Few Days back I was a part of the debate with few ASP.NET developers where we were discussing the pros and cons of various web servers available in the market and types of authentication methods supported by them, why quite often public facing sites uses form based authentication and not any other types of authentication.I have been the fan of IIS since its 5x days and have learned a quite a bit about it from IIS product team members.( I am also huge fan of Apache Webserver, only think I hate about them is that they stopped giving binaries to Windows Users and its pain to built it from source unless we are on .nix platform).
I call Authentication as something where users supply their credential in order to identify themselves to the server and servers based on the roles configured in some system it determines their authorization powers as what type of operations users are entitled to do in the application.Authorization always happens after Authentication and almost at the same time.
Latest version of IIS provides around 6 ways for doing authentication and they are ,
- Anonymous Authentication: In this type end user do not supply credentials, effectively making an anonymous request. IIS 7 impersonates a fixed user account when attempting to process the request.This type of authentication is mostly used for public-facing web sites where visitors are not required to supply credentials.Users can access the site freely and browsers will not prompt the users for any kind of challenge. Its enabled by default in IIS 7.0 version. One of the best way to prevent users from accessing any resource which requires credentials is to create separate group and assign appropriate permission levels to it. Also execute permission levels should be denied to Anonymous users on windows directories.
- Basic Authentication: In this type end users is prompted to supply credentials, which are then transmitted unencrypted in base 64 format across the network. Basic Authentication is supported by all major browsers. This type of Authentication should be used only when traffic flows entirely on SSL so that the data flowing in the wire is encrypted.Anonymous Authentication should be disabled in case we want to use Basic Authentication.
- Digest Authentication: Over here end user are prompted to supply credentials, however not like in Basic authentication, the user’s password is not passed in clear text across the wire but it’s hashed using MD5.It’s mostly used along with Windows Domain Controller.Browsers needs to http 1.1 compliant in order to use this type of authentication.In addition to this Anonymous Authentication should be disabled. Quite a few intranet application in the large companies uses this type of Authentication internally for their application.
- Integrated Windows Authentication: It contains two separate authentication schemes: NTLM v2 (NT Challenge/Response) and Kerberos. Enabling Integrated Windows authentication using IIS Manager enables support for both of these two schemes. NTLM works similar to to Digest authentication (it hashes users password). Kerberos relies on shared secrets between the client, ADC, and the IIS server to authenticate the user. Kerberos is only available for Windows Active Directory accounts, whereas NTLM can be used for local accounts as well. IIS 7.0 does not present Kerberos as a discrete authentication option to the client, instead sending a “Negotiate” option, allowing the client to choose Kerberos or NTLM. NTLM can be presented as a discrete authentication option to the client. Microsoft recommends using this type of authentication for Intranet Applications since client and servers share the same domain. This type of authentication is not useful for internet because there is no encryption in the internet.
- Client Certificate Authentication:When using this type of authentication, the client presents a certificate to the server. The server is configured to map certificates to one or more Windows user accounts (it is possible to map multiple certificates to a single user account or to map each certificate to an individual user account). IIS logs on the mapped user account.Client Certificate authentication requires that SSL/TLS be enabled for the resource being secured.Mapping client certificates lets you automatically authenticate users who log on with client certificates, without requiring the use of other supported authentication methods such as Basic, Digest, or Integrated Windows authentication.
- UNC Authentication : When Server needs to retrieve files from a remote network resource e g file share, a virtual directory in IIS can be mapped to a UNC path. When configuring this virtual directory, it is possible to specify a some fixed user account that will be used to connect to that file share, irrespective of the identity of the end user.
- Form Based Authentication:It relies on the supply of credentials via html form as part of the HTTP traffic.In this way, the request for the login form is an anonymous request. After authenticating via the HTML form, an authentication cookie is set by the server.The client must return this cookie with each subsequent request in order for the request to be authenticated. Although this authentication can be configured using IIS Manager, it is effectively ASP.NET’s Form Based Authentication.Forms Based Authentication can be combined with either ASP.NET’s authorization features
(available with previous versions of ASP.NET) or IIS 7.0 new inbuilt URL Authorization feature to protect access to resources.
All these types of Authentication can be configured at directory level, website level or at file level. Maybe sometimes later I will write some posts as how to configure these types of Authentication in IIS.