Enabling and Configuring Authentication

This topic provides a general procedure to enable authentication and more detailed procedures to configure the Anonymous, Basic, Digest, Advanced Digest, and Integrated Windows authentication settings. If you are unfamiliar with these authentication methods, you should read About Authentication before enabling and configuring these authentication settings on your server.

Enabling Authentication

You can enable any authentication setting or multiple settings for any Web or FTP site, virtual directory, or file. Anonymous and Integrated Windows authentication are enabled by default.

To enable a WWW authentication method

  1. Create a Windows user account appropriate for the authentication method. If appropriate, add the account to a Windows user group. For more information about creating Windows user accounts, see Securing Your Files with NTFS.
  2. Configure NTFS permissions for the directory or file for which you want to control access. For more information, see Setting NTFS Permissions for a Directory or File.
  3. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  4. Select the appropriate Directory Security or File Security property sheet. Under Anonymous Access and Authentication Control, click Edit.
  5. In the Authentication Methods dialog box, select one or more settings.

Notes

Digest and Integrated Windows authentication cannot be used with FTP sites. Available authentication settings must be set at the site level for FTP sites.

To enable an FTP authentication method

  1. Follow steps 1 through 3 in To enable a WWW authentication method.
  2. Select the Security Accounts property sheet, and select the Allow Anonymous Connections check box.
  3. In the Username and Password text boxes, enter the anonymous logon user name and password you want to use. The user name is the name of the anonymous user account, which is typically designated as IUSR_computername. Clear the Allow IIS to control password check box to change the password.
  4. Select the Allow IIS to control password check box to synchronize the password with the Windows user account.

    Note   Password synchronization can only be used with anonymous user accounts defined on the local computer and does not work with anonymous accounts on other computers on the network.

  5. Select the Allow only anonymous connections check box to require all users to log on as anonymous users.
  6. Click OK.
  7. Set the appropriate NTFS permissions for the anonymous account. For more information, see Setting NTFS Permissions for a Directory or File.

Important   If you change the security settings for your Web site or virtual directory, your Web server prompts you for permission to reset the security settings for the child levels under that site or directory. If you choose to accept these settings, the child levels inherit the security settings from the parent site or directory. For more information about setting properties, see "Properties and Inheritance of Properties on Sites" in About Web and FTP Sites.

Configuring Anonymous Authentication

By default, the Windows user group Guests includes the IUSR_computername account. You can create multiple anonymous accounts, one for each Web or FTP site, directory, or file. By giving these accounts different access permissions or by assigning them to different Windows user groups, you can grant users anonymous access to different areas of your public Web and FTP content.

The anonymous account must allow the user to log on locally. If the account does not have the Log On Locally permission, IIS cannot service anonymous requests. The IUSR_computername accounts on domain controllers are not assigned this right by default and must be changed to Log On Locally to allow anonymous requests.

You can also change the security privileges for the IUSR_computername account in Windows. However, if the anonymous user account does not have permission to access a specific resource, your Web server refuses to establish an anonymous connection for that resource. For more information, see Setting Web Server Permissions.

To enable anonymous authentication

  1. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the Directory Security or File Security property sheet. Which of the two is present depends on the level at which you are changing the security settings.
  3. In the Anonymous Access and Authentication Control section, click Edit. The Authentication Methods dialog box appears.
  4. Select the Anonymous access check box.

To change the account used for anonymous authentication

  1. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the Directory Security or File Security property sheet. Which of the two is present depends on the level at which you are changing the security settings.
  3. In the Anonymous Access and Authentication Control section, click Edit. The Authentication Methods dialog box appears.
  4. Select the Anonymous access check box and click Edit. The Anonymous User Account dialog box appears.
  5. Type the name of the valid Windows user account you want to use for anonymous access, or click Browse to select it.
  6. Clear the Allow IIS to control password check box to enter the account's password.

Important   When you change the IUSR_computername account, the changes affect every anonymous request that is serviced by a Web server. Use caution if you modify this account.

Configuring Basic Authentication

Enabling Basic authentication does not automatically configure your Web server to authenticate users. Windows user accounts must be created and the NTFS permissions properly set, as described earlier.

To properly authenticate users with Basic authentication, the Windows user accounts must have Log On Locally user rights. This right must be assigned because Basic authentication impersonates a local user, or a user physically logged on to the server. By default, user accounts on a Windows primary domain controller (PDC) are not granted the Log On Locally user rights. You can grant users Log On Locally rights by using the Active Directory Service Interfaces (ADSI). For information, see the LogonMethod reference in the Active Server Pages Guide.

Important   The Basic authentication method transmits user names and passwords across the network in an unencrypted form. You can use your Web server's encryption features, in combination with Basic authentication, to secure user account information transmitted across the network. For more information, see About Encryption.

To enable basic authentication

  1. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the Directory Security or File Security property sheet. Which of the two is present depends on the level at which you are changing the security settings.
  3. In the Authenticated Access section, select the Basic authentication check box.

You must select a default logon domain. For more information, see Setting the Default Logon Domain.

Configuring Digest Authentication

For information about the minimum requirements for using Digest authentication, see Requirements for Digest. Enabling Digest authentication on the IIS server requires the following two tasks:

To enable Digest Authentication for Windows domain servers

  1. Open the IIS snap-in.
  2. Select a Web site, virtual directory, or folder.
  3. Select Properties from the Action menu.
  4. Select the Directory Security property sheet.
  5. Click Edit in the Anonymous access and authentication control section.
  6. Select the Digest authentication for Windows domain servers check box.

Configuring the Realm Name

You can configure the realm name at any level of the metabase, shown in Table 1. If a child node is not specifically configured, it inherits its configuration from the next highest configured level.

Table 1. Metabase levels

  W3SVC
      The W3SVC level, also known as the IISWebService level, is the highest level in the metabase where Advanced Digest can be configured. Configurations set at this level are inherited by lower levels that do not have specific configuration settings.
  W3SVC/n
      The W3SVC/n level, also known as the IISWebServer level, is a specific Web site, where n is the number of the site. Sites are numbered starting at 1. The default Web site is 1.
  W3SVC/n/root
      The W3SVC/n/Root level, known as the IISWebVirtualDir level, is the starting point for a Web site, where n is the number of the site.
  W3SVC/n/root/vdir
      The W3SVC/n/ROOT/WebVirtualDir level, known as the IISWebVirtualDir level, is a virtual directory within a Web site, where n is the number of the site.
  W3SVC/n/root/vdir/webdir
      The W3SVC/n/Root/WebVirtualDir/WebDir level, also known as the IISWebDirectory level, is a physical directory within a virtual directory within a Web site, where n is the number of the site.
  W3SVC/n/root/vdir/file
      This is an individual file within the W3SVC/n/ROOT/WebVirtualDir level, where n is the number of the site.
  W3SVC/n/root/vdir/webdir/file
      This is an individual file within the W3SVC/n/Root/WebVirtualDir/WebDir level, where n is the number of the site.

It is possible to configure either one or multiple realm names on an IIS server. If multiple realm names are used, they must be configured at different levels of the metabase. You may want to configure multiple realm names, for instance, to allow access to the sales virtual directory to members of domain1 and access to the engineering virtual directory to members of domain2. This is particularly useful if domain1 and domain2 do not have a trust relationship. See the online Windows XP documentation for more information about domains.

If a child node in the metabase is not configured with a realm name, that child node inherits the realm name from the next higher level that has the realm name configured. If the realm name is not configured, IIS sends its own machine name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a Windows XP domain controller with Active Directory, Digest authentication will fail. Although possible, it is not recommended to run IIS on a Domain Controller due to security risks and performance issues.

To configure the realm name

  1. Open the command prompt window.
  2. Type cscript.exe x:\inetpub\adminscripts\adsutil.vbs set level/realm realm_name, where x is the drive on which IIS is installed, level is the metabase level (see Table 1), and realm_name is the realm name you want to use.
  3. Press ENTER.

Example

You decide to configure your default Web site (the default Web site is 1) with redmond as the realm name, and you know that IIS is installed on drive c:.

  1. In the command prompt window, type cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/1/realm redmond.
  2. Press ENTER.

The command window displays:

   realm         : <string>    "redmond"

Configuring Advanced Digest Authentication

For information about the minimum requirements for using Advanced Digest authentication, see Requirements for Advanced Digest. Enabling Advanced Digest on your IIS server requires three procedures:

Important   If you follow the first two procedures but do not configure the UseDigestSSP metabase key, you will be using Digest authentication, not Advanced Digest authentication.

To enable Advanced Digest authentication for Windows domain servers

  1. Open the IIS snap-in.
  2. Select a Web site, virtual directory, or folder.
  3. Select Properties from the Action menu.
  4. Select the Directory Security property sheet.
  5. Click Edit in the Anonymous access and authentication control section.
  6. Select the Digest authentication for Windows domain servers check box.

Configuring the Realm Name

You can configure the realm name at any level of the metabase, shown in Table 2. If a child node is not specifically configured, it inherits its configuration from the next highest configured level.

Table 2. Metabase levels

  W3SVC
      The W3SVC level, also known as the IISWebService level, is the highest level in the metabase where Advanced Digest can be configured. Configurations set at this level are inherited by lower levels that do not have specific configuration settings.
  W3SVC/n
      The W3SVC/n level, also known as the IISWebServer level, is a specific Web site, where n is the number of the site. Sites are numbered starting at 1. The default Web site is 1.
  W3SVC/n/root
      The W3SVC/n/Root level, known as the IISWebVirtualDir level, is the starting point for a Web site, where n is the number of the site.
  W3SVC/n/root/vdir
      The W3SVC/n/ROOT/WebVirtualDir level, known as the IISWebVirtualDir level, is a virtual directory within a Web site, where n is the number of the site.
  W3SVC/n/root/vdir/webdir
      The W3SVC/n/Root/WebVirtualDir/WebDir level, also known as the IISWebDirectory level, is a physical directory within a virtual directory within a Web site, where n is the number of the site.
  W3SVC/n/root/vdir/file
      This is an individual file within the W3SVC/n/ROOT/WebVirtualDir level, where n is the number of the site.
  W3SVC/n/root/vdir/webdir/file
      This is an individual file within the W3SVC/n/Root/WebVirtualDir/WebDir level, where n is the number of the site.

It is possible to configure either one or multiple realm names on an IIS server. If multiple realm names are used, they must be configured at different levels of the metabase. You may want to configure multiple realm names, for instance, to allow access to the sales virtual directory to members of domain1 and access to the engineering virtual directory to members of domain2. This is particularly useful if domain1 and domain2 do not have a trust relationship. See the online Windows XP documentation for more information about domains.

If a child node in the metabase is not configured with a realm name, that child node inherits the realm name from the next higher level that has the realm name configured. If the realm name is not configured, IIS sends its own machine name as the realm name. If IIS sends its own name as the realm name and IIS is not running on a Windows XP domain controller with Active Directory, Advanced Digest authentication will fail. Although possible, it is not recommended to run IIS on a Domain Controller due to security risks and performance issues.

To configure the realm name

  1. Open the command prompt window.
  2. Type cscript.exe x:\inetpub\adminscripts\adsutil.vbs set level/realm realm_name, where x is the drive on which IIS is installed, level is the metabase level (see Table 2), and realm_name is the realm name you want to use.
  3. Press ENTER.

Example

You decide to configure your default Web site (the default Web site is 1) with redmond as the realm name, and you know that IIS is installed on drive c:.

  1. In the command prompt window, type cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/1/realm redmond.
  2. Press ENTER.

The command window displays:

   realm         : <string>    "redmond"

Setting the UseDigestSSP Metabase Property

Advanced Digest uses a metabase key called UseDigestSSP. This metabase key is a switch between Digest and Advanced Digest Security Support Provider Interface (SSPI) code. After the key has been set, the only valid property values are 1 (TRUE), 0 (FALSE), or empty. If the property is set to TRUE, the new SSPI code for Advanced Digest is used. In all other cases (FALSE, empty, or not set), IIS uses the Digest SSPI code.

You can configure the UseDigestSSP metabase property at any level of the metabase, shown in Table 2. If a child node is not specifically configured, it inherits its configuration from the next highest configured level.
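As an added illustration (not code from IIS or from this documentation), the following Python model applies the inheritance and fallback rules stated above for both the realm name and UseDigestSSP to a constructed metabase: a node takes the nearest configured higher level's value, an unconfigured realm falls back to the machine name (which only works when IIS runs on a domain controller), and only a TRUE/1 UseDigestSSP selects Advanced Digest. The metabase contents, the machine name, and the function names are assumptions.

```python
# Added illustration of the metabase inheritance rules described in the text.
# Not IIS code: the metabase below is constructed sample data and the machine
# name is a placeholder.

MACHINE_NAME = "WEBSRV01"  # constructed placeholder for the IIS host name

# Constructed sample metabase: path -> explicitly configured properties.
SAMPLE_METABASE = {
    "w3svc/1": {"realm": "redmond"},
    "w3svc/1/root/sales": {"realm": "domain1"},
    "w3svc/1/root/engineering": {"realm": "domain2", "UseDigestSSP": "1"},
    "w3svc/2": {"UseDigestSSP": "1"},  # site 2 has no realm at any level
}

def ancestors(level):
    """Yield a metabase path and each of its ancestors, most specific first."""
    parts = level.strip("/").lower().split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])

def inherited(metabase, level, prop):
    """Value of prop at level, or from the nearest higher level that sets it."""
    for node in ancestors(level):
        if prop in metabase.get(node, {}):
            return metabase[node][prop]
    return None  # not configured anywhere on the path

def effective_auth(metabase, level, on_domain_controller=False):
    """Resolve the realm and whether Digest or Advanced Digest is in effect."""
    realm = inherited(metabase, level, "realm")
    if realm is None:
        # No realm configured: IIS sends its own machine name, and Digest
        # then fails unless IIS runs on a domain controller.
        if not on_domain_controller:
            return {"realm": MACHINE_NAME, "mode": None,
                    "error": "realm not configured; Digest authentication fails"}
        realm = MACHINE_NAME
    ssp = inherited(metabase, level, "UseDigestSSP")
    # Only TRUE/1 selects the Advanced Digest SSPI code; FALSE, empty or
    # unset leaves IIS on the Digest SSPI code.
    advanced = ssp is not None and str(ssp).strip().lower() in ("1", "true")
    return {"realm": realm, "mode": "Advanced Digest" if advanced else "Digest",
            "error": None}

if __name__ == "__main__":
    for path in ("w3svc/1/root/sales/reports", "w3svc/1/root/engineering",
                 "w3svc/1/root/other", "w3svc/2/root"):
        print(path, effective_auth(SAMPLE_METABASE, path))
```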

To configure the UseDigestSSP metabase property

  1. Open the command prompt window.
  2. Type cscript /nologo %SystemDrive%\inetpub\adminscripts\adsutil.vbs SET level/UseDigestSSP True.
  3. Press ENTER.

For more information about the UseDigestSSP metabase key, see UseDigestSSP in the Alphabetical Property List.

Example

Use this example to test whether the UseDigestSSP metabase key has been configured at the w3svc/1 level.

  1. Open the command prompt window.
  2. Type cscript /nologo %SystemDrive%\inetpub\adminscripts\adsutil.vbs GET w3svc/1/UseDigestSSP.
  3. Press ENTER.

Configuring Integrated Windows Authentication

Only Microsoft Internet Explorer versions 2.0 or later support Integrated Windows authentication. Integrated Windows authentication does not work across proxy servers or other firewall applications. If Integrated Windows authentication fails, due to improper user credentials or some other problem, the browser prompts the user to enter their user name and password.


© 1997-2001 Microsoft Corporation. All rights reserved.