Authentication in IIS

Source: Internet
Author: User
Tags: password protection

This article is taken from MSDN:
http://msdn.microsoft.com/library/chs/default.asp?url=/library/CHS/vsent7/html/vxconiisauthentication.asp

Authentication and credentials

An important part of many distributed applications is identifying a person (called a principal or client) and controlling that client's access to resources. Authentication is the act of verifying the client's identity. In general, the client must provide some evidence, known as credentials, to prove its identity; typically, credentials consist of a user name and password pair. Internet Information Services (IIS) and ASP.NET both provide several authentication schemes.

Anonymous

Anonymous authentication allows users to access the public areas of a Web site without being prompted for a user name and password. IIS uses a specific user account (IUSR_machinename) and provides that account's stored credentials to Windows. By default, IIS controls the password of this account. Whether IIS controls the password affects the permissions of anonymous users.

Advantages

  • Provides the best performance, because anonymous authentication incurs no per-user system overhead.
  • No individual user accounts need to be managed.
  • If IIS does not control the password, network resources can be accessed.

Disadvantages

  • Clients cannot be authenticated individually.
  • If IIS does not control the password, the account must be able to log on locally.

ASP.NET Web.config

Use the Web.config file to configure ASP.NET and specify either no authentication or Windows authentication.

Integrated Windows Authentication

Integrated Windows authentication can use either NTLM or Kerberos V5 authentication. When Internet Explorer attempts to access a protected resource, IIS sends two WWW-Authenticate headers, Negotiate and NTLM. If Internet Explorer does not recognize Negotiate, it uses NTLM. The mechanism actually used is therefore determined by negotiation between Internet Explorer and IIS.

Integrated Windows authentication is the best authentication solution in an intranet environment where users have Windows domain accounts, especially when Kerberos is used. Like digest authentication, integrated Windows authentication does not pass the user's password over the network; hash values are exchanged instead.

Advantages

  • It can be used with Kerberos to enable delegation of security credentials.
  • It is the best solution for a Windows intranet environment.

Disadvantages

  • It cannot authenticate through a firewall by way of a proxy, unless used over a PPTP connection.
  • If NTLM is selected, delegation to other servers is not supported.
  • Only Internet Explorer 2.0 and later support it.
  • Only IIS 5.0 and later versions support Kerberos.

Basic

IIS implements basic authentication, which is part of the HTTP 1.0 standard and uses Windows user accounts. With basic authentication, the browser prompts the user for a user name and password. This information is then Base64-encoded and transmitted over HTTP. Basic authentication is inherently insecure: because Base64-encoded data is trivial to decode, the password is effectively sent in plain text. By default, basic authentication requires the Windows user account to have the right to log on locally to the Web server.

Advantages

  • As it is part of the HTTP 1.0 specification, basic authentication is the most widely supported user authentication solution.
  • Authentication can pass through a proxy server.
  • Individual users can be tracked.
  • If the account has the right to log on to the Web server locally, network resources can be accessed.
  • It can be used with Kerberos to enable delegation of security credentials.

Disadvantages

  • Not secure unless SSL/TLS is used; however, SSL/TLS may affect performance.
  • Requires an individual Windows account for each user.

Digest

Digest authentication overcomes the primary weakness of basic authentication: sending passwords in plain text. Digest authentication is a challenge/response mechanism that sends a digest (also known as a hash) over the network rather than the password. When the client attempts to access a resource that requires digest authentication, IIS sends a challenge to the client, asking it to create a digest and send it to the server. The client combines its password with data that both the client and the server know, including the challenge. The client then applies a digest algorithm (specified by the server) to the combined data and sends the result to the server as its response to the challenge. The server takes its own copy of the client's password, obtained from Active Directory, and applies the same process as the client to create a digest; for this to work, passwords must be stored in Active Directory using reversible encryption. If the digest created by the server matches the digest created by the client, IIS authenticates the client.

Advantages

  • Sends a digest over the network instead of the password.
  • Works with proxy servers and firewalls.
  • SSL/TLS is not required to protect the password.

Disadvantages

  • Security credentials cannot be delegated.
  • Only Internet Explorer 5.0 and later support it.
  • It is subject to replay attacks unless SSL/TLS is used.
  • Requires passwords to be stored in Active Directory using reversible encryption, which is equivalent to storing them in clear text.
  • Requires a domain account in Active Directory for each user.
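To make the challenge/response flow and its two listed weaknesses concrete, here is an added example (not from the MSDN article, and not how IIS is implemented) that models digest authentication with the RFC 2617 MD5 computation. The realm, user name and password are constructed sample values; the server must keep the cleartext password, which is why reversible encryption is needed.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the article). The server keeps the cleartext
# password because it must recompute the same digest as the client.
REALM = "example.local"
USERS = {"alice": "s3cret!"}

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_challenge() -> dict:
    """Server: send the realm, a fresh nonce and the qop to the client."""
    return {"realm": REALM, "nonce": os.urandom(16).hex(), "qop": "auth"}

def digest_response(user, password, method, uri, chal, cnonce, nc="00000001"):
    """RFC 2617: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2). Used by both sides."""
    ha1 = _md5(f"{user}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:{chal['qop']}:{ha2}")

def client_authorize(user, password, method, uri, chal):
    """Client: build the Authorization fields; the password itself is never sent."""
    cnonce = os.urandom(8).hex()
    return {"username": user, "uri": uri, "nonce": chal["nonce"], "cnonce": cnonce,
            "nc": "00000001", "qop": chal["qop"],
            "response": digest_response(user, password, method, uri, chal, cnonce)}

def server_verify(method, chal, auth):
    """Server: recompute from its own copy of the password and compare.
    Nothing here makes the nonce single-use, so a captured Authorization header
    re-sent while the nonce is still valid would verify too (the replay
    weakness listed above); TLS is what closes that gap."""
    password = USERS.get(auth["username"])
    if password is None or auth["nonce"] != chal["nonce"]:
        return False
    expected = digest_response(auth["username"], password, method, auth["uri"],
                               chal, auth["cnonce"], auth["nc"])
    return hmac.compare_digest(expected, auth["response"])

def demo(password):
    """One full challenge/response exchange for user alice."""
    chal = make_challenge()
    auth = client_authorize("alice", password, "GET", "/private/", chal)
    return server_verify("GET", chal, auth)
```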

ASP.NET Web.config

<system.web>
  <authentication mode="Windows"/>
</system.web>
