Configure Windows Authentication (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Use Windows authentication when you want clients to authenticate using the NTLM or Kerberos protocols. The default authentication configuration for IIS 7 enables Anonymous authentication only.

Windows authentication, which includes both NTLM and Kerberos v5 authentication, is best suited for an intranet environment for the following reasons:

  • Client computers and Web servers are in the same domain.

  • Administrators can make sure that every client browser is Internet Explorer 2.0 or later versions.

  • HTTP proxy connections, which are not supported by NTLM, are not required.

  • Kerberos v5 requires a connection to Active Directory, which is not feasible in an Internet environment.

Important
Windows Authentication is not supported on Home or Starter editions of Windows Vista® and Windows® 7. To see which IIS features are supported on your operating system, see one of the following:

Windows authentication is not appropriate for use in an Internet environment, because that environment does not require or encrypt user credentials.

Important
The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file.

Prerequisites

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

Modules

  • WindowsAuthenticationModule

To configure Windows authentication

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select Windows Authentication.

  4. In the Actions pane, click Enable to use Windows authentication.

Note
Optionally, you can disable Kernel-mode authentication by clicking Advanced Settings. As a best practice, you should not disable this setting if you use Kerberos authentication and a custom identity on the application pool.

Command Line

To enable or disable Windows authentication, use the following syntax:

appcmd set config /section:windowsAuthentication /enabled:true | false

By default, IIS sets the enabled attribute to false, which disables Windows authentication. If you set the attribute to true, you enable Windows authentication. For example, to enable Windows Authentication, type the following at the command prompt, and then press ENTER:

appcmd set config /section:windowsAuthentication /enabled:true

Optionally, you can force Windows authentication to use NTLM, using the following syntax:

appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).

Configuration

The procedure in this topic affects the following configuration elements:

<windowsAuthentication>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
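
Added example (not part of the original topic): a Python audit that reads a copy of ApplicationHost.config and reports, for each <location>, the effective <windowsAuthentication> state, so an administrator can spot sites where Negotiate was removed or kernel-mode authentication was turned off. The sample XML and site names are constructed, the defaults are assumptions, and only server-level to <location> inheritance is modeled (nested paths and web.config files are not).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the ApplicationHost.config layout; site names are made up.
SAMPLE = """<configuration>
  <system.webServer><security><authentication>
    <windowsAuthentication enabled="false">
      <providers><add value="Negotiate" /><add value="NTLM" /></providers>
    </windowsAuthentication></authentication></security></system.webServer>
  <location path="Intranet Site"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Legacy App"><system.webServer><security><authentication>
    <windowsAuthentication enabled="true" useKernelMode="false">
      <providers><remove value="Negotiate" /></providers>
    </windowsAuthentication></authentication></security></system.webServer></location>
</configuration>"""

WIN = "system.webServer/security/authentication/windowsAuthentication"
DEFAULTS = {"enabled": False, "kernel": True, "providers": []}  # assumed defaults

def merge(scope, inherited):
    """Apply one scope's <windowsAuthentication> over inherited settings."""
    cfg = dict(inherited, providers=list(inherited["providers"]))
    win = scope.find(WIN)
    if win is None:
        return cfg
    for attr, key in (("enabled", "enabled"), ("useKernelMode", "kernel")):
        if attr in win.attrib:
            cfg[key] = win.get(attr).lower() == "true"
    for op in win.findall("providers/*"):  # collection edits, in document order
        if op.tag == "clear":
            cfg["providers"] = []
        elif op.tag == "remove":
            cfg["providers"] = [p for p in cfg["providers"] if p != op.get("value")]
        elif op.tag == "add":
            cfg["providers"].append(op.get("value"))
    return cfg

def audit(xml_text):
    """Return {location path: (effective settings, findings)}."""
    root = ET.fromstring(xml_text)
    base, report = merge(root, DEFAULTS), {}
    for loc in root.findall("location"):
        cfg = merge(loc, base)
        checks = [("Negotiate" not in cfg["providers"], "Negotiate provider removed"),
                  (not cfg["kernel"], "kernel-mode authentication disabled")]
        notes = [msg for hit, msg in checks if cfg["enabled"] and hit]
        report[loc.get("path")] = (cfg, notes)
    return report
```

Calling audit(SAMPLE) returns no findings for "Intranet Site" and both findings for "Legacy App", which is the state left behind by the /-providers.[value='Negotiate'] command shown earlier.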

WMI

Use the following WMI classes, methods, or properties to perform this procedure:

  • WindowsAuthenticationSection class

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

Community Content

Lex Li
I still need to configure Windows authentication in Internet environment.
I don't understand why it is suggested not to use Win Authentication over the internet.

It is a common requirement to provide access to corporate file systems for users through the internet, in fact that is what SharePoint does anyways.

I need to expose a shared folder in another domain member server using WebDAV and I don't see another way than using Win Auth.

My question is, since my configuration is not working because for some reason my users are not authenticated using Kerberos but NTLM, how can I force Kerberos authentication in my IIS 7 web site?

Esther Fan, MSFT: Thank you for your feedback. To get a quicker response to questions like this, please try the following forums:
IIS: http://forums.iis.net

Lex Li: Learn about what is Kerberos, and you will see in Internet case, unless you expose your domain controllers publicly (which is a worst practice), Kerberos is by design to fail. As NTLM is always used for your Internet clients, and NTLM can be brute forced, Windows authentication is of course not recommended.

Esther Fan
HTTP Error 401.1 - Unauthorized
I host site at local IIS 7.5 (OS 2008 R2). It has Host Name like <some_domain.net> and configured for Windows Authentication. I set "127.0.0.1 <some_domain.net>" in c:\windows\system32\drivers\etc\hosts file.
Now I'm getting that error when I'm trying to open site.

How can I fix that?

Esther Fan, MSFT: Thank you for your feedback. To get a quicker response to questions like this, please try the following forums:
IIS: http://forums.iis.net

nestoren
So... what if you don't have a "Windows Authentication" option?
Not finding much help here for my problem. On my Vista machine, I'm only seeing three Authentication options for some reason (while my coworker's got the full 6 or so):

  • Anonymous

  • ASP.net Impersonation

  • Forms Auth

What I'm trying to do is to debug some webservices and setup the project to run with IIS rather than the VS "Development Server". When I try to run debug, I'm getting the error

---------------------------
Microsoft Visual Studio
---------------------------
Unable to start debugging on the web server. Debugging failed because integrated Windows authentication is not enabled. Please see Help for assistance.
---------------------------
OK Help
---------------------------

... and hence my problem.

Any ideas?

(few minutes later...)

Found my problem. Found article (http://mvolo.com/blogs/serverside/archive/2006/12/28/Fix-problems-with-Visual-Studio-F5-debugging-of-ASP.NET-applications-on-IIS7-Vista.aspx) which led me to discover that when I had installed IIS 7 (many months ago) I had left off the authentication module. Turns out every single authentication mode is also an optionally installed module.

Thomas Lee
Typo in documentation
The statement above

appcmd set config /section:windowsAuthentication -/providers.[value='Negotiate']

is not correct. This should be:

appcmd set config /section:windowsAuthentication -providers.[value='Negotiate'].value