Basic authentication prompts the client for a user name and password that are then Base64-encoded and passed to IIS. IIS receives the user name and password credentials and verifies them against the Microsoft® Windows NT®-user database on the computer or the applicable domain controllers in any trusted Windows NT domains. If the credentials are valid, IIS will impersonate the specified user when allowing access to resources by IIS or any applications that the request is launching. Thus, the application being executed, whether it is an ISAPI extension DLL, a CGI application, or a scripting mechanism, will be executed with the permissions of the corresponding user account passed by Basic authentication.
Because Basic authentication provides the user name and password credentials to IIS, access to items that require credential knowledge can be performed successfully when using Basic authentication. For example, if an ISAPI application mapped a drive letter across a network, it would require knowledge of the current user's credentials. Because IIS is given the user name and password credentials as part of Basic authentication, this task will succeed if the account specified has access to the network resource.
The advantage of Basic authentication is that it is part of the HTTP specification, and is thus supported by most browsers. The disadvantage of Basic authentication is that if someone is monitoring packets on your network, they could easily intercept and decipher your password using publicly available algorithms. This is not possible with Windows NT Challenge/Response authentication because the actual password is never sent over the network. Instead, the browser returns a custom token that satisfies the server's authentication request.