Authentication Methods in IIS
By Akhilesh
For More Information...
For more information on authentication, be sure to check out the 4Guys Authentication Article Index! You'll find numerous articles on methods for allowing Web access to only a certain set of users.
In IIS you can set up various authentication methods for entire sites or virtual directories. These authentication methods determine who can access the Web pages in the site/virtual directory. The three authentication methods available are:
1. Anonymous Access - This authentication method requires NO username or password to access the site. Anyone can just type in the URL and access the site. This is the default access method for IIS sites/virtual directories and is the authentication mode for 99.9999% of the World Wide Web.
2. Basic Authentication - This authentication method requires you to type in a valid NT login and password to gain access to the system (the NT login must be a valid NT login for the NT domain that the Web server is on). Where Basic Authentication is enabled you will get a popup window asking for the username and password when you first try to visit a resource in that protected site/virtual directory. After you enter the required information, the username and password are transmitted over the network WITHOUT any encryption. This enables anyone trying to compromise your site to examine passwords during the authentication process.
3. Windows NT Challenge/Response (referred to as Integrated Windows Authentication in IIS 5) - This is supposedly the most secure form of authentication in IIS. When you log in, NT validates your login and ONLY the username is transmitted over the network. No password is transmitted. So under no circumstances can your password be compromised. Note that this method will NOT work with Netscape!
By default, when you create a Web site/virtual directory in IIS you will have Anonymous Access AND Windows NT Challenge/Response enabled.
Now, in order to identify the user accessing your site through their login, you can read Request.ServerVariables("LOGON_USER"). This will return a value only if Anonymous Access is DISABLED and you only have Basic Authentication OR Windows NT
In such a case, Request.ServerVariables("LOGON_USER") will give you both the domain name and username in the format domainName\username. If you just want the username, there are a few ways of getting it. For example, you could use:
Or, to make life a little easier, just use the Split function. (For more information on Split be sure to check out:
In most cases you would want to save this username in a database and have it associated with a UserID of some sort. This way, when a user enters your site, you match the username retrieved using
with what you have in the database and get their UserID. So if a username is not in your database, you know that this user is accessing your site for the first time.
(There may be times when you don't need to use this database approach. If you have a secure area on your site where you just want those folks who have a user account on your NT domain to be able to access the site, then you just need to disable Allow Anonymous and not worry about any sort of database tie-in.)
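The following classic ASP page is an added example, not code from the original article: it reads LOGON_USER, splits off the domain, and resolves the username to a UserID with a parameterized lookup. The table WebUsers(UserID, NTLogin), the constants EXPECTED_DOMAIN and DB_CONN, and the return codes are all assumptions made for this example.

```vbscript
<% Option Explicit %>
<%
' Hypothetical settings: the NT domain the site serves and an ADO connection string.
Const EXPECTED_DOMAIN = "MYDOMAIN"
Const DB_CONN = "Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=Web;Integrated Security=SSPI;"

' Returns -1 when the request is not authenticated, 0 when the login is valid
' but not yet in WebUsers (first visit), otherwise the stored UserID.
Function GetUserID(logonUser)
    Dim parts, domainName, userName, cmd, rs
    GetUserID = -1

    ' LOGON_USER is empty when Anonymous Access is still enabled or the client
    ' never authenticated, so treat an empty value as "not logged in".
    If Len(Trim(logonUser)) = 0 Then Exit Function

    ' Expected format is domainName\username; reject anything else.
    parts = Split(logonUser, "\")
    If UBound(parts) <> 1 Then Exit Function
    domainName = parts(0)
    userName = parts(1)

    ' Only accept accounts from the domain this site is meant to serve.
    If StrComp(domainName, EXPECTED_DOMAIN, vbTextCompare) <> 0 Then Exit Function

    ' Parameterized query: the login string is data, never part of the SQL text.
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = DB_CONN
    cmd.CommandText = "SELECT UserID FROM WebUsers WHERE NTLogin = ?"
    cmd.CommandType = 1  ' adCmdText
    cmd.Parameters.Append cmd.CreateParameter("login", 200, 1, 255, LCase(userName)) ' adVarChar, adParamInput
    Set rs = cmd.Execute

    GetUserID = 0  ' authenticated, but unknown to the application so far
    If Not rs.EOF Then GetUserID = CLng(rs("UserID"))
    rs.Close
End Function

Dim uid
uid = GetUserID(Request.ServerVariables("LOGON_USER"))
If uid = -1 Then
    Response.Status = "401 Unauthorized"
    Response.End
ElseIf uid = 0 Then
    Response.Write "First visit: create a WebUsers row for this login here."
Else
    Response.Write "Welcome back, UserID " & uid
End If
%>
```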
Now that we've looked at an overview of IIS's available authentication modes, let's examine how to set up IIS to handle such authentication. In Part 2 we'll look at the process of setting up these various authentication modes!