Subject: IIS Authentication Settings
Author: SteveHB
Posted on: 06/01/2006 03:57:39 PM
IIS can be configured to control how a request is authenticated. Depending on the security risk level of your resource, the following four authentication methods are available to choose from:
Anonymous access. By selecting this option everyone can access the Web site, virtual directory, or individual file configured with this setting. This method uses a local machine or designated domain account to access resources.
Basic authentication. Users must enter a valid Windows 2000 user account and password in response to a logon dialog box in order to access the Web site, virtual directory, or individual file configured with this setting. This method is supported by Netscape Navigator and Internet Explorer. It is ideally suited for the Internet environment, where you do not have control over the browser accessing your site. One major drawback of Basic Authentication is that the username and password are passed over the Internet as clear text, meaning no encryption is used. Use this method in conjunction with Secure Sockets Layer (SSL), which will provide an encryption layer to ensure a secure login.
Digest authentication. This method sends the password over the network as a hash value, commonly known as Radius. This option can only be used for a Windows 2000 domain. This method can be used for passing logins through a network firewall or proxy. Currently this method can only be used if the browser is Internet Explorer 5 or higher.
Integrated Windows Authentication. This method is only supported by Microsoft Internet Explorer. This allows a user to pass through their logon credentials to the Web site and authenticate them based upon their Windows logon. This method is ideally suited for the intranet where you have control over the browser accessing the site.
You can choose multiple options in case one of them does not work properly. When multiple options are selected, they are always sent back to the client with the stronger authentication mechanism listed first. For example, the combination of Basic authentication + Integrated Windows Authentication will trigger the following HTTP response headers:
www-Authenticate: Negotiate
www-Authenticate: NTLM
www-Authenticate: Basic realm="mycompany.com"
On the client's side, if Kerberos authentication (Windows Logon) fails, NTLM will be the next candidate; if NTLM is not available, Basic will be the last resort.
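The challenge ordering and the Basic-over-SSL caveat above, worked through as an added example (this is not code from the original post or from IIS). It parses a set of WWW-Authenticate header values, ranks the schemes with the stronger ones first, and picks the strongest one a client supports, refusing Basic unless the connection is protected by SSL/TLS. The header values and credentials are constructed; the function names and the `SCHEME_RANK` table are assumptions made for this example.

```python
"""Rank the WWW-Authenticate challenges a server returns and pick the
strongest one a client supports, refusing Basic on an unencrypted connection.
Added example; helper names and sample data are constructed, not from IIS."""
import base64
import re

# Strongest first, matching the order the post describes (Negotiate, NTLM, Basic).
# Digest is placed between NTLM and Basic as an assumption for this example.
SCHEME_RANK = {"negotiate": 0, "ntlm": 1, "digest": 2, "basic": 3}

# Constructed sample: the three headers from the post, as a client would receive them.
SAMPLE_CHALLENGES = [
    "Negotiate",
    "NTLM",
    'Basic realm="mycompany.com"',
]


def parse_challenges(header_values):
    """Turn raw WWW-Authenticate header values into (scheme, params) tuples.
    Only quoted key="value" parameters are extracted, which is enough for realm."""
    challenges = []
    for value in header_values:
        scheme, _, rest = value.strip().partition(" ")
        params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
        challenges.append((scheme.lower(), params))
    return challenges


def choose_scheme(header_values, client_supports, over_tls):
    """Return (scheme, params) for the strongest challenge the client supports,
    or None if nothing acceptable remains.  Basic is only accepted when
    over_tls is True, because otherwise the credential crosses the wire
    in the clear."""
    ranked = sorted(parse_challenges(header_values),
                    key=lambda c: SCHEME_RANK.get(c[0], 99))
    for scheme, params in ranked:
        if scheme not in client_supports:
            continue  # client cannot do this one, fall through to the next
        if scheme == "basic" and not over_tls:
            continue  # Basic without SSL/TLS would expose the password
        return scheme, params
    return None


def decode_basic_authorization(authorization_value):
    """Show why Basic needs SSL: the Authorization value is base64-encoded,
    not encrypted, so anyone on the path can recover user and password."""
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # A browser that supports everything picks Negotiate (Kerberos) first.
    print(choose_scheme(SAMPLE_CHALLENGES, {"negotiate", "ntlm", "basic"}, False))
    # A client that only supports Basic gets it over TLS, and nothing without.
    print(choose_scheme(SAMPLE_CHALLENGES, {"basic"}, True))
    print(choose_scheme(SAMPLE_CHALLENGES, {"basic"}, False))
    # Constructed credential "alice:s3cret" as a browser would send it.
    print(decode_basic_authorization("Basic YWxpY2U6czNjcmV0"))
```

`choose_scheme` models the client-side fallback the post describes: the list is sorted strongest first, and the first scheme the client can actually use wins, so a client that cannot do Kerberos falls back to NTLM and then Basic. The `over_tls` gate is the defender's check: a Basic challenge received over plain HTTP should be refused, because `decode_basic_authorization` shows that the credential is recoverable from the header with no key at all.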