Configure Windows Authentication (IIS 7)
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Use Windows authentication when you want clients to authenticate using the NTLM or Kerberos protocols. The default authentication configuration for IIS 7 enables Anonymous authentication only.
Windows authentication, which includes both NTLM and Kerberos v5 authentication, is best suited for an intranet environment for the following reasons:
Client computers and Web servers are in the same domain.
Administrators can make sure that every client browser is Internet Explorer 2.0 or later versions.
HTTP proxy connections, which are not supported by NTLM, are not required.
Kerberos v5 requires a connection to Active Directory, which is not feasible in an Internet environment.
Windows Authentication is not supported Home or Starter editions of Windows Vista® and Windows® 7. To see which IIS features are supported on your operating system, see one of the following:
- If you are using Windows Vista® or Windows Server® 2008 see Available Role Services in IIS 7.0.
- If you are using Windows® 7 or Windows Server® 2008 R2 see Available Web Server (IIS) Role Services in IIS 7.5.
Windows authentication is not appropriate for use in an Internet environment, because that environment does not require or encrypt user credentials.
The default setting for Windows authentication is Negotiate. This setting means that the client can select the appropriate security support provider. To force NTLM authentication, you must change the value of the <Provider> element under the <windowsAuthentication> element in the ApplicationHost.config file.
For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Authentication Feature Requirements (IIS 7).
Exceptions to Feature Requirements
To configure Windows authentication
You can perform this procedure by using the user interface (UI), by running Appcmd.exe commands in a command-line window, by editing configuration files directly, or by writing WMI scripts.
To use the UI
Open IIS Manager and navigate to the level you want to manage. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).
In Features View, double-click Authentication.
On the Authentication page, select Windows Authentication.
In the Actions pane, click Enable to use Windows authentication.
Optionally, you can disable Kernel-mode authentication by clicking Advanced Settings. As a best practice, you should not disable this setting if you use Kerberos authentication and a custom identity on the application pool.
To enable or disable Windows authentication, use the following syntax:
appcmd set config /section:windowsAuthentication /enabled:true | false
By default, IIS sets the enabled attribute to false, which disables Windows authentication. If you set the attribute to true, you enable Windows authentication. For example, to enable Windows Authentication, type the following at the command prompt, and then press ENTER:
appcmd set config /section:windowsAuthentication /enabled:true
Optionally, you can force Windows authentication to use NTLM, using the following syntax:
appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']
For more information about Appcmd.exe, see Appcmd.exe (IIS 7).
The procedure in this topic affects the following configuration elements:
For more information about IIS 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.
Use the following WMI classes, methods, or properties to perform this procedure:
- WindowsAuthenticationSection class
For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.