Authentication is the process of determining the identity of the user making the request to the Web server. Authorization features can then use this identity to allow or reject the request to specific resources or parts of the application. In some cases, the Web server or the application can impersonate it to access resources. Finally, the application can use the identity to personalize the application experience for the requesting user.
IIS 7.0 includes the following authentication features:
Anonymous Authentication This authentication method provides a configured Windows identity for all anonymous users of the application without the need to provide any client credentials. It is used to allow anonymous (unauthenticated) access.
Basic Authentication This authentication method enables the client to provide the user name and password to the Web server in clear text. Basic Authentication is defined in RFC 2617, and virtually all browsers support it.
Digest Authentication This authentication method is a more secure version of Basic Authentication, and it enables the client to provide user credentials via a hash of the user name and password. Digest Authentication is defined in RFC 2617, and most browsers support it. The implementation used in IIS 7.0 was known as the Advanced Digest Authentication method in IIS 6.0.
IIS Client Certificate Mapping Authentication This authentication method enables client SSL certificates to be mapped to Windows accounts via one-to-one or many-to-one mappings stored in IIS configuration.
UNC Authentication Though this is not a true authentication method in the sense that it does not help to establish the identity of the requesting client, IIS 7.0 uses UNC Authentication to establish an identity to access remote content located on a UNC share.
In addition, IIS 7.0 applications using ASP.NET Integrated mode use a unified authentication model between IIS and ASP.NET. This enables existing ASP.NET authentication modules or new managed authentication modules developed with ASP.NET APIs to be used for all content in the application. When ASP.NET is installed, the following authentication methods are also available:
Forms Authentication This ASP.NET authentication method supports forms-based authentication against pluggable credentials stores via the ASP.NET Membership service. For more information on using ASP.NET Forms Authentication to protect all Web site content, see http://www.iis.net/articles/view.aspx/IIS7/Extending-IIS7/Getting-Started/How-to-Take-Advantage-of-the-IIS7-Integrated-Pipel.
Developers can also provide custom authentication features developed with the new IIS 7.0 native module API or with ASP.NET APIs for applications using the Integrated mode. In fact, applications running in Integrated mode can use most existing custom ASP.NET authentication modules immediately to provide site-wide authentication.
You can configure one or more authentication methods for your Web site, application, or part thereof to protect it with user-based authorization, enable impersonation for resource access, or allow for application personalization.
Anonymous authentication enables clients to access public areas of your Web site without requiring the client to provide any credentials. Anonymous authentication is the default authentication method enabled in IIS 7.0.
Anonymous authentication is part of the default IIS install and is enabled by default. You can manually install or uninstall it by installing or uninstalling the AnonymousAuthenticationModule module.
Anonymous authentication applies for all requests that do not have an authenticated user identity determined by other authentication methods. It works by setting the authenticated user identity for such requests to be a Windows identity corresponding to the configured anonymous user account.
By default, anonymous authentication is configured to use the new built-in IUSR account. It no longer uses the custom IUSR_ComputerName account that is used by default with anonymous authentication in IIS 6.0. Because IUSR is a built-in account, it does not have a password that must be periodically changed or synchronized between multiple servers. In addition, because it is built in, the IUSR account has the same SID on all machines. Therefore, ACLs that reference it remain valid when copied from one IIS 7.0 server to another.
One option is to use the built-in IUSR account. This is the default.
You can use the application pool identity option to simplify resource access management. This ensures that resource access is always made under the application pool identity, both when the Web server accesses application resources using the application pool identity and when the Web server or application accesses resources while impersonating the authenticated user. This way, you only need to manage access rights for a single identity.
You can use IIS Manager to enable or disable anonymous authentication and set the anonymous user options. Select the desired node in the tree view and double-click Authentication. Then, select Anonymous Authentication in the list and use the Enable, Disable, and Edit commands in the Actions pane to configure it.
You can also set anonymous authentication configuration directly; use Appcmd.exe from the command line, or use configuration APIs to configure the system.webServer/security/authentication/anonymousAuthentication section. You do this with Appcmd by using the following syntax.
%systemroot%\system32\inetsrv\Appcmd set config [ConfigurationPath] /section:system.webServer/security/authentication/anonymousAuthentication [/enabled:bool] [/username:string] [/password:string] [/logonMethod:enum]
The parameters of this command are shown in Table 1.
| Parameter | Description |
| --- | --- |
| ConfigurationPath | The configuration path at which to set the specified configuration. If you specify this parameter, you may also need to specify the /commit:apphost parameter to avoid locking errors when applying configuration to Web site or URL levels. |
| enabled | Whether to enable or disable anonymous authentication. |
| username | The user name to use for anonymous authentication. Set to "" to use the application pool identity. Default is IUSR. |
| password | The password to use when specifying a custom account for anonymous authentication. |
| logonMethod | The logon method to use for the anonymous user. Allowed values are Interactive, Batch, Network, and ClearText. Default is ClearText. See http://msdn2.microsoft.com/en-us/library/aa378184.aspx for more information about logon types. |
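As an added example (not from the original text or from IIS itself), the following script audits a constructed applicationHost.config fragment and reports, for each path that configures the anonymousAuthentication section, which identity anonymous requests will run under, using the rules in Table 1: userName "IUSR" is the built-in account, an empty userName means the application pool identity, and anything else is a custom account whose password must be managed. The sample XML, the account name CORP\svc_web and the placeholder password are constructed; the section path and the schema defaults for userName and logonMethod are taken from the text above.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration fragment; not taken from a real server.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" userName="IUSR" />
      </authentication>
    </security>
  </system.webServer>
  <location path="Default Web Site/app">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="" logonMethod="ClearText" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/svc">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="CORP\\svc_web"
                               password="PLACEHOLDER-NOT-A-REAL-SECRET" logonMethod="Batch" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/private">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

SECTION_PATH = "system.webServer/security/authentication/anonymousAuthentication"
ALLOWED_LOGON_METHODS = {"Interactive", "Batch", "Network", "ClearText"}


def describe_anonymous(elem):
    """Classify one <anonymousAuthentication> element using the Table 1 rules."""
    enabled = elem.get("enabled")
    if enabled is None:
        # No explicit setting here: the value is inherited from the parent level.
        return {"enabled": None, "identity": "inherited"}
    if enabled.lower() != "true":
        return {"enabled": False, "identity": "none"}
    user = elem.get("userName", "IUSR")             # default per Table 1
    method = elem.get("logonMethod", "ClearText")   # default per Table 1
    if method not in ALLOWED_LOGON_METHODS:
        raise ValueError(f"invalid logonMethod {method!r}")
    if user == "":
        identity = "application pool identity"
    elif user.upper() == "IUSR":
        identity = "built-in IUSR"
    else:
        identity = f"custom account {user}"
    return {"enabled": True, "identity": identity, "logonMethod": method,
            "has_password": bool(elem.get("password"))}


def audit_anonymous_auth(config_xml):
    """Return {configuration path: description} for every anonymousAuthentication section."""
    root = ET.fromstring(config_xml)
    results = {}
    top = root.find(SECTION_PATH)
    if top is not None:
        results["MACHINE/WEBROOT/APPHOST"] = describe_anonymous(top)
    for loc in root.findall("location"):
        elem = loc.find(SECTION_PATH)
        if elem is not None:
            results[loc.get("path")] = describe_anonymous(elem)
    return results


def custom_account_paths(config_xml):
    """Paths whose anonymous identity is a custom account, i.e. one more password to manage."""
    return sorted(path for path, d in audit_anonymous_auth(config_xml).items()
                  if d["identity"].startswith("custom account"))


if __name__ == "__main__":
    for path, desc in audit_anonymous_auth(SAMPLE_CONFIG).items():
        print(f"{path:30} -> {desc['identity']}")
```

Running the script against a real applicationHost.config requires only replacing SAMPLE_CONFIG with the file contents; the custom_account_paths result is the list of places where the text's argument for the password-less IUSR account does not yet apply.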
Basic authentication implements the Basic Authentication protocol, a standard HTTP authentication scheme defined in RFC 2617 and supported by most HTTP client software. It enables the client to pass both the user name and the password in clear text, and it uses these credentials to log on locally at the Web server or the Web server’s domain. The credentials, therefore, must correspond to a valid local or domain account, and they result in the request being authenticated with a Windows token corresponding to this account.
Basic authentication is a challenge-based authentication scheme. When a client makes the initial request to a resource that requires authentication, and basic authentication is enabled, the request will be rejected with a 401 Unauthorized status that will include a "WWW-Authenticate: Basic" response header. If the client supports basic authentication, it will usually prompt the user for credentials and then reissue the request with the credentials included. The basic authentication module will see that credentials are present on the subsequent request and attempt to authenticate the request by logging on with those credentials. The client will typically send these credentials again on every request to the same URL or any URL that is below the URL included in the initial authenticated request.
Basic authentication is not secure because it passes the credentials in clear text, and therefore may enable an attacker to steal them by eavesdropping on the request packets at the network level. This can be mitigated by using SSL to secure the communication channel between the client and the server. If SSL is used to protect all requests that include the credentials, basic authentication may be a secure option.
Because basic authentication performs the logon locally at the Web server, the resulting Windows token can be used to access resources on a remote server without configuring delegation or Protocol Transition.
By default, basic authentication caches the logon token for each user name and password combination in the token cache for a period of time. During this time, the token remains available inside the worker process. If the worker process is compromised, malicious code can use this token to elevate privileges if the token represents a user with high privileges. If you do not trust the code in the process, you can either disable token caching by uninstalling the token cache module, or reduce the amount of time tokens are cached by setting the HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\UserTokenTTL value to the number of seconds for which tokens should be cached.
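To make the trade-off in the paragraph above concrete, here is an added model of a credential-keyed token cache with a time-to-live (illustration only; it is not IIS code and does not claim to reproduce the real token cache's keying or eviction). The logon callback stands in for the Windows logon that basic authentication performs, the FakeClock lets the simulation advance time deterministically, and simulate() reports how many real logons a sequence of requests caused and whether a token is still resident at a chosen moment, which is the window UserTokenTTL controls.

```python
import hashlib
import time


class FakeClock:
    """Deterministic clock for the simulation (constructed for this example)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TokenCache:
    """TTL cache of logon tokens keyed by a hash of the credentials (modeling choice)."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}   # key -> (token, inserted_at)
        self.logons = 0      # number of real logons performed (cache misses)

    @staticmethod
    def _key(user, password):
        # Never keep raw credentials as dict keys; hash them for the lookup.
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def evict_expired(self):
        now = self.clock()
        for k in [k for k, (_, t) in self._entries.items() if now - t >= self.ttl]:
            del self._entries[k]

    def get_token(self, user, password, logon):
        """Return a fresh cached token, or perform logon() and cache its result."""
        self.evict_expired()
        k = self._key(user, password)
        if k in self._entries:
            return self._entries[k][0]
        token = logon(user, password)
        self.logons += 1
        self._entries[k] = (token, self.clock())
        return token

    def resident_tokens(self):
        """Tokens currently held in process memory, i.e. exposed to code running there."""
        self.evict_expired()
        return sorted(tok for tok, _ in self._entries.values())


def simulate(ttl_seconds, request_times, check_time=None, user="alice", password="pw"):
    """Replay requests at the given second offsets; report logon count and residency."""
    clock = FakeClock()
    cache = TokenCache(ttl_seconds, clock)

    def logon(u, p):  # stand-in for the Windows logon IIS performs on a cache miss
        return f"token-for-{u}"

    for t in request_times:
        clock.now = float(t)
        cache.get_token(user, password, logon)
    clock.now = float(request_times[-1] if check_time is None else check_time)
    return {"logons": cache.logons, "resident": cache.resident_tokens()}


if __name__ == "__main__":
    print(simulate(900, [0, 60, 120]))            # long TTL: one logon, token still resident
    print(simulate(60, [0, 30, 70]))              # short TTL: a second logon at t=70
    print(simulate(60, [0, 30], check_time=100))  # after the TTL the token is gone
```

A longer TTL means fewer logons for a user who keeps sending credentials, but also a longer period during which that user's token sits in the worker process; lowering UserTokenTTL shortens the second at the cost of the first.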
You can use IIS Manager to enable or disable basic authentication and set the logon method options. Select the desired node in the tree view and double-click Authentication. Then, select Basic Authentication from the list and use the Enable, Disable, and Edit commands in the Actions pane to configure it.
You can also set basic authentication configuration directly; use Appcmd.exe from the command line, or use configuration APIs to configure the system.webServer/security/authentication/basicAuthentication section. You do this with Appcmd by using the following syntax.
%systemroot%\system32\inetsrv\Appcmd set config [ConfigurationPath] /section:system.webServer/security/authentication/basicAuthentication [/enabled:bool] [/realm:string] [/defaultLogonDomain:string] [/logonMethod:enum]
The parameters of this command are shown in Table 2.
| Parameter | Description |
| --- | --- |
| ConfigurationPath | The configuration path at which to set the specified configuration. If you specify this parameter, you may also need to specify the /commit:apphost parameter to avoid locking errors when applying configuration to Web site or URL levels. |
| enabled | Whether to enable or disable basic authentication. |
| realm | The basic authentication realm that will be indicated to the client for informational purposes. The Web server does not use the realm during the logon process. |
| defaultLogonDomain | The domain that will be used by the server to log on using the credentials provided by the client. If the client user name specifies the domain, it will be used instead. If empty, the computer domain is used. The default value is "". |
| logonMethod | The logon method to use for the logon. Allowed values are Interactive, Batch, Network, and ClearText. Default is ClearText. See http://msdn2.microsoft.com/en-us/library/aa378184.aspx for more information about logon types. |
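The following added example (written for this page; it is not IIS code) plays both sides of the RFC 2617 challenge/response exchange described above and applies the realm and defaultLogonDomain semantics from Table 2: the server answers a credential-less request with 401 and a WWW-Authenticate header, the client re-sends with an Authorization header carrying base64("user:password"), and the server decodes it and resolves the logon domain (a DOMAIN\user name wins, otherwise defaultLogonDomain, otherwise the computer domain). The account store, realm, domain names and passwords are constructed; a real server logs on against Windows instead of a dictionary. parse_basic_credentials is also exactly what anyone observing the unencrypted request can do, which is why the text insists on SSL.

```python
import base64
import hmac
import re

# Constructed account store {(domain, user): password}; not real credentials.
ACCOUNTS = {("CORP", "alice"): "correct horse", ("WEB01", "bob"): "battery staple"}
REALM = "Example Realm"          # the /realm setting: informational only
DEFAULT_LOGON_DOMAIN = "WEB01"   # the /defaultLogonDomain setting
COMPUTER_DOMAIN = "WEB01"        # used when defaultLogonDomain is ""


def challenge(realm=REALM):
    """The 401 response sent when no (or wrong) credentials are present."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def client_authorization_header(user, password):
    """What a browser sends after prompting the user (RFC 2617 Basic)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_credentials(header):
    """Decode an Authorization header into (user, password), or None if malformed."""
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/=]+)", header or "", re.IGNORECASE)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # user names may not contain ':'
    return (user, password) if sep else None


def resolve_logon_domain(user, default_logon_domain, computer_domain):
    """Table 2 rule: DOMAIN\\user wins; else defaultLogonDomain; else the computer domain."""
    if "\\" in user:
        domain, _, name = user.partition("\\")
        return domain, name
    return (default_logon_domain or computer_domain), user


def handle_request(headers, accounts=ACCOUNTS, default_logon_domain=DEFAULT_LOGON_DOMAIN):
    """Server side: challenge, or log on with the supplied credentials."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None:
        return challenge()
    domain, name = resolve_logon_domain(creds[0], default_logon_domain, COMPUTER_DOMAIN)
    stored = accounts.get((domain, name))
    if stored is not None and hmac.compare_digest(stored.encode(), creds[1].encode()):
        return 200, {"X-Authenticated-User": f"{domain}\\{name}"}
    return challenge()   # bad credentials: the client is challenged again


def exchange(user, password):
    """Run the full round trip and return the status codes the client sees."""
    status1, hdrs1 = handle_request({})
    assert hdrs1["WWW-Authenticate"].startswith("Basic realm=")
    status2, _ = handle_request({"Authorization": client_authorization_header(user, password)})
    return [status1, status2]


if __name__ == "__main__":
    print(exchange("CORP\\alice", "correct horse"))   # [401, 200]: explicit domain
    print(exchange("alice", "correct horse"))         # [401, 401]: defaults to WEB01, no such account
    print(exchange("bob", "battery staple"))          # [401, 200]: defaultLogonDomain applies
    print(parse_basic_credentials(client_authorization_header("bob", "battery staple")))
```

The second call shows the practical effect of defaultLogonDomain: a user who types only "alice" is logged on against WEB01, not CORP, so the logon fails until either the client supplies CORP\alice or the administrator sets /defaultLogonDomain:CORP.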