Configure Basic Authentication (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Basic authentication requires that users provide a valid user name and password to access content. This authentication method does not require a specific browser, and all major browsers support it. Basic authentication also works across firewalls and proxy servers. For these reasons, it is a good choice when you want to restrict access to some, but not all, content on a server.

However, the disadvantage of Basic authentication is that it transmits unencrypted base64-encoded passwords across the network. You should use Basic authentication only when you know that the connection between the client and the server is secure. The connection should be established either over a dedicated line or by using Secure Sockets Layer (SSL) encryption and Transport Layer Security (TLS). For example, to use Basic authentication with Web Distributed Authoring and Versioning (WebDAV), you should configure SSL encryption.

Important

You must disable Anonymous authentication if you want to use Basic authentication. The first request that all browsers send to a Web server is for anonymous access to server content. If you do not disable Anonymous authentication, users can access all the content on your server anonymously, including restricted content.

Prerequisites

For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None

Modules

  • BasicAuthModule

  • TokenCacheModule

To configure Basic authentication

You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authentication.

  3. On the Authentication page, select Basic Authentication.

  4. In the Actions pane, click Enable to use Basic authentication with the default settings.

  5. Optionally, in the Actions pane, click Edit to type the default domain and realm.

  6. In the Edit Basic Authentication Settings dialog box, in the Default domain text box, type a default domain or leave it blank. Users who do not provide a domain when they log on to your site are authenticated against this domain.

  7. In the Realm text box, type a realm or leave it blank. In general, you can use the same value for the realm name as you used for the default domain.

Important

If you enter the default domain name in the Realm text box, your internal Microsoft Windows domain name may be exposed to external users during the user name and password challenge.

  8. Click OK to close the Edit Basic Authentication Settings dialog box.

Command Line

To enable or disable Basic authentication, use the following syntax:

appcmd set config /section:basicAuthentication /enabled:true | false

By default, IIS sets the enabled attribute to false, which disables Basic authentication. If you set the attribute to true, you enable Basic authentication. For example, to enable Basic authentication, type the following at the command prompt, and then press ENTER:

appcmd set config /section:basicAuthentication /enabled:true

Optionally, you can set the default domain and realm by using the following syntax:

appcmd set config /section:basicAuthentication /defaultLogonDomain:string /realm:string

The variable defaultLogonDomain string is the default domain that IIS uses for Basic authentication. The variable realm string is the realm. For example, to use Basic authentication with a default domain named Contoso and a realm of Public, type the following at the command prompt, and then press ENTER:

appcmd set config /section:basicAuthentication /defaultLogonDomain:Contoso /realm:Public

For more information about Appcmd.exe, see Appcmd.exe (IIS 7).

Configuration

The procedure in this topic affects the following configuration elements:

<basicAuthentication>

For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
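
The following audit sketch is an added example, not Microsoft's code or part of the original topic. It checks a configuration file for the three risks this topic warns about: Basic authentication enabled alongside Anonymous authentication, Basic authentication without required SSL, and a realm that repeats the default domain. Assumptions: the sample XML is constructed, the anonymousAuthentication element and the access element's sslFlags attribute come from the IIS configuration schema rather than from this topic, and each location block is evaluated on its own without inheritance from parent levels.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of applicationHost.config <location> blocks.
SAMPLE_CONFIG = """<configuration>
<location path="Default Web Site/reports"><system.webServer><security>
  <access sslFlags="Ssl" />
  <authentication>
    <anonymousAuthentication enabled="false" />
    <basicAuthentication enabled="true" realm="Public" defaultLogonDomain="Contoso" />
  </authentication>
</security></system.webServer></location>
<location path="Default Web Site/dav"><system.webServer><security>
  <authentication>
    <basicAuthentication enabled="true" realm="Contoso" defaultLogonDomain="Contoso" />
  </authentication>
</security></system.webServer></location>
</configuration>"""

def is_true(elem, default):
    """Read an element's 'enabled' attribute, falling back to the schema default."""
    if elem is None:
        return default
    return elem.get("enabled", str(default)).strip().lower() == "true"

def audit_basic_auth(config_xml):
    """Return (location path, finding) pairs for Basic authentication risks."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        sec = loc.find("system.webServer/security")
        basic = sec.find("authentication/basicAuthentication") if sec is not None else None
        if not is_true(basic, False):  # Basic authentication is disabled by default
            continue
        path = loc.get("path", "")
        # Assumption: Anonymous authentication defaults to enabled when not listed.
        if is_true(sec.find("authentication/anonymousAuthentication"), True):
            findings.append((path, "anonymous-enabled"))
        access = sec.find("access")
        flags = access.get("sslFlags", "None") if access is not None else "None"
        if "Ssl" not in [f.strip() for f in flags.split(",")]:
            findings.append((path, "ssl-not-required"))
        realm, domain = basic.get("realm", ""), basic.get("defaultLogonDomain", "")
        if realm and realm.lower() == domain.lower():
            findings.append((path, "realm-exposes-domain"))
    return findings

if __name__ == "__main__":
    for path, finding in audit_basic_auth(SAMPLE_CONFIG):
        print(f"{path}: {finding}")
```

A location with no findings here can still inherit a weaker setting from a parent level, so review inherited values before treating the result as final.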

WMI

Use the following WMI classes, methods, or properties to perform this procedure:

  • BasicAuthenticationSection class

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also

Concepts

Configuring Authentication in IIS 7