[This is preliminary documentation and subject to change]

Basic Authentication

The Basic authentication method is a widely used, industry-standard method for collecting user name and password information.

Client Authentication Process

  1. The Internet Explorer Web browser displays a dialog box where a user enters his or her previously assigned Windows account user name and password, also known as credentials.
  2. The Web browser then attempts to establish a connection to a server using the user's credentials. The clear-text password is Base64-encoded before it is sent over the network.

    Important    Base64 encoding is not encryption. If a Base64-encoded password is intercepted over the network by a network sniffer, unauthorized persons can easily decode and reuse the password.

  3. If a user's credentials are rejected, Internet Explorer displays an authentication dialog window for the user to re-enter his or her credentials. Internet Explorer allows the user three connection attempts before failing the connection and reporting an error to the user.
  4. When your Web server verifies that the user name and password correspond to a valid Microsoft Windows user account, a connection is established.

The advantage of Basic authentication is that it is part of the HTTP specification and is supported by most browsers. The disadvantage is that Web browsers using Basic authentication transmit passwords in an unencrypted form. By monitoring communications on your network, someone can easily intercept and decode these passwords using publicly available tools. Therefore, Basic authentication is not recommended unless you are confident that the connection between the user and your Web server is secure, such as with a dedicated line or a Secure Sockets Layer (SSL) connection. For more information, see Encryption.
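The following added example (not part of this documentation) shows concretely why the Base64 step offers no protection: it builds the Authorization header value a browser sends for Basic authentication, reverses it with one decode, and flags a Basic header observed on a connection that is not SSL/TLS. The credentials and function names are constructed for illustration.

```python
import base64
import binascii


def build_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value a browser sends for Basic auth.

    The client joins user name and password with a colon and Base64-encodes
    the result. This is encoding, not encryption: anyone who can read the
    request can reverse it with decode_basic_header() below.
    """
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header_value: str) -> tuple[str, str]:
    """Recover user name and password from a Basic Authorization header value.

    One Base64 decode yields the original credentials, which is why the
    documentation insists on an encrypted connection.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authentication header")
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("malformed Base64 in Basic header") from exc
    username, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("decoded credentials lack the ':' separator")
    return username, password


def basic_auth_exposed(header_value: str, url_scheme: str) -> bool:
    """True when Basic credentials travel over plain HTTP instead of SSL/TLS.

    A defender can run this over proxy or access-log records to spot the
    insecure deployment warned about above.
    """
    is_basic = header_value.strip().lower().startswith("basic ")
    return is_basic and url_scheme.lower() != "https"


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    header = build_basic_header("jdoe", "Wint3r!2001")
    print(header, decode_basic_header(header), basic_auth_exposed(header, "http"))
```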

Note    Integrated Windows Authentication takes precedence over Basic authentication. The browser chooses Integrated Windows authentication and attempts to use the current Windows logon information before prompting the user for a user name and password. Currently, only Internet Explorer versions 2.0 and later support Integrated Windows authentication.

Configuring Basic Authentication

Enabling Basic authentication does not automatically configure your Web server to authenticate users. Windows user accounts must be created and the NTFS permissions properly set, as described earlier.

To properly authenticate users with Basic authentication, the Windows user accounts must have Log On Locally user rights. This right must be assigned because Basic authentication impersonates a local user, or a user physically logged on to the server. By default, user accounts on a Windows primary domain controller (PDC) are not granted the Log On Locally user rights. You can grant users Log On Locally rights by using the Active Directory Service Interfaces (ADSI). For information, see the LogonMethod reference in the Active Server Pages Guide.

Important    The Basic authentication method transmits user names and passwords across the network in an unencrypted form. You can use your Web server's encryption features, in combination with Basic authentication, to secure user account information transmitted across the network. For more information, see About Encryption.

To enable Basic authentication

  1. In the IIS snap-in, select a site, directory, or file, and open its property sheets.
  2. Select the Directory Security or File Security property sheet. Which of the two is present depends on the level (directory or file) at which you are changing the security settings.
  3. In the Authenticated Access section, select the Basic authentication check box.

You must select a default logon domain. For more information, see Setting the Default Logon Domain.


© 1997-2001 Microsoft Corporation. All rights reserved.