Windows Authentication method on IIS6

  • Thread starter Thread starter Neko-
  • Start date Start date
N

Neko-

I know this is probably posted in the wrong group, but seeing I have
no group available on my newsserver dealing with IIS6 or Windows 2003,
this group is bound to have the closest knowledge on answering the
question I have.

I've been studying the II6 authentication process, but I fail to
understand one minor detail in that process. If one would open the
properties for the website, and enter the security tab, then select
the authentication button, you get a few choices.

These include Anonymous, Integrated Windows, Basic, .NET and Digest
authentication.

When using the Digest and/or Basic method of authenticating, the
either one or both boxes below that labeled "Default Domain" and
"Realm" become available.

The question I have is: Is there an actual difference between the two
(likely) and if so, what specifically is that difference?

I know these can be used for authentication on a server in a different
domain, but I'm wondering what the exact difference between the two
is. The microsoft help files and documentation on the web provide lots
of info, but hardly explain what these two actually mean. And if they
do, it's usually done with large bits of text that are a bit hard to
follow in some cases.

If anyone can answer this question for me, I'd appreciate it.

Neko-
 
Neko- said:
I know this is probably posted in the wrong group, but seeing I have
no group available on my newsserver dealing with IIS6 or Windows 2003,
Click to expand...

The microsoft.public.windows.server.* groups deal with Windows 2003
The microsoft.public.inetserver.* groups deal with IIS
this group is bound to have the closest knowledge on answering the
question I have.

I've been studying the II6 authentication process, but I fail to
understand one minor detail in that process. If one would open the
properties for the website, and enter the security tab, then select
the authentication button, you get a few choices.

These include Anonymous, Integrated Windows, Basic, .NET and Digest
authentication.

When using the Digest and/or Basic method of authenticating, the
either one or both boxes below that labeled "Default Domain" and
"Realm" become available.

The question I have is: Is there an actual difference between the two
(likely) and if so, what specifically is that difference?

I know these can be used for authentication on a server in a different
domain, but I'm wondering what the exact difference between the two
is. The microsoft help files and documentation on the web provide lots
of info, but hardly explain what these two actually mean. And if they
do, it's usually done with large bits of text that are a bit hard to
follow in some cases.

If anyone can answer this question for me, I'd appreciate it.

Neko-
Click to expand...

Basic's Default domain (i.e. a Windows domain)
(note that Default domain is not used by Digest authentication)
from
http://www.microsoft.com/resources/...tandard/proddocs/en-us/sec_auth_basicauth.asp
<quote>
In the Default domain box, either type the domain name you want to use, or
click Select to browse to a new default logon domain. If the Default domain
box is filled in, the name is used as the default domain. If the Default
domain box is left empty, IIS uses the domain of the computer that is
running IIS as the default domain. IIS configures the value of the
DefaultLogonDomain property, which determines the default domain used to
authenticate clients accessing your IIS server using Basic authentication.
However, the domain specified by the DefaultLogonDomain property is used
only when a client does not specify a domain in the logon dialog box that
appears on the client computer.
</quote>

Digest's Realm
(something of a logical "domain", but it is also sent to
the client authentication dialog and displayed there)
from
http://www.microsoft.com/resources/...andard/proddocs/en-us/sec_auth_digestauth.asp
<quote>
You can configure either one or multiple realm names on a server running IIS
.. You may want to configure multiple realm names, for instance, to allow
access to the sales virtual directory to members of domain1 and access to
the engineering virtual directory to members of domain2. This is
particularly useful if domain1 and domain2 do not have a trusted
relationship. If you configure multiple realm names, they must be configured
at different levels of the metabase. See Windows Server 2003 family Help for
more information about domains.
If a child key in the metabase is not configured with a realm name, that
child key inherits the realm name from the next parent key that has the
realm name configured. If the realm name is not configured, IIS sends its
own computer name as the realm name. If IIS sends its own name as the realm
name and IIS is not running on a Windows Server 2003 family domain
controller with Active Directory, Digest authentication will fail. Although
possible, it is not recommended to run IIS on a domain controller due to
security risks and performance issues.
</quote>


You might also find the first few links, if not more, of interest at
http://support.microsoft.com/search...title=false&mdt=&pwt=False&comm=1&query=iis+d
igest+authentication+realm&srch=sup&x=12&y=11
 
Back
Top