HOW TO: Configure Internet Information Services Web Authentication in Windows Server 2003

This step-by-step article describes how to configure authentication for Web-based requests in Microsoft Internet Information Services (IIS) 6.0.

How Web Authentication Works

Web authentication is a communication between the Web browser and the Web server that involves a small number of Hypertext Transfer Protocol (HTTP) headers and error messages.

The flow of communication is as follows:

1. The Web browser makes a request, such as HTTP-GET.
2. The Web server performs an authentication check. If this is not successful because authentication is required, the server responds with an error message similar to the following:
   You are not authorized to view this page
   
   You do not have permission to view this directory or page using the credentials you supplied.
   Information is included in this message that the Web browser can use to resubmit the request as an authenticated request.
3. The Web browser uses the server's response to construct a new request that contains authentication information.
4. The Web server performs an authentication check. If the check is successful, the Web server sends the data that was initially requested back to the Web browser.

Authentication Methods

Note: With some of the following authentication methods, you must use drives that you have formatted with the NTFS file system because NTFS-formatted drives maintain the highest level of security.

IIS supports the following Web authentication methods.

Anonymous Authentication

IIS creates the IUSR_ComputerName account (where ComputerName is the name of the server that is running IIS) to authenticate anonymous users when they request Web content. This account gives the user the right to log on locally. You can reset anonymous user access to use any valid Windows account.

Note: You can set up different anonymous accounts for different Web sites, virtual directories or physical directories, and files.

If the Windows Server 2003-based computer is a stand-alone server, the IUSR_ComputerName account is on the local server. If the server is a domain controller, the IUSR_ComputerName account is defined for the domain.

Basic Authentication

Use basic authentication to restrict access to files on an NTFS-formatted Web server. With basic authentication, the user must enter credentials, and access is based on the user ID. Both user ID and password are sent across the network in clear text.

To use basic authentication, grant each user the right to log on locally, and to make administration easier, add each user to a group that has access to the necessary files.

Note: Because user credentials are encoded with Base64 encoding but they are not encrypted when they are transmitted over the network, basic authentication is not considered a secure form of authentication.

Windows Integrated Authentication

Windows Integrated authentication is more secure than basic authentication, and it functions well in an intranet environment where users have Windows domain accounts. In integrated Windows authentication, the browser tries to use the current user's credentials from a domain logon, and if this attempt is unsuccessful, the user is prompted to enter a user name and password. If you use integrated Windows authentication, the user's password is not transmitted to the server. If the user has logged on to the local computer as a domain user, the user does not have to authenticate again when the user accesses a network computer in that domain. Note that you must use Microsoft Internet Explorer 2.0 or later as your Web browser if you are using Windows Integrated authentication.

Note: You cannot use integrated Windows authentication through a proxy server.

Digest Authentication

Digest authentication addresses many of the weaknesses of basic authentication. The password is not sent in clear text when you use digest authentication. Additionally, you can use digest authentication through a proxy server. Digest authentication uses a challenge/response mechanism (which integrated Windows authentication uses) where the password is sent in an encrypted format. To use digest authentication, note the following requirements:

• The user and IIS server must be members of, or trusted by, the same domain.
• Users must have a valid Windows user account stored in Active Directory on the domain controller.
• The domain must use a Microsoft Windows 2000-or-later domain controller.
• You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows 2000 Setup or Windows Server 2003 Setup.
• You must configure all user accounts with the Store password using reversible encryption account option selected. To select this account option, the password must be reset or re-entered.

Note: You must use Microsoft Internet Explorer 5.0 or later as your Web browser if you are using digest authentication.

.NET Passport Authentication

Microsoft .NET Passport is a user-authentication service that permits single sign-in security, which provides users with security-enhanced access to .NET Passport-enabled Web sites and services. .NET Passport-enabled sites rely on the .NET Passport central server to authenticate users. However, the central server does not authorize or deny a specific user's access to individual .NET Passport-enabled sites. It is the responsibility of the Web site to control users' permissions. When you select this option, requests to IIS must contain valid .NET Passport credentials on either the query string or in the cookie. If IIS does not detect .NET Passport credentials, requests are redirected to the .NET Passport logon page.

Client Certificate Mapping

Client certificate mapping is a method where a mapping is created between a certificate and a user account. In this model, a user presents a certificate and the system looks at the mapping to determine which user account should be logged on. You can map a certificate to a Windows user account in one of two ways:

• By using Active Directory.
  
  -or-
• By using rules that are defined in IIS.

For additional information about how to map client certificates to user accounts, search on "Client Certificate Mapping" in the IIS documentation. If you have IIS installed, you can access the Help files by either of the following methods:

• Right-click any node in Internet Service Manager, and then click Help.
  
  -or-
• Start Windows Explorer, locate the hard disk:\Windows\Help folder, and then open Lismmc.chm.

You can configure each authentication method to control access to the following items on the IIS server:

• All Web content that is hosted on the IIS server.
• Individual Web sites that are hosted on the IIS server.
• Individual virtual directories or physical directories that are in a Web site.
• Individual pages or files that are in a Web site.

How to Configure IIS Web Site Authentication

1. Use an administrative account to log on to the Web server.
2. Start IIS Manager or open the IIS snap-in.
3. Expand Server_name, where Server_name is the name of the server, and then expand Web Sites.
4. Use one of the following methods (as appropriate to your situation), and then click Properties:
   • To configure authentication for all Web content that is hosted on the IIS server, right-click Web Sites.
   • To configure authentication for an individual Web site, right-click the Web site that you want.
   • To configure authentication for a virtual directory or a physical directory in a Web site, click the Web site that you want, and then right-click the directory that you want, such as _vti_pvt.
   • To configure authentication for an individual page or file in a Web site, click the Web site that you want, click the folder that contains the file or the page that you want, and then right-click the file or the page that you want.
5. In the ItemName Properties dialog box (where ItemName is the name of the item that you selected), click the Directory Security or the File Security tab (as appropriate).
6. Under Anonymous access and authentication control, click Edit.
7. Click to select the Anonymous access check box to turn on anonymous access. To turn off anonymous access, click to clear this check box.
   
   Note: If you turn off anonymous access, you must configure some other form of authenticated access.
   
   To change the account that is used for anonymous access to this resource, click Browse, click the user account that you want to use, and then click OK.
8. Under Authenticated access, click to select the Windows Integrated authentication check box if you want to use integrated Windows authentication.
   
   Note: This authentication method was formerly known as Microsoft Windows NT Challenge/Response or NT LAN Manager (NTLM).
9. Click to select the Digest authentication for Windows domain servers check box if you want to use digest authentication. When you receive the following message, click Yes:
   Digest authentication only works with Active Directory domain accounts. For more information about configuring Active Directory domain accounts to allow digest authentication, click Help.
   
   Are you sure you wish to continue?
   Type the realm name in the Realm box.
   
   Note: You must configure user accounts with the Store password using reversible encryption account option selected.
10. Click to select the Basic authentication (password is sent in clear text) check box if you want to use basic authentication. When you receive the following message, click Yes:
    The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.
    
    Are you sure you want to continue?
    1. To specify a domain with which to authenticate users who are using basic authentication, type the domain that you want in the Default domain box.
    2. You also have the option to enter a value in the Realm box at this point.
11. Click to select the .NET Passport authentication check box if you want to use .NET Passport authentication.
    
    Note: When you select this option, the other authentication methods are unavailable.
12. Click OK, and then in the Item Name Properties dialog box, click OK. If the Inheritance Overrides dialog box opens, follow these steps:
    1. Click Select All to apply the new authentication settings to all of the files or the folders that are located in the item that you changed.
    2. Click OK.
13. Quit IIS Manager or close the IIS snap-in.

For additional information about configuring IIS Web site authentication in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about how to troubleshoot a Web server in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: