http://www.microsoft.com/office/ork  
Administering Security with Office Server Extensions

Using Internet Information Server Authentication

All users are authenticated when they attempt to gain access to the Web sites, folders, and files on your Web server. You configure the authentication methods available to users with Microsoft Internet Information Server (IIS) administration tools.

Types of authentication

IIS supports the following types of authentication:

Anonymous

Anonymous access lets users who do not have Windows NT accounts connect to the server and use server resources. This type of access reduces the amount of time you spend managing accounts, and you do not have to identify the users who log on to your Web server.

During Setup, IIS creates a special anonymous account named IUSR_computer_name for Web services. By default, all Web client requests use this anonymous account to gain access to Web content.

When IIS receives an anonymous request to log on to a server or access a resource, it impersonates the IUSR_computer_name account. The request succeeds when the IUSR_computer_name account has permission to log on to the server, or use the requested resource. IIS stores resource access permission information in the resource access control lists (ACLs). When access is denied, the server prompts the user to enter a valid Windows NT user name and password.

Note   If you want to provide both restricted and unrestricted access areas on your server, you can enable both authenticated and anonymous logon methods at the same time. A user who wants to access the restricted areas of the server needs to provide a user name and password, while any user can access the areas that allow anonymous access.

Basic authentication

When you use Basic authentication, a client application such as the Web browser prompts a user for a Windows NT user name and password. Then the browser passes the user information through HTTP in encoded text for IIS to use for Basic authentication.

Basic authentication is fast, and when you use it with Secure Sockets Layer (SSL), you also have secure authentication because SSL encrypts the transmission. If you use Basic authentication without SSL, however, the user name and password are passed as clear text that is merely encoded, not encrypted, thereby compromising the security of the transmission.
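As an added illustration (not code from the Resource Kit or from IIS), the following Python shows what the Basic scheme puts on the wire: the credentials are only Base64-encoded, so anyone who can read an unencrypted HTTP request can recover them, which is why the page pairs Basic authentication with SSL. The header value and the `over_ssl` policy check are constructed for this example.

```python
import base64
import binascii
from typing import Tuple


def decode_basic_header(authorization: str) -> Tuple[str, str]:
    """Split an 'Authorization: Basic <token>' value into (user, password).

    Base64 is an encoding, not encryption: any observer of a plain HTTP
    request can reverse it exactly as this function does.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    # The password may itself contain ':'; only the first one separates fields.
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("Basic token must contain 'user:password'")
    return user, password


def basic_credentials_acceptable(authorization: str, over_ssl: bool) -> bool:
    """Server-side policy: honour Basic credentials only on an SSL connection.

    Over plain HTTP the user name and password arrive in clear (merely
    encoded) text, so a server that enables Basic should insist on SSL.
    """
    if not over_ssl:
        return False
    decode_basic_header(authorization)  # raises ValueError if malformed
    return True


# Constructed example header: the token is base64("alice:s3cret").
EXAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

if __name__ == "__main__":
    print(decode_basic_header(EXAMPLE_HEADER))
    print(basic_credentials_acceptable(EXAMPLE_HEADER, over_ssl=False))
```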

With Basic authentication, a user must have the Log On Locally right on the IIS server. You use the Windows NT User Manager for Domains application to grant a user the Log On Locally right.

Note   A user who has the Log On Locally right can start an interactive session on the Windows NT or Windows 2000 server.

In the following situations, Basic authentication is the best option for providing access to your Web server:

Windows NT Challenge/Response authentication

Windows NT Challenge/Response (also called NTLM) is a more secure authentication method than Basic authentication. A user is authenticated when the user first logs on to the network. When the same user then logs on to the Web server, a client application such as the Web browser uses the credentials from the network logon. If those credentials are not valid, Windows NT Challenge/Response authentication requests a valid user name and password.

Windows NT Challenge/Response authentication provides the following advantages over other types of authentication:

Windows NT Challenge/Response authentication has the following limitations:

Tip   You can configure IIS with both Basic authentication and Windows NT Challenge/Response authentication enabled. If a user’s Web browser supports Windows NT Challenge/Response authentication, IIS uses that authentication method. Otherwise, IIS defaults to Basic authentication.


Authenticating HTTP requests

When IIS receives an HTTP request from a Web browser, a Microsoft Office 2000 application, or another client, IIS processes the request in the following sequence:

  1. Tries the anonymous account, IUSR_computer_name.
  2. Uses Basic authentication or Windows NT Challenge/Response authentication to authenticate a user.
  3. Allows access to the file on the Web server. If the file is located on an NTFS volume, IIS allows access only when the authenticated account is on the ACL of the file and the folder in which the file is located.
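As an added model (not code from the Resource Kit or from IIS itself), this Python walks one request through the three steps above and also applies the tip that IIS prefers Challenge/Response over Basic when the browser supports it. The account names, paths and ACLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANONYMOUS = "IUSR_computer_name"  # the anonymous account IIS Setup creates


@dataclass(frozen=True)
class Resource:
    """A file on an NTFS volume with its own ACL and its folder's ACL."""
    path: str
    file_acl: FrozenSet[str]
    folder_acl: FrozenSet[str]


@dataclass
class Request:
    path: str
    credentials: Optional[str] = None   # account proven by Basic or NTLM
    browser_supports_ntlm: bool = False


def acl_permits(res: Resource, account: str) -> bool:
    # IIS grants access only when the account is on the ACL of the file
    # AND on the ACL of the folder that contains it.
    return account in res.file_acl and account in res.folder_acl


def choose_scheme(req: Request) -> str:
    # With both schemes enabled, IIS uses Challenge/Response when the
    # browser supports it and otherwise defaults to Basic.
    return "NTLM" if req.browser_supports_ntlm else "Basic"


def process(req: Request, res: Resource, anonymous_enabled: bool = True) -> dict:
    """Apply the three-step sequence from the page to a single request."""
    # Step 1: try the anonymous account first.
    if anonymous_enabled and acl_permits(res, ANONYMOUS):
        return {"status": 200, "account": ANONYMOUS}
    # Step 2: no proven account yet, so challenge the client.
    if req.credentials is None:
        return {"status": 401, "challenge": choose_scheme(req)}
    # Step 3: the authenticated account must pass both ACL checks.
    if acl_permits(res, req.credentials):
        return {"status": 200, "account": req.credentials}
    return {"status": 403, "account": req.credentials}


# Constructed sample resources: a public page and a staff-only document.
PUBLIC = Resource("/default.htm", frozenset({ANONYMOUS, "alice"}),
                  frozenset({ANONYMOUS, "alice"}))
PRIVATE = Resource("/staff/report.doc", frozenset({"alice"}),
                   frozenset({"alice", "bob"}))
```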


Using IP address or domain name to restrict access

You can use an IP address or domain name to control which computers connect to your Web site. Each client computer on an intranet or the Internet has an IP address, and in IIS you can create lists of IP addresses and domain names to grant or deny access to specific computers. You can configure the access restrictions at the Web site, folder, virtual directory, and file levels.
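An added model of the IIS address and domain restriction list (example code, not IIS's own): the administrator picks a default of granted or denied for all computers, then lists exceptions by IP address, by address plus subnet mask, or by domain name. The networks, domain names and addresses below are constructed.

```python
import ipaddress
from typing import List, Optional


class IpRestriction:
    """Default grant/deny for all computers, with listed exceptions."""

    def __init__(self, default_granted: bool):
        self.default_granted = default_granted
        self.networks: List[ipaddress.IPv4Network] = []  # address (+ mask) exceptions
        self.domains: List[str] = []                      # domain-name exceptions

    def add_address(self, address: str, mask: str = "255.255.255.255") -> None:
        # A single computer uses the host mask; a group uses its subnet mask.
        self.networks.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))

    def add_domain(self, domain: str) -> None:
        self.domains.append(domain.lower().lstrip("."))

    def is_exception(self, ip: str, hostname: Optional[str] = None) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        # hostname comes from a reverse DNS lookup of the client address, so a
        # domain-name rule costs a lookup per request and only works when the
        # client's address resolves.
        if hostname:
            h = hostname.lower().rstrip(".")
            return any(h == d or h.endswith("." + d) for d in self.domains)
        return False

    def allows(self, ip: str, hostname: Optional[str] = None) -> bool:
        # Exceptions invert the default: listed computers are denied when the
        # default is 'granted' and granted when the default is 'denied'.
        return self.default_granted != self.is_exception(ip, hostname)
```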


Using Secure Sockets Layer

Secure Sockets Layer is a protocol that provides communications privacy, authentication, and message integrity for TCP/IP connections. By using the SSL protocol, clients and servers can communicate with almost no possibility of eavesdropping, tampering, or message forgery. SSL is typically used with Basic authentication to encrypt user name and password transmissions.

SSL ensures secure communication through a firewall, and it also provides security for remote administration of a Web server. You can specify that Office 2000 applications and Internet Explorer use SSL to open or publish documents on an OSE-extended web.

In IIS, you must install a security certificate to use SSL. Use the Key Manager utility included with IIS to obtain a certificate, a collection of encoded data that identifies the server.


Using authentication with delegation applications

A delegation application passes on part of the Web server work to a secondary server application running on a different computer. For example, a Web server acting as a delegation application can use a database server running on a different host computer.

The various types of authentication handle delegation applications differently. If you use Basic authentication, a user logs on locally, and Windows NT security allows the secondary server to honor the user credentials.

However, if you use Windows NT Challenge/Response authentication, a secondary computer does not honor user credentials. In this case, both the secondary server and Web server must be running on the same host computer.


See also

IIS provides considerable flexibility for secure access to your Web server. For more information about authentication methods, obtaining a security certificate, or using IP addresses and domain names to restrict access, see the online Help for IIS.


Friday, March 5, 1999
© 1999 Microsoft Corporation. All rights reserved. Terms of use.
