Microsoft KB Archive/287537

= Using Basic authentication to generate Kerberos tokens =

Article ID: 287537

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q287537



SUMMARY
When you use Basic authentication to connect to a Web site that is hosted by Internet Information Services (IIS), you can take advantage of the delegation features of Kerberos to authenticate on multiple back-end servers, such as a Microsoft SQL Server that is called from Active Server Pages (ASP) running on IIS. To generate a Kerberos token, IIS must be a member of a Windows 2000 domain and have access to that domain's active directory.

Note A Windows 2000 domain does not generate a Kerberos token when the domain authenticates UPN credentials against a trusted Massachusetts Institute of Technology (MIT) Kerberos realm and when you use Basic authentication. This behavior is by design.

Because Basic authentication transmits user information (user name and password) in clear text, Basic authentication should only be used over Secure Socket Layer (SSL) connections.



MORE INFORMATION
When IIS authenticates users it does so by calling the LsaLogonUser function, which in turn calls an authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 for Basic authentication). When Basic authentication occurs, the following event is written to the security log IIS 5.0 server, assuming the Audit Logon Events policy is enabled: Event Type: Success Audit Event Source:  Security Event Category: Logon/Logoff Event ID:  528 Date:      1/5/2001 Time:      6:11:04 PM User:       Win2kDomain\rvittal Computer:  IIS5server Description: Successful Logon: User Name:         rvittal Domain:    Win2kDomain Logon ID:      (0x0,0x148D0AC) Logon Type:             2 Logon Process: IIS Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:  IIS5server After a user has logged into IIS with Basic authentication, IIS has that user's credentials (username:password), and can use those credentials to generate a token that can be used to impersonate the user on other computers. When a user requests a Web page that references resources on another Windows 2000 server, the IIS server generates a Kerberos security token and an event similar to the following is written in the security log on the remote server:

Event Type: Success Audit Event Source:  Security Event Category: Logon/Logoff Event ID:  540 Date:      1/5/2001 Time:      1:16:06 PM User:       Win2kDomain\rvittal Computer:  SQLbox Description: Successful Network Logon: User Name:              rvittal Domain:    Win2kDomain Logon ID:      (0x0,0x13A667F) Logon Type:             3 Logon Process:              Kerberos Authentication Package: Kerberos Workstation Name: Note that using Kerberos is not limited to Basic authentication. By default, if a Windows 2000 client attaches to an IIS5 server that is configured with Integrated authentication, Kerberos authentication is used.

