How to Configure IIS User Authentication

Authentication is the process a web server uses to verify the identity of a user in order to decide whether or not to grant that user access to network resources.

Authentication methods can be grouped by the way the user's credentials are transferred across the network.

Authentication is a basic and important safeguard on a web server, particularly when the server hosts private data or a business-critical application.

IIS 6.0 supports four different user-authentication methods, and their characteristics vary.

You therefore need to select an authentication method based on the requirements of the specific application and on what you intend to protect. The four authentication methods are the following:

Basic Authentication

This method transfers passwords across the network unencrypted, so on its own it is not secure.

Digest Authentication For Windows Domain Servers

This method works only with Active Directory user accounts and transfers passwords across the network as hash values rather than in clear text. It is considered secure, it works through proxy servers and firewalls, and it is supported by Web Distributed Authoring and Versioning (WebDAV).

Integrated Windows Authentication

This method includes the NT LAN Manager (NTLM) protocol, also referred to as Windows NT Challenge/Response authentication, the Kerberos version 5 protocol and the Negotiate protocol. Taken together they offer secure authentication through firewalls and proxy servers, although Kerberos on its own is commonly blocked by firewalls, and when NTLM is the only method in use it is commonly blocked by proxy servers. This authentication method is secure.

.NET Passport Authentication

.NET Passport authentication uses the Microsoft .NET Passport user-authentication service to identify and authenticate users. It relies on Internet standards such as SSL, HTTP redirects, cookies, JScript and strong symmetric-key encryption to give users a single login to resources protected by .NET Passport. This authentication system is secure.

Microsoft Internet Information Services (IIS 6.0)

IIS 6.0 also lets you set up client or server certificates. These certificates use SSL encryption to secure communication between client and server.

Client Certificates

This lets the server accurately identify the user based on the information contained in each user's certificate.

Server Certificates

This lets the user accurately identify the server based on the information contained in each server's certificate.

You can adjust how users are authenticated and granted access to Websites under IIS either globally or individually for each Website hosted by the IIS server. The default configuration allows anonymous access, so guest users can visit Websites hosted on the IIS server without entering a username or password.

Microsoft Internet Information Services 7.0 (IIS 7.0)

IIS 7.0 comes with many authentication options. These include all the methods available in 6.0, plus new options and updates to the methods that shipped with older IIS versions. A major change in IIS 7.0 is that these authentication protocols are not automatically available on every IIS 7.0 installation the way they were in IIS 6.0 and IIS 5.0. Microsoft refers to this modular design as componentization.

This change is part of Microsoft's effort to further reduce the attack surface of its web server. Componentization means that when you install IIS 7.0, Windows installs only a minimal set of software modules, enough for the server to serve static web content to anonymous users. As a result, IIS 7.0 does not include all the authentication methods listed earlier by default; you need to explicitly add the authentication methods you want when you install IIS.

You choose the authentication methods to make available on your IIS 7.0 server on the Role Services page of the Add Roles Wizard when you install the web server role.

IIS 7.0 Authentication Methods

Like earlier versions, IIS 7.0 supports the standard HTTP authentication protocols (Basic and Digest), the standard Windows authentication protocols (NTLM and Kerberos), and client certificate-based authentication. It also retains the long-standing option of anonymous, or unauthenticated, access.

New in IIS 7.0 is support for a login-redirection-based method known as forms authentication. IIS 7.0 also drops support for Microsoft Passport-based authentication. Passport, Microsoft's earlier cookie-based web single sign-on (SSO) system for MSN and related Microsoft and partner websites, was succeeded by Windows Live ID, Microsoft's newer web SSO system for Windows Live and connected websites, which is also not supported by IIS 7.0.

How to Configure IIS User Authentication

User access and authentication settings can be set up at the Web Sites node level, for a single Website, for a virtual directory within a Website, or for a single file within a virtual directory. Follow the steps below to configure IIS user authentication:

Step 1: Open IIS Manager

In IIS Manager, right-click the Web Sites node, one of the Websites in the list, a virtual directory, or a file inside a virtual directory, and then click Properties.

Step 2: Click the Directory Security or File Security Tab

Which tab you see depends on whether you selected a directory-level object or a single file.

Step 3: Go to the Authentication and Access Control Section

Click Edit to open the Authentication Methods dialog box, then make the adjustments below:

•    To change the user account used for anonymous access, enter the account name and its password in the User name and Password boxes.

•    To disable anonymous access, clear the Enable anonymous access check box.

•    To specify authenticated access methods, select or clear the check box for each authentication method you want to allow or disallow: Integrated Windows authentication (selected by default), Digest authentication for Windows domain servers, Basic authentication (which sends the password in clear text), and .NET Passport authentication.

•    To enable Digest authentication, select or type the name of a realm in the Realm box.

•    To enable Basic authentication, select or type the name of a realm in the Realm box or the name of a default domain in the Default domain box.

•    To enable .NET Passport authentication, select or type the name of a pre-configured domain in the Default domain box.

Step 4: Finish the Configuration by Clicking OK

When you have finished selecting the authentication methods, click OK to save your settings, then click OK again to close the Properties window.
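The same Step 3 choices applied from the command line on IIS 7.5 or later, using the WebAdministration PowerShell module. This is an added example, not code from the original article; it assumes the Windows and Digest authentication role services were installed (see componentization above), and 'Default Web Site' and 'corp.example' are placeholders for your own site name and Digest realm.

```powershell
# Added example: apply the Step 3 authentication choices to one site on IIS 7.5+.
# Assumptions: WebAdministration module present; Windows and Digest authentication
# role services installed; 'Default Web Site' and 'corp.example' are placeholders.
Import-Module WebAdministration

$site     = 'Default Web Site'
$authBase = 'system.webServer/security/authentication'
$appHost  = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config, not the site's web.config

# Helper: set one attribute of one authentication method for the chosen site.
function Set-SiteAuth {
    param([string]$Method, [string]$Name, $Value)
    Set-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "$authBase/$Method" -Name $Name -Value $Value
}

# Disable anonymous access (Step 3, second bullet), so every request must authenticate.
Set-SiteAuth -Method anonymousAuthentication -Name enabled -Value $false

# Allow Integrated Windows authentication (Negotiate/Kerberos with NTLM fallback).
Set-SiteAuth -Method windowsAuthentication -Name enabled -Value $true

# Allow Digest authentication and set its realm (Step 3, fourth bullet).
Set-SiteAuth -Method digestAuthentication -Name enabled -Value $true
Set-SiteAuth -Method digestAuthentication -Name realm   -Value 'corp.example'

# Keep Basic authentication off: it sends the password in clear text unless the
# site is reachable only over SSL.
Set-SiteAuth -Method basicAuthentication -Name enabled -Value $false

# Verify the effective settings for the site before exposing it.
foreach ($m in 'anonymousAuthentication', 'basicAuthentication',
               'digestAuthentication', 'windowsAuthentication') {
    $cfg = Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$authBase/$m"
    '{0,-24} enabled={1}' -f $m, $cfg.enabled
}
```

Run it from an elevated PowerShell session on the IIS server; the final loop prints one line per method so you can confirm that only the intended methods are enabled.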

That’s all you need to do to configure IIS user authentication. You should be able to set up user authentication if you follow the steps presented in this article. If you get stuck along the way, feel free to leave a comment. We will do our best to put you on the right track. Happy coding!
