Security

IIS 5.0 Authentication Modes

All users must be authenticated before they can gain access to resources in IIS 5.0. Each HTTP request from a browser runs on IIS 5.0 in the security context of a user account on the Windows operating system. IIS 5.0 executes the request in a thread that impersonates the user’s security context. An application, such as IIS 5.0, can have many simultaneous threads of execution internally, each acting on behalf of different users.

The operations that are performed during the execution of the HTTP request are limited by the capabilities granted to that user account in Windows. The user account needs to be created either on the IIS 5.0 server or in a domain of which the server running IIS 5.0 is a member. The latter is more common in intranet applications.

IIS 5.0 supports five Web authentication models:

• Anonymous
• Basic
• Integrated Windows authentication
• Digest
• Client Certificate Mapping

There are also two FTP authentication models:

• Anonymous
• Do Not Allow Anonymous

Before looking at each authentication scheme in detail, an explanation of Web authentication is necessary.

See the following:

• How Web Authentication Works
• Anonymous Web Authentication
• Basic Authentication
• Integrated Windows Authentication
• Digest Authentication
• Client Certificate Mapping
• A Brief Overview of Certificate Services
• Web Authentication Summary
• FTP Authentication

© 1997-1999 Microsoft Corporation. All rights reserved.