User Authentication in IIS

Overview on IIS User Authentication

Authenticating users in IIS is one of the first steps in securing IIS. When a user attempts to access a Web site or an FTP site on an IIS machine, authentication is the process that verifies whether the user is permitted to access the site. Authentication and permissions are closely coupled: after a user is authenticated, NTFS permissions determine whether the user can access folders and files, and Web permissions determine whether a Web client or FTP client can read the home directory or virtual directory of the site.

The authentication methods which can be used to authenticate users in IIS 6 are listed below. Each authentication method can be used to authenticate users attempting to access Web sites. However, only Anonymous access and Basic Authentication can be enabled for FTP sites.

You can configure an authentication method for a Web site at the following levels:

You can configure an authentication method for a FTP site at the following levels:

When more than one authentication method is configured for a Web site, virtual directory or file, IIS applies the supported methods in the following order:

  1. The Anonymous access authentication method is applied first.
  2. When Anonymous access is not configured or cannot be used, Integrated Windows Authentication is attempted first, then Digest Authentication, and finally Basic Authentication (in that order).
  3. When .NET Passport Authentication is configured, no other authentication method is available.

The Integrated Windows Authentication method is the standard authentication method utilized for authenticating users attempting to log on to a Windows 2000 or Windows Server 2003 computer or network. Integrated Windows Authentication is the recommended authentication method for authenticating users attempting to access Web sites and FTP sites on IIS machines.

Integrated Windows Authentication consists of the following two methods of the authentication:

The requirements of the Integrated Windows Authentication method are listed below:

Digest Authentication can only be enabled when Active Directory is used. It sends the user credentials over the network as an encrypted MD5 hash rather than in clear text, and is therefore more secure than the Basic Authentication method.

The requirements of the Digest Authentication method are listed below:

Basic Authentication is considered the least secure authentication method available for authenticating users in IIS because it sends the username and password in clear text. Basic Authentication works through proxy servers and with all browser clients. Basic Authentication is enabled for FTP sites by default.

With .NET Passport Authentication, users are authenticated with their .NET Passport accounts through a single sign-on method. Each user has a unique Passport account, held on Passport servers that are connected to the Internet and managed by Microsoft. When a user attempts to access an IIS Web site, IIS forwards the user's Passport information to the Passport servers for authentication.

The steps for enabling .NET Passport Authentication are listed below:

  1. First, set up a site ID and all necessary Passport configuration settings on the IIS machine. The Passport Manager Administration Utility, msppcnfg.exe, can be used to perform this task.
  2. Next, acquire a server certificate for the Web site. This certificate identifies the Web site when user authentication requests are forwarded to the Passport servers.
  3. Finally, register the Web site with Microsoft's Passport site.

How to configure authentication settings at the Web site level

  1. Open the IIS Manager.
  2. Right-click a Web site in the console tree, and select Properties from the shortcut menu.
  3. When the Properties dialog box of the Web site opens, click the Directory Security tab.
  4. In the Authentication and Access Control section of the Directory Security tab, click the Edit button.
  5. The Authentication Methods dialog box opens. You can configure the settings listed below on this dialog box.
    • The Enable anonymous access checkbox can be selected or cleared for the Web site. Anonymous access is typically used for public sites.
    • The options which you can configure in the Authenticated Access area of the Authentication Methods dialog box are:
      • Integrated Windows Authentication: This is the most secure option that can be used for authentication in IIS. Kerberos version 5 is utilized if the client browser includes support for the protocol. NTLM authentication is used when the client browser does not support Kerberos version 5.
      • Digest Authentication For Windows Domain Servers: This option can only be enabled if Active Directory is used. Digest Authentication sends the user credentials over the network by utilizing an encrypted MD5 hash.
      • Basic Authentication: This is the weakest authentication method available for IIS, and should be utilized when you cannot use any other authentication method. Basic authentication uses a clear-text username and password.
      • .NET Passport Authentication: When enabled, .NET passports are utilized for authentication, and authentication occurs via a single sign on method.
  6. Click OK.
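The following PowerShell script is an added example, not part of the original article, that performs the same configuration through the IIS 6 metabase ADSI provider instead of the Directory Security tab, and then decodes the stored value in the precedence order described earlier (Anonymous, then Integrated, Digest, Basic; Passport excludes the others). It assumes it runs on the IIS 6 machine with administrative rights, that site ID 1 is the Web site being configured (the Default Web Site is the usual holder of that ID), and that the dialog's checkboxes map to the metabase AuthFlags property with the documented bit values shown in the script.

```powershell
# IIS 6 metabase AuthFlags bit values (documented metabase constants).
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4    # Integrated Windows Authentication (Kerberos v5 or NTLM)
$AuthMD5       = 16   # Digest Authentication for Windows domain servers
$AuthPassport  = 64   # .NET Passport Authentication

# The site's home directory; site ID 1 is an assumption (Default Web Site).
$siteRoot = [ADSI]"IIS://localhost/W3SVC/1/Root"

function Get-IisAuthMethods {
    # Decode an AuthFlags value into method names, in the order IIS tries them.
    param([int]$AuthFlags)
    $order = @(
        @{ Bit = $AuthAnonymous; Name = 'Anonymous access' },
        @{ Bit = $AuthNTLM;      Name = 'Integrated Windows Authentication' },
        @{ Bit = $AuthMD5;       Name = 'Digest Authentication' },
        @{ Bit = $AuthBasic;     Name = 'Basic Authentication' },
        @{ Bit = $AuthPassport;  Name = '.NET Passport Authentication (excludes the others)' }
    )
    foreach ($m in $order) {
        if (($AuthFlags -band $m.Bit) -ne 0) { $m.Name }
    }
}

function Get-IisAuthFlags {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $Entry.RefreshCache()
    [int]$Entry.Properties['AuthFlags'].Value
}

function Set-IisAuthFlags {
    # Equivalent of setting the checkboxes on the Authentication Methods dialog.
    param([System.DirectoryServices.DirectoryEntry]$Entry, [int]$AuthFlags)
    $Entry.Properties['AuthFlags'].Value = $AuthFlags
    $Entry.CommitChanges()
}

# 1. Report what is currently enabled, the way the dialog would show it.
$current = Get-IisAuthFlags -Entry $siteRoot
"Current AuthFlags = $current"
Get-IisAuthMethods -AuthFlags $current | ForEach-Object { "  enabled: $_" }

# 2. Enable only Integrated Windows Authentication, the method the article recommends.
Set-IisAuthFlags -Entry $siteRoot -AuthFlags $AuthNTLM

# 3. Re-read, and flag Basic Authentication if it is still on anywhere in the value.
$after = Get-IisAuthFlags -Entry $siteRoot
Get-IisAuthMethods -AuthFlags $after | ForEach-Object { "  now enabled: $_" }
if (($after -band $AuthBasic) -ne 0) {
    Write-Warning 'Basic Authentication is enabled: credentials travel in clear text.'
}
```

Running the decode step on its own is a quick audit: AuthFlags = 5 means Anonymous plus Integrated Windows, AuthFlags = 3 means Anonymous plus Basic, which is the combination the warning above is meant to catch. Virtual directories and files can carry their own AuthFlags value, so point $siteRoot at the deeper metabase node (for example IIS://localhost/W3SVC/1/Root/SomeVdir) to audit those levels.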

How to configure an authentication method at the FTP site level

  1. Open the IIS Manager.
  2. Right-click an FTP site in the console tree, and select Properties from the shortcut menu.
  3. When the Properties dialog box for the FTP site opens, click the Security Accounts tab.
  4. The Security Accounts tab has the following two checkboxes:
    • Allow Anonymous Connections
    • Allow Only Anonymous Connections
  5. If you only want to enable the Anonymous Access authentication method, select both the Allow Anonymous Connections checkbox and the Allow Only Anonymous Connections checkbox.
  6. If you want to enable both the Anonymous Access authentication method and the Basic authentication method, select only the Allow Anonymous Connections checkbox. Anonymous Access authentication is automatically attempted before Basic authentication is attempted.
  7. If you only want to enable Basic authentication, ensure that the Allow Anonymous Connections and Allow Only Anonymous Connections checkboxes are cleared (not selected).
  8. Click OK.
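As an added example that is not part of the original article, the PowerShell below reads and sets the two Security Accounts checkboxes for every FTP site on the machine through the metabase ADSI provider. It assumes the checkboxes are stored in the IIsFtpServer properties AllowAnonymous and AnonymousOnly (their documented metabase names), that the script runs on the IIS 6 machine with administrative rights, and that site ID 1 is the Default FTP Site.

```powershell
# The FTP service node; each child of class IIsFtpServer is one FTP site.
$ftpService = [ADSI]"IIS://localhost/MSFTPSVC"

function Get-FtpAuthSummary {
    # Map the two checkboxes to the effective authentication method(s).
    param([System.DirectoryServices.DirectoryEntry]$Site)
    $Site.RefreshCache()
    $allow = [bool]$Site.Properties['AllowAnonymous'].Value   # Allow Anonymous Connections
    $only  = [bool]$Site.Properties['AnonymousOnly'].Value    # Allow Only Anonymous Connections
    if ($allow -and $only) { $methods = 'Anonymous only' }
    elseif ($allow)        { $methods = 'Anonymous, then Basic' }
    else                   { $methods = 'Basic only (clear-text credentials)' }
    New-Object PSObject -Property @{
        Site           = $Site.Name
        AllowAnonymous = $allow
        AnonymousOnly  = $only
        Methods        = $methods
    }
}

function Set-FtpAuthMode {
    # Equivalent of steps 5 to 7 above: choose one of the three checkbox combinations.
    param(
        [System.DirectoryServices.DirectoryEntry]$Site,
        [ValidateSet('AnonymousOnly', 'AnonymousAndBasic', 'BasicOnly')][string]$Mode
    )
    switch ($Mode) {
        'AnonymousOnly'     { $allow = $true;  $only = $true  }
        'AnonymousAndBasic' { $allow = $true;  $only = $false }
        'BasicOnly'         { $allow = $false; $only = $false }
    }
    $Site.Properties['AllowAnonymous'].Value = $allow
    $Site.Properties['AnonymousOnly'].Value  = $only
    $Site.CommitChanges()
}

# Audit every FTP site: any row reading 'Basic' means passwords cross the wire in clear text.
foreach ($child in $ftpService.Children) {
    if ($child.SchemaClassName -eq 'IIsFtpServer') { Get-FtpAuthSummary -Site $child }
}

# Example change: restrict the site with ID 1 (assumed Default FTP Site) to anonymous only.
$defaultFtp = [ADSI]"IIS://localhost/MSFTPSVC/1"
Set-FtpAuthMode -Site $defaultFtp -Mode 'AnonymousOnly'
Get-FtpAuthSummary -Site $defaultFtp
```

The audit loop is the part worth scheduling: because Basic is enabled for FTP sites by default, a site created by someone else will usually show up as "Anonymous, then Basic" until it is deliberately changed.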

How to configure authentication settings at the IP Address level

You can restrict Web access at the IP address level by allowing only users whose IP address is on a predefined list of approved IP addresses to access a site.

To do this,

  1. Open the IIS Manager.
  2. Right-click a Web site in the console tree, and select Properties from the shortcut menu.
  3. When the Properties dialog box of the Web site opens, click the Directory Security tab.
  4. In the IP Address and Domain Name Restrictions section of the Directory Security tab, click the Edit button.
  5. The Address and Domain Name Restrictions dialog box opens.
  6. Using this dialog box, you can grant all computers access by default, or deny access to particular computers by listing their IP address or domain name.
  7. Click the Add button to add the IP addresses of particular users to the list.
  8. Click OK.
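The PowerShell below is an added example, not part of the original article, that applies the "approved list" model from this section through the metabase ADSI provider: deny all computers by default and grant only the listed addresses. It assumes site ID 1 is the Web site being restricted, that the dialog's settings live in the IPSecurity metabase property (a COM object exposing GrantByDefault, IPGrant, IPDeny, DomainGrant and DomainDeny), and that assigning a string array to IPGrant from PowerShell is accepted as it is from VBScript; the addresses are constructed sample values. Confirm the result on the Directory Security tab after running it.

```powershell
# The site's home directory; site ID 1 is an assumption (Default Web Site).
$siteRoot = [ADSI]"IIS://localhost/W3SVC/1/Root"

# Approved entries, constructed for this example. The metabase format is
# "address, subnet mask"; a single host uses the mask 255.255.255.255.
$approved = @(
    '10.0.5.0, 255.255.255.0',       # an internal management subnet
    '192.0.2.25, 255.255.255.255'    # one administrative workstation
)

function Set-IisApprovedAddresses {
    # Equivalent of choosing "denied access" as the default and adding granted exceptions.
    param([System.DirectoryServices.DirectoryEntry]$Entry, [string[]]$Grant)
    $ipsec = $Entry.Properties['IPSecurity'].Value   # IIsIPSecurity COM object
    $ipsec.GrantByDefault = $false                   # all computers denied unless listed
    $ipsec.IPGrant = [string[]]$Grant                # the approved list
    $Entry.Properties['IPSecurity'].Value = $ipsec
    $Entry.CommitChanges()
}

function Get-IisIpRestrictions {
    # Read back the effective restriction, the way the dialog would display it.
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $Entry.RefreshCache()
    $ipsec = $Entry.Properties['IPSecurity'].Value
    "Grant by default : $($ipsec.GrantByDefault)"
    "Granted entries  : $(@($ipsec.IPGrant) -join '; ')"
    "Denied entries   : $(@($ipsec.IPDeny) -join '; ')"
    "Domain denies    : $(@($ipsec.DomainDeny) -join '; ')"
    if ($ipsec.GrantByDefault -and @($ipsec.IPDeny).Count -eq 0) {
        Write-Warning 'No IP restriction in effect: every address is granted access.'
    }
}

Set-IisApprovedAddresses -Entry $siteRoot -Grant $approved
Get-IisIpRestrictions -Entry $siteRoot
```

Keep the granted list short and made of specific masks; a broad subnet in IPGrant quietly widens the approved set, and the read-back function above is the check that shows exactly which addresses are currently let in.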

Copyright 2009 Tech-FAQ. All rights reserved.