Executive Summary:
Microsoft Internet Information Services 7.0 (IIS)—the web server that’s bundled with Windows Vista and Windows Server 2008—includes several new and updated authentication options. One notable Microsoft IIS 7.0 feature is its componentization, which lets you select only those authentication types you want to enable on your web server. Learn more about the IIS 7.0 authentication features and how to configure them.
Authentication is the process that helps a web server confirm the identity of the clients who request access to the server’s websites and applications. Authentication is a fundamental and crucial service—especially if the web server hosts private information or mission-critical applications. Microsoft Internet Information Services 7.0 (IIS)—the web server that’s bundled with Windows Vista and Windows Server 2008—includes several authentication options, both new options and updates to those in earlier IIS versions. We’ll look at how the new authentication features compare with those in previous IIS versions and how they can help you improve control of IIS authentication and your web server’s security. Table 1 compares the different IIS 7.0 authentication protocols. (To learn more about other security-related changes in IIS 7.0, see “Unleash the Power of Microsoft Internet Information Services 7.0's Security Features,” October 2007.)
IIS 7.0 Authentication Methods
Like its predecessors, IIS 7.0 supports the classic HTTP authentication protocols (basic and digest authentication), the typical Windows authentication protocols (NTLM and Kerberos), and client certificate–based authentication. Another long-standing authentication option that’s still around in IIS 7.0 is anonymous or unauthenticated access.
New in IIS 7.0 is support for a logon redirection–based authentication method called forms authentication. Also, in IIS 7.0 Microsoft removed the support for Microsoft Passport–based authentication. Passport, the former Microsoft cookie-based web single sign-on (SSO) solution for MSN and related Microsoft and partner websites, is the predecessor to Windows Live ID, the new Microsoft Web SSO solution for Windows Live and related websites (which IIS 7.0 doesn’t support, either).
A significant change in IIS 7.0 is that these authentication mechanisms aren’t automatically available on each IIS 7.0 installation, as they were in IIS 6.0 and IIS 5.0. Microsoft calls this feature componentization, and it’s a direct consequence of Microsoft’s efforts to further reduce the attack surface of its web server. Componentization means that when you do a fresh IIS 7.0 installation, Windows installs only a bare minimum of software modules, which enable the server to serve static web content to anonymous users. This means that none of the previously mentioned authentication options is available by default. You must explicitly add the authentication options you want during the IIS installation process.
You can select the authentication components you want to make available on your IIS 7.0 server from the Select Role Services page in the Add Roles Wizard during the web server installation, as Figure 1 shows. (See “Unleash the Power of Microsoft Internet Information Services 7.0’s Security Features” for more information about IIS 7.0’s componentization.)
Configuring IIS Authentication
All IIS 7.0 authentication methods—except for client certificate–based authentication—can be configured from the Authentication icon in the Microsoft Management Console (MMC) Internet Information Services (IIS) 7.0 Manager snap-in. You can find this icon in the IIS section in the middle frame, as Figure 2 shows. If you double-click the Authentication icon, you’ll get a list of all available authentication methods, as you can see in Figure 3. To set the client certificate–based authentication options for a web server or site, you must use the SSL Settings icon in the IIS pane, as in Figure 2.
IIS lets you enable one or more authentication methods per web server or site. For example, an administrator could allow anonymous access to most web server content and require authenticated access only to certain websites on the server. To do so, the admin would enable anonymous authentication at the web server level and enable, for example, only Windows authentication for the websites that host more important information or applications. To enable an authentication method in IIS 7.0 Manager, you select the authentication method, right-click it, and select Enable, or click the Enable action in the Actions pane.
On a fresh IIS 7.0 installation, only anonymous authentication is enabled by default. To actually authenticate a user to your web server, you must first disable Anonymous Authentication in IIS Manager, then enable one or more of the other authentication methods.
An important restriction that you should be aware of when enabling different authentication methods is that you can’t enable both a challenge-based and a logon redirection–based authentication method at the same time. In other words, you can’t enable forms authentication (which is redirection-based) while basic, digest, or Windows authentication (which are challenge-based) is also enabled.
An easy and powerful option for automating configuration of IIS 7.0 authentication methods is to use the Appcmd (appcmd.exe) command-line utility. For instance, you can use appcmd.exe in a batch file to configure the web servers of a web farm. The Appcmd tool is available on all IIS 7.0 installations. To disable anonymous access, you’d use an Appcmd command like this:
appcmd set config -section:anonymousAuthentication -enabled:false
The -section switch points Appcmd to the IIS anonymous authentication configuration section, and the -enabled:false switch disables anonymous authentication. Note that appcmd.exe is located in the %systemroot%\system32\inetsrv\ directory. Because this file system location isn’t automatically part of a Server 2008 or Vista system’s PATH environment variable, you must use the full path to the appcmd.exe executable when executing Appcmd commands. You can also manually add the Inetsrv directory to your machine’s PATH environment variable, so that you can access appcmd.exe directly from any file system location. (For more information about Appcmd, you can find a good introduction to using the tool at http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe.)
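As an added example (not from the article), the following PowerShell script automates the split described earlier: anonymous access stays enabled at the server level, while one site gets anonymous authentication disabled and Windows authentication enabled through Appcmd, called by its full path and verified afterwards. The site name "Default Web Site" and the Invoke-Appcmd helper are assumptions; the script assumes the Windows Authentication role service is installed and runs from an elevated prompt on the IIS host.

```powershell
# Added example, not part of the article. Placeholder site name; adjust as needed.
param(
    [string]$SiteName = 'Default Web Site'
)

# Inetsrv is not on PATH by default, so build the full path to appcmd.exe.
$appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) {
    throw "appcmd.exe not found at $appcmd; is the Web Server (IIS) role installed?"
}

# Hypothetical helper: run appcmd and fail loudly on a non-zero exit code,
# so a batch rollout across a web farm does not silently skip a server.
function Invoke-Appcmd {
    param([string[]]$Arguments)
    $output = & $appcmd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    return $output
}

# 1. Disable anonymous access for this site only; the server-level default is untouched.
#    The authentication sections are locked at the server level by default, so the
#    site-specific override must be committed to ApplicationHost.config (a <location>
#    element) rather than to the site's Web.config, hence -commit:apphost.
Invoke-Appcmd @('set', 'config', $SiteName,
                '-section:anonymousAuthentication', '-enabled:false', '-commit:apphost')

# 2. Enable a challenge-based method (Windows authentication) for the same site.
#    Do not combine this with forms authentication on the same site (see the
#    challenge-based vs. redirection-based restriction above).
Invoke-Appcmd @('set', 'config', $SiteName,
                '-section:windowsAuthentication', '-enabled:true', '-commit:apphost')

# 3. Read the effective settings back so the change can be checked in a log.
Invoke-Appcmd @('list', 'config', $SiteName, '-section:anonymousAuthentication')
Invoke-Appcmd @('list', 'config', $SiteName, '-section:windowsAuthentication')
```

Appcmd accepts either a dash or a slash before its parameters, so the `-section:` form matches the command shown above.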
Two other options for configuring IIS 7.0 authentication are either to edit the IIS configuration files directly or to leverage Windows Management Instrumentation (WMI)–based scripting to configure IIS 7.0 authentication. The IIS configuration files are the ApplicationHost.config file, which is IIS 7.0’s main configuration file for storing web server configuration settings, and the Web.config files, which contain website- and application-specific configuration settings.