Содержание

Security Authentication Overview Authentication is the mechanism you use to verify the identity of visitors to your Web site or Web application. Typically, you do this by assigning a user name and password to a visitor or allowing a visitor to anonymously access public content on your site. Although you use authentication to confirm the identity of a visitor, you use authorization to control the visitor’s access to the different areas of your site or application. IIS 7 supports Anonymous authentication, Basic authentication, Client Certificate Mapping authentication, Digest authentication, IIS Client Certificate Mapping authentication, and Windows authentication. Additional authentication modes can be provided by third-party authentication modules. After you install one of the authentication modules, you must enable the selected authentication module for the Web site, Web application, or Web service on which you want to use it. Also by default, IIS 7 enables kernel-mode authentication for the Windows (which use either Kerberos or NTLM), authentication scheme. Kernel-mode authentication provides the following advantages: Your Web applications can run using lower-privileged accounts. If you use Kerberos authentication, you can use a different account than the default account associated with the Service Principle Name (SPN) of the server. If you use kernel-mode authentication, you can use the Windows authentication Kerberos provider without performing explicit SPN configuration. Compatibility Setup How To How to disable anonymous authentication Open Internet Information Services (IIS) Manager: If you are using Windows Server 2012 or Windows Server 2012 R2: On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. If you are using Windows 8 or Windows 8.1: Hold down the Windows key, press the letter X, and then click Control Panel. Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager. If you are using Windows Server 2008 or Windows Server 2008 R2: On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. If you are using Windows Vista or Windows 7: On the taskbar, click Start, and then click Control Panel. Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

Overview
Compatibility
Setup
How To
How to disable anonymous authentication
How to change anonymous authentication credentials from the IUSR account
How to enable Windows authentication for a Web site, Web application, or Web service
Configuration
Attributes
Child Elements
Configuration Sample
Sample Code
Adding Windows Authentication Providers Overview collection in the element specifies a unique authentication provider that is used with the Internet Information Services (IIS) 7 Windows authentication module. Compatibility collection was introduced in IIS 7.0. IIS 6.0 The collection replaces the IIS 6.0 NTAuthenticationProviders metabase property. Setup The default installation of IIS 7 and later does not include the Windows authentication role service. To use Windows authentication on IIS, you must install the role service, disable Anonymous authentication for your Web site or application, and then enable Windows authentication for the site or application. After you install the role service, IIS 7 commits the following configuration settings to the ApplicationHost.config file. Windows Server 2012 or Windows Server 2012 R2 On the taskbar, click Server Manager. In Server Manager, click the Manage menu, and then click Add Roles and Features. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Windows Authentication. Click Next. . On the Select features page, click Next. On the Confirm installation selections page, click Install. On the Results page, click Close. Windows 8 or Windows 8.1 On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows features on or off. Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Windows Authentication. Click OK. Click Close. Windows Server 2008 or Windows Server 2008 R2 On the taskbar, click Start, point to Administrative Tools, and then click Server Manager. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS). In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services. On the Select Role Services page of the Add Role Services Wizard, select Windows Authentication, and then click Next. On the Confirm Installation Selections page, click Install. On the Results page, click Close. Windows Vista or Windows 7 On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then World Wide Web Services, then Security. Select Windows Authentication, and then click OK. How To There is no user interface for Windows authentication providers for IIS 7. For examples of how to modify the list of Windows authentication providers programmatically, see the Code Samples section of this document. Configuration Attributes Attribute Description Value Optional String attribute. Specifies the name of the security provider. By default, there are two providers: Negotiate and NTLM. Child Elements Configuration Sample The following default element is configured at the root ApplicationHost.config file in IIS 7.0, and disables Windows authentication by default. It also defines the two Windows authentication providers for IIS 7.0. The following example enables Windows authentication and disables Anonymous authentication for a Web site named Contoso. Sample Code The following code examples will enable Windows authentication and remove the Negotiate provider for a site named Contoso.
Overview
Compatibility
Setup
Windows Server 2012 or Windows Server 2012 R2
Windows 8 or Windows 8.1
Windows Server 2008 or Windows Server 2008 R2
Windows Vista or Windows 7
How To
Configuration
Attributes
Child Elements
Configuration Sample
Sample Code

Security Authentication

Overview

Authentication is the mechanism you use to verify the identity of visitors to your Web site or Web application. Typically, you do this by assigning a user name and password to a visitor or allowing a visitor to anonymously access public content on your site.

Although you use authentication to confirm the identity of a visitor, you use authorization to control the visitor’s access to the different areas of your site or application.

IIS 7 supports Anonymous authentication, Basic authentication, Client Certificate Mapping authentication, Digest authentication, IIS Client Certificate Mapping authentication, and Windows authentication. Additional authentication modes can be provided by third-party authentication modules.

After you install one of the authentication modules, you must enable the selected authentication module for the Web site, Web application, or Web service on which you want to use it.

Also by default, IIS 7 enables kernel-mode authentication for the Windows (which use either Kerberos or NTLM), authentication scheme. Kernel-mode authentication provides the following advantages:

Your Web applications can run using lower-privileged accounts.
If you use Kerberos authentication, you can use a different account than the default account associated with the Service Principle Name (SPN) of the server.
If you use kernel-mode authentication, you can use the Windows authentication Kerberos provider without performing explicit SPN configuration.

Compatibility

Setup

How To

How to disable anonymous authentication

Open Internet Information Services (IIS) Manager:

If you are using Windows Server 2012 or Windows Server 2012 R2:

On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows 8 or Windows 8.1:

Hold down the Windows key, press the letter X, and then click Control Panel.
Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

If you are using Windows Server 2008 or Windows Server 2008 R2:

On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows Vista or Windows 7:

On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

In the Connections pane, expand the server name, expand Sites, and go to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.

Scroll to the Security section in the Home pane, and then double-click Authentication.

In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.

How to change anonymous authentication credentials from the IUSR account

Open Internet Information Services (IIS) Manager:

If you are using Windows Server 2012 or Windows Server 2012 R2:

On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows 8 or Windows 8.1:

Hold down the Windows key, press the letter X, and then click Control Panel.
Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

If you are using Windows Server 2008 or Windows Server 2008 R2:

On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows Vista or Windows 7:

On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

In the Connections pane, expand the server name, expand Sites, and navigate to the level in the hierarchy pane that you want to configure, and then click the Web site or Web application.

Scroll to the Security section in the Home pane, and then double-click Authentication.

In the Authentication pane, select Anonymous Authentication, and then click Edit. in the Actions pane.

In the Edit Anonymous Authentication Credentials dialog box, do one of the following:

Select Application pool identity to use the identity set for the application pool, and then click OK.

Click Set. , and then in the Set Credentials dialog box, enter the user name for the account in the User name box, enter the password for the account in the Password and Confirm password boxes, click OK, and then click OK again.

If you use this procedure, only grant the new account minimal privileges on the IIS server computer.

How to enable Windows authentication for a Web site, Web application, or Web service

Open Internet Information Services (IIS) Manager:

If you are using Windows Server 2012 or Windows Server 2012 R2:

On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows 8 or Windows 8.1:

Hold down the Windows key, press the letter X, and then click Control Panel.
Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

If you are using Windows Server 2008 or Windows Server 2008 R2:

On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

If you are using Windows Vista or Windows 7:

On the taskbar, click Start, and then click Control Panel.
Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.

In the Connections pane, expand the server name, expand Sites, and then the site, application, or Web service for which you want to enable Windows authentication.

Scroll to the Security section in the Home pane, and then double-click Authentication.

In the Authentication pane, select Windows Authentication, and then click Enable in the Actions pane.

Configuration

Attributes

Child Elements

Element	Description
anonymousAuthentication	Optional element.

Specifies the settings for Anonymous authentication. basicAuthentication Optional element.

Specifies the settings for Basic authentication. clientCertificateMappingAuthentication Optional element.

Specifies the settings Client Certificate Mapping authentication using Active Directory. digestAuthentication Optional element.

Specifies the settings for Digest authentication. iisClientCertificateMappingAuthentication Optional element.

Specifies the settings Client Certificate Mapping authentication using IIS. windowsAuthentication Optional element.

Specifies the settings for Windows authentication.

Configuration Sample

The following configuration example disables Anonymous authentication for a site named Contoso, then enables both Basic authentication and Windows authentication for the site.

Sample Code

The following examples disable Anonymous authentication for a site named Contoso, then enable both Basic authentication and Windows authentication for the site.

Adding Windows Authentication Providers

Overview

collection in the element specifies a unique authentication provider that is used with the Internet Information Services (IIS) 7 Windows authentication module.

Compatibility

collection was introduced in IIS 7.0. IIS 6.0 The

collection replaces the IIS 6.0 NTAuthenticationProviders metabase property.

Setup

The default installation of IIS 7 and later does not include the Windows authentication role service. To use Windows authentication on IIS, you must install the role service, disable Anonymous authentication for your Web site or application, and then enable Windows authentication for the site or application.

After you install the role service, IIS 7 commits the following configuration settings to the ApplicationHost.config file.

Windows Server 2012 or Windows Server 2012 R2

On the taskbar, click Server Manager.
In Server Manager, click the Manage menu, and then click Add Roles and Features.
In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Windows Authentication. Click Next.
.
On the Select features page, click Next.
On the Confirm installation selections page, click Install.
On the Results page, click Close.

Windows 8 or Windows 8.1

On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Windows Authentication.
Click OK.
Click Close.

Windows Server 2008 or Windows Server 2008 R2

On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
On the Select Role Services page of the Add Role Services Wizard, select Windows Authentication, and then click Next.
On the Confirm Installation Selections page, click Install.
On the Results page, click Close.

Windows Vista or Windows 7

On the taskbar, click Start, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
Expand Internet Information Services, then World Wide Web Services, then Security.
Select Windows Authentication, and then click OK.

How To

There is no user interface for Windows authentication providers for IIS 7. For examples of how to modify the list of Windows authentication providers programmatically, see the Code Samples section of this document.