Microsoft Identity and Access Management Series

Extranet Access Management

Chapter 6: Testing the Solution

Published: May 11, 2004 | Updated: June 26, 2006

This chapter describes how to validate the implemented solution scenarios from the previous chapter. It also provides some troubleshooting steps to help with common implementation challenges. Comprehensive guidance for testing the end-to-end user and administrator experience is not provided.

Business to Employee Extranet Access

After the B2E extranet access scenario implementation is complete, you are ready to validate your implementation to ensure that the B2E Web single sign on (SSO) application meets the requirements for Contoso.

Validating the Implementation Prerequisites

Before testing the implementation guidance in this paper, there are a few basic verification tests that you should perform to ensure that you have correctly configured the required infrastructure for the solution. Use the following tests to validate these prerequisites.

Tests to validate the prerequisites include:

•	Basic Test 1: Verify Auto-enrollment Works in the Contoso Intranet Domain
•	Basic Test 2: Verify Intranet User Access to the Contoso Extranet Web Page
•	Basic Test 3: Verify Extranet Users Can Access the Contoso Web Page
•	Basic Test 4: Verify Intranet and External Users Can Access the CRL Site
•	Basic Test 5: Verify the CRL Is Updated on the Perimeter Web Server
•	Basic Test 6: Verify the Contoso B2E Application Can Use HTTPS
•	Basic Test 7: Verify the Sales and Contacts Application Runs Correctly
•	Basic Test 8: Verify User Provisioning in the Extranet Active Directory
•	Basic Test 9: Verify Sales Group User Accounts Are Mapped to Certificates

Basic Test 1: Verify Auto-enrollment in the Contoso Intranet Domain

Complete the following steps to verify that the sales users in the intranet Contoso domain will receive user authentication certificates through auto-enrollment.

To verify auto-enrollment for sales users in the Contoso intranet domain

1.	Ensure that the public key infrastructure (PKI) is in place and configured for auto-enrollment with a user certificate template.
2.	Create a new user who is a domain member in the Contoso domain.
3.	Have the user log on to the intranet domain using their domain credentials.

These steps should confirm that the domain user received the user authentication certificate through auto-enrollment from the Contoso issuing certification authority (CA).

Basic Test 2: Verify Intranet User Access to the Contoso Extranet Web Page

Complete the following steps to verify that members of the intranet domain can access the Contoso extranet Web page.

To verify intranet domain users can access the Contoso extranet Web page

1.	Log on to the intranet as a member of the domain.
2.	Open Microsoft® Internet Explorer.
3.	In the Address bar for the browser, type www.contoso.com and then click Go to test user access to the Web page.

This test should confirm that the user can view the Contoso HTML page in the browser.

Basic Test 3: Verify Extranet Users Can Access the Contoso Web Page

Complete the following steps to verify that extranet users via the Internet can access the Contoso Web page.

To verify extranet users via the Internet can access the Contoso Web page

1.	Open Internet Explorer.
2.	In the Address bar for the browser, type www.contoso.com and then click Go to test user access to the Web page.

This test should confirm that the user can view the HTML page in the browser.

Basic Test 4: Verify Intranet and Extranet Users Can Access CRL Site

Complete the following steps to verify that intranet and extranet users can access the certificate revocation list (CRL) site on the Contoso perimeter Web server.

To verify that intranet and extranet users can access the CRL site

1.	Open Internet Explorer.
2.	In the Address bar for the browser, type dp1.pki.contoso.com/pki and then click Go to access to the Web site.

This test should confirm that users in the Contoso intranet domain and extranet users can view the CRL site on the perimeter Web server.

Basic Test 5: Verify the CRL Is Updated on the Perimeter Web Server

Complete these steps to verify that the CRL is updated on the perimeter Web server.

To verify that the CRL is updated on the perimeter Web server

1.	Open Internet Explorer.
2.	In the Address bar for the browser, type dp1.pki.contoso.com/pki and then click Go to access to the Web site.
3.	Open the CRL from the issuing CA to verify the next update field in the details pane.

This test should confirm that the CRL on the issuing CA has not expired, and that it is the latest list.

Basic Test 6: Verify the Contoso B2E Application Can Use HTTPS

Complete the following steps to verify that the Contoso B2E application is enabled to use Hypertext Transfer Protocol, Secure (HTTPS).

To verify the Contoso B2E application is enabled to use HTTPS

1.	Install the B2E application on the extranet Web server and provide links for it on the Contoso home page.
2.	Install the Web server certificate on the extranet server running Microsoft Internet Information Server (IIS 6.0), and then enable HTTPS on the B2E virtual directory.
3.	From a client computer running Microsoft Windows® XP Professional, access the B2E link from the Contoso home page at: https://www.contoso.com/b2e.

This test should enable the client computer on the Internet to access the B2E Web page using the HTTPS protocol.

Basic Test 7: Verify the Sales and Contacts Application Runs Correctly

Complete the following steps to verify that the Sales and Contacts application runs correctly.

To verify that the Sales and Contacts application runs correctly

1.	Open Internet Explorer.
2.	In the Address bar for the browser, type https://www1.contoso.com and then click Go to test user access to the Web page.
3.	Click the Sales and Contacts application URL and verify that the HTTPS protocol appears in the Address bar at the beginning of this URL.
4.	Enter a sales user's user name and password.
5.	Run the application.

This test should confirm that the Sales and Contacts application runs on the extranet Web server.

Basic Test 8: Verify Provisioning in the Extranet Active Directory

Complete the following steps to verify that the Sales and Contacts application users are provisioned in the extranet Microsoft Active Directory® directory service.

To verify these users are provisioned in the extranet Active Directory

•	Use the DSA.msc file to verify that sales users are created and provisioned in the Sales group at: OU=Employees,OU=Accounts,DC=perimeter,DC=Contoso,DC=com.

This test should confirm that Sales and Contacts application users are provisioned in the extranet Active Directory.

Basic Test 9: Verify Sales Group User Accounts Are Mapped to Certificates

Complete the following steps to verify that users in the Sales group provisioned in the extranet Active Directory have their accounts mapped to their user certificates.

To verify Sales group user accounts are mapped to their user certificates

1.	Use the DSA.msc file to verify that users are created and provisioned in the Sales group at: OU=Employees,OU=Accounts,DC=perimeter,DC=Contoso,DC=com in the extranet Active Directory.
2.	Use the ADSIEDIT.msc file to locate the specific user object, and then right-click the object to view its properties.

Performing this test should confirm that the value in altSecurityIdentities matches the subject value in the user's authentication certificate. For example:
altSecurityIdentities equals X509<I>DC=com,DC=contoso,DC=corp,DC=na,CN=Users,CN=user01,E=user01@corp.contoso.com.

Validating the Implementation

You can use the information in the following sections to test the B2E access management scenario and validate your implementation of the guidance.

Tests to validate the implementation include:

•	Test 1: Verify SSO Access to the Sales and Contacts Application
•	Test 2: Verify Non-Sales Group Employees Cannot Access the Application
•	Test 3: Verify the Extranet Web Server Intercepts Authentication Requests
•	Test 4: Verify Certificate Revocation Works Correctly
•	Test 5: Verify Authenticated Users with the Authorization Manager Application
•	Test 6: Verify Authenticated, But Unauthorized Users Are Denied Access
•	Test 7: Verify Sales Group User Access Via the Contoso Intranet
•	Test 8: Verify Deprovisioned Users Cannot Access the Application

Test 1: Verify SSO Access to the Sales and Contacts Application

Complete the following steps to verify that a sales employee can access the Sales and Contacts application via the Internet using SSO.

To verify SSO access to the Sales and Contacts application

1.	Log on to the Internet on a client computer running Windows XP Professional using the cached credentials of a user who has membership in the domain.
2.	Access the Contoso Web page, and then click the link for the Sales and Contacts application.
3.	Verify that a message appears prompting the user to choose a user certificate from his or her user account certificate store.

This test should confirm that the user can successfully access the Sales and Contacts application using his or her user certificate.

Test 2: Verify Non-Sales Group Employees Cannot Access the Application

Complete the following steps to verify that employees who are not in the Sales group cannot access the Sales and Contacts application via the Internet.

To verify non-Sales Group employees cannot access the application

1.	Log on to the Internet on a client computer running Windows XP Professional using the cached credentials of a user who has membership in the domain.
2.	Access the Contoso Web page, and then click the link to the Sales and Contacts application.
3.	Verify that a message appears prompting the user to choose a user certificate from his or her user account certificate store.

This test should confirm that this user cannot access the Web page for the Sales and Contacts application.

Test 3: Verify the Extranet Web Server Intercepts Authentication Requests

Complete the following steps to verify that the extranet Web server intercepts Sales employee authentication requests via HTTPS, and that the server uses client authentication certificates from the issuing CA to authenticate users to the extranet Active Directory.

To verify the extranet Web server intercepts authentication requests via HTTPS

1.	Ensure the client has a valid user authentication certificate, and that the account maps correctly in the extranet Active Directory.
2.	Log on to the extranet domain using cached credentials.
3.	Access the Contoso Web page at https://www.contoso.com, and then click the link for the Sales and Contacts application to test it.
4.	Verify that a message appears prompting you to specify a user certificate.

This test should confirm that the Web server intercepts the authentication request, and then displays a message prompting for a user certificate.

Test 4: Verify Certificate Revocation Works Correctly

Complete the following steps to verify that Sales employee authentication requests fail when users attempt to authenticate from the Web server to the extranet Active Directory, and that the user certificates are revoked.

To verify Sales employee attempts to authenticate from the Web server fail

1.	Open the CA Microsoft Management Console (MMC) snap-in and navigate to the Issued Certificates folder. Revoke a certificate for a sales user who has access privileges to the Contoso Sales and Contacts application Web page.
2.	Publish a new CRL from the Contoso issuing CA, and then update it to both the internal and external HTTP CRL locations.
3.	Wait 24 hours for the CRL to refresh in the cached memory of the issuing CA.
4.	Attempt to authenticate against the Web page at www.contoso.com using the link for the Sales and Contacts application and the same user name.

This test should confirm that the user receives an error message saying that his or her certification has been revoked, and that the user cannot access the Sales and Contacts application Web page.

Test 5: Verify Authenticated Users with the Authorization Manager Application

Complete the following steps to verify that authenticated users attempting to access the Sales and Contacts application are authorized based on their membership profile for the User, Group, Roles, and Application Objects in the extranet Active Directory using the Authorization Manager application.

To verify authenticated users with the Authorization Manager application

1.	Ensure the client has a valid user authentication certificate, and that his or her account maps correctly to the extranet Active Directory. Also ensure the user ID is added to the Sales User group.
2.	Log on to the extranet domain using cached credentials.
3.	Access the Contoso Web page at www.contoso.com, and then click the link to the Sales and Contacts application.

This test should confirm that the user can access the Sales and Contacts Web page, unless he or she specifies a valid user certificate.

Test 6: Verify Authenticated But Unauthorized Users Are Denied Access

Complete the following steps to verify that authenticated but unauthorized users attempting URL access to the Sales and Contacts application are denied access based on their membership profile for User, Group, Roles and Application Objects in the extranet Active Directory using the Authorization Manager application.

To verify authenticated but unauthorized users are denied access

1.	Log on to a client computer as a user who is not a member of the Sales group.
2.	Access the Contoso Web page at www.contoso.com, click the link for the Sales and Contacts application, and attempt to log on.

This test should confirm that the user cannot log on to the site because he or she is not a member of the Sales group.

Test 7: Verify Sales Group User Access Via the Contoso Intranet

Complete the following steps to verify that users in the Sales group can access the Sales and Contacts application from the Contoso intranet.

To verify Sales Group user access via the Contoso intranet

1.	Log on to the intranet domain as a member of the Sales group.
2.	Open the CERTMGR.msc file and verify that the user has a client authentication certificate.
3.	Access the Sales and Contacts application using the following address via the Microsoft Internet Security and Acceleration (ISA) proxy Server: www.contoso.com/sales.

This test should confirm that the user can access the Sales and Contacts application on the organization's extranet Web server from the internal network with no issues.

Test 8: Verify Deprovisioned Users Cannot Access the Application

Complete the following steps to verify that deprovisioned users in the Sales group cannot access the Sales and Contacts application from the Internet.

To verify deprovisioned users cannot access the application

1.	Log on to the intranet domain on a computer running Windows XP Professional as a domain user who is a member of the Sales group.
2.	Open the CERTMGR.msc file and verify that the sales user has a client authentication certification.
3.	After the user account has been deprovisioned by Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1), attempt to log on as this user to his or her former computer via the Internet using cached credentials.
4.	Then, if the user could log on, attempt to access the Sales and Contacts application as the user by typing the following address into Internet Explorer: https://www.contoso.com/b2c.

This test should confirm that the user is blocked from accessing the site, the application, and cannot view the page.

Troubleshooting

This section of the chapter provides information about some common errors that you may encounter while testing this scenario and how to most likely resolve them. However, the information in the following table is not an exhaustive list of errors and troubleshooting procedures.

Table 6.1. Troubleshooting Information for the B2E Extranet Access Scenario

Error	Troubleshooting procedure
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.	Verify the Internet user accessing the Sales and Contacts application is a member of the Sales Group in the extranet Active Directory.
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.	Verify the mapping between the altsecurityIdentities account attribute in Active Directory and the user's subject name in the certificate is correct.
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.	Verify that client certificates is set to the option for Require client certificates in the Sales and Contacts application's virtual directory. To browse to this location, click Properties on the virtual directory, click Directory Security, click Secure communications, and then click Edit to verify the information.
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.	Verify the Sales group has been added as a Viewer role in the B2C role assignments in the Azman.msc file. To browse to this location, open the Azman.msc file and then under ContosoStore, click IIS 6.0 URL Authorization, click B2C, click Role Assignments, and then click Viewer.
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.	Verify that Internet users can access the CRL hosted on the Contoso extranet Web server. Also verify that the user's authentication certificate is not revoked by the issuing CA.
HTTP Error 403.7 – Forbidden: SSL client certificate is required.	Verify that the user has a valid Contoso user authentication certificate in the user account certificate store.
HTTP Error 403.7 – Forbidden: Client certificate is ill formed or is not trusted by the Web server.	Verify that the steps given in the "Establishing Certificate Authority Trust in IIS 6.0" section have been followed correctly.
Service Unavailable.	Restart IIS on your Web server.

Top of page

Business to Customer Extranet Access

After the implementation section for the B2C extranet access scenario is complete, you are ready to validate your implementation to ensure that the B2C Web SSO application meets the requirements for Contoso.

Validating the Implementation Prerequisites

Tests to validate the prerequisites include:

•	Basic Test 1: Verify Extranet Users Can Access the Contoso Web Page
•	Basic Test 2: Verify the Contoso B2C Application Uses the HTTPS Protocol

Basic Test 1: Verify Extranet Users Can Access the Contoso Web Page

Complete the following steps to verify that extranet users via the Internet can access the Contoso Web page.

To verify extranet users can access the Contoso Web page

1.	Open Internet Explorer.
2.	In the Address bar for the browser, type www.contoso.com and then click Go to test user access to the Web page.

This test should confirm that the user can view the HTML page in the browser.

Basic Test 2: Verify the Contoso B2C Application Uses the HTTPS Protocol

Complete the following steps to verify that the Contoso B2C application is enabled to use the HTTPS protocol.

To verify the Contoso B2C application is configured to use the HTTPS protocol

1.	Install the B2C application on the extranet Web server and provide links for it on the Contoso home page.
2.	Install the Web server certificate on the perimeter server running IIS and enable HTTPS on the B2C virtual directory.
3.	From a client computer running Windows XP on the Internet, access the B2C link from the Contoso home page (for example, https://www.contoso.com/b2c).

This test should confirm that the client computer on the Internet can access the B2C Web page using the HTTPS protocol.

Validating the Implementation

You can use the information in the following sections to test the B2C extranet access scenario and validate your implementation of this guidance.

Tests to validate the implementation include:

•	Test 1: Verify New Customers Can Self-register for PPE Accounts
•	Test 2: Verify the PPE Self-registration Process Completes Successfully
•	Test 3: Verify Customers Have a Preproduction Passport Account
•	Test 4: Verify Information is Provisioned in the Extranet Active Directory
•	Test 5: Verify the Self-registration Process Generates Required Information
•	Test 6: Verify the Extranet Web Server Intercepts Requests Via HTTPS
•	Test 7: Verify with Authorization Manager Authenticated Customers Have Access
•	Test 8: Verify Authenticated, But Unauthorized Customers Have No Access
•	Test 9: Verify the Root User Can Log On to the UNIX Workstation
•	Test 10: Verify UNIX Users Cannot Log On Using Local Account Credentials

Test 1: Verify New Customers Can Self-register for PPE Accounts

Complete the following steps to verify that a new customer participating in the Contoso Customer Trial undergoes a self-registration process to obtain a new Preproduction Passport Environment (PPE) account.

To verify new customers can self-register for PPE accounts

1.	Ensure that the customer can access the Contoso home page via the Internet.
2.	Instruct the customer to click the link for the Customer Trial application at https://www.contoso.com/b2c.
3.	The customer's browser should display the welcome page for the Customer Trial application.
4.	Instruct the customer to click the Sign-In icon.

This test should confirm that the new customer undergoes a self-registration process to obtain a PPE account that he or she can use to access the Contoso Customer Trial application.

Test 2: Verify the PPE Self-registration Process Completes Successfully

Complete the following steps to verify that verify that the PPE self-registration process completes, that the Web SSO application's default.asp and subscribe.asp files create a customer user account in the external Active Directory under the Trial Users OU (OU=Trial Users,OU=Accounts,DC=perimeter,DC=Contoso,DC=com), and that the user account is added as a member of the Trial Users group.

To verify the PPE self-registration process completes successfully

1.	Ensure that a customer can access the Contoso home page via the Internet.
2.	Instruct the customer to click the link to the Customer Trial application at https://www.contoso.com/b2c.
3.	The customer's browser should display the welcome page for the Customer Trial application.
4.	Instruct the customer to click the Sign-In icon, complete the PPE registration process, and then click Submit on the subscribe.asp page.
5.	Use the Lightweight Directory Access Protocol (LDAP) utility ldp.exe or the ADSIEDIT.msc or DSA.msc files to verify that a new account for the user has been created in Active Directory.

Test 3: Verify Customers Have a Preproduction Passport Account

Complete the following steps to verify that a customer participating in the Contoso Customer Trial requires a Preproduction Microsoft Passport account to access the Customer Trial application Web page.

To verify customers require a Preproduction Passport account

1.	Ensure that the customer can access the Contoso home page via the Internet.
2.	The customer clicks the link for the Customer Trial application at https://www.contoso.com/b2c.
3.	The customer's browser should display the welcome page for the Customer Trial application.

This test should confirm that on the welcome page, the customer is required to sign in to their preproduction Passport account before they can access the Customer Trial application.

Test 4: Verify Information is Provisioned in the Extranet Active Directory

Complete the following steps to verify that the following information is provisioned in the extranet Active Directory for the trial user from the Preproduction Passport database:

•	First Name
•	Last Name
•	Telephone Number
•	User Logon Name

To verify information is provisioned in the extranet Active Directory

1.	Instruct the customer to complete the PPE self-registration process and click Submit on the subcribe.asp page.
2.	On an extranet domain controller, open the Active Directory Users and Computers MMC snap-in.
3.	Navigate to the Trial Users OU, and then right-click the user account to open it.

This test should confirm that the user account in the extranet Active Directory is provisioned with the information details retrieved from the user's PPE account.

Test 5: Verify Self-registration Process Generates Required Information

Complete the following steps to verify that the self-registration process generates the following information for users:

•	sAMAccountName equals Passport User ID (PUID), a numerical value that must be distinct within the external domain that is generated through the provisioning process.
•	The cn value is the same as sAMAccountName.
•	The user's password is a 12 character string containing random characters that is not set to expire.

To verify the self-registration process generates the required information

1.	Use LDP.exe, the ADSIEDIT.msc, or the DSA.msc file to browse to the Trial Users OU, and then to the Trial Users group.
2.	Click the user account and open its properties.

This test should confirm that the user's password property is not set to expire, and that the user's PUID sets the value for sAMAcountName and cn.

Test 6: Verify the Extranet Web Server Intercepts Requests Via HTTPS

Complete the following steps to verify that the extranet Web server intercepts customer authentication requests via HTTPS, and that it uses Passport to authenticate customers to the extranet Active Directory.

To verify the extranet Web Server intercepts requests via HTTPS

1.	Instruct a new customer to access the Contoso Web page via the Internet.
2.	Instruct the customer to click the link to the Customer Trial application on the Contoso Web page.

This test should confirm that the page redirects the customer to the Passport site because the customer cannot access the Contoso site without a valid Passport account.

Test 7: Verify with Authorization Manager Authenticated Customers Have Access

Complete the following steps to verify that authenticated customers are authorized to access the Customer Trial application based on their User, Group, and Roles and Application Objects profile in the extranet Active Directory using Authorization Manager.

To verify authenticated customers have access with Authorization Manager

1.	Obtain a valid Preproduction Passport account.
2.	Ensure that the account is a valid Active Directory account that is a member of the Trial Users group.
3.	Click the link for the Customer Trial application on the Contoso home page.

This test should confirm that the account can access the Customer Trial application page seamlessly.

Test 8: Verify Authenticated, But Unauthorized Customers Have No Access

Complete the following steps to verify that authenticated but unauthorized customers attempting URL access to the Customer Trial application are denied access based on their User, Group, Roles and Application Objects profile in the extranet Active Directory using Authorization Manager.

Verify that authenticated, but unauthorized customers have no access

1.	Ensure that the customer account for this test has obtained a valid Passport account.
2.	Ensure that the customer account is not a valid Active Directory account in the Trial Users group.
3.	Click the link on the Contoso home page to access the Customer Trial application.

This test should confirm that the customer account cannot access the page because it is not a member of the Trial Users group.

Test 9: Verify the Root User Can Log On to the UNIX Workstation

Complete the following steps to verify that the Root user can successfully log in to the UNIX workstation using his or her local account password.

To verify the root user can log on to the UNIX Workstation

1.	On the NA domain controller, open a command prompt.
2.	Telnet to the UNIX workstation using the fully qualified domain name (FQDN) of the workstation.
3.	At the login prompt, type root and then press ENTER.
4.	At the password prompt, enter the root user's local account password.

This test should confirm that the Root user can successfully log on to the workstation using his or her local account.

Test 10: Verify UNIX Users Cannot Log On Using Local Account Credentials

Complete the following steps to verify that logon fails for UNIX users if they enter local account credentials while logging on to the UNIX workstation.

To verify UNIX users cannot log on using local account credentials

1.	From the NA domain controller, open a command prompt.
2.	Telnet to the UNIX workstation using the FQDN of the workstation.
3.	At the login prompt, enter a local user account ID.
4.	At the password prompt, enter the local user account password and press ENTER.

This test should confirm that users cannot log on to their UNIX workstations using their local account credentials.

Troubleshooting

This section provides information about some common errors that you may see while testing this scenario and how you can likely resolve them. However, the information in the following table is not an exhaustive list of errors and troubleshooting procedures.

Table 6.2. Troubleshooting Information for the B2C Extranet Access Scenario

Error	Troubleshooting procedure
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials.	Verify that the Trial Users group has been added in the Viewer role of B2E Role Assignments. To verify this, open the AZMAN.msc file, navigate to ContosoStore , click IIS 6.0 URL Authorization, click B2E, click Role Assignments, and then click Viewer properties.
HTTP Error 401.2 – Unauthorized: Access is denied due to server configuration.	Verify that the check box for Passport Authentication is selected in the customer application virtual directory. To verify this information, open the IIS MMC snap-in, browse to the Customer Trial feedback application virtual directory, right-click and select Properties, click Directory Security, click Authentication and access control, and then click Authentication methods.
HTTP Error 403.20 – Forbidden: Passport logon failed.	Verify that the user trying to access the site has a valid Passport account.
The user on the Internet fails to see the Passport logon wizard prompt when he or she accesses the Contoso Customer Trial feedback application Web site at https://www.contoso.com/b2c.	Verify that the instructions have been followed, and that the suggested registry settings have been configured according to the instructions in Microsoft Knowledge Base article 816417, "A User Cannot Sign in to Microsoft Passport by Using Microsoft Windows XP in the Preproduction Environment".
The first name, last name and e-mail address fields on the Subscribe.asp page are blank.	Verify that the user's Passport profile information can be used by other applications on the Passport registration site.
The page does not appear.	In the Passport Manager Administration utility, verify the site ID you received from .NET Services Manager.
The user does not receive an encryption key to the site after registering for one to the site at .NET Services Manager.	Repeat the steps to obtain a Passport site ID and Encryption Key in Chapter 5, "Implementing the Solution."

Top of page

6 of 9

•	Chapter 1: Introduction to the Extranet Access Management Paper
•	Chapter 2: Approaches to Extranet Access Management
•	Chapter 3: Issues and Requirements
•	Chapter 4: Designing the Solution
•	Chapter 5: Implementing the Solution
•	Chapter 6: Testing the Solution
•	Chapter 7: Operational Considerations
•	Links
•	Acknowledgments

Extranet Access Management

Chapter 6: Testing the Solution

On This Page

Business to Employee Extranet Access

Validating the Implementation Prerequisites

Basic Test 1: Verify Auto-enrollment in the Contoso Intranet Domain

Basic Test 2: Verify Intranet User Access to the Contoso Extranet Web Page

Basic Test 3: Verify Extranet Users Can Access the Contoso Web Page

Basic Test 4: Verify Intranet and Extranet Users Can Access CRL Site

Basic Test 5: Verify the CRL Is Updated on the Perimeter Web Server

Basic Test 6: Verify the Contoso B2E Application Can Use HTTPS

Basic Test 7: Verify the Sales and Contacts Application Runs Correctly

Basic Test 8: Verify Provisioning in the Extranet Active Directory

Basic Test 9: Verify Sales Group User Accounts Are Mapped to Certificates

Validating the Implementation

Test 1: Verify SSO Access to the Sales and Contacts Application

Test 2: Verify Non-Sales Group Employees Cannot Access the Application

Test 3: Verify the Extranet Web Server Intercepts Authentication Requests

Test 4: Verify Certificate Revocation Works Correctly

Test 5: Verify Authenticated Users with the Authorization Manager Application

Test 6: Verify Authenticated But Unauthorized Users Are Denied Access

Test 7: Verify Sales Group User Access Via the Contoso Intranet

Test 8: Verify Deprovisioned Users Cannot Access the Application

Troubleshooting

Business to Customer Extranet Access

Validating the Implementation Prerequisites

Basic Test 1: Verify Extranet Users Can Access the Contoso Web Page

Basic Test 2: Verify the Contoso B2C Application Uses the HTTPS Protocol

Validating the Implementation

Test 1: Verify New Customers Can Self-register for PPE Accounts

Test 2: Verify the PPE Self-registration Process Completes Successfully

Test 3: Verify Customers Have a Preproduction Passport Account

Test 4: Verify Information is Provisioned in the Extranet Active Directory

Test 5: Verify Self-registration Process Generates Required Information

Test 6: Verify the Extranet Web Server Intercepts Requests Via HTTPS

Test 7: Verify with Authorization Manager Authenticated Customers Have Access

Test 8: Verify Authenticated, But Unauthorized Customers Have No Access

Test 9: Verify the Root User Can Log On to the UNIX Workstation

Test 10: Verify UNIX Users Cannot Log On Using Local Account Credentials

Troubleshooting

In This Article