Authentication
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the Authentication feature page to configure the authentication methods that clients can use to gain access to your content.
Sort the list by clicking one of the feature page column headings or select a value from the Group by drop-down list to group similar items.
The following tables describe the UI elements that are available on the Authentication feature page.
| Element Name | Description |
|---|---|
| AD Client Certificate Authentication | AD Client Certificate authentication allows you to use Active Directory directory service features to map users to client certificates for authentication. Mapping users to client certificates lets you automatically authenticate users, without other authentication methods such as Basic, Digest, or Integrated Windows authentication. This kind of authentication is not available on Windows Vista Home Premium. |
| Anonymous Authentication | Anonymous authentication allows any user to access any public content without providing a user name and password. By default, Anonymous authentication is enabled in IIS 8. |
| ASP.NET Impersonation | ASP.NET impersonation allows you to run ASP.NET applications under a context other than the default ASPNET account. Use impersonation with other IIS authentication methods or set up an arbitrary user account. |
| Basic Authentication | Basic authentication requires that users provide a valid user name and password to gain access to content. Note: Basic authentication transmits passwords across the network with weak encryption. Use Basic authentication only when you know that the connection between the client and the server is secure. |
| Digest Authentication | Digest authentication uses a Windows domain controller to authenticate users who request access to content on your server. Consider using Digest authentication when you need improved security over Basic authentication. This kind of authentication is not available on Windows Vista Home Premium. Note: Any browser that does not support the HTTP 1.1 protocol cannot support Digest authentication. |
| Forms Authentication | Forms authentication uses client-side redirection to forward unauthenticated users to an HTML form where they can enter their credentials, which are usually a user name and password. After the credentials are validated, users are redirected to the page they originally requested. Important: Because Forms authentication sends the user name and password to the web server as plain text, use Secure Sockets Layer (SSL) encryption for the logon page and all other pages in your application. |
| Windows Authentication | Windows authentication uses NTLM or Kerberos protocols to authenticate clients. Windows authentication is best suited for an intranet environment. Windows authentication is not suited for use on the Internet because that environment does not require or encrypt user credentials. This kind of authentication is not available on Windows Vista Home Premium. Important: The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. |
Use Active Directory (AD) Client Certificate authentication to map client certificate information across many servers.
Note
Wildcard mapping with AD Client Certificate authentication is less efficient than the native IIS wildcard mapping.
If you select AD Client Certificate authentication, you cannot use IIS certificate mapping for any other sites hosted on the selected server.
| Element Name | Description |
|---|---|
| Active Directory Client Certificate Authentication | Select to manage Active Directory Client Certificate authentication. |

| Element Name | Description |
|---|---|
| Enable | Turns on Active Directory Client Certificate authentication. |
| Disable | Turns off Active Directory Client Certificate authentication. |
Use Anonymous authentication to allow any user to access any public content without providing a user name and password challenge to the client browser. By default, Anonymous authentication is enabled in IIS 7.0.
If only selected users should view some content and you intend to use Anonymous authentication, configure the appropriate NTFS file system permissions to prevent anonymous users from accessing that content. If you want only registered users to view selected content, configure an authentication method for that content that requires a user name and password, for example, Basic or Digest authentication.
| Element Name | Description |
|---|---|
| Anonymous Authentication | Select to manage Anonymous authentication. |

| Element Name | Description |
|---|---|
| Disable | Turns off Anonymous authentication. |
| Enable | Turns on Anonymous authentication. |
| Edit | Displays the Edit Anonymous Authentication Credentials dialog box, where you can set the security principal that anonymous users will use to connect to the site. You can perform this action only when you select Anonymous Authentication from the list on the feature page. |
Use the Edit Anonymous Authentication Credentials dialog box to change the account that IIS uses to access your sites and applications.
| Element Name | Description |
|---|---|
| Specific user | Type the specific account name that you want IIS to use to access your site or application. By default, IIS 8 uses IUSR as the user name for anonymous access. This user name is created when you install IIS 8. |
| Set | Opens the Set Credentials dialog box, where you can specify an account name and password for IIS to use for Anonymous authentication. |
| Application pool identity | Select Application pool identity to enable IIS processes to run using the account that is currently specified on the property page for the application pool. By default, this is the Network Service account. |
Use the Set Credentials dialog box to change the account that IIS uses for anonymous access to your sites and applications. By default, IIS 8 uses IUSR as the account for anonymous access. This account is created when you install IIS 8.
| Element Name | Description |
|---|---|
| User name | Type the name of the account that you want IIS to use to access your sites and applications. |
| Password | Type the password associated with the account that you want IIS to use for anonymous access to your sites and applications. Important: If the password associated with this account is changed, you must also change the password in the Set Credentials dialog box. If the password on the account and the password in the Set Credentials dialog box do not match, the associated site or application is disabled. |
| Confirm password | Retype the password associated with the account that you want IIS to use for anonymous access to your sites and applications. |
Use Basic authentication to require that users provide a valid user name and password to access content. All major browsers support this authentication method and it works across firewalls and proxy servers. The disadvantage of Basic authentication is that it transmits passwords across the network by using weak encryption. Use Basic authentication only when you know that the connection between the client and the server is secure.
Disable Anonymous authentication if you use Basic authentication. The first request that all browsers send to a server is for anonymous access to server content. If you do not disable Anonymous authentication, users can anonymously access all the content on your server, including restricted content.
| Element Name | Description |
|---|---|
| Basic Authentication | Select to manage Basic authentication. |

| Element Name | Description |
|---|---|
| Enable | Turns on Basic authentication. |
| Disable | Turns off Basic authentication. |
| Edit | Displays the Edit Basic Authentication Settings dialog box, where you can set the default domain and realm. You can perform this action only when you select Basic Authentication from the list on the feature page. |
Use the Edit Basic Authentication Settings dialog box to configure Basic authentication for a site.
| Element Name | Description |
|---|---|
| Default domain | Type the name of a domain against which you want users to be authenticated by default. Any users who do not provide a domain name when they log on to your site are authenticated against this domain. |
| Realm | Type the DNS domain name or address that uses the credentials that have been authenticated against the default domain. Providing a Realm is optional for Basic authentication. |
Use Digest authentication to offer authentication that is significantly more secure than Basic authentication. Digest authentication is also supported by all modern browsers, and works through proxy and firewall servers.
To use Digest authentication successfully, disable Anonymous authentication. The first request that all browsers send to a server is for anonymous access to server content. If you do not disable Anonymous authentication, users can anonymously access all the content on your server, including restricted content.
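The following PowerShell script is an added example, not code from the IIS documentation. It applies the settings discussed for Basic and Digest authentication (default domain and realm for Basic, the mandatory realm for Digest), turns Anonymous authentication off at the same path because every browser's first request is anonymous, and then reads the effective configuration back to report the two misconfigurations the text warns about. It assumes the WebAdministration module (installed with IIS Manager), a site named "Default Web Site" with an application or folder named "secure", and the placeholders CONTOSO and secure.contoso.example for the domain and realm.

```powershell
# Added example, not part of the IIS documentation: lock down "Default Web Site/secure"
# with Basic or Digest authentication and read the result back.
# Assumptions: WebAdministration module present; site and application exist;
# CONTOSO and secure.contoso.example are placeholders for your domain and realm.
Import-Module WebAdministration

$Auth = '/system.webServer/security/authentication'

# Writes one attribute into the applicationHost.config <location> for $Path.
# The authentication sections are locked against web.config by default, so the
# -PSPath 'IIS:\' -Location form is what keeps the write in applicationHost.config.
function Set-AuthSetting {
    param([string] $Path, [string] $Section, [string] $Name, $Value)
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path `
        -Filter "$Auth/$Section" -Name $Name -Value $Value
}

# Reads an attribute back; boolean attributes come back wrapped, so unwrap .Value.
function Get-AuthSetting {
    param([string] $Path, [string] $Filter, [string] $Name)
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

function Set-RestrictedAuth {
    param(
        [string] $Path = 'Default Web Site/secure',
        [ValidateSet('Basic', 'Digest')] [string] $Method = 'Basic',
        [string] $Domain = 'CONTOSO',                 # placeholder default logon domain
        [string] $Realm  = 'secure.contoso.example'   # placeholder realm
    )
    # Every browser's first request is anonymous. Leaving Anonymous enabled here
    # would serve the restricted content without ever issuing a challenge.
    Set-AuthSetting $Path 'anonymousAuthentication' 'enabled' $false

    if ($Method -eq 'Basic') {
        Set-AuthSetting $Path 'digestAuthentication' 'enabled' $false
        Set-AuthSetting $Path 'basicAuthentication'  'enabled' $true
        Set-AuthSetting $Path 'basicAuthentication'  'defaultLogonDomain' $Domain
        Set-AuthSetting $Path 'basicAuthentication'  'realm' $Realm
        # Basic only base64-encodes the password; require TLS so it is not readable on the wire.
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Path `
            -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
    else {
        Set-AuthSetting $Path 'basicAuthentication'  'enabled' $false
        Set-AuthSetting $Path 'digestAuthentication' 'enabled' $true
        Set-AuthSetting $Path 'digestAuthentication' 'realm' $Realm   # mandatory for Digest
    }
}

# Reports the misconfigurations the documentation warns about.
function Test-RestrictedAuth {
    param([string] $Path = 'Default Web Site/secure')
    $anon   = Get-AuthSetting $Path "$Auth/anonymousAuthentication" 'enabled'
    $basic  = Get-AuthSetting $Path "$Auth/basicAuthentication"     'enabled'
    $digest = Get-AuthSetting $Path "$Auth/digestAuthentication"    'enabled'
    $ssl    = [string](Get-AuthSetting $Path '/system.webServer/security/access' 'sslFlags')

    $findings = @()
    if ($anon -and ($basic -or $digest)) {
        $findings += "Anonymous authentication is still enabled at '$Path': restricted content is served without a challenge."
    }
    if ($basic -and $ssl -notmatch '\bSsl\b') {
        $findings += "Basic authentication at '$Path' does not require SSL: credentials cross the network base64-encoded only."
    }
    if (-not ($basic -or $digest) -and -not $anon) {
        $findings += "No authentication method is enabled at '$Path': every request will be refused."
    }
    if ($findings.Count -eq 0) { "OK: '$Path' challenges for credentials over TLS." } else { $findings }
}

Set-RestrictedAuth -Method Basic
Test-RestrictedAuth
```

Run `Test-RestrictedAuth` on its own against any path to audit an existing configuration; it never changes anything. The `\bSsl\b` match is deliberate so that `SslNegotiateCert` on its own (client certificates accepted, but SSL not required) is still reported.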
| Element Name | Description |
|---|---|
| Digest Authentication | Select to manage Digest authentication. |

| Element Name | Description |
|---|---|
| Enable | Turns on Digest authentication. |
| Disable | Turns off Digest authentication. |
| Edit | Opens the Edit Digest Authentication Settings dialog box, where you can set the realm against which the credentials should be authenticated. You can perform this action only when you select Digest Authentication from the list on the feature page. |
Use the Edit Digest Authentication Settings dialog box to define the realm name.
| Element Name | Description |
|---|---|
| Realm | Type the DNS domain name or address that uses the credentials that have been authenticated against your internal Windows domain. Providing a Realm is mandatory for Digest authentication. |
Use Forms authentication to provide authentication for high-traffic sites or applications on public servers. This authentication mode lets you manage client registration and authentication at the application level, instead of relying on the authentication mechanisms provided by the operating system.
| Element Name | Description |
|---|---|
| Forms Authentication | Select to manage Forms authentication. |

| Element Name | Description |
|---|---|
| Enable | Turns on Forms authentication. |
| Disable | Turns off Forms authentication. |
| Edit | Opens the Edit Forms Authentication Settings dialog box, where you can set various parameters for Forms authentication, such as cookie settings and the login URL that will redirect unauthenticated clients. You can perform this action only when you select Forms Authentication from the list on the feature page. |
Use Forms authentication to manage client registration and authentication at the application level, instead of relying on the authentication mechanisms provided by the operating system.
Important
Because Forms authentication sends the user name and password to the server as plaintext, use Secure Sockets Layer (SSL) encryption for the logon page and for all other pages in your application except the home page.
| Element Name | Description |
|---|---|
| Login URL | Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is login.aspx. |
| Authentication cookie time-out (in minutes) | Specifies the time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the time-out attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed. |
| Mode | Specifies where to store the Forms authentication ticket. The options are: |
| Name | Sets the name of the Forms authentication cookie. The default is .ASPXAUTH. |
| Protection mode | Specifies the type of encryption, if any, to use for cookies. The options are: |
| Requires SSL | Specifies whether an SSL connection is required to transmit the authentication cookie. By default, this setting is disabled. |
| Extend cookie expiration on every request | Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expire upon each request during a single session. By default, this setting is enabled. |
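The following PowerShell script is an added example and not code from the IIS documentation. It writes the settings behind the Edit Forms Authentication Settings dialog box for a site and then checks them, showing the dialog box defaults (login.aspx, 30 minutes, .ASPXAUTH, Requires SSL off, sliding expiration on) beside a hardened set. It assumes the WebAdministration module, a site named "Default Web Site", and that the attribute names used (loginUrl, timeout, name, protection, requireSSL, slidingExpiration, cookieless) are the `system.web/authentication/forms` attributes the dialog box edits; the values `All` and `UseCookies` are two of the choices for the Protection mode and Mode fields.

```powershell
# Added example, not part of the IIS documentation: apply and check the
# Forms authentication settings of the Edit Forms Authentication Settings dialog box.
# Assumptions: WebAdministration module present; site "Default Web Site" exists.
Import-Module WebAdministration

$SitePath = 'IIS:\Sites\Default Web Site'

function Set-FormsAuth {
    param([string] $Path, [hashtable] $Settings)
    # The Enable action sets system.web/authentication mode="Forms".
    Set-WebConfigurationProperty -PSPath $Path -Filter '/system.web/authentication' -Name mode -Value 'Forms'
    foreach ($name in $Settings.Keys) {
        Set-WebConfigurationProperty -PSPath $Path -Filter '/system.web/authentication/forms' `
            -Name $name -Value $Settings[$name]
    }
}

# timeout is a TimeSpan in the IIS schema for system.web (assumption); accept a plain number too.
function ConvertTo-Minutes($t) { if ($t -is [TimeSpan]) { $t.TotalMinutes } else { [double]$t } }

function Test-FormsAuth {
    param([string] $Path)
    $auth  = Get-WebConfiguration -PSPath $Path -Filter '/system.web/authentication'
    $forms = Get-WebConfiguration -PSPath $Path -Filter '/system.web/authentication/forms'
    $findings = @()
    if ("$($auth.mode)" -ne 'Forms') { $findings += "authentication mode is '$($auth.mode)', not Forms" }
    if (-not $forms.requireSSL) {
        $findings += 'Requires SSL is off: the authentication cookie can travel over plain HTTP'
    }
    if ("$($forms.protection)" -ne 'All') {
        $findings += "protection mode is '$($forms.protection)': the cookie is not both encrypted and validated"
    }
    if ((ConvertTo-Minutes $forms.timeout) -gt 60) {
        $findings += "time-out is $(ConvertTo-Minutes $forms.timeout) minutes: a stolen cookie stays valid for a long time"
    }
    if ($findings.Count -eq 0) { "OK: Forms authentication on '$Path' is configured as intended." } else { $findings }
}

# The dialog box defaults. Test-FormsAuth reports the missing SSL requirement for these.
$dialogDefaults = @{
    loginUrl = 'login.aspx'; timeout = [TimeSpan]::FromMinutes(30); name = '.ASPXAUTH'
    protection = 'All'; requireSSL = $false; slidingExpiration = $true; cookieless = 'UseCookies'
}

# Hardened: same cookie, but only over TLS and with a shorter lifetime.
$hardened = $dialogDefaults.Clone()
$hardened.requireSSL = $true
$hardened.timeout    = [TimeSpan]::FromMinutes(20)

Set-FormsAuth  -Path $SitePath -Settings $hardened
Test-FormsAuth -Path $SitePath
```

Requires SSL only protects the cookie; the logon form itself still needs an HTTPS binding on the site, which is the point of the Important note above.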
Use Windows authentication only in an intranet environment. This authentication enables you to use authentication on your Windows domain to authenticate client connections.
| Element Name | Description |
|---|---|
| Windows Authentication | Select to manage Windows authentication. |

| Element Name | Description |
|---|---|
| Enable | Turns on Windows authentication. |
| Disable | Turns off Windows authentication. |
| Advanced Settings | Opens the Advanced Settings dialog box, where you can enable or disable kernel mode authentication. You can perform this action only when you enable Windows Authentication from the list on the feature page. |
Use the Advanced Settings dialog box to specify whether Windows authentication is performed in kernel mode. By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity.
As a best practice, do not disable this setting if you use Kerberos authentication and have a custom identity on the application pool.
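The following PowerShell function is an added example, not code from the IIS documentation. It reads the Windows authentication settings that the feature page and the Advanced Settings dialog box control for a site (enabled, kernel-mode authentication, the provider order, which defaults to Negotiate) together with the identity type of the site's application pool, and reports the combination the text advises against: kernel-mode authentication disabled on a pool that runs as a custom identity. It assumes the WebAdministration module and a site named "Default Web Site"; the `useKernelMode` attribute and the `providers` collection are the `windowsAuthentication` settings behind the dialog box.

```powershell
# Added example, not part of the IIS documentation: report the Windows
# authentication configuration of a site and the identity of its application pool.
# Assumptions: WebAdministration module present; site "Default Web Site" exists.
Import-Module WebAdministration

function Get-WindowsAuthReport {
    param([string] $Site = 'Default Web Site')
    $filter = '/system.webServer/security/authentication/windowsAuthentication'

    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $filter -Name enabled).Value
    $kernel  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter $filter -Name useKernelMode).Value
    # Provider order as offered to clients; IIS Manager's default is Negotiate, then NTLM.
    $providers = @(Get-WebConfiguration -PSPath 'IIS:\' -Location $Site -Filter "$filter/providers/add" |
                   ForEach-Object { $_.value })

    # Identity type of the pool the site runs in: ApplicationPoolIdentity, NetworkService,
    # LocalService, LocalSystem or SpecificUser (the "custom identity" of the text).
    $poolName = (Get-Item "IIS:\Sites\$Site").applicationPool
    $identity = "$((Get-Item "IIS:\AppPools\$poolName").processModel.identityType)"

    $findings = @()
    if (-not $enabled) {
        $findings += "Windows authentication is disabled for '$Site'."
    }
    if ($providers.Count -gt 0 -and $providers[0] -ne 'Negotiate') {
        $findings += "First provider is '$($providers[0])': clients that take the first offered provider will not select Kerberos."
    }
    if (-not $kernel -and $identity -eq 'SpecificUser') {
        $findings += "Kernel-mode authentication is off while pool '$poolName' runs as a custom identity; the documentation advises keeping it on for Kerberos."
    }

    [pscustomobject]@{
        Site          = $Site
        Enabled       = [bool]$enabled
        UseKernelMode = [bool]$kernel
        Providers     = ($providers -join ', ')
        AppPool       = $poolName
        Identity      = $identity
        Findings      = $findings
    }
}

Get-WindowsAuthReport
```

The report reads the effective settings for the site, so it also reflects values inherited from the server level. Run it for each site with `Get-ChildItem IIS:\Sites | ForEach-Object { Get-WindowsAuthReport $_.Name }` to check a whole server.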
Use ASP.NET Impersonation authentication when you want to run your ASP.NET application under a security context different from the default.
If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under the account set up for anonymous users (typically IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.
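The following PowerShell functions are an added example, not code from the IIS documentation. They write the two impersonation contexts described above for a site (the user authenticated by IIS, or a specific account) and read back which context the application will run under. They assume the WebAdministration module, a site named "Default Web Site", and that `impersonate`, `userName` and `password` on `system.web/identity` are the attributes the ASP.NET Impersonation Settings dialog box edits.

```powershell
# Added example, not part of the IIS documentation: set and inspect ASP.NET
# impersonation for a site. Assumptions: WebAdministration module present;
# site "Default Web Site" exists.
Import-Module WebAdministration

function Set-AspNetImpersonation {
    param(
        [string] $SitePath = 'IIS:\Sites\Default Web Site',
        [string] $UserName,     # omit to impersonate the user IIS authenticated ("Authenticated user")
        [string] $Password      # only used together with -UserName ("Specific user")
    )
    $id = '/system.web/identity'
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $id -Name impersonate -Value $true
    # An empty userName means "run as the IIS-authenticated user"; a value means a fixed account.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $id -Name userName -Value ([string]$UserName)
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $id -Name password -Value ([string]$Password)
}

function Get-AspNetImpersonation {
    param([string] $SitePath = 'IIS:\Sites\Default Web Site')
    $id = Get-WebConfiguration -PSPath $SitePath -Filter '/system.web/identity'
    $context =
        if (-not $id.impersonate) { 'application pool identity (impersonation off)' }
        elseif ($id.userName)     { "specific account '$($id.userName)' stored in web.config" }
        else                      { 'user authenticated by IIS (IUSR when Anonymous authentication is in use)' }
    [pscustomobject]@{
        Impersonate = [bool]$id.impersonate
        UserName    = "$($id.userName)"
        RunsAs      = $context
    }
}

# Authenticated-user mode: nothing sensitive is stored in the configuration.
Set-AspNetImpersonation
Get-AspNetImpersonation
```

When a specific account is used, its password is written to the site's web.config in clear text; encrypt that section with `aspnet_regiis.exe -pe "system.web/identity"` so that read access to the file does not disclose the credentials, and grant the account only the NTFS permissions the application needs, since every request to the application runs as it.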
| Element Name | Description |
|---|---|
| ASP.NET Impersonation | Select to manage ASP.NET Impersonation authentication. |

| Element Name | Description |
|---|---|
| Enable | Turns on ASP.NET Impersonation authentication. |
| Disable | Turns off ASP.NET Impersonation authentication. |
| Edit | Opens the Edit ASP.NET Impersonation Settings dialog box, where you can specify the identity under which the ASP.NET application should run. You can perform this action only when you select ASP.NET Impersonation from the list on the feature page. |
Use the ASP.NET Impersonation Settings dialog box to specify the account your ASP.NET application should impersonate.
| Element Name | Description |
|---|---|
| Specific user | Type the name of the specific account that you want your ASP.NET application to impersonate. |
| Set | Opens the Set Credentials dialog box, where you can specify an account name and password for IIS to use for ASP.NET impersonation. |
| Authenticated user | Select Authenticated user to enable the ASP.NET application to run under the security context of the user account authenticated by IIS. |
Use the Set Credentials dialog box to specify the account that ASP.NET should impersonate.
| Element Name | Description |
|---|---|
| User name | Type the name of the account that you want ASP.NET to impersonate. |
| Password | Type the password associated with the account that you want ASP.NET to impersonate. |
| Confirm password | Retype the password associated with the account that you want ASP.NET to impersonate. |