Authentication
Authentication is the process of determining the identity of the user making the request to the Web server. Authorization features can then use this identity to allow or reject the request to specific resources or parts of the application. In some cases, the Web server or the application can impersonate this identity to access resources. Finally, the application can use the identity to personalize the application experience for the requesting user.
IIS 7.0 includes the following authentication features:
Anonymous Authentication
This authentication method provides a configured Windows identity for all anonymous users of the application without the need to provide any client credentials. It is used to allow anonymous (unauthenticated) access.
Basic Authentication
This authentication method enables the client to provide the user name and password to the Web server in clear text. Basic Authentication is defined in RFC 2617, and virtually all browsers support it.
Digest Authentication
This authentication method is a more secure version of Basic Authentication, and it enables the client to provide user credentials via a hash of the user name and password. Digest Authentication is defined in RFC 2617, and most browsers support it. The implementation used in IIS 7.0 was known as the Advanced Digest Authentication method in IIS 6.0.
Windows Authentication
This authentication method supports the NT LAN Manager (NTLM) or Kerberos Windows authentication protocols.
Client Certificate Mapping Authentication
This authentication method enables client SSL certificates to be mapped to Windows accounts by using Active Directory directory services.
IIS Client Certificate Mapping Authentication
This authentication method enables client SSL certificates to be mapped to Windows accounts via one-to-one or many-to-one mappings stored in IIS configuration.
UNC Authentication
Though this is not a true authentication method in the sense that it does not help to establish the identity of the requesting client, IIS 7.0 uses UNC Authentication to establish an identity to access remote content located on a UNC share.
In addition, IIS 7.0 applications using ASP.NET Integrated mode use a unified authentication model between IIS and ASP.NET. This enables existing ASP.NET authentication modules or new managed authentication modules developed with ASP.NET APIs to be used for all content in the application. When ASP.NET is installed, the following authentication methods are also available:
The following IIS 6.0 authentication methods are no longer supported:
IIS 6.0 Digest Authentication
The IIS 7.0 Advanced Digest Authentication method is now provided as the only digest authentication method.
.NET Passport Authentication
Passport support is not included in Windows Server 2008, and therefore this method is also no longer supported.
Developers can also provide custom authentication features developed with the new IIS 7.0 native module API or with ASP.NET APIs for applications using the Integrated mode. In fact, applications running in Integrated mode can use most existing custom ASP.NET authentication modules immediately to provide site-wide authentication.
You can configure one or more authentication methods for your Web site, application, or part thereof to protect it with user-based authorization, enable impersonation for resource access, or allow for application personalization.
Note
IIS 7.0 requires that each request is authenticated. Because of this, at least one authentication method must be enabled and be able to provide an authenticated user for each request.
In the remainder of this section, we will review each of the authentication methods.
Anonymous Authentication
Anonymous authentication enables clients to access public areas of your Web site without requiring the client to provide any credentials. Anonymous authentication is the default authentication method enabled in IIS 7.0.
Note
Anonymous authentication is part of the default IIS install and is enabled by default. You can manually install or uninstall it by installing or uninstalling the AnonymousAuthenticationModule module.
Anonymous authentication applies for all requests that do not have an authenticated user identity determined by other authentication methods. It works by setting the authenticated user identity for such requests to be a Windows identity corresponding to the configured anonymous user account.
Caution
Be sure to disable anonymous authentication for parts of your Web site that you do not want to be accessed by anonymous users. You must do this even if you have other authentication methods enabled.
By default, anonymous authentication is configured to use the new built-in IUSR account. It no longer uses the custom IUSR_ComputerName account that is used by default with anonymous authentication in IIS 6.0. Because IUSR is a built-in account, it does not have a password that must be periodically changed or synchronized between multiple servers. In addition, because it is built in, the IUSR account has the same SID on all machines. Therefore, ACLs that reference it remain valid when copied from one IIS 7.0 server to another.
When using anonymous authentication, you have the following options:
Use the built-in IUSR account. This is the default.
Use a custom account. You can configure a custom account that should be used for anonymous requests instead of the IUSR account.
Use the application pool identity. You can configure anonymous authentication to use the identity of the IIS worker process (application pool identity) instead of a separate anonymous account.
You can use the application pool identity option to simplify resource access management. This ensures that resource access is always made under the application pool identity, both when the Web server accesses application resources directly and when the Web server or the application accesses resources while impersonating the authenticated user. This way, you only need to manage access rights for a single identity.
You can use IIS Manager to enable or disable anonymous authentication and set the anonymous user options. Select the desired node in the tree view and double-click Authentication. Then, select Anonymous Authentication in the list and use the Enable, Disable, and Edit commands in the Actions pane to configure it.
You can also set anonymous authentication configuration directly; use Appcmd.exe from the command line, or use configuration APIs to configure the system.webServer/security/anonymousAuthentication section. You do this with Appcmd by using the following syntax.
%systemroot%\system32\inetsrv\Appcmd set config [ConfigurationPath]
/section:system.webServer/security/anonymousAuthentication [/enabled:bool]
[/username:string] [/password:string] [/logonMethod:enum]
The parameters of this command are shown in Table 1.
Table 1. Parameters to Set Anonymous Authentication and Anonymous User Options
Parameter | Description
---|---
ConfigurationPath | The configuration path at which to set the specified configuration. If you specify this parameter, you may also need to specify the /commit:apphost parameter to avoid locking errors when applying configuration to Web site or URL levels.
enabled | Whether to enable or disable anonymous authentication.
username | The user name to use for anonymous authentication. Set to "" to use the application pool identity. Default is IUSR.
password | The password to use when specifying a custom account for anonymous authentication.
logonMethod | The logon method to use for the anonymous user. Allowed values are Interactive, Batch, Network, and ClearText. Default is ClearText. See http://msdn2.microsoft.com/en-us/library/aa378184.aspx for more information about logon types.
Basic Authentication
Basic authentication implements the Basic Authentication protocol, a standard HTTP authentication scheme defined in RFC 2617 and supported by most HTTP client software. It enables the client to pass both the user name and the password in clear text, and it uses these credentials to log on locally at the Web server or the Web server's domain. The credentials, therefore, must correspond to a valid local or domain account, and they result in the request being authenticated with a Windows token corresponding to this account.
Note
Basic authentication is not part of the default IIS install. You can manually install it from the Security feature category through Windows Features On And Off on Windows Vista. You can also install it from the Security role service category of the Web Server (IIS) role in Server Manager on Windows Server 2008.
Basic authentication is a challenge-based authentication scheme. When a client makes the initial request to a resource that requires authentication, and basic authentication is enabled, the request will be rejected with a 401 unauthorized status that will include a "WWW-Authenticate: basic" response header. If the client supports basic authentication, it will usually prompt the user for credentials and then reissue the request with the credentials included. The basic authentication module will see that credentials are present on the subsequent request and attempt to authenticate the request by logging on with those credentials. The client will typically send these credentials again on every request to the same URL or any URL that is below the URL included in the initial authenticated request.
Caution
Just enabling basic authentication does not mean that authentication is required for your application. You must either disable anonymous authentication and/or configure URL authorization rules or NTFS permissions that deny access to the anonymous user.
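An added audit script (not from the book and not an IIS tool) that reads the settings Table 1 describes out of a constructed applicationHost.config excerpt and reports, per location, which anonymous identity is in effect and whether basic authentication is enabled while anonymous authentication is still on, which is the situation the caution above warns about. The excerpt is constructed; elements are looked up by name so the exact nesting of the section does not matter, and a missing element is treated as the IIS 7.0 default (anonymous on, basic off), ignoring any overriding parent setting.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not captured from a real server).
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" /><basicAuthentication enabled="false" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/intranet"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="" /><basicAuthentication enabled="true" realm="Intranet" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/admin"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" /><basicAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
</configuration>"""

def _enabled(elem, default):
    """enabled="..." attribute, or the IIS 7.0 default when the element is absent."""
    if elem is None or elem.get("enabled") is None:
        return default
    return elem.get("enabled").lower() == "true"

def anonymous_identity(anon):
    """Interpret userName as Table 1 describes: IUSR is the default, "" selects
    the application pool identity, anything else is a custom account."""
    name = None if anon is None else anon.get("userName")
    if name is None or name == "IUSR":
        return "IUSR (default)"
    if name == "":
        return "application pool identity"
    return "custom account " + name

def audit(config_xml):
    """One finding per <location>, in document order; lookup is by element name."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        anon = next(loc.iter("anonymousAuthentication"), None)
        basic = next(loc.iter("basicAuthentication"), None)
        anon_on = _enabled(anon, True)     # anonymous authentication is on by default
        basic_on = _enabled(basic, False)  # basic authentication is off by default
        findings.append({
            "path": loc.get("path"),
            "anonymous": anon_on,
            "anonymous_identity": anonymous_identity(anon) if anon_on else None,
            "basic": basic_on,
            # Basic alone does not force a logon: an anonymous request still succeeds.
            "basic_effectively_optional": basic_on and anon_on,
        })
    return findings
```

Only the third location actually demands credentials; the second has basic enabled but anonymous still answers every request.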
Basic authentication is not secure because it passes the credentials in clear text, and therefore may enable an attacker to steal them by eavesdropping on the request packets at the network level. This can be mitigated by using SSL to secure the communication channel between the client and the server. If SSL is used to protect all requests that include the credentials, basic authentication may be a secure option.
Caution
Basic authentication may enable user credentials to be leaked because it sends them to the Web server in an unencrypted form. When using basic authentication, use SSL to secure the Web site.
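The challenge exchange described above, as an added example that is not part of the book and does not model IIS internals: the 401 challenge, the header a browser sends back, the server-side parse, and why base64 encoding is not protection. The refusal of credentials that arrive without TLS in handle() is an assumed policy standing in for the advice to secure the site with SSL, not IIS behavior; the realm string is constructed.

```python
import base64
import binascii

REALM = "Default Web Site"  # constructed; informational only, the server does not use it to log on

def challenge(realm=REALM):
    """What the server returns when basic authentication is enabled and the
    request carries no usable credentials: 401 plus WWW-Authenticate: Basic."""
    return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="%s"' % realm}}

def client_reply(user, password):
    """The header a browser adds after prompting the user (RFC 2617): the pair
    'user:password' base64-encoded. Encoding is not encryption."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}

def parse_authorization(header):
    """Recover (user, password) from an Authorization header, or None when the
    header is missing, is not Basic, or is not valid base64. Anyone who can read
    the request on a non-TLS connection can do exactly this."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def handle(request_headers, tls):
    """Server-side decision for one request. Assumed policy: credentials that
    arrive over plain HTTP are refused rather than logged on, because they are
    already exposed; over TLS the logon would proceed with the parsed pair."""
    creds = parse_authorization(request_headers.get("Authorization"))
    if creds is None:
        return challenge()
    if not tls:
        return {"status": 403, "headers": {}, "reason": "basic credentials sent without TLS"}
    return {"status": 200, "headers": {}, "user": creds[0]}
```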
Because basic authentication performs the logon locally at the Web server, the resulting Windows token can be used to access resources on a remote server without configuring delegation or Protocol Transition.
By default, basic authentication caches the logon token for the corresponding user name and password in the token cache. During this time, the token may be available inside that process. If the worker process is compromised, malicious code can use this token to elevate privileges if the token represents a user with high privileges. If you do not trust the code in the process, you can either disable token caching by uninstalling the token cache module or reduce the amount of time the tokens are cached by setting the HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\UserTokenTTL value to the number of seconds to cache tokens for.
You can use IIS Manager to enable or disable basic authentication and set the logon method options. Select the desired node in the tree view and double-click Authentication. Then, select Basic Authentication from the list and use the Enable, Disable, and Edit commands in the Actions pane to configure it.
You can also set basic authentication configuration directly; use Appcmd.exe from the command line, or use configuration APIs to configure the system.webServer/security/basicAuthentication section. You do this with Appcmd by using the following syntax.
%systemroot%\system32\inetsrv\Appcmd set config [ConfigurationPath]
/section:system.webServer/security/basicAuthentication [/enabled:bool]
[/realm:string] [/defaultLogonDomain:string] [/logonMethod:enum]
The parameters of this command are shown in Table 2.
Table 2. Parameters for Setting Basic Authentication Configuration Directly
Parameter | Description
---|---
ConfigurationPath | The configuration path at which to set the specified configuration. If you specify this parameter, you may also need to specify the /commit:apphost parameter to avoid locking errors when applying configuration to Web site or URL levels.
enabled | Whether to enable or disable basic authentication.
realm | The basic authentication realm that will be indicated to the client for informational purposes. The Web server does not use the realm during the logon process.
defaultLogonDomain | The domain that will be used by the server to log on using the credentials provided by the client. If the client user name specifies the domain, it will be used instead. If empty, the computer domain is used. The default value is "".
logonMethod | The logon method to use for the logon. Allowed values are Interactive, Batch, Network, and ClearText. Default is ClearText. See http://msdn2.microsoft.com/en-us/library/aa378184.aspx for more information about logon types.