IIS User Authentication
IIS 6.0 supports four different methods of user-authentication and you can also configure client or server certificates, which use SSL encryption for secure communications:
- Client certificates allow the server to positively identify the client based on personal information contained in each client's certificate.
- Server certificates allow the client to positively identify the server based on specific information contained in each server's certificate.
Each of the four basic authentication methods offers different features, so you need to select an authentication method based on the requirements of a particular application or purpose. The authentication methods available are as follows:
- Basic authentication: sends passwords in unencrypted clear text over the network. This authentication method is not secure.
- Digest authentication for Windows domain servers: works only with Active Directory user accounts and sends encrypted passwords over the network using hash values. This authentication method is secure. It can work through proxy servers and firewalls, and it works with Web Distributed Authoring and Versioning (WebDAV).
- Integrated Windows authentication: incorporates the NT LAN Manager (NTLM) authentication protocol (also known as Windows NT Challenge/Response authentication), the Kerberos version 5 authentication protocol and the Negotiate authentication method. This combined approach provides secure authentication through firewalls and proxy servers, whereas Kerberos alone is generally blocked by firewalls and NTLM alone is generally blocked by proxy servers. This authentication method is secure.
- .NET Passport authentication: uses the Microsoft .NET Passport user authentication service to identify and verify users. It uses Internet standards such as SSL, HTTP redirects, cookies, JScript and strong symmetric key encryption to provide a single logon for users to access resources that are secured by the .NET Passport authentication method. This authentication method is secure.
You can modify the way in which users are authenticated and granted access to Web sites under IIS either globally or individually for each Web site hosted by the IIS server. Anonymous Access is normally enabled by default, so that guest users do not need to enter a username or password to visit Web sites hosted by an IIS server.