Muqeet's blog
IIS 6 Authentication vs Authorization
I have been wanting to write a post on this topic for ages. I have finally got down to writing up a brief explanation.
IIS 6 supports several types of authentication and can meet the needs of a variety of scenarios. This post is intended to give you a good way to learn the concepts behind IIS 6 authentication.
From there, it depends on how you want to take this article too. Put down your comments and I will try to stitch the various questions together into another post on this topic. I am pretty sure IIS authentication raises a lot of questions in the reader's mind. So here it goes.
The two concepts that often confuse a lot of people are authentication and authorization. Let's start by first differentiating them.
Authentication is the process of obtaining credentials from the user and using them to verify the user's identity. These credentials can be received in many ways and can be of many types; for example, in IIS 6, if you use Basic Authentication, the username and password are transmitted over the network in plain text. Authorization, on the other hand, is the process of granting an authenticated user access to resources.
Let's understand this with the help of an example. I am going to assume that we are working with anonymous access. The usual misconception people have is that with anonymous access everyone can view anything on the server. Well, that is not true!
Authentication always precedes Authorization; even if your application lets anonymous users connect and use the application, it still authenticates them as being anonymous.
If the authenticated user does not have privileges on the content to be viewed, the user is not authorized to view it. The important point to understand here is that the user is nevertheless still authenticated.
The different types of authentication available in IIS 6 are (to save me typing duplicate material, I have linked the Microsoft documentation, which explains each one best ;) ):
- Anonymous Authentication. (Microsoft Explains)
- Digest Authentication for Windows Domain Users. (Microsoft Explains)
- Integrated Windows Authentication. (Microsoft Explains)
- Basic Authentication. (Microsoft Explains)
- .Net Passport authentication. (Microsoft Explains)
Incorrect settings may lead to various errors depending on which part of the configuration has gone wrong, but mostly you will come across 401.x or 403.x errors. For a description of these errors, see my previous post on understanding the status and substatus codes.
I will be writing a few more articles on IIS authentication in the near future. I just need to decide how to go about it :D
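To make the two steps concrete, here is a small Python model of the request pipeline described above (authentication first, then authorization, with the anonymous case and the 401/403 outcomes). It is an added example written for this post, not IIS code and not the author's; the user table, the per-path ACL and the `realm` value are constructed test data, and the status mapping is deliberately simplified (no credentials or bad credentials give a 401 challenge, an authenticated but unpermitted user gets 403) rather than IIS 6's exact substatus codes.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample accounts (username -> password). In IIS 6 these would be
# Windows accounts checked by the operating system; here they are test values.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "hunter2"}

# Constructed per-resource ACL: path -> principals allowed to read it.
# "anonymous" stands in for the anonymous account IIS 6 uses (IUSR_<machine>).
ACL: Dict[str, set] = {
    "/public/index.htm": {"anonymous", "alice", "bob"},
    "/reports/q1.htm": {"alice"},
}

# Challenge header sent with a 401 (realm name is a made-up value).
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}


@dataclass
class Identity:
    name: str
    anonymous: bool


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth.
    It is only base64("user:password"): an encoding, not encryption, which is
    why Basic credentials are readable on the wire unless TLS protects them."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate(headers: Dict[str, str]) -> Optional[Identity]:
    """Step 1: establish who is calling.
    No Authorization header -> the caller is authenticated *as anonymous*.
    A valid Basic header -> the named user. Invalid credentials -> None."""
    auth = headers.get("Authorization")
    if auth is None:
        return Identity("anonymous", True)
    scheme, _, param = auth.partition(" ")
    if scheme.lower() != "basic":
        return None  # some other scheme; this model only speaks Basic
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison so the check itself leaks nothing about the password.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return Identity(user, False)


def authorize(identity: Identity, path: str) -> bool:
    """Step 2: decide whether this already-established identity may read path."""
    return identity.name in ACL.get(path, set())


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Authentication always runs first; authorization only ever sees an identity."""
    identity = authenticate(headers)
    if identity is None:
        return 401, dict(CHALLENGE)  # credentials were presented but are wrong
    if not authorize(identity, path):
        if identity.anonymous:
            # Anonymous *was* authenticated but has no rights here, so the server
            # challenges and the client may retry with real credentials.
            return 401, dict(CHALLENGE)
        return 403, {}  # authenticated, but not permitted on this resource
    return 200, {"X-Authenticated-As": identity.name}


if __name__ == "__main__":
    cases = [
        ("/public/index.htm", {}),
        ("/reports/q1.htm", {}),
        ("/reports/q1.htm", {"Authorization": basic_header("alice", "correct horse")}),
        ("/reports/q1.htm", {"Authorization": basic_header("bob", "hunter2")}),
    ]
    for req_path, hdrs in cases:
        who = "with credentials" if hdrs else "anonymous"
        print(f"{req_path} ({who}) -> {handle_request(req_path, hdrs)[0]}")
```

Run it and the anonymous request to `/public/index.htm` succeeds while the anonymous request to `/reports/q1.htm` is challenged, which is the point of the post: anonymous access still yields an authenticated (anonymous) identity, and whether that identity may see a given resource is a separate authorization decision. Bob, who authenticates correctly but is not on the ACL, gets 403: authenticated, yet not authorized.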