Flexible use of the five authentication methods in IIS

Source: Internet
Author: User
Tags: microsoft iis

[BKJIA exclusive article] Microsoft IIS is a classic web server that provides information publishing and resource sharing for users. Authentication is the basic mechanism for securing the IIS service. IIS supports the following five web authentication methods:


I. Anonymous authentication

If anonymous access is enabled, users do not have to present authenticated credentials to reach the site. This option is suitable for information that is meant to be public and has no security requirements. IIS creates the IUSR_ComputerName account, where ComputerName is the name of the server running IIS, and uses it to authenticate anonymous users when they request web content; the account is granted the right to log on locally. Every anonymous request runs under that account, so whatever its NTFS permissions allow it to read is effectively readable by everyone. You can change the anonymous user to any valid Windows account, and you can assign different anonymous accounts to different websites, virtual directories, physical directories and files. If the Windows Server 2003 computer is a stand-alone server, the IUSR_ComputerName account is a local account on that server; if the server is a domain controller, the IUSR_ComputerName account is defined in the domain.

II. Basic authentication

Basic authentication lets you restrict access to files on an NTFS-formatted web server. Users must supply credentials, and access is granted according to the user ID. Both the user ID and the password are sent across the network in clear text. To use Basic authentication, each user must be granted the right to log on locally; to make management easier, add the users to a group that has access to the required files. The credentials are base64-encoded, but base64 is an encoding, not encryption, and anyone who can capture the request can recover the password. Basic authentication is therefore considered insecure unless the connection itself is protected with SSL/TLS.

III. Integrated Windows authentication

Integrated Windows authentication is safer than Basic authentication and works well in an intranet environment where users have Windows domain accounts. The browser first tries to use the credentials of the currently logged-on domain user; if that attempt fails, it prompts for a user name and password. With Integrated Windows authentication the password itself is never transferred to the server. A user who is logged on to the local computer as a domain user does not have to authenticate again when accessing other computers in the domain. Integrated authentication was formerly called NTLM or Windows NT Challenge/Response authentication. It uses Kerberos version 5 and NTLM: with Kerberos the client presents a ticket, and with NTLM it answers a server challenge with a value derived from the password hash, so in neither case does the password cross the network. It is intended for clients that are domain members and does not work over HTTP proxy connections. Note: if several authentication options are selected, IIS first tries to negotiate the most secure method and then works through the remaining protocols in its list of enabled authentication methods until it finds one that both the client and the server support.

IV. Digest authentication

Digest authentication requires a user ID and password and provides a medium level of security. It can be used when you want to allow access to protected information from a public network. It offers the same functionality as Basic authentication but overcomes many of its shortcomings: with Digest authentication the password is not sent in clear text, and Digest authentication also works through proxy servers. Digest authentication uses a challenge/response mechanism integrated with Windows authentication: the server sends a nonce, and the client answers with an MD5 hash computed from the user name, realm, password, nonce and request, so only that hash, not the password, crosses the network.

To use Digest authentication, the following requirements must be met:

The user and the IIS server must be members of the same domain, or of domains that trust each other.

The user must have a valid Windows user account stored in Active Directory on the domain controller.

The domain must use a domain controller running Microsoft Windows 2000 or later.

The IISSuba.dll file must be installed on the domain controller. This file is copied automatically during Windows 2000 or Windows Server 2003 installation.

Every user account must have the "Store password using reversible encryption" account option selected, and the password must be reset or re-entered after the option is selected. This is the price of Digest authentication: the server has to obtain the clear-text password to recompute the client's hash, so the domain controller holds those passwords in recoverable form. Enable the option only for the accounts that actually need it.
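The difference between Basic and Digest is easiest to see in the headers themselves. The following Python is an added example, not code from the article or from IIS: it builds and decodes a Basic Authorization header, then walks through a Digest exchange (the server's 401 challenge, the client's response computed with the RFC 2617 MD5 arithmetic for qop=auth, and the server's verification against a stored password). The realm iis.example.local and the account alice / s3cret! are constructed for the demo.

```python
"""Added example (not from the original article): what Basic and Digest
credentials look like on the wire, and how a server verifies a Digest
response (RFC 2617 MD5 arithmetic, qop=auth). The realm, account and
password below are constructed for the demo."""
import base64
import hashlib
import re
import secrets

REALM = "iis.example.local"        # hypothetical realm
ACCOUNTS = {"alice": "s3cret!"}    # constructed account; the Digest server side
                                   # needs the clear-text password (or HA1)


def basic_header(user: str, password: str) -> str:
    """Authorization header a browser sends for Basic: base64 of user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """Anyone who captures the request recovers the password: base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_challenge() -> tuple:
    """Server side: the WWW-Authenticate value of the 401. Returns (header, nonce)
    so the server can remember which nonce it issued."""
    nonce = secrets.token_hex(16)
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"', nonce


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2). The password only enters HA1."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(user, password, realm, method, uri, nonce, cnonce=None, nc="00000001"):
    """Client side: the Authorization header answering a challenge."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(user, password, realm, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest(header: str) -> dict:
    """Split a Digest credential into its key=value parameters (quoted or bare)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest credential")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]*)', params)}


def digest_verify(header: str, method: str, request_uri: str, issued_nonce: str) -> bool:
    """Server side: recompute the response from the stored password and compare.
    Also binds the credential to the nonce the server issued and to the actual request."""
    try:
        p = parse_digest(header)
    except ValueError:
        return False
    password = ACCOUNTS.get(p.get("username", ""))
    if password is None or p.get("realm") != REALM or p.get("nonce") != issued_nonce:
        return False  # unknown user, wrong realm, or a replayed/forged nonce
    if p.get("uri") != request_uri:
        return False  # credential computed for a different resource
    try:
        expected = digest_response(p["username"], password, REALM, method, p["uri"],
                                   p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    except KeyError:
        return False  # malformed header
    return secrets.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    # Basic: the sniffer's view of the request
    basic = basic_header("alice", "s3cret!")
    print(basic, "->", basic_decode(basic))
    # Digest: challenge, response, verification; the password appears in neither header
    challenge, nonce = digest_challenge()
    auth = digest_header("alice", "s3cret!", REALM, "GET", "/secure/", nonce)
    print(challenge)
    print(auth)
    print("verified:", digest_verify(auth, "GET", "/secure/", nonce))
    bad = digest_header("alice", "nope", REALM, "GET", "/secure/", nonce)
    print("wrong password:", digest_verify(bad, "GET", "/secure/", nonce))
```

Running the block prints both headers: the Basic one decodes straight back to the password, while the Digest header exposes only a 32-character hex response bound to the server's nonce, the method and the URI, which is why the verifier rejects it for a different nonce or request. The server side has to recompute HA1 from the clear-text password, which is exactly what the reversible-encryption requirement above exists for; and because an MD5 response for a short password can be brute-forced offline from a captured exchange, Digest still rates only as a medium level of protection.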

V. Microsoft .NET Passport authentication

.NET Passport authentication provides single sign-on, allowing users to access a range of services across the Internet with one set of credentials. If this option is selected, requests to the IIS service must carry valid .NET Passport credentials in the query string or in a cookie. If IIS does not find .NET Passport credentials, the request is redirected to the .NET Passport logon page. When this option is selected, all other authentication methods are unavailable.
