Authentication
Applies To: Windows Server 2012 R2, Windows Server 2012

Use the Authentication feature page to configure the authentication methods that clients can use to gain access to your content.

Sort the list by clicking one of the feature page column headings or select a value from the Group by drop-down list to group similar items.

UI Elements for Authentication

The following tables describe the UI elements that are available on the Authentication feature page.

Element Name

Description

AD Client Certificate Authentication

AD Client Certificate authentication allows you to use Active Directory directory service features to map users to client certificates for authentication. Mapping users to client certificates lets you automatically authenticate users, without other authentication methods such as Basic, Digest, or Integrated Windows authentication.

This kind of authentication is not available on Windows Vista Home Premium.

Anonymous Authentication

Anonymous authentication allows any user to access any public content without providing a user name and password. By default, Anonymous authentication is enabled in IIS 8.

Note

 Use Anonymous authentication when you want all clients who visit your site to be able to view its content.

ASP.NET Impersonation

ASP.NET impersonation allows you to run ASP.NET applications under a context other than the default ASPNET account. Use impersonation with other IIS authentication methods or set up an arbitrary user account.

Basic Authentication

Basic authentication requires that users provide a valid user name and password to gain access to content.

Note

Basic authentication transmits passwords across the network with weak encryption. Use Basic authentication only when you know that the connection between the client and the server is secure.

Digest Authentication

Digest authentication uses a Windows domain controller to authenticate users who request access to content on your server. Consider using Digest authentication when you need improved security over Basic authentication.

This kind of authentication is not available on Windows Vista Home Premium.

Note

Any browser that does not support the HTTP 1.1 protocol cannot support Digest authentication.

Forms Authentication

Forms authentication uses client-side redirection to forward unauthenticated users to an HTML form where they can enter their credentials, which are usually a user name and password. After the credentials are validated, users are redirected to the page they originally requested.

Important

Because Forms authentication sends the user name and password to the web server as plain text, use Secure Sockets Layer (SSL) encryption for the logon page and all other pages in your application.

Windows Authentication

Windows authentication uses NTLM or Kerberos protocols to authenticate clients. Windows authentication is best suited for an intranet environment. Windows authentication is not suited for use on the Internet because that environment does not require or encrypt user credentials.

This kind of authentication is not available on Windows Vista Home Premium.

Important

The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider.

Active Directory Client Certificate Authentication

Use Active Directory (AD) Client Certificate authentication to map client certificate information across many servers.

Note

Wildcard mapping with AD Client Certificate authentication is less efficient than the native IIS wildcard mapping.

If you select AD Client Certificate authentication, you cannot use IIS certificate mapping for any other sites hosted on the selected server.

Feature Page Elements

Element Name

Description

Active Directory Client Certificate Authentication

Select to manage Active Directory Client Certificate authentication.

Actions Pane Elements

Element Name

Description

Enable

Turns on Active Directory Client Certificate authentication.

Disable

Turns off Active Directory Client Certificate authentication.

Anonymous Authentication

Use Anonymous authentication to allow any user to access any public content without presenting a user name and password challenge to the client browser. By default, Anonymous authentication is enabled in IIS 7.0.

If only selected users should view some content and you intend to use Anonymous authentication, configure the appropriate NTFS file system permissions to prevent anonymous users from accessing that content. If you want only registered users to view selected content, configure an authentication method for that content that requires a user name and password, for example, Basic or Digest authentication.

Feature Page Elements

Element Name

Description

Anonymous Authentication

Select to manage Anonymous authentication.

Actions Pane Elements

Element Name

Description

Disable

Turns off Anonymous authentication.

Enable

Turns on Anonymous authentication.

Edit

Displays the Edit Anonymous Authentication Credentials dialog box, where you can set the security principal that anonymous users will use to connect to the site. You can perform this action only when you select Anonymous Authentication from the list on the feature page.

Edit Anonymous Authentication Credentials Dialog Box

Use the Edit Anonymous Authentication Credentials dialog box to change the account that IIS uses to access your sites and applications.

Element Name

Description

Specific user

Type the specific account name that you want IIS to use to access your site or application. By default, IIS 8 uses IUSR as the user name for anonymous access. This user name is created when you install IIS 8.

Set

Opens the Set Credentials dialog box, where you can specify an account name and password for IIS to use for Anonymous authentication.

Application pool identity

Select Application pool identity to enable IIS processes to run using the account that is currently specified on the property page for the application pool. By default, this is the Network Service account.

Important

If you use the Network Service account, you grant anonymous users all the internal network access associated with that account.

Set Credentials Dialog Box (Anonymous)

Use the Set Credentials dialog box to change the account that IIS uses for anonymous access to your sites and applications. By default, IIS 8 uses IUSR as the account for anonymous access. This account is created when you install IIS 8.

Element Name

Description

User name

Type the name of the account that you want IIS to use to access your sites and applications.

Important

Changing the anonymous user account from IUSR to another network account may affect security because you are giving anonymous users the administrative credentials associated with that account.

Password

Type the password associated with the account that you want IIS to use for anonymous access to your sites and applications.

Important

If the password associated with this account is changed, you must also change the password in the Set Credentials dialog box. If the password on the account and the password in the Set Credentials dialog box do not match, the associated site or application is disabled.

Confirm password

Retype the password associated with the account that you want IIS to use for anonymous access to your sites and applications.
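The dialog boxes above write the userName and password attributes of the anonymousAuthentication section. The following script is an added example (it is not from this page and not Microsoft's own code) that makes the same choices with the WebAdministration module and then audits every site for an anonymous identity other than IUSR or the application pool identity, which is the risk the Important notes above describe. The site name 'Default Web Site' is an assumption.

```powershell
# Added example, not from the original page. Assumes the WebAdministration
# module (IIS 7.0 and later) and a site called 'Default Web Site'.
Import-Module WebAdministration

$site    = 'Default Web Site'                                    # assumed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'                             # applicationHost.config
$filter  = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousIdentity {
    # Returns the account anonymous users run as for one site.
    param([string]$SiteName)
    $user = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                 -Filter $filter -Name 'userName').Value
    # An empty userName is what the "Application pool identity" option stores.
    if ([string]::IsNullOrEmpty($user)) { 'Application pool identity' } else { $user }
}

# Choice 1: "Application pool identity" in the Edit Anonymous Authentication
# Credentials dialog box.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'userName' -Value ''

# Choice 2: "Specific user" with the built-in IUSR account (the IIS default).
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'userName' -Value 'IUSR'

# Choice 3: "Specific user" with a custom account via the Set Credentials dialog box.
# Prompting avoids leaving the password in a script; IIS still has to store it in
# applicationHost.config, and the page notes that a changed account password
# disables the site until this value is updated too.
$cred = Get-Credential -Message 'Anonymous account for IIS (assumed example)'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'userName' -Value $cred.UserName
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter `
    -Name 'password' -Value $cred.GetNetworkCredential().Password

# Audit: list every site and flag identities that hand a real network account's
# access to all anonymous visitors.
Get-Website | ForEach-Object {
    $id     = Get-AnonymousIdentity -SiteName $_.Name
    $status = if ($id -in @('IUSR', 'Application pool identity')) { 'ok' } else { 'REVIEW' }
    '{0,-7} {1,-30} {2}' -f $status, $_.Name, $id
}
```

Run the audit block on its own when you only want a report; the three Set-WebConfigurationProperty choices are alternatives, not a sequence.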

Basic Authentication

Use Basic authentication to require that users provide a valid user name and password to access content. All major browsers support this authentication method and it works across firewalls and proxy servers. The disadvantage of Basic authentication is that it transmits passwords across the network by using weak encryption. Use Basic authentication only when you know that the connection between the client and the server is secure.

Disable Anonymous authentication if you use Basic authentication. The first request that all browsers send to a server is for anonymous access to server content. If you do not disable Anonymous authentication, users can anonymously access all the content on your server, including restricted content.

Feature Page Elements

Element Name

Description

Basic Authentication

Select to manage Basic authentication.

Actions Pane Elements

Element Name

Description

Enable

Turns on Basic authentication.

Disable

Turns off Basic authentication.

Edit

Displays the Edit Basic Authentication Settings dialog box, where you can set the default domain and realm. You can perform this action only when you select Basic Authentication from the list on the feature page.

Edit Basic Authentication Settings Dialog Box

Use the Edit Basic Authentication Settings dialog box to configure Basic authentication for a site.

Element Name

Description

Default domain

Type the name of a domain against which you want users to be authenticated by default. Any users who do not provide a domain name when they log on to your site are authenticated against this domain.

Realm

Type the DNS domain name or address that uses the credentials that have been authenticated against the default domain. Providing a Realm is optional for Basic authentication.

Important

If you enter the default domain name in the Realm box, your internal Microsoft Windows domain name may be exposed to external users during the user name and password challenge.
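The Basic Authentication section above makes three points that are easy to get wrong in practice: Anonymous authentication must be disabled first, the connection must already be secure, and the Realm should not repeat the internal domain name. The script below is an added example (not from this page or from Microsoft) that applies those settings with the WebAdministration module and then checks a site against all three. The site name, domain name 'CORP' and realm 'www.example.com' are assumptions.

```powershell
# Added example, not from the original page. Assumes the WebAdministration
# module and a site called 'Default Web Site' with an HTTPS binding already present.
Import-Module WebAdministration

$site    = 'Default Web Site'                       # assumed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'
$access  = 'system.webServer/security/access'

# Basic authentication exposes the password to anyone on the path, so require
# SSL for the site (the "Require SSL" check box of the SSL Settings page).
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $access `
    -Name 'sslFlags' -Value 'Ssl'

# Disable Anonymous first: the browser's initial request is anonymous, and if it
# succeeds the Basic challenge is never issued for that content.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled' -Value $false

# Enable Basic and fill in the Edit Basic Authentication Settings fields.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/basicAuthentication" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/basicAuthentication" -Name 'defaultLogonDomain' -Value 'CORP'   # assumed internal domain
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter "$auth/basicAuthentication" -Name 'realm' -Value 'www.example.com'     # assumed public name

function Test-BasicAuthConfig {
    # Returns a list of findings (empty when the site follows the page's guidance).
    param([string]$SiteName)
    $findings = @()
    $anon  = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                  -Filter "$auth/anonymousAuthentication" -Name 'enabled').Value
    $basic = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                  -Filter "$auth/basicAuthentication" -Name 'enabled').Value
    $dom   = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                  -Filter "$auth/basicAuthentication" -Name 'defaultLogonDomain').Value
    $realm = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                  -Filter "$auth/basicAuthentication" -Name 'realm').Value
    $ssl   = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                  -Filter $access -Name 'sslFlags')
    if ($basic -and $anon) {
        $findings += 'Anonymous authentication is still enabled; restricted content is reachable without credentials.'
    }
    if ($basic -and ($ssl -notmatch 'Ssl')) {
        $findings += 'SSL is not required; Basic credentials would cross the network unprotected.'
    }
    if ($basic -and $realm -and ($realm -ieq $dom)) {
        $findings += 'Realm equals the default domain; the internal Windows domain name is exposed in the challenge.'
    }
    return $findings
}

$result = Test-BasicAuthConfig -SiteName $site
if ($result.Count -eq 0) { "$site`: Basic authentication configuration looks consistent with the guidance." }
else { $result | ForEach-Object { "$site`: $_" } }
```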

Digest Authentication

Use Digest authentication to offer authentication that is significantly more secure than Basic authentication. Digest authentication is also supported by all modern browsers, and works through proxy and firewall servers.

To use Digest authentication successfully, disable Anonymous authentication. The first request that all browsers send to a server is for anonymous access to server content. If you do not disable Anonymous authentication, users can anonymously access all the content on your server, including restricted content.

Feature Page Elements

Element Name

Description

Digest Authentication

Select to manage Digest authentication.

Actions Pane Elements

Element Name

Description

Enable

Turns on Digest authentication.

Disable

Turns off Digest authentication.

Edit

Opens the Edit Digest Authentication Settings dialog box where you can set the realm against which the credentials should be authenticated. You can perform this action only when you select Digest Authentication from the list on the feature page.

Edit Digest Authentication Settings Dialog Box

Use the Edit Digest Authentication Settings dialog box to define the realm name.

Element Name

Description

Realm

Type the DNS domain name or address that uses the credentials that have been authenticated against your internal Windows domain. Providing a Realm is mandatory for Digest authentication.

Forms Authentication

Use Forms authentication to provide authentication for high-traffic sites or applications on public servers. This authentication mode lets you manage client registration and authentication at the application level, instead of relying on the authentication mechanisms provided by the operating system.

Feature Page Elements

Element Name

Description

Forms Authentication

Select to manage Forms authentication.

Actions Pane Elements

Element Name

Description

Enable

Turns on Forms authentication.

Disable

Turns off Forms authentication.

Edit

Opens the Edit Forms Authentication Settings dialog box where you can set various parameters for Forms authentication, such as cookie settings and the login URL that will redirect unauthenticated clients. You can perform this action only when you select Forms Authentication from the list on the feature page.

Edit Forms Authentication Settings Dialog Box

Use Forms authentication to manage client registration and authentication at the application level, instead of relying on the authentication mechanisms provided by the operating system.

Important

Because Forms authentication sends the user name and password to the server as plaintext, use Secure Sockets Layer (SSL) encryption for the logon page and for all other pages in your application except the home page.

Element Name

Description

Login URL

Specifies the URL to which the request is redirected for logon if no valid authentication cookie is found. The default value is login.aspx.

Authentication cookie time-out (in minutes)

Specifies the time, in integer minutes, after which the cookie expires. The default value is 30. If the SlidingExpiration attribute is true, the time-out attribute is a sliding value, expiring at the specified number of minutes after the time the last request was received. To prevent compromised performance, and to avoid multiple browser warnings for users who have cookie warnings turned on, the cookie is updated when more than half the specified time has elapsed.

Mode

Specifies where to store the Forms authentication ticket. The options are:

  • Do not use cookies - Cookies are not used.

  • Use cookies - Cookies are always used, regardless of device.

  • Auto Detect - Cookies are used if the device profile supports cookies. Otherwise, no cookies are used. For desktop browsers that are known to support cookies, ASP.NET checks to determine whether cookies are enabled.

  • Use device profile - Cookies are used if the device profile supports cookies. Otherwise, no cookies are used. ASP.NET does not check to determine whether cookies are enabled on devices that support cookies. This setting is the default.

Name

Sets the name of the Forms authentication cookie. The default is .ASPXAUTH.

Protection mode

Specifies the type of encryption, if any, to use for cookies. The options are:

  • Encryption and validation - Specifies that both data validation and encryption are used to help protect the cookie. This option uses the configured data validation algorithm (based on the <machineKey> element). Triple-DES (3DES) is used for encryption, if available and if the key is long enough (48 bytes or more). Encryption and validation is the default, and recommended, value.

  • None - Specifies that both encryption and validation are disabled for sites that use cookies only for personalization and that have weaker security requirements. Microsoft does not recommend that you use this setting; however, it is the least resource-intensive way to enable personalization by using the .NET Framework.

  • Encryption - Specifies that the cookie is encrypted using Triple-DES or DES, but data validation is not performed on the cookie. Cookies used in this manner might be subject to plaintext attacks.

  • Validation - Specifies that a validation scheme verifies that the contents of an encrypted cookie have not been changed in transit. The cookie is created using cookie validation by concatenating a validation key with the cookie data, computing a message authentication code (MAC), and appending the MAC to the outgoing cookie.

Requires SSL

Specifies whether an SSL connection is required to transmit the authentication cookie. By default, this setting is disabled.

Extend cookie expiration on every request

Specifies whether sliding expiration is enabled. Sliding expiration resets an active authentication cookie's time to expire upon each request during a single session. By default, this setting is enabled.
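Every field of the Edit Forms Authentication Settings dialog box maps to an attribute of the forms element in the site's web.config. The script below is an added example (not from this page or from Microsoft) that writes those attributes through the WebAdministration module and then reports the settings that weaken the ticket: a protection mode other than Encryption and validation, Requires SSL left off, and cookieless modes that put the ticket in the URL. The site path 'IIS:\Sites\Default Web Site' is an assumption.

```powershell
# Added example, not from the original page. Assumes the WebAdministration
# module and a site called 'Default Web Site'; writes to that site's web.config.
Import-Module WebAdministration

$sitePath = 'IIS:\Sites\Default Web Site'        # assumed site
$forms    = 'system.web/authentication/forms'

# Switch the application to Forms authentication.
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/authentication' `
    -Name 'mode' -Value 'Forms'

# Dialog box fields, left to right, with the hardened choices:
$settings = @{
    loginUrl          = 'login.aspx'              # Login URL (page default)
    timeout           = (New-TimeSpan -Minutes 30) # Authentication cookie time-out (30 min default)
    cookieless        = 'UseCookies'              # Mode: "Use cookies" keeps the ticket out of URLs
    name              = '.ASPXAUTH'               # Name (page default)
    protection        = 'All'                     # Protection mode: "Encryption and validation"
    requireSSL        = $true                     # Requires SSL (off by default on the page)
    slidingExpiration = $true                     # Extend cookie expiration on every request
}
foreach ($kv in $settings.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath $sitePath -Filter $forms -Name $kv.Key -Value $kv.Value
}

function Test-FormsAuthConfig {
    # Returns findings for settings that weaken the Forms ticket; empty when none.
    param([string]$PSPath)
    $findings = @()
    $get = { param($n) (Get-WebConfigurationProperty -PSPath $PSPath -Filter $forms -Name $n).Value }
    $protection = & $get 'protection'
    $requireSsl = & $get 'requireSSL'
    $cookieless = & $get 'cookieless'
    $sliding    = & $get 'slidingExpiration'
    $timeout    = & $get 'timeout'

    if ("$protection" -ne 'All') {
        $findings += "protection=$protection: the ticket is not both encrypted and MAC-validated; tampering or plaintext attacks become possible."
    }
    if (-not $requireSsl) {
        $findings += 'requireSSL=false: the authentication cookie may be sent over plain HTTP.'
    }
    if ("$cookieless" -in @('UseUri', 'AutoDetect', 'UseDeviceProfile')) {
        $findings += "cookieless=$cookieless: the ticket can be carried in the URL and leak through logs and Referer headers."
    }
    if ($sliding -and ([TimeSpan]$timeout).TotalMinutes -gt 60) {
        $findings += "slidingExpiration with a $([TimeSpan]$timeout) timeout keeps a stolen ticket alive as long as it is replayed."
    }
    return $findings
}

$result = Test-FormsAuthConfig -PSPath $sitePath
if ($result.Count -eq 0) { 'Forms authentication settings match the hardened choices.' }
else { $result }
```

The timeout is passed as a TimeSpan because that is how the forms element's timeout attribute is typed in the IIS configuration schema; the dialog box shows the same value in minutes.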

Windows Authentication

Use Windows authentication only in an intranet environment. This authentication enables you to use authentication on your Windows domain to authenticate client connections.

Feature Page Elements

Element Name

Description

Windows Authentication

Select to manage Windows authentication.

Actions Pane Elements

Element Name

Description

Enable

Turns on Windows authentication.

Disable

Turns off Windows authentication.

Advanced Settings

Opens the Advanced Settings dialog box where you can enable or disable kernel mode authentication. You can perform this action only when you enable Windows Authentication from the list on the feature page.

Advanced Settings Dialog Box (Windows)

Use the Advanced Settings dialog box to specify whether Windows authentication is performed in kernel mode. By default, IIS enables kernel-mode authentication, which may improve authentication performance and prevent authentication problems with application pools configured to use a custom identity.

As a best practice, do not disable this setting if you use Kerberos authentication and have a custom identity on the application pool.
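The Windows Authentication sections above cover three settings that the UI spreads across the feature page, the Important note on Negotiate, and the Advanced Settings dialog box: the enabled flag, the provider list, and kernel-mode authentication. The script below is an added example (not from this page or from Microsoft) that sets them through the WebAdministration module and checks a site for the conditions the page warns about. The site name is an assumption.

```powershell
# Added example, not from the original page. Assumes the WebAdministration
# module and a site called 'Default Web Site'.
Import-Module WebAdministration

$site    = 'Default Web Site'                     # assumed site name
$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'
$win     = "$auth/windowsAuthentication"

# Turn on Windows authentication and keep kernel-mode authentication enabled,
# which the page describes as the default and the recommended setting when
# the application pool runs under a custom identity with Kerberos.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $win -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $win -Name 'useKernelMode' -Value $true

function Get-WindowsAuthProviders {
    # Returns the provider names in the order IIS offers them (e.g. Negotiate, NTLM).
    param([string]$SiteName)
    Get-WebConfiguration -PSPath $apphost -Location $SiteName -Filter "$win/providers/add" |
        ForEach-Object { $_.value }
}

function Test-WindowsAuthConfig {
    # Returns findings; empty when the site follows the page's guidance.
    param([string]$SiteName)
    $findings  = @()
    $enabled   = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $win -Name 'enabled').Value
    $kernel    = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName -Filter $win -Name 'useKernelMode').Value
    $anon      = (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
                      -Filter "$auth/anonymousAuthentication" -Name 'enabled').Value
    $providers = @(Get-WindowsAuthProviders -SiteName $SiteName)

    if (-not $enabled) { return @('Windows authentication is disabled on this site.') }
    if (-not $kernel) {
        $findings += 'Kernel-mode authentication is off; expect slower authentication and possible failures with custom app pool identities.'
    }
    if ($providers -notcontains 'Negotiate') {
        $findings += "Providers are [$($providers -join ', ')]; without Negotiate the client cannot choose Kerberos."
    }
    if ($anon) {
        $findings += 'Anonymous authentication is also enabled; the initial anonymous request will satisfy unrestricted content.'
    }
    return $findings
}

$result = Test-WindowsAuthConfig -SiteName $site
if ($result.Count -eq 0) { "$site`: Windows authentication is enabled with kernel mode and Negotiate." }
else { $result | ForEach-Object { "$site`: $_" } }
```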

ASP.NET Impersonation

Use ASP.NET Impersonation authentication when you want to run your ASP.NET application under a security context different from the default.

If you enable impersonation for an ASP.NET application, that application can run in one of two different contexts: either as the user authenticated by IIS or as an arbitrary account that you set up. For example, if you were using Anonymous authentication and chose to run the ASP.NET application as the authenticated user, the application would run under the account set up for anonymous users (typically, IUSR). Likewise, if you chose to run the application under an arbitrary account, it would run under whatever security context was set up for that account.

Feature Page Elements

Element Name

Description

ASP.NET Impersonation

Select to manage ASP.NET Impersonation authentication.

Actions Pane Elements

Element Name

Description

Enable

Turns on ASP.NET Impersonation authentication.

Disable

Turns off ASP.NET Impersonation authentication.

Edit

Opens the Edit ASP.NET Impersonation Settings dialog box where you can specify the identity under which the ASP.NET application should run. You can perform this action only when you select ASP.NET Impersonation from the list on the feature page.

ASP.NET Impersonation Settings Dialog Box

Use the ASP.NET Impersonation Settings dialog box to specify the account your ASP.NET application should impersonate.

Element Name

Description

Specific user

Type the name of the specific account that you want your ASP.NET application to impersonate.

Set

Opens the Set Credentials dialog box, where you can specify an account name and password for IIS to use for ASP.NET impersonation.

Authenticated user

Select Authenticated user to enable the ASP.NET application to run under the security context of the user account authenticated by IIS.

Set Credentials Dialog Box (Impersonation)

Use the Set Credentials dialog box to specify the account that ASP.NET should impersonate.

Element Name

Description

User name

Type the name of the account that you want ASP.NET to impersonate.

Password

Type the password associated with the account that you want ASP.NET to impersonate.

Confirm password

Retype the password associated with the account that you want ASP.NET to impersonate.