Understanding Internet Information Services - Part 1
page 4 of 7
by Uday Denduluri
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 34135/ 18

IIS Authentication

Authentication is identifying a user before actually deciding whether he can be given access to the requested resource(s). IIS provides various authentication schemes. Let us see each one of them in brief.

·         Anonymous – This type of authentication gives users access to all the public areas of the web application without asking for a user ID or password. This kind of authentication is used where performance is a key and security is not a criterion. We can use this kind of authentication where we do not want to authenticate clients to the individual basis. By default, the anonymous authentication is enabled and uses the IUSR_machinename user account. The password for the user account is controlled by IIS.

·         Integrated Windows Authentication – This type of authentication can be used either with NTLM or Kerberos V5 authentication. This authentication can only work with Internet Explorer 2.0 and later.

·         Initially for the first response from IIS, Internet Explorer will try to recognize the header (Negotiate). Upon understanding the negotiate header the browser (IE) returns the information for both NTLM and Kerberos. Upon receiving the request IIS will decide whether to use Kerberos or NTLM based on the Internet Explorer version and windows type. This type of authentication is best suited for the Intranet applications.

·         Basic Authentication – Basic authentication is based on the HTTP 1.0 specification. When we use this type of authentication, the browser prompts the user for a user name and password. Once the user name and password are provided it is transmitted across HTTP in the form of plain text. To enhance security we can use SSL on top of basic authentication at the expense of some performance. The advantage of using this type of authentication is the ability to track the individual users, unlike the anonymous authentication.

·         Digest Authentication – Digest Authentication tries to address the weakness of Basic Authentication (sending user ID and password in plain text). Here instead of exposing the user ID and password in plain text, it will be sent by applying a hash function or a digest algorithm. Initially for the first request IIS sends a challenge to the client to create a digest and send it to the server. The client then applies a digest algorithm (specified by the server) to the combined data. The client sends the resulting digest to the server as the response to the challenge. The server then decrypts it to compare both.

View Entire Article

User Comments

Title: Thanks   
Name: harika
Date: 2011-08-04 5:29:40 PM
It is very nice, thank you so much..
Title: app support   
Name: pt
Date: 2009-10-09 4:58:14 PM
Thank you, this is defintely a start to understanding IIS.
Title: -   
Name: Dan
Date: 2007-08-17 3:58:35 AM
Nice read, well done

Product Spotlight
Product Spotlight 

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-07-23 2:40:49 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search