Enabling and Configuring Authentication

This topic contains a generalized procedure for enabling authentication and more detailed information on configuring the Anonymous, Basic, Digest, and integrated Windows authentication methods. It includes the requirements for using each method, special configuration issues, and more. If you are unfamiliar with these authentication methods, you might want to read more detailed information before enabling and configuring authentication on your server. For more information about these methods, see About Authentication.

Enabling Authentication
Configuring Anonymous Authentication
Configuring Basic Authentication
Configuring Digest Authentication
Configuring Integrated Windows Authentication

Enabling Authentication

Any authentication method, or multiple methods, can be enabled for any Web or FTP site, virtual directory, or file.

To enable a WWW authentication method

  1. Create a Windows user account appropriate for the authentication method. If appropriate, add the account to a Windows user group. For more information about creating Windows user accounts, see Securing Your Files with NTFS.
  2. Configure NTFS permissions for the directory or file for which you want to control access. For more information, see Setting NTFS Permissions for a Directory or File.
  3. In the Internet Information Services snap-in, select a site, directory, or file, and open its property sheets.
  4. Select the appropriate Directory Security or File Security property sheet. Under Anonymous Access and Authentication Control, click Edit.
  5. In the Authentication Methods dialog box, select one or more appropriate methods.

To enable an FTP authentication method

  1. Follow steps 1 through 3 above.
  2. Select the Security Accounts property sheet. Select the Allow Anonymous Connections check box.

    Note   Authentication can be set only at the site level for FTP sites.

  3. In the Username and Password text boxes, enter the anonymous logon user name and password you want to use. The user name is the name of the anonymous user account and is typically designated as IUSR_computername. If the Allow IIS to control password check box is selected, you need to clear it to change the password.
  4. Select the Allow IIS to control password check box to match passwords with Windows user accounts.

    Note   Password synchronization can be used only with anonymous user accounts defined on the local computer, and will not work with anonymous accounts on other computers on the network.

  5. Select the Allow only anonymous connections check box to require all users to log on as anonymous users.
  6. Click OK.
  7. Set appropriate NTFS permissions for the anonymous account. For more information, see Setting NTFS Permissions for a Directory or File.

Important   When you attempt to change properties for your Web site or virtual directory, your Web server will prompt you for permission to reset the properties of individual sub-directories and files under that site or directory. If you choose to reset these properties, your previous settings will be replaced by the new settings. For more information about setting properties, see Properties and Inheritance of Properties on Sites in About Web and FTP Sites.

Configuring Anonymous Authentication

By default, the IUSR_computername account is included in the Windows user group Guests. You can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts differing access permissions, or by assigning these accounts to different Windows user groups, you can grant users anonymous access to different areas of your public Web and FTP content.

The anonymous account must have the user right to log on locally. If the account does not have the Log On Locally right, IIS will not be able to service any anonymous requests. The IUSR_computername accounts on domain controllers are not assigned this right by default and must be granted the Log On Locally right to allow anonymous requests.

You can also change the security privileges for the IUSR_computername account in Windows. However, if the anonymous user account does not have permission to access a specific resource, your Web server will refuse to establish an anonymous connection for that resource. For more information, see Setting Web Server Permissions.

To change the account used for anonymous authentication

  1. In the Internet Information Services snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the appropriate Directory Security or File Security property sheet. Under Anonymous Access and Authentication Control, click Edit.
  3. In the Authentication Methods dialog box, under Anonymous access, click Edit.
  4. In the Anonymous User Account dialog box, either type in, or Browse to, the valid Windows user account you want to use for anonymous access.
  5. Clear the Allow IIS to control password check box to enter the account's password.

Important   If you change the IUSR_computername account, the changes will affect every anonymous request that is serviced by a Web server. Use caution if you modify this account.

Configuring Basic Authentication

Enabling Basic authentication does not automatically configure your Web server to authenticate users. Windows user accounts must be created and the NTFS permissions properly set, as described earlier.

To properly authenticate users with Basic authentication, the Windows user accounts being used for Basic authentication must have Log On Locally user rights. This right must be assigned because Basic authentication impersonates a local user (that is, a user physically logged on to the server). By default, user accounts on a Windows primary domain controller (PDC) are not granted the Log On Locally user rights.

Note   You can change the requirement for Log On Locally rights by using the Active Directory Service Interfaces (ADSI). For information, see the LogonMethod reference in the Active Server Pages Guide.

You must select a default logon domain. For more information, see Setting the Default Logon Domain.

Caution   The Basic authentication method transmits user names and passwords across the network in an unencrypted form. A computer vandal could use a network monitoring tool to intercept this information. You can use your Web server's encryption features, in combination with Basic authentication, to secure user account information transmitted across the network. For more information, see About Encryption.

Configuring Digest Authentication

Microsoft Internet Explorer version 5 is the only browser that currently supports Digest authentication.

Digest authentication will work only for domains with a Windows 2000 domain controller. The domain controller must have a plain-text copy of the passwords being used, because it must perform a hashing operation and compare the results with the hash sent by the browser. For more information about where these passwords are stored and other issues, see the Windows 2000 Server documentation.
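The following added example (not part of the original documentation) illustrates the Basic caution above and the Digest requirement in this paragraph: a Basic Authorization header is a reversible encoding that exposes the password to anyone who can read the traffic, while a Digest response can be verified only by a server that can recompute the same hash, which is why the domain controller needs the plain-text password. The user name, password, realm, nonce, and URI are constructed sample values; the Digest computation follows RFC 2617 without the qop extension.

```python
import base64
import hashlib

# Constructed sample values (not from the original page).
USER = "alice"
PASSWORD = "s3cret"
REALM = "intranet.example"                       # hypothetical realm
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # constructed server nonce
METHOD = "GET"
URI = "/reports/q3.asp"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials_from_header(header: str) -> tuple[str, str]:
    """Recover the user name and password from a Basic header.

    Base64 is an encoding, not encryption, so anyone observing the request
    (for example with a network monitor) learns the password directly.
    """
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri) -> str:
    """Digest response as the browser computes it: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # needs the plain-text password
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_password, user, realm, nonce, method, uri, response) -> bool:
    """Server-side check. The verifier must rebuild the identical hash, so it
    must hold the plain-text password (or at least HA1); a one-way password
    hash such as the normal Windows hash is not sufficient."""
    expected = digest_response(user, realm, stored_password, nonce, method, uri)
    return expected == response
```

The password never appears in the Digest exchange, but the domain controller that verifies it must store it in a reversible form, which is the reason the Important note below asks that it be protected.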

Important   Because the domain controller has plain-text copies of all of the passwords, it should be kept secure from physical or network attacks. For information about securing a server, see the Microsoft Windows 2000 Server Resource Kit.

Configuring Integrated Windows Authentication

Integrated Windows authentication does not work across proxy servers or other firewall applications.

If integrated Windows authentication fails, due to improper user credentials or some other problem, the browser will prompt the user to enter their user name and password.

Only Microsoft Internet Explorer, version 2.0 or later, supports integrated Windows authentication.


© 1997-1999 Microsoft Corporation. All rights reserved.