All users are authenticated when they attempt to gain access to the Web sites, folders, and files on your Web server. You configure the authentication methods available to users with Microsoft Internet Information Server (IIS) administration tools.
IIS supports the following types of authentication:
Anonymous access allows users to log on to a server without having a Microsoft Windows NT account. Users do not have to enter a user name and password. All Web browsers support anonymous access.
Basic authentication requires all users to have a Windows NT account to log on to a server. Users must enter a user name and password. Most Web browsers support Basic authentication.
By using Windows NT Challenge/Response authentication, the Web browser automatically passes on the encrypted user name and password for a Windows NT account. Users do not have to enter a user name and password when they log on to a server. Only Microsoft Internet Explorer supports Windows NT Challenge/Response authentication.
Anonymous access lets users who do not have Windows NT accounts connect to the server and use server resources. This type of access reduces the amount of time you spend managing accounts, and you do not have to identify the users who log on to your Web server.
During Setup, IIS creates a special anonymous account named IUSR_computer_name for Web services. By default, all Web client requests use this anonymous account to gain access to Web content.
When IIS receives an anonymous request to log on to a server or access a resource, it impersonates the IUSR_computer_name account. The request succeeds when the IUSR_computer_name account has the right to log on to the server and permission to use the requested resource. IIS stores resource access permission information in the resource access control lists (ACLs). When access is denied, the server prompts the user to enter a valid Windows NT user name and password.
Note: If you want to provide both restricted and unrestricted access areas on your server, you can enable both authenticated and anonymous logon methods at the same time. A user who wants to access the restricted areas of the server needs to provide a user name and password, while any user can access the areas that allow anonymous access.
When you use Basic authentication, a client application such as the Web browser prompts a user for a Windows NT user name and password. Then the browser passes the user information through HTTP in encoded text for IIS to use for Basic authentication.
Basic authentication is fast, and when you use it with Secure Sockets Layer (SSL), you also have secure authentication because SSL encrypts the transmission. If you use Basic authentication without SSL, however, the user name and password are passed in clear text (encoded, but not encrypted), thereby compromising the security of the transmission.
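The following added example (not part of the original page) shows what the browser actually sends for Basic authentication and why the encoding offers no confidentiality: the Authorization header can be decoded by anyone who sees it, so only the transport (SSL) protects it. The helper names and the sample credentials are constructed for illustration.

```python
import base64
import binascii


def build_basic_authorization(username: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic authentication.

    The credentials are joined with ':' and Base64-encoded. This is an encoding
    step only; it is trivially reversible and is not encryption.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_authorization(header_value: str):
    """Recover (username, password) from a Basic Authorization header.

    Returns None when the header is not a well-formed Basic credential
    (wrong scheme, invalid Base64, or no ':' separator).
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def credentials_exposed_in_transit(url: str, header_value: str) -> bool:
    """True when an on-path observer could read the user name and password.

    That is the case for a valid Basic credential sent over plain http://;
    over https:// (SSL) the header is carried inside the encrypted session.
    """
    plain_http = url.lower().startswith("http://")
    return plain_http and decode_basic_authorization(header_value) is not None


if __name__ == "__main__":
    # Constructed sample credentials (the well-known RFC example values).
    header = build_basic_authorization("Aladdin", "open sesame")
    print(header)                                  # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(decode_basic_authorization(header))      # ('Aladdin', 'open sesame')
    print(credentials_exposed_in_transit("http://intranet/secure/", header))   # True
    print(credentials_exposed_in_transit("https://intranet/secure/", header))  # False
```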
With Basic authentication, a user must have the Log On Locally right on the IIS server. You use the Windows NT User Manager for Domains application to grant a user the Log On Locally right.
Note: A user who has the Log On Locally right can start an interactive session on the Windows NT or Windows 2000 server.
In the following situations, Basic authentication is the best option for providing access to your Web server:
Windows NT Challenge/Response (also called NTLM) is a more secure authentication method than Basic authentication. A user is authenticated when the user first logs on to the network. When the same user then logs on to the Web server, a client application such as the Web browser uses the credentials from the network logon. If those credentials are not valid, Windows NT Challenge/Response authentication requests a valid user name and password.
Windows NT Challenge/Response authentication provides the following advantages over other types of authentication:
Windows NT Challenge/Response authentication has the following limitations:
Tip: You can configure IIS with both Basic authentication and Windows NT Challenge/Response authentication enabled. If a user’s Web browser supports Windows NT Challenge/Response authentication, IIS uses that authentication method. Otherwise, IIS defaults to Basic authentication.
When IIS receives an HTTP request from a Web browser, a Microsoft Office 2000 application, or another client, IIS processes the request in the following sequence:
You can use an IP address or domain name to control which computers connect to your Web site. Each client computer on an intranet or the Internet has an IP address, and in IIS you can create lists of IP addresses and domain names to grant or deny access to specific computers. You can configure the access restrictions at the Web site, folder, virtual directory, and file levels.
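As an added example (not code from the page or from IIS), the function below evaluates grant/deny lists of the kind described above: each configured path has a default of "grant" or "deny" plus a list of exception addresses or networks, and the most specific configured path that covers the request wins. Only IP addresses are modelled, not domain names; the policy values and the path-precedence rule are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample policy: path -> (default, exceptions).
# "grant" with exceptions = everyone allowed except the listed networks;
# "deny" with exceptions  = everyone refused except the listed networks.
POLICY = {
    "/": ("grant", ["10.0.0.0/8"]),                          # public, one range blocked
    "/admin": ("deny", ["192.168.1.0/24", "203.0.113.7"]),    # intranet and one host only
}


def _covers(configured_path: str, request_path: str) -> bool:
    """True when the configured path is the request path or one of its ancestors."""
    if configured_path == "/":
        return True
    prefix = configured_path.rstrip("/") + "/"
    return request_path == configured_path or request_path.startswith(prefix)


def is_allowed(client_ip: str, request_path: str, policy=POLICY) -> bool:
    """Decide whether client_ip may reach request_path under the grant/deny lists.

    Assumed precedence: the longest (most specific) configured path applies,
    so a folder-level restriction overrides the site-level one.
    """
    addr = ipaddress.ip_address(client_ip)
    candidates = [p for p in policy if _covers(p, request_path)]
    if not candidates:
        return True  # nothing configured for this path: no restriction
    default, exceptions = policy[max(candidates, key=len)]
    listed = any(addr in ipaddress.ip_network(e, strict=False) for e in exceptions)
    # Listed addresses get the opposite of the default.
    return listed if default == "deny" else not listed


if __name__ == "__main__":
    for ip, path in [("198.51.100.5", "/index.html"), ("10.2.3.4", "/index.html"),
                     ("198.51.100.5", "/admin/users"), ("192.168.1.20", "/admin/users")]:
        print(ip, path, "allowed" if is_allowed(ip, path) else "denied")
```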
Secure Sockets Layer is a protocol that provides communications privacy, authentication, and message integrity for TCP/IP connections. By using the SSL protocol, clients and servers can communicate with almost no possibility of eavesdropping, tampering, or message forgery. SSL is typically used with Basic authentication to encrypt user name and password transmissions.
SSL ensures secure communication through a firewall, and it also provides security for remote administration of a Web server. You can specify that Office 2000 applications and Internet Explorer use SSL to open or publish documents on an OSE-extended web.
In IIS, you must install a security certificate to use SSL. Use the Key Manager utility included with IIS to obtain a certificate, a collection of encoded data that identifies the server.
A delegation application passes on part of the Web server work to a secondary server application running on a different computer. For example, a Web server acting as a delegation application can use a database server running on a different host computer.
The various types of authentication handle delegation applications differently. If you use Basic authentication, a user logs on locally, and Windows NT security allows the secondary server to honor the user credentials.
However, if you use Windows NT Challenge/Response authentication, a secondary computer does not honor user credentials. In this case, both the secondary server and Web server must be running on the same host computer.
IIS provides considerable flexibility for secure access to your Web server. For more information about authentication methods, obtaining a security certificate, or using IP addresses and domain names to restrict access, see the online Help for IIS.
Friday, March 5, 1999 © 1999 Microsoft Corporation. All rights reserved.