SUMMARY
This step-by-step article describes how to configure authentication for Web-based requests in Microsoft Internet Information Services (IIS) 6.0.
How Web Authentication Works
Web authentication is a communication between the Web browser and the Web server that involves a small number of Hypertext Transfer Protocol (HTTP) headers and error messages. The flow of communication is as follows:
- The Web browser makes a request, such as HTTP-GET.
- The Web server performs an authentication check. If this is not successful because authentication is required, the server responds with an error message similar to the following:
  You are not authorized to view this page
  You do not have permission to view this directory or page using the credentials you supplied.
  Information is included in this message that the Web browser can use to resubmit the request as an authenticated request.
- The Web browser uses the server's response to construct a new request that contains authentication information.
- The Web server performs an authentication check. If the check is successful, the Web server sends the data that was initially requested back to the Web browser.
Authentication Methods
Note: With some of the following authentication methods, you must use drives that you have formatted with the NTFS file system because NTFS-formatted drives maintain the highest level of security.
IIS supports the following Web authentication methods.
Anonymous Authentication
IIS creates the IUSR_ComputerName account (where ComputerName is the name of the server that is running IIS) to authenticate anonymous users when they request Web content. This account gives the user the right to log on locally. You can reset anonymous user access to use any valid Windows account.
Note: You can set up different anonymous accounts for different Web sites, virtual directories or physical directories, and files.
If the Windows Server 2003-based computer is a stand-alone server, the IUSR_ComputerName account is on the local server. If the server is a domain controller, the IUSR_ComputerName account is defined for the domain.
Basic Authentication
Use basic authentication to restrict access to files on an NTFS-formatted Web server. With basic authentication, the user must enter credentials, and access is based on the user ID. Both user ID and password are sent across the network in clear text.
To use basic authentication, grant each user the right to log on locally, and to make administration easier, add each user to a group that has access to the necessary files.
Note: Because user credentials are encoded with Base64 encoding but they are not encrypted when they are transmitted over the network, basic authentication is not considered a secure form of authentication.
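The following example is added here to illustrate both the four-step flow from "How Web Authentication Works" and the note above; it is not code from the article or from IIS. It simulates the server's 401 challenge, the browser's Authorization reply, and what the credentials look like on the wire; the account name, password and realm are constructed sample values.

```python
import base64
import binascii
import hmac

# Constructed sample account and realm (hypothetical; not from the article).
USERS = {"alice": "S3cret!"}
REALM = "Intranet"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def server_handle(request_headers):
    """Server side of the flow: answer 401 with a challenge until a valid
    Authorization header arrives, then serve the requested content (200)."""
    auth = request_headers.get("Authorization")
    if auth is None:
        return 401, CHALLENGE
    scheme, _, blob = auth.partition(" ")
    if scheme != "Basic":
        return 401, CHALLENGE
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 400, {}          # malformed header: reject, do not re-challenge
    user, _, password = decoded.partition(":")
    stored = USERS.get(user, "")
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return 200, {"Content-Type": "text/html"}
    return 401, CHALLENGE


def client_authorization(challenge, user, password):
    """Browser side: turn the WWW-Authenticate challenge into an Authorization header."""
    if challenge.split(" ", 1)[0] != "Basic":
        raise ValueError("this example only handles the Basic scheme")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def on_the_wire(authorization):
    """What a capture of the request reveals after one Base64 decode:
    this is what the note means by 'encoded but not encrypted'."""
    return base64.b64decode(authorization.split(" ", 1)[1]).decode("utf-8")


def exchange(user, password):
    """Run the flow end to end; returns (first status, second status, decoded credentials)."""
    status1, headers = server_handle({})
    authorization = client_authorization(headers["WWW-Authenticate"], user, password)
    status2, _ = server_handle({"Authorization": authorization})
    return status1, status2, on_the_wire(authorization)
```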
Windows Integrated Authentication
Windows Integrated authentication is more secure than basic authentication, and it functions well in an intranet environment where users have Windows domain accounts. In integrated Windows authentication, the browser tries to use the current user's credentials from a domain logon, and if this attempt is unsuccessful, the user is prompted to enter a user name and password. If you use integrated Windows authentication, the user's password is not transmitted to the server. If the user has logged on to the local computer as a domain user, the user does not have to authenticate again when the user accesses a network computer in that domain. Note that you must use Microsoft Internet Explorer 2.0 or later as your Web browser if you are using Windows Integrated authentication.
Note: You cannot use integrated Windows authentication through a proxy server.
Digest Authentication
Digest authentication addresses many of the weaknesses of basic authentication. The password is not sent in clear text when you use digest authentication. Additionally, you can use digest authentication through a proxy server. Digest authentication uses a challenge/response mechanism (which integrated Windows authentication also uses) where the password is sent in an encrypted format. To use digest authentication, note the following requirements:
- The user and IIS server must be members of, or trusted by, the same domain.
- Users must have a valid Windows user account stored in Active Directory on the domain controller.
- The domain must use a Microsoft Windows 2000 or later domain controller.
- You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows 2000 Setup or Windows Server 2003 Setup.
- You must configure all user accounts with the Store password using reversible encryption account option selected. To select this account option, the password must be reset or re-entered.
Note: You must use Microsoft Internet Explorer 5.0 or later as your Web browser if you are using digest authentication.
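The following example is added here to show the digest challenge/response described above (the RFC 2617 computation with qop=auth); it is not code from the article or from IIS. It also shows why the last requirement exists: to verify the response, the server must recompute it from the account's clear-text password. The realm, nonce, account and password are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample data (hypothetical realm, nonce and account; not from the article).
REALM = "corp.example"
ISSUED_NONCES = {"7b1f2c9a4d"}          # nonces this server handed out and still accepts
PASSWORDS = {"alice": "S3cret!"}        # what the domain controller must be able to recover


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_params(header):
    """Split 'Digest k="v", k2=v2' into a dict; handles quoted and bare values."""
    body = header.split(" ", 1)[1]
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', body)}


def make_challenge(nonce):
    """The WWW-Authenticate header the server sends with its 401 response."""
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'


def digest_response(user, password, method, uri, realm, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth: only hashes derived from the password go on the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(user, password, method, uri, challenge, cnonce, nc="00000001"):
    """Browser side: answer the challenge without ever sending the password itself."""
    c = parse_params(challenge)
    resp = digest_response(user, password, method, uri, c["realm"], c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(authorization, method):
    """Server side: recompute the response. This needs the clear-text password, which is
    why IIS 6 digest requires 'Store password using reversible encryption' on the account."""
    p = parse_params(authorization)
    password = PASSWORDS.get(p.get("username"))
    if password is None or p.get("nonce") not in ISSUED_NONCES or p.get("realm") != REALM:
        return False
    expected = digest_response(p["username"], password, method, p["uri"],
                               p["realm"], p["nonce"], p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p.get("response", ""))
```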
.NET Passport Authentication
Microsoft .NET Passport is a user-authentication service that permits single sign-in security, which provides users with security-enhanced access to .NET Passport-enabled Web sites and services. .NET Passport-enabled sites rely on the .NET Passport central server to authenticate users. However, the central server does not authorize or deny a specific user's access to individual .NET Passport-enabled sites. It is the responsibility of the Web site to control users' permissions. When you select this option, requests to IIS must contain valid .NET Passport credentials on either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport logon page.
Client Certificate Mapping
Client certificate mapping is a method where a mapping is created between a certificate and a user account. In this model, a user presents a certificate and the system looks at the mapping to determine which user account should be logged on. You can map a certificate to a Windows user account in one of two ways:
- By using Active Directory.
-or-
- By using rules that are defined in IIS.
For additional information about how to map client certificates to user accounts, search on "Client Certificate Mapping" in the IIS documentation. If you have IIS installed, you can access the Help files by either of the following methods:
- Right-click any node in Internet Service Manager, and then click Help.
-or-
- Start Windows Explorer, locate the hard disk:\Windows\Help folder (where hard disk is the drive that holds the Windows installation), and then open Iismmc.chm.
You can configure each authentication method to control access to the following items on the IIS server:
- All Web content that is hosted on the IIS server.
- Individual Web sites that are hosted on the IIS server.
- Individual virtual directories or physical directories that are in a Web site.
- Individual pages or files that are in a Web site.
How to Configure IIS Web Site Authentication
- Use an administrative account to log on to the Web server.
- Start IIS Manager or open the IIS snap-in.
- Expand Server_name, where Server_name is the name of the server, and then expand Web Sites.
- Use one of the following methods (as appropriate to your situation), and then click Properties:
  - To configure authentication for all Web content that is hosted on the IIS server, right-click Web Sites.
  - To configure authentication for an individual Web site, right-click the Web site that you want.
  - To configure authentication for a virtual directory or a physical directory in a Web site, click the Web site that you want, and then right-click the directory that you want, such as _vti_pvt.
  - To configure authentication for an individual page or file in a Web site, click the Web site that you want, click the folder that contains the file or the page that you want, and then right-click the file or the page that you want.
- In the ItemName Properties dialog box (where ItemName is the name of the item that you selected), click the Directory Security or the File Security tab (as appropriate).
- Under Anonymous access and authentication control, click Edit.
- Click to select the Anonymous access check box to turn on anonymous access. To turn off anonymous access, click to clear this check box.
  Note: If you turn off anonymous access, you must configure some other form of authenticated access.
  To change the account that is used for anonymous access to this resource, click Browse, click the user account that you want to use, and then click OK.
- Under Authenticated access, click to select the Windows Integrated authentication check box if you want to use integrated Windows authentication.
  Note: This authentication method was formerly known as Microsoft Windows NT Challenge/Response or NT LAN Manager (NTLM).
- Click to select the Digest authentication for Windows domain servers check box if you want to use digest authentication. When you receive the following message, click Yes:
  Digest authentication only works with Active Directory domain accounts. For more information about configuring Active Directory domain accounts to allow digest authentication, click Help. Are you sure you wish to continue?
  Type the realm name in the Realm box.
  Note: You must configure user accounts with the Store password using reversible encryption account option selected.
- Click to select the Basic authentication (password is sent in clear text) check box if you want to use basic authentication. When you receive the following message, click Yes:
  The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections. Are you sure you want to continue?
  - To specify a domain with which to authenticate users who are using basic authentication, type the domain that you want in the Default domain box.
  - You also have the option to enter a value in the Realm box at this point.
- Click to select the .NET Passport authentication check box if you want to use .NET Passport authentication.
  Note: When you select this option, the other authentication methods are unavailable.
- Click OK, and then in the ItemName Properties dialog box, click OK. If the Inheritance Overrides dialog box opens, follow these steps:
  - Click Select All to apply the new authentication settings to all of the files or the folders that are located in the item that you changed.
  - Click OK.
- Quit IIS Manager or close the IIS snap-in.