
Domain and Ip Check

This document provides instructions for configuring authentication in Microsoft Internet Information Services (IIS) on Windows Server 2003. The key steps are: 1. Start IIS Manager and expand the server name and "Web Sites" in the console tree. 2. Right-click the desired website, virtual directory, or file and select "Properties". 3. Click the "Directory Security" or "File Security" tab and then "Edit" under "Anonymous access and control". 4. Select the desired authentication method(s), such as "Anonymous access" or "Integrated Windows authentication", and click "OK".

Uploaded by

kamalshrish


Basically Windows handles everything; you never store usernames or passwords.
AD and IIS do all the work for you.
Add this to your web.config:

<system.web>
...
<authentication mode="Windows"/>
...
</system.web>

To configure Windows authentication:

1. Start Internet Information Services (IIS).
2. Right-click your application's virtual directory, and then click Properties.
3. Click the Directory Security tab.
4. Under Anonymous access and authentication control, click Edit.
5. Make sure the Anonymous access check box is not selected and
   that Integrated Windows authentication is the only selected check box.

You can then deal with the business or authorization using web.config again. For
example:
<authorization>
<deny users="DomainName\UserName" />
<allow roles="DomainName\WindowsGroup" />
</authorization>
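
How ASP.NET evaluates the <authorization> rules shown in the answer above, as an added example that is not part of the original answer or Microsoft's code. It is a simplified model: rules are checked top-down, the first match decides, and the machine-level default <allow users="*" /> comes last; the accounts DomainName\Member and DomainName\Outsider are constructed for illustration.

```python
# Added example: simplified model of ASP.NET URL authorization, not Microsoft's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    users: tuple = ()    # account names, "*" (everyone) or "?" (anonymous)
    roles: tuple = ()    # Windows group names


# Inherited from the machine-level configuration: <allow users="*" />.
INHERITED = (Rule("allow", users=("*",)),)

# The rules exactly as posted in the answer above.
AS_POSTED = (
    Rule("deny", users=(r"DomainName\UserName",)),
    Rule("allow", roles=(r"DomainName\WindowsGroup",)),
)

# Same rules followed by <deny users="*" />, so only the group gets in.
GROUP_ONLY = AS_POSTED + (Rule("deny", users=("*",)),)


def matches(rule, user, groups):
    """user is None for an anonymous request; names compare case-insensitively."""
    for name in rule.users:
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    member_of = {g.lower() for g in groups}
    return any(role.lower() in member_of for role in rule.roles)


def is_authorized(app_rules, user, groups=()):
    """Application rules come first, inherited rules last; first match decides."""
    for rule in tuple(app_rules) + INHERITED:
        if matches(rule, user, groups):
            return rule.action == "allow"
    return True  # no rule matched: the request is allowed


def compare(user, groups=()):
    """Return (decision with the posted rules, decision with the catch-all deny)."""
    return (is_authorized(AS_POSTED, user, groups),
            is_authorized(GROUP_ONLY, user, groups))


if __name__ == "__main__":
    # Constructed test identities.
    cases = [
        (r"DomainName\UserName", [r"DomainName\WindowsGroup"]),
        (r"DomainName\Member", [r"DomainName\WindowsGroup"]),
        (r"DomainName\Outsider", []),
    ]
    for user, groups in cases:
        posted, group_only = compare(user, groups)
        print(f"{user:22} as posted: {posted!s:5}  with deny *: {group_only}")
```

With the rules as posted, an authenticated user who is neither the denied account nor a member of the group falls through to the inherited allow rule; a trailing <deny users="*" /> is what limits access to the group.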

Windows Authentication <windowsAuthentication>


Overview
The <windowsAuthentication> element defines configuration settings for the Internet
Information Services (IIS) 7 Windows authentication module. You can use Windows
authentication when your IIS 7 server runs on a corporate network that is using
Microsoft Active Directory service domain identities or other Windows accounts to
identify users. Because of this, you can use Windows authentication whether or not
your server is a member of an Active Directory domain.

Windows authentication (formerly named NTLM, and also referred to as Windows NT
Challenge/Response authentication) is a secure form of authentication because the user
name and password are hashed before being sent across the network. When you enable
Windows authentication, the client browser sends a strongly hashed version of the
password in a cryptographic exchange with your Web server.

Windows authentication supports two authentication protocols, Kerberos and NTLM,
which are defined in the <providers> element. When you install and enable Windows
authentication on IIS 7, the default protocol is Kerberos.

The <windowsAuthentication> element can also contain a useKernelMode attribute that
configures whether to use the kernel mode authentication feature that is new to
Windows Server 2008.

Windows authentication is best suited for an intranet environment for the following
reasons:

- Client computers and Web servers are in the same domain.
- Administrators can make sure that every client browser is Internet Explorer 2.0
  or later.
- HTTP proxy connections, which are not supported by NTLM, are not required.
- Kerberos version 5 requires a connection to Active Directory, which is not
  feasible in an Internet environment.

This article describes how to configure Internet Information Server (IIS) 5.0 Web
site authentication in a Windows 2000 server environment. IIS 5.0 Web sites can
be configured to authenticate users before they are allowed access to the site, a
folder in the site, or even a particular document contained within a folder at the
site. IIS 5.0 authentication can be used to strengthen the level of security on
sites, folders, and documents that are not for the general public.
Web site authentication is critical when resources are not meant for anonymous
or public access but the Web server needs to be on the Internet to be accessible
to approved users over the Internet. Examples of Web site applications that
require authentication access control include Microsoft Outlook Web Access (OWA)
and the Microsoft Terminal Services Advanced Client.

Configure Authentication in the IIS 5.0 Web Server


1. On the Administrative Tools menu, click Internet Services Manager.
2. In the Internet Information Services console, click to expand your server
   name, and then click to expand the Web site.
3. Right-click your server name, click Properties, and then click
   the Internet Information Services tab.
4. In the Master Properties box, click WWW Service, and then click Edit.
   In the WWW Server Master Properties dialog box, you can set the default
   values for all the Webs on the IIS server. You can change the values on new Webs
   as they are created. If there are existing Webs on which you have already created
   custom configurations, you are prompted to confirm if you want to overwrite the
   configurations on those Webs.
5. Click the Directory Security tab, and then click Edit in the Anonymous
   access and authentication control box.
6. In the Authentication Methods dialog box, confirm that the default
   settings are Anonymous access and Integrated Windows authentication.
7. Click one of the following authentication methods, and then click OK:

   - Anonymous access: When Anonymous access is enabled, no
     credentials are required to access the site unless NTFS permissions are placed on
     the Web site folders to control access. To edit the properties of the anonymous
     user account, click Edit in the Anonymous access box.
   - Basic authentication: If Basic authentication is enabled, the user
     credentials are sent in clear text. This format provides a low level of security
     because the password can be read by almost all protocol analyzers. However, it is
     compatible with the widest number of Web clients. If Basic authentication is
     enabled, you can click Edit and set a default domain for user accounts.
   - Digest authentication: Digest authentication works for Internet
     Explorer 5.0 and later Web clients and for Web servers that belong to a Windows
     2000 domain. It has the advantage of not sending user credentials in clear text.
   - Integrated Windows authentication: Integrated Windows
     authentication can use both the Kerberos v5 authentication protocol and its own
     challenge/response authentication protocol. This option is a more secure
     authentication option. However, it only works for Internet Explorer 2.0 or later and
     Kerberos authentication does not work over HTTP connections.

   NOTE: If multiple authentication options are selected, IIS attempts to negotiate the
   most secure method first, and then it works down the list of enabled
   authentication protocols until a mutual authentication protocol is supported by
   both client and server.
8. Another type of authentication is based on the requesting host rather than
   on user credentials. To configure this authentication, click Edit in the IP Address
   and Domain Name Restrictions box.
9. In the IP Address and Domain Name Restrictions dialog box, you can
   limit access based on source IP address, source network ID, or source domain
   name. After you configure your settings, click OK, and then click OK in the IP
   Address and Domain Name Restrictions dialog box.
10. In the WWW Service Master Properties dialog box, click Apply, and
    then click OK.
11. In the Server Properties dialog box, click OK.

Troubleshooting

You may be prompted to apply any changes you have made to existing
sites. If you want the authentication changes applied to other content, click the
content from the list of child nodes, and then click OK. If you do not want the
changes applied to any of the child nodes, do not select any, and then click OK.

You can set authentication options separately for each Web site, each
folder, or each file. The same principles that are discussed in this article apply to
each.

Properties
Article ID: 310344 - Last Review: 06/19/2014 13:57:00 - Revision: 3.0
Keywords:

kbhowto kbhowtomaster KB310344

How to configure IIS Web site authentication in Windows Server 2003


Support for Windows Server 2003 ended on July 14, 2015
Microsoft ended support for Windows Server 2003 on July 14, 2015. This change
has affected your software updates and security options. Learn what this means
for you and how to stay protected.
This article was previously published under Q324274
For a Microsoft Windows 2000 version of this article, see 310344.

SUMMARY

This article describes how to configure Microsoft Internet Information Services
(IIS) Web site authentication in Windows Server 2003. You can configure IIS to
authenticate users before they are permitted access to a Web site, a folder in the
site, or even a particular document contained in a folder in the site.
Authentication in IIS can be used to strengthen the level of security on sites,
folders, and documents that are not to be viewed by the general public.
Authentication in IIS is critical when resources are not meant for anonymous or
public access, but when the Web server must be accessible to approved users
over the Internet. Examples of Web site applications that require authentication
access control include Microsoft Outlook Web Access (OWA) and the Microsoft
Terminal Services Advanced Client.

How to configure Authentication in IIS


1. Start IIS Manager or open the IIS snap-in.
2. Expand Server_name, where Server_name is the name of the server, and
   then expand Web Sites.
3. In the console tree, right-click the Web site, virtual directory, or file for
   which you want to configure authentication, and then click Properties.
4. Click the Directory Security or File Security tab (as appropriate),
   and then under Anonymous and access control, click Edit.
5. Click to select the check box next to the authentication method or methods
   that you want to use, and then click OK.
   The authentication methods that are set by default are Anonymous
   access and Integrated Windows authentication:

   - Anonymous access: When anonymous access is turned on, no
     authenticated user credentials are required to access the site. This option is best
     used when you want to grant public access to information that requires no
     security. When a user tries to connect to your Web site, IIS assigns the connection
     to the IUSR_ComputerName account, where ComputerName is the name of the
     server on which IIS is running. By default, the IUSR_ComputerName account is a
     member of the Guests group. This group has security restrictions, imposed by
     NTFS file system permissions, that designate the level of access and the type of
     content that is available to public users. To edit the Windows account used for
     anonymous access, click Browse in the Anonymous access box.

     Important: If you turn on anonymous access, IIS always tries to authenticate
     users by using anonymous authentication first, even if you turn on additional
     authentication methods.

   - Integrated Windows authentication: Formerly
     named NTLM or Windows NT Challenge/Response authentication, this method
     sends user authentication information over the network as a Kerberos ticket, and
     provides a high level of security. Windows Integrated authentication uses
     Kerberos version 5 and NTLM authentication. To use this method, clients must use
     Microsoft Internet Explorer 2.0 or later. Additionally, Windows Integrated
     authentication is not supported over HTTP proxy connections. This option is best
     used for an intranet, where both the user and Web server computers are in the
     same domain, and administrators can make sure that every user is using Internet
     Explorer 2.0 or later.

     Note: If multiple authentication options are selected, IIS tries to negotiate the
     most secure method first, and then it works down the list of available
     authentication protocols until a mutual authentication protocol is supported by
     both client and server.

   - Digest authentication for Windows domain servers: Digest
     authentication requires a user ID and password, provides a medium level of
     security, and may be used when you want to grant access to secure information
     from public networks. This method offers the same functionality as basic
     authentication. However, this method transmits user credentials across the
     network as an MD5 hash, or message digest, in which the original user name and
     password cannot be deciphered from the hash. To use this method, clients must
     use Microsoft Internet Explorer 5.0 or later.

     If you turn on digest authentication, type the realm name in the Realm box.

   - Basic authentication (password is sent in clear text): Basic
     authentication requires a user ID and password, and provides a low level of
     security. User credentials are sent in clear text across the network. This format
     provides a low level of security because the password can be read by almost all
     protocol analyzers. However, it is compatible with the widest number of Web
     clients. This option is best used when you want to grant access to information
     with little or no need for privacy.

     If you turn on basic authentication, type the domain name that you want to use in
     the Default domain box. You can also optionally enter a value in
     the Realm box.

   - Microsoft .NET Passport authentication: .NET Passport
     authentication provides single sign-in security, which provides users with access
     to diverse services on the Internet. When you select this option, requests to IIS
     must contain valid .NET Passport credentials on either the query string or in the
     cookie. If IIS does not detect .NET Passport credentials, requests are redirected to
     the .NET Passport logon page.

     Note: When you select this option, all other authentication methods are
     unavailable (appear dimmed).
6. Another type of authentication is based on the requesting host instead of
   on user credentials. You can limit access based on source IP address, source
   network ID, or source domain name. To configure this type of authentication,
   follow these steps:

   a. Under IP Address and Domain Name Restrictions, click Edit.
   b. Do one of the following:

      - To deny access, click Granted Access, and then click Add. In
        the Deny Access On dialog box that appears, specify the option that you want,
        and then click OK.
        The computer, group of computers, or domain that you specified is added to the
        list.
      - To grant access, click Denied Access, and then click Add. In
        the Grant Access On dialog box that appears, select the option that you want,
        and then click OK.
        The computer, group of computers, or domain that you selected is added to the
        list.
   c. Click OK.
7. Click OK, and then quit IIS Manager or close the IIS snap-in.

Troubleshooting

You may be prompted to apply any changes that you have made to existing
sites. If you want the authentication changes applied to other content, click the
content from the list of child nodes, and then click OK. If you do not want the
changes applied to any of the child nodes, do not select any items on the list, and
then click OK.

In IIS, you can set authentication options at the Web site, directory, or file
level. The same principles that are discussed in this article apply to each.

Properties
Article ID: 324274 - Last Review: 12/03/2007 22:04:44 - Revision: 6.6
Applies to
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft
Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server
2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Web Edition,
Microsoft Windows Server 2003, 64-Bit Datacenter Edition, Microsoft Windows
Server 2003, Enterprise x64 Edition, Microsoft Internet Information Services 6.0
Keywords:

kbwebservices kbappservices kbhowto kbhowtomaster KB324274


User Authentication in IIS


Authenticating users in IIS is one of the initial steps in securing IIS. When a user attempts
to access a website or an FTP site on an IIS machine, authentication is the process that
verifies whether the user can indeed access the site. Authentication and permissions are
closely coupled. After a user is authenticated, NTFS permissions determine whether the
user can access folders and files and Web permissions indicate whether a Web or FTP
client can read the website's home or virtual directory.
The authentication methods that authenticate users in IIS 6 are listed below. Each
authentication method authenticates users attempting to access websites. However, only
Anonymous access and Basic Authentication can be enabled for FTP sites.

- Anonymous access.
- Basic Authentication.
- Integrated Windows Authentication.
- Digest Authentication.
- .NET Passport Authentication.

An authentication method for a website can be configured at the following levels:

- Web Sites node: The Directory Security tab is used.
- Specific websites: The Directory Security tab is used.
- Virtual directory: The Directory Security tab is used.
- Specific files: The File Security tab is used.

An authentication method can be configured for an FTP site at the following levels:

- FTP Sites node: The Security Accounts tab is used.
- Specific FTP site: The Security Accounts tab is used.

When more than one authentication method is configured for a website, virtual directory,
or a file, the authentication methods supported in IIS are applied in the order
listed below:

1. The Anonymous access authentication method is applied first.
2. When the Anonymous access authentication method is not configured or
   supported, the Windows Integrated Authentication method is attempted, the Digest
   Authentication method is attempted next, and the Basic Authentication method is
   attempted last.
3. No other authentication methods are available when the .NET Passport
   Authentication method is configured.

The Integrated Windows Authentication method is the standard authentication method
utilized for authenticating users attempting to log on to a Windows 2000 or Windows
Server 2003 computer or network. Integrated Windows Authentication is the
recommended authentication method for authenticating users attempting to access web
and FTP sites on IIS machines.

Integrated Windows Authentication consists of the following two methods of
authentication:

- The NTLMv2 method is used when the IIS machine is running in a network that
  contains Windows NT domain controllers or when the IIS machine belongs to a workgroup.
- Kerberos authentication is used when the IIS machine belongs to a domain in which no
  Windows NT domain controllers exist.

The Integrated Windows Authentication method's requirements are listed below:

- Internet Explorer 3.01 or later.
- Integrated Windows Authentication could experience problems with firewalls and
  proxy servers. Users may therefore need to configure Web clients to access the Web
  server through a tunneled connection, such as Point-to-Point Tunneling Protocol (PPTP).

Digest Authentication can only be enabled if Active Directory is used. Digest
Authentication sends the user credentials over the network by utilizing an encrypted MD5
hash, and is therefore more secure than the Basic Authentication method.

The Digest Authentication method's requirements are listed below:

- Internet Explorer 5 or later.
- Active Directory must be used with domain controllers running Windows 2000 or
  Windows Server 2003.
- Domain user accounts must be configured for users.
- Users and the IIS machine should belong to the same domain. If not, the same
  domain should trust them.
- The IIS machine must use the LocalSystem account when worker process isolation
  mode is enabled.

Basic Authentication is considered the most insecure authentication method that can be
used for authenticating users in IIS because it uses a clear-text username and password.
Basic Authentication functions over proxy servers and works with all browser clients.
Basic Authentication is enabled for FTP sites by default.
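
What a protocol analyzer recovers from a Basic header versus a Digest header, as an added example that is not from the original article or from IIS. It uses the generic RFC 2617 Digest computation (qop=auth) as an assumption; the account alice, the realm, the nonce values and the password are constructed.

```python
# Added example: what Basic and Digest Authorization headers expose on the wire.
import base64
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 response value for qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest_params(value):
    """Split key="quoted" and key=token pairs from a Digest header value."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)
    return {key: (quoted if quoted else token) for key, quoted, token in pairs}


def exposed_on_wire(header):
    """Return what an observer of the Authorization header learns."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: it decodes to user:password.
        user, _, password = base64.b64decode(rest).decode("utf-8").partition(":")
        return {"scheme": "Basic", "user": user, "password": password}
    if scheme.lower() == "digest":
        params = parse_digest_params(rest)
        return {"scheme": "Digest", "user": params.get("username"),
                "password": None, "response": params.get("response")}
    raise ValueError(f"unsupported scheme: {scheme!r}")


def server_accepts_digest(header, method, stored_password):
    """Server side: recompute the hash from the stored secret and compare."""
    p = parse_digest_params(header.partition(" ")[2])
    expected = digest_response(p["username"], p["realm"], stored_password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return hmac.compare_digest(expected, p["response"])


# Constructed sample headers for the same constructed account.
PASSWORD = "S3cret-example"
BASIC_HEADER = "Basic " + base64.b64encode(f"alice:{PASSWORD}".encode()).decode("ascii")
NONCE, NC, CNONCE = "constructed-nonce-0001", "00000001", "constructed-cnonce"
DIGEST_HEADER = (
    'Digest username="alice", realm="example-realm", nonce="%s", uri="/reports/", '
    'qop=auth, nc=%s, cnonce="%s", response="%s"'
    % (NONCE, NC, CNONCE,
       digest_response("alice", "example-realm", PASSWORD, "GET", "/reports/",
                       NONCE, NC, CNONCE, "auth"))
)

if __name__ == "__main__":
    print(exposed_on_wire(BASIC_HEADER))
    print(exposed_on_wire(DIGEST_HEADER))
    print(server_accepts_digest(DIGEST_HEADER, "GET", PASSWORD))
```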
With .NET Passport Authentication, .NET passports are utilized for authentication and
authentication occurs via a single sign on method. When enabled, users' credentials have
unique Passport accounts. The Passport accounts are located on Passport servers that are
connected to the Internet. Microsoft manages the Passport servers. IIS sends the user's
Passport information to the Passport servers for authentication when a user attempts to
access an IIS website.

The steps that should be used to enable .NET Passport Authentication are listed below:

1. Set up a site ID and all necessary Passport configuration settings on the IIS
   machine. Use the Passport Manager Administration Utility, msppcnfg.exe, to perform this
   task.
2. Acquire a server certificate for the website. This certificate identifies the website
   when user authentication requests are forwarded to the Passport servers.
3. Register the website with Microsoft's Passport site.

How to Configure Authentication Settings at the Website Level


1. Open the IIS Manager.
2. Right-click a website in the console tree and select Properties from the shortcut
   menu.
3. When the website's Properties dialog box opens, click the Directory Security tab.
4. In the Authentication and Access Control section of the Directory Security tab, click
   the Edit button.
5. The Authentication Methods dialog box opens. Configure the settings listed below
   on this dialog box:

   - The website's Enable anonymous access checkbox can be enabled or
     disabled. Anonymous access is typically used for public sites.
   - The options that can be configured in the Authenticated Access area of the
     Authentication Methods dialog box are:

     - Integrated Windows Authentication: This is the most secure option
       that can be used for authentication in IIS. Kerberos version 5 is utilized if the client
       browser includes support for the protocol. NTLM authentication is used when the client
       browser does not support Kerberos version 5.
     - Digest Authentication For Windows Domain Servers: This option can
       only be enabled if Active Directory is used. Digest Authentication sends the user
       credentials over the network by utilizing an encrypted MD5 hash.
     - Basic Authentication: This is the weakest authentication method
       available for IIS and should be utilized when no other authentication method can be used.
       Basic authentication uses a clear-text username and password.
     - .NET Passport Authentication: When enabled, .NET passports are
       utilized for authentication and authentication occurs via a single sign on method.
6. Click OK.

How to Configure an Authentication Method at the FTP Site Level


1. Open the IIS Manager.
2. Right-click an FTP site in the console tree and select Properties from the shortcut
   menu.
3. When the Properties dialog box for the FTP site opens, click the Security Accounts
   tab.
4. The Security Accounts tab has the following two checkboxes:

   - Allow Anonymous Connections.
   - Allow Only Anonymous Connections.
5. To only enable the Anonymous Access authentication method, select both the
   Allow Anonymous Connections checkbox and the Allow Only Anonymous Connections
   checkbox.
6. To enable both the Anonymous Access authentication method and the Basic
   authentication method, only select the Allow Anonymous Connections checkbox.
   Anonymous Access authentication will be automatically attempted before Basic
   authentication is attempted.
7. To only enable Basic authentication, ensure that the Allow Anonymous
   Connections and Allow Only Anonymous Connections checkboxes are cleared (not
   selected).
8. Click OK.

How to Configure Authentication Settings at the IP Address Level


Restrict Web access at the IP address level by only allowing users to access a site that is
using an IP address from a predefined list of approved IP addresses.
To do this:
1. Open the IIS Manager.
2. Right-click a website in the console tree and select Properties from the shortcut
   menu.
3. When the website's Properties dialog box opens, click the Directory Security tab.
4. In the IP Address and Domain Name Restrictions section of the Directory Security
   tab, click the Edit button.
5. The Address and Domain Name Restrictions dialog box opens.
6. Using the dialog box, specify that all computers are granted access or specify
   those computers that should not be granted access by listing their IP address or domain
   name.
7. Click the Add button to include particular users' IP addresses in a list.
8. Click OK.
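
The grant-by-default and deny-by-default behaviour of the IP Address and Domain Name Restrictions dialog, described in the steps above and in the Windows Server 2003 article earlier, modelled as an added example that is not code from IIS or from the original articles. It covers single computers and groups of computers (network ID plus subnet mask) for IPv4 only; the Restrictions class, its method names and all addresses are constructed for illustration.

```python
# Added example: model of grant/deny-by-default address restrictions (IPv4 only).
import ipaddress


def parse_entry(entry):
    """A string is a single computer; a (network_id, mask) pair is a group."""
    if isinstance(entry, tuple):
        network_id, mask = entry
        # strict=True rejects a network ID that has host bits set.
        return ipaddress.ip_network(f"{network_id}/{mask}", strict=True)
    return ipaddress.ip_network(entry)  # bare address becomes a /32 network


class Restrictions:
    def __init__(self, default_granted, exceptions):
        # default_granted=True  -> everyone is granted access except the list
        # default_granted=False -> everyone is denied access except the list
        self.default_granted = default_granted
        self.exceptions = [parse_entry(e) for e in exceptions]

    def allows(self, client_ip):
        """Decide on the connection's source address (the TCP peer)."""
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.exceptions)
        # A listed address gets the opposite of the default.
        return self.default_granted != listed

    def redundant(self):
        """Entries already covered by a broader entry in the same list."""
        found = []
        for i, narrow in enumerate(self.exceptions):
            for j, broad in enumerate(self.exceptions):
                if i != j and narrow != broad and narrow.subnet_of(broad):
                    found.append((str(narrow), str(broad)))
        return found


# Constructed exception list using documentation address ranges.
ENTRIES = ["192.0.2.10", ("198.51.100.0", "255.255.255.0"), "198.51.100.25"]

# Only approved addresses may connect (default: denied access).
APPROVED_ONLY = Restrictions(default_granted=False, exceptions=ENTRIES)
# Everyone may connect except the listed addresses (default: granted access).
BLOCK_LIST = Restrictions(default_granted=True, exceptions=ENTRIES)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, "approved-only:", APPROVED_ONLY.allows(ip),
              "block-list:", BLOCK_LIST.allows(ip))
    print("redundant entries:", APPROVED_ONLY.redundant())
```

The decision is made on the source address of the connection, so clients that reach the server through the same proxy or NAT device share one decision.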