Analysis of common authentication modes in IIS, such as anonymous, bisic, digest, and Windows Authentication

Source: Internet
Author: User

Basic Authentication:

Step 1:

The client requests the service through anonymouse authentication.

Step 2:

After the server receives the request, it specifies its Authentication Mode in its HTTP header, Which is basic authentication. Therefore, the client is required to provide a valid credential. The Header Format is shown in, and 401 is returned to the client.

Step 3:

After the client accepts the response returned by the server, it learns from its header that its authentication mode is basic authentication. Therefore, in the corresponding dialog box displayed on the client, it is required to enter username & password to form a valid client credential, the credential is written in the HTTP header in plain text and sent to the server.

Step 4:

After the server receives the request, it extracts valid client credential from the header and verifies the credential. If the request passes, process the request. Otherwise, 401 is returned to the client.

Note: domain environment is not required for client credential verification.In iis7, We can customize a basic authentication module to verify the credential's validity.

Digest Authentication

Step 1:

The client requests the service through anonymouse authentication.

Step 2:

After the server receives the request, it specifies in its HTTP header that its authentication mode is digest authentication, which requires the client to provide a valid credential and specify the credential provided by the client to generate a message digestAlgorithmAs shown in. Shows the Header Format and returns 401 to the client.

Therefore, digest authentication cannot see the password provided by the client, and can only see the message digest generated for its credential. Even if it is intercepted, these are meaningless to the 3rd party. In this way, credential is much safer than plaintext transmission of basic authentication.

Step 3:

After the client accepts the response returned by the server, it learns from its header that its authentication mode is digest authentication. Therefore, in the corresponding dialog box displayed on the client, it is required to enter username & password to form a valid client credential, the credential is encrypted into the HTTP header Through the message digest secret algorithm, and then transmitted to the server together with the request. the package sent out is shown in:

Step 4:

After the server receives the request, it extracts valid client credential from the header and connects to the DC Through the LDAP service to find the domain user with the matching username and digest information. If it is found, the credential is valid, and process the request is started. Otherwise, 401 is returned to the client.

 

Integrated Windows Authentication

Step 1:

The client requests the service through anonymouse authentication.

Step 2:

After the server receives the request, it specifies in its HTTP header that its authentication mode is integrated Windows authentication. The Header Format is shown in, and 401 is returned to the client. Integrated Windows authentication can be used in two ways: NTLM and Kerberos authentication, while negotiate is actually used in NTLM and Kerberos wrapper. Kerberos authentication is used in priority conditions.

Step 3:

Verify whether the TGS provided by the customer is valid through the established Kerberos or NTLM Authentication mode. If yes, the request is processed. Otherwise, put it back to 401.

 

Related Article

E-Commerce Solutions

Leverage the same tools powering the Alibaba Ecosystem

Learn more >

Apsara Conference 2019

The Rise of Data Intelligence, September 25th - 27th, Hangzhou, China

Learn more >

Alibaba Cloud Free Trial

Learn and experience the power of Alibaba Cloud with a free trial worth $300-1200 USD

Learn more >

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.