Authentication Methods Supported in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Using authentication with IIS is critical if your Web server contains resources that are not meant for anonymous or public access, but approved users must be able to access the Web server over the Internet. For example, if you run Microsoft® Outlook® Web Access (OWA) or the Microsoft Terminal Services Advanced Client on your Web server, you must configure an appropriate authentication method to control access to those applications. You can require users to confirm their identity by providing a valid Microsoft® Windows® name and password before they access any information on your Web server. This identification process is called authentication, and, like many features of IIS, authentication can be set at the Web site, directory, or file level.

IIS 6.0 supports the following authentication methods:

  • Anonymous authentication. This authentication method allows everyone access to the public areas of your Web sites, without asking for a user name or password.

  • Basic authentication. This authentication method prompts the user for a user name and a password, also called credentials, which are sent unencrypted over the network.

  • Digest authentication. This authentication method operates much like Basic authentication, except that passwords are sent across the network as a hash value for additional security. Digest authentication is available only on domains with domain controllers running Windows server operating systems.

  • Advanced Digest authentication. This authentication method is identical to Digest authentication, except Advanced Digest authentication stores the client credentials as a Message Digest (MD5) hash in Active Directory on your domain controller running Windows Server 2003.

  • Integrated Windows authentication. This authentication method uses a hashed challenge/response exchange (NTLM) or Kerberos tickets, so user names and passwords are never sent over the network in clear text.

  • UNC authentication. This authentication method passes users' credentials through to the computer with the Universal Naming Convention (UNC) share.

  • .NET Passport Authentication. This authentication method is a user-authentication service that lets Web site users create a single sign-in name and password for access to all .NET Passport–enabled Web sites and services. .NET Passport–enabled sites rely on the .NET Passport central server to authenticate users; .NET Passport–enabled sites do not host and maintain their own proprietary authentication systems.

  • Certificate authentication. This authentication method uses Secure Sockets Layer (SSL) certificates to authenticate servers and clients.

Table 5.2 compares the Web site authentication methods that are discussed in this chapter.

Table 5.3 Comparison of Web Site Authentication Methods

| Method | Security Level | How Passwords Are Sent | Crosses Proxy Servers and Firewalls | Client Requirements |
| --- | --- | --- | --- | --- |
| Anonymous authentication | None | N/A | Yes | Any browser |
| Basic authentication | Low | Base64 encoded clear text | Yes, but sending passwords across a proxy server or firewall in clear text is a security risk because Base64 encoded clear text is not encrypted. | Most browsers |
| Digest authentication | Medium | Hashed | Yes | Internet Explorer 5 or later |
| Advanced Digest authentication | Medium | Hashed | Yes | Internet Explorer 5 or later |
| Integrated Windows authentication | High | Hashed when NTLM is used; Kerberos ticket when Kerberos is used. | No, unless used over a PPTP connection | Internet Explorer 2.0 or later for NTLM; Windows 2000 or later with Internet Explorer 5 or later for Kerberos |
| Certificate authentication | High | N/A | Yes, using an SSL connection | Internet Explorer and Netscape |
| .NET Passport authentication | High | Encrypted | Yes, using an SSL connection | Internet Explorer and Netscape |

If you configure multiple authentication methods, IIS attempts to negotiate the most restrictive method first, and then it works down the list of available authentication protocols until finding an authentication method that is supported by both the client and the server.
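The difference between Basic and Digest that the list and table above describe, shown as an added Python example (not code from this page or from IIS): a Basic credential decodes straight back to the password, whereas a Digest response is verified from the stored HA1 hash alone and is bound to the server nonce, which is why Advanced Digest can keep only an MD5 hash in Active Directory. The RFC 2617 qop=auth computation and the user, realm, nonce and URI values are constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the page).
USER, REALM, PASSWORD = "alice", "corp.example", "s3cret"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server-issued challenge nonce

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def decode_basic(authorization: str) -> tuple:
    """Basic: credentials are only Base64-encoded. Anyone who can read the
    request (proxy, firewall, sniffer) recovers the password exactly."""
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password

def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This hash is all the server must keep
    to verify Digest responses (what Advanced Digest stores in AD)."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, presented) -> bool:
    """Server-side check using only the stored HA1; the password itself never
    crosses the wire and never sits in the server's store."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, presented)

def demo() -> dict:
    basic_header = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    _, recovered_pw = decode_basic(basic_header)
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    args = ("GET", "/exchange/", NONCE, "00000001", "0a4f113b")
    resp = digest_response(ha1, *args)
    return {
        "basic_password_recovered": recovered_pw == PASSWORD,
        "digest_ok": verify_digest(ha1, *args, resp),
        # Replaying the same response against a fresh nonce fails: the nonce is hashed in.
        "digest_replay_rejected": not verify_digest(ha1, "GET", "/exchange/", "fresh-nonce", "00000001", "0a4f113b", resp),
    }
```

Run `demo()` to see all three checks come back True; the Basic case is the wire-level reason the table rates that method "Low" unless SSL protects the connection.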

You can also provide security for FTP sites by using one of the following authentication methods:

  • Anonymous FTP authentication. This authentication method gives users access to the public areas of your Web site without prompting them for a user name and password.

  • Basic FTP authentication. This authentication method requires users to log on with a user name and password corresponding to a valid Windows user account.

You can use these authentication methods to grant access to public areas of your site while minimizing the risk of unauthorized access to your private files and directories. Each authentication method is covered in detail in the following sections.