Authentication is the process of identifying a user before deciding whether that
user can be granted access to the requested resource(s). IIS provides several
authentication schemes. Let us look at each of them briefly.
Anonymous – This type of authentication gives users access to all the public
areas of the web application without asking for a user ID or password. It is
used where performance is key and security is not a criterion, that is, where we
do not want to authenticate clients on an individual basis. By default,
anonymous authentication is enabled and uses the IUSR_machinename user account.
The password for that account is controlled by IIS.
Integrated Windows Authentication – This type of authentication can use either
NTLM or Kerberos V5. It works only with Internet Explorer 2.0 and later.
For the first response from IIS, Internet Explorer tries to recognize the
Negotiate header. Once it understands the Negotiate header, the browser (IE)
returns the information for both NTLM and Kerberos. On receiving the request,
IIS decides whether to use Kerberos or NTLM based on the Internet Explorer
version and the Windows type. This type of authentication is best suited to
intranet applications.
Basic Authentication – Basic authentication is based on the HTTP 1.0
specification. When we use this type of authentication, the browser prompts the
user for a user name and password. Once provided, the user name and password are
transmitted over HTTP as plain text. To enhance security we can use SSL on top
of basic authentication, at the expense of some performance. The advantage of
this type of authentication is the ability to track individual users, unlike
anonymous authentication.
Digest Authentication – Digest authentication addresses the weakness of Basic
authentication (sending the user ID and password in plain text). Instead of
exposing the user ID and password in plain text, they are sent after applying a
hash function (digest algorithm). For the first request, IIS sends a challenge
to the client asking it to create a digest and send it to the server. The client
applies the digest algorithm specified by the server to the combined data and
sends the resulting digest to the server as its response to the challenge. The
server then computes the same digest on its side and compares the two.
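As an added example that is not from the original text, the following Python works through the Digest exchange just described in its simpler no-qop form (RFC 2617): the client builds the response MD5(HA1:nonce:HA2) and the server verifies it by recomputing the digest from the HA1 it stores and the nonce it issued, rather than decrypting anything. The realm, user, password and nonce values are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(user:realm:password): what the server stores; the password never travels.
    return md5_hex(f"{username}:{realm}:{password}")

def client_response(username, realm, password, method, uri, nonce) -> str:
    # Client side (RFC 2617 Digest, no qop): response = MD5(HA1:nonce:HA2).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")

def build_authorization(username, realm, password, method, uri, nonce) -> str:
    # The Authorization header the browser sends back after the 401 challenge.
    resp = client_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def parse_authorization(header: str) -> dict:
    # Pull the quoted key="value" pairs out of a Digest Authorization header.
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Digest "):]))

def server_verify(header, method, stored_ha1_by_user, issued_nonces) -> bool:
    # Server side: recompute the expected digest from the stored HA1 and the nonce
    # it issued, then compare. Nothing is decrypted; MD5 is one-way.
    p = parse_authorization(header)
    nonce, user = p.get("nonce", ""), p.get("username", "")
    if nonce not in issued_nonces or user not in stored_ha1_by_user:
        return False                          # unknown nonce or unknown user
    ha2 = md5_hex(f"{method}:{p.get('uri', '')}")
    expected = md5_hex(f"{stored_ha1_by_user[user]}:{nonce}:{ha2}")
    ok = hmac.compare_digest(expected, p.get("response", ""))
    if ok:
        issued_nonces.discard(nonce)          # one-shot nonce, so a replay fails
    return ok

# Constructed sample exchange (not from the page): challenge, answer, verify, replay.
REALM = "example.local"                       # assumed realm and credential
USERS = {"alice": ha1("alice", REALM, "correct horse")}

def demo() -> tuple:
    issued = {"8c1f3e2a"}                     # nonce the server put in its 401 challenge
    hdr = build_authorization("alice", REALM, "correct horse", "GET", "/private/", "8c1f3e2a")
    return server_verify(hdr, "GET", USERS, issued), server_verify(hdr, "GET", USERS, issued)
```

Calling `demo()` returns `(True, False)`: the first response verifies, and resending the identical header is rejected because the nonce has already been consumed.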