Five types of authentication in IIS services

Source: Internet
Author: User
Tags: microsoft, iis

Reprint: http://os.51cto.com/art/201005/202380.htm

IIS, one of Microsoft's most classic Web services, offers roughly five ways to authenticate Web users. Authentication is essential to the security of an IIS service, so it is important to understand each IIS authentication method and to apply it appropriately.

"51CTO exclusive feature" Microsoft IIS is a classic Web service that gives users the ability to publish information and share resources. Authentication is the underlying mechanism for securing an IIS service, and IIS supports the following five Web authentication methods:


I. Anonymous authentication

If you enable anonymous access, visitors are not required to provide credentials when they visit the site. This option is most appropriate for public access to information that has no security requirements. IIS creates the IUSR_computername account, where computername is the name of the server running IIS, and uses it to authenticate anonymous users when they request Web content. This account is granted the right to log on locally. You can reset anonymous user access to use any valid Windows account, and you can create different anonymous accounts for different Web sites, virtual directories, physical directories, and files. If a Windows Server 2003-based computer is a stand-alone server, the IUSR_computername account is located on the local server; if the server is a domain controller, the IUSR_computername account is defined for that domain.

II. Basic authentication

Basic authentication restricts access to files on an NTFS-formatted Web server. The user must enter credentials, and access is granted based on the user ID. Both the user ID and password are sent across the network in clear text. To use Basic authentication, grant each user permission to log on locally; to make management easier, add each user to a group that has access to the required files. Because user credentials are only Base64-encoded, not encrypted, when they are transmitted over the network, Basic authentication is considered an insecure way to authenticate.

III. Integrated Windows authentication

Integrated Windows authentication is more secure than Basic authentication and works well in an intranet environment where users have Windows domain accounts. With Integrated Windows authentication, the browser first attempts to use the credentials the current user supplied during domain logon; only if that attempt fails is the user prompted for a user name and password. The user's password is never delivered to the server. If the user is logged on to the local computer as a domain user, the user does not have to authenticate again when accessing other computers in that domain. Integrated authentication, formerly known as NTLM or Windows NT Challenge/Response authentication, sends authentication information over the network in the form of a Kerberos ticket and provides a high level of security. Integrated Windows authentication uses Kerberos version 5 and NTLM authentication. Note: if more than one authentication option is selected, IIS first attempts to negotiate the most secure method and then works down the list of available authentication protocols until it finds one that both the client and the server support.
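The negotiation described above shows up on the wire as a WWW-Authenticate header carrying one challenge per enabled method. The following is an added example, not code from the original article or from IIS: it parses such a header (including quoted parameter values that contain commas) and picks the strongest scheme in the order the text gives (Kerberos via Negotiate, then NTLM, then Digest, then Basic), refusing Basic unless the connection is protected by TLS. The sample header and its nonce value are constructed for the example; the selection is a client-side policy, not the IIS server's own negotiation code.

```python
import re

# Strength ranking, strongest first, following the order the text describes:
# Kerberos (carried by the Negotiate scheme), then NTLM, then Digest, then Basic.
# Unknown schemes rank 0 and are never chosen.
SCHEME_STRENGTH = {"negotiate": 4, "ntlm": 3, "digest": 2, "basic": 1}

# One HTTP token, optionally followed by "=" and a value that is either a quoted
# string (commas allowed inside) or a bare token. A match without a value is the
# start of a new challenge (its scheme name); a match with a value is an
# auth-param belonging to the most recent challenge.
_TOKEN_RE = re.compile(r'([A-Za-z0-9_\-]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+))?')


def parse_challenges(header_value):
    """Split one WWW-Authenticate header value into [(scheme, {param: value}), ...]."""
    challenges = []
    for match in _TOKEN_RE.finditer(header_value):
        name, value = match.group(1), match.group(2)
        if value is None:
            challenges.append((name.lower(), {}))
        elif challenges:  # a param before any scheme name is malformed; ignore it
            if value.startswith('"'):
                value = value[1:-1].replace('\\"', '"')
            challenges[-1][1][name.lower()] = value
    return challenges


def choose_scheme(challenges, over_tls):
    """Pick the strongest scheme both sides understand. Basic is acceptable only
    over TLS, because otherwise the Base64-encoded user ID and password are
    readable by anyone on the network path."""
    ranked = sorted(((SCHEME_STRENGTH.get(scheme, 0), scheme) for scheme, _ in challenges),
                    reverse=True)
    for strength, scheme in ranked:
        if strength == 0:
            continue
        if scheme == "basic" and not over_tls:
            continue
        return scheme
    return None


# Constructed sample header, as a site with all four methods enabled might send
# it (the nonce value is made up and deliberately contains a comma).
SAMPLE_HEADER = ('Negotiate, NTLM, Digest realm="iis.example", qop="auth", '
                 'nonce="abc,123", Basic realm="iis.example"')

if __name__ == "__main__":
    parsed = parse_challenges(SAMPLE_HEADER)
    for scheme, params in parsed:
        print(scheme, params)
    print("chosen over plain HTTP:", choose_scheme(parsed, over_tls=False))
```

With the sample header the client settles on Negotiate; if the site offered only Basic over plain HTTP, `choose_scheme` returns `None`, which is the outcome a defender wants rather than silently sending credentials in the clear.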

IV. Digest authentication

Digest authentication requires a user ID and password and provides a moderate level of security; it can be used when you want to allow access to secured information from a public network. This method offers the same functionality as Basic authentication but overcomes many of its drawbacks: with Digest authentication the password is not sent in clear text, and users can authenticate through a proxy server. Digest authentication uses a challenge/response mechanism (the same mechanism used by Integrated Windows authentication) in which passwords are sent in encrypted form.
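The contrast between the Basic section and the Digest section above (credentials merely Base64-encoded versus a challenge/response that keeps the password off the wire) is easiest to see by building both exchanges. The following is an added example, not code from the original article or from IIS: it shows that a Basic Authorization header decodes straight back to the password, then walks a Digest exchange as specified in RFC 2617 (MD5, qop=auth), with the client computing the response and the server verifying it from a stored HA1 value and the nonce it issued. The user name, password, realm, URI and nonce are constructed sample values; the RFC 2617 test vector is used only in the test.

```python
import base64
import hashlib
import secrets


# --- Basic: the header is encoding, not encryption -------------------------------
def basic_header(user, password):
    """Build the Authorization header a client sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header):
    """Decode the header back to (user, password). Anyone who can read the
    unencrypted HTTP traffic can do exactly this, which is why the text calls
    Basic authentication insecure without a protected transport."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest: RFC 2617 MD5 challenge/response with qop=auth -----------------------
def _h(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is the value the server needs to
    verify responses; it can be derived only if the server can obtain the
    clear password (hence the reversible-encryption requirement in the text)."""
    return _h(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_digest_answer(user, realm, password, method, uri, nonce):
    """Client side: everything that goes on the wire. The password itself is
    folded into HA1 and never transmitted."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    response = digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": user, "realm": realm, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce, "qop": "auth", "response": response}


def server_verify_digest(answer, method, stored_ha1, issued_nonce):
    """Server side: reject a nonce the server did not issue (replay defence),
    recompute the expected response from the stored HA1 and compare in
    constant time."""
    if answer["nonce"] != issued_nonce:
        return False
    expected = digest_response(stored_ha1, method, answer["uri"], answer["nonce"],
                               answer["nc"], answer["cnonce"], answer["qop"])
    return secrets.compare_digest(expected, answer["response"])


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    header = basic_header("alice", "s3cret")
    print(header, "->", recover_basic_credentials(header))

    nonce = "constructed-nonce-42"  # the server would generate this per challenge
    ha1 = digest_ha1("alice", "iis.example", "s3cret")
    answer = client_digest_answer("alice", "iis.example", "s3cret", "GET", "/secure/", nonce)
    print("password on the wire:", "s3cret" in str(answer))
    print("server accepts:", server_verify_digest(answer, "GET", ha1, nonce))
```

The server-side check deliberately takes only HA1 and the nonce it issued: a verifier that needs neither the clear password at request time nor trusts a client-supplied nonce is the minimum that makes the "not sent in clear text" property in the text actually hold.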

To use Digest authentication, the following requirements must be met:

Users and IIS servers must be members of the same domain or trusted by the same domain.

The user must have a valid Windows user account stored in Active Directory on the domain controller.

The domain must use a Microsoft Windows 2000 or later domain controller.

The IISSuba.dll file must be installed on the domain controller. This file is automatically copied during the installation of Windows 2000 or Windows Server 2003.

All user accounts must have the "Store password using reversible encryption" account option selected. After selecting this option, the password must be reset or re-entered for it to take effect.

V. Microsoft .NET Passport authentication

.NET Passport authentication provides a single sign-on service that gives users access to various services on the Internet. If you select this option, requests to the IIS service must contain valid .NET Passport credentials in the query string or in a cookie. If IIS does not detect .NET Passport credentials, the request is redirected to the .NET Passport sign-in page. Also, if you select this option, all other authentication methods become unavailable.
