IIS Authentication and SSL
IIS 5.0 supports several authentication methods to control access to web content and applications.
Authentication Methods
| Method | Description | Security |
|---|---|---|
| Anonymous | Uses the IUSR_computername account. No credentials required. | None — content is public |
| Basic | Username/password sent as Base64. Works with all browsers. | Low — use only with SSL |
| Digest | Password sent as MD5 hash. Requires AD accounts. | Medium |
| Integrated Windows | NTLM or Kerberos. Browser negotiates automatically. | High — no password on wire |
| Client Certificates | X.509 certificate presented by the browser. | Very High |
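
The table's warning that Basic sends credentials only Base64-encoded, shown as an added example that is not part of the original page: this Python sketch maps an `Authorization` header to the table's methods and reports what a Basic header exposes with and without SSL. The `classify` function, the sample headers and the `alice` account are constructed for illustration.

```python
import base64
import binascii

# Map HTTP Authorization schemes to the methods in the table above.
SCHEMES = {
    "basic": "Basic",
    "digest": "Digest",
    "ntlm": "Integrated Windows",
    "negotiate": "Integrated Windows",
}


def classify(authorization, https):
    """Return (method, finding) for one request's Authorization header."""
    if not authorization:
        return ("Anonymous", "no credentials presented")
    scheme, _, param = authorization.strip().partition(" ")
    method = SCHEMES.get(scheme.lower())
    if method is None:
        return ("Unknown", "unrecognised scheme %r" % scheme)
    if method != "Basic":
        return (method, "password itself is not in the header")
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return (method, "malformed Basic credentials")
    user, sep, password = decoded.partition(":")
    if not sep:
        return (method, "malformed Basic credentials")
    # Base64 is an encoding, not encryption: the password is fully recoverable.
    exposure = "protected by SSL" if https else "readable by anyone on the path"
    return (method, "user=%s password(%d chars) %s" % (user, len(password), exposure))


# Constructed sample requests: (HTTPS on?, Authorization header value).
SAMPLES = [
    (False, "Basic " + base64.b64encode(b"alice:Spring2000!").decode("ascii")),
    (True, "Basic " + base64.b64encode(b"alice:Spring2000!").decode("ascii")),
    (False, 'Digest username="alice", realm="example", response="(constructed)"'),
    (False, "NTLM (constructed-token)"),
    (False, None),
]

if __name__ == "__main__":
    for https, header in SAMPLES:
        print("https=%-5s %s" % (https, classify(header, https)))
```
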
Configuring Authentication
- Right-click the site or directory → Properties → Directory Security tab.
- Click Edit under "Anonymous access and authentication control".
- Uncheck Anonymous access to require authentication.
- Check the desired authentication method(s).
Setting Up SSL
- Generate a certificate request: Directory Security tab → Server Certificate → Create a new certificate.
- Submit the request to a Certificate Authority (Windows 2000 Certificate Services or a public CA like VeriSign).
- Install the issued certificate: Server Certificate wizard → Process the pending request.
- Enable SSL: Directory Security → Edit under Secure Communications → check Require secure channel (SSL).
Forcing HTTPS Redirect in ASP
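```asp
<%
' Redirect any request that arrived over plain HTTP to the same URL over HTTPS.
' The HTTPS server variable is "on" for SSL requests and "off" otherwise.
If Request.ServerVariables("HTTPS") = "off" Then
    Dim strSecureURL
    ' Rebuild the URL from the requested host name and script path.
    strSecureURL = "https://" & Request.ServerVariables("SERVER_NAME") & _
                   Request.ServerVariables("URL")
    ' Preserve the original query string, if any.
    If Request.QueryString <> "" Then
        strSecureURL = strSecureURL & "?" & Request.QueryString
    End If
    Response.Redirect strSecureURL
End If
%>
```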