From  CertCities.com
Column
Zubair's Security Zone
IIS 6.0 Authentication Methods
Do you understand the various methods and what happens when they're combined? If not, read on.

by Zubair Alexander

12/6/2006 -- Internet Information Services (IIS) provides several authentication methods to control users' access to Web and FTP sites. Authentication is the process of requiring a user to prove possession of a valid Windows user account and password before a request is served. An administrator can configure the authentication methods at several levels in IIS (the Web or FTP site, a virtual directory, a directory, or an individual file); the NTFS permissions on the content then decide what the authenticated account is actually allowed to do. If you are responsible for managing Web sites on your network, it is important that you not only fully understand these authentication methods individually, but also know the effect they have when they are enabled in various combinations.

Let's look at these authentication methods in more detail, see which one might be the best choice for your environment, and see how you can enable several methods at once to manage user access.

The authentication methods are configured on the Directory Security tab of the Web site's properties, as shown in Figure 1.

Figure 1: IIS 6.0 authentication methods.

There are a couple of additional authentication contexts in IIS 6.0, such as FTP site authentication and Universal Naming Convention (UNC) authentication for content stored on a network share. However, in this article we will focus on the primary Web authentication methods shown above.

Anonymous
This method doesn't require a logon and is used to give users access to general areas of a Web site that are open to the public. Anonymous authentication is not really an authentication method, because users are never asked to log on and prove who they are. It simply grants access to any user who connects to the Web site and requests your Web pages. That's why you will notice that it's listed in its own area, separate from the "Authenticated access" area in Figure 1. Note that "no logon" does not mean "no account": IIS impersonates a fixed Windows account for every anonymous request, so the NTFS permissions granted to that account define exactly what the public can reach.

By default, IIS uses a specific Internet user account for anonymous access called IUSR_computername, where computername is the name of the computer that's running IIS. This account is added to the Guests group on the computer where IIS is installed. If you are used to working with previous versions of IIS, you probably know that this account needed the "Allow log on locally" user right. IIS 6.0 no longer requires that right for this account, because it logs the anonymous account on with a network logon by default. Anonymous access is supported by all browsers.

Basic
Basic authentication prompts users for an account name and password. Although Windows stores the password on the server only as a hash, the credentials cross the network in the Authorization header merely Base64-encoded, which anyone watching the traffic can reverse instantly; treat it as clear text. When you use this method in combination with Secure Sockets Layer (SSL), the encrypted tunnel protects the credentials in transit. Using Basic with SSL is the most common method of providing authentication to users. One of the reasons it has become the industry standard is that it works with all the popular browsers.

With Basic authentication, a user always has to type in credentials once per browser session, even if the user is already logged on to the domain with the same account and password that is used to access the Web pages. When you close your browser and revisit the same Web site, you have to reenter your credentials, unless you selected the option to remember passwords, which is not recommended.

Digest
This authentication method only works with Active Directory domain accounts, and since not all browsers support it, it is not a good choice for hosting public Web sites on the Internet. It is more practical for an intranet Web site. It works much like Basic authentication, except that instead of the password itself the browser sends an MD5 hash, or message digest, computed over the user name, realm, password and a nonce that the server issued in its challenge. Because only the digest is sent, someone who captures the packets cannot simply read the password out of them. Two caveats apply, though. First, every other input to the digest is visible in the same capture, so a weak password can still be recovered by an offline dictionary attack against the captured response. Second, standard Digest in IIS 6.0 requires the domain to store the users' passwords with reversible encryption, which is the main reason the Advanced Digest variant described next exists.
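To make the difference between the Basic and Digest sections concrete, here is an added example (not code from the article or from IIS) that plays the role of someone who captured an Authorization header on the wire. For Basic it decodes the credentials directly; for Digest it recomputes the RFC 2617 response (the no-qop form, which is what the description above amounts to) for each entry in a word list. The realm, nonce, URI, user name, password and word list are all constructed for the example.

```python
"""Added example (not from the article): what a passive observer can recover
from a captured Basic or Digest Authorization header.

All inputs below are constructed for the example: the realm, nonce, URI,
user name, password and word list are assumptions, not values from a
real capture or from the article."""
import base64
import hashlib
import re

REALM = "intranet.example.com"                  # assumed realm
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"    # server nonce, visible on the wire
URI = "/reports/q3.aspx"                        # requested URI, visible on the wire
WORDLIST = ["password", "Welcome1", "Summer2006", "letmein"]   # constructed


def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 Digest response without qop:
    MD5(HA1 ":" nonce ":" HA2) with
    HA1 = MD5(user ":" realm ":" password) and HA2 = MD5(method ":" uri)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def basic_header(user, password):
    """Authorization value a browser sends for Basic: Base64 of
    user:password, which is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_header(user, password, method="GET"):
    """Authorization value a browser sends for Digest; the password itself
    is not in it, only the response digest."""
    resp = digest_response(user, REALM, password, NONCE, method, URI)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{URI}", response="{resp}"')


def parse_digest_params(value):
    """Turn the key="value" list of a Digest header into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def recover_credentials(authorization, method="GET", wordlist=WORDLIST):
    """Act as the eavesdropper. Returns (scheme, user, password); password is
    None when Digest is in use and the guess list does not contain it."""
    scheme, _, rest = authorization.partition(" ")
    if scheme == "Basic":
        # Basic: one decode and the password is in hand.
        user, _, password = base64.b64decode(rest).decode().partition(":")
        return scheme, user, password
    if scheme == "Digest":
        # Digest: every hash input except the password is in the capture,
        # so each guess costs three MD5 calls. Weak passwords fall quickly.
        p = parse_digest_params(rest)
        for guess in wordlist:
            if digest_response(p["username"], p["realm"], guess,
                               p["nonce"], method, p["uri"]) == p["response"]:
                return scheme, p["username"], guess
        return scheme, p["username"], None
    raise ValueError(f"unsupported scheme: {scheme}")


if __name__ == "__main__":
    print(recover_credentials(basic_header("jdoe", "Summer2006")))
    print(recover_credentials(digest_header("jdoe", "Summer2006")))
    print(recover_credentials(digest_header("jdoe", "Tr0ub4dor&3")))
```

The Basic case needs no guessing at all, which is why the article insists on SSL for it. The Digest case shows what "only the hash is sent" buys you: the password is hidden from a casual reader of the capture, but nothing stops an attacker from trying candidate passwords against the response at MD5 speed, so Digest protects a strong password far better than a weak one.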

Advanced Digest
This variant removes the reversible-encryption requirement: the domain controller stores a precomputed MD5 hash, or message digest, of each user's credentials, so the clear-text password never has to be recoverable from the directory, which makes it harder for anyone who reads the directory to discover user passwords. It requires a domain controller running Windows Server 2003.

Advanced Digest authentication relies on the HTTP 1.1 protocol. It is not listed separately in the authenticated access box in Figure 1 but is configured in essentially the same way as Digest authentication. The only difference is that, in addition to enabling Digest authentication and setting the realm name, you also need to set the UseDigestSSP metabase property to "true" and restart the World Wide Web Publishing Service. According to Microsoft, the Advanced Digest method is preferred over Digest authentication.

For more information on configuring Advanced Digest authentication, see Microsoft's IIS 6.0 documentation.

Integrated Windows
In earlier versions of IIS, this method was referred to as NTLM, or Windows NT Challenge/Response, authentication. In IIS 6.0 it covers both Kerberos (offered to the browser as Negotiate) and NTLM. It requires the user to have a Windows account and password. This method is more secure than the Anonymous and Basic methods because the password is never sent across the network: NTLM answers a server challenge with a response derived from the password hash, and Kerberos presents a ticket. However, a captured NTLM challenge/response pair can be cracked offline by password-guessing tools, so a weak password is still exposed to anyone who can sniff the traffic.

This authentication method is not supported by all browsers. For example, Internet Explorer and Mozilla's Firefox support Integrated Windows authentication but Netscape does not, and NTLM's multi-step handshake is tied to a single TCP connection, which some HTTP proxies do not preserve. Therefore, it is not a good choice for a public Web site.

.NET Passport
Microsoft .NET Passport is a hosted user-authentication service: users sign in to Passport, and IIS maps the Passport identity to user information in your own databases. This allows you to offer .NET Passport members a personalized Web experience through targeted ads and specific content.

The .NET Passport service is compatible with Internet Explorer version 4.0 or later, Netscape Navigator version 4.0 or later, and some Unix versions. This authentication method is fairly complicated to set up and is not used very commonly.

Using Multiple Authentication Methods
Now that we've looked at the common Web authentication methods in IIS 6.0, let's see what happens when we use a combination of two or more authentication methods. Since .NET Passport is rarely used, we will look at Anonymous, Basic, Windows Integrated and Digest methods. The following table summarizes what you should expect when you use multiple authentication methods.

Anonymous   Windows Integrated   Digest    Basic     Authentication method used
---------   ------------------   -------   -------   ---------------------------------------------------------
Enabled     -                    -         -         Only Anonymous is used
-           Enabled              -         -         Only Windows Integrated is used
-           -                    Enabled   -         Only Digest is used
-           -                    -         Enabled   Only Basic is used
Enabled     Enabled              -         -         Anonymous is used first, then Windows Integrated
Enabled     -                    Enabled   -         Anonymous is used first, then Digest
Enabled     -                    -         Enabled   Anonymous is used first, then Basic
-           Enabled              Enabled   -         Windows Integrated is used first, then Digest
-           Enabled              -         Enabled   Windows Integrated is used first, then Basic
-           -                    Enabled   Enabled   Digest is used first, then Basic
-           Enabled              Enabled   Enabled   Windows Integrated is used first, then Digest, then Basic

(- = not enabled)

If you notice the pattern in the above table, Anonymous access is always used first, even in combination with another authentication method. The reason is mechanical: a browser's first request carries no credentials, so IIS serves it as the anonymous account, and only if that fails (for example, because the NTFS permissions on the file deny the IUSR account) does IIS return a 401 response listing the other enabled methods. In all other combinations, the more secure authentication method is used first, followed by the less secure one: IIS advertises every enabled method in its challenge, and the browser picks the strongest one it supports. For example, if you enable both Basic and Digest, a browser will use Digest first and fall back to Basic only if it cannot do Digest. If you enable Basic, Digest and Windows Integrated, then Windows Integrated will be used first, followed by Digest and then Basic. The practical consequence is that a browser that lacks the stronger method silently drops to the weakest one enabled, so if Basic is in the list at all, require SSL for the site.
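The following is an added model (not IIS code) of the negotiation the table and the paragraph above describe: a request with no Authorization header is served anonymously when that is enabled and the resource allows it; otherwise IIS answers 401 with one WWW-Authenticate header per enabled scheme, strongest first, and the browser picks the strongest scheme it understands. The realm string and the exact header texts are assumptions for the example.

```python
"""Added example (not IIS code): a model of how IIS 6.0 orders the enabled
authentication methods for one request, as the article's table describes.
The realm string and the header texts are assumptions for the example."""

# Challenges IIS sends in its 401 for each enabled method, strongest first.
# Integrated Windows is advertised as both Negotiate (Kerberos) and NTLM.
CHALLENGES = [
    ("Windows Integrated", ["Negotiate", "NTLM"]),
    ("Digest", ['Digest realm="intranet.example.com"']),
    ("Basic", ['Basic realm="intranet.example.com"']),
]


def first_response(enabled, anonymous_user_allowed=True):
    """Status and WWW-Authenticate headers for a request that carries no
    Authorization header. `enabled` is the set of method names checked in
    the dialog; `anonymous_user_allowed` says whether the NTFS ACL on the
    resource grants the IUSR account access."""
    if "Anonymous" in enabled and anonymous_user_allowed:
        return 200, []                    # served as IUSR, no challenge
    headers = [h for name, hs in CHALLENGES if name in enabled for h in hs]
    # Anonymous denied by ACL and nothing else enabled: IIS reports 401.3
    # (unauthorized due to ACL) and offers no scheme the client could use.
    return 401, headers


def client_choice(headers, client_supports):
    """The browser takes the strongest advertised scheme it understands;
    IIS has no say in this, which is the downgrade risk of enabling Basic."""
    for header in headers:
        scheme = header.split(" ", 1)[0]
        if scheme in client_supports:
            return scheme
    return None


def effective_order(enabled):
    """Sequence in which methods come into play, reproducing the table."""
    order = ["Anonymous"] if "Anonymous" in enabled else []
    return order + [name for name, _ in CHALLENGES if name in enabled]


if __name__ == "__main__":
    status, hdrs = first_response({"Windows Integrated", "Basic"})
    print(status, hdrs)
    print("IE:", client_choice(hdrs, {"Negotiate", "NTLM", "Basic"}))
    print("Basic-only client:", client_choice(hdrs, {"Basic"}))
```

Run as a script, the model shows Internet Explorer settling on Negotiate while a client that only speaks Basic gets Basic from the very same 401, which is the case the article warns about: the server cannot tell the difference between a browser that genuinely lacks NTLM and an attacker in the path who stripped the Negotiate and NTLM headers, so the clear-text credentials of the fallback are only safe if the site requires SSL.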

Now that you have a basic understanding of IIS authentication methods, you can be better prepared to set the authentication you need for your next Web project.


Zubair Alexander, MCSE, MCT, MCSA, and Microsoft MVP, is the owner of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 18 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at .

 

 

Copyright 2000-2005, 101communications LLC. See our Privacy Policy.