How Web Authentication works
Web authentication is the communication between Web browsers and web servers, involving a small number of Hypertext Transfer Protocol (HTTP) headers and error messages.
The communication process is as follows:
- The Web browser sends a request, such as HTTP-Get.
- The Web server performs an authentication check. If the authentication fails, the server returns an error message similar to the following: You are not authorized to view this webpage.
You do not have permission to use the creden。 you provided to view this directory or page.
The Web browser can use the information provided in this message to resubmit the request as an authenticated request.
- Web browsers use server responses to construct new requests that contain authentication information.
- The Web server performs an authentication check. If the check succeeds, the web server sends the data originally requested to the Web browser.
Note:: When using some of the following authentication methods, you must use a drive formatted with the NTFS file system, because the NTFS formatted drive has the highest security level.
IIS supports the following Web authentication methods.
IIS creates IUSR _ComputernameAccount (whereComputernameIs the name of the server running IIS), used to authenticate anonymous users when requesting Web content. This account grants the User Local logon permission. You can reset anonymous user access to any valid Windows account.
Note:: You can create different anonymous accounts for different websites, virtual directories, physical directories, and files.
If a computer based on Windows Server 2003 is an independent server, then IUSR _ComputernameThe account is located on the local server. If the server is a domain controller, then IUSR _ComputernameThe account is defined for this domain.
You can use basic authentication to restrict access to files on the NTFS-format web server. To use basic authentication, you must enter creden。 and access is based on the user ID. Both the user ID and password are sent between networks in plain text.
To use basic authentication, authorize each user to log on locally. To make management easier, add each user to a group that can access the required files.
Note:: User creden are base64 encoded, but they are not encrypted during network transmission. Therefore, basic authentication is considered insecure.
Windows integrated Authentication
Windows Integrated Identity Authentication is safer than basic identity authentication, and plays a role well in the Intranet environment where the user has a Windows domain account. In integrated Windows authentication, the browser attempts to use the creden used by the current user during domain login. If this attempt fails, the browser prompts the user to enter the user name and password. If you use integrated Windows authentication, your password will not be transferred to the server. If a user logs on to the local computer as a domain user, the user does not have to perform authentication again when accessing the network computer in the domain. Note that if you are using Windows integrated authentication, you must use Microsoft Internet Explorer 2.0 or later as a web browser.
Note:: You cannot use integrated Windows Authentication through the proxy server.
Digest authentication overcomes many disadvantages of basic authentication. When digest authentication is used, the password is not sent in plain text. In addition, you can use digest authentication on the proxy server. Digest authentication uses a question/Response Mechanism (integrated with the mechanism used for Windows Authentication), where the password is sent encrypted. To use digest authentication, note the following requirements:
- The user and the IIS server must be members of the same domain or be trusted by the same domain.
You must have a valid Windows User Account stored in Active Directory on the domain controller.
This domain must use a domain controller of Microsoft Windows 2000 or later.
The iissuba. dll file must be installed on the domain controller. This file will be automatically copied during Windows 2000 or Windows Server 2003 installation.
All user accounts must be configured to select the "Save Password with Reversible Encryption" account option. To select this account option, you must reset or re-enter the password.
Note:: If you are using digest authentication, you must use Microsoft Internet Explorer 5.0 or later as your web browser.
. NET Passport Authentication
Microsoft. NET Passport is a user authentication service that allows a single check-in security, making it safer for users to access. NET Passport-enabled websites and services. Websites with. NET Passport enabled rely on the. NET Passport central server to authenticate users. However, the central server does not authorize or deny specific users to access. NET Passport-enabled sites. The website is responsible for controlling user permissions. When this option is selected, IIS requests must contain valid. NET Passport creden。 in the query string or cookie. If IIS does not detect. NET Passport credensport, these requests are redirected to the. NET Passport logon page.
Customer certificate ing
Customer certificate ing is a method for creating mappings between certificates and user accounts. In this model, the user provides a certificate and the system checks this ing to determine which user account to log on. You can map a certificate to a Windows user account using either of the following methods:
- By Using Active Directory.
Use the rules defined in IIS.
For more information about how to map customer certificates to user accounts, search for "customer certificate ing" in the IIS documentation ". If IIS is installed, you can access the Help File in one of the following ways:
- Right-click any node in Internet Service Manager and click "help ".
Start Windows Resource Manager and findHard Disk: \ Windows \ Help folder, and then open lismmc. CHM.
You can configure various authentication methods to control access to the following items on the IIS server:
- All Web content hosted on the IIS server.
Websites hosted on the IIS server.
Each virtual directory or physical directory on the website.
Each webpage or file on the website.
How to configure IIS website Authentication
- Log on to the web server using the management account.
- Start the IIS manager or open the IIS Management Unit.
- Expand"SERVER_NAME", WhereSERVER_NAMEIs the name of the server, and then expand "website ". Use one of the following methods (depending on the situation) and click "properties ":
- To configure authentication for all web content hosted on the IIS server, right-click "website ".
- To configure authentication for a single website, right-click the desired website.
- To configure authentication for virtual or physical directories on the website, right-click the target website and choose the desired directory, such as _ vti_pvt ".
- To configure authentication for a single webpage or file in the website, click the desired website, click the folder containing the desired file or webpage, and right-click the desired file or webpage.
- In theItemnameProperties dialog box (whereItemnameIs the name of the selected project), click "Directory Security" or "file security" tab (as needed ).
- Under anonymous access and authentication control, click Edit ".
- Click to select the "Anonymous Access" check box to enable Anonymous Access. To disable anonymous access, click to clear this check box.
Note:: If anonymous access is disabled, you must configure some other forms of authentication access.
To change the account for anonymous access to this resource, Click Browse, click the user account you want to use, and then click OK ".
- Under "access authentication", to use integrated Windows authentication, click to select the "Windows integrated authentication" check box.
Note:: This authentication method was previously called Microsoft Windows NT question/response or nt lan administrator (NTLM ).
- To use digest authentication, click to select the "Digest authentication for Windows Domain servers" check box. Click Yes when you receive the following message: Digest authentication can only be used by Active Directory domain accounts. For more information about configuring Active Directory domain accounts to allow digest authentication, click Help ".
Are you sure you want to continue?
Enter the domain name in the fields field.
Note:: You must configure the user account to select the "Save Password with Reversible Encryption" account option. To use basic authentication, click to select the "Basic Authentication (send password in plaintext)" check box. When you receive the following message, click "yes ":The selected authentication method will cause the password to be transmitted on the network in unencrypted form. People who deliberately undermine system security can use protocol analysis programs to crack users and passwords during authentication. For more information about user authentication, see online help. This warning does not apply to HTTPS (or SSL) connections.
Are you sure you want to continue?
- To specify the domain used to authenticate the user who uses basic authentication, enter the required domain in the "default domain" box.
- In this case, you can enter a value in the field box.
- To use. NET Passport authentication, click to select the. NET Passport authentication check box.
Note:: If this option is selected, other authentication methods are unavailable. Click OK.Item NameIn the Properties dialog box, click OK ". If the "inherit overwrite" dialog box is displayed, follow these steps:
- Click Select All to apply the new Authentication Settings to all files or folders in the changed project.
- Click OK ".
- Exit the IIS manager or disable the IIS Management Unit.