Recipe 12.8. Configuring Web Site Authentication

Problem

You want to authenticate users before they can access content on your web server.

Solution

Using a graphical user interface

  1. Open Internet Information Services (IIS) Manager.

  2. In the left pane, browse to the web site, directory, or file you want to configure, right-click it, and select Properties.

  3. Select the Directory Security tab and click Edit under Authentication and access control.

  4. Select the authentication methods you want to enable on your web server and click OK.

  5. If the Inheritance Overrides dialog box appears, click Select All and click OK (repeat if this box appears again).

Using VBScript
' This code configures authentication for a web site.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ServerName>"
strSiteID = "<SiteID>"
intFlag = 1 + 4   ' Anonymous + NTLM
' Here are the available authentication values:
'     1 = Anonymous
'     2 = Basic
'     4 = NTLM
'    16 = MD5
'    64 = Passport
' For the intFlag variable, simply add together the
' numbers that represent the auth settings you want
' to configure.
' ------ END CONFIGURATION ---------

set objWebSite = GetObject("IIS://" & strComputer & "/W3SVC/" & strSiteID)
objWebSite.AuthFlags = intFlag
objWebSite.SetInfo
WScript.Echo "Successfully modified auth settings for: " & _
             objWebSite.ServerComment

Discussion

Authentication complements permissions as another tool for controlling access to content on IIS. When a user tries to access a web site, the user must first be authenticated. For a publicly hosted site designed for Internet users, anonymous access is the usual authentication method. For private intranets, some form of credential-based authentication must be used to guard against unauthorized access to company files. As Table 12-5 shows, IIS supports a number of different authentication methods to control access to your web server's content.

Table 12-5. IIS authentication methods

| Authentication method | Description | Level of security | Usage |
|---|---|---|---|
| Anonymous Access | Uses the IUSR_servername account to grant guest access to users without the need to have them supply credentials | None | Content on public-facing Internet servers |
| Basic Authentication | Transmits users' credentials in clear text over the network | Low | Use only in conjunction with SSL |
| Digest Authentication | Uses an encrypted challenge/response scheme to authenticate the user's credentials | Medium | Public content on private intranet servers |
| Integrated Windows Authentication | Uses Kerberos or NTLM to authenticate Windows accounts of users | High | Content on private intranet servers |
| .NET Passport Authentication | Requires that users sign up for .NET Passport | Highest | Servers that require Passport authentication |


If you enable multiple authentication methods including Anonymous Access, only Anonymous Access will be used. If you enable multiple authentication methods and Anonymous Access is not enabled, the most secure authentication method is attempted first, and IIS then works down toward the least secure method until the user successfully authenticates.

If authentication must take place through a proxy server, use Digest Authentication instead of Integrated Windows Authentication. Note that Digest Authentication requires Internet Explorer 5 or higher on the client end.

Unlike web sites, which support all five of the authentication methods described in Table 12-5, FTP sites on IIS support only Anonymous Access and Basic Authentication.


Using VBScript

Configuring authentication settings via ADSI is straightforward. You just need to set the AuthFlags property on a web site or virtual directory object. AuthFlags is a bit flag, which means you have to add the values associated with the desired settings and use that total as the value for AuthFlags. I included in the code the list of possible authentication settings and their corresponding values.
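An added example, not from the book: a VBScript check that decodes an AuthFlags value and applies two rules from the Discussion (Anonymous Access overrides every other enabled method, and Basic Authentication should only be used with SSL). ReviewAuthFlags is a hypothetical helper name, the sample values are constructed, and AccessSSL is the IIS ADSI property that is True when SSL is required.

```vbscript
' Added example (not from the book): review AuthFlags against the Discussion's rules.
Option Explicit
Const AUTH_ANONYMOUS = 1, AUTH_BASIC = 2, AUTH_NTLM = 4, AUTH_MD5 = 16, AUTH_PASSPORT = 64
Const KNOWN_BITS = 87   ' 1 + 2 + 4 + 16 + 64

' ReviewAuthFlags is a hypothetical helper. blnSSL: True when SSL is required.
Function ReviewAuthFlags(intFlags, blnSSL)
    Dim strOut
    ' List enabled methods from most to least secure, following Table 12-5.
    If (intFlags And AUTH_PASSPORT) <> 0 Then strOut = strOut & "Passport "
    If (intFlags And AUTH_NTLM) <> 0 Then strOut = strOut & "Integrated "
    If (intFlags And AUTH_MD5) <> 0 Then strOut = strOut & "Digest "
    If (intFlags And AUTH_BASIC) <> 0 Then strOut = strOut & "Basic "
    If (intFlags And AUTH_ANONYMOUS) <> 0 Then strOut = strOut & "Anonymous "
    If (intFlags And KNOWN_BITS) = 0 Then strOut = "no known method "
    ' Anonymous plus anything else: only Anonymous is used.
    If (intFlags And AUTH_ANONYMOUS) <> 0 And (intFlags And KNOWN_BITS) <> AUTH_ANONYMOUS Then
        strOut = strOut & "| WARNING: Anonymous is on, other methods are ignored "
    End If
    ' Basic sends credentials in clear text unless SSL is required.
    If (intFlags And AUTH_BASIC) <> 0 And Not CBool(blnSSL) Then
        strOut = strOut & "| WARNING: Basic without required SSL "
    End If
    If (intFlags And Not KNOWN_BITS) <> 0 Then
        strOut = strOut & "| NOTE: unrecognized bits " & (intFlags And Not KNOWN_BITS)
    End If
    ReviewAuthFlags = Trim(strOut)
End Function

Dim strComputer, objService, objSite, arrSample
strComputer = "<ServerName>"   ' placeholder, as in the recipe's script
If strComputer = "<ServerName>" Then
    ' Constructed sample values, so the logic can be tried without IIS.
    For Each arrSample In Array(Array(5, False), Array(6, False), Array(20, True))
        WScript.Echo arrSample(0) & ": " & ReviewAuthFlags(arrSample(0), arrSample(1))
    Next
Else
    ' Walk every web site under W3SVC and review its site-level settings.
    Set objService = GetObject("IIS://" & strComputer & "/W3SVC")
    For Each objSite In objService
        If objSite.Class = "IIsWebServer" Then
            WScript.Echo objSite.Name & " (" & objSite.ServerComment & "): " & _
                ReviewAuthFlags(objSite.AuthFlags, objSite.AccessSSL)
        End If
    Next
End If
```

The first sample value, 5, is the recipe's own 1 + 4 setting, which the check reports as Anonymous overriding NTLM. The live branch reads site-level values only; directories and files that override the setting are not visited.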

See Also

MS KB 324274 (How To Configure IIS Web Site Authentication in Windows Server 2003) and MS KB 324276 (HOW TO: Configure Internet Information Services Web Authentication in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
