Secure Installation of
Security considerations around an installation and best practices to follow

Authentication in Management System

Management System maintains its own User Store with user credentials, permissions and profiles. The Management System always requires an authenticated user. It supports Forms Authentication or Windows Authentication. ASP.NET Forms Authentication is the default and does not require any additional configuration (in IIS, Anonymous Access must be enabled, which is the default setting).

Configuring Windows Authentication in Management System

To switch to Windows Authentication do the following:

  • Ensure you have a user account in MS with administrative permissions whose username matches your Windows login, including the domain prefix (e.g. "DOMAIN\user"). Otherwise you will not be able to log in after the switch. This user does not need a password, because authentication is done by Windows. Storing your Windows password as this user's password would even be a security hole: the MS User Store would then hold a copy of a domain credential.
  • In IIS enable "Windows Authentication" (called "Integrated Windows Authentication" in IIS 6) under Security.
  • In IIS disable "Anonymous Authentication" (if it stays enabled, it takes precedence over Windows Authentication and nobody is ever challenged).
  • Set the "identity impersonate" key in web.config to true (default is false) under the system.web element (in IIS 7 you can do this directly in IIS Configuration):

    <identity impersonate="true" />
  • Set the authentication mode to Windows in web.config (under system.web):

    <authentication mode="Windows" />
  • Enable Windows Authentication for the WCF service: add the following to the <binding name="myServicesBinding"> section:

              <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" />
              </security>

    and ensure the services/service element looks as follows:

          <service behaviorConfiguration="AxCMS.AxCMSweb.ConceptBehavior" name="AxCMS.AxCMSweb.Concept">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="myServicesBinding" contract="AxCMS.AxCMSweb.IConcept" />
            <endpoint address="mex" binding="basicHttpBinding" bindingConfiguration="myServicesBinding" contract="IMetadataExchange" />
          </service>
  • On the client, if your browser prompts for credentials: add the MS website to the Local intranet zone, the zone in which browsers send the Windows logon automatically (e.g. in IE under Tools/Internet Options/Security/Local intranet/Sites).
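The IIS and web.config steps above, scripted for IIS 7 or later with the WebAdministration module. This is an added example written for this page, not a script shipped with AxCMS; the application path "Default Web Site/AxCMS" and the web.config location are assumptions, and the script ends by checking the ordering mistake the list warns about (Anonymous Authentication left enabled):

```powershell
# Added example (not part of the AxCMS documentation or product). Run elevated.
# Assumptions: the MS application is at IIS path "Default Web Site/AxCMS" and its
# web.config is at C:\inetpub\wwwroot\AxCMS\web.config (both hypothetical).
# The Windows Authentication role service must be installed: Install-WindowsFeature Web-Windows-Auth
Import-Module WebAdministration

$appPath   = 'Default Web Site/AxCMS'                 # assumed IIS site/application
$webConfig = 'C:\inetpub\wwwroot\AxCMS\web.config'    # assumed path
$appHost   = 'MACHINE/WEBROOT/APPHOST'                # write to applicationHost.config <location>, works even if the section is locked

function Set-AuthScheme([string]$Scheme, [bool]$Enabled) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $appPath `
        -Filter "system.webServer/security/authentication/$Scheme" `
        -Name 'enabled' -Value $Enabled
}

function Get-AuthEnabled([string]$Scheme) {
    (Get-WebConfigurationProperty -PSPath $appHost -Location $appPath `
        -Filter "system.webServer/security/authentication/$Scheme" -Name 'enabled').Value
}

# IIS side: enable Windows Authentication first, then disable Anonymous,
# so there is never a moment with no scheme enabled.
Set-AuthScheme 'windowsAuthentication'   $true
Set-AuthScheme 'anonymousAuthentication' $false

# web.config side: <authentication mode="Windows" /> and <identity impersonate="true" /> under <system.web>
Copy-Item -Path $webConfig -Destination "$webConfig.bak" -Force
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($webConfig)
$systemWeb = $cfg.configuration.'system.web'
if (-not $systemWeb) { throw "no <system.web> element in $webConfig" }

$auth = $systemWeb.SelectSingleNode('authentication')
if (-not $auth) { $auth = $systemWeb.AppendChild($cfg.CreateElement('authentication')) }
$auth.SetAttribute('mode', 'Windows')
# A leftover <forms> child from Forms mode is ignored under Windows mode; remove it to avoid confusion.
$forms = $auth.SelectSingleNode('forms')
if ($forms) { [void]$auth.RemoveChild($forms) }

$identity = $systemWeb.SelectSingleNode('identity')
if (-not $identity) { $identity = $systemWeb.AppendChild($cfg.CreateElement('identity')) }
$identity.SetAttribute('impersonate', 'true')
$cfg.Save($webConfig)

# Check: Anonymous still on means the switch silently did nothing.
if (Get-AuthEnabled 'anonymousAuthentication') { throw 'Anonymous Authentication is still enabled; it takes precedence over Windows Authentication' }
if (-not (Get-AuthEnabled 'windowsAuthentication')) { throw 'Windows Authentication is not enabled' }
"Windows Authentication active for $appPath"
```

The script deliberately does not touch the User Store: the MS account whose name matches "DOMAIN\user" must exist before you run it, or you lock yourself out. The WCF binding change from the last step is left to a manual edit, since the binding name in your configuration may differ.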


Secure Communications using SSL

If you want to secure the communication between the client and the server, we suggest using SSL (TLS). All communication with the Management System can run over HTTPS. An SSL certificate issued for the host name of the Management System application is needed. If you have also switched the WCF service to Windows Authentication, note that security mode "TransportCredentialOnly" is valid over plain HTTP only; over HTTPS use mode="Transport" with the same clientCredentialType.
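Putting the Management System on HTTPS involves more than a certificate: the site needs an HTTPS binding, plain HTTP should be refused rather than merely supplemented, and the Forms Authentication ticket cookie must be marked secure so it is never sent over HTTP. The following added example (not AxCMS code) does all three; the site name, application name, web.config path and certificate thumbprint are placeholders you must replace:

```powershell
# Added example (not part of the AxCMS documentation or product). Run elevated.
# Assumptions: site "Default Web Site", MS application "AxCMS" beneath it, the server
# certificate already imported into the machine store (thumbprint is a placeholder).
Import-Module WebAdministration

$siteName   = 'Default Web Site'                                # assumed
$appPath    = "$siteName/AxCMS"                                 # assumed
$webConfig  = 'C:\inetpub\wwwroot\AxCMS\web.config'             # assumed
$thumbprint = '0000000000000000000000000000000000000000'        # placeholder, replace

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# 1. HTTPS binding on port 443 with the certificate attached to it
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# 2. Require SSL for the MS application: plain HTTP requests get 403.4 instead of a login form
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 3. Cookies: the Forms ticket (if Forms Authentication is in use) and all other
#    cookies only over HTTPS, and not readable by script.
$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($webConfig)
$systemWeb = $cfg.configuration.'system.web'
$forms = $systemWeb.SelectSingleNode('authentication/forms')
if ($forms) { $forms.SetAttribute('requireSSL', 'true') }      # absent under Windows Authentication, then nothing to do
$cookies = $systemWeb.SelectSingleNode('httpCookies')
if (-not $cookies) { $cookies = $systemWeb.AppendChild($cfg.CreateElement('httpCookies')) }
$cookies.SetAttribute('requireSSL', 'true')
$cookies.SetAttribute('httpOnlyCookies', 'true')
$cfg.Save($webConfig)
"HTTPS enforced for $appPath"
```

Step 2 is the one most often skipped: with only the binding added, a user who types the http:// address still sends the login form and the session cookie in clear text, and step 3 then breaks login over HTTP instead of silently allowing it, which is the intended effect.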


Securing WebServices

WebServices are used to access the Live System from the Management System, e.g. PublishWebService, which is used to publish content. There are a few other services as well. The WebServices run in the context of a separate web application, "PublishService". They are protected with a username/password, which is configured on the client (Management System) and on the server (PublishService). Transfer of the user credentials is secured at the application level with WSE 3.0 (Web Services Enhancements) from Microsoft; for an overview of WSE read "Why WSE?" on MSDN. SSL can be used as well for the communication with the WebServices. You can additionally configure the PublishService application to accept requests only from known client IPs (= the IP of the Management System). Treat the IP filter as a second layer next to the WSE credentials, not as a replacement: it sees the address of the last network hop, so behind a NAT gateway or reverse proxy it admits everything that shares that address.
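The IP restriction on the PublishService application, done with the IIS "IP and Domain Restrictions" feature, as an added example that is not AxCMS code. The Live site name, the application name and the Management System address are assumptions; the script is safe to re-run because it only adds addresses that are not already listed:

```powershell
# Added example (not part of the AxCMS documentation or product). Run elevated on the Live server.
# Assumptions: Live site "Live Site" with the WebServices application at "Live Site/PublishService",
# Management System reachable from the Live server as 10.0.0.5 (all hypothetical).
# Feature required: Install-WindowsFeature Web-IP-Security
Import-Module WebAdministration

$appPath = 'Live Site/PublishService'    # assumed
$allowed = @('10.0.0.5')                 # assumed MS address(es); add a second node here if you run two
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/ipSecurity'

# Deny everything that is not listed. Setting this first means a re-run never
# leaves a window in which the service is open while the allow list is rebuilt.
Set-WebConfigurationProperty -PSPath $appHost -Location $appPath -Filter $filter `
    -Name 'allowUnlisted' -Value $false

function Get-IpRestriction {
    $section = Get-WebConfiguration -PSPath $appHost -Location $appPath -Filter $filter
    [pscustomobject]@{
        AllowUnlisted = [bool]$section.allowUnlisted
        Allowed       = @($section.Collection | Where-Object { $_.allowed } | ForEach-Object { $_.ipAddress })
    }
}

$current = Get-IpRestriction
foreach ($ip in $allowed) {
    if ($current.Allowed -notcontains $ip) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $appPath -Filter $filter -Name '.' `
            -Value @{ ipAddress = $ip; subnetMask = '255.255.255.255'; allowed = 'True' }
    }
}

# Verify the end state; allowUnlisted=true would make the allow entries decorative.
$state = Get-IpRestriction
if ($state.AllowUnlisted) { throw 'allowUnlisted is still true; the restriction is ineffective' }
foreach ($ip in $allowed) {
    if ($state.Allowed -notcontains $ip) { throw "allow entry for $ip missing" }
}
"PublishService restricted to: $($state.Allowed -join ', ')"
```

Use a subnet mask only if the Management System really can originate from several addresses; a /24 "to be safe" lets every other machine in that subnet talk to the publishing endpoint, which is exactly the exposure the filter is meant to remove.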

Authentication in WebDAV

WebDAV is used to enable other applications, like Windows Explorer, to access content using the Files & Folders metaphor. The WebDAV implementation supports both standard authentication (Digest Authentication is used to transfer the credentials) and Windows Authentication. Read more under WebDAV.



Authentication in Live System

In the Live System no authentication is required by default. You can use the same technique on the Live side: Forms Authentication with its own User Store; support tools for this are provided. There is no Active Directory nor WebDAV support out of the box.

In addition, IP-Address Based Authentication is available. It lets you map client IP addresses to particular users (members). If the client IP is not found in the map and the client requests a protected page, standard authentication (with a login page) is used. Keep in mind that this identifies a network location, not a person: every client behind the same NAT gateway or proxy presents the same address, and forwarded-address headers inserted by a proxy can be forged unless that proxy is trusted, so map only addresses you control and take the address from the TCP connection.
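The decision logic just described, as an added example that is not AxCMS code: it generalises from single addresses to CIDR ranges, picks the most specific matching range, and falls back to the login page only for protected pages. The member map, member names and request records are constructed for illustration; the configuration format AxCMS uses for this mapping is not shown on this page and is not reproduced here.

```powershell
# Added example (not part of the AxCMS documentation or product).
# Pure PowerShell, no IIS needed; arithmetic instead of bit shifts so it runs the same
# on Windows PowerShell 5.1 and PowerShell 7.

function ConvertTo-IPv4Number([string]$Address) {
    # Dotted quad -> integer in 0..2^32-1
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "IPv4 address expected: $Address" }
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function Test-IPv4InCidr([string]$Address, [string]$Cidr) {
    $net, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = '32' }                 # bare address = single host
    $block = [math]::Pow(2, 32 - [int]$prefix)           # number of addresses in the range
    $lhs = [math]::Floor((ConvertTo-IPv4Number $Address) / $block)
    $rhs = [math]::Floor((ConvertTo-IPv4Number $net) / $block)
    return $lhs -eq $rhs
}

# Constructed sample map (hypothetical members). Overlapping ranges are allowed;
# the longest prefix wins, so the kiosk host is not swallowed by the office /16.
$memberMap = @(
    @{ Cidr = '10.20.30.5/32';  Member = 'lobby-kiosk' },
    @{ Cidr = '10.20.0.0/16';   Member = 'partner-office' },
    @{ Cidr = '192.168.1.0/24'; Member = 'editors-lan' }
)

function Resolve-MemberByIp([string]$ClientIp) {
    $hits = @($memberMap | Where-Object { Test-IPv4InCidr $ClientIp $_.Cidr })
    $best = $hits | Sort-Object { [int](($_.Cidr -split '/')[1]) } -Descending | Select-Object -First 1
    if ($best) { return $best.Member }
    return $null
}

function Get-AccessDecision([string]$ClientIp, [bool]$PageIsProtected) {
    # $ClientIp must be the address of the TCP connection (REMOTE_ADDR), not a
    # client-supplied header such as X-Forwarded-For, unless a trusted proxy set it.
    $member = Resolve-MemberByIp $ClientIp
    if ($member) { return "serve as member '$member' (mapped by IP)" }
    if ($PageIsProtected) { return 'redirect to login page' }
    return 'serve anonymously'
}

# Constructed requests: connection address and whether the requested page is protected.
$requests = @(
    @{ Ip = '10.20.30.5';   Protected = $true  },   # exact host entry beats the /16
    @{ Ip = '10.20.77.9';   Protected = $true  },   # inside the /16 only
    @{ Ip = '203.0.113.10'; Protected = $true  },   # unmapped, protected page
    @{ Ip = '203.0.113.10'; Protected = $false }    # unmapped, public page
)
foreach ($r in $requests) {
    '{0,-14} protected={1,-5} -> {2}' -f $r.Ip, $r.Protected, (Get-AccessDecision $r.Ip $r.Protected)
}
```

The longest-prefix rule matters for security as well as correctness: if a broad range were allowed to override a narrower one, adding a convenience entry for an office network could silently re-map a host that was deliberately pinned to a restricted member.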

Note that the documentation uses the term User (German: Benutzer) for a user of the Management System, while users of the Live System are referred to as Members (German: Teilnehmer). Other names you will probably encounter are MS-user and LS-user.