IIS6.0 UI vs. IIS7.x UI Series: Basic Authentication

This week in the blog series (see the introduction to the series), let’s talk about the Basic Authentication feature in the IIS6 UI and compare it to the IIS7.x UI.

Basic Authentication feature in IIS6.0

Basic Authentication prompts the user for a username and password, which are then sent unencrypted over the network. The password is only Base64-encoded, which is effectively plain text. If it is intercepted by a network sniffer, an unauthorized user can decode the username and password and reuse them. This authentication method is not recommended unless you are sure that the connection between the user and the web server is secured (using SSL or a direct connection, for example).

IIS6 UI – Basic Authentication

To enable or disable basic authentication, you would:

- Launch IIS Manager (run inetmgr)

- Select and expand the local computer node in the tree view

- Right click on the site, folder or file that you would like to enable basic authentication for and click on “Properties” from the context menu. 

- Click on Directory Security or File Security (for a file) tab.

- In the Authentication and access control section, click the “Edit…” button.

- You can now Enable/Disable basic authentication by checking/un-checking the checkbox next to “Basic authentication (password is sent in clear text)”

- Click “Yes” on the pop-up dialog to confirm that you know the password will be sent across unencrypted and would like to proceed.

- In the “Default domain” textbox, either type the domain name you want to use or select one using the Browse button. If the domain name is left blank, IIS uses the domain of the computer/server that is running IIS as the default domain.

- Click “OK” on each of the open dialogs.

Basic Authentication feature in IIS 7.x

The key difference between IIS 6.x and IIS 7.x: Basic authentication is not part of the default IIS install. On client SKUs, you can install it from the Security feature category through Windows Feature On and Off. On server SKUs, you can install it from the Security role service of the Web Server (IIS) role in Server Manager.

IIS7 UI – Basic Authentication

To enable or disable basic authentication, you would:

- Launch IIS Manager (run inetmgr)

- Select and expand the local computer node in the tree view

- In the tree view, click the site, folder or file that you would like to enable basic authentication for.

- Open “Authentication” feature from the Home Page.

- Select “Basic Authentication” from the Authentication page list view. You can now enable or disable basic authentication by clicking the Enable/Disable (toggle) link label in the Actions pane.

- If you would like to change the Default domain or Realm (indicated to the client for information only, not used by the web server for logon), click the “Edit…” link label in the Actions pane.

- Click Ok on the Edit Basic Authentication Settings dialog when done.
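
In IIS 7.x these settings are stored by default in applicationHost.config: the Enable/Disable toggle as the enabled attribute of the basicAuthentication element, and the SSL requirement as the sslFlags attribute of the access element. The following added example (not part of the original post) audits such a file for locations where Basic authentication is in effect but SSL is not required. The sample fragment and its site names are constructed, and the script assumes all relevant settings live in location elements.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (sample data, not from the post).
SAMPLE_CONFIG = """<configuration>
  <location path="Intranet"><system.webServer><security>
    <authentication><basicAuthentication enabled="true" realm="corp" /></authentication>
    <access sslFlags="Ssl, Ssl128" />
  </security></system.webServer></location>
  <location path="Intranet/reports"><system.webServer><security>
    <access sslFlags="None" />
  </security></system.webServer></location>
  <location path="Legacy"><system.webServer><security>
    <authentication><basicAuthentication enabled="true" /></authentication>
  </security></system.webServer></location>
  <location path="Public"><system.webServer><security>
    <authentication><basicAuthentication enabled="false" /></authentication>
  </security></system.webServer></location>
</configuration>"""

def effective(settings, path, key, default):
    """Nearest explicit value for key, walking from path up through its parents."""
    parts = path.split("/") if path else []
    for n in range(len(parts), -1, -1):  # n == 0 is the server level ("")
        value = settings.get("/".join(parts[:n]), {}).get(key)
        if value is not None:
            return value
    return default  # schema defaults: Basic disabled, sslFlags "None"

def basic_without_ssl(config_xml):
    """Return <location> paths where Basic is enabled but SSL is not required."""
    settings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        basic = next(loc.iter("basicAuthentication"), None)
        access = next(loc.iter("access"), None)
        settings[loc.get("path", "")] = {
            "basic": None if basic is None else basic.get("enabled"),
            "ssl": None if access is None else access.get("sslFlags"),
        }
    findings = []
    for path in sorted(settings):
        enabled = effective(settings, path, "basic", "false").lower() == "true"
        flags = effective(settings, path, "ssl", "None").lower().split(",")
        if enabled and "ssl" not in {f.strip() for f in flags}:
            findings.append(path)
    return findings

if __name__ == "__main__":
    print(basic_without_ssl(SAMPLE_CONFIG))
```

To audit a real server, pass the text of a copy of %windir%\System32\inetsrv\config\applicationHost.config to basic_without_ssl. Note that "Intranet/reports" is flagged because it inherits Basic authentication from its parent while overriding the SSL requirement.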

 

Next blog in the series: Digest Authentication

As always, please drop a comment if there are any specific UI modules/properties you would like to be compared next and also if you have any feedback on the level of detail.
