Security Authentication <authentication>
Overview
Authentication is the mechanism you use to verify the identity of visitors to your Web site or Web application. Typically, you do this by assigning a user name and password to a visitor or allowing a visitor to anonymously access public content on your site.
Although you use authentication to confirm the identity of a visitor, you use authorization to control the visitor's access to the different areas of your site or application.
IIS 7 supports Anonymous authentication, Basic authentication, Client Certificate Mapping authentication, Digest authentication, IIS Client Certificate Mapping authentication, and Windows authentication. Additional authentication modes can be provided by third-party authentication modules.
After you install one of the authentication modules, you must enable the selected authentication module for the Web site, Web application, or Web service on which you want to use it.
Also by default, IIS 7 enables kernel-mode authentication for the Windows (which use either Kerberos or NTLM), authentication scheme. Kernel-mode authentication provides the following advantages:
- Your Web applications can run using lower-privileged accounts.
- If you use Kerberos authentication, you can use a different account than the default account associated with the Service Principle Name (SPN) of the server.
- If you use kernel-mode authentication, you can use the Windows authentication Kerberos provider without performing explicit SPN configuration.
Compatibility
| Version | Notes |
|---|---|
| IIS 10.0 | The <authentication> element was not modified in IIS 10.0. |
| IIS 8.5 | The <authentication> element was not modified in IIS 8.5. |
| IIS 8.0 | The <authentication> element was not modified in IIS 8.0. |
| IIS 7.5 | The <authentication> element was not modified in IIS 7.5. |
| IIS 7.0 | The <authentication> element was introduced in IIS 7.0. |
| IIS 6.0 | N/A |
Setup
The <authentication> element is included in the default installation of IIS 7.
How To
How to disable anonymous authentication
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2012 or Windows Server 2012 R2:
- On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows 8 or Windows 8.1:
- Hold down the Windows key, press the letter X, and then click Control Panel.
- Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and go to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
How to change anonymous authentication credentials from the IUSR account
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2012 or Windows Server 2012 R2:
- On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows 8 or Windows 8.1:
- Hold down the Windows key, press the letter X, and then click Control Panel.
- Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and navigate to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Anonymous Authentication, and then click Edit... in the Actions pane.
In the Edit Anonymous Authentication Credentials dialog box, do one of the following:
Select Application pool identity to use the identity set for the application pool, and then click OK.
Click Set..., and then in the Set Credentials dialog box, enter the user name for the account in the User name box, enter the password for the account in the Password and Confirm password boxes, click OK, and then click OK again.
Note
If you use this procedure, only grant the new account minimal privileges on the IIS server computer.
How to enable Windows authentication for a Web site, Web application, or Web service
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2012 or Windows Server 2012 R2:
- On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows 8 or Windows 8.1:
- Hold down the Windows key, press the letter X, and then click Control Panel.
- Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, expand the server name, expand Sites, and then the site, application, or Web service for which you want to enable Windows authentication.
Scroll to the Security section in the Home pane, and then double-click Authentication.
In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane.
Configuration
The <authentication> section group is defined in the <system.webServer> configuration section. This section group defines configuration sections for all user authentication types that you can install and enable on your server. You can configure it at the server level in the ApplicationHost.config file and at the application level in the Web.config file.
Attributes
None.
Child Elements
| Element | Description |
|---|---|
anonymousAuthentication |
Optional element. Specifies the settings for Anonymous authentication. |
basicAuthentication |
Optional element. Specifies the settings for Basic authentication. |
clientCertificateMappingAuthentication |
Optional element. Specifies the settings Client Certificate Mapping authentication using Active Directory. |
digestAuthentication |
Optional element. Specifies the settings for Digest authentication. |
iisClientCertificateMappingAuthentication |
Optional element. Specifies the settings Client Certificate Mapping authentication using IIS. |
windowsAuthentication |
Optional element. Specifies the settings for Windows authentication. |
Configuration Sample
The following configuration example disables Anonymous authentication for a site named Contoso, then enables both Basic authentication and Windows authentication for the site.
<location path="Contoso">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" defaultLogonDomain="Contoso" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Sample Code
The following examples disable Anonymous authentication for a site named Contoso, then enable both Basic authentication and Windows authentication for the site.
AppCmd.exe
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:"False" /commit:apphost
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/basicAuthentication /enabled:"True" /commit:apphost
appcmd.exe set config "Contoso" -section:system.webServer/security/authentication/windowsAuthentication /enabled:"True" /commit:apphost
Note
You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
C#
using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample {
private static void Main() {
using(ServerManager serverManager = new ServerManager()) {
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Contoso");
anonymousAuthenticationSection["enabled"] = false;
ConfigurationSection basicAuthenticationSection = config.GetSection("system.webServer/security/authentication/basicAuthentication", "Contoso");
basicAuthenticationSection["enabled"] = true;
ConfigurationSection windowsAuthenticationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Contoso");
windowsAuthenticationSection["enabled"] = true;
serverManager.CommitChanges();
}
}
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetApplicationHostConfiguration
Dim anonymousAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", "Contoso")
anonymousAuthenticationSection("enabled") = False
Dim basicAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/basicAuthentication", "Contoso")
basicAuthenticationSection("enabled") = True
Dim windowsAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/windowsAuthentication", "Contoso")
windowsAuthenticationSection("enabled") = True
serverManager.CommitChanges()
End Sub
End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso");
anonymousAuthenticationSection.Properties.Item("enabled").Value = false;
var basicAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/basicAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso");
basicAuthenticationSection.Properties.Item("enabled").Value = true;
var windowsAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/windowsAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso");
windowsAuthenticationSection.Properties.Item("enabled").Value = true;
adminManager.CommitChanges();
VBScript
Set adminManager = CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set anonymousAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/anonymousAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso")
anonymousAuthenticationSection.Properties.Item("enabled").Value = False
Set basicAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/basicAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso")
basicAuthenticationSection.Properties.Item("enabled").Value = True
Set windowsAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/windowsAuthentication", "MACHINE/WEBROOT/APPHOST/Contoso")
windowsAuthenticationSection.Properties.Item("enabled").Value = True
adminManager.CommitChanges()