Digest Authentication

Available in IIS 4?

No. This is a new IIS 5 authentication scheme.

What privileges are required?

All accounts must have the Network Logon logon right.

Supports delegation?

No. The client account cannot leave the Web server computer because a Windows subauthentication DLL is used to log on the account.

Delegation capabilities diagram

Requires Active Directory?

Yes. All accounts using Digest authentication must have the Store Password Using Reversible Encryption option enabled.

Browser support

Although Digest authentication is part of the HTTP 1.1 protocol, presently only Microsoft Internet Explorer 5 supports it.

Works through proxies and firewalls?

Yes.

Other notes

Digest authentication is defined in RFC 2617 (available at http://www.ietf.org/rfc/rfc2617.txt).

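The RFC 2617 computation behind this scheme, as an added Python example that is not part of the book: the client derives its response from H(A1) = MD5(username:realm:password), and the server can only check that response by recomputing the same value from the credential it stores, which is why the account's password has to be stored reversibly. The account table, realm value and nonce-issuing function are constructed for the example; the username, realm and password are the ones used in RFC 2617's own worked example.

```python
import hashlib
import hmac
import secrets

# Constructed sample account for the example; the username, realm and
# password are the ones used in RFC 2617's own worked example.
REALM = "testrealm@host.com"
ACCOUNTS = {"Mufasa": "Circle Of Life"}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def h_a1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password) (RFC 2617, section 3.2.2.2)."""
    return md5_hex(f"{username}:{realm}:{password}")


def request_digest(ha1: str, method: str, uri: str, nonce: str,
                   nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth: MD5(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha2 = md5_hex(f"{method}:{uri}")  # H(A2) for qop=auth
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def issue_nonce() -> str:
    """Server challenge value; a fresh nonce per challenge limits replay."""
    return secrets.token_hex(16)


def client_response(username: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """The value the browser places in the response= field of Authorization."""
    return request_digest(h_a1(username, REALM, password),
                          method, uri, nonce, nc, cnonce)


def server_verify(username: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Recompute the digest from the stored credential; compare in constant time.

    The server needs the cleartext password (or H(A1)) here: a one-way password
    hash cannot be turned back into H(A1), so Digest accounts must store the
    password reversibly.
    """
    password = ACCOUNTS.get(username)
    if password is None:
        return False
    expected = request_digest(h_a1(username, REALM, password),
                              method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected.encode(), response.encode())
```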
Integrated Windows Authentication

Available in IIS 4?

Yes, but only NTLM is supported; Kerberos is not.

What privileges are required?

The Logon Across The Network logon right is required; also, the account must not be marked as sensitive in Active Directory.

Supports delegation?

Yes, if Kerberos is chosen rather than NTLM and the environment is configured to support delegation. No, if NTLM is used.

Delegation capabilities diagram (when Kerberos is used)

Delegation capabilities diagram (when NTLM is used)

Requires Active Directory?

If Active Directory is not installed, NTLM will be used. Refer to Chapter 5 for details about what's required for Kerberos to work.

Browser support

All versions of Internet Explorer after version 1 support NTLM. Internet Explorer 5 and later support NTLM and Kerberos.

Works through proxies and firewalls?

Partially. The protocol will work through firewalls so long as the appropriate ports are opened. However, this is discouraged because of the security ramifications of opening specialized authentication ports.

Other notes

Integrated Windows authentication uses a negotiation step to select the authentication protocol, NTLM or Kerberos, based on the capabilities of the Web browser and client operating system as well as those of the Web server and server operating system.

Client Certificate Mapping (IIS Mapping)

Available in IIS 4?

Yes.

What privileges are required?

The Logon Locally logon right is required for all accounts.

Supports delegation?

Limited. The request can leave the Web server and access resources on a remote computer so long as the account exists on both computers and the passwords are the same, or domain accounts are used.

Delegation capabilities diagram

Requires Active Directory?

No.

Browser support

Any browser that supports client authentication certificates; this includes all current versions of Netscape and Microsoft browsers.

Works through proxies and firewalls?

Yes.

Other notes

IIS holds the mapping information as well as the account and password that the certificate maps to. This scheme requires SSL 3 or TLS 1, with the server configured to accept or require client authentication certificates.

Client Certificate Mapping (Windows 2000 Active Directory Mapping)

Available in IIS 4?

No.

What privileges are required?

The Logon Across The Network privilege is required for all accounts.

Supports delegation?

No.

Delegation capabilities diagram

Requires Active Directory?

Yes. The certificates are held in Active Directory.

Browser support

Any browser that supports client authentication certificates; this includes all current versions of Netscape and Microsoft browsers.

Works through proxies and firewalls?

Yes.

Other notes

The mapping is performed automatically by Active Directory, so no password administration is needed. This scheme requires SSL 3 or TLS 1, with the server configured to accept or require client authentication certificates.