Saturday, April 7, 2012

IIS7 WinAuthentication



Some time ago, we developed a thick-client application that used Windows login authentication. It ran successfully under IIS 6 without any special treatment. After we migrated the application from IIS 6 to IIS 7, Windows authentication stopped working altogether. The root cause is that the Windows Authentication provider is missing from IIS 7 on Windows Server 2008.

Windows authentication (formerly named NTLM, and also referred to as Windows NT Challenge/Response authentication) is a secure form of authentication because the user name and password are hashed before being sent across the network. When you enable Windows authentication, the client browser sends a strongly hashed version of the password in a cryptographic exchange with your Web server.

Windows authentication supports two authentication protocols, Kerberos and NTLM, which are defined in the element. When you install and enable Windows authentication on IIS 7, the default protocol is Kerberos. The element can also contain a useKernelMode attribute that configures whether to use the kernel mode authentication feature that is new to Windows Server 2008.

In general, Windows authentication, which includes both NTLM and Kerberos v5 authentication, is best suited for an intranet environment. The default authentication configuration for IIS 7 enables Anonymous authentication only.

To install the missing Windows Authentication provider, open Server Manager (one way to do this is to right-click the computer node in the Start menu and choose Manage). Expand the Roles node, right-click Web Server (IIS) and choose Add Role Services. This opens the Add Role Services wizard; scroll down a bit and check Windows Authentication under the Security node. If you've done everything right, the Windows option will appear in the IIS authentication panel.
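The same installation can be scripted and then verified. The following is an added example, not code from the original post: it installs the role service, enables Windows authentication for one site, and reports the resulting settings. It assumes an elevated PowerShell session on Windows Server 2008 R2 or later (where the ServerManager and WebAdministration modules are available), a site named `Default Web Site`, and that the site should require a Windows login, so Anonymous authentication is switched off.

```powershell
# Added example. Assumptions: elevated session, Windows Server 2008 R2 or later,
# and a site called 'Default Web Site' that should require Windows login.
Import-Module ServerManager
Import-Module WebAdministration

$site    = 'Default Web Site'   # assumed site name, change to your own
$authSec = '/system.webServer/security/authentication'

# 1. Install the Windows Authentication role service if it is missing.
$feature = Get-WindowsFeature -Name Web-Windows-Auth
if (-not $feature.Installed) {
    Add-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

# 2. Enable Windows authentication for the site. The settings are written to a
#    <location> entry in applicationHost.config, because the authentication
#    sections are locked at server level by default.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$authSec/windowsAuthentication" -Name enabled -Value $true

# The IIS 7 default enables Anonymous only. While it stays on, requests are
# served without a login, so turn it off for a Windows-login application.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$authSec/anonymousAuthentication" -Name enabled -Value $false

# 3. Report the effective settings so the change can be checked.
foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
        -Filter "$authSec/$scheme" -Name enabled).Value
    Write-Output ("{0,-26} enabled = {1}" -f $scheme, $enabled)
}

$kernelMode = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$authSec/windowsAuthentication" -Name useKernelMode).Value
Write-Output ("{0,-26} = {1}" -f 'useKernelMode', $kernelMode)

# Providers are tried in the order listed (Negotiate covers Kerberos, with NTLM as fallback).
$providers = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$authSec/windowsAuthentication/providers" -Name '.').Collection |
    ForEach-Object { $_.Value }
Write-Output ("{0,-26} = {1}" -f 'providers', ($providers -join ', '))
```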