How to configure Basic/Clear Text authentication for IIS 5.0 in Windows 2000 (262233)

MORE INFORMATION

Web sites can use use several different forms of authentication; however, the focus of this article is specifically Basic/Clear Text authentication.

301457 How to view or change Authentication methods in IIS

Note When you use Basic authentication, we strongly recommend that you use Secure Sockets Layer (SSL). In Basic authentication, the user name and the password are sent in clear text and may be captured by network-monitoring software. Therefore, we strongly recommend that you use SSL so that the user name and the password are encrypted and cannot be read if they are captured by network-monitoring software.

The steps to configure Basic/Clear Text authentication are described in the following three sections:

Configuring Basic/Clear Text Authentication (Required)
Configuring the Log On Locally User Right (Required)
Configuring the Default Logon Domain (Optional)

Configuring Basic/Clear Text and User Authentication (Required)

Although Web sites may use several different forms of authentication, file transfer protocol (FTP) sites are limited to Anonymous or User authentication. The steps that are detailed below only focus on the steps that are required for Basic/Clear Text authentication for Web sites and User authentication for FTP sites.

Configuring all Web sites To configure all Web sites, follow these steps:

Open the Internet Services Manager.
Right-click the computer name and click Properties.
Under Master Properties, select WWW Service and click Edit.
Click the Directory Security tab. Under Anonymous access and authentication control, click Edit.
Select Basic authentication (password is sent in clear text). When you receive the Are you sure you want to continue? dialog box, click Yes.
Click OK, then click OK again.
If you receive the Inheritance Overrides dialog box, click Select All and click OK.
Click OK to exit the Master Properties.

Configuring a specific Web site To configure a specific Web site, follow these steps:

Open the Internet Services Manager.
Expand the tree next to the computer name.
Right-click the specific Web site and click Properties.
Click the Directory Security tab. Under Anonymous access and authentication control, click Edit.
Select Basic authentication (password is sent in clear text). When you receive the Are you sure you want to continue? dialog box, click Yes.
Click OK, then click OK again.
If you receive the Inheritance Overrides dialog box, click Select All and click OK.

Configuring the "Log On Locally" User Right (Required)

Web users that need Basic/Clear Text authentication and FTP users that need authentication in IIS both require the "Log on locally" user right. In Microsoft Windows NT 4.0 the "Log on locally" user right was assigned through User Manager, but in Microsoft Windows 2000 this is configured through policies.

Configuring a stand-alone server To configure the "Log on locally" right on a stand-alone server, follow these steps:

In the Microsoft Management Console (MMC), open the Local Computer Policy snap-in. To do this, follow these steps:
1. Click Start, type MMC, and click OK.
2. Click Console, click Add/Remove Snap-in, and then click Add.
3. Select Group Policy and click Add.
4. Ensure that the Group Policy object says Local Computer and click Finish.
5. Click Close, then click OK.
Grant users or groups the "Log on locally" right. To do this, follow these steps:
1. Expand the following path in the MMC:
  Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
2. Double-click Log on Locally.
3. Add any users or groups that will use Basic/Clear Text authentication.

Configuring a domain controllerNOTE: It is not recommended that you install an IIS Web server on a Windows 2000 domain controller. The following steps describe how to configure "Log on locally" right by using Group Policy if it is necessary that you install an IIS Web server on a Windows 2000 domain controller.

To configure the "Log on locally" right on a domain controller, follow these steps:

In MMC, open the Default Domain Controllers Policy snap-in. To do this, follow these steps:
1. Click Start, type MMC, and click OK.
2. Click Console, click Add/Remove Snap-in, and then click Add.
3. Select Group Policy and click Add.
4. Click Browse.
5. Double-click the domain controller for the domain.
6. Double-click Default Domain Controllers Policy and click Finish.
7. Click Close, then click OK.
Grant users or groups the "Log on locally" right. To do this, follow these steps:
1. Expand the following path in the MMC:
  Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
2. Double-click Log on Locally.
3. Add any users or groups that will use Basic/Clear Text authentication.
Refresh the policy. To do this, open a command prompt, type secedit /refreshpolicy machine_policy, and then close the command prompt.

Configuring the Default Logon Domain (Optional)

An optional step in configuring clear text forms of authentication is to configure the Default Logon Domain. Setting this optional value prevents domain users from being required to enter their domain name when prompted for authentication.

Configuring all Web sites To configure the default logon domain for all Web sites, follow these steps:

Open the Internet Services Manager.
Right-click the computer name and click Properties.
Under Master Properties, select WWW Service and click Edit.
Click the Directory Security tab. Under Select a default domain, click Edit.
Type your domain name, or click Browse to search for your domain.
Click OK, then click OK again.
If you receive the Inheritance Overrides dialog box, click Select All and click OK.
Click OK to exit the Master Properties.

Configuring a specific Web site To configure the default logon domain for a specific Web site, follow these steps: