This topic contains a generalized procedure for enabling authentication and more detailed information on configuring the Anonymous, Basic, Digest, and integrated Windows authentication methods. It includes requirements for using the method, special configuration issues, and more. If you are unfamiliar with these authentication methods, you might want to read more detailed information before enabling and configuring authentication on your server. For more information about these methods, see About Authentication.
Enabling Authentication
Configuring Anonymous Authentication
Configuring Basic Authentication
Configuring Digest Authentication
Configuring Integrated Windows Authentication
Any authentication method, or multiple methods, can be enabled for any Web or FTP site, virtual directory, or file.
Note Authentication can be set only at the site level for FTP sites.
Note Password synchronization can be used only with anonymous user accounts defined on the local computer, and will not work with anonymous accounts on other computers on the network.
Note Your Web server will use the Basic, Digest, or integrated Windows authentication methods only under the following conditions:
Important When you attempt to change properties for your Web site or virtual directory, your Web server will prompt you for permission to reset the properties of individual sub-directories and files under that site or directory. If you choose to reset these properties, your previous settings will be replaced by the new settings. For more information about setting properties, see Properties and Inheritance of Properties on Sites in About Web and FTP Sites.
By default, the IUSR_computername account is included in the Windows user group Guests. You can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts differing access permissions, or by assigning them to different Windows user groups, you can grant users anonymous access to different areas of your public Web and FTP content.
The anonymous account must have the user right to log on locally. If the account does not have the Log On Locally permission, IIS will not be able to service any anonymous requests. The IUSR_computername accounts on domain controllers are not assigned this right by default and must be changed to Log On Locally to allow anonymous requests.
You can also change the security privileges for the IUSR_computername account in Windows. However, if the anonymous user account does not have permission to access a specific resource, your Web server will refuse to establish an anonymous connection for that resource. For more information, see Setting Web Server Permissions.
Important If you change the IUSR_computername account, the changes will affect every anonymous request that is serviced by a Web server. Use caution if you modify this account.
Enabling Basic authentication does not automatically configure your Web server to authenticate users. Windows user accounts must be created and the NTFS permissions properly set, as described earlier.
To properly authenticate users with Basic authentication, the Windows user accounts being used for Basic authentication must have Log On Locally user rights. This right must be assigned because Basic authentication impersonates a local user (that is, a user physically logged on to the server). By default, user accounts on a Windows primary domain controller (PDC) are not granted the Log On Locally user rights.
Note You can change the requirement for Log On Locally rights by using the Active Directory Service Interfaces (ADSI). For information, see the LogonMethod reference in the Active Server Pages Guide.
You must select a default logon domain. For more information, see Setting the Default Logon Domain.
Caution The Basic authentication method transmits user names and passwords across the network in an unencrypted form. A computer vandal could use a network monitoring tool to intercept this information. You can use your Web server's encryption features, in combination with Basic authentication, to secure user account information transmitted across the network. For more information, see About Encryption.
Microsoft Internet Explorer version 5 is the only browser that currently supports Digest authentication.
Digest authentication will work only for domains with a Windows 2000 domain controller. The domain controller must have a plain-text copy of the passwords being used, because it must perform a hashing operation and compare the results with the hash sent by the browser. For more information about where these passwords are stored and other issues, see the Windows 2000 Server documentation.
Important Because the domain controller has plain-text copies of all of the passwords, it should be kept secure from physical or network attacks. For information about securing a server, see the Microsoft Windows 2000 Server Resource Kit.
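The two points above, that Basic sends credentials in a form anyone on the wire can read, and that a Digest server must hold the plain-text password to recompute the browser's hash, are shown in the following added example, which is not part of this documentation or of IIS. All credentials, realm, nonce, and URI values are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample values (not from the documentation).
USERNAME = "alice"
PASSWORD = "s3cret"
REALM = "example.local"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
METHOD = "GET"
URI = "/private/index.htm"


def decode_basic(authorization_header):
    """Recover user and password from a Basic Authorization header.

    Base64 is an encoding, not encryption: whoever captures the request
    can read the credentials unless the connection itself is encrypted.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """RFC 2617 Digest response (no qop) as the browser computes it."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(username, realm, nonce, method, uri, client_response, stored_password):
    """Server-side check: the server can only recompute the response if it
    holds the plain-text password (or at least HA1), which is why the
    domain controller must store passwords in recoverable form."""
    expected = digest_response(username, realm, stored_password, nonce, method, uri)
    return expected == client_response


def demo():
    basic_header = "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    recovered = decode_basic(basic_header)
    client_resp = digest_response(USERNAME, REALM, PASSWORD, NONCE, METHOD, URI)
    accepted = verify_digest(USERNAME, REALM, NONCE, METHOD, URI, client_resp, PASSWORD)
    rejected = verify_digest(USERNAME, REALM, NONCE, METHOD, URI, client_resp, "wrong")
    return recovered, accepted, rejected
```

Note that the Digest exchange never carries the password itself, but a server that stores only a one-way hash of the password (rather than the plain text or HA1) cannot compute the expected value and so cannot verify the response.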
Integrated Windows authentication does not work across proxy servers or other firewall applications.
If integrated Windows authentication fails, due to improper user credentials or some other problem, the browser will prompt the user to enter their user name and password.
Only Microsoft Internet Explorer, version 2.0 or later, supports integrated Windows authentication.