Article ID: 308160 - View products that this article applies to.
This article was previously published under Q308160
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspxFor more information about IIS 7.0, visit the following Microsoft Web site:
NoticeThis article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
This step-by-step article describes how to configure authentication for Web-based requests in Microsoft Internet Information Services (IIS) 5.0.
The flow of communication is:
Authentication methodsNOTE: With some of the following authentication methods, you need to use drives that you have formatted with the NTFS file system because NTFS-formatted drives maintain the highest level of security.
IIS supports the five following Web authentication methods:
Anonymous authenticationIIS creates the IUSR_computername account (where computername is the name of the computer) to authenticate anonymous users when they request Web content. This account gives the user the right to log on locally. You can reset anonymous user access to use any valid Windows account.
NOTE: You can set up different anonymous accounts for different Web sites, virtual directories or physical directories, and files.
If the Windows 2000-based computer is a stand-alone server, the IUSR_computername account is on the local server. If the server is a domain controller, the IUSR_computername account is defined for the domain.
Basic authenticationUse basic authentication to restrict access to files on an NTFS-formatted Web server. With basic authentication, the user must enter credentials and access is based on the user ID.
To use basic authentication, grant each user the right to log on locally and to make administration easier, add them to a group that has access to the necessary files.
NOTE: Because user credentials are encoded with Base64 encoding but they are not encrypted when they are transmitted over the network, basic authentication is considered an insecure form of authentication.
Integrated Windows authenticationIntegrated Windows authentication is more secure than basic authentication and it functions well in an Intranet environment where users have Windows domain accounts. In integrated Windows authentication, the browser attempts to use the current user's credentials from a domain logon and if this fails, the user is prompted to enter a user name and password. If you use integrated Windows authentication, the user's password is not transmitted to the server. If the user has logged on to the local computer as a domain user, the user does not have to authenticate again when the user accesses a network computer in that domain.
NOTE: You cannot use integrated Windows authentication through a proxy server.
Digest authenticationDigest authentication addresses many of the weaknesses of basic authentication. The password is not sent in clear text when you use digest authentication. In addition, you can use digest authentication through a proxy server. Digest authentication uses a challenge/response mechanism (which integrated Windows authentication uses) where the password is sent in an encrypted format. To use digest authentication:
Client certificate mappingClient certificate mapping is a method where a "mapping" is created between a certificate and a user account. In this model, a user presents a certificate and the system looks at the mapping to determine which user account should be logged on. You can map a certificate to a Windows user account in one of two ways:
http://localhost/iisHelp/iis/misc/default.aspFor more information about how to use certificates, click the following article number to view the article in the Microsoft Knowledge Base:
290625You can configure each authentication method to control access to the following items on the IIS server:
(http://support.microsoft.com/kb/290625/ )How to configure SSL in a Windows 2000 IIS 5 test environment using Certificate Server 2.0
How to configure IIS Web site authentication
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/297954/ )How to troubleshoot the Web Server in Windows 2000
(http://support.microsoft.com/kb/299970/ )How to use NTFS permissions to protect a Web Page running on IIS 4.0 or 5
(http://support.microsoft.com/kb/216705/ )How to set permissions on a FrontPage Web on IIS
(http://support.microsoft.com/kb/222028/EN-US/ )Setting Up Digest Authentication for Use with Internet Information Services 5.0
Article ID: 308160 - Last Review: July 3, 2008 - Revision: 4.2