SUMMARY

This article describes how to configure Internet Information Server (IIS) 5.0 Web site authentication in a Windows 2000 server environment. IIS 5.0 Web sites can be configured to authenticate users before they are allowed access to the site, a folder in the site, or even a particular document contained with a folder at the site. IIS 5.0 authentication can be used to strengthen the level of security on sites, folders, and documents that are not for the general public.

Web site authentication is critical when resources are not meant for anonymous or public access but the Web server needs to be on the Internet to be accessible to approved users over the Internet. Examples of Web site applications that require authentication access control include Microsoft Outlook Web Access (OWA) and the Microsoft Terminal Services Advanced Client.

back to the top

Configure Authentication in the IIS 5.0 Web Server

1. On the Administrative Tools menu, click Internet Services Manager.
2. In the Internet Information Services console, click to expand your server name, and then click to expand the Web site.
3. Right-click your server name, click Properties, and then click the Internet Information Services tab.
4. In the Master Properties box, click WWW Service in the Master Properties box, and then click Edit.
   

In the WWW Server Master Properties dialog box, you can set the default values for all the Webs on the IIS server. You can change the values on new Webs as they are created. If there are existing Webs on which you have already created custom configurations, you are prompted to confirm if you want to overwrite the configurations on those Webs.

1. Click the Directory Security tab, and then click Edit in the Anonymous access and authentication control box.
2. In the Authentication Methods dialog box, confirm that the default settings are Anonymous access and Integrated Windows authentication.
3. Click one of the following authentication methods, and then click OK:
   • Anonymous access: When Anonymous access is enabled, no credentials are required to access the site unless NTFS permissions are placed on the Web site folders to control access. To edit the properties of the anonymous user account, click Edit in the Anonymous access box.
   • Basic authentication: If Basic authentication is enabled, the user credentials are sent in clear text. This format provides a low level of security because the password can be read by almost all protocol analyzers. However, it is compatible with the widest number of Web clients. If Basic authentication is enabled, you can click Edit and set a default domain for user accounts.
   • Digest authentication: Digest authentication works for Internet Explorer 5.0 and later Web clients and for Web servers that belong to a Windows 2000 domain. It has the advantage of not sending user credentials in clear text.
   • Integrated Windows authentication: Integrated Windows authentication can use both the Kerberos v5 authentication protocols and its own challenge/response authentication protocol. This option is a more secure authentication option. However, it only works for Internet Explorer 2.0 or later and Kerberos authentication does not work over HTTP connections.
     

NOTE: If multiple authentication options are selected, IIS attempts to negotiate the most secure method first, and then it works down the list of enabled authentication protocols until a mutual authentication protocol is supported by both client and server.

1. Another type of authentication is based on the requesting host rather than on user credentials. To configure this authentication, click Edit in the IP Address and Domain Name Restrictions box.
2. In the IP Address and Domain Name Restrictions dialog box, you can limit access based on source IP address, source network ID, or source domain name. After you configure your settings, click OK, and then click OK in the IP Address and Domain Name Restrictions dialog box.
3. In the WWW Service Master Properties dialog box, click Apply, and then click OK.
4. In the Server Properties dialog box, click OK.

back to the top

Troubleshooting

• You may be prompted to apply any changes you have made to existing sites. If you want the authentication changes applied to other content, click the content from the list of child nodes, and then click OK. If you do not want the changes applied to any of the child nodes, do not select any, and then click OK.
• You can set authentication options separately for each Web site, each folder, or each file. The same principles that are discussed in this article apply to each.

back to the top