IIS Authentication

How does IIS authentication work, and what types of IIS authentication are there?

IIS authentication helps provide a secure connection between the client and the server. IIS supports the following authentication methods.

1. Anonymous Authentication: Anonymous authentication allows users to access web sites and FTP sites without providing a username and password. When a user accesses a site, IIS uses the Internet Guest Account to authenticate that user. This account is created when IIS is installed and is named IUSR_<computer name>.

Note: If your computer is renamed, the Internet Guest Account does not change and continues to use the old machine name. Because user accounts use security identifiers (SIDs) to identify themselves, changing the computer name doesn’t affect the account name.

When IIS receives a request, it automatically attempts anonymous authentication first. If anonymous authentication fails, it attempts to log on the user using another logon method. If no other authentication methods are enabled, IIS sends a “401 Access Denied” HTTP error message to the client.

2. Basic Authentication: With Basic authentication the user must supply a username and password. IIS checks whether the username and password, which are sent in plain text, are valid, and if so the user is given access to the resource. To use Basic authentication, grant each user the right to log on locally in the domain. To enable it, check the Basic Authentication box on the Directory Security tab and optionally provide a domain name; if none is given, IIS uses the default domain of the system on which IIS is configured. You can also optionally provide a realm name: if the Realm property is set, its value appears in the client's logon dialog box when Basic authentication is used. The realm value is sent to the client for informational purposes only and is not used to authenticate clients.

3. Digest Access Authentication: Digest authentication is available only if you are using Active Directory accounts. In addition to AD, Digest authentication requires HTTP 1.1 and, optionally, a realm.

Digest authentication requires that the domain controller keep a plaintext copy of each password so that it can check the password against the hash sent by the client; therein lies the security risk. Having plaintext passwords stored anywhere is a security risk, so if you choose this form of authentication, you must make sure that the domain controller is secure.

  • It is a password-based system (on the server side).
  • This method verifies that both parties know a shared secret (the password).
  • To use this method, the client must use Microsoft IE 5.0 or later.

4. Advanced Digest Authentication: Advanced Digest authentication is exactly like Digest authentication with one important difference: passwords are stored on the domain controller as an MD5 hash rather than as clear text. Advanced Digest authentication is supported in HTTP 1.1, so any HTTP 1.1-compliant browser should work. It is a better choice than Digest authentication because of the extra security this provides. Requirements:

  • You must be running Active Directory.
  • Both the IIS server and a domain controller must be running on WS03.
  • The clients using Advanced Digest authentication must be running at least IE 5.
  • The user account must be in an Active Directory domain that is trusted to the IIS server.

If the domain controller and the IIS server are not both running WS03, IIS will automatically fall back to using regular Digest authentication.

Steps to enable Advanced Digest Authentication:

Advanced Digest authentication is enabled in the metabase, and you can apply it at any level in the W3SVC (W3SVC is the name the Web Server service goes by in the metabase). The metabase property for Advanced Digest authentication is UseDigestSSP. Here's how to enable it:

  • Open the MetaBase.xml file in Notepad.
  • Go to the level at which you want to enable Advanced Digest authentication.
  • Type in UseDigestSSP="TRUE".
  • Then open the Directory Security tab and check Digest Authentication.

The following is the process that the client and server go through when using Advanced Digest authentication:

  • The server sends the client a notice that Digest authentication is required for this resource.
  • The server also sends the realm name.
  • The client takes the username and password, combines them with the realm name, and creates an MD5 hash. It then submits a request for the resource to the server.
  • The IIS server sends this hash to the domain controller for verification.
  • The domain controller verifies this hash against the hash stored in Active Directory. If they match, the domain controller sends the IIS server an acknowledgment.
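As an added illustration (not code from the original page), the following Python models the Digest exchange above: the client derives an MD5 hash from username, realm and password, and the domain controller checks it either from a cleartext password (Digest) or from the stored hash (Advanced Digest). The credentials, realm, nonce and URI are constructed sample values.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the per-realm secret the client derives.
    Advanced Digest stores this value in AD instead of the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(h1: str, nonce: str, method: str, uri: str) -> str:
    """Client response (RFC 2617 without qop): MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")


def verify_with_cleartext(stored_password: str, username: str, realm: str,
                          nonce: str, method: str, uri: str, response: str) -> bool:
    """Digest: the DC must hold the cleartext password to rebuild HA1 and recompute the response."""
    expected = digest_response(ha1(username, realm, stored_password), nonce, method, uri)
    return hmac.compare_digest(expected, response)


def verify_with_ha1(stored_ha1: str, nonce: str, method: str, uri: str, response: str) -> bool:
    """Advanced Digest: the DC holds only HA1 (an MD5 hash); that is enough to recompute the response."""
    return hmac.compare_digest(digest_response(stored_ha1, nonce, method, uri), response)


def demo() -> tuple:
    # Constructed sample exchange: realm and nonce come from the server's challenge.
    user, realm, password = "alice", "corp.example", "S3cret!"  # constructed credentials
    nonce, method, uri = "4f1a2b3c", "GET", "/reports/q1.html"
    # Client side: derive HA1 and the request response (the "MD5 hash" the page describes).
    client_ha1 = ha1(user, realm, password)
    response = digest_response(client_ha1, nonce, method, uri)
    # Server/DC side under each storage model.
    ok_digest = verify_with_cleartext(password, user, realm, nonce, method, uri, response)
    ok_wrong_pw = verify_with_cleartext("wrong", user, realm, nonce, method, uri, response)
    ok_advanced = verify_with_ha1(client_ha1, nonce, method, uri, response)
    return ok_digest, ok_wrong_pw, ok_advanced
```

Note that the stored HA1 is still a password-equivalent for that realm: anyone who can read it from the directory can compute valid responses, so storing the hash reduces but does not remove the need to protect the domain controller.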

5. Integrated Windows Authentication:

Integrated Windows authentication supports both the Kerberos v5 and the NTLM (NT LAN Manager) protocols for authentication. If you are using Active Directory and the browser supports it (IE 5 or above on Windows 2000), Kerberos is used; otherwise, NTLM is used.

Kerberos generally works with proxy servers but tends to have a hard time with firewalls; NTLM generally works through firewalls but has a hard time with proxy servers.

It is a secure form of authentication because the username and password are hashed before being sent over the network.

  • IWA is enabled by default on Windows Server 2003.
  • IWA is disabled by default in Windows Server 2003 SP1.
  • To use this method, the client must use Microsoft IE 2.0 or later.
  • IWA uses Kerberos v5 or NTLM authentication.
  • This authentication is best for an intranet, where both the user and the web server computer are in the same domain.

6. .NET Passport Authentication:

.NET Passport provides a single sign-in service that enables organizations to deliver a fast and convenient way for consumers to sign in and make transactions on a web site.

Establishing the .NET Passport Service:

  • Go to the following URL to begin the process: http://www.microsoft.com/net/services/passport/developer.asp. Here you fill out forms and complete the .NET Passport Wizard with information about yourself and your web site. On successful registration, your site is assigned an ID and registered with a pending status. Microsoft will attempt to replicate the site on its server and approve your site.
  • If your site meets the standards, you will be required to enter into a contractual agreement with .NET Passport services.
  • Launch the site. Obtain the encryption keys for the production site and roll in the production code required to support the .NET Passport integration.

Setting Up the Site for .NET Passport:

If you set up a web site or virtual directory to authenticate users via .NET Passport, users get a .NET Passport login prompt when they request a file from the web site for the first time. After the user enters a valid login and password, they are allowed to access the requested file.

To set up IIS to provide .NET Passport authentication, follow these steps:

  • Open the Directory Security tab and click the Edit button.
  • Check the .NET Passport Authentication checkbox. All other authentication methods are disabled when .NET Passport authentication is used; Anonymous access can still be selected.

Using Multiple Authentication Schemes:

If Anonymous authentication is enabled, it is always attempted first. If Anonymous authentication fails or is disabled, the remaining methods are tried in this order:

  • First, Integrated Windows authentication is tried, if enabled and supported by the browser.
  • If Integrated Windows authentication is not available, Digest or Advanced Digest authentication is used, if enabled and supported.
  • Finally, Basic authentication is used as a last resort.

Permanent link to this article: http://www.techxpress.in/iis-6-0-2/iis-concept/iis-authentication/
