanks Jon! The software adds a slash to the end of the filename, aside from that it works just like you say!

Q. I have the MMC/IIS5 (and above) Properties/Home-Directory application protection set to Medium, or High (IIS5 and above) or NOT "running in its own application space" (IIS4). Then strange things happen with remote administration. I cannot see who is currently logged in as I should be able to. Sometimes the remote administration tool clears the configuration, and I have to restore the adb file.

A. Go to MMC/IIS and right click on the website and select Properties. In the Home Directory tab, make sure the Application protection level is set to Low (IIS Process). You should be able to set this value on the aspAdmin directory itself.

Because the software is implemented as an ISAPI filter, ASP programs accessing the AuthentiX OCX module need access to the datastructures in the IIS process itself. If application protection is set to one of the ASP debugging levels (Medium or High), then this access will be unavailable.

Q. I'm having problems with ASP remote admin,
A. Check out the OCX/ASP Component Problem solver

Q. When I have set up protection for a directory, I can get in with Internet Explorer when it prompts me for the Username and Password. However when I use Netscape, I type in the Username and Password, then it gives me another dialog to type in the username/password, this time with no Realm. When I cancel out it says "Error - access denied".

A. It looks like the directory is protected with NTFS. IE will use your login name behind your back (especially if you are on the same machine or local network) to let you in. Remove the software's protection from the directory, then use Netscape Navigator to try to access it. Free up the permissions on that directory so that Netscape can get in. Then put the software protection back. That should fix you up.

Back to the top of the FAQ

Q. ODBC and Windows 2003

A. You will be pleased to note that Windows 2003 is locked down much more than Windows 2000.
You won't be so pleased to learn that this can make it harder to create DSN strings, and harder to successfully connect to the database.

One user found that everything was working on Windows 2000 but when moved to W2K3 the AuthentiX filter was not able to gain access to the database, with the following message in the Event Log:

General Error: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. - 28000

In the second dialog for setting up the System DSN, he was using Network Logon for Trusted Connection. Changing this to SQL Server Mixed Authentication (SQL2000), with a matching account in SQL Security, solved the issue.

Adding the NT Authority\network service (s-1-5-20) user to the admin group may help.

Also, see here.

Back to the top of the FAQ

Q. The test button works fine, but I cannot login. I turned on "Show Reason in Access Denied Message" and it just says "Bad Password" :-(

A. Make sure that the DSN you are using is a System DSN. Other DSNs are not accessible to system processes such as IIS.
Also note that the "Test ODBC" button may work properly with non-text or multiple-word fields, but the web authentication may fail. Make sure you are using text fields and that the field names do not contain spaces.

The Test ODBC button differs from using the ODBC connection from the filter in the following ways:
1) The Test ODBC button executes in the permission context of the logged-in user, so if that user has permissions, all will go well for the Test button. However, the ISAPI filter logs in as the system account, which usually will not have permission to access resources that are not on the local machine. If you need to access a database on another machine, try using the "Impersonate User when Accessing Database" settings.
2) The statement the Test ODBC button executes does not include the where clause for the username, so it only executes
Select password from tablename
and comes back with a count of all users. The ISAPI filter, by contrast, will execute
Select password from tablename where username='suppliedUsername'
and will come back with one entry if there is a match for the username. The filter then compares the returned password with the supplied password.

Back to the top of the FAQ

Q. I just installed MDAC, and now I cannot modify my ODBC database with Access 2000 via the ASP remote admin pages.

A. With newer versions of drivers and databases, permissions can become an issue where there was no issue before.

Make sure you grant Change permissions for IUSR_MachineName (and IWAM_MachineName where appropriate), where MachineName is the name of your machine, to the directory containing your database, and everything within and below that directory, including the database itself.

Back to the top of the FAQ

Q. Single user name, multiple passwords with ODBC database?

A. It is normally best to have the username as a unique key. However, if you have multiple users with the same name but different passwords, then you can set a switch in the registry to tell AuthentiX to add " AND passwordField='passwordEntered'" at the end of the select statement (standard or custom select).

To make this happen, using regedt32.exe, add a value in the registry

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
of type REG_DWORD with the name addPasswordToSelect.
Make its value 1.

Note: the software caches successfully logged in ODBC usernames and passwords for performance reasons. If a username logs in with one password and another tries to log in with that username using a different password (while the first is still in the cache), then the second will not be able to get in, because the ODBC database will not be queried again.
To turn off this caching, go to the options dialog/ODBC options, and set the relevant checkbox. This will disable the cache and query the database for every request. This may have a performance impact.

Then stop IIS Admin Service (IIS4 and above) or World Wide Web Publishing Service (IIS3) from the control panel and restart.

This really isn't recommended because of the performance issue.
It will not work if for example you are using cookie-based login, where the passwords need to be decrypted and/or hash-matched first.

NB: This ability is intended to help ease the transition to a database with single username/password combinations. It works for the most common scenarios, but may not be fully supported for all functionality, for example cookie-based login with ODBC. Additional custom upgrades may be required, if you wish to persist in using multiple passwords with a single username.

Alternatively:

You could use the "By COM" option (with the Extensibility SDK), and specify the Option: "Call On Every Request". This option will bypass the built-in username/password caching, and you can check usernames, passwords, etc. with any scheme you wish.

Back to the top of the FAQ

Q. How are ODBC and Internal Database groups related?
How do I setup using groups with my ODBC database?

A. ODBC users and Internal Database Groups are not related at all!

If you are using ODBC and you want groups, then make groups a part of your database, and then use the custom select statement for each directory.

Add a field to the user table indicating the access privileges for that user. This could be a hierarchical priority level ("A", "B", "C") or group membership ("Vendors", "Wholesalers", "Customers").

Then use the custom select statement on each directory you want to protect, setting the select statement to reflect the group, eg
Select Password from Users Where AccessLevel='Customers' AND user= etc.

Back to the top of the FAQ

Q. I am using the ODBC interface with Oracle, and when I hit the Test button it doesn't work :-(

A. The DSN setup does not automatically add the password field to the DSN string. Try adding
PWD=password
after the last semicolon in the DSN string, where password is the password you use to access the database.

Also note that with Oracle, all variable names must be capitalized.

Back to the top of the FAQ

Q. I get into the protected area, but it keeps re-prompting me with multiple prompts for a username and password.

A. Always make sure that Basic Authentication in IIS/MMC is turned off.

If you are including images, make sure the images are in a sub-directory of the protected area.

If you are using frames, make sure that all the frame components are in the same directory, and that it is the same protected directory.

When you are prompted the second and third time, what is the realm indicated in the prompt dialog? If it is not the same as the one set by AuthentiX, there is a file being protected by IIS/NTFS. When you escape out of the prompt, you should see an Access Denied message. If this is not the one you set with AuthentiX, there is a file being protected by IIS/NTFS.

If you are using ODBC to validate users, and you are getting reprompts that cannot otherwise be explained, try setting the "Impersonate NT User" in the ODBC settings for that directory's protection, to an NT account that has valid access to the database.

Windows2000
With Windows 2000, Everyone has only List permissions within the inetpub directory by default. Even though the advanced properties say they have Read and Execute, these are not inherited by default as they are in IIS4/5.

AuthentiXISP / WebQuotaISP

If you are protecting content on several drives using Basic Authentication, make sure that the realm is the same for each.

HTTP Keep-Alives
Try turning off HTTP Keep-Alives. Some file types (eg pdf files) will prompt multiple times, because the browser asks for information in 1mb chunks (or thereabouts) but only supplies the username and password for the 1st chunk. Sometimes quitting out of the 2nd and subsequent prompts allows you to see the file anyway, which is what you want, but is somewhat disconcerting.
You turn off HTTP Keep-alives by going to the master properties for the website (In IIS/MMC) and turning off the corresponding checkbox.

Also see here

See also here.

Back to the top of the FAQ

Q. The software keeps prompting me (three times or more!) on the page in the protected directory. It is a terrific page, it's got stylesheets, framesets, a whole bunch of cool gifs, all the latest stuff and more. Why am I having problems?

A.
Likely you are including something outside of the protected area. The browser is sending the credentials (username/password) to the non-protected area, and IIS thinks it should authenticate the request, but it doesn't recognise the AuthentiX username/password. This is why you are seeing the pop-up dialog with a different realm than the realm specified in AuthentiX.

[NB, see also here]


Alternatively, you could be using a complex set of html/asp features, that is confusing the browser, so that the browser is sending authentication information in the http header when it should not be, or failing to send authentication information when it should be.

Create a directory with just one simple htm file in it. Protect it with AuthentiX and see what happens. If all is well, add a graphic and an <img src> tag. If all is well, keep adding things from the page that is not working right, one by one, until you get the problem. The last thing you added after the last edition that was working right is what is causing the problem.

Additional info:

If you are using ASP server object features such as MapPath, then check this FAQ.

You could also try turning on NT Security Auditing for the directories and files in question, and check the event log for more information.

One user reported that turning on logging would stop reprompts (!). As far as we know there is no possible relation between logging (which happens right at the end of a request) and authorization (which happens right at the start). We have only heard of this one time, but if it happens for you, let us know...
Another user reported this (Windows 2000/IIS5), and turning on logging fixed it! (10/1/04)
And a third (Windows 2000/IIS5/SP4).

An additional workaround (particularly useful for users experiencing problems with Excel, PDF, and Word files) is the following:

If you are reprompted for excel files, but not for jpgs in the same directory, then it is most likely an issue of how the excel file handles the authentication.

For those files that reprompt, you could get the current username:

http://www.flicks.com/fbeta/q_and_a.htm/TechnicalSupport/who_is_the_current_user.asp

then populate the link using the following formula:

http://username:password@www.website.com/directory
(but see here).

where username is the username variable and password is the password variable.

Back to the top of the FAQ

Q. I have been able to protect Real streaming files with WebQuota by saving them as .rm files .... but my visitors receive a double prompt for a username and password the first time they log in. How can I fix this?

A.
This is a fairly easy solution. To eliminate the double prompt, you will need to create a redirect page. This redirect page will get the current username, form a link with the username and password hard coded within it (use the format http://username:password@www.website.com/filename - but see here), and redirect the user to that link.

Instead of linking directly to the .rm file, link to the redirect. Your members will not know the difference!

TRACE FAILURES (trace access denied)

New in 5.2d2 there is a debug mode that you can enable as follows: In

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
create a value called traceAccessDenied, of type DWORD, and set it to be 1. Stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web Publishing Service (IIS3) from the control panel. You have to stop IIS Admin from the control panel/services, not just a subweb in Internet Manager.

Try logging into the page again. When it fails, check out the application event log. You should see various extra entries and they should say things like this:
The description for Event ID ( 0 ) in Source ( Flicks Denied ) could not be found. It contains the following insertion string(s):
Denying *Empty user name* for F:\x1\x2\graphics\index.gif, protecting path is f:\x1\x2\
or
Denying Raxer for F:\dir1\dir2\graphics\index.gif, protecting path is f:\dir1\dir2\

Inspect all the values and output generated; they should give extra clues as to what is going on.
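An added example (not part of the Flicks software or of the original FAQ): a small parser for the "Denying ..." insertion strings shown above, which groups denials by protecting path and separates requests that arrived with no username from denials of a named user. The line format is taken from the two samples above; the extra sample lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Line format taken from the two sample insertion strings in the FAQ:
#   Denying <user> for <file>, protecting path is <path>
DENY_RE = re.compile(
    r"^Denying (?P<user>.+?) for (?P<resource>.+), "
    r"protecting path is (?P<path>.+)$"
)
EMPTY_USER = "*Empty user name*"

# The first three lines are quoted from the FAQ; the last three are constructed.
SAMPLE_LOG = r"""
The description for Event ID ( 0 ) in Source ( Flicks Denied ) could not be found. It contains the following insertion string(s):
Denying *Empty user name* for F:\x1\x2\graphics\index.gif, protecting path is f:\x1\x2\
Denying Raxer for F:\dir1\dir2\graphics\index.gif, protecting path is f:\dir1\dir2\
Denying Raxer for F:\dir1\dir2\index.htm, protecting path is f:\dir1\dir2\
Denying Raxer for F:\dir1\dir2\index.htm, protecting path is F:\dir1\dir2\
Denying *Empty user name* for F:\x1\x2\style.css, protecting path is f:\x1\x2\
""".strip().splitlines()


def parse_denial(line):
    """Return a dict for one 'Denying ...' string, or None if it does not match."""
    m = DENY_RE.match(line.strip())
    if m is None:
        return None
    user = m.group("user")
    return {
        "user": None if user == EMPTY_USER else user,
        "resource": m.group("resource"),
        # Windows paths are case-insensitive (the samples mix F:\ and f:\),
        # so normalise the protecting path before using it as a key.
        "path": m.group("path").lower(),
    }


def summarize(lines):
    """Group denials by protecting path.

    Requests that carried no username are counted separately from requests
    that carried one; the denied resources are remembered per path.
    """
    summary = defaultdict(
        lambda: {"no_username": 0, "by_user": Counter(), "resources": set()}
    )
    for line in lines:
        rec = parse_denial(line)
        if rec is None:
            continue  # other event-log text, such as the "description" preamble
        entry = summary[rec["path"]]
        if rec["user"] is None:
            entry["no_username"] += 1
        else:
            entry["by_user"][rec["user"]] += 1
        entry["resources"].add(rec["resource"].lower())
    return dict(summary)


def repeated_failures(summary, threshold=3):
    """Return (path, user, count) for named users denied at least `threshold` times."""
    hits = []
    for path, entry in sorted(summary.items()):
        for user, count in sorted(entry["by_user"].items()):
            if count >= threshold:
                hits.append((path, user, count))
    return hits


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for path, entry in sorted(report.items()):
        print(path, "no username:", entry["no_username"],
              "named users:", dict(entry["by_user"]))
    print("repeated:", repeated_failures(report))
```

Denials with no username point at requests the browser sent without credentials, while the same named user denied repeatedly on one path is worth checking against that directory's user list.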

Back to the top of the FAQ

Q. 2. I understand that I can use ASP to let the user create his own UID and Password. Can you point me where I can get the sample code :-) ?

A.

There are several samples in the aspocxsamples subdirectory of the installation directory. More are being added over time.

The aspAdmin directory contains a comprehensive ASP working example of remote administration.

If you have some ASP files working with that you are proud of and would like to share, let us know and we'll see if we can get them in the next release.

If you want the samples, and your website is hosted at an ISP, you can always download the free trial, and get the samples that way.

Back to the top of the FAQ

Q. What happens if I use AuthentiX to protect a directory, then use it to protect a sub-directory of that directory?

A.

The protection associated with the lowest (longest) path name takes priority.

Back to the top of the FAQ

Q. How can I import a bunch of usernames and passwords from a text file to the internal database, without having to type them all in again?

A. Create a group and import to it.

Back to the top of the FAQ

Q. Do you do consulting or/and custom coding?

A. We are always very busy. If your project is consistent with our development goals, we do consider taking on custom work.

We are always happy to provide technical support for our products:

Back to the top of the FAQ

Q. How do I change the access denied message and the realm?

A. Use this dialog.

Back to the top of the FAQ

Q. What kind of performance hit is there with the software loaded?

A.

Performance statistics for IIS Website with 
600,000 hits per day. 12 Virtual Directories.	
Mostly static pages. Your mileage may vary.

System: Pentium 90 with 64 Mb Ram. 
IDE Hard disk drives.

Without the software

	Processor time      27%
	Bytes Total/Sec     60000
	Anon Users          160

With the software

	Processor time      35%
	Bytes Total/Sec     60000
	Anon Users          160


Back to the top of the FAQ

Q. Single user name, multiple passwords with the Internal Database?

A. Currently, there can be only 1 unique user name across all groups. However, group 'sale' can have user 'win', group 'support' can have user 'win' too.

AuthentiX ISP has separate adb files. http://www.flicks.com/authentix_isp/

Back to the top of the FAQ

Q. I want to protect pages and sell access to them automatically.

A.

First you need to set up your website, either on your own machine with your own dedicated internet connection, or with one of our recommended ISPs. Create a directory containing the content to which you want to sell access.

You need to be able to accept online payments. You can either set up your own merchant account and connect this up to one of our recommended credit card clearers, or discuss your requirements with one of our recommended credit card clearers and use their merchant credit card account.

Protect your saleable content directory with AuthentiX and an AuthentiX internal database group. This group should match the group coded in the free script mentioned below.

Use one of the free Credit-card-clearer AuthentiX integration scripts (each credit-card clearer has a slightly different version). Work with your selected Credit-card-clearer to make sure this is set up right for your environment and works for you.

Use the html order form supplied by your selected Credit-card-clearer to let customers order access to your protected content.

The combination of the free integration script, your credit card clearer, your ISP (if appropriate), and the order form will allow you to automatically sell access to protected pages.

Other notes:

  • If you just want automatic signup, without charging money, as with the signup for AuthentiX and WebQuota (which uses the email address as the username and sends an email to the person signing up), then check out the sample in the installation directory
    "\ASPocxSamples\WebQuota Signup Sample"
  • If you want to send additional emails to yourself, confirming various other order details, then you can modify the free installation script, which is called after the order is accepted, and before the customer is granted access. See the bonus OCX method SMTPSendMail or the dedicated email products OCXMail and ocxQmail.
  • If you want to signup users for 30, 60, or 90 days, then carefully refer to the signup sample and modify the free signup script appropriately.
  • If you have, or anticipate, a large number of users, consider using an ODBC database instead. Refer to the ODBC signup sample and modify the free signup script appropriately, and refer to the ODBC FAQ and related documentation.

Back to the top of the FAQ

Q. Ordinal 6571 (or 6883, etc) could not be located in the dynamic link library

or

 server object error 'ASP0177:800401f3
 the call to Server.CreateObject failed.
 the requested object instance cannot be created
[Note: if you get this error, it is worth doing
regsvr32 authxocx.ocx in the installation directory as a first step, then try again]

or

regsvr32 <module>.ocx returns
"Get last error returns 0x000000b6"
or
you see the following when installing the software:
Installation attempted to update the file
MFC42.dll
but failed.

A.

Note: Flicks Software products require Windows NT/2000 and above.

Also see here and here

Flicks Software products as of 12/16/98 use the latest version of the mfc42.dll support file from Microsoft.
The products come with and require the latest version of the mfc42.dll dated 9/26/98, size 995,383 (File Manager - winfile.exe) 973k (Explorer), File version 6.00.8267.0, product version 6.0.100.

  • Exit the installation program.
  • Make a backup copy of mfc42.dll (likely location: C:\WinNT\system32\mfc42.dll)
  • Download the latest mfc42.dll: http://www.flicks.com/mfc/mfc42.dll and save it into your system32 directory.
  • If you cannot save (access denied: in use) then try and delete mfc42.dll in the system32 directory
    • If you cannot delete the file (access denied: in use) then move or rename mfc42.dll to mfc42.old.
    • Download the latest mfc42.dll: http://www.flicks.com/mfc/mfc42.dll and save it into your system32 directory.
    • Reboot
    • Install the software again.

Installation should update mfc42.dll. However if it is being used by other programs, the older version will remain locked in place.

Back to the top of the FAQ

Q. Office2000 and IE Basic Authentication - inconsistent behaviour.

A. Several customers have reported that Office2000 does not work properly with Basic Authentication, whether it be AuthentiX Basic Authentication, or the Basic Authentication provided by Microsoft in IIS.

Office2000 will prompt for Basic Authentication username and password even though this has already been supplied for the requested directory. It may prompt a second time.

If you have already supplied a username and password to get access to the contents of the directory, then it doesn't matter whether the username and password are entered again (ie you can escape out of the pop-up prompt) and you will be able to view the document.

If you enter the URL of the document directly, it will require a valid username and password, however IE will present the document as a stream of binary data.

Needless to say, this is a less than satisfactory user experience. Contact Microsoft to ask when they will provide a fix.

See also here.

See also here.

NOTE:

  • The problem occurs with any Basic Authentication method, IIS built-in with Windows NT/2000 Accounts, or AuthentiX
  • Netscape does not have this problem.
SRF000330663894


Back to the top of the FAQ

Q. How to setup SQL database on a different machine, not on the webserver itself. (Can also help with a W2K3 SP2 permissions issue)

A. Hopefully the following will help set this up. Configurations vary so widely it is not possible to document them all here. Sometimes patience is needed (!)

7/7/2005:
With W2K3 and SP1, two new groups have been added:
Distributed COM Users
IIS_WPG
When you impersonate an NT user when making the ODBC call (usually with an Administrator account), make sure this account is a member of these two groups.

You will need to use the SQLOLEDB driver, instead of the default SQL driver normally presented in the ODBC control panel. The SQLOLEDB driver will not be visible here, and it shouldn't be.

The SQLOLEDB driver is available in the MDAC (Microsoft Data Access Components) package.

Create an SQLOLEDB connection string (see below).
Driver{SQL Server};Server=ServerName;Database=databaseName;UID=sa;PWD=;

eg
ConnectionString="Provider=SQLOLEDB.1;Password=WebUser1;
Persist Security Info=True;User ID=WebUser1;
Initial Catalog=VideoQuota;Data Source=MMS-ITVMEDIA;
Integrated Security=SSPI"
Here is a recent working sample:
Driver={SQL Server};SERVER=MACHINE_NAME;Provider=SQLOLEDB.1;
Password=user1;Persist Security Info=True;User ID=WebUser1;
Initial Catalog=CATALOG1;Data Source=MACHINE_NAME
And another:
Driver={SQL Server};SERVER=servername;Persist Security Info=True;
Database=dbname;UID=userid;PWD=password
Carefully match up the parameters on your connection string with the above example.

You may need to set up the appropriate SQL user/pass to access the database, as well as an NT user/pass that matches and is good for both machines. Make sure your SQL account has permissions to access all the relevant tables and procedures etc.

How to get it right every time:

  • First, catch your connection string.
    The best way to do this is to create an ASP/ADO page on the webserver, that connects to and reads from your Database. Likely you have already done this in order to add/change usernames/passwords in your database from the web.
    If not however, there are many excellent resources to help get this setup, including www.wrox.com, this great article at 4guysfromrolla, www.asp101.com (especially this article on connection strings), aspAlliance.com, etc. and Microsoft articles! BEGINNERS will enjoy this article from WebMonkey's Jay Greenspan
    Also see http://www.connectionstrings.com/.
    If these don't help, then since you are using only ASP, ADO, SQL and these are all Microsoft products they will be able to fix you up, (probably for a Tech Support fee though).
    Even so, most of the bases are covered by referring to the format of the SQLOLEDB Connection string above (and below).
  • In the ODBC setup dialog, paste this connection string into the Text Box next to the Data Source button.
  • Use Standard Select to begin with.
  • Press the Table button, it should come up with a list of Tables in your database. This is the first hurdle to overcome. Should there be permission errors, try the "Impersonate NT User" Option, and check your SQL user/pass.
    Note also, that if you check the "Impersonate NT User" Option, the Test button may fail, however, the actual filter database access can succeed. Give it a try.
  • Fill out the username and password fields.
  • Press the Test button. Check and resolve any error messages.
  • Now try to access the protected directory via the web (http).
  • If it doesn't work perfectly, check the "Show reason in access denied" (Options dialog), and try again.
  • If this doesn't help, check the Application Event Log for clues. Perhaps the NT user you are impersonating does not have
    "Act as part of the Operating System" advanced user rights. If it doesn't then add them (if you are logged in under that account, logout/login or reboot to apply the changes). The same goes for the
    "Log on locally" privilege. Otherwise you will likely get "[1314]A required privilege is not held by the client" when using the Test button. To add privileges: Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment. (Phew! knew where it was in NT4, took some finding in W2K!).
  • If this doesn't help, open the SQL Profiler, and check the SQL is getting through to the server and correctly executing.
  • If it is still not working, it is time for MARIO to help us...
That being said, Cory has some additional insight for his setup:

Here's the final version:

Driver={SQL Server};SERVER=206.xxx.234.xxx;Persist Security Info=True;Database=dev;UID=xx;PWD=xxxxx;

A few things I experienced went against the FAQ page, and I thought I'd make note of:

1. Your FAQ #94 needs an equal sign after the "driver" in the first example, as in "Driver={SQL Server};".

2. SQLOLEDB would never work, even though several combinations of the connection string worked in ASP.

3. It wasn't clear that integrated NT security was not required.

4. While I was trying to get integrated NT security to work, I kept getting "A required privilege is not held by the client", even though the user I was using had both "act as operating system" and "log on locally rights", and also had full control of all databases, which was all set up prior to installing AuthentiX.

Thanks Cory!
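An added example, not AuthentiX code and not part of Cory's message: a small linter run over three connection strings quoted in this FAQ item. It catches the missing "=" that Cory's note 1 describes and flags credential settings a reviewer would question. The finding codes and function names are invented for this example, and the parsing is a simplification, not the ODBC or OLE DB parser.

```python
USER_KEYS = ("uid", "user id")
PASSWORD_KEYS = ("pwd", "password")
INTEGRATED_KEYS = ("integrated security", "trusted_connection")

# Connection strings quoted from this FAQ item (line breaks joined).
FAQ_FIRST = "Driver{SQL Server};Server=ServerName;Database=databaseName;UID=sa;PWD=;"
FAQ_OLEDB = (
    "Provider=SQLOLEDB.1;Password=WebUser1;"
    "Persist Security Info=True;User ID=WebUser1;"
    "Initial Catalog=VideoQuota;Data Source=MMS-ITVMEDIA;"
    "Integrated Security=SSPI"
)
CORY_FINAL = (
    "Driver={SQL Server};SERVER=206.xxx.234.xxx;"
    "Persist Security Info=True;Database=dev;UID=xx;PWD=xxxxx;"
)


def split_segments(conn_str):
    """Split on ';' while keeping brace-quoted values such as {SQL Server} whole."""
    segments, current, in_braces = [], [], False
    for ch in conn_str:
        if ch == "{":
            in_braces = True
        elif ch == "}":
            in_braces = False
        if ch == ";" and not in_braces:
            segments.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    segments.append("".join(current).strip())
    return [s for s in segments if s]


def first_value(settings, keys):
    """Return the value of the first key in `keys` that is present, else None."""
    for key in keys:
        if key in settings:
            return settings[key]
    return None


def lint(conn_str):
    """Return a list of (code, detail) findings; values are never echoed."""
    findings, settings = [], {}
    for index, segment in enumerate(split_segments(conn_str), start=1):
        key, sep, value = segment.partition("=")
        if not sep:
            # Reported by position only, in case the segment is part of a secret.
            findings.append(("MALFORMED", "segment %d has no '='" % index))
            continue
        settings[key.strip().lower()] = value.strip()

    user = first_value(settings, USER_KEYS)
    password = first_value(settings, PASSWORD_KEYS)
    integrated = (first_value(settings, INTEGRATED_KEYS) or "").lower()

    if user is not None and user.lower() == "sa":
        findings.append(("SA_LOGIN", "connects as the SQL Server sysadmin login"))
    if password == "":
        findings.append(("BLANK_PASSWORD", "password keyword present but empty"))
    if user and password and user == password:
        findings.append(("PASSWORD_EQUALS_USER", "password is the user name"))
    if integrated in ("sspi", "true", "yes") and (
        user is not None or password is not None
    ):
        findings.append(("MIXED_AUTH",
                         "integrated security and an explicit login both given"))
    if settings.get("persist security info", "").lower() == "true":
        findings.append(("PERSIST_SECURITY_INFO",
                         "password stays readable from the opened connection"))
    return findings


def codes(conn_str):
    """Return only the finding codes, in the order they were raised."""
    return [code for code, _detail in lint(conn_str)]


if __name__ == "__main__":
    for name, value in (("first example", FAQ_FIRST),
                        ("SQLOLEDB example", FAQ_OLEDB),
                        ("Cory's final version", CORY_FINAL)):
        print(name, "->", codes(value) or "no findings")
```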

Back to the top of the FAQ

Q. SQLOLEDB connection string, and useful MS articles

A. Should be of the form:

ConnectionString="Provider=SQLOLEDB.1;Password=WebUser1;
Persist Security Info=True;User ID=WebUser1;
Initial Catalog=VideoQuota;Data Source=MMS-ITVMEDIA;
Integrated Security=SSPI"
Also see this useful article from Microsoft:
Q247931: Authentication Methods for Connections to SQL Server in Active Server Pages
and
Q176379: IIS and SQL Server on Separate Machines with Trusted Connection


Back to the top of the FAQ

Q. I have some questions about ODBC caching. I understand that the ODBC user requests are cached and there are settings to control expiration etc. If the request is authenticated from the cache does it look it up again real-time? (i.e. if a currently logged-on user changes password and the user id is located in the cache, will it re-validate or what will happen?)

A. From the windows help file:

If you have set up and enabled an ODBC authorization database (see Set Up ODBC), you can adjust the following options:

  • Minutes between cache cleanup (default = 10) — The Software caches user lookups. This value determines how frequently the cache is emptied.
  • Minutes to discard old users (default = 10) — If a user has not accessed a protected directory in this number of minutes, the user is deleted from the cache.
  • Minutes between forced user lookup (default = 60) — Determines how frequently to check a user’s username and password. This feature makes it possible to “kick out” a user who has been accessing a protected directory continuously for a very long time. You can change his or her password, and after the number of minutes entered here, the user’s name and password will be checked and the user will be denied access to the protected directory.

You can use the ODBCRemoveUserFromCache OCX method to force a user to be removed from the cache.

Back to the top of the FAQ

Q. Are there any log files generated by the software?

A. The software notifies IIS of the username of each authenticated request, and then IIS will place this info in the IIS configured logfile.
Note that with IIS4 you will be using W3C extended logging format by default, and you must click on the Properties button, go to the extended properties tab, and enable the Username checkbox. Otherwise usernames will not appear in the log. Refer to your IIS documentation for more details.

See also the Options/Audit button, to have AuthentiX create an audit log in the text file you specify.

Back to the top of the FAQ

Q. Migration, ASP, .NET and integration.

Our company, like so many, is rushing to migrate all of our existing web applications from ASP to ASP .NET. However, this process is taking time as we strive to manage our new project development and still migrate old development.

With that said, we need to put an authentication process in place that will work with our new .net web applications and old ASP applications.

Our hope is to create a single portal that will authenticate a web user and then give them links to access all of our different online applications (both ASP & ASP.net).

All of our applications are running on a single server. (Windows 2003, SQL Server 7, IIS 6) The applications are however running under different websites. We have approximately 5 different websites. We are currently working to combine all of the applications and sites into a single website as we migrate everything to .NET. However, that currently isn't the case.

Our Need: We need to authenticate the user one time and then allow them to move between the different applications. Again, some of the applications are setup within different web sites and some are ASP others .NET.

A. This is an excellent question.

I suggest that you use AuthentiX with cookie-based authentication.

Set this up per the instructions and note how easyloginnow.asp works: it receives the username and password from the login form, and creates the AXCOOKIELOGIN.

You can modify easyloginnow.asp so that it also sets up session variables etc that are required for your other mechanisms. Or you can take another .NET login aspx file, and modify that to create the AXCOOKIELOGIN as is done in easyloginnow.asp.

Please let me know if you need further help.

Back to the top of the FAQ

Q. I am using MS Proxy 2 and IIS. We can get to the member area from our internal network, but not from the internet.
I am prompted, and a valid username and password is supplied, then I am asked a couple more times, and eventually it is as though an incorrect

A. Hi Kevin!

I have finally solved the problem. It was the Proxy server that caused the problem.
As I mentioned before we access our webserver through a proxy which is on a different domain. This is why everything worked internally, since the proxy is never used for internal traffic. This is what happens.

When trying to access the protected directory, AuthentiX displays the login dialog.
When the user clicks OK the web service on the proxy tries to login with the username and password entered. This will of course not work, since no such NT user exists. What you must do is to uncheck the Basic (Clear Text) and NT Challenge Response in the web service on the proxy server (the proxy server uses the web service to authenticate users). Once this is set, all authentication is forwarded to the real web server. This regards IIS and MS Proxy 2.0. I don't know if it would work in the same way with IIS 3 or Proxy 1.

Back to the top of the FAQ

Q. The REMOTE_USER environment variable is not being set for CGIs if a directory is protected by the software. How do I get the login name?

A. This is to be expected. If REMOTE_USER was set, then IIS would try to authenticate against NTFS, which would disallow all entry. Instead, you can use the OCX component to find out who is logged in: http://www.flicks.com/authentix/currentusername.htm. You should be able to add the component to your CGI program, or you can get the login name out of HTTP_AUTHORIZATION and then base64 decode it.
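An added example (not Flicks code) of the second option above: reading HTTP_AUTHORIZATION in a CGI program and base64 decoding it to recover the login name. The function names and the sample header are constructed for illustration, and the example assumes the browser used Basic authentication.

```python
import base64
import binascii
import os


def username_from_authorization(header_value):
    """Return the username from an HTTP Basic Authorization header value.

    Returns None if the header is absent, uses another scheme, or is
    malformed. The password is never returned or stored.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # The decoded value is "username:password". Split on the FIRST colon only:
    # a password may contain colons, a Basic-auth username cannot.
    user, sep, _password = raw.partition(b":")
    if not sep or not user:
        return None
    try:
        return user.decode("utf-8")
    except UnicodeDecodeError:
        return user.decode("latin-1")  # fallback for non-UTF-8 usernames


def current_user(environ=None):
    """Look up the logged-in username the way a CGI program would.

    Assumption: the CGI lives inside the protected directory, so the
    credentials in the header were already checked before the program ran.
    If the same program is also reachable from an unprotected path, the
    header is unverified client input and must not be trusted.
    """
    environ = os.environ if environ is None else environ
    return username_from_authorization(environ.get("HTTP_AUTHORIZATION"))


# Constructed sample header (not a real account).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"Raxer:pa:ss:word").decode("ascii")

if __name__ == "__main__":
    print(current_user({"HTTP_AUTHORIZATION": SAMPLE_HEADER}))
```

Use only the returned username; avoid writing the raw header to logs, since it contains the password in a trivially reversible encoding.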


Q. When I start the program, I get "Could not CreateDispatch (21434), did you regsvr32 on the dll containing FlicksIISInstall.Install"

A.

The automated IIS filter install (which is not working for you) requires a VB runtime DLL, MSVBVM60.DLL, which is missing from your machine. The required VB runtimes are included on any machine that has IIS4 (and above) installed, however they must have been removed since IIS4 (and above) was installed.

You can download the zipfile containing the dll here.
Unzip it into your system32 directory and reinstall the software.

This dll is included in Flicks Software versions 5.1f and above.

(Thanks go to Tom Kelleher).

If this still does not work, try manually installing, according to the instructions given in the dialogs on installation.


Q. I am going to upgrade and I want to make sure that installation will not overwrite my existing setup and configuration.

A. The setup and configuration information is stored in authxdb.adb in the installation directory (authxISPData/*.adb for ISP versions).
Make sure you back up these files at regular intervals and before you upgrade.

So long as you uninstall and reinstall to the original installation directory, your configuration will be preserved.

If you are using WebQuota and have set additional IP Addresses in Options/AOL-Limit-Logins, you need to copy the machine's list of IP Addresses out of the registry, using regedt32.exe, here:
HKEY_LOCAL_MACHINE
/Software
/Flicks Software
/AuthentiX
/1.0
/AuthentiXConfig
/mzAOLData

and paste them back in after the install.

Also see upgrading


Q. AuthentiX and AuthentiX ISP - what is the difference between AuthentiX ISP and AuthentiX with a license for multiple DSN's?

A.

First, see here.

AuthentiX ISP is for Internet Service Providers who need to support multiple customers each with their own community of users. Each customer is able to remotely administer access to their subdirectories (and only their own subdirectories).

Each customer's database of usernames is separate and private from others. Customers are distinguished either by their domain's IP address, or by their host-header domain name.

If you have multiple customers, and you administer their username/passwords yourself, you could use AuthentiX with the unlimited DSN license.

However, if you want them to do their own administration and it is important to you (or your customers) that each customer is unable to edit another customer's usernames/passwords/configuration, then you would use AuthentiX ISP.


Q. I have heard a lot about AuthentiX and it sounds great! Our website is hosted at an ISP/WPP (internet service provider/web presence provider). Can we use it on our website hosted at the ISP?

A. Certainly. You need to discuss your specific requirements with your provider. They will need to agree to install AuthentiX on their server for you.
(Note for the ISP: AuthentiX and its variants are based on an ISAPI filter, and need to be installed via the console on the IIS machine your website is running on. Also see the note below about Sharing)
If your ISP is unwilling or unable to install AuthentiX, then many other ISP providers already offer an AuthentiX plan. Here is a list of approved providers that offer AuthentiX/WebQuota ISP.

If you have a dedicated IIS server machine (your website is the only website on the machine), then purchase the AuthentiX (Standard) or WebQuota (Standard) software and have your provider install the software. If you have a remote access program like PC-Anywhere, you may be able to install the software yourself.

Sharing: If your website is sharing the IIS machine with several other of your provider's customers, the ISP version of the software will be more appropriate. Essentially, the ISP version places firewalls between each customer so they do not have access to, and cannot modify, each other's AuthentiX configurations. Also you can only protect directories on your own website (and not other people's websites on the same machine!).
Consequently, your provider may not permit you to use AuthentiX, and may require you to purchase AuthentiX ISP 5-pak.


Q. Also what is the proper way to uninstall Authentix?

A. Go to control-panel, Add-Remove Programs, and select the software from there. (look for Membership Systems or AuthentiX)

Do not run uninstall.exe in the flicks installation directory.


Q. On installing, I get a weird dialog box with dlgcacwinname and ins0432 in it. Then the install fails. What do I do?

A.

It sounds like there are some old InstallShield files hanging around from another vendor's installation procedures.

Remove everything from the temp directory (reboot first if necessary), then try the install again.

Someone also mentioned a security lockdown setting that makes long filenames and/or filenames with spaces in them fail. It could be related to this.

Try installing to c:\flicks\authx (with no spaces and 8.3 compatible filenames) rather than c:\program files\Flicks Software\AuthentiX

Also see here.


Q. I tried that, but it won't let me uninstall.

A. Try running flicksUninstall.exe in the installation directory. If it complains that it cannot find mfc42d.dll, then you need to download the latest flicksUninstall.exe. Overwrite the one in the installation directory. Then try uninstalling from the control-panel again.


Q. I have tried to install the latest version of the software, however it still comes up with the old version!

A. Are you sure you installed the correct zipfile? If you have just purchased the software and are installing over the trial version, are you sure you are installing the software sent to you?

If you are sure you are installing the correct version, then perhaps the old files are still 'hanging' around.
There are several reasons this could happen, for example you may have forgotten to stop IIS before the installation procedure, or the Windows console GUI app was still running.

Try the following to reinstall:

  • Stop IIS from the control-panel/Services. Make sure you stop IISAdmin service and say yes to stopping all sub-services (including IIS).
  • Make sure the AuthentiX/WebQuota Windows user interface is closed.
  • Make sure no other programs are using any AuthentiX/WebQuota OCX/COM component.
  • Uninstall from the Control-Panel/Add-Remove Programs.
  • Install the software again, making sure you use the correct zipfile.

If this still does not work, then to make sure you have a clean re-install, copy the manualdelete.bat from the installation directory to a separate directory, stop IIS and the console app, and uninstall from the control panel.
Modify the manualdelete.bat file to reflect the directories of your installation/machine configuration, and run it.
If any of the files fail to be deleted, then they are still being held open by another process. Rename the offending files, and reboot. This should guarantee that the old files are gone. Then install the software.

In the last resort, make a backup of any/all adb files in the installation directory, delete the entire installation directory, and in the system32 directory delete the following files:

  • AuthentiX/WebQuota: authxdb.dll and axodbc.dll
  • AuthentiX ISP/WebQuota ISP: authxispdb.dll and ISPodbc.dll

If you are still having problems email support@flicks.com


Q. I'm using IIS6 and I get "An attempt was made to load the filter but it requires the SF_NOTIFY_READ_RAW_DATA filter notification and this notification is not supported in Worker Process Isolation Mode."

A.

In the registry, under

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
create a value called ENABLE_SUBWEB, of type DWORD, and set it to be 1. Stop and restart IIS Admin Service. You should then get a message in the event log saying "SF_NOTIFY_READ_RAW_DATA turned off", rather than the above message. (This is the default in 5.5k2 and above).

If you have not upgraded to 6.0 or above, you need to now.


Q. IIS6 - it doesn't seem to be working (when in fact it is).

A.

The worker processes that indicate to the system that IIS6 is running are not activated until an actual http call is made. If, on installation, it doesn't seem to be working, try protecting a directory and seeing if it is protected by making a request. It should be fine.


Q. Windows 2000 and aspAdmin remote administration Error: 50;

A.

Assuming that the software has not expired:
With Windows 2000 (not Windows NT 4.0), the default registry permission settings do not give access to IWAM_machineName or IUSR_machineName.

Using regedt32, in the registry, HKEY_LOCAL_MACHINE, the SOFTWARE key, Flicks Software: set the permissions to grant IWAM_machineName and IUSR_machineName Read Control and Full Control.

Additionally, in the Flicks Installation directory, grant IWAM_machineName and IUSR_machineName Full Control on the directory containing all the .adb files.

Version 5.1 will not need this permission to be set at the top SOFTWARE key level, and the necessary permissions will be set automatically on installation.

If you believe you have a registered version, please let us know the serial number.

Also see here and here.


Q. I change the user's info via the Windows GUI, but I have to restart IISAdmin to see the changes!

A.

You should be able to make changes via the Browser-based administration; use this as a temporary workaround.

We have found that this can occur when using Terminal Services to remotely access the server machine. Version 5.5b2 and above eliminate this glitch. For prior versions you may continue to use the Browser-based administration aspAdmin, or use alternate remoting software such as PCAnywhere or Remotely Possible.

The issue is normally related to permissions, depending on the security regimen implemented on the machine, either by corporate policy, or by any of the many service packs. Each of the latter seems to make undocumented modifications to the security structure, and these vary between service packs.

The problem is caused by one of two things:

1) The Windows GUI does not have permission to update the authx.adb file. This is relatively easy to fix by making sure the authx.adb file and its parent directories have the permissions necessary to update the file.

2) The global mutex that signals all applications (particularly the AuthentiX ISAPI filter plugin which runs as a part of IIS) is not having the desired effect. This is almost always caused by permission issues for the global mutex and the permissions of the processes involved (IIS, AuthentiX GUI). Because the remote admin uses the AuthentiX OCX, which itself runs as part of IIS, the permissions issue is sidestepped.

A customer observed this behaviour:

We were able to restart all IISAdmin services except the http SSL service while being remote into the server. After restarting those services and making a change through the GUI, the change showed up in remoteAdmin.

Permissions could be an issue here. Make sure you are logged in as an Administrator with
"Act as part of the Operating System"
and
"Log on locally"
advanced user rights/privileges.
To add privileges: Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment.

See also here.


Q. In the Event Log I am seeing [5] Access is denied with message ID's 8729991 and 883762
Is this a problem?

A.

This should have no negative effect on operations.

Likely you are installing on Windows 2003 using Terminal Services.
See this interesting (but very technical) article here: http://www.brianmadden.com/content/content.asp?ID=480

In brief, the software attempts to open the Registry Key
HKEY_LOCAL_MACHINE\SOFTWARE\Flicks Software\AuthentiX\1.0
but fails the permission check, which generates the Event Log message.
However the system then automatically tries again with higher permissions, which succeeds.

If you do in fact have problems that are related to this please let us know.


Q. Lots of IIS startup messages! Authentix is filling our Application Event Log with entries. They are mostly Informational events, such as the one I pasted below. How can I turn these off?

A. These messages are normal startup messages. Every time the AuthentiX ISAPI plug-in filter starts, it outputs these messages.

The AuthentiX ISAPI plug-in filter starts up when IIS starts up.

If the AuthentiX ISAPI plug-in filter starts up frequently it is because IIS starts up frequently.

Assuming auto-recovery is on (and it must be here) IIS will start up frequently if it crashes frequently.

It will crash frequently if it is running an application that crashes frequently.

You are seeing AuthentiX messages frequently and so you are assuming the problem is caused by AuthentiX. Instead, the messages are a symptom of another issue.

100% of the times I have seen frequent startup messages like this from AuthentiX it is because of another application crashing IIS.

For example, one customer who was using a (rather rare) IIS programming language found that when he moved to IIS6 he got these frequent messages. It turned out the programming language interpreter crashed IIS at the end of each page it was called from, although the page itself would actually be served (the last one before crash and recovery). It worked ok under IIS5.

Try turning off auto-recovery and observe IIS failing. Then check the Event Log for clues.

If enough people ask, I will add a registry switch so that you can turn these messages off.
That way, AuthentiX will not fill up your Event Log with startup messages (always annoying!) and the actual cause of IIS restarting will remain hidden until your system crashes and burns later and you will be none the wiser why.
AuthentiX is just the messenger here.


Q. By referrer issues.

A.

Yes, there are cases where the http-header referrer information is not correctly passed to the server.

It could be because of an option in a browser, a firewall or proxy stripping out the header, or a browser not even having the capability.

One common example is the WMP browser, which standalone does not pass the referrer to the server, however if embedded in IE or Firefox it does. See here.

In the AuthentiX installation directory there are some copies of debug.asp.

Take one of these and put it in an unprotected directory on the target machine. Use the browser method in question to access this file via http. If there is no referrer information there, then none is being passed to the server.

If the referrer information is required for access, but the referrer information is not passed to the server, then the browser will be blocked by referrer.


Q. I really like being able to see who is currently logged in with the aspAdmin remote admin module. It is in the Access List, where it says "Who's on now" and a link to "Current Users". It shows me who's on now. However I cannot see any currently logged in users even though I know I am logged in!

A.

Go to MMC/IIS and right click on the website and select Properties. In the Home Directory tab, change the Application protection level to Low (IIS Process). Now that asp module will have access to the internal data structures in the AuthentiX filter that runs as part of the IIS process and you will be able to see the currently logged on users.

Also see here and here.


Q. Adding users via remote administration does not update the filter.

A.

Assuming that the software has not expired:
With Windows 2000 (not Windows NT 4.0), the default file permission settings do not give access to IWAM_machineName or IUSR_machineName.

AuthentiX/WebQuota (Standard): The configuration file authx.adb does not have write permission for IUSR_machineName or IWAM_machineName so the remote administration module cannot update it.

AuthentiX/WebQuota ISP: The configuration files *.adb in the authxISPData directory do not have write permission for IUSR_machineName or IWAM_machineName so the remote administration module cannot update it.

Grant Read and Write permissions for IUSR_machineName and IWAM_machineName to these files.

This will be done automatically on installation with Versions 5.1 and above.

If you believe you have a registered version, please let us know the serial number.

Also see here and here.


Q. Where is the remote administration dll?

A. The remote administration dll is no longer used for remote administration. Check out the aspRemote ASP pages instead!


Q. How do I set things up for FrontPage?

A. In IIS Manager, turn on Allow Anonymous (otherwise the whole site will be protected by IIS), turn off Basic Authentication (You don't want AuthentiX's Basic Authentication to conflict with IIS's Basic Authentication), Turn on NTCR (Integrated Windows Authentication in Windows 2000) (those using Frontpage will be logging in via NTCR instead). In the Options dialog turn on "Don't Authenticate Frontpage subdirectories". Make sure that the anonymous user can access the actual directory, without the software having protection for that directory, then Add protection. Make sure the Frontpage filter is loaded after the AuthentiX filter.

For FrontPage 2000 there is an issue with the new virtual vti_bin methodology, if you are authenticating FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)).
To edit a site with frontpage, the vti_bin virtual directory must have IIS Basic Authentication on, however if this is the case users/browsers cannot use the bot without being prompted for an NT basic auth sign on.
This is because (I think) the browser is sending Basic Authentication credentials to AuthentiX, but these are being passed to the bot in the vti_bin, and these credentials do not match IIS NT Basic Authentication credentials.
If you turn off vti_bin IIS Basic Authentication, the bot will work for the user, but you won't be able to edit the site with FrontPage.
It is better to use ASP solutions rather than bots, when you are authenticating FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)).
If you must authenticate FP with IIS Basic Authentication (and not NTCR (Integrated Windows Authentication in Windows 2000)), and you must use FP bots, and you cannot have 2 IP addresses, then you have got a problem that cannot be resolved at the present time (8/3/00).
Better to:

  • Use NTCR (Integrated Windows Authentication in Windows 2000) for FP authentication
  • Don't use bots, use ASP or other solutions
  • Use 2 IP addresses

Also see here.
and Microsoft's comments here


Q. FrontPage Setup - Camille's way

A. Camille (camilletrapp at hotmail.com) went through the grinder, and came up with this:

What to do so you can open your site in IIS4 (and above), frontpage2000 AND protect directories via logon using AuthentiX 5.1 at the same time

  • Make sure the Authentix isapi filter is on top of the fp filter no matter how many filters you have. Inetinfo filter should be highest of all. If you don't know which is which, right click.
  • Uncheck the box in the vb Version of AuthentiX on the server that says "Don't protect Frontpage directories with _vti...."
  • Open the permissions in the WINNT/System32 to Everyone Full Control
  • Open the permissions in the Authentix program directory (where the adb is) to Everyone Full Control
  • Open the permissions to wwwroot and all subdirectories to Everyone Read/Execute control (millions of files), then your Windows NT/2000 or Frontpage NT accounts/groups write permissions.
  • Then open the web in frontpage. Then Open a protected or logon page in your browser and verify that logon is working.
Once you've got there....start working backwards choking down directories and files always checking that everything stays working. Good luck!

Thanks Camille!


Q. FrontPage Search Bots

A. Marj Palmer went through the grinder, and came up with this:

Thanks to all for taking the time to give me the full info on this issue. I tried Kevin's 'Map Request to NT User' suggestion on the _vit_bin directory and the results were the same...NT still popped up a dialog to validate an NT user.

I gave it some more thought and came up with a workaround that I can live with. I have a public and a private part to my web site. I don't want the general public to be able to search the entire web site, only authenticated users from the protected site. What I did is relocate the Search page containing the bot from the protected directory to the root unprotected directory. The Search page runs fine there. Most of the links to navigate to the Search page still come from a page in the protected directory. I had just one link to the Search page from the Site Map page in unprotected site. I revised the Site Map link to instead go to a search_redirect.asp page in the protected site, which after causing User authentication does a redirect to the Search page in the unprotected site. If some public user figures out how to directly type in to the search.htm they will be able to bring up and run the Search page. However, they won't be able to follow any results links to content in the private site, without getting authenticated. That's good enough for me.

Thanks again for your help. I've been very pleased with AuthentiX and the hosting support I've received from CrystalTech. I'm rolling out the finished web site this week!

Thanks Marj, don't you just love Frontpage!


Q. Everyone is permitted access to change the site with Frontpage!

A. If you are on the same local network, this will appear to be the case because (like IE) Frontpage will log you in "behind your back" as your current Windows login. If you try accessing the site outside your local network, you will see the protected behaviour as desired.


Q. http://username:password@www.mydomain.com doesn't work anymore!

A. That's right. Around 2/2004 Microsoft issued a security update for IE which disallows this form of URL.

The most likely workaround is to convert to using forms-based/cookie login, and modify the easyloginnow.asp to accept the username/password from the source of your choice, rather than the usual login.htm page.

For example, instead of using
http://username:password@www.mydomain.com
use something like
http://www.mydomain.com/firstfile.asp?u=username&p=password

then grab the u/p out of the url string, and use these to set the cookie for cookie-based login.

Be aware that this method of passing in a username and password is vulnerable to simple copy/paste attacks, whereby the URL can be posted on forums to effectively destroy your security.
Note that VideoQuota is soon to have "TimerTokens". (VideoQuota includes AuthentiX/WebQuota with enhanced functionality.)
TimerTokens are generated on the fly, and contain the username and password encoded, along with the current time, encrypted. VideoQuota decodes and matches up the token, permitting access only if the token is freshly minted within the last few seconds. Good for links.
This premium feature is only available in VideoQuota, which costs more.
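The freshness check described above, as an added Python example that is not VideoQuota's code or token format. It swaps in a different technique, named plainly: the token carries only the username and issue time and is signed with HMAC-SHA256 rather than encrypted, and the function names, token layout and 10-second window are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: the page only says "within the last few seconds".
MAX_AGE_SECONDS = 10


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a link."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(username: str, key: bytes, now: Optional[float] = None) -> str:
    """Build '<body>.<tag>' where body = b64('<issued>:<username>')."""
    issued = int(time.time() if now is None else now)
    body = _b64(f"{issued}:{username}".encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token: str, key: bytes, now: Optional[float] = None,
                 max_age: int = MAX_AGE_SECONDS) -> Optional[str]:
    """Return the username if the token is authentic and fresh, else None."""
    body, dot, tag = token.partition(".")
    if not dot:
        return None
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Check the signature before trusting anything inside the body;
        # compare_digest avoids leaking the match position through timing.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        issued_text, colon, username = _unb64(body).decode("utf-8").partition(":")
        issued = int(issued_text)
    except ValueError:  # also covers base64 and Unicode errors
        return None
    current = time.time() if now is None else now
    # Reject tokens from the future as well as stale ones.
    if not colon or not username or not (0 <= current - issued <= max_age):
        return None
    return username


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-a-secret"  # constructed sample key
    link_token = mint_token("alice", demo_key)
    print("fresh:", verify_token(link_token, demo_key))
    print("stale:", verify_token(link_token, demo_key, now=time.time() + 60))
```

A token pasted into a forum stops working once the window has passed, which is the property the answer relies on; within the window it can still be replayed.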


Q. Installation with Cold Fusion Service Running

A. One user reported that Installation (setup.exe) was suspended when Cold Fusion service was running. When he stopped the service the setup/installation continued.


Q. My IIS system restarts every 15 minutes (OR every 30 minutes OR every hour OR once per day). In the event log I see a message about AuthentiX

A.

The AuthentiX message is a general message that is created when the system is restarted.

It could be because the IIS6 default pool restarts itself once a day.

If this happens very frequently, then the cause of the problem could be related to the Red Worm Patch:

"Speaking of patches, I've read several recent posts on the Bugtraq mailing list that indicate a problem might exist with the Microsoft patch listed in Microsoft Bulletin MS01-033. A few people have reported that after they installed the patch, their systems remain immune to Code Red infection. However, when an infected system attempts to connect to their system to infect it, several IIS services (e.g., FTP, the default Web site, the administrative Web site, and the proxy service) stop processing." - Windows Security Update


Q. IIS4 filter installation problems with MS PWS

A. If you're installing the software with Microsoft PWS (Personal Web Server or Peer Web Services depending on who's speaking), the installation procedure varies from the documentation.
The Peer Web Manager application that ships with PWS doesn't have an option to install filter DLLs, so it has to be done manually.
To install, run REGEDIT or REGEDT32 and locate HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters
and add a value "Filter DLLs" (note the space between FILTER and DLLs and leave out the quotes) of type REG_SZ with a string of
"c:\flicks\authentix\authxfilt.dll"
A stop and restart of the web service and a check of the Event Log show everything to be running correctly.

One user reports that when the installation process prompts to confirm IIS4 (and above) is detected, click the "No" button. This only applies to PWS.


Q. I installed the software, and it was protecting membership areas just great. But then it just suddenly stopped working :-(

A. Likely you have installed the request limited trial version. You will see that the Requests Remaining indicator in the Windows Console GUI will have dropped to zero. The Application Event Log will have a message containing "Demonstration request limit exceeded". You need to stop the IIS Admin Service (IIS4 and above) or World Wide Web Publishing Service (IIS3) from the control panel and restart, or purchase a licensed version.

Another cause may be the permissions on the adb configuration files. Go to the remote administration and click on the Administrator Settings. If there is red text saying "Error 5" or similar, then this is a permissions issue. Make sure that Everyone has Full Access to the installation directory and everything below it.


Q. I installed the software, but it doesn't protect anything at all!

A.

Probably the AuthentiX ISAPI filter is not loading. Make sure you have followed the installation instructions properly.

The main dialog of the Windows AuthentiX GUI should have a message at the top saying "The filter is loaded and running correctly".

Even so, go to the MMC for IIS and right click properties and click on the Filters tab. The ISAPI filter should be loaded, and should have a green "go" arrow beside it. If you are using a time-expiry version, make sure that the software has not expired - look in the About Box. If you are using the request-limited (990) version, then perhaps the request limit has been reached - look in the About Box to check and if so, restart IISAdmin.

If none of the above apply, then far and away the most common issue is the following: You are not protecting the same directory you are accessing via the browser!

  • Make sure you are accessing the files via http.
  • Make sure you are accessing URLs on the same machine that you installed AuthentiX on!
  • Make sure you are protecting a directory on the same hard drive as the directory that IIS is using!
  • Make sure you are protecting the same directory you are accessing, even though it is on the same machine and the same drive!
Often a second administrator has reorganised the webroot and/or IIS virtual directories without you knowing.
Other times you may be attempting to protect a backup or "staging" set of directories.
It is all worth checking.

IE will sometimes log you in with your current login without telling you. Try using Netscape or turn off NTCR (Integrated Windows Authentication in Windows 2000).


Q. I want to install the software on a second machine because we are moving the website to this new machine. How do I move the AuthentiX/WebQuota settings to the new machine?

A.

For AuthentiX or WebQuota Standard

Look for the adb (AuthentiX database) file in the existing installation directory. Create the new installation directory on the new machine. Copy the authx.adb file to the new installation directory. Then install the software into this new directory, using the zip file and serial/reg codes you used for the original installation (or the zip file that was recently sent to you, if you just upgraded).

You can find the serial number in the About Box.
If you do not have the original zip file, then you will need to upgrade - Flicks Software does not provide backup services.

The settings will be ready and waiting.

If you try to copy the authx.adb to a machine that is running IIS &/or the AuthentiX Windows GUI (or any other programs holding open AuthentiX files) then it will not succeed. You must stop all these programs first.

For AuthentiX or WebQuota ISP

follow the same process, but move the entire authxISPData directory to the new machine. If the IP addresses change, then rename the individual adb data files to the corresponding new IP address.

For Standard to ISP or ISP to Standard

Prior to Version 5.8, only users can be imported/exported; other settings must be done by hand.

With Version 5.8 and above, all adb files are compatible, and can be interchanged using the above guidelines.
Upgrade your target software (Standard or ISP) as necessary, and use a free trial download for the old software to convert the adb file to 5.8 and above format.


Note: if you originally ordered the software "by IP Address" and you want to move it to another machine, then you will need to purchase an upgrade. Be sure that you are able to accept large attachments up to 4MB.

In WebQuota, if you have set additional IP Addresses in Options/AOL-Limit-Logins, you can copy the old machine's list of IP Addresses out of the registry, using regedt32.exe,

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
	/mzAOLData
and paste into the new machine's registry in the same location.


Q. I cannot completely uninstall. I am having problems uninstalling.
How do I manually uninstall?

A.

Possibly you now have fewer permissions than when you first installed.

Make a backup copy of your authx.adb files (or *.adb for AX ISP), if you want to preserve the configuration information.

Go to Control Panel Services, Stop IISAdmin and its subservices (ie IIS).

Check that the Event Viewer is not running.

Close the AuthentiX Windows GUI if it is running.

Close all Microsoft Management Service Consoles.

Now double check: go to the Task Manager, and look in "Processes" to see whether any AuthentiX application, IIS or Event Viewer process is still running (Authx.exe or inetinfo.exe). Close all Microsoft Management Service Consoles (MMC.exe).

Uninstall the software. Look in the installation directory and make sure only the authx.adb remains.

Go to the system32 directory. If present, delete the file authxdb.dll and the file axodbc.dll (for AX ISP this will be axispdb.dll and ispodbc.dll).

If there are any files that cannot be deleted then rename, and reboot.

Then install again.

Make sure that the installation directory is populated with the installation files.
Make sure that authxdb.dll and axodbc.dll are in the system32 directory.


Q. I notice that other ISAPI filters with high priorities run first, before AuthentiX. I want to run AuthentiX / WebQuota as a high priority filter. How do I do this?

A. To make AuthentiX high priority:

In the registry, using regedt32.exe:

HKEY_LOCAL_MACHINE
/Software
/Flicks Software
/AuthentiX
/1.0
/AuthentiXConfig

create a value called NOTIFY_ORDER_HIGH, of type DWORD, and set it to be 1. Stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web Publishing Service (IIS3) from the control panel.

This should fix it.

If you are using WebSphere, then you will need AuthentiX to be higher priority (than WebSphere) also.


Q. I'm running IIS6, and after I install the software nothing works! You pop up a dialog box saying IIS needs at least one request to activate, but I can't make any requests at all. IIS6 just hangs. What shall I do?

A.
First, see this MS Article. (Note: IIS5 compatibility mode is NOT required for AuthentiX.)

Check the application and system event logs for any obvious errors.

If none are found then likely there is a permissions issue, and it's possible you cannot load any ISAPI filters at all.

Microsoft has kindly supplied two test ISAPI filters. One uses MFC the other not.

Download MFCISAPILogCount.zip or NONMFCLogCount.zip filters. Either one will do.

Uninstall AuthentiX.
Manually add the ISAPI filter dll from the download above. In IIS Manager, click on the machine name, then right click on "Web Sites", properties. Click on the ISAPI Filters tab, and add the filter dll.
Stop IISAdmin (not just IIS) from Services, then start World Wide Web Publishing Service.

If this filter also stops any requests from being served, then no ISAPI filters can be loaded on this machine.

Very often, the software will run fine on one W2003 server, but not on another, suggesting this is a permissions issue.

Possible solutions:

1) Previously we have found that the C:\ does not have sufficient permissions, "Everyone" should have at least read and execute permissions. Check this first.
It can eliminate a nasty problem with an Application Popup error in the system event log.

Alternatively, try changing the Identity of the application pools.
2) In IIS Manager, click on the machine name, then click on "Application Pools". Right click on each, click on the Identity tab, and change the Predefined account to "Local System".

And this is effective:
3) Yes we (ActiveHost) have resolved the issue of successfully implementing AuthentiX ISP on our Windows 2003 Server Shared Hosting Platform. The fix was to install the isapi filter and related files in a drive/folder that has full access to the ASPNET user or whatever user that the respective site impersonates to run under.
Initially we installed the software under D:\Flicks or C:\Flicks which did not have the proper permissions set. I got it to work by either installing the software on a drive that we allow full permissions on or on a drive letter/path where we already allowed full access.

If the above does not work, we have to take some more steps:

To identify the permissions problem, we will need several pieces of information.

Collect the system and application event logs from this server. Please have both EVT and TXT formatted logs.

Run the following from the command line:
cacls c:\ >Cacls.txt

From the following article, go to the download page, get MPSRPT_DirSvc.EXE, and run it on the server: http://support.microsoft.com/default.aspx?scid=KB;EN-US;818742
Save the cab file from the following location: C:\WINDOWS\MPSReports\DirSvc\Logs\cab

This information should help us resolve the issue.

Next time it hangs, can you run IISState (www.iisfaq.com/iisstate) and post the log. We can then see what is hanging and give some guidance:
iisstate -p


Q. I'm running IIS6, and I am having problems. In the Application Event Log I am getting:
RegCreateKeyEx: [5] Access is denied.

A. The above messages are "unusual". They indicate that your installation and running login does not have permission to access crucial areas of the registry.

Make sure you are logged in as Administrator first. Then if the install still fails, using regedt32.exe, make sure the registry areas in question in
HKEY_LOCAL_MACHINE

SOFTWARE\Flicks Software\AuthentiX\1.0

SOFTWARE\Flicks Software\AuthentiX
SOFTWARE\Flicks Software
SOFTWARE

have full permissions for Everyone, and try installing again.


Q. Once we have installed and incorporated the evaluation version will we have to redo the configuration when we upgrade to the purchased version?

A. So long as you install to the original installation directory, your existing configuration data will be preserved.

If you are using WebQuota and have set additional IP Addresses in Options/AOL-Limit-Logins, you need to copy the machine's list of IP Addresses out of the registry here, using regedt32.exe:
HKEY_LOCAL_MACHINE
/Software
/Flicks Software
/AuthentiX
/1.0
/AuthentiXConfig
/mzAOLData

and paste them back in after the install.


Also see moving AuthentiX
Also see upgrading


Q. I cannot create the AuthentiX object in ASP! I get an Event log message about ccontext.cpp

A. Likely this is a permissions issue. Make sure the AuthentiX installation directory has full permissions for everyone.

See also here.

Q. I'm using IIS and I think I've loaded the filter, but it doesn't seem to be working!

A. Check the event log. If you get a message like:

"An attempt was made to load filter 
on a server instance but it 
requires the SF_NOTIFY_READ_RAW_DATA filter notification 
so it must be loaded as a global filter."
Then that means that you have tried to load the filter on a sub-web. It needs to be loaded at the machine-level, as described in the installation instructions. Try loading it as a global filter at the machine-level, as suggested.

Also see here and here.


Q. With Remote Administration I get Code is [5] Access is denied. The file could not be accessed.
And I cannot get ASP to add users, or get any changes to 'stick'.

A. Make sure that IUSR_machinename and IWAM_MachineName have full access to the installation directory particularly the authx.adb file.
For AuthentiX ISP access must be granted to the authxISPData directory.
If that fails, then you may need to turn on Security Auditing to see which account is trying to gain access, or grant Full Access to Everyone.


Q. I get the message:
"There is a problem (DomainEnabled returned 5). Unable to write to the configuration file. Ask your ISP Administrator to grant read and write permission to the AuthentiX ISP configuration data directory. Check the Application Event Log for details. "
What do I do about this?

A. Make sure you grant read and write permission to the AuthentiX ISP configuration data directory for everyone!


Q. Sometimes, little features, like hover buttons and other items are protected when they shouldn't be, what can I do?

A. You can solve this by AuthentiX-unprotecting both the _overlay and _derived subdirectories, which FP2000 uses to replicate graphics in a theme throughout the WEB-application. Such directories may change from time to time, depending on the version of Frontpage, so check which need to be unprotected.


Q. When I use the Software to protect a subdirectory of a frontpage directory, I cannot edit it with Frontpage (or Visual Interdev)!

A. In Internet Service Manager, Turn off Basic (Clear Text), and turn on NT Challenge response. The Software will validate for Basic, and let through NTCR (Integrated Windows Authentication in Windows 2000) requests that Frontpage uses.
If for some reason you must use Basic (Clear Text) for Frontpage editing, look in the Options dialog. You will see "Don't authenticate Frontpage subdirectories (with _vti_ in them) even if they are in a protected directory."
Check it.
If this still does not work, try creating an AuthentiX "root user" with the same username and password as the NT user that administers the website. Grant permission for that user.

One customer reported that if the username/password in Frontpage is the exact same as the one in AuthentiX, an AuthentiX prompt appears, although escaping out will let you in no problem.
To fix, make the username/password different in each.

For example: with a subweb created by Frontpage, if the username (user1) is exactly the same in AuthentiX and in Frontpage admin, it prompts. Changing the Frontpage username/password fixes this.

Make sure the Frontpage filter is loaded after the AuthentiX filter.

If you are using Frontpage for the root of the website, you may also have to unprotect individual files in the root directory that Frontpage requires access to (eg _vti_inf.html). Add the file as an AuthentiX protected file and uncheck ODBC and Internal DB protection (both). Alternatively, just protect those individual files in the root that you need to protect.

There are some situations where IIS Basic Authentication must be used instead of NTCR/NTFS (Integrated Windows Authentication in Windows 2000) authentication, for example, if there is a proxy server being used.

One solution is to create a username and password in AuthentiX that matches the NT username and password, and permit the AuthentiX user to that directory.

Another way to approach this issue is to use 2 IP addresses to access the same website, one for Frontpage only, the other for the public (but AuthentiX protected) website. Then use AuthentiX ISP (-not- AuthentiX standard) to protect the public website via the public IP address, and do not protect the (private) Frontpage IP address. Make sure read access is permitted for everyone, and write access permitted just for the Frontpage user. This may be your only solution if you want to use Frontpage as well as CurrentUserName, because of Microsoft bug Case Number SR X980 2166010 644.

Also see the FAQ item here,
and Microsoft's comments here


Q. Limit logins? Details, restrictions?

A. Limit logins is only available in WebQuota.

Due to the connectionless architecture of the http protocol, certain conventions are commonly used to identify a 'user' and a 'login session'. With http, every request for a page or a picture is separate and distinct. The common convention to define a 'user' is a sequence of requests from the same IP address. This is further refined as being a request from the same IP address in combination with the username. There is no way for any web server software to differentiate between two users who present a single IP address with the same username and password, which can happen if the two users are on the other side of a proxy (their side).
An exception is with the HTTP 1.1 protocol, which allows multiple requests using the same TCP/IP connection. However, not all browsers support this. Additionally, proxy servers usually disable HTTP 1.1 and dumb it down to HTTP 1.0.

In HTTP a 'login session' is typically defined as a series of requests from a single IP address with no break in requests for 10 minutes. This is the convention the software uses also (adding the username into the mix).

Since some ISPs such as AOL can change the requesting IP address on the fly, and/or some users will drop their POT connection and dial back in, it may be a good idea to set the minimum limit login level higher than 1. This way obvious abuse will be detected and prevented, while legitimate users will not be locked out. In version 4.0d and above, the Options dialog has a checkbox to consider only the first 3 octets for limit-logins (ie 201.202.203.*) rather than all 4 (201.202.203.204) - this handles the AOL proxy-client implementation where a single user can have as many as 20 different IP addresses - but all from the same Class C address.

Here is a link to list of AOL's ip addresses.

You can manually add this list (if the Windows GUI is too clumsy for you) to the registry as detailed here

Since version 5.0 of WebQuota this mechanism has been refined to allow a set of Class C addresses to be specified. This is in response to AOL using multiple Class C addresses in its client proxy polling.

You may be interested in WebQuota CMCL Edition, which has more advanced features and a different pricing model.

Also, see the next FAQ item.
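
The session convention in this answer, as an added Python model (not Flicks' code and not part of the original FAQ): a session is a username plus an address key, it ends after 10 idle minutes, and the address key is either the full IP or its first three octets. The class and function names, and the trace with its documentation-range addresses, are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SESSION_IDLE_SECONDS = 10 * 60  # FAQ convention: 10 minutes without a request ends the session


def address_key(ip: str, first_three_octets_only: bool) -> str:
    """Address part of the session key: the full IP, or a.b.c.* when only 3 octets count."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(octets[:3]) + ".*" if first_three_octets_only else ip


@dataclass
class LimitLogins:
    """Hypothetical model of limit-logins; not the product's implementation."""
    max_sessions: int
    first_three_octets_only: bool = False
    # username -> {address key -> time of the last served request}
    sessions: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def request(self, username: str, ip: str, now: float) -> bool:
        """Record one HTTP request; True if served, False if the login limit blocks it."""
        live = self.sessions.setdefault(username, {})
        for key in [k for k, seen in live.items() if now - seen > SESSION_IDLE_SECONDS]:
            del live[key]  # abandoned session: its slot is free again
        key = address_key(ip, self.first_three_octets_only)
        if key not in live and len(live) >= self.max_sessions:
            return False  # a new (username, address) pair while every slot is in use
        live[key] = now
        return True


# Constructed trace: one subscriber behind a proxy that rotates inside 198.51.100.0/24,
# and a second person using the same username from another network.
TRACE: List[Tuple[int, str, str]] = [
    (0, "alice", "198.51.100.10"),
    (60, "alice", "198.51.100.77"),
    (120, "alice", "198.51.100.203"),
    (200, "alice", "203.0.113.5"),    # same credentials, different network
    (260, "alice", "198.51.100.10"),
    (1000, "alice", "203.0.113.5"),   # more than 10 minutes after the last request
]


def denied(max_sessions: int, first_three_octets_only: bool) -> List[Tuple[int, str]]:
    """Replay TRACE and return the (time, ip) of every blocked request."""
    limiter = LimitLogins(max_sessions, first_three_octets_only)
    return [(t, ip) for t, user, ip in TRACE if not limiter.request(user, ip, t)]


if __name__ == "__main__":
    for limit, three in [(1, False), (1, True), (3, False), (4, False)]:
        print(f"limit={limit} first_three_octets_only={three}: denied {denied(limit, three)}")
```

With a limit of 1 and full-IP matching the rotating subscriber is blocked; with the three-octet option only the second network is blocked. Raising the limit to 4 instead lets the second network in.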


Q. Limit logins? How do I get it to work with my ODBC/SQL/mySQL database?

A. Limit logins is only available in WebQuota.

You have an ODBC database table with username, password fields.
Add another field and call it Blocked, default to "No".
In the ODBC dialog use the custom statement and specify the names of your username and password fields. In the middle text box, have something like this:
"From userAccounts where Blocked="No" And "
with spaces at the end.

In the Limit Logons dialog open the Update ODBC dialog and set the DSN, table and username field appropriately.
In the "Field to Update", select the field "Blocked".
In the Update Value text box, put in "Yes".
Then if limit-logins is exceeded, the Blocked field for that user will change from "No" to "Yes", and the custom statement will return no records, and the user will be blocked from logging in again.
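
The Blocked-field procedure above, worked through against an in-memory SQLite database as an added Python example (not the product's code). The exact SELECT that WebQuota assembles around the custom statement is an assumption, as are the sample users and the function names.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table: username, password, plus the added Blocked field."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE userAccounts ("
        " username TEXT PRIMARY KEY,"
        " password TEXT NOT NULL,"
        " Blocked  TEXT NOT NULL DEFAULT 'No')"
    )
    db.executemany(
        "INSERT INTO userAccounts (username, password) VALUES (?, ?)",
        [("dave", "pw-dave"), ("erin", "pw-erin")],
    )
    return db


def login_allowed(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Assumed shape of the lookup: the custom middle clause adds Blocked = 'No'."""
    row = db.execute(
        "SELECT username FROM userAccounts"
        " WHERE Blocked = 'No' AND username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def block_user(db: sqlite3.Connection, username: str) -> int:
    """What the Update ODBC settings do when limit-logins is exceeded."""
    cur = db.execute(
        "UPDATE userAccounts SET Blocked = 'Yes' WHERE username = ?", (username,)
    )
    return cur.rowcount


def blocked_users(db: sqlite3.Connection) -> List[str]:
    """Accounts an administrator has to review and reset by hand."""
    rows = db.execute(
        "SELECT username FROM userAccounts WHERE Blocked <> 'No' ORDER BY username"
    )
    return [r[0] for r in rows]


def walkthrough() -> Tuple[bool, bool, bool, List[str], bool]:
    db = make_db()
    before = login_allowed(db, "dave", "pw-dave")    # correct password, not blocked
    block_user(db, "dave")                           # limit-logins exceeded for dave
    after = login_allowed(db, "dave", "pw-dave")     # same password, now no record returned
    other = login_allowed(db, "erin", "pw-erin")     # other accounts are unaffected
    review = blocked_users(db)
    # Nothing in the procedure resets the field; it stays 'Yes' until someone changes it.
    db.execute("UPDATE userAccounts SET Blocked = 'No' WHERE username = ?", ("dave",))
    restored = login_allowed(db, "dave", "pw-dave")
    return before, after, other, review, restored


if __name__ == "__main__":
    print(walkthrough())
```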


Q. The proxy server at AOL, etc. are driving me crazy. I am spending too much time analyzing whether my users are cheating on their subscriptions or just victims of these proxy servers. I sell individual memberships to technical data. I only have about 50 users, and they do not pay a lot, but it is necessary to protect the data. Is there anything that can be done? I have entered the AOL server ip's, but that effectively allows anyone using AOL to cheat. Now it appears that there are others doing the same as AOL.

A. With standard WebQuota you can use cookie based authentication to better identify concurrent logins with the same username (better known as password sharing).

Because HTTP is stateless, every request is unique. What that means is with AuthentiX, each username is checked for authentication, but there is no way to tell if it is one user or four users logging in at any one time. In the past, WebQuota Standard allowed you to look at the username, and the IP address. This helped identify unique users (during a session, a username would only have one IP address). Ah, but AOL and Earthlink decided to change IP addresses, even mid session. A valid user could now appear to be coming from different IP addresses...even during the same session. Enter the new and improved WebQuota Standard. Now you can use cookies to uniquely identify a user during a session. This stops password sharing cold. If you want to create individual thresholds for account abuse based upon username, then you'll still need to use WebQuota CMCL rather than standard WebQuota.

NEW!! WebQuota now includes cookie based Limited Concurrent Logins protection - which prevents password sharing, even for users with revolving IP addresses!
(Note: if you are upgrading, you will need to get a new registration code - with FUNCTIONALITY_PER_BROWSER set. However, if you can see the Concurrency Metering Radio buttons in the Cookie dialog box, you should be fine.)

See GetConcurrencyToken and setup instructions.

Note that this will mean that the Limit-login email warnings will show the session id instead of the remote IP address (of the form "NIN0IANIN0KXNC0KZMQIQIQUMKJAIBNTAIANKZIX0NKY0KX").

Will says:
This works well. I had to add the following line:
' whichType: 1 for per-directory, 2 for sitewide
cookieValue = cookieValue + authx.GetConcurrencyToken(2, cookieName)
Once I added that it worked for AOL accounts.

Thanks Will!


Q. What is the process that takes place to validate a user.

A. With Basic Authentication, when a request comes in for a protected directory and there is no Base 64 encoded authentication header, a 401 Access Denied message is returned. This should tell the browser to prompt for a username and password and send the results in a Base 64 encoded authentication header. If there is a Base 64 encoded authentication header, then it is decoded and matched against the internal database. This happens for each request. If you are using ODBC, then the user is looked up and the username/password is cached (for a period you specify in Options). If you change ODBC passwords on the fly and want the change to be immediate, the cache can be purged using the ASP/OCX method ODBCRemoveUserFromCache.

With cookie protection, once the user has entered their credentials via a form, OCX methods set a cookiename and a cookievalue (both encoded but not with Base 64) and apply it to the protected directory. When the cookie protected directory is accessed, the Software looks for these special cookies, and validates against them.
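
The Basic Authentication sequence in this answer, modeled in Python as an added example (not AuthentiX's implementation): a missing or malformed header gets a 401, a present header is Base 64 decoded and compared on every request, and ODBC lookups are cached for a set period. The class, the dictionary standing in for the ODBC table, and remove_user_from_cache (standing in for ODBCRemoveUserFromCache) are assumptions.

```python
import base64
import hmac
from typing import Callable, Dict, List, Optional, Tuple


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the prompt: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header; None if it is absent, not Basic, or malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")  # a password may itself contain ':'
    return (user, password) if sep else None


class CachingValidator:
    """Hypothetical model of the per-request check with a timed credential cache."""

    def __init__(self, lookup: Callable[[str], Optional[str]], cache_seconds: float,
                 realm: str = "members") -> None:
        self.lookup = lookup                # stands in for the ODBC query
        self.cache_seconds = cache_seconds  # the period set in Options
        self.realm = realm
        self.cache: Dict[str, Tuple[str, float]] = {}  # user -> (password, time cached)
        self.lookups = 0

    def _expected_password(self, user: str, now: float) -> Optional[str]:
        hit = self.cache.get(user)
        if hit is not None and now - hit[1] < self.cache_seconds:
            return hit[0]
        self.lookups += 1
        password = self.lookup(user)
        if password is None:
            self.cache.pop(user, None)
            return None
        self.cache[user] = (password, now)
        return password

    def remove_user_from_cache(self, user: str) -> None:
        self.cache.pop(user, None)

    def handle(self, authorization: Optional[str], now: float) -> Tuple[int, Dict[str, str]]:
        """Return (status, response headers) for one request to a protected directory."""
        challenge = {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
        creds = parse_basic_header(authorization)
        if creds is None:
            return 401, challenge  # the browser prompts and retries with the header
        user, supplied = creds
        expected = self._expected_password(user, now)
        if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 401, challenge
        return 200, {}


def walkthrough() -> Tuple[List[int], int]:
    db = {"carol": "old-pw"}  # constructed sample data
    v = CachingValidator(db.get, cache_seconds=300)
    statuses = [v.handle(None, 0)[0]]                                   # no header yet
    statuses.append(v.handle(basic_header("carol", "old-pw"), 1)[0])    # database lookup
    statuses.append(v.handle(basic_header("carol", "old-pw"), 10)[0])   # served from cache
    db["carol"] = "new-pw"                                              # password changed
    statuses.append(v.handle(basic_header("carol", "old-pw"), 30)[0])   # old one still cached
    statuses.append(v.handle(basic_header("carol", "new-pw"), 31)[0])   # new one not yet known
    v.remove_user_from_cache("carol")                                   # purge, as the FAQ advises
    statuses.append(v.handle(basic_header("carol", "old-pw"), 40)[0])
    statuses.append(v.handle(basic_header("carol", "new-pw"), 41)[0])
    return statuses, v.lookups


if __name__ == "__main__":
    print(walkthrough())
```

Until the cache entry expires or is purged, the old password keeps working and the new one is rejected, which is the window the purge method closes.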


Q. I want cookie based login with a form, not Basic Authentication with a pop-up dialog.

A. Cookie-based authentication allows you to make various extra settings, such as timeout.
Browsers that do not have cookies enabled will be denied access. See the dialog here: cookie.htm

Note, Windows 2003 requires version 6.0 and above for cookies to work correctly.

The Software comes with samples to help you get started with cookie authentication:
Look in the ASPocxSamples\CookieLogin-SiteWide subdirectory of the installation directory.
Map a virtual directory to this directory. Then use AuthentiX to protect the members sub-directory with cookie-based protection. See the dialogs above.

Note that if you are using per-directory cookie login, the URLs that AuthentiX checks are case sensitive. Make sure that links into the protected area are all lower case (or match the case of the directory you specified when setting up the cookie).

If you suspect the cookie is not being correctly passed to the server, setup cookie protection as normal, then place debug.asp (there are several of these in the samples directories) into the protected area. Then -remove- the protection in AuthentiX (you can just rename the directory in AuthentiX to keep your settings), and redirect to the debug.asp. This will show you what cookies have been set. Remember to View Source, because the angle brackets in the cookie value will be interpreted by the browser as failed html tags.

If you are having problems with your implementation of cookie-based protection, go back to ASPocxSamples\CookieLogin-SiteWide, and protect the members subdirectory.
This will work, then step forward to where you want to be.

Please do not call or email tech-support with a whole set of asp files you have created saying "it does not work - help". We are not equipped to handle this kind of enquiry unless it is on a consulting basis.

If you are still having problems, and you are authenticating against an ODBC database, please supply the answers to the following questions:

  • Start with Basic Authentication and Internal database.
    Works? Yes or no.
  • Then Basic Authentication with ODBC database, Standard select statement.
    Works? Yes or no.
  • Then cookie Authentication with internal database, using the sample provided only, with no modifications.
    Works? Yes or no.
  • Then cookie Authentication with ODBC database, Standard select statement, using the sample provided only, with no modifications.
    Works? Yes or no.
  • Advanced Users only: If you are using stored procedures, or By COM, make sure you follow the instructions here regarding GetCrypt.

Here is the zipped source code. However, DO NOT use this as the sample to get you started; it is just for reference. Instead, start with the CookieLogin-SiteWide sample mentioned above.

Here is the online documentation for the OCX cookie methods:
http://www.flicks.com/authentix/authxref.htm
http://www.flicks.com/authentix/cookieSWValue.htm

If you are implementing cookie login at your ISP who supports AuthentiX, you will need to get the CookieLogin-SiteWide samples by downloading the free trial download, install it, and refer to the installed samples. Remember if you are using the samples on AuthentiX ISP version, you will need to change the line:
usingAuthentiXStandard = true
to usingAuthentiXStandard = false
If you are at an ISP, and you are administrating by Host-Header or directory, then you will also need to uncomment the line
protectedDomain = "hostheader.com"
and change the value appropriately. If you don't do this right, you will get lots of -3 errors.

If the remote admin just seems to hang, try the /aspadminisp/standardtext/ directory instead.


Q. Logout a user, tips and traps.

A.

Yes, with cookie-based login, it is possible to have a user logout. There are samples in the installation directory for all the types of cookie-login.

If you need the logout capability, we recommend turning off keep-alives on the server, because requests will continue to be served even after the user has logged out. Credentials are only requested at the start of each stream, which can last over several requests with keep-alive on.

If instead you need to use keep-alives then we need to tell the server to terminate the keep-alive from the logout.asp page. Add the following 2 lines to the end of the logout.asp:

response.buffer = true
response.flush
This will tell the server to terminate the connection, and fresh credentials will be required from now on.

Also remember that cacheable pages will remain in the browser's cache until it is emptied.

If you experience problems, try this script

In the logout.asp file, after the section of code:

' whichType: 1 for per-directory, 2 for sitewide
ccresult = auth.ClearConcurrencyToken(2, protectedAbsPath, Request.Cookies(cookieName)) ' only useful with WebQuota CMCL Edition, no-op otherwise
if 0 = ccresult Then
' all well and good
Else
response.Write("ClearConcurrencyToken failed with error code: " & ccresult & ", check the event log")
response.End
End if


Add the following:

currentUserText = Request.Cookies("AXCOOKIELOGIN")
if ("" <> currentUserText) Then
currentUser = Right(currentUserText, Len(currentUserText) -1)
currentUser = Left(currentUser, Instr(currentUser, ">") - 1)
End if


' MAKE SURE protectedAbsPath is all LOWER CASE!
' and IIS Application is Low (IIS Process) for this directory.
unLockResult = auth.UserUnlock(protectedAbsPath, currentUser)
if (0 <> unLockResult) Then
'response.Write("UserUnlock returns: " + CStr(unLockResult))
else
'response.Write("UserUnlock returns: " + CStr(unLockResult))
end if



Q. I notice that once I have entered a username and password to access a directory, I don't have to enter it again. Because several people share each computer/browser that access the directory, how do I turn this caching off?

A. You are using Basic Authentication, and the browser caches the username and password. Browsers differ in their behaviour, but they will always cache a username/password for a URL directory until they are closed. Some will save the cached information for when they are restarted, although this is usually configurable. If you could turn caching off, you would be prompted for your username and password on every request for each file and image!

You can achieve what you want to do using cookie based authentication and setting a timeout. Click here for more info


Q. With Cookie based protection, I am trying to get the cookies to be persistent, but they always seem to expire with the session. I don't want the user to log in each time they come to the site. How do I make the cookies persistent?
A.

To make the cookies persistent, set the date you want the cookie to expire in the loginNow.asp (or equivalent) script, eg:
response.Cookies(cookieName).Expires = #July 4, 2010#
Response.Cookies("name").Expires = Date + 365
Response.Cookies("name").Expires = #January 01, 2011#
Response.Cookies("name").Expires = #01/01/2014#
Response.Cookies("name").Expires = #7/30/12 00:00:00#
should all be valid.


Q. I am protecting a directory called "secure" with cookies - it works with IE but not with Netscape!
A.

Netscape doesn't transmit cookies to directories called "secure". Or in fact any directory with "secure" in it, eg "secureRoot". Bizarre but true.
Rename the directory and protect that instead (remember to change the values in loginnow.asp).


Q. I am using "site-wide" cookie-login, but if the directory just below the root directory changes case (for example with a link which goes to the same directory, but with upper-case instead of lower-case letters in the URL), then the user is logged out!
A.

If you login to a URL like
http://www.yourdomain.com/maindir/area1/members/index.htm
and index.htm has a link to
http://www.yourdomain.com/MAINDIR/area1/members/index.htm
then the AXCOOKIELOGIN cookie is not passed by the browser to the server!

In the easyloginnow.asp file (or your equivalent) add the line:
response.Cookies(cookieName).Path = "/"
after the line
response.Cookies(cookieName) = cookieValue

This explicitly forces the browser to apply the cookie to every directory on the site, regardless of case. This line is added from version 5.1 on up, so recent users should not experience this problem. Not sure why browsers behave this way.
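
Browsers compare a cookie's path with the request URL as a case-sensitive prefix, while host names ignore case, which accounts for the behaviour in this answer. The following added Python example (not from the original FAQ or from AuthentiX) implements the path rules of RFC 6265 section 5.1.4 and runs them over the FAQ's two URLs; the location of the login script and the two extra links are assumptions.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def default_path(request_path: str) -> str:
    """Cookie path used when no Path attribute is set (RFC 6265, section 5.1.4)."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: a case-sensitive prefix test on whole path segments."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_sent(set_by_url: str, path_attribute: Optional[str], request_url: str) -> bool:
    """Would a host-only cookie set by set_by_url accompany a request for request_url?"""
    origin, target = urlsplit(set_by_url), urlsplit(request_url)
    if origin.hostname != target.hostname:  # .hostname is lower-cased: hosts ignore case
        return False
    if path_attribute and path_attribute.startswith("/"):
        cookie_path = path_attribute
    else:
        cookie_path = default_path(origin.path)
    return path_matches(cookie_path, target.path or "/")


def links_losing_cookie(set_by_url: str, path_attribute: Optional[str],
                        links: List[str]) -> List[str]:
    """The links on which the browser would not send the login cookie."""
    return [url for url in links if not cookie_sent(set_by_url, path_attribute, url)]


# Assumption: the login script that sets the cookie lives directly under /maindir/.
LOGIN_URL = "http://www.yourdomain.com/maindir/easyloginnow.asp"
LINKS = [
    "http://www.yourdomain.com/maindir/area1/members/index.htm",   # from the FAQ
    "http://www.yourdomain.com/MAINDIR/area1/members/index.htm",   # from the FAQ
    "http://WWW.YOURDOMAIN.COM/maindir/area1/members/index.htm",   # constructed: host case only
    "http://www.yourdomain.com/maindirectory/index.htm",           # constructed: not a segment match
]

if __name__ == "__main__":
    print("no Path attribute:", links_losing_cookie(LOGIN_URL, None, LINKS))
    print('Path = "/":       ', links_losing_cookie(LOGIN_URL, "/", LINKS))
```

With Path set to "/" the cookie accompanies every request to the host, including requests for directories that are not protected.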


Q. I am confused about cookie-timeouts on the browser, AuthentiX cookie timeouts, and the limit-concurrent-login timeout.
A.

Yes, there are several different levels, each with their own subtle requirements and reasoning.

The three timeouts you mention are:

1) The browser - on the server you can set a cookie to timeout after a certain time, which means the cookie can persist beyond closing the browser, or disappear while the browser is open if it is set for a very short time. With no timeout specified when the cookie is created, it is destroyed at the end of the session, ie when the browser is closed.

2) The AuthentiX internal cookie timer (which you can set to be 2 minutes or 600 minutes), which decides at the server (independent of the client browser) when a cookie has timed out, requiring a fresh login. This is intended as a "lower limit" of time, so that a user is forced to log back in if they have not been active in a (short) period of time (maybe they went to the water-cooler).

3) Limit-logins timeout ie whether a "user session" has finished. This is deemed to be 10 minutes after the last http request. This is intended for "upper limit" of time, so that a session is deemed abandoned after 10 minutes. This is useful if a dial-up connection has been dropped. If you were to increase this to 600 minutes, each dial-up connection that is dropped will eat up 1 concurrent login - with undesirable results.

The limit-logins timeout works with both Basic Authentication and cookie-based login, so do not imagine that the internal cookie timer and limit login timer are connected.

This means that a browser could have a non-expired cookie, and yet because there has been no activity for a while, then the limit-login has timed-out, which will allow a 2nd user with the same name to login. If the first user tries to access the protected directory they will be denied access because of limit-logins, even though their cookie is still valid.

With Limit-logins one user cannot "lock out" an account, for long periods of time, even though they are not accessing the site.


Q. With Cookie based protection, I want the user to login once, then have access to multiple different directories.
A.

Cookie Site Wide Value (CookieSWValue) is the best tool for this.

However if you want different per-directory restrictions the following will apply:
Determine what groups and directories a particular user has permissions for when the user first logs in (loginnow.asp). Then set the correct cookies for all the appropriate directories. So you would do something like this:

' lookup up the user in the database,
' figure out which directories+URLs he has access to
' for each directory+URL do this:
protectedAbsPath = "c:\aspmail\ACookieLogin\example2\members\"
protectedDirectory = "/aspmail/ACookieLogin/example2/members/"
cookieName = AuthX.CookieLoginCookieName(protectedAbsPath, _
			protectedDirectory _
			)
cookieValue = AuthX.CookieLoginValue(serverName, _
			protectedAbsPath, _
			Request.Form("USERNAME"), _
			Request.Form("PASSWORD") _
			)
response.Cookies(cookieName) = cookieValue
response.Cookies(cookieName).Path = protectedDirectory
Cookie-based protection must actively set the cookie on the browser for each protected directory via ASP, rather than Basic which passively rejects unauthorized access with a 401 reject message.

With Basic Authentication, the browser automatically caches the username and password for each directory. With cookie-based protection it is necessary to emulate this behaviour.

You may want to have a single login for the entire protected area (/members in this example), and yet discriminate access between each of several sub-directories. For example

/members/secretaries
/members/developers
/members/managers
/members/administrators
/members/executives
/members/finance
If you are using the AuthentiX internal database, then conditionally set the appropriate cookies (within if/then/else/end if) depending on the USERNAME's groups, using UserGroups or GroupHasUser.

If you are using an ODBC database, then use ADO and set the appropriate cookies based on the query results for that user.

The directories you set for cookie protection are case sensitive. If you protect "c:\inetpub\wwwroot\membersonly" links to "c:\inetpub\wwwroot\MEMBERSONLY\asecretPage.htm" will take you back to the login page with "Denied_Empty".

Also check out CookieSWValue for an alternative choice for cookie validation.


Q. I get an error titled "Setup initialization Error". The message is "Insufficient memory to run the setup".
A.

Refer to these links

Click here

or here:

or here

using: Q101828

"Insufficient Memory" Error Occurs When Launching Setup.exe on Systems with Too Much Extended Memory

Document ID: Q101828
This article applies to the following: Product(s): InstallShield 5.x Professional, InstallShield 3, InstallShield Express 2.1x Last Revised On: 12/09/1999

Symptoms
On systems with large amounts of extended memory ( < 128 MB of RAM), Setup.exe will fail to launch. An error message is displayed stating that there is insufficient memory available to run the setup, even though this is not the case.
Cause
When Setup.exe is launched, it first checks the memory available. The check it performs was not designed to take into account such large amounts of memory, and returns failure.
Workaround
You can disable this memory check routine by using the -z switch when launching Setup.exe. This will prevent Setup.exe from reporting any errors due to available memory. Note: The -z switch only affects the initialization process. If you are performing any memory checking routines later on in the setup through the script, they will still function as expected regardless of whether this switch is used.


Q. I'm using Cookie-protected directories over an SSL connection and I cannot download zip files (or Save-target-as) with Internet Explorer (Netscape works fine). (.pdf, .xls, .doc, .zip, .exe).

A. Normally AuthentiX sends a pragma-no-cache with each file that is served in a cookie-protected directory. If you have cookie-timeouts set, this ensures that a page will not be cached in the browser and remain available for viewing after the timeout has expired. When IE tries to download a file over SSL, this header causes a problem and you need to switch the pragma-no-cache off.
(For IIS6 this now also seems to be true for .exe files.)
With SSL, the default setting for all browsers is not to cache pages from SSL encrypted sites, so the pragma header is unnecessary anyway.

To switch the pragma-no-cache off, use regedt32.exe to add a value under the registry key

HKEY_LOCAL_MACHINE\Software\Flicks Software\AuthentiX\1.0\AuthentiXConfig

The value is of type REG_DWORD and named CookieStopNoCache. Set it to 1 to stop the no-cache.
Then stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web Publishing Service (IIS3) from the control panel.

Other options are CookieStopPrivate, to stop the "Cache-control: private", and CookieStopExpires, to stop "Expires: 0".

One user reported that hitting the back button after submitting a form in Netscape resulted in:

Data Missing
This document resulted from a POST operation and has expired from the cache. If you wish you can repost the form data to recreate the document by pressing the reload button.

To remove this message he used the following options:
CookieStopExpires 1
CookieStopNoCache 1
CookieStopPrivate 0

See also Media.

See also Reprompt.

Back to the top of the FAQ

Q. I'm serving up .pdf, .xls, .doc, .zip, .exe files, however if I open them in a new browser window using the javascript:window.open function, the cookie gets lost and the file cannot open!

A.

Yes, some integrated browsers are still not working right in all situations.
Try notifying the author of the software. You may have to go back to opening it in the same browser window.

Back to the top of the FAQ

Q. Can I install two copies of AuthentiX on two different sub-webs under IIS4 (and above)?

A.

At its core AuthentiX is an ISAPI filter, which needs to be installed at the machine level (not on a sub-web or the default web). Only one copy of the software can be installed on one machine. The administration of AuthentiX (Standard) applies to the whole machine, and if a person has access to the remote administration module, they will be able to modify access restrictions for all directories.

AuthentiX ISP separates the administration and access protection by web-hosted IP address, and each administrator only has control of access protection for their own IP address, and cannot protect directories that are requested via other IP addresses on the same machine (unless each ip address has a virtual directory that points to the same single physical directory in which case they can).

Back to the top of the FAQ

Q. Basic Authentication: how can I log a user out?

A.

The browser caches the username and password until the browser is closed. The Basic Authentication protocol does not allow you to "logout" a user without changing his password. The Basic Authentication protocol does not support the notion of timeout either. You could use AuthentiX cookie-based authentication which supports timeouts and logouts.
Also see cookies and tips.

Back to the top of the FAQ

Q. I have two different websites with different domain names (ie www.abc.com and www.efg.com), and I only want the user to log in once for access to both of them.

A.

1) If the two domain names are off the same primary domain (eg roundPeg.maximus.com and squareHole.maximus.com) then be sure the Realm is identical for both of them. This should cause the browser to supply the username and password to both. If this does not work, or if the two domains are different (eg www.theOne.com and www.theOther.com) then

2) Using Basic Authentication, create an ASP page which gets the current username and password. Then construct a URL link of the form
http://username:password@www.theOther.com/protectedDir - but see here
This link will log them in on the other website.

3) If you are using cookie-based protection, then make the link a POST and in the form, have a couple of hidden fields which correspond to the username and password. POST to a non protected ASP page on the second webserver, have that ASP page set the cookies on that server, and redirect into the protected area.

Back to the top of the FAQ

Q. Implementing a multiple domain authentication model

A.

To successfully implement a multi domain Authentication model (using the BY NT authentication method), append the domain name + "\" to the beginning of username. Using this method you are able to authenticate against multiple domains. For example:

Domain1\userid will query the domain1 PDC for the validity of the authentication credentials.

Back to the top of the FAQ

Q. 16bit, 16-bit 16 bit errors on Installation. NTVDM.

A. Kevin, your FAQ should definitely include a comment in it about installing from a directory that is longer than 8 characters on machines that have 8.3 filenames disabled. Microsoft says that 8.3 filenames should be turned OFF for security, and that caused your software to exit with a mysterious message when I tried to install it from the C:\authentix directory on my server. The problem is caused by a 16-bit install program that you're using. You can easily duplicate the problem and the error message by changing the registry values below, using regedt32.exe, from 0 to 1 (see the URL below for more info). Try making these changes, and then install from a directory that has more than 8 characters in its name to duplicate this problem:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/FileSystem/
  NtfsDisable8dot3NameCreation [change value to 1]
  Win31FileSystem [change value to 1]
See http://www.microsoft.com/TechNet/security/iischk.asp#6

Thanks Steve, now it does!
Seems like other programs, even IE can have this problem too!
http://support.microsoft.com/support/kb/articles/Q183/3/87.ASP

Note also that the install application requires the 16bit WOW Services to be running. If you have removed WOW from the server then the install will fail.

One user resolved the issue this way:
as a work-a-round I used SMS Installer to package it as a 32bit app and installed it from that. This has worked with a small amount of manual tweaking such as adding the filter and copying the authxocx.ocx to a directory off the root without spaces and less than 8 characters and registering it from there.

Also see here.

Back to the top of the FAQ

Q. Problems with HSphere/H-Sphere from Positive Software

A. ISAPI filters are expected to behave "well", ie pass on all information that they don't use to the next filter. This is true for all filters, doubly so for Medium priority filters, triply so for High priority filters.

HSphere or H-Sphere installs a High priority filter called htaccess.dll. This filter behaves badly - it strips out Basic Authentication information regardless of whether it uses the data or not.

Low priority, well behaved filters like AuthentiX thus do not have access to this information, and operations like CurrentUserName will not work properly because of H-Sphere. Contact H-Sphere to report this bug to them.

Open Tech Support Question at https://www.psoft.net/support/
8/30/05
id 3041-RYJB-2428

Latest response from psoft 9/2/05:
" You can delete htaccess.dll filter on your own mind, but the reason of this issue is that we did not support AuthentiX at all.
Dmitry Yatsyk
Windows Developer Team
Positive Software Corporation"

Not a particularly positive response.

In my opinion, not supporting another product should not mean disabling it.
I would urge that you contact them at support@psoft.net.

Possible workaround:
I have not tried this, but making the dll Low Priority and after the AuthentiX filter may help.

Back to the top of the FAQ

Q. Can we use AuthentiX as well as maintain IIS directory and NTFS security?

A. You could choose to map requests to an NT user for a directory (eg MemProxyUser), see http://www.flicks.com/authentix/discover/access/protectBy.htm

Then remove permissions for that directory for all but that NT user. If someone accidentally removed the AuthentiX filter, NTFS would take over.

Also see here.

Also try turning on security auditing for authx.adb, make sure that only the right people are accessing it.

Are you using the internal database? If so make sure you have less than about 5000 users, see here

Back to the top of the FAQ

Q. How do I map Authentix to use an NT account?

A. First create the user in NT that you'll want to have mapped through Authentix. Once you've done this, edit your NTFS security properties for the directory or directories you want protected. If you add a group to the NTFS permissions, make sure your user is in that group!

In Authentix, click Access from the menu. Then add the directory you want to protect and map to the NT account. Once added, click on the Basic/Cookie tab: Choose Map Requests to NT User: and enter the correct NT Username and NT Password. Then click on By Internal DB tab and make sure you enter the Authentix group or user(s). Click OK, OK, OK, OK.

Now you'll need to open IIS MMC, Internet Service Manager, to edit the web site security. Find the web site of interest and open to the directory that is to be protected. Right-click on the directory name and click on Properties. Under Directory Security, make sure Allow Anonymous is on, and Basic Authentication is off, and NTCR (Integrated Windows Authentication in Windows 2000) can be on or off, however we recommend turning this off if you are having problems.

Also see here.

Back to the top of the FAQ

Q. Password expiration - how is this done?

I can see there is user expiration. Is there a way to have passwords expire with AuthentiX?

A. I am assuming you are using the internal database, but you can make this work with ODBC too.

User expiration and password expiration are really the same thing. The user will exist even though expired.
Using Basic Authentication, in the access denied page, offer them a link to change their expired password (among the other sign-up offer links).
With Cookie-based authentication the denied url will indicate the reason, and you will be able to use ASP to tell them they have expired, and go to change their expired password.

Then ask them to enter their username, old password, new password. In the script that processes the form, check their details and if all checks out, set the new password as well as the new expiration date (if any).

There is a sample that does this in the ASPocxSamples\changePassword subdirectory.

Back to the top of the FAQ

Q. I want to use Windows NT/2000 Load Balancing Service for multiple webservers in a cluster. What do I need to consider when using WLBS and/or Microsoft Application Center (MAS) with AuthentiX/WebQuota?

A.

You will need to authenticate against a centralized ODBC database.

Basic Authentication will work just fine if a user is switched from one machine to another.
Cookie-based should work fine too (the AuthentiX Cookie based protection is not session based, so there are no worries about storing sessions in a back end db). However you will not be able to utilize the AuthentiX server-side cookie timeout feature (setting a cookie to expire on the browser will still work of course).

Unlike session based systems (see the white paper on affinity below) AuthentiX works great on clusters. If you have any problems, please let us know.

In the white paper for Microsoft Windows NT/2000 Load Balancing Service, the section on Affinity and Session Support provides the key information:
"WLBS supports client sessions and Secure Sockets Layer (SSL). If a server application (such as a Web server) maintains state information about a client session that spans multiple TCP connections, it is important that all TCP connections for this client be directed to the same cluster host. Should a server or network failure occur during a "stateful" client session, a new logon may be required to re-authenticate the client and re-establish session state."

So long as the domain name (eg www.domain1.com) remains the same across requests, then the browser will continue to supply the cookie-based or Basic Authentication logon credentials in the http request. If you have AuthentiX installed on each machine in the cluster, then users will not have to login each time they are served by a different machine in the cluster.

The white paper goes on to say:

"WLBS also allows modification of session support to direct all client requests from a TCP/IP Class C address range to a single cluster host. This feature ensures that clients which use multiple proxy servers to access the cluster will have their TCP connections directed to the same cluster host. The use of multiple proxy servers at the client's site causes requests from a single client to appear to originate from different systems. Assuming that all of the client's proxy servers are located within the same 256 host Class C address range, WLBS ensures that client sessions are properly handled with minimum impact on load distribution among the cluster hosts."

WebQuota and WLBS both use this same method of dealing with proxy clients such as AOL.

Another opinion on load balancing from Adwait Ullal:
"Your best (and easiest, in terms of no coding changes) bet would be to look at any of the hardware load balancers, such as Cisco's Local Director, Alteon (I forget the product name), etc.
They usually have a 'sticky bit' option wherein a user coming to a particular server will return to the same server on subsequent visits."

More info from Hank:
I successfully clustered the Authentix by installing the application on node A while it has control of the drive array that is swapped between nodes. Once finished, swap nodes and install the application on node B (GUI and ALL).

Anytime you move nodes, your GUI will work. Here is the catch to making this work. Copy the flicksflt (sorry am at home and don't remember the exact name of the filter for IIS) DLL and the OCX to a location on your C: or OS drive. You will have to go to IIS MMC and point to the filter that you copied to the C: or OS drive. Do this on each node.

The reason why I had to do this is that whenever the nodes were moved, the web sites would fail and try to roll back to the node that initiated the move. I think the reason why this happens is that IIS is not ready because of the filter DLL and OCX are trying to be started from that shared drive array. If you move them to the C: or OS drive, IIS is happy because it always has a copy of the IIS filter.

Hope this helps.

Hank

Also see here .

Back to the top of the FAQ

Q. I have WebQuota, what are the optimal settings for preventing account abuse?

A. WebQuota provides several tools for preventing account abuse, including:

  • Limiting concurrent logins.
  • Throttling bandwidth consumed
  • Dictionary Attack Protection (DAP)

Here are some suggested settings for each. Apply these settings to each directory you have protected with WebQuota/AuthentiX.

Limit concurrent logins enabled checked:
Concurrent logins exceed: 3
Deny Excess checked
Notify by email checked, fill out the Configure Email dialog appropriately.
If you are using the internal database: Expire account checked
If you are using the ODBC database: Update ODBC Database checked, fill out the Configure ODBC Update dialog appropriately.
In the main GUI dialog: Options dialog: Limit-Concurrent-Logins, consider only top three octets checked

Throttles enabled checked:
Restrict Kbytes served to each user: Checked
Permit up to 10000 kbytes in each 3 hour period.
Restrict Requests served to each user: Checked
Permit up to 1000 requests in each 1 hour period.
Restrict Sequential logins to each user: Unchecked

Dictionary Attack Protection enabled checked:
If login attempt fails more than 50 times
within 30 minutes
block IP address checked for 60 minutes
Write to event log checked

Remember these are just suggestions, you can fine tune these settings to your own requirements.
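
To see how the suggested thresholds behave before applying them, the following added example models the Dictionary Attack Protection and concurrent-login rules in Python and replays a constructed login log through them. It is not WebQuota's own code: the class and function names, the log format and the 20-minute session lifetime are assumptions made for illustration.

```python
# Added example: a model of the suggested settings, not WebQuota's implementation.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress


def top_three_octets(ip):
    """Collapse an IPv4 address to its first three octets (its /24 network)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


class DictionaryAttackGuard:
    """Block an IP once its failed logins exceed max_failures within window."""

    def __init__(self, max_failures=50, window=timedelta(minutes=30),
                 block_for=timedelta(minutes=60)):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block lifts
        self.event_log = []                 # stands in for "Write to event log"

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)    # block expired or never set
        return False

    def record_failure(self, ip, now):
        """Register one failed login; return True if the IP is blocked."""
        if self.is_blocked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # age out failures older than the window
            recent.popleft()
        if len(recent) > self.max_failures:   # "fails more than 50 times"
            self.blocked_until[ip] = now + self.block_for
            self.event_log.append((now, ip, len(recent)))
            recent.clear()
            return True
        return False


class ConcurrentLoginLimiter:
    """Deny a user's request once it arrives from more than `limit` origins."""

    def __init__(self, limit=3, session_ttl=timedelta(minutes=20), by_network=True):
        self.limit = limit
        self.session_ttl = session_ttl      # assumed lifetime of an idle login
        self.by_network = by_network        # "consider only top three octets"
        self.active = defaultdict(dict)     # user -> {origin: last seen}

    def request(self, user, ip, now):
        """Return True if the request is served, False if denied as excess."""
        origin = top_three_octets(ip) if self.by_network else ip
        seen = self.active[user]
        for stale in [o for o, t in seen.items() if now - t > self.session_ttl]:
            del seen[stale]
        if origin not in seen and len(seen) >= self.limit:
            return False                    # "Deny Excess"
        seen[origin] = now
        return True


def replay_log(lines, guard):
    """Replay 'YYYY-MM-DD HH:MM:SS ip user OK|FAIL' lines; return block events."""
    for line in lines:
        date, clock, ip, _user, result = line.split()
        now = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        if result == "FAIL":
            guard.record_failure(ip, now)
    return guard.event_log


def sample_log():
    """Constructed log: 60 rapid failures from one address, 3 from another."""
    start = datetime(2014, 10, 6, 12, 0, 0)
    lines = [f"{start + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} 203.0.113.7 admin FAIL"
             for i in range(60)]
    lines += [f"{start + timedelta(minutes=i):%Y-%m-%d %H:%M:%S} 198.51.100.9 bob FAIL"
              for i in range(3)]
    return lines


if __name__ == "__main__":
    for when, ip, count in replay_log(sample_log(), DictionaryAttackGuard()):
        print(f"{when} blocked {ip} after {count} failures")
```

With by_network left on, a user whose requests arrive through several proxy addresses in one /24 counts as a single login, which is why the top-three-octets option is suggested alongside the limit of 3.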

Also see here.

Back to the top of the FAQ

Q. Inktomi Traffic Server

A.

FYI....Someone from my organization has determined what the problem is. They have an automatic proxy config script that most users are using to configure their proxy access to the internet. The proxy is an Inktomi Traffic Server. When using Netscape, the autoconfig script has no way of setting the exclusion list, therefore, any subsequent access to any protected site, Netscape deems this to be an internet (not intranet) site and since the Inktomi proxy server (or Netscape??) caches the user id and password, it passes that user id and password no matter what. Thanks for all your assistance in this matter.

Back to the top of the FAQ

Q. Can you show me the code you use for the AuthentiX and WebQuota signup forms - it sends confirmation email and adds the new user to the AuthentiX database...

A.

Sure, see the
"ASPocxSamples\WebQuota Signup Sample"
subdirectory of the installation directory for a copy of this code.

The sample asks for the email address, and uses that as the username, and you can see it in action here: webquota/freeTrial.htm

It is usually better to use a unique identifier such as their email address than letting them pick their own username, because if they pick their own username, you will have to write code to check the username does not already exist, which is a little more complicated (but easy enough to do really).

Back to the top of the FAQ

Q. I am using referral protection however, with MPEGS and pdf's it does not work - users are denied access, and with printing CSS I have the same problem.

A.

You need to set up the pdf Mime Type in IIS to get this to work properly.

In IIS Web Properties:
In the Mime Map area, click on the File Types.
Then New Type
First field enter your extension: pdf
Second field enter a description eg: Adobe Acrobat Files

See also here.

You could also try using cookie-based protection. Some clients (notably pdf) work properly with cookies.

The following are protected by referrer:

/pdf/MiniReader.pdf,77k
/pdf/iQuePalmManual.pdf, 5MB+
/pdf/ENUtxt.pdf, 7k

For WMV files, you will need to embed the video, (code for this is here).
/pdf/copycd.wmv, 373KB

You won't be able to directly access
http://www.flicks.com/pdf/iQuePalmManual.pdf
for example. Cut and paste the url into your browser to see.

Back to the top of the FAQ

Q. I am using AuthentiX ISP and the aspAdminISP asp web pages for remote administration, and I am getting -14 users, and other strange results. In the Administrator Settings, it tells me "This domain has a bad password (status: 2). See your ISP Administrator".

A.

As the Administration Settings page indicates, the domain has a bad password.
Go to the Windows AuthentiX GUI, select the domain, and click on password. Make sure the value there corresponds with the value in incl.asp
auth.SetVirtualDomainPassword("")

You can get a copy of the incl.asp by copying from the AspAdmin (AuthentiX Standard) or AspAdminISP (AuthentiX ISP) directory in the installation directory.

Back to the top of the FAQ

Q. I just used AuthentiX to protect a directory that I've been working on, and I was shocked to find that after it prompted me for a username and password, I could click the browser's "forward" button, then the "back" button and lo! the protected page appears! Is this a security hole?

A.

This is happening because certain browsers will present the contents of the local cache when you navigate this way, i.e. if you had previously loaded the page, and it is in the browser's cache. Clear the cache when a directory is newly protected to see the normal expected behaviour (and the behaviour that visitors will see).

If you want to prevent this behaviour at the server-side, you could set the
Pragma: no-cache
directive on each page, for example with these META tags:

<META HTTP-EQUIV="Expires" CONTENT="0">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-control" CONTENT="private">

However this may have a performance impact, since the pages will not be cached.

Back to the top of the FAQ

Q. I want to have several different directories, each with different levels of access (corresponding to an AuthentiX Group), but I only want users to login once, then be redirected to the appropriate directory based on their group. How can I do this? I don't want to put 3 buttons from a free area because everyone will see the different access levels.

A. The answer is very similar to this question.

Make sure that index.asp is a permitted default file in your IIS configuration. Set up a directory structure as follows
/Main
/Main/Group1
/Main/Group2
/Main/Group3

Setup three groups in AuthentiX: Group1, Group2, Group3.

Protect /Main with all three groups.
Protect each subdirectory with its corresponding AuthentiX Group.

in /Main/index.asp have the following code:
Click on this link for code
Then make their first link into the protected directories /main/ and they will be passed into the appropriate access level directory.

Back to the top of the FAQ

Q. I expect to have tens of thousands of users, probably many more than that. Is the internal database the way to go, or how do you recommend I set up the site?

A. There is no hard-coded limit for the internal database, however if you have or are planning to have more than about 10,000 users it is advisable to use an ODBC database instead.

The internal database is designed to help get administrators up and running quickly. For large numbers of users a commercial grade ODBC database such as Oracle or SQL Server is more appropriate.

Note that you can check both the internal database and an external ODBC database on a single AuthentiX protected directory. If the internal database doesn't find the user, AuthentiX will do a lookup in the ODBC database.

Should this ODBC server still prove to be a bottleneck, consider moving the database to its own dedicated machine. You should be able to scale the dedicated database machine up as large as you wish according to the recommendations of the database manufacturer.

If this is still not enough, consider an IP address round-robin system such as the one Microsoft uses. Then have multiple copies of your website on several different machines ("web-heads"). Install AuthentiX on each of them and connect the AuthentiX protected directories to the appropriate DSN.

Also see here .

Back to the top of the FAQ

Q. Text file, versus Internal Database,versus ODBC, how do I choose?

A.

Setting up protection by Text-File is straightforward:
See http://www.flicks.com/authentix/discover/access/byTextFile.htm

However flat files are not recommended, since ordinary files do not have mutex protection, i.e. someone could have the file open in an editor for writing, so that no other process (such as the AuthentiX filter) can open it for reading, and no one can get in.

File based is mainly to help transition to the internal or ODBC solutions. Not recommended for more than a few hundred users.

The internal database is not a commercial grade database. It is mainly to help start up easily, prior to transition to an ODBC solution. Not recommended for more than several thousand users.

Also see here .

Back to the top of the FAQ

Q. I want the ability in ASP to take away content that a logged on user without sufficient privileges shouldn't see, for a particular page in a protected directory.

A. The answer is very similar to the question above.

Setup three groups in AuthentiX: Group1, Group2, Group3.

Protect /Main (the directory containing the page with the "variable" content) with all three groups.

in /Main/variable.asp have the following code:

' set to true for AuthentiX Standard, false for AuthentiX ISP
usingAuthentiXStandard = false
if (usingAuthentiXStandard) then
	axCtrlString = "AUTHXOCX.AuthXOCXCtrl.1"
	Set auth = Server.CreateObject(axCtrlString)
else
	axCtrlString = "AUTHXISP.AuthXOCXCtrl.1"
	Set auth = Server.CreateObject(axCtrlString)
	' use this line to automatically set
	' the domain to be the requesting IP
	protectedDomain = Request.ServerVariables("LOCAL_ADDR")
	' use this alternative if you are protecting by host header,
	' set protectedDomain to be -your- host header
	'protectedDomain = "hostheader.com"
	auth.SetVirtualDomain protectedDomain, Request.ServerVariables("SCRIPT_NAME")
	' check with your isp for your password, initially it is empty
	auth.SetVirtualDomainPassword("")
end if

' look up the logged-on user from the request's address, path and credentials
l = Request.ServerVariables("LOCAL_ADDR")
s = Request.ServerVariables("SCRIPT_NAME")
h = Request.ServerVariables("HTTP_AUTHORIZATION")
currentUser = auth.CurrentUserName(l, s, h)

' as used here, a GroupHasUser result of 0 means the user is in the group
if (0 = auth.GroupHasUser("Group1", currentUser)) Then
	response.Write("<P>Content for privilege level 1<P>")
elseif (0 = auth.GroupHasUser("Group2", currentUser)) Then
	response.Write("<P>Content for privilege level 2<P>")
elseif (0 = auth.GroupHasUser("Group3", currentUser)) Then
	response.Write("<P>Content for privilege level 3<P>")
else
	' the user is in none of the groups: stop before any content is written
	response.Write("Error - user not in any Group!")
	response.End
End If

The same mechanism can be used from cgi applications such as Cold Fusion (sample), Perl (sample), etc.

Back to the top of the FAQ

Q. I am using files that are played with Windows Media Player. When they are protected with AuthentiX and Basic Authentication, Windows Media Player cannot access them, when using IE, although Netscape works fine.

A. Make sure you have the latest version of Windows Media Player.
This is a bug with Basic Authentication and older versions of Windows Media player. The Basic Authentication username and password is not being passed to the player application. Netscape downloads the file and opens the application on that file, so it works fine. IE sometimes also has problems with Word files and other files it tries to launch. Call Microsoft and ask them when the fix will be ready (fixed in latest version). The tracking number is SRX 980 722 602 061. Bug number #31612. Some have moved to using a zipfile, or tried cookie-based authentication.

This problem does not occur with Netscape.

Also this, from Alex:

From: alex@event.com
To: aspflicks@ls.asplists.com
Subject: [aspflicks] RE: double logins problem
Date: Wed, 11 Apr 2001 10:07:49 -0700

Hi,

The first thing you want to check and ensure is that your "Realm" for each protection has the same name. If the names are different that will cause double prompting (even on the same server).

Another problem (which I believe is probably the one you have) is with the Microsoft Media Player. This problem has been fixed with the most recent version of Media Player. You will be double prompted for a username and password the VERY FIRST time you use the Media Player but if you opt to save your username and password you will not be prompted again.

Finally... if this doesn't work for you try configuring your IIS server. If you have footers turned on try turning them off. If you have footers off try turning them on and point the file to an "empty" file (ie. just a file with a space of a comment tag). It's a weird bug... I don't recall which is the correct solution because IIS4 and IIS (and above) were completely opposite solutions. I believe you had to turn footers ON for IIS4 and OFF for IIS5 (and above). Even Microsoft couldn't explain why the footers would affect playing a movie. :)

Hope this helps, Alex

See also here.

See also here.

Back to the top of the FAQ

Q. How can I protect access to two dbWeb "schemas"?
A. mark@apratech.org discovered that it is possible to protect dbWeb Schemas.

In dbWeb, the difference between two "pages" of information (schemas, as they are called by dbWeb) is just in the "command" line, i.e.
one is
http://www.apratech.org/dbweb/dbwebc.dll/cvers?getqbe
another
http://www.apratech.org/dbweb/dbwebc.dll/disks?getqbe

As you can see, the directories are the same; just the commands to the .dll are different.

The validation works great, but you have to leave the parameters off (everything including and after the question mark). So you can control access to two dbWeb schemas by authenticating the following:
http://www.apratech.org/dbweb/dbwebc.dll/cvers
http://www.apratech.org/dbweb/dbwebc.dll/disks

Back to the top of the FAQ

Q. I am using Oracle, where are the latest drivers?
A.

The latest Oracle drivers are here: http://www.oracle.com/support/catagories/html/drivers.html

However, note the following:

Date: Sat, 29 May 1999 14:24:29 -0400
To: support@flicks.com
From: Stephan Moskovic
Subject: update on oracle odbc for authentix

Hi Kevin,

I found out that the Microsoft ODBC drivers for Oracle work much better than the Oracle ODBC drivers. And also I found out that if I used the Oracle ODBC drivers for AuthentiX to log into Oracle and then used the MS Oracle drivers in ASP pages within the AuthentiX protected site it would crash/freeze IIS. The solution has been to modify all my ODBC calls to Oracle so that they use the latest Microsoft ODBC for Oracle drivers (mdac 2.0 drivers) instead of the Oracle ODBC drivers. The MS ODBC drivers for Oracle are also easier to use/install than the Oracle ones.

I thought you would be interested to know and that you should update your
FAQ.
regards,
Stephan.
Thanks Stephan!

Back to the top of the FAQ

Q. I am trying to authenticate with the Software and IIS against a database on another machine on my LAN. It doesn't appear to work. What do I need to do?
A. If you are using an Access database (mdb) on another machine, or an SQL Server on another machine using "Integrated" security, then you will need to tell the Software to impersonate a user that has access to that database.

Go to Options/ODBC, check the "Impersonate user when accessing database" checkbox, and enter the username and password of the user that has permission to access the remote database.

If you are using SQL server with Standard or Mixed security, and you have the username and password in the DSN, you will not experience this problem.

Back to the top of the FAQ

Q. I am trying to use an SQL database on the same machine which uses trusted (or mixed) security. The Test button works but it doesn't let me in.
A. When you are using this model, you will have the same problem and need the same solution as if you were trying to use a database on a remote machine.
Q.
OK, but why is it that only your software needs to do this to access the database? I have no problems with ASP, Cold Fusion, InfoMaker, Powerbuilder, etc.
A. It is to do with how the system loads services and the permission it assigns them. When the IIS service is loaded (and consequently the AuthentiX filter along with it) it is given a special identity. This identity only has anonymous access to local resources. If a service needs resources which require additional permissions, then the service (and any dll's it loaded) needs to impersonate a "real" user.
I cannot speak to the other applications you mention, however if they do not load as part of a system service, then they won't have the same kind of requirement, because they'll be running in the context of a "real" user (just like the AuthentiX windows GUI, when you hit the Test button).

Back to the top of the FAQ

Q. Inner Joins
A. When you use the custom select statement and the custom select statement is an inner join, make sure that the Password field that you specify does not contain a table qualifier.

For example:
select password text: Users.Password
custom select text: FROM ProjectUsers INNER JOIN Users ON ProjectUsers.UserName = Users.UserName Where ProjectUsers.Project = 'Project1' AND
Username text: Users.UserName

will succeed using the Test button, but will fail when trying to Authenticate actual web pages. Instead make sure you have
select password text: Password
without the Users. part.

This is because the test button merely executes the statement and returns the number of rows. However when authenticating, AuthentiX binds to the columns of the ODBC result, according to the names of the fields returned by the ODBC calls. These only return the field name, and not the table-qualified name.

Back to the top of the FAQ

Q. I've turned auditing on. With the remote admin/OCX component I'm getting
Failed on creation from object context: CoCreateInstance in the event log.

A. This is a permissions issue.

The top 3 solutions for initial permissions issues are as follows:

  • Make sure the directory you are trying to protect with AuthentiX is not protected by NTFS. Use Windows NT (2000) Explorer (not IE) to go to the directory/folder you are trying to protect with AuthentiX. Right click on it to bring up the Properties/Security/Permissions. Grant Read and Execute rights for everyone.
  • In the Microsoft Management Console (MMC) IIS settings for your site/directory, check that Allow Anonymous is ON, Basic Authentication is OFF, NTCR/Integrated/Digest Authentication can be ON or OFF.
  • Make sure the Flicks installation directory and all its subfolders and files have Full Control for Everyone. Also make sure the root directory has Read and Execute permission for IWAM_machinename and IUSR_machinename.
You can lock down the permissions by experimentation later, but these are the most common things required to start up.

Please also see:
PERMISSION_DENIED
http://www.flicks.com/ASPMail/faq.htm#CREATEOBJ
http://www.flicks.com/ASPMail/faq.htm#CANNOT_CREATE
http://www.flicks.com/fbeta/q_and_a.htm#CCONTEXT

Q. IIS4 filter installation problems

A. From version 5.1 and above, successful installation is as easy as it could possibly be, including automatic installation of the filter, and popping up the AuthentiX main dialog, which now has a confirmation message indicating the successful installation of the filter.

If you have any previous versions of the software (AuthentiX or WebQuota) uninstall it from the control panel (Services - Add/Remove programs). Your data files (*.adb) will be preserved.

Run setup.exe.

Note - if you have disabled the 16-bit Windows subsystem, InstallShield won't even load, let alone work properly. You will get no error messages, nothing. Re-enable the 16-bit Windows subsystem. Turn it off afterwards if you need to.
See also here.

Now follow the beginner's step by step to protect directories.

For versions prior to this, or if the automated installation runs into problems, please refer to the following:

Make sure you followed the installation instructions you saw when you installed the software.
Here they are again for your reference.

Go to the Microsoft Management Console for IIS.
Click on the item with your machine name.
Right click on it and select Properties.
Click on edit and select the ISAPI Filters tab.
Click on add and type in
Membership Protection Software
in the filter name field.
Click the browse button and select the filter
authxflt.dll
in the installation directory
If it does not appear, Explorer/View/Options "Hide System Files" is checked, so you'll have to type in authxflt.dll by hand.
Press OK until you return to the ISAPI filters tab.

The filter should now be installed.
If the filter's priority is unknown (it will be at first),
Apply and OK all changes until you have exited the
Microsoft Management Console.
Then stop IIS Admin Service (IIS4/5 and above) or World Wide Web
Publishing Service (IIS3) from the Control-Panel/Services and restart.
Return to the ISAPI filters tab again.

Are you sure you are installing the filter at the machine level (in the MMC tree) and not on a sub-web? And then checking the same place? If you see
An attempt was made to load filter 'C:\Program Files\Flicks Software\AuthentiX\AuthXflt.dll' on a server instance but it requires the SF_NOTIFY_READ_RAW_DATA filter notification so it must be loaded as a global filter.
in the Event Log then you are trying to load the filter on the default website, or a sub-web. You need to load it at the machine level per the instructions above.

In the application event log, when you start IIS, there should be a message containing "Successfully Loaded Configuration Data", and another containing "AuthentiX Started". If they are not there, then the filter is not installed properly.
Try stopping and restarting the IIS Admin Service (IIS4/5 and above) or World Wide Web Publishing Service (IIS3) from the control panel. Stopping IIS 4 from the Microsoft Management Console (MMC) has virtually no effect. Be sure to stop and restart from the CONTROL PANEL. If that doesn't work, try a reboot (this can make the difference!).

Permissions

To first make sure that permissions are not an issue in the correct operation of the software, make sure IUSR_machineName and IWAM_machineName have full access to the Flicks installation directory and the system32 directory. If this does not work, grant Full Access to Everyone for the Flicks installation directory, and all subdirectories and files. You may wish to experiment with reducing the amount of access granted to these directories, in accordance with any security policy. Likely you will need at least write access to the Flicks installation directory, so that the ASP based remote Administration can update its configuration files held there. Also you will definitely need at least read permission on system32!
The software needs Users Group to have at least Read permission on all folders down from the root.

If you are still having problems see here.

Protecting by Referrer and very large Adobe pdf files.

It seems that IE trying to open the file within browser app space is the culprit. Changing Adobe preferences to not load PDF files in the browser corrects this so we'll go that route for now.

Q. If I am using an ODBC database (say SQL Server), is the remote administration module and properties of the OCX useless to add and remove users from an ODBC database?

A. Not completely useless. There is the ability to add/search/remove users etc from an ODBC database, BUT ONLY if you are using a Standard Select Statement, and ONLY if your database has no other fields that AuthentiX doesn't know about. (See aspAdmin/default.asp, click on "Access List", click on "ODBC Users").

For example if your customer record has a zip code field which is a required field, there is no way AuthentiX can know about this, and so adding/modifying the record will fail. You will have to create your own ADO/ASP code, but you can still use the samples in the aspAdmin/ODBC as a starter sample.

The software will still validate users in your database regardless of their format so long as they have a field for the username and a field for the password somewhere.

Q. Finally! SQL server and the 255 character limit resolved. 5/15/01

A.

Justin James tells us:

I found the solution for the SQL Server 255 character limit when using ocxQmail directly from within a SQL stored procedure. Your "Another SQL Example" sample already has the solution but it does not appear that it is known that it is there. The solution is to pass the body of the message into the stored procedure as a text data type instead of declaring a local varchar data type variable greater than 255 characters.

See also ocxQmail SQL

Q. HTTP/1.0 403 Access Forbidden.

A. You might encounter this in trying to set up the software. This is a message from IIS saying that there is no default file in the directory you are looking at, AND you do not have directory browsing enabled. While you are setting up new web directories, it is often easier to enable directory browsing, just in case you mistype the default file when you are saving for example.

Q. I've moved on from the Standard and Custom ODBC Select statement and I am in the process of setting up with the "Advanced" ODBC string. Tell me more about this.
A. While the Standard and Custom options are useful to get AuthentiX working quickly and easily, the Advanced option is useful for database experts who want complete flexibility and power.

When you use the "Use string to validate (empty rowset indicates failure)" option, a simple macro substitution is made at run time, replacing macros such as $USERNAME$ with their runtime values. Then the statement is executed using the ODBC SQLExecDirect call. Make sure the statement you use makes sense to the ODBC driver and database you are using. If the call results in an empty rowset, access is denied; otherwise access is granted, and the username and password combination is stored in the AuthentiX ODBC username/password cache.

The other two Advanced options ("Use Standard Select to validate, execute ODBC string on success." and "Use Custom Select to validate, execute ODBC string on success.") only call the Advanced ODBC string if validation succeeds. This can be useful if you want to log successful logins, for example. In this case the $VERIFY$ macro substitution indicates whether this is an initial login, or a verification against the database, in accordance with the operation of the ODBC cache.

Here is an example string:

EXEC sp_Login '$USERNAME$', 
	'$PASSWORD$', '$IPADDRESS$', 
	'$USERAGENT$', '$VERIFY$'
And another, used in the SQL sample below
EXEC sp_Login '$USERNAME$', 
	'$PASSWORD$', 'c:\inetpub\wwwroot\members'

Here is an example SQL Stored procedure:

CREATE PROCEDURE VerifyUser
  @UserName VarChar(50), /* THIS IS THE USERNAME PARAMETER */
  @Password VarChar(15), /* THIS IS THE PASSWORD PARAMETER */
  @DirName VarChar(50) /* THIS IS THE DIRECTORY NAME PARAMETER */
AS
  /* THIS SELECT RETURNS A NON-EMPTY RESULTSET IF */
  /*  THE USER IS A MEMBER OF A GROUP THAT HAS ACCESS TO THE */
  /*  REQUESTED DIRECTORY AND IF THE USER HAS A VALID PASSWORD */
  SELECT @UserName, @Password, @DirName FROM 
    WebUsers w, UserRelations u,  GroupRelations g, GroupDirs d
    WHERE w.UserName=@UserName
    AND w.Password = @Password
    AND w.UserID = u.UserID
    AND u.GroupID = g.GroupID
    AND g.DirID = d.DirID  
    AND d.DirName =@DirName
Also, "Alexandre Volpim" (volpim@camerasurf.com.br) shows us how to create a stored procedure with multiple selects.
set nocount on
declare @loginCheck varchar(100)

select @loginCheck=login from clients where login=@login and
password=@password
if (@loginCheck<>'')
begin
    insert into log (login,date) values (@loginCheck,getdate())
end
select * from clientes where login=@loginCheck

The result of this stored procedure will be the result of the last Select because all other statements (select and insert) don't return data. This SP is not useful, but my idea is to transform the IP of the form xxx.xxx.xxx.xxx to an int before the select statement. The code to transform the IP didn't return data, but the SP doesn't work. Actually I call another SP (valIP) in the authentication SP:
CREATE PROCEDURE valIP

@ip char(15),
@resultado numeric(15) output
AS

DECLARE
@octeto int,
@pos int,
@posant int,
@contador int,
@valor numeric(15)

select @posant=1
select @valor=0
select @contador=0
select @pos=CHARINDEX('.',@ip)
while (@pos<>0)
begin
  select @octeto=SUBSTRING(@ip,@posant,@pos-@posant)
  select @valor=@octeto+@valor*256
  select @contador=@contador+1
  select @posant=@pos+1
  select @pos=CHARINDEX('.',@ip,@posant)

end
select @octeto=SUBSTRING(@ip,@posant,Len(@ip)-@posant+1)
select @valor=@octeto+@valor*256

select @resultado=@valor
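
The run-time macro substitution described in this answer, modelled as an added example (Python, not Flicks code). It assumes plain textual replacement, since the page does not say whether AuthentiX escapes substituted values, and it uses an in-memory SQLite table and a SELECT in place of ODBC and sp_Login. It shows why a value containing a single quote must have its quotes doubled before it is placed inside the '...' literals of the string.

```python
import re
import sqlite3

# Constructed validation string in the style of the FAQ's Advanced ODBC string.
TEMPLATE = ("SELECT UserName FROM WebUsers "
            "WHERE UserName = '$USERNAME$' AND Password = '$PASSWORD$'")

MACRO = re.compile(r"\$([A-Z]+)\$")


def expand(template, values, escape=True):
    """Replace $NAME$ macros with run-time values (assumed behaviour).

    With escape=True every single quote in a value is doubled, which is how
    SQL represents a quote inside a '...' literal. An unknown macro name
    raises KeyError rather than being passed through to the database.
    """
    def repl(match):
        value = str(values[match.group(1)])
        return value.replace("'", "''") if escape else value
    return MACRO.sub(repl, template)


def validate(conn, template, values, escape=True):
    """Execute the expanded statement; an empty rowset or an error denies."""
    statement = expand(template, values, escape)
    try:
        row = conn.execute(statement).fetchone()
    except sqlite3.Error:
        # A malformed statement must never be treated as a successful login.
        return False
    return row is not None


def make_db():
    """Constructed sample data: two users, one with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE WebUsers (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO WebUsers VALUES (?, ?)",
                     [("pete", "petepete"), ("O'Brien", "s3cret")])
    return conn


if __name__ == "__main__":
    db = make_db()
    user = {"USERNAME": "O'Brien", "PASSWORD": "s3cret"}
    print(expand(TEMPLATE, user, escape=False))   # quote ends the literal early
    print(validate(db, TEMPLATE, user, escape=False))
    print(expand(TEMPLATE, user))                 # quote doubled, literal intact
    print(validate(db, TEMPLATE, user))
```

Testing your own validation string with a username such as O'Brien is a quick way to see which of the two behaviours your setup has.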

Q. I've tried everything. The Test button works fine, I've set all the optional switches, it's a system DSN, I have permission to access the database from IIS, I've read and tried everything else in the FAQ, what else can I do to find out what is going on?
A.

It is often useful to enable ODBC tracing. In the Control Panel, double click the ODBC icon, and select the Tracing Tab. Select the options you need to enable tracing.

If you are using SQL Server, you can use the Profiler to examine the incoming requests to the database. Other databases should have a similar diagnostic tool.

As a last resort, there is a debug mode that you can enable as follows: In

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
create a value called MARIO, of type DWORD, and set it to be 1. Stop and restart IIS Admin Service (IIS4/5 and above) or World Wide Web Publishing Service (IIS3) from the control panel.
Restart WMS if you are using VideoQuota.
When it fails, check the application event log. You should see various extra entries, and they should say things like this:
The description for Event ID ( 0 ) in Source ( MARIO Debug1 ) could not be found. It contains the following insertion string(s): 1 rows, password from db is: *petepete* password supplied is: *petepete.

Inspect all the values and output generated; they should give extra clues as to what is going on. As the sample entry shows, this debug output writes both the stored and the supplied password to the event log in clear text.

If it says 0 rows, then likely the connection to the db is failing.

For more detailed messages, set MARIO to be 2.
For really detailed messages, set MARIO to be 3.

Note 1: In some circumstances, turning on the Options/Passwords checkboxes can leave encoding/encryption on, even when the checkboxes are subsequently turned off.
This will have the effect of no usernames/passwords ever being able to log in, even though the Test button succeeds.
Using regedt32.exe, in the AuthentiXConfig registry area mentioned above, make sure there are no keys containing "EncryptDLL" - if there are, delete them, and reboot.

Note 2: If you ordered the software "By IP Address" and you change the IP address, ODBC access will stop working. Running the application will show "Trial Expired". The application log event will have an entry saying "Trying to ODBC lookup, but trial expired". See "Delivery Method" on the product order page, where it says: "I understand if the IP changes I will have to upgrade."

Q. Browser Based Remote Administration

A.
Also see here.

Copy the entire aspAdmin installation subdirectory from the installation directory to a script enabled directory under your web root. Use a browser to go to this directory (via IIS, not via the file system) and remotely administer via html and asp.

You may wish to rename the directory, so that malicious people will not immediately guess where it is.

Be sure to set up protection for this directory. Click on the link "Administrator Settings", which will indicate whether the current directory is protected, and offers a single button to set up AuthentiX protection for that directory.

There are other ways to protect the directory, for example "By Referrer", which can be used in combination.
In addition the Operating System allows you to protect with NT protection, and/or combine any of these methods with SSL.

Apply the level of protection that you feel is appropriate.
Definitely do not announce to the world the location of this directory and leave it unprotected! (Do I even need to say this?)

Make sure the Application protection level is set to Low (IIS Process) (IIS5 and above), or NOT "running in its own application space" (IIS4).

For IIS6 and above it should run fine as is. You can run it in its own application space.

For IIS6 and above make sure Active Server Pages (ASP) is enabled:
In IIS Manager, expand the local computer, and then click Web Service Extensions.
In the details pane, click Active Server Pages, and then click Allow.

AuthentiX ISP Only:

Copy the entire aspAdminISP installation subdirectory from the installation directory to a script enabled directory under your customer's web root. Use a browser to go to this directory (via IIS, not via the file system) and remotely administer via html and asp.

You may wish to rename the directory, so that malicious people will not immediately guess where it is.

Be sure to set up protection for this directory. Click on the link "Administrator Settings", which will indicate whether the current directory is protected, and offers a single button to set up AuthentiX protection for that directory.

There are other ways to protect the directory, for example "By Referrer", which can be used in combination.
In addition the Operating System allows you to protect with NT protection, and/or combine any of these methods with SSL.

Apply the level of protection that you feel is appropriate.
Definitely do not announce to the world the location of this directory and leave it unprotected! (Do I even need to say this?)

If you are setting up remote administration for an Administrator by host-header, go to the incl.asp file in aspAdminISP directory you have just copied and uncomment the line with
protectedDomain = "hostheader.com"
Change the value to be the appropriate host-header name.
10/6/03: You need to enable the host-header for protection, then restart IIS for the filter to read in the new host-header information.

If you are setting up remote administration for an Administrator by directory:
First add a new administrator from the main AuthentiX ISP dialog ("Add"). Check the option button for "Directory Based Administrator" and enter appropriate values in the text-boxes.

Then go to the incl.asp file in aspAdminISP directory you have just copied and uncomment the line with
protectedDomain = "hostheader.com"
change it to:
protectedDomain = "Dir1"
Change the value to be the unique descriptive name (UDN) you entered in the Add/Edit Administrator dialog (here it is Dir1, but enter whatever you set the UDN to be).

If you set this administrator's password, be sure to set the password in the incl.asp line here: auth.SetVirtualDomainPassword("adminPassword")

For superUser administration (allowing you to create host-header administrators remotely), copy the entire aspSuperUser installation subdirectory from the installation directory to a script enabled directory under your own web root. Use a browser to go to this directory (via IIS, not via the file system).

Set the password
auth.SetSuperUserPassword("superUserpassword")
in the incl.asp file to match the password you set in the Options/ISP AuthentiX dialog at the console.

Also see here , and here

I want to encrypt and decrypt the cookie, to get the current username and other information.

Please see
http://www.flicks.com/authentix/CookieCurrentUserName.htm
for per-directory cookies,
and
http://www.flicks.com/authentix/cookieSWValue.htm
http://www.flicks.com/authentix/cookieSWValue.htm#CONFUSION_ALERT
for site-wide cookies.

Q. Can Authentix be used to track users before they have logged in, for example for a shopping cart?

A.

One of the directory option tabs is titled "P&M", short for Personalization and Membership.

This allows you to have AuthentiX automatically set a unique cookie for each visitor (they must have cookies enabled).

The dialog says:

"Create a unique personalization cookie value for new visitors (AXUNIQID)."

"Use this setting on your root web directory, and turn off all other protections on this directory. Then use the value of this unique cookie as a unique key for your database of personal profiles."

No ASP files are required for this functionality, although you will probably need an ASP file to process the user when s/he decides to login!

Q. I'm using cookie-based login, and I have set the cookie to timeout after 10 minutes in the Windows GUI. However it never seems to timeout like I want it to!

A.

For IIS5 only: In the MMC/IIS Properties for the website, under the Home-Directory tab, make sure that Application Protection is set to Low ("in the IIS process") and is not Pooled or Isolated.

For IIS6, please let us know if you experience this problem.

Q. I've set up cookie protection for a directory, but when I browse to it, my web browser just goes crazy, in some kind of infinite loop!

A.

You will create an infinite loop of redirection if you accidentally protect the directory containing the login.asp scripts.

In the Basic/Cookie tab, Cookies: Configure button, make sure the Login Page, Failed Login Page and the Timeout Page (if enabled) are not in the directory you are protecting. Double check this.

Q. I want to protect an entire website with cookies, but I cannot get to the login page in that website!

A.

You will need to override the AuthentiX protection on both the login form, and the script which accepts the POST from the login form.

Protect both of these files individually, then turn off "By Internal DB" protection for them. This will override the protection for these files and you will be able to access them to login.

Q. Could you please tell me if in AuthentiX the option "Call On Every Request" ("By COM" option) should work? I am successfully using a component to authenticate, however I want it to check (for now) every page request. This doesn't seem to work. I even added a DisableODBCCache Reg_DWORD in the registry, using regedt32.exe, and set its value to 1.

I still am only asked for my user name/password when I initially request a page in the secured directory. If I type a different page into the Address box on my browser, I am let in without another prompt. Please explain if I am missing something.

A. Turn off http keep-alives (http 1.1) first on the server, this should do it. (Then on the browser). With keep-alives, a single connection serves multiple files.

Q. How do I get cookie-failover to work, so that if cookies are disabled, they will be prompted for Basic Authentication?
A.

Select cookies on the Basic/Cookie tab, and set up as usual.

Then select Basic Authentication, and set that up, checking the Cookie-failover checkbox.
Be sure to leave Basic Authentication enabled.

Q. With Cookie based protection, I've protected a directory //servername/dirname, however when I go to //servername/dirname it prompts for a password even though I have got in successfully to //servername/dirname/ (with the slash included).
A.

In your equivalent of loginNow.asp, set the protectedDirectory to be protectedDirectory = "/asp/ACookieLogin/example2/members" instead of protectedDirectory = "/asp/ACookieLogin/example2/members/"

Q. I am using IIS4/5 (and above), and a virtual web site in its own memory space. I am getting the error reason=denied_cookie_timed_out, even if I am using Basic Authentication!
A.

Running the web site in its own virtual memory space is causing this problem. Switch this off.

Separate memory space for web-applications should be restricted to development phase only.

Q. During installation, I get an error regarding the Virtual Device Driver. It gives an option to Quit, or Ignore.
A.

Ignoring this error lets the install continue, without problems. I believe it is related to another vendor's previous Installshield install, which did not clean up properly after itself. Microsoft also has exactly this: http://support.microsoft.com/support/kb/articles/Q254/9/14.ASP

Q. I notice that once authenticated, I am able to view any directory - even those which I do not have permission to view. How do I fix this?
A.

Create a setting in the registry, using regedt32.exe:
HKEY_LOCAL_MACHINE
/Software
/Flicks Software
/AuthentiX
/1.0
/AuthentiXConfig


of type REG_DWORD with the name "optimizeAuthSteps" (without the quotes), and make its value 0. Restart IISAdmin.

Q. I am using AuthentiX/WebQuota ISP, however I cannot get into any of my websites when AuthentiX is installed. I turned on the Option to "Show reason in Access Denied message", and I get DENIED_INVALID_3b

A. This message means "cannot find serverhome". When you run the AuthentiX windows GUI, make sure the full list of your machine's IP addresses comes up. Make sure you are using static IP addresses, not DHCP. With IIS4/5 (and above) make sure that the IISAdmin is running. Make sure the filter is loaded at the machine level and not on a sub-web.

Also see here.

Q. ODBC Case Insensitive passwords: I use Access as a database, and the username lookup is case insensitive which I like. How do I get the password to be case insensitive too?

A. Go to the Options/ODBC dialog and unset the Case Sensitive checkbox.

Also, this is an interesting MSSQL statement which may be of assistance:

SELECT * FROM PHONE WHERE {fn UCASE(LAST)} LIKE 'URWILER%'

Q. I want to change the dialog box the user sees when logging in using Basic Authentication. Where in AuthentiX do I set this up?

A.

The login dialog box presented to the user is part of the browser. The only way to change it is to modify the browser source code. AuthentiX cannot change it at all. You can however modify the realm and the message the user sees when the login fails.

If you need to control exactly what the user sees when logging in, then change to protection by cookie, and create an html form that suits.

Q. Basic Authentication: can I set the username and password on the browser, so the user does not have to see the popup login dialog?

A.

Unfortunately not, the protocol does not allow a server to directly modify a browser's cache. Instead use cookie based login.

Q. I am concerned about encryption/encoding. Does AuthentiX encrypt passwords with Basic Authentication? How about with cookie-based AuthentiX authentication?

A.

Basic Authentication uses Base64 encoding to encode the username and password between the browser and the server. Adequate for most purposes, Base64 encoding can be enhanced to become very secure if you use it in combination with SSL.

If you are concerned about encoding/encrypting the passwords in the internal or ODBC database, then you can use the Options/Password dialog to set an encoder/encrypter dll. The software comes with Base64 encoding dll, or you can build your own.

With cookies, there are now two AuthentiX flavors, one using http://www.flicks.com/authentix/CookieLoginValue.htm which encodes the cookies (proprietary encoding loosely built on base64) and one using http://www.flicks.com/authentix/cookieSWValue.htm which uses MD5 hashing so the password can in theory never be cracked.
Note that using a form to login (as is done with cookies) means that the username and password will be passed to the server once only in the form POST. Although this is in clear text, the chances of interception are very small. However, if this is still a concern, put just the login page and ASP script under SSL, thus securely protecting the clear-text posted data, then redirect to non-SSL pages. Browsers should pass a cookie from SSL pages to non-SSL on the same site (note that the reverse is not always true).

With any of these methods using SSL (https) will add a level of encryption which is virtually unbreakable.
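
Base64 needs no key to reverse, which is why this answer pairs Basic Authentication with SSL. The following added example (Python, not part of AuthentiX; the credentials are constructed sample values) builds an Authorization header and parses it back, including the malformed cases a server has to reject.

```python
import base64
import binascii


def encode_basic(username, password):
    """Build the header value a browser sends for Basic Authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header_value):
    """Return (username, password) from an Authorization header value.

    Returns None when the value is not a well-formed Basic credential.
    No secret is needed: anyone who can read the header can do the same.
    """
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    # The scheme name is case-insensitive; the token must be present.
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields, so a password may
    # itself contain colons while a username may not.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


if __name__ == "__main__":
    header = encode_basic("pete", "petepete")     # constructed credentials
    print(header)
    print(parse_basic(header))
    print(parse_basic("basic " + header.split(" ")[1]))
    print(parse_basic("Basic not*base64"))
```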

Q. I'm using cookie-based login. A user bookmarks a page, then the following week she returns to it and is sent to the login page. Now I want to redirect her to her original bookmarked page.

A. When they try to go to the bookmarked page and the login page comes up, the URL should look something like this:
https://www.flicks.com/?reason=denied_cookie_timed_out&script_name=/secure/scripts/acookielogin/members/authentix.GIF
Grab the script_name out of the QueryString, pass it on to loginnow.asp, and redirect to the script_name in loginnow.asp.

If there are parameters (e.g. protectedfile.htm?x=1&t=2) then these will be passed to the login page too (at least with 5.3 and above).
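
Because script_name arrives in the query string, the login script should confirm that it names a path inside the protected area before redirecting to it. The checks are shown here as an added Python example (not Flicks code) so that it runs stand-alone; the function name, the protected prefix argument and the percent-encoded form of the parameters are assumptions, and the same tests would be applied in loginnow.asp.

```python
from urllib.parse import parse_qs, urlsplit


def safe_return_path(login_url, protected_prefix, default="/"):
    """Return script_name from login_url if it is a local path under
    protected_prefix; otherwise return default."""
    query = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    values = query.get("script_name", [])
    if len(values) != 1:                      # missing or repeated parameter
        return default
    target = values[0]

    # Control characters and backslashes have no place in a return path;
    # some servers and browsers treat a backslash as a forward slash.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    if "\\" in target:
        return default

    # Must be an absolute path on this site: one leading slash only,
    # no scheme and no host part.
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default

    # No relative segments, and nothing still percent-encoded after the
    # single decode that parse_qs performed.
    if "%" in parts.path:
        return default
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return default

    # IIS paths are case-insensitive, so compare case-folded.
    prefix = protected_prefix.rstrip("/").casefold()
    path = parts.path.casefold()
    if path != prefix and not path.startswith(prefix + "/"):
        return default
    return target


if __name__ == "__main__":
    # URL taken from the FAQ answer above.
    url = ("https://www.flicks.com/?reason=denied_cookie_timed_out"
           "&script_name=/secure/scripts/acookielogin/members/authentix.GIF")
    print(safe_return_path(url, "/secure/scripts/acookielogin/members"))
```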

Q. How do I get the user's name and password from within a C++ ISAPI DLL?

A. Assuming you are using Visual C, bring up the class-wizard (Ctrl-W),
Click on Add Class/From a Type library,
Select authxocx.ocx
Click OK.

then call CurrentUserName

Don't forget to put

HRESULT hresult = OleInitialize(NULL);
AfxEnableControlContainer();
_DAuthXOCX AuthX;
AuthX.CreateDispatch("AUTHXOCX.AuthXOCXCtrl.1");

// AuthX.CreateDispatch("AUTHXISP.AuthXOCXCtrl.1"); 


in your code before you call the OCX.

Your cgi should have HTTP_AUTHORIZATION passed to it, so be sure to read the docs on CurrentUserName carefully.

The correct place to put the CoInitialize in an ISAPI extension is in GetExtensionVersion, and CoUninitialize should go in TerminateExtension (so they only get called once).

Q. I am trying to use server.MapPath on an AuthentiX protected directory but I cannot get it to work!

A. I have run up against this problem with mappath also. I use this to get around it:


PROTECTED_SUBDIRECTORY = "members"
fakeOutMapper = "nuuh9x8820zz9s9332098" 
' needed because MapPath seems to actually fetch the mapped directory!
protectedAbsPath = server.MapPath(PROTECTED_SUBDIRECTORY & fakeOutMapper)
protectedAbsPath = Left(protectedAbsPath, _
    InStrRev(protectedAbsPath, fakeOutMapper) - 1) ' remove fakeout

Q. ASP 0115 a Trappable Error Has Occurred

A. http://support.microsoft.com/support/kb/articles/Q194/1/90.ASP

Q. In the event log, I am getting Failed to Create/Open File (1): filename.

A. In one of the directories you are protecting with Basic Authentication, you have specified to get the access denied message from a text file. This file either does not exist, or cannot be opened because of its NTFS permissions.

Make sure you specify a text file that exists and that IIS can access.

Q. In the event log, I am getting Accept raw header overflow.

A. This means that the HTTP header (which is the part of an HTTP request that comes before the content of the request) is more than 4k in length. Conventionally, URLs are less than 2k in length.

So long as the username/password credentials are in the first 4k (which is always the case) then the AuthentiX filter will be able to validate and accept the user.

This overflow can usually only happen if you are using a "GET" to post a form, in which case all the form fields are put into the URL after the "?" as the query part of the URL.

It is better to use the "POST" method for submitting forms, in which case the form fields come after the header part, and won't overflow the header.

Version 5.2c and above outputs the offending request in the Event Log, to better help you track down the problem.

Potentially, this message indicates a cracking attack on your server. You may find that the server crashes shortly after such an attack. Check your service packs. :-(

Some upload programs can cause this error. Turning off "HTTP Keep-Alives" can resolve this issue in this case.

Q. In the event log, I am getting "(!m_directory.IsEmpty())", "(!m_codeName.IsEmpty()", or "AXISP (7726725) error, directory not set"

A.

AuthentiX Standard

Some operations using the AuthentiX COM component are not specifying the protected directory first.

AuthentiX ISP
Some operations using the AuthentiX COM component are not specifying the ipaddress of the administrator first:

protectedDomain = Request.ServerVariables("LOCAL_ADDR")
auth.SetVirtualDomain protectedDomain, Request.ServerVariables("SCRIPT_NAME")

Check which asp files are causing the problem and add the appropriate lines as above. If the problem is occurring in script files supplied by us, please let us know and we will address the issue.

See also SetVirtualDomain.

Q. When I login, all my ASP session variables seem to disappear!

A. If the protected directory is in a different ASP "application" than the non-protected directory, then ASP session variables will be lost. If you want to keep the session variables between the non-protected and protected areas, then make sure they are both in the same ASP "application". Consult your Microsoft documentation for more details.

Q. In the Application Event Log, I keep getting messages like "Successfully Loaded Configuration Data". What's wrong?

A. Nothing's wrong, this is just information from AuthentiX.

If you see:

Authentix Wrap The description for Event ID ( 0 ) in Source ( Authentix:Wrap ) could not be found. It contains the following insertion string(s): Successfully Loaded Configuration Data.

This means that AuthentiX has Successfully Loaded Configuration Data.

AuthentiX The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be found. It contains the following insertion string(s): AuthentiX Started.

This means that AuthentiX has Started.

AuthentiX The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be found. It contains the following insertion string(s): AuthentiX Finished.

This means that AuthentiX has Finished.

By the way, if you need to telephone tech-support with an unusual Event Log message, you don't need to read out "The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be found. It contains the following insertion string(s):".
Just the information after the colon will suffice.
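The advice above as an added example (not Flicks Software code): a Python sketch that strips the Event Viewer wrapper from exported descriptions and sorts the messages this FAQ explains into informational and actionable. The function names, the level labels and the sample lines marked as constructed are assumptions made for the illustration.

```python
import re
from collections import Counter

# Wrapper Event Viewer adds when no message file is registered for the source.
_WRAPPER = re.compile(
    r"The description for Event ID \(\s*\d+\s*\) in Source \(\s*(?P<source>[^)]*?)\s*\)\s+"
    r"could not be found\.\s*It contains the following insertion string\(s\):\s*"
    r"(?P<message>.*)",
    re.IGNORECASE | re.DOTALL,
)

# Messages this FAQ describes as purely informational.
INFORMATIONAL = (
    "successfully loaded configuration data",
    "authentix started",
    "authentix finished",
)

# Messages this FAQ explains as needing action, with the FAQ's own explanation.
ACTIONABLE = {
    "directory not set": "A COM call ran before the protected directory or virtual domain was set",
    "m_directory.isempty": "A COM call ran before the protected directory or virtual domain was set",
    "m_codename.isempty": "A COM call ran before the protected directory or virtual domain was set",
    "saveloadmutexlock failed": "Simultaneous internal-database updates; a new user may not have been added",
    "no g_pserver": "Global memory pointer missing; reboot if VideoQuota is misbehaving",
}


def unwrap(description):
    """Return (source, message); source is None when there is no wrapper."""
    match = _WRAPPER.search(description)
    if match is None:
        return None, description.strip()
    return match.group("source"), match.group("message").strip().rstrip(".")


def triage(description):
    """Classify one event description as 'info', 'action' or 'review'."""
    source, message = unwrap(description)
    lowered = message.lower()
    if any(text in lowered for text in INFORMATIONAL):
        return {"source": source, "message": message, "level": "info",
                "hint": "No action needed"}
    for needle, hint in ACTIONABLE.items():
        if needle in lowered:
            return {"source": source, "message": message, "level": "action",
                    "hint": hint}
    return {"source": source, "message": message, "level": "review",
            "hint": "Not covered here; quote the message to support"}


def summarize(descriptions):
    """Count levels and return the entries that are not informational."""
    results = [triage(d) for d in descriptions]
    counts = Counter(r["level"] for r in results)
    follow_up = [r for r in results if r["level"] != "info"]
    return counts, follow_up


SAMPLE_DESCRIPTIONS = [
    # The three descriptions quoted in this FAQ entry.
    "Authentix Wrap The description for Event ID ( 0 ) in Source ( Authentix:Wrap ) "
    "could not be found. It contains the following insertion string(s): "
    "Successfully Loaded Configuration Data.",
    "AuthentiX The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be "
    "found. It contains the following insertion string(s): AuthentiX Started.",
    "AuthentiX The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be "
    "found. It contains the following insertion string(s): AuthentiX Finished.",
    # Constructed: a message from another FAQ entry placed in the same wrapper.
    "AuthentiX The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be "
    "found. It contains the following insertion string(s): saveLoadMutexLock failed.",
    # Message text quoted in another FAQ entry, with no wrapper.
    "AXISP (7726725) error, directory not set",
    # Constructed: a message this FAQ does not explain.
    "AuthentiX The description for Event ID ( 0 ) in Source ( AuthentiX ) could not be "
    "found. It contains the following insertion string(s): Example message not covered.",
]

if __name__ == "__main__":
    counts, follow_up = summarize(SAMPLE_DESCRIPTIONS)
    print(dict(counts))
    for entry in follow_up:
        print(entry["level"], "|", entry["message"], "|", entry["hint"])
```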

Back to the top of the FAQ

Q. How to protect a directory that is specified via UNC like this:
\\theweb\$d\inetpub\wwwroot

A. david.hart@nscorp.net tells us:

We got Authentix to work by making our drive mappings in IIS and Authentix exactly the same. For example, here was our situation..

IIS Map: \\web1\$d\inetpub\wwwroot
Auth Map: \\web1\d - web1\inetpub\wwwroot

We changed the IIS Map to match the Auth maps. Works great.

Hope this helps.
Thanks,
Dave

Kev's note: Generally, UNC's like this:
\\sql1\puresafety\inetpub\wwwroot\clients\d4\
work fine. Perhaps David was having some special issues.

Back to the top of the FAQ

Q. I am getting "Invalid License (Code4)!, The software has not been installed correctly. Invalid license (Code5)!"

A. Take a look at the registry, using regedt32.exe, and check that it is readable and ok: HKEY_LOCAL_MACHINE /Software /Flicks Software /AuthentiX /1.0 /AuthentiXConfig

If it is greyed out, then reboot. This will solve the problem.

Then run AuthentiX and look in the About Box. Send us your serial number and version of the software, with a description of the problem. support@flicks.com

Back to the top of the FAQ

Q.

I recently purchased and installed a copy of AuthentIX for our departmental Win2K/IIS server. The installation went fine, but I'm having trouble making the authentication via the NT database work at all. After I create the "template" file and place it in the appropriate web source directory, I am unable to login via the appropriate NT username and password. I've tried using the "Test" button on the NT tab, and even if I test using my Administrator account and password, the program replies "Unable to login as Administrator" (or something similar).

A.

Open up interactive logins for *everyone* at the domain console.

Allow interactive logins at the domain console, since it's physically located in a secure place. It's *not* the default setup for Windows 2000 though, and it's not an easy setting to find buried in the domain security policy.

If that doesn't solve it, try turning on Security Auditing on the template file, and see which account is trying to access it. I'm pretty sure this is a setup issue, since it normally works fine.

Back to the top of the FAQ

Q. I have two websites that have differently named domains: www.economics101.com and www.economicsToday.com. How do I get a single logon, that permits the browser to go to both domains, but doesn't popup a second login dialog when I go to the second domain?

A. One way to do this is to protect by referrer, with failover. See the dialog here:
http://www.flicks.com/authentix/discover/access/byReferrer.htm
On each domain, protect by referrer in the usual way, allowing referrals from both domains. Check the checkbox saying "If locked out by referrer, authenticate by database, and if not locked out, don't authenticate." and set up the database protections as normal.

This will allow links from one domain to the other, while checking permissions on both.

This will work for two or more domains.

An alternative method (useful if you have different groups with overlapping sets of users permitted to the different domains' protected areas) is the following:

Set the protect by referrer to protect anyone that is referred from the -existing- site, then any links on the other should link with the following:
http://username:password@www.domain.com/members - but see here

Use
http://www.flicks.com/fbeta/q_and_a.htm/TechnicalSupport/who_is_the_current_user.asp
to get the current username and password.

Back to the top of the FAQ

Q. I am using Windows 2000, IIS5, and the log files are not reporting the correct filesize, so that the reported number of bytes sent is incorrect.

A. This is a known problem with IIS5.

The Microsoft internal tracking number is SRX 001017604315

As a workaround, set the following registry entry to be 0 (zero), using regedt32.exe,

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
create a value called SF_NOTIFY_SEND_RAW_DATA, of type DWORD, and set it to be 0. Then restart IISAdmin.

This will have the unfortunate side effect of disabling Kbyte throttling in WebQuota, but until a fix from Microsoft is forthcoming, this is the best that can be done.

Back to the top of the FAQ

Q. I am using AuthentiX ISP, and the IP addresses on my machine don't show up!

A. AuthentiX ISP looks in the registry for:

HKEY_LOCAL_MACHINE 
/System
/CurrentControlSet
/Services
/* 
/Parameters
/Tcpip
/IPAddress

or

HKEY_LOCAL_MACHINE\
SYSTEM\
CurrentControlSet\
Services\
Tcpip\
Parameters\
Interfaces\
{NIC INTERFACE}
\IPAddress

this last is of type REG_MULTI_SZ and contains the list of IP Addresses configured for that network card on the machine.

Using regedt32.exe, if those registry areas do not exist, contain no IP addresses, or do not have correct read permissions for IIS, then the IP addresses will not appear in AuthentiX ISP.

For security reasons, AuthentiX ISP will only allow requests on IP addresses that it knows about.

As a workaround, you can manually create the entries AuthentiX is expecting to see.

Also, this from Bart Verbeek:

If you change the IP addresses in the registry key described above, Authentix does not see them. (Editing this key can be useful if you want to assign multiple IP addresses to a single network controller.)

Workaround:
After changing the IP addresses in the registry key and rebooting the machine, open the network properties --> TCP/IP --> Button Advanced...
Delete one of the new IP addresses, and close all network property sheets. Directly after that, reopen the network properties --> TCP/IP --> Button Advanced... and add the IP address which you deleted a few seconds ago.
Close all network property sheets. Open the Authentix Admin Program, and TADAAH there are your lost IP addresses :)

Thanks Bart!

Back to the top of the FAQ

Q. I am using the Extensibility SDK with a COM object written in Perl for authentication. However I am getting Could not AfxOleInit (2) and RPC_E_CHANGED_MODE in the event log, and I cannot get access with a valid username password.

A. The Win32 implementation of Perl is initialized to COINIT_MULTITHREADED by default. However for robustness and security, the Extensibility SDK calls the COM object on a thread that is COINIT_APARTMENTTHREADED.

If you are using Perl for other applications on the same machine, then they will initialize Perl as multithread and the above conflict will occur.

Set Perl to initialize as COINIT_APARTMENTTHREADED to solve this problem.

Note:
Perl starts out with a dispatch id of 0, which AuthentiX won't accept.
Make a dummy function and the second function will be number 1 - use that one.
You can use OleViewer to find the dispatch id of functions you create.

Another thing to try:
Set HKEY_LOCAL_MACHINE /Software /Flicks Software /AuthentiX /1.0 /AuthentiXConfig / omitoleinit to be 1 and reboot. This skips the OleInit call before calling the COM component.

Back to the top of the FAQ

Q. I would like to use AuthentiX in combination with LDAP, How can I do this?

A. While there is no built-in support for LDAP at the present time (in part because requirements seem to vary so widely), special thanks go out to Jennifer Trotts for this LDAP sample.
Flicks Software presents this as is, with no warranty.

Using the Extensibility SDK helped Jennifer set this up, and can help you set this up for your particular requirements.

Back to the top of the FAQ

Q. Mac client problem with Frames not showing graphics or images?

A. To fix this, place an absolute URL in the page ( <img src="http://whatever.com/images/ha.jpg"> ) and it will then show the graphics and images.

Back to the top of the FAQ

Q. The adb file has been trashed! What happened and how do I fix it???

A. Likely another application or ASP file has opened the file via the OCX and then died, locking out the file. Or perhaps it has been opened by another application directly for writing, thereby locking everyone else out.

To avoid a reboot when restoring your backup copy of the adb file:

Stop IISAdmin (not just IIS), the Windows GUI, and any other software using the product (including the event viewer if you have it open).

Then replace, then restart the services.

See also "SaveLockMuteX Failed"

Back to the top of the FAQ

Q. I am getting saveLoadMutexLock failed in the event log.

A. This means that several updates of the internal database occurred simultaneously and the internal locking mechanism was overloaded and could not complete a task. Probably a new user failed to be added. If this occurs frequently, then you need to move to using a commercial database such as SQL Server. The internal database is intended to help beginners get started easily, and is not supported for tens of thousands of users, or exceptionally heavy load.

Back to the top of the FAQ

Q. I am getting ugly bitstreams in IE, instead of my Word/Excel/otherApp document? Why?

A.

It seems the IE browser likes to cache the content-type for documents. Suppose you request a file from a protected directory, such as myFile.exe, and you are denied for whatever reason (resulting in an HTML 'denied' response). A subsequent successful authenticated request for the same file from the same session is then treated as an HTML response, so the binary streams into the page instead of eliciting the 'Open/Save' dialog.
This is a bug in the browser and should be reported.

Back to the top of the FAQ

Q. PHP sample.

A.

<?php
// Instantiate the AuthentiX COM component (standard edition).
$AuthX = new COM("AUTHXOCX.AuthXOCXCtrl.1");
// $HTTP_SERVER_VARS was removed in PHP 5.4; $_SERVER is its replacement.
$currentUser = $AuthX->CurrentUserName($_SERVER["REMOTE_HOST"],
		$_SERVER["URL"],
		$_SERVER["HTTP_AUTHXAUTHORIZATION"]);

echo $currentUser;
?>

Note, use HTTP_AUTHORIZATION instead of HTTP_AUTHXAUTHORIZATION above, if you are not using the workaround.

AND


<?php
// AuthentiX ISP edition: the second argument is the host name.
$AuthX = new COM("AUTHXISP.AuthXOCXCtrl.1");
$currentUser = $AuthX->CurrentUserName($_SERVER["REMOTE_HOST"],
		$_SERVER["HTTP_HOST"],
		$_SERVER["HTTP_AUTHORIZATION"]);

// Release the COM object and clear the result.
$AuthX->Release();
unset($AuthX);
unset($currentUser);
?>


courtesy Richard Burton - www.atomwide.com

Back to the top of the FAQ

Q. I want the user to be redirected to a sign up page, if they fail to login with Basic Authentication.

A.

In the Basic Authentication "Access Denied Message" area place the following JavaScript code:

<SCRIPT LANGUAGE="JavaScript">
window.location = "http://www.yourdomain.com/signup.htm";
</SCRIPT>
Sign up <br>
<h1><a href="http://www.yourdomain.com/signup.htm">Sign up here</a></h1>

Back to the top of the FAQ

Q. I want the option of using my existing NT or Active Directory Accounts as well.

A.

Sure you can do this. Use the By NT tab dialog. You can do this by creating a "template" file, containing nothing (important). The permissions you set on the file (eg Windows NT "Internet Group") will determine who can access the corresponding folder.
See also here.

Back to the top of the FAQ

Q. ASP and session ids.

A.

What people usually do is merge the AuthentiX cookie-based login with the existing ASP login and not worry about session ids.

Back to the top of the FAQ

Q. How do I use the OCX in other languages such as Cold Fusion, SQL, Visual Basic etc?

A.

Here is a sample using Cold Fusion.

I don't have any examples with AuthentiX for other languages, however for OCXMail there are some examples, for Perl , Visual Basic , ASP , SQL , and this should be a good guide as to how to do it.

Back to the top of the FAQ

Q. I am using the AuthentiX OCX module and I am getting error 50.

A.

Error code 50 indicates that the trial version of the software you are using has expired. You need to purchase a registered version.

Or are you using Windows 2000?

Back to the top of the FAQ

Q. Why is the FAQ in one great huge file?

A.

  • It is easier to print it all out at once.
  • You can use the browser's built-in search ability to quickly find keywords.
  • It is easier to update because it is all in one place.
  • Each of the FAQ items also has its own web page.

Back to the top of the FAQ

Q. Text file: Permission Issues.

A.

If you are having problems authenticating against a text file, check the Application Event Log to see if there are access errors. If so:

The ROOT of the drive that will have the passwordfile.txt files has to have advanced permissions set for the Everyone group. Right click on the drive, security, ADVANCED, add:
Add the Everyone group with the following advanced permissions:
Traverse Folder / Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Apply onto: This Folder Only (drop down box at the top)

Back to the top of the FAQ

Q. I am using files that are played with Real Video and Real Player. When they are protected with AuthentiX and Basic Authentication, Real Player cannot access them!

A. Instead of using the (small) .ram file, link to the (large) .rm file instead

This problem does not occur with Netscape.

Back to the top of the FAQ

Q. I have multiple protected directories and each are subdirectories of each other, ie /paid/, /paid/b/, /paid/c/, /paid/c/d/, etc. They are all separately protected by the same group. When a browser goes straight first to /paid/c/ he is prompted once. Then when going to /paid/b/ he is prompted again for the same username/password! I want him prompted only once!

A. Make sure that all of the protected directories have the exact same Realm. The default Realm is always the same, so it will work as you want unless you have changed the realms to be different on each directory by hand.

Back to the top of the FAQ

Q. I have a "webfarm", of 15 web server machines. I want to have a single location in which to manage my users and groups. How can I protect directories on each machine from a single location?
A. With ODBC, you can manage access to multiple webservers in a web-farm from a single database. Set up each AuthentiX directory you want to protect on each webserver, protect by ODBC and set the DSN to the single remote ODBC server. You can use the "Standard Select", "Custom Select" or "Advanced ODBC" to configure your ODBC SELECT statements.

When you update the directory protections (adding a new directory), then make the changes in both .adb files on both machines. If you make a lot of complex changes, then you can copy the adb file from one machine to another, as here.

Also see here .


Back to the top of the FAQ

Q. I am using the remote admin tool with an ODBC database,
however I am getting 31, ODBC error with statement, error number is: 3704 The operation requested by the application is not allowed if the object is closed.
A. This is likely a permissions issue accessing the database. You need to grant access to the database to the IUSR_MachineName or IWAM_machinename accounts, or modify the login parameters in the DSN string.

Back to the top of the FAQ

Q. Stored procedure example for use with ODBC - Advanced.
A. Here is an example:

EXEC sp_Login '$USERNAME$', '$PASSWORD$' , '$IPADDRESS$'

Also see here.

Back to the top of the FAQ

Q. I'm getting error 1450 in the event log.
A. This means that insufficient resources exist to complete a request. Some versions of NT only allow a program to access a registry key up to 64k times, after which all accesses to the key fail, producing unpredictable results. Microsoft recognises this problem, and recommends rebooting.

Prior to Version 5.1f1, the software checked the registry every minute. For Versions 5.1f1 and above, the software checks registry keys only once. This may mean rebooting when some program options are changed (adding users, protecting directories etc will not be affected - no reboot is required).

There is more information on this problem at the MS website:

I am using Windows NT SP4!

Is the system running short of memory?

I have plenty of memory, however I am running out of Paged-Pool memory

Do you have a large, busy site, with many many files?

I'm repeatedly logging in and out again. I am using "Impersonate User" for access files.

Service pack 6 may address this. (search for 1450).

Back to the top of the FAQ

Q. I'm using Version 5.3f1 and I am getting
>Microsoft VBScript runtime error '800a000d'
>Type mismatch: '[string: ""]'
in the remote admin.

A. This version had a bad build of the ocx component. This version was only available for two weeks in February of 2001. We gave free upgrades for 18 months, however this free offer has now expired. Please upgrade here.

Back to the top of the FAQ

Q. I've got thousands of files, each of which I want to have different permissions. Customers can buy access to any number of these individual files, and this information is stored in an ODBC database. Do I have to individually protect each file with a different SELECT statement, or is there an alternative.

A. Each file or directory that has different access requirements will need its own protection entry. For lots of files, this can be problematic, impracticable, or impossible.

An alternative is to use the Extensibility SDK. One of the parameters is the script name (i.e. the requested file), and you can use this to construct your ODBC statement according to your own database schema. Protect the directory containing the files using the "By COM" tab and refer to the tutorial. Make sure you check the "call on every request" option.

See here also.

Back to the top of the FAQ

Q. Is there a way to check for the script_name, the file requested, in the custom select statement? I can't seem to get it to work?

A. No there is not. There is the risk that you will spend time doing this only to find it does not work properly: the software caches username/passwords on a per-protected directory basis. So if you try and differentiate access on sub-files or sub-directories, once they are in, they are in for them all. Probably not what you want.

See above for an alternative method.
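Why per-file access has to be decided on every request, as an added example that is not part of the original FAQ or of the Extensibility SDK: the first gate checks the user and the requested script name against the database each time, while the second models the per-directory credential caching described above. Python with an in-memory SQLite database stands in for the COM object and the ODBC database; the schema, users, passwords, file names and all function and class names are constructed for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 50_000  # PBKDF2 work factor chosen for this demo


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def normalize(script_name):
    """Windows file names are case-insensitive; store and compare one form."""
    return script_name.replace("\\", "/").lower()


def build_demo_db():
    """Constructed schema and rows: which customer bought which file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        CREATE TABLE purchases (username TEXT, script_name TEXT,
                                PRIMARY KEY (username, script_name));
        """
    )
    demo = {
        "alice": ("alice-pw", ["/paid/report-a.pdf"]),
        "bob": ("bob-pw", ["/paid/report-b.pdf", "/paid/o'neil.pdf"]),
    }
    for user, (password, files) in demo.items():
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, salt, _pw_hash(password, salt)))
        conn.executemany("INSERT INTO purchases VALUES (?, ?)",
                         [(user, normalize(f)) for f in files])
    return conn


def password_ok(conn, username, password):
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _pw_hash(password, row[0]))


def authorize_request(conn, username, password, script_name):
    """Per-request decision: valid credentials AND a purchase of this file.

    The script name comes from the request, so it is bound as a parameter
    and never pasted into the SQL text.
    """
    if not password_ok(conn, username, password):
        return False
    row = conn.execute(
        "SELECT 1 FROM purchases WHERE username = ? AND script_name = ?",
        (username, normalize(script_name)),
    ).fetchone()
    return row is not None


class DirectoryCachedGate:
    """Model of per-directory caching: one success admits every later file."""

    def __init__(self, conn):
        self.conn = conn
        self._seen = set()

    def allow(self, username, password, script_name):
        key = hashlib.sha256("\x00".join((username, password)).encode("utf-8")).digest()
        if key in self._seen:
            return True  # cached: the requested file is no longer consulted
        if authorize_request(self.conn, username, password, script_name):
            self._seen.add(key)
            return True
        return False


def compare_gates():
    """Return (user, file, per_request_result, directory_cached_result) rows."""
    conn = build_demo_db()
    cached = DirectoryCachedGate(conn)
    requests = [
        ("alice", "alice-pw", "/paid/report-a.pdf"),  # bought
        ("alice", "alice-pw", "/paid/report-b.pdf"),  # not bought
        ("bob", "bob-pw", "/PAID/O'Neil.pdf"),        # bought; case and quote differ
        ("bob", "wrong-pw", "/paid/report-b.pdf"),    # bad password
    ]
    return [(user, path,
             authorize_request(conn, user, pw, path),
             cached.allow(user, pw, path))
            for user, pw, path in requests]


if __name__ == "__main__":
    for row in compare_gates():
        print(row)
```

The second row is the case the answer warns about: the per-request check refuses the file that was not bought, while the cached gate lets it through.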

Back to the top of the FAQ

Q. I have a bunch of users in the internal database, and I want to convert to using an SQL database. (Convert to SQL).
A.

You can export the users to a text file
http://www.flicks.com/authentix/discover/group/groupadd.htm
and import this into your db.
Also there is a sample vbs script in the ODBCExport which you could use.

Then proceed to connecting up to your database.

Back to the top of the FAQ

Q. I cannot access any WMS files! I am getting an NSUnicast Error in the application event log, with the message "The Windows Media Unicast Service Plugins encountered a catastrophic failure." in plugin: "VQTrack ErrorCode=0x80040154."
A.

Likely you are missing a file that should previously have been on your system: MSVCP60.DLL (in the system32 directory).

Download the latest MSVCP60.DLL: http://www.flicks.com/mfc/MSVCP60.DLL and save it into your system32 directory.

Then, using a DOS or Command Line prompt, go to the VideoQuota installation directory and type
regsvr32 vqtrack.dll
This should now successfully register the dll.

Then restart WMS Unicast service.

Make sure that you are using the entire URL, and not just links to child directories or files.

For example, you would use "http://www.flicks.com/macintosh.htm" rather than "/macintosh.htm"

Back to the top of the FAQ

Q. How do I change the VideoQuota realm?
A.

With WMS4.1 this needs to be done via the registry, using regedt32.exe. In

HKEY_LOCAL_MACHINE
	/Software
	/Flicks Software
	/AuthentiX
	/1.0
	/AuthentiXConfig
create a value called defaultRealm, of type REG_SZ, and set it to be the string you want.

Then restart WMS.

With WMS9 it works as normal from the Directory protection realm definition.

Back to the top of the FAQ

Q. I want to protect both WMS served video, and IIS served webpages with Basic Authentication, but I only want the user prompted once.
A.

Since IIS and WMS use a different protocol, and different browser/server player/server combinations, the first time they access web pages they will be prompted for password, and the first time they access video, they will be prompted.

You could try VideoQuota protecting by referrer, and only allow referrers from your own website, and see if that works for you. That won't prompt for videos, but still restrict their access.

The latest version of VideoQuota (5/5/08) does allow for single sign-on! Contact us for details...

Back to the top of the FAQ

Q. VideoQuota and protecting By Referrer.
A.

You need to embed the WMP call inside IE, otherwise WMP does not correctly include the REFERER field (bug MS about this?). So instead of a raw link in your ASP file like this:

<a href=mms://yourserver.com/video300.wmv>video300.wmv</a>

Do this:

<OBJECT ID="MediaPlayer" WIDTH=320 HEIGHT=240 classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112"
standby="Loading Microsoft Windows Media Player components..."
type="application/x-oleobject">
<PARAM NAME="FileName" VALUE="mms://yourserver.com/video300.wmv">
<PARAM NAME="ShowControls" VALUE="1">
<PARAM NAME="ShowDisplay" VALUE="1">
<PARAM NAME="ShowStatusBar" VALUE="1">
<PARAM NAME="AutoSize" VALUE="1">
<Embed type="application/x-mplayer2"
pluginspage="http://www.microsoft.com/windows/windowsmedia/download/"
filename="Station1.asx"
src="Station1.asx"
Name=MediaPlayer
ShowControls=1
ShowDisplay=1
ShowStatusBar=1
width=320
height=240>
</embed>
</OBJECT>

Or even better:

<%
On Error Resume Next
' True when the Windows Media Player 7 control can be created
lngMP70 = IsObject(CreateObject("WMPlayer.OCX"))

' Windows Media Player 7 Code
If (lngMP70) Then
response.write "<OBJECT ID=MediaPlayer "
response.write " CLASSID=CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6"
response.write " standby=""Loading Microsoft Windows Media Player components..."" "
response.write " TYPE=""application/x-oleobject"" width=""286"" height=""225"">"
response.write "<PARAM NAME=""url"" VALUE=""mms://0.0.0.0/BBurns/Ballowe_Closingbell.asf"">"
response.write "<PARAM NAME=""AutoStart"" VALUE=""true"">"
response.write "<PARAM NAME=""ShowControls"" VALUE=""1"">"
response.write "<PARAM NAME=""uiMode"" VALUE=""mini"">"
response.write "</OBJECT>"

' Windows Media Player 6.4 Code
Else
response.write "<OBJECT ID=MediaPlayer "
response.write " CLASSID=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
response.write " CODEBASE=http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,5,715"
response.write " standby=""Loading Microsoft Windows Media Player components..."" "
response.write " TYPE=""application/x-oleobject"" width=""286"" height=""225"">"
response.write "<PARAM NAME=""FileName"" VALUE=""mms://0.0.0.0/BBurns/Ballowe_Closingbell.asf"">"
response.write "<PARAM NAME=""AutoStart"" VALUE=""true"">"
response.write "<PARAM NAME=""ShowControls"" VALUE=""1"">"
response.write "</OBJECT>"
End If
response.End
%>

Or to simply embed the video:

<object data="/pdf/copycd.wmv" type="video/x-ms-wmv" 
width="320" height="320">
<param name="ShowStatusBar" value="1">
<param name="src" value="/pdf/copycd.wmv">
<param name="autostart" value="0">
<param name="volume" value="0">
</object>

<p>Press play when media is ready.</p>
NOTE: You can use these as a template for an asp file, passing in the video url you want to embed.

If you know a better way, let me know...

Back to the top of the FAQ

Q. In the Event Log, I have a message that just says "No g_pServer."
A.

This means that a Global Memory Pointer has been deleted, corrupted, or cannot be created.

If you are experiencing problems with VideoQuota operation, reboot. This should fix the problem.


Back to the top of the FAQ

Q. Loading up the AuthentiX COM object in .Net

A. Here is a sample of loading up the AuthentiX COM object in .Net:

Add the following reference to my asp.net project (vb.net):

<Reference
	Name = "AUTHXOCXLib"
	Guid = "{2C3A2917-E7FA-11D0-BC0F-02608CAD9C7D}"
	VersionMajor = "1"
	VersionMinor = "0"
	Lcid = "0"
	WrapperTool = "tlbimp"
/>

then use the AUTHXOCXLib.AuthXOCXClass.

I have got the problem solved perfectly on my local server (!!) by following your instructions:

- Adding the AUTHXOCXLib COM object to the project.

Here's how Microsoft suggests:
In Solution Explorer, right-click References, and then click Add Reference.
Click the COM tab, and then click Browse.
Locate Project1.dll, and then click Open.
On the Add Reference window, click OK.
Instead of locating "Project1.dll" locate "AuthCOM ActiveX Control module" and NOT the "AXSupport ActiveX Control module"

- And using the following lines in my code behind file:

Dim auth As New AUTHXOCXLib.AuthXOCXClass()

Label1.Text = auth.CurrentUserName(Request.ServerVariables("LOCAL_ADDR"), _
Request.ServerVariables("SCRIPT_NAME"), _
Request.ServerVariables("HTTP_AUTHXAUTHORIZATION"))

Note, use HTTP_AUTHORIZATION instead of HTTP_AUTHXAUTHORIZATION above, if you are not using the workaround.

Here is a complete VB .NET project, which uses the AuthentiX COM component in a "code-behind" page. Protect the directory with AuthentiX. The sample calls CurrentUserName from Page_Load.

Download codebehind cb_samp.zip now.

How to call classic ASP COM components from a asp.net page

When using the AuthentiX "Impersonate User" functionality:
In the .NET application file web.config, you MUST put in the tag
<identity impersonate="true" />
under the <system.web>
tag, otherwise .NET impersonates the user ASPNET.
You mustn't put in the user name/password with the identity tag either.
Then everything works as expected.

Back to the top of the FAQ

Q. Example of use in an aspx page

A.

<%@ Page Language="vb" aspcompat="true" %>
<HTML>
<body>
<%
' Late-bound AuthentiX COM component (apartment threaded, hence aspcompat)
dim auth, pathname, result
auth = Server.CreateObject("AUTHXOCX.AuthXOCXCtrl.1")
' The protected directory path must end with a trailing backslash
pathname="c:\inetpub\wwwroot\customer2\"
result = auth.AuthAdd(pathname)
auth.AuthDataAuthentiXDBEnabled(pathname) = False
auth.AuthDataODBCEnabled(pathname) = True
auth.AuthDataCustomSelect(pathname) = 2
auth.AuthDataODBCAdvancedUsage(pathname) = 1
' Sample DSN and credentials; substitute your own
auth.AuthDataODBCConnectString(pathname) =  "DSN=test;uid=test;pwd=test;"
auth.AuthDataODBCAdvancedString(pathname) = "aulogin '$USERNAME$', '$PASSWORD$', 'customer1'"
auth.AuthDataODBCImpersonate(pathname) = False
auth.AuthDataODBCOverrideEnabled(pathname) = False
auth=nothing
response.Write( result)
%>
</body>
</HTML>

Note the use of aspcompat=true in the Page directive. Without this you will get the error: "The component 'AUTHXOCX.AuthXOCXCtrl.1' cannot be created. Apartment threaded components can only be created on pages with an <%@ Page aspcompat=true %> page directive."

Back to the top of the FAQ

Q. Example of use with "code-behind"

A.

Running in .NET code in a "code-behind":

dim pathname as string
dim result as integer
' The protected directory path must end with a trailing backslash
pathname = "d:\customer1\"
Dim auth As New AUTHXOCXLib.AuthXOCXClass()
result = auth.AuthAdd(pathname)
' Flush after adding the directory and again after setting its properties
auth.flush()
auth.AuthDataAuthentiXDBEnabled(pathname) = False
auth.AuthDataODBCEnabled(pathname) = True
auth.AuthDataCustomSelect(pathname) = 2
auth.AuthDataODBCAdvancedUsage(pathname) = 1
' Sample DSN and credentials; substitute your own
auth.AuthDataODBCConnectString(pathname) =  "DSN=test;uid=test;pwd=test;"
auth.AuthDataODBCAdvancedString(pathname) = "aulogin '$USERNAME$', '$PASSWORD$', 'customer1'"
auth.flush()

Be sure that pathname = "d:\customer1\" has a trailing backslash, and be sure to use auth.flush().

Also, see above.

Back to the top of the FAQ

Q. The sample aspx code you provide doesn't work with .NET!!


A.
I am developing this page using Visual Studio.NET

I have tried this with Application Protection set to Low.

I have tried giving permissions to the ASPNET account for the registry HKEY_LOCAL_MACHINE /Software /Flicks Software (ala the Win2k recommended fix)

I have tried giving permissions to the ASPNET account for the directory c:\program files\flicks (ala the Win2k recommended fix)

I have enabled the mutexTrace in the registry. Using your ASP pages to add access, I see these events in the app log.

*********************************


Event Type: Information
Event Source: AuthXocx
Event Category: Flicks
Event ID: 100
Date: 1/24/2003
Time: 12:40:01 PM
User: N/A
Computer: LAPTOP
Description:
Message from: "AX Mutex Trace"
Message:
Global\C:/Program Files/Flicks Software/AuthentiX/authx.adb_KWXB_DOC_MUTEX_KDBPULSE awakened (in CTimerUpdate::InitInstance), called from: OCXModule

Version 5.5j



Event Type: Information
Event Source: AuthXocx
Event Category: Flicks
Event ID: 100
Date: 1/24/2003
Time: 12:40:01 PM
User: N/A
Computer: LAPTOP
Description:
Message from: "AX Mutex Trace"
Message:
Global\C:/Program Files/Flicks Software/AuthentiX/authx.adb_KWXB_DOC_MUTEX_KDBPULSE awakened (in CTimerUpdate::InitInstance), called from: ISAPI Filter

Version 5.5j


*****************


Using my .NET page I see only this entry.


********
Event Type: Information
Event Source: AuthXocx
Event Category: Flicks
Event ID: 100
Date: 1/24/2003
Time: 12:41:07 PM
User: N/A
Computer: LAPTOP
Description:
Message from: "Authentix:Wrap"
Message:
Successfully Loaded Configuration Data. (from: OCXModule). This message is not an error. Just letting you know that the software has started.

Version 5.5j

**********


SOLUTION

When I added the page directive, everything worked, just like in an ASP page.

Test 2:
When I run this .NET code in a code-behind:

dim pathname as string
dim result as integer
pathname = "d:\customer1"
Dim auth As New AUTHXOCXLib.AuthXOCXClass()
result = auth.AuthAdd(pathname)
auth.flush()
auth.AuthDataAuthentiXDBEnabled(pathname) = False
auth.AuthDataODBCEnabled(pathname) = True
auth.AuthDataCustomSelect(pathname) = 2
auth.AuthDataODBCAdvancedUsage(pathname) = 1
auth.AuthDataODBCConnectString(pathname) = "DSN=test;uid=test;pwd=test;"
auth.AuthDataODBCAdvancedString(pathname) = "aulogin '$USERNAME$', '$PASSWORD$', 'customer1'"
auth.flush()

the directory is added and shows up immediately in the GUI and the aspadmin web tool. But the ODBC properties and AuthentixDBenabled do not get recorded. Note the use of the flush method.
Then I tried the following change:

pathname = "d:\customer1\"


works great!

Thanks Glenn Gordon!

Back to the top of the FAQ

Q. GroupAddNewUser - how do I make the expiration zero or null?
A.

I want to replace the last argument with a zero so the user doesn't expire, but VS.NET insists that this last argument has to be of type System.DateTime which doesn't allow null values, and won't convert from an integer.

I actually managed to work out how to make a zero expiry - I used DateTime.FromOADate(0) and it seems to work just fine. The only other thing I noticed using .NET is that the 'optional' arguments for the method (Description, Expiry) aren't optional - you have to enter all the parameters, but I think that's fine for what I need so far.

Thanks Mike Taylor!

Back to the top of the FAQ

Q. How do I suppress duplicate event log entries?
A.

The COM sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\Ole\EventLog.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Back to the top of the FAQ

Q. VB.Net sample

A.

'
' Send:
'   Username as string
' Return:
'   Nothing
' Action:
'   Deletes the user and logs the Authentix Return code
'
Public Sub DeleteAuthentix(ByVal sLogin As String)
Dim Auth = CreateObject("AUTHXOCX.AuthXOCXCtrl.1")
Dim iTemp As Integer = Auth.UserDelete(sLogin)
Auth.Flush()
Auth = Nothing
PrintRecurLog("Auth.UserDelete return code:" & iTemp.ToString)
End Sub
 

Back to the top of the FAQ


WINDOWS DEVELOPER RESOURCES

Windows 2000 and XP error list

For additional information regarding ASP development, Flicks Software recommends that you visit the following websites. Each is an excellent tool for Windows developers.


Copyright © 1998 Flicks Software

All rights reserved. Certain names, logos, designs, titles, words or phrases on this page may constitute trademarks or tradenames of Kevin Flick Software, or other organisations. Click here to view a list of trademarks and attributions.
