How will the new security update (Microsoft Certification Based Authentication - MC316448) affect the Basic Authentication feature in IIS?

Indrani Gajjarapu 1 Reputation point


I have a scenario where a couple of web apps are hosted on Windows servers of our customer base. All the articles point to the changes for security defaults in Office 365 after March. I understand this is just for Exchange and other Microsoft apps.

I have the following queries regarding this security update:

  1. Does this mean that the "Basic Authentication" feature in IIS will be deprecated?
  2. How does this affect web apps which support multiple authentication methods? Basic, Windows and Azure AD? Should the Windows and Azure AD be the only available login options?

Thank you


1 answer

  1. Bruce Zhang-MSFT 3,731 Reputation points

    Hi @Indrani Gajjarapu ,

    Compared to other authentication methods, basic authentication only requires an account and password. At present, it seems that its security and resistance to attack are unreliable. I believe Microsoft's decision to deprecate this feature was also made with these in mind.

    Currently the IIS documentation has not updated the instructions for this section, so this means that either the IIS team is still considering it or a decision has been made but the documentation has not been updated. I think you can be patient and wait for the documentation to be updated.

    Regarding your second question, I don't think this affects apps with multiple authentication methods enabled. The site in IIS chooses the correct authentication based on the client. Even if basic authentication cannot be used, other available authentications will be selected.


    Best regards,
    Bruce Zhang
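For an inventory of which sites have Basic enabled alongside other methods, the sketch below (an added example, not part of the answer above and not Microsoft tooling) resolves the effective authentication settings per `<location>` in an applicationHost.config-style file and flags Basic enabled where TLS is not required. The sample XML and site names are constructed, and overrides in per-directory web.config files are assumed absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config layout; site names are made up.
SAMPLE = """<configuration>
 <system.webServer><security><access sslFlags="None" /><authentication>
   <anonymousAuthentication enabled="true" /><basicAuthentication enabled="false" />
 </authentication></security></system.webServer>
 <location path="Intranet"><system.webServer><security>
   <access sslFlags="Ssl" />
   <authentication>
     <anonymousAuthentication enabled="false" />
     <basicAuthentication enabled="true" />
     <windowsAuthentication enabled="true" />
   </authentication>
 </security></system.webServer></location>
 <location path="Intranet/legacy"><system.webServer><security>
   <access sslFlags="None" />
 </security></system.webServer></location>
</configuration>"""

def explicit_settings(node):
    """Settings written directly under one <configuration> or <location> node."""
    found = {}
    security = node.find("system.webServer/security")
    if security is None:
        return found
    access = security.find("access")
    if access is not None and "sslFlags" in access.attrib:
        found["sslFlags"] = access.get("sslFlags")
    for method in security.findall("authentication/*"):
        if "enabled" in method.attrib:
            found[method.tag] = method.get("enabled").lower() == "true"
    return found

def audit(xml_text):
    """Return {location: {"methods": [...], "basic_without_tls": bool}}."""
    root = ET.fromstring(xml_text)
    by_path = {loc.get("path", ""): explicit_settings(loc) for loc in root.findall("location")}
    report = {}
    for path in by_path:
        effective = explicit_settings(root)      # server-wide defaults first
        parts = path.split("/")
        for i in range(1, len(parts) + 1):       # parent site, then child overrides
            effective.update(by_path.get("/".join(parts[:i]), {}))
        flags = [f.strip() for f in effective.pop("sslFlags", "None").split(",")]
        methods = sorted(m for m, on in effective.items() if on)
        report[path] = {"methods": methods,
                        "basic_without_tls": "basicAuthentication" in methods and "Ssl" not in flags}
    return report
```

In the sample, `Intranet/legacy` inherits Basic from its parent site but overrides `sslFlags` to `None`, so it is the location that gets flagged.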