Let's begin with a quick overview of the client authentication types. Internet Information Server (IIS) supports the following authentication schemes:
Each of these authentication methods can be enabled or disabled on the Directory Security page of the Virtual Directory properties in the Microsoft Management Console. A typical IIS configuration has Anonymous enabled, as well as either, or both, of the other methods. Anonymous authentication is the least secure method, while Basic and Microsoft® Windows NT® Challenge/Response provide increasingly greater levels of security for your Web pages. Each of these authentication schemes has a different impact on the security context of an application launched by IIS. This includes ISAPI extension agents, CGI applications, IDC scripts, and future scripting capabilities.