[This is preliminary documentation and subject to change]
You can require users to provide a valid Microsoft Windows user-account name and password before they access any information on your server. This identification process is called authentication. Authentication, like many of the features in IIS, can be set at the Web site, directory, or file level. IIS provides the following authentication methods to control access to the content on your server:
| Method | Security Level | Sends Passwords How? | Usable Across Proxy Servers and Firewalls? | Client Requirements |
| Anonymous Authentication | None | N/A | Yes | Any browser |
| Basic Authentication | Low | Base64 encoded clear text | Yes; however, sending passwords across a proxy server or firewall in clear text is a security risk because Base64 encoded clear text is not encrypted | Most browsers |
| Digest Authentication | Medium | Hashed | Yes | Internet Explorer 5.0 or later |
| Advanced Digest Authentication | Medium | Hashed | Yes | Internet Explorer 5.0 or later |
| Integrated Windows Authentication | High | Hashed when NTLM is used. Kerberos ticket when Kerberos is used | No, unless used over a PPTP connection | Internet Explorer 2.0 and later for NTLM, and Windows 2000 or later with Internet Explorer 5.0 or later for Kerberos |
| Certificates | High | N/A | Yes, using an SSL connection | Internet Explorer and Netscape |
| Anonymous FTP Authentication | None | N/A | Yes | Any FTP client |
| Basic FTP Authentication | Low | Clear text | Yes | Any FTP client |