Selecting a Web Site Authentication Method

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Choose an authentication method based on the level of protection it provides for user credentials (account name and password) and on the relationship of the user to your organization. Select the strongest authentication method that your users and infrastructure can support, to help ensure that the credentials of your users are protected.

Web site authentication methods can be divided into two categories:

  • Methods that do not require or encrypt user credentials

  • Methods that encrypt user credentials

Authentication Methods That Do Not Require or Encrypt User Credentials

For Internet-based Web sites and applications, the most commonly used authentication methods do not require or encrypt user credentials. Select one of these authentication methods when any combination of the following is true:

  • Access to the Web sites and applications needs to be anonymous.

  • Access to the Web sites and applications needs to be independent of the client configuration and relationship of the user to your organization.

Anonymous access

Anonymous access requires no authentication whatsoever. Anonymous access is used for intranet and Internet Web sites when you want unauthenticated users to be able to access the information provided by the Web sites and applications. The majority of Internet Web sites use anonymous access.

Authentication that is independent of the client configuration and user

Use Basic authentication when you want to require authentication to access a Web site or application, but need to use an authentication method that provides any combination of the following:

  • No special configuration is required on the client. For example, the client can run any operating system or Web browser.

  • The users have no close affiliation with your organization; they are typically neither your employees nor employees of partner organizations. As a result, you cannot require them to use an authentication method that encrypts user credentials.

  • Your network infrastructure does not support encrypted authentication methods. For example, Integrated Windows authentication requires the same connection to be kept open across the requests that make up its challenge-response exchange. Most proxy servers do not support such keep-alive connections.

Because Basic authentication does not encrypt user credentials (the user name and password are only base64-encoded, which anyone on the network path can reverse), use a Secure Sockets Layer (SSL)-secured channel to encrypt the connection that carries them. If you cannot protect Basic authentication traffic by using an SSL-secured channel, use one of the authentication methods that encrypt user credentials. These authentication methods are described in Table 3.9.

Authentication Methods That Encrypt User Credentials

Authentication methods that encrypt user credentials typically require some level of control over the client computer, and the user is usually an employee of your organization or a partner organization. Table 3.9 provides a comparison of the Web site authentication methods for Web sites and applications that encrypt user credentials.

Table 3.9 Web Site Authentication Methods That Encrypt User Credentials

For each authentication method, the advantages are listed first and the disadvantages second.

Authentication method: Digest

  Advantages:

  • Supports authentication through firewalls and proxies.

  • Encrypts user credentials.

  Disadvantages:

  • Requires Active Directory running on Microsoft Windows® 2000 Server or later.

  • Provides medium security.

  • Requires Microsoft Internet Explorer 5.0 or later.

  • Requires user passwords to be stored in Active Directory with reversible encryption, which is equivalent to storing them in cleartext.

  • Cannot be used to authenticate local accounts.

  • Requires the associated Application Pool identity to be configured as LocalSystem.

Authentication method: Advanced digest

  Advantages:

  • Supports authentication through firewalls and proxies.

  • Encrypts user credentials.

  • Stores a hash of the user credentials in Active Directory rather than a reversibly encrypted password.

  Disadvantages:

  • Provides medium security.

  • Requires Internet Explorer 5.0 or later.

  • Requires Active Directory running on Windows Server 2003.

  • Cannot be used to authenticate local accounts.

Authentication method: Integrated Windows

  Advantages:

  • Encrypts user credentials.

  • Provides high security.

  Disadvantages:

  • Requires Internet Explorer 2.0 or later.

  • Requires Microsoft clients.

  • Does not authenticate through most proxy servers, because it requires the connection to be kept open between requests (see above).

Authentication method: Client Certificates

  Advantages:

  • For server authentication (certificates stored on the server), your organization obtains certificates from a trusted certification authority.

  • For client authentication, certificates are mapped to user accounts stored in Active Directory running on Windows 2000 Server or later.

  • Provides high security.

  Disadvantages:

  • For client authentication (certificates stored on the clients), your organization must have, or be willing to deploy, a public key infrastructure (PKI).

  • For client authentication, you must have a method of securely distributing the certificates to the clients.

Authentication method: Microsoft .NET Passport

  Advantages:

  • Supports authentication through firewalls and proxies.

  • Encrypts user credentials.

  Disadvantages:

  • Requires Internet Explorer 4.0 or later, or Netscape Navigator 4.0 or later.

  • Requires Active Directory when account mapping is used.

  • Requires your organization to license the .NET Passport authentication service.
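The following Python 3 script is an added example and is not part of the original deployment guide. It shows, on constructed sample traffic, the difference that the Basic authentication section above and the Digest and Advanced digest rows of Table 3.9 describe: a Basic header captured on a non-SSL connection yields the cleartext password with one base64 decode, while a Digest header carries only an MD5 response (RFC 2617, qop=auth) that the server can verify from the stored H(A1) hash alone, which is what Advanced digest keeps in Active Directory. It also shows why Digest is rated only "medium security": a captured header can be tested against password guesses offline. The user name, realm, password, nonce and cnonce values are constructed for the example and do not come from the page.

```python
"""Basic vs. Digest authentication as seen by a proxy or sniffer on a
non-SSL connection. Added example; all names, realms, passwords and
nonces below are constructed sample data, not values from the guide."""
import base64
import hashlib
import hmac
import re

# Constructed capture of a browser answering a Basic challenge.
BASIC_HEADER = "Authorization: Basic YWxpY2U6UEBzc3cwcmQh"


def decode_basic(header):
    """Recover user and password from a Basic header.

    Basic only base64-encodes 'user:password'; base64 is an encoding,
    not encryption, so this is all an on-path attacker has to do."""
    m = re.match(r"Authorization:\s*Basic\s+(\S+)$", header)
    if not m:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(m.group(1)).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """H(A1) = MD5(username:realm:password) per RFC 2617.

    This hash is what Advanced digest stores in Active Directory. Plain
    Digest has to recompute it from the reversibly encrypted password on
    every request, which is why it needs the password stored that way."""
    return _md5("%s:%s:%s" % (username, realm, password))


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client response for qop=auth; H(A1), never the password, is the input."""
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def build_digest_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """The Authorization header a client sends after a Digest challenge."""
    response = digest_response(digest_ha1(username, realm, password),
                               method, uri, nonce, nc, cnonce)
    return ('Authorization: Digest username="%s", realm="%s", nonce="%s", '
            'uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, response))


def parse_digest(header):
    """Split a Digest header into name=value fields (quoted or bare values)."""
    body = re.sub(r"^Authorization:\s*Digest\s+", "", header)
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', body):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def verify_digest(header, method, stored_ha1):
    """Server-side check using only the stored H(A1), as Advanced digest does."""
    f = parse_digest(header)
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f["response"])


def guess_digest_password(header, method, candidates):
    """Offline guessing against a captured Digest header: the reason the
    table rates Digest only 'medium'. Returns the first candidate that
    reproduces the captured response, or None."""
    f = parse_digest(header)
    for candidate in candidates:
        if verify_digest(header, method, digest_ha1(f["username"], f["realm"], candidate)):
            return candidate
    return None


# Constructed sample Digest exchange: the nonce comes from the server's
# WWW-Authenticate challenge, nc and cnonce from the client.
REALM, USER, PASSWORD = "corp.example", "alice", "P@ssw0rd!"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
DIGEST_HEADER = build_digest_header(USER, REALM, PASSWORD, "GET", "/reports/",
                                    NONCE, NC, CNONCE)
STORED_HA1 = digest_ha1(USER, REALM, PASSWORD)  # what Advanced digest keeps in AD

if __name__ == "__main__":
    print("Basic header reveals:", decode_basic(BASIC_HEADER))
    print("Digest header contains password:", PASSWORD in DIGEST_HEADER)
    print("Server verifies with H(A1) only:", verify_digest(DIGEST_HEADER, "GET", STORED_HA1))
    print("Offline guess from capture:",
          guess_digest_password(DIGEST_HEADER, "GET", ["winter2003", "P@ssw0rd!"]))
```

Run it as a plain script. The Basic header decodes to the cleartext pair immediately; the Digest header never contains the password, and the server-side check succeeds with nothing but the stored H(A1), so a database of H(A1) values (Advanced digest) is enough to authenticate users. The last line is the caveat: because the response is an unsalted MD5 chain over values that are all visible in the capture, an attacker who sniffs one Digest exchange can test password guesses offline at MD5 speed, so Digest without SSL still exposes weak passwords.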