Commerce Server 2007 Authentication with ASP.NET Authentication
There have been a couple of questions about how to use and integrate MSCS Authentication with ASP.NET Authentication. For those of you that don't know, MSCS Authentication is Microsoft Commerce Server's authentication cookie/ticket that is used to identify Commerce Server Profile users. With Commerce Server 2007, we recommend you use the ASP.NET's membership provider but then the question arises, how does our web analytics use and decode this cookie?
It doesn't! For a site to be able to use Commerce Server 2007 web analytics, the site must also write the MSCSAuthenticiation ticket to the IIS web logs. This enables the web analytics to map the IIS web user to the Commerce Server profile user. This allows for some powerful reports to be generated against users and their activity (more on reports on a later post).
Here is how to enable the MSCSAuth ticket, in addition to your ASP.NET Authentication ticket, in your Commerce Server site. Thanks to David Messner for providing this content!
The CommerceDataWarehouseAuthenticationModule is used for exactly this purpose! Here is a description of the actions it performs in the OnPreRequestHandlerExecute handler:
/// Called when a PreRequestHandlerExecute event is triggered. This method contains the main logic for the Auth Module,
/// This method takes the username from CommerceContext.Current.UserID and creates an encrypted Ticket
/// string from it. If the user is authenticated (i.e. the UserID is not null), this string is logged as the
/// MSCSAuth ticket in the IIS logs. Note that no actual cookie is created in this case.
/// If the user is not authenticated, an actual MSCSProfile session cookie is created with a random guid. In this case,
/// the cookie automatically gets logged to the IIS log because it is set on the response.
Be sure you have the userIdSource attribute of the userProfile element in Web.config set to “ASP.NET” and not “UPM”. This will cause the CommerceContext.Current.UserID property to be set by accessing HttpContext.Current.User. From that it retrieves the profile and looks up the UserID from the profile. It does this by using the configured userIdKey property (default is GeneralInfo.email_address) to retrieve the user profile for the user and accesses the property specified by the configured userIdTarget (default is GeneralInfo.user_id) as the actual user ID.
Therefore as long as HttpContext.Current.User is set before the above module event handler runs (can be set either by ASP.NET Authentication modules or by a custom authentication module), the CommerceDataWarehouseAuthenticationModule will log the cookie to the IIS log in a format that Commerce analytics will recognize. Another option is to use a custom module to set CommerceContext.Current.UserID manually before this module runs and then the complexity of how CommerceContext.Current.UserID gets set by Commerce Server is removed.
You will also need to add this to your httpModules section of the web.config file.
<add name="CommerceDataWarehouseAuthenticationModule" type="Microsoft.CommerceServer.Runtime.CommerceDataWarehouseAuthenticationModule, Microsoft.CommerceServer.Runtime, Version=6.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
Now your site will write out both the ASP.NET Authentication ticket as well as the MSCSAuth ticket thus allowing web analytics to resolve IIS web users to Commerce Server profile users.
Hope this helps!
