- Suppose that you have a server that answers on one IP address - for example 1.1.1.1
- You have created the directory c:\hosting as the root of your customers' sites
Then you have created two virtual sites for your customers:
- Site1 - placed in the subtree of c:\hosting\site1 and answering only on
http://www.site1.com
- Site2 - placed in the subtree of c:\hosting\site2 and answering only on
http://www.site2.com
To do so, you created these two sites in the MMC by choosing "new site" and then
editing properties - Site identification to set the sites to answer on port 80 and
hosts www.site1.com and www.site2.com respectively (button "Advanced" on the WEB site
tab).
Next you are going to install the filter and give the site1 and site2 owners the ability
to manage their own authorities for user access.
To install the filter, create the directory c:\ISAPIFILTERS and give access to this
directory only to yourself and the system. Then copy authenticator1.dll to this directory
and go to the general WWW properties in the MMC (Microsoft Management Console). In the
ISAPI filters tab, install the filter (see usage and installation
for details).
Then create the directory c:\authconfig and make it accessible to the system, yourself
and the site1 and site2 owners. Copy the empty configuration file AUTH.CFG here.
Now create a special directory c:\webadmintools and restrict access to it to
yourself (and potential additional administrators) only. Copy AUTHADMINCGI.EXE here and
share this directory in the Administration WEB site as a virtual directory - for example
/webadmin
Then, using your browser, go to the admin site
http://1.1.1.1:some_port/webadmin/AUTHADMINCGI.EXE (see IIS configuration
to determine the port) and continue with the configuration:
- The admin tool will report an error which means that no configuration was specified
- Enter the path to it (c:\authconfig\auth.cfg) and continue.
- In the general options enter your serial number
Now the minimal configuration required by the filter is set, and you must define what it
will do with the sites. As long as nothing else is specified, it will pass all requests
through (to IIS and NT security), i.e. there is no change of default behaviour.
- Now you must create two authorities - Authority1 and Authority2.
- Add two bindings:
for www.site1.com to Authority1 and for www.site2.com to Authority2
- Create one user in every authority with the same name under which the site owner is
registered in the NT user manager - for example User1 and User2 - and specify "do not map"
in their accounts; the filter will pass them through.
- Create several users that will be used for mapping of the authenticated users, and
restrict access to the subdirectories of the hosted sites as their owners wish using the
newly created users.
- Create a directory, c:\hostingtools for example, and make it available in site1 and site2
as a virtual directory - for example /authadmin. This directory must be accessible to User1
and User2 but it must not be accessible to other users (except administrators of course)
- Instruct User1 and User2 how to use these tools and not to change the MapTo flag for
their own accounts (one site may have more than one owner)
Now User1 and User2 are able to add/delete/change users in their authorities using
/authadmin/AUTHMANCUSTOMERCGI.EXE in their sites. The tool will automatically
determine the bindings and expose only the authority bound to their site to them.
What the filter will restrict depends on the security set in the site1 and site2 subtrees.
Using the users created for mapping purposes, you can make some subdirectories accessible
to users mapped to one of them and not accessible to users mapped to another. You can use
these specially created users as groups for the Authenticator filter. There is no problem
with leaving some directories accessible to the world. Another recommended task is to set
IIS to accept clear text authentication on these sites. The filter itself will not cause
problems, but browsers like Netscape do not support NT challenge response authentication,
and on the other hand this type of authentication drives IE to try the local username and
password (hash) first.
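
The directory permissions set up in the steps above can be checked with a short
PowerShell audit. This is an added example, not part of the Authenticator
distribution; it assumes that "you" is covered by BUILTIN\Administrators and that
User1 and User2 are local accounts on the server.

```powershell
# Added example: compare the NTFS ACLs of the four directories with the access
# list given in the steps. The account names below are assumptions.
$owners = "${env:COMPUTERNAME}\User1", "${env:COMPUTERNAME}\User2"  # assumed local accounts
$admins = 'BUILTIN\Administrators'                                   # stands for "you"
$system = 'NT AUTHORITY\SYSTEM'

$expected = [ordered]@{
    'C:\ISAPIFILTERS'  = @($admins, $system)            # filter DLL: you and system only
    'C:\authconfig'    = @($admins, $system) + $owners  # AUTH.CFG: plus the site owners
    'C:\webadmintools' = @($admins)                     # admin CGI: administrators only
    'C:\hostingtools'  = @($admins) + $owners           # customer CGI: owners and admins
}

function Test-DirectoryAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Unexpected = ''; Absent = '' }
    }
    # Collect every account that holds an Allow entry, inherited or explicit.
    $granted = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
    # Accounts with access that the steps do not list, and listed accounts without access.
    $unexpected = @($granted | Where-Object { $_ -notin $Allowed })
    $absent     = @($Allowed | Where-Object { $_ -notin $granted })
    $status = if ($unexpected.Count -or $absent.Count) { 'Deviation' } else { 'OK' }
    [pscustomobject]@{
        Path       = $Path
        Status     = $status
        Unexpected = $unexpected -join ', '
        Absent     = $absent -join ', '
    }
}

$expected.GetEnumerator() |
    ForEach-Object { Test-DirectoryAcl -Path $_.Key -Allowed $_.Value } |
    Format-Table -AutoSize
```

The check compares only which accounts hold Allow entries, not which rights each entry
grants, so a row reported as OK still needs its rights reviewed by hand.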