Frequently Asked Questions

The most recent version of this FAQ is here.

Q. Beginner's Step by Step.

A. If you are running the software for the first time, here are the steps you need to take to protect a directory:


Q. How do I protect individual files?

A. You can use the following tip: Hi,
Downloaded your software and it looks great. I will be purchasing it today. By the way, I typed in the full pathname of a filename into the Browse edit box in the Authorization dialog - and guess what - it protects just that file!

Thanks Jon! The software adds a slash to the end of the filename, aside from that it works just like you say!


Q. I'm having problems with ASP remote admin,
A. Check out the Remote Admin Component Problem solver


Q. When I have set up protection for a directory, I can get in with Internet Explorer when it prompts me for the Username and Password. However when I use Netscape, I type in the Username and Password, then it gives me another dialog to type in the username/password, this time with no Realm. When I cancel out it says "Error - access denied".

A. Looks like the directory is protected with NTFS. IE will use your login name behind your back (especially if you are on the same machine or local network) to let you in. Use Netscape Navigator and try to access the directory without any protection with the software. Free up the permissions on that directory so that Netscape can get in. Then put the software protection back. That should fix you up.

Q. I still cannot get in!

A. If a directory is protected with NTFS (ie IUSR_machinename has no access) AND the directory is protected with the software, then nobody will be able to get in (UNLESS you have a username and password that also has access as an NT User to this directory). Use only one protection mechanism for each directory.

Q. I am using the ODBC interface, and when I hit the Test button, it says there are 243 record, which is right. The directory I have protected prompts for a login and Internal Database users can get in, but users in my ODBC database cannot! What is going on - why doesn't it work like it says it should?

A. Likely the database field are set up as fixed width chars. The database will pad them with spaces at the end. So what looks like "User1" is in fact "User1         ". Of course, this won't match the name supplied by the user in the dialog prompt. Make sure your username and password fields are variable chars. Then they won't be padded with spaces.

Alternatively, set the Trim spaces option in the Options/ODBC-options dialog.

Q. The test button works fine, but I cannot login. I turned on "Show Reason in Access Denied Message" and it just says "Bad Password" :-(

A. Make sure that the DSN you are using is a System DSN. Other DSN's are not accessible to system processes such as IIS.
Also note that the "Test ODBC" button may work properly with non-text or multiple-word fields, but the web authentication may fail. Make sure you are using text fields and that the field names do not contain spaces.


Q. I am using the ODBC interface with Oracle, and when I hit the Test button it doesn't work :-(

A. The DSN setup does not automatically add the password field to the DSN string. Try adding
after the last semicolon in the DSN string, where password is the password you use to access the database.

Q. When I add a new user, how can I assign him to a particular group without >going to "Group" menu?

A. If you are using the Windows GUI then use the "New User To Group" button, which does precisely what you ask. The Browser Based Remote Administration will has this ability also (Version 1.2 and above).

Q. How are ODBC and Internal Database groups related?

A. ODBC users and Internal Database Groups are not related at all!

If you are using ODBC and you want groups, then make groups a part of your database, and the use the custom select statement for each directory
eg for the directory /specialMembers
select password from customers where group='Special Member' and username=suppliedusername
(forgive my SQL)

Q. 2. I understand that I can use ASP to let the user create his own UID and Password. Can you point me where I can get the sample code :-) ?


There are several samples in the aspocxsamples subdirectory of the installation directory. More are being added over time.

The aspAdmin directory contains a comprehensive ASP working example of remote administration.

If you have some ASP files working with that you are proud of and would like to share, let us know and we'll see if we can get them in the next release.

Q. Separate Admin
Say .. there are 2 groups: sale and support. Anyone in sale group can access to /sale Anyone in support group can access to /support. "Sale Admin" can administer only sale group. "Support Admin" can administer only support group. "Super User" can adminster all groups.

Q. Can I run multiple copies of of the software (each with its own adb file) on one machine?

A. The product AuthentiX ISP may address the need behind this question. Take a look at .

Q. What kind of performance hit is there with the software loaded?


Performance statistics for IIS Website with 
600,000 hits per day. 12 Virtual Directories.	
Mostly static pages. Your mileage may vary.

System: Pentium 90 with 64 Mb Ram. 
IDE Hard disk drives.

Without the software

	Processor time      27%
	Bytes Total/Sec     60000
	Anon Users          160

With the software

	Processor time      35%
	Bytes Total/Sec     60000
	Anon Users          160


Q. Single user name, multiple passwords with the Internal Database?

A. Currently, there can be only 1 unique user name across all groups. However, group 'sale' can have user 'win', group 'support' can have user 'win' too.

AuthentiX ISP has separate adb files.

Q. Single user name, multiple passwords with ODBC database?

A. It is normally best to have the username as a unique key. However, if you have multiple users with the same name but different passwords (ie the username field is not a unique key), then you can set a switch to tell the software to add " AND passwordField='passwordEntered' at the end of the select statement (standard or custom select).

You can set the registry key
of type DWORD
to be 1
then restart IIS.

Q. HTTP/1.0 403 Access Forbidden.

A. You might encounter this in trying to set up the software. This is a message from IIS saying that there is no default file in the directory you are looking at, AND you do not have directory browsing enabled. While you are setting up new web directories, it is often easier to enable directory browsing, just in case you mistype the default file when you are saving for example.

Q. ODBC Case Insensitive passwords: I use Access as a database, and the username lookup is case insensitive which I like. How do I get the password to be case insensistive too?

A. Goto the Options/ODBC dialog and unset the Case Sensitive checkbox.


Q. Am I using the right SQL syntax?

A. Make sure that your field names do not have spaces in them. Also, the fields should all be of type VarChar (text) and not numeric, Boolean, Date or other types.

Q. I have some questions about ODBC caching. I understand that the ODBC user requests are cached and there are settings to control expiration etc. If the request is authenticated from the cache does it look it up again real-time? (i.e. if a currently logged-on user changes password and the user id is located in the cache, will it re-validate or what will happen?

A. From the windows help file:

If you have set up and enabled an ODBC authorization database (see Set Up ODBC), you can adjust the following options:

You can use the ODBCRemoveUserFromCache OCX method to force a user to be removed from the cache,

Q. Are there any log files generated by the software?

A. The software notifies IIS of the username of each authenticated request, and then IIS will place this info in the IIS configured logfile.


Q. Current user: how do I determine who the current user is?

A. This question get asked quite frequently :-).
Use the OCX component to find out who is logged in, You should be able to add the component to your cgi or asp program, or you can get it out of HTTP_AUTHORIZATION and then base64 decode it.

Please call Microsoft and add you name to the list of people who have an issue with IIS4 bug SR X980 2166010 644. More details here.


Q. The REMOTE_USER environment variable is not being set for CGIs if a directory is protected by the software. How do I get the login name?

A. This is to be expected. If REMOTE_USER was set, then IIS would try to authenticate against NTFS, which would disallow all entry. Instead, you can use the OCX component to find out who is logged in, You should be able to add the component to your cgi program. or you can get it out of HTTP_AUTHORIZATION and then base64 decode it.


Q. Also what is the proper way to un-install Authentix?

A. Go to control-panel, Add-Remove Programs, and select the software from there. (look for Membership Systems or AuthentiX

DO NOT run uninstall.exe in the installation directory.


Q. I have tried to install the latest version of the software, however it still comes up with the old version!

A. Are you sure you installed the correct zipfile? If you have just purchased the software and are installing over the trial version, are you sure you are installing the software sent to you?
If you are sure you are installing the correct version, then perhaps the old files are still 'hanging' around.
There are several reasons this could happen, for example you may have forgotten to stop IIS before the installation procedure, or the Windows console app was still running.
To make sure you have a clean re-install, copy the manualdelete.bat from the installation directory to a separate directory, stop IIS and the console app, and uninstall from the control panel.
Modify the manualdelete.bat file to reflect the directories of your installation/machine configuration, and run it.
If any of the files fail to be deleted, then they are still being held open by another process. Rename the offending files, and reboot. This should guarantee that the old files are gone. Then install the software.


Q. Where is the remote administration dll?

A. The remote administration dll is no longer used for remote administration. Check out the aspRemote ASP pages instead!


Q. How do I set things up for FrontPage?

A. Turn on Allow Anonymous, Turn off Basic Authentication, Turn on NTCR (Integrated Windows Authentication in Windows 2000). In the Options dialog turn on "Don't Authenticate Frontpage subdirectories". Make sure that the anonymous user can access the actual directory, without the software having protection for that directory, then Add protection.


Q. IIS4 filter installation problems with MS PWS

A. If you're installing the software with Microsoft PWS (Personal Web Server or Peer Web Services depending on who's speaking), the installation procedure varies from the documentation.
The Peer Web Manager application that ships with PWS doesn't have an option to install filter DLLs, so it has to be done manually.
To install, run REGEDIT or REGEDT32 and locate HKEY_LOCAL_MACHINE/SYSTEM/ CurrentControlSet/Services/W3SVC/Parameters
and add a value "Filter DLLs" (note the space between FILTER and DLLs and leave out the quotes) of type REG_SZ with a string of the full path to the filter dll eg:
A stop and restart of the web service and a check of the Event Log show everything to be running correctly.


Q. IIS4 filter installation problems

A. Make sure you followed the installation instructions you saw when you installed the software.
Here they are again for your reference.

Go to the Microsoft Management Console for IIS.
Click on the item with your machine name.
Right click on it and select Properties.
Click on edit and select the ISAPI Filters tab.
Click on add and type in
Membership Protection Software
in the filter name field.
Click the browse button and select the filter
in the installation directory
You may have to type in authxflt.dll by hand.
Press OK until you return to the ISAPI filters tab.

The filter should now be installed.
If the filter's priority is unknown, exit the
filters dialog, then stop and restart the WWW
service from the Control-Panel/Services.
Return to the ISAPI filters tab again.

Are you sure you are installing the filter at the machine level (in the MMC tree) and not on a sub-web? And then checking the same place?
In the application event log, when you start IIS, there should be a message containing "Memsys Started". If it not there then the filter is not installed properly.
Try stopping and restarting the WWW service from the control panel. If that doesn't work try a reboot (this can make the difference!).

In order to first make sure that permissions are not an issue in the correct operation of the software, make sure IIS_machineName has full access to the installation directory and the system32 directory. You may wish to experiment with reducing the amount of access granted to these directories, in accordance with any security policy. Likely you will need at least write access to the installation directory, so that the ASP based remote Administration can update its configuration files held there. Also you will definitely need at least read permission on system32!


Q. I'm using IIS4 and I think I've loaded the filter, but it doesn't seem to be working!

A. Check the event log. If you get a message like:

"An attempt was made to load filter 
on a server instance but it 
requires the SF_NOTIFY_READ_RAW_DATA filter notification so it must be 
loaded as a global filter."
Then that means that you have tried to load the filter on a sub-web. It needs to be loaded at the machine-level, as described in the installation instructions. Try loading it as a global filter at the machine-level, as suggested.


Q. With Remote Administration I get Code is [5] Access is denied. The file could not be accessed.
And I cannot get ASP to add users, or get any changes to 'stick'.

A. Make sure that IUSR_machinename has full access to the installation directory.


Q. When I use the Software to protect a subdirectory of a frontpage directory, I cannot edit it with Frontpage!

A. In Internet Service Manager, Turn off Basic (Clear Text), and turn on NT Challenge response. The Software will validate for Basic, and let through NTCR (Integrated Windows Authentication in Windows 2000) requests that Frontpage uses.
If for some reason you must use Basic (Clear Text) for Frontpage editing, look in the Options dialog. You will see "Don't authenticate Frontpage subdirectories (with _vti_ in them) even if they are in a protected directory."
Check it.


Q. Limit logins? Details, restrictions?

A. Due to the connectionless architecture of the http protocol, certain conventions are commonly used to identify a 'user' and a 'login session'. With http, every request for a page or a picture is separate and distinct. The common convention to define a 'user' is a sequence of requests from the same IP address. This is further refined as being a request from the same IP address in combination with the username. There is no way for any web server software to differentiate between a single IP address with the same username and password, which can happen if the two users are on the other side of a proxy (their side).
An exception is with the HTTP 1.1 protocol, which allows multiple requests using the same TCP/IP connection. However not all browsers support this. Additionally, proxy servers usually disable HTTP 1.1 and dumb it down to HTPP 1.0.

In HTTP a 'login session' is typically defined as a series of requests from a single IP address with no break in requests for 10 minutes. This is the convention the software uses also (adding the username into the mix).


Q. What is the process that takes place to validate a user.

A. With Basic Authentication when a request comes in that is for a protected directory, and there is no Base 64 encoded authentication header, then a 401 Access Denied message is returned. This should tell the browser to prompt for a username password and send the results in a Base 64 encoded authentication header. If there is a Base 64 encoded authentication header, then it is decoded and matched against the Internal Database database. This happens for each request. If you are using ODBC, then the user is looked up and the username/password is cached (for a period you specifiy in Options). The cache can be purged if you change ODBC passwords on the fly and want the change to be immediate, using the ASP/OCX method ODBCRemoveUserFromCache.

With cookie protection, once the user has entered their credentials via a form, OCX methods set a cookiename and a cookievalue (both encoded but not with Base 64) and apply it to the protected directory. When the cookie protected directory is accessed, the Software looks for these special cookies, and validates against them.


Q. I have content which is license-restricted to 15 concurrent users - can you help?
I need a way to establish sessions which allows N number of users access for a defined period (example 10 minutes), after which they would need to establish a new session (with a wait if all N licenses were in use).
However, under this scheme I do not wish to assign usernames/passwords as the entire community has equal access rights.

A. Go with Cookie-based authentication, especially since the Software allows you to make various extra settings, such as timeout.
Browsers that do not have cookies enabled will be denied access. See the dialog here:

The Software comes with samples to help you get started with cookie authentication. What you can do is have a login page that does not require a username and password, just hard-code a username and password into the asp page.
Then set limit logins limitl.htm to allow 15 concurrent users.


Q. I notice that once I have entered a username and password to access a directory, I don't have to enter it again. Because several people share each computer/browser that access the directory, how do I turn this caching off?

A. You are using Basic Authentication, and the browser caches the username and password. Browsers differ in their behaviour, but they will always cache a username/password for a URL directory until they are closed. Some will save the cached information for when they are restarted, although this is usually configurable. If you could turn caching off, you would be prompted for your username and password on every request for each file and image!

You can achieve what you want to do using cookie based authentication and setting a timeout. Click here for more info


Q. With Cookie based protection, I am trying to get the cookies to be persistent, but they always seem to expire with the session. I don't want the user to log in each time they come to the site. How do I make the cookies persistent?

To make the cookies persistent, set the date you want the cookie to expire in in the loginNow.asp (or equivalent) script, eg:
response.Cookies(cookieName).Expires = #July 4, 1999#


  • Q. I am protecting a directory called "secure" with cookies - it works with IE but not with Netscape!

    Netscape doesn't transmit cookies to directories called "secure". Bizarre but true.
    Rename the directory and protect that instead (remember to change the values in loginnow.asp).


    Q. With Cookie based protection, I've protected a directory //servername/dirname, however when I go to //servername/dirname it prompts for a password even though I have got in successfully to //servername/dirname/ (with the slash included).

    In your equivalent of loginNow.asp, set the protectedDirectory to be protectedDirectory = "/asp/ACookieLogin/example2/members" instead of protectedDirectory = "/asp/ACookieLogin/example2/members/"


    Q. With Cookie based protection, I want the user to login once, then have access to multiple different directories.

    What you need to do, is determine what groups and directories a particular user has permissions for when the user first logs in (loginnow.asp). Then set the correct cookies for all the appropriate directories. So you would do something like this:

    ' lookup up the user in the database,
    ' figure out which directories+URLs he has access to
    ' for each directory+URL do this:
    	protectedAbsPath = "c:\aspmail\ACookieLogin\example2\members\"
    	protectedDirectory = "/aspmail/ACookieLogin/example2/members/"
    	cookieName = AuthX.CookieLoginCookieName(protectedAbsPath, _
    				protectedDirectory  _
    	cookieValue = AuthX.CookieLoginValue(serverName, _
    				protectedAbsPath, _
    				Request.Form("USERNAME"), _
    				Request.Form("PASSWORD")  _
    	response.Cookies(cookieName) = cookieValue
    	response.Cookies(cookieName).Path = protectedDirectory
    Cookie-based protection must actively set the cookie on the browser for each protected directory via ASP, rather than Basic which passively rejects unauthorized access with a 401 reject message.

    With Basic Authentication, the browser automatically caches the username and password for each directory. With cookie-based protection it is necessary to emulate this behaviour.


    Q. I am using IIS4, and a virtual web site in its own memory space. I am getting the error reason=denied_cookie_timed_out, even if I am using Basic Authentication!
    A. Running the web site in its own virtual memory space is causing this problem. Switch this off.


    Q. I have multiple protected directories and each are subdirectories of each other, ie /paid/, /paid/b/, /paid/c/, /paid/c/d/, etc. They are all separately protected by the same group. When a browser goes straight first to /paid/c/ he is prompted once. Then when going to /paid/b/ he is prompted again for the same username/password! I want him prompted only once!

    A. Make sure that all of the protected directories have the exact same Realm. The default Realm is always the same, so it will work as you want unless you have changed the realms to be different on each directory by hand.


    Q. How can I protect access to two dbWeb "schemas"?
    A. discovered that it is possible to protect dbWeb Schemas.

    In using dbWeb, and the difference between two "pages" of information (schemas as they are called by dbWeb) is just in the "command" line. ie)
    one is

    as you can see the directories are the same, just the commands to the .dll are different.

    The validation works great, but you just have to leave the parameters off (every thing including and after the question mark) So you can control access to two dbWeb schemas by authenticating the following.


    Q. I am using Oracle, where are the latest drivers?
    A. The latest Oracle drivers are here:

    Q. I am trying to authenticate with the Software and IIS against a database on another machine on my LAN. It doesn't appear to work. What do I need to do?
    A. If you are using an Access database (mdb) on another machine, or an SQL Server on another machine using "Integrated" security, then you will need to tell the Software to impersonate a user that has access to that database.

    Go to Options/ODBC, check the "Impersonate user when accessing database" checkbox, and enter the username and password of the user that has permission to access the remote database.

    If you are using SQL server with Standard or Mixed security, and you have the username and password in the DSN, you will not experience this problem.

    Q. I cannot find the remote administration dll!
    A. Note that the ASP/OCX remote administration method is now the preferred method of remote administration. Drop the aspAdmin directory (from the installation directory) into an execute enabled subdirectory of your webroot. Then load index.htm.

    Help Index