Using Basic authentication to generate Kerberos tokens (287537)
The information in this article applies to:
- Microsoft Internet Information Services 5.0
This article was previously published under Q287537 SUMMARY
When you use Basic authentication to connect to a Web site that is hosted by Internet Information Services (IIS), you can take advantage of the delegation features of Kerberos to authenticate on multiple back-end servers, such as a Microsoft SQL Server that is called from Active Server Pages (ASP) running on IIS. To generate a Kerberos token, IIS must be a member of a Windows 2000 domain and have access to that domain's active directory.
Note A Windows 2000 domain does not generate a Kerberos token when the domain authenticates UPN credentials against a trusted Massachusetts Institute of Technology (MIT) Kerberos realm and when you use Basic authentication. This behavior is by design.
Because Basic authentication transmits user information (user name and password) in clear text, Basic authentication should only be used over Secure Socket Layer (SSL) connections.REFERENCES
This article is based on the information provided on page 109 of the following book:
Howard, Michael, Richard Waymire, and Marc Levy. Designing Secure Web-Based Applications for Microsoft Windows 2000 (Redmond: Microsoft Press, July 2000), p. 109.
For more information about authentication methods in IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
264921
How IIS authenticates browser clients
229694 How to install and use the IIS Security "What If" tool
For more information about Kerberos, click the following article numbers to view the articles in the Microsoft Knowledge Base:
217098
Basic overview of Kerberos user authentication protocol in Windows 2000
266080 Answers to frequently asked Kerberos questions
231789 Local logon process for Windows 2000
Modification Type: | Major | Last Reviewed: | 3/1/2006 |
---|
Keywords: | kbinfo KB287537 |
---|
|