Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Using Basic authentication to generate Kerberos tokens


Summary

When you use Basic authentication to connect to a Web site that is hosted by Internet Information Services (IIS), you can take advantage of the delegation features of Kerberos to authenticate on multiple back-end servers, such as a Microsoft SQL Server that is called from Active Server Pages (ASP) running on IIS. To generate a Kerberos token, IIS must be a member of a Windows 2000 domain and have access to that domain's active directory.

Note A Windows 2000 domain does not generate a Kerberos token when the domain authenticates UPN credentials against a trusted Massachusetts Institute of Technology (MIT) Kerberos realm and when you use Basic authentication. This behavior is by design.

Because Basic authentication transmits user information (user name and password) in clear text, Basic authentication should only be used over Secure Socket Layer (SSL) connections.

↑ Back to the top


More information

When IIS authenticates users it does so by calling the LsaLogonUser function, which in turn calls an authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 for Basic authentication). When Basic authentication occurs, the following event is written to the security log IIS 5.0 server, assuming the Audit Logon Events policy is enabled:
Event Type:	Success Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	528
Date:		1/5/2001
Time:		6:11:04 PM
User:		Win2kDomain\rvittal
Computer:	IIS5server
Description:
Successful Logon:
 	User Name:       	rvittal
 	Domain:		Win2kDomain
 	Logon ID:		(0x0,0x148D0AC)
 	Logon Type:	             2
 	Logon Process:	IIS     
 	Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 	Workstation Name:	IIS5server<BR/>
				
After a user has logged into IIS with Basic authentication, IIS has that user's credentials (username:password), and can use those credentials to generate a token that can be used to impersonate the user on other computers. When a user requests a Web page that references resources on another Windows 2000 server, the IIS server generates a Kerberos security token and an event similar to the following is written in the security log on the remote server:


Event Type:	Success Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	540
Date:		1/5/2001
Time:		1:16:06 PM
User:		Win2kDomain\rvittal
Computer:	SQLbox
Description:
Successful Network Logon:
 	User Name:	             rvittal
 	Domain:		Win2kDomain
 	Logon ID:		(0x0,0x13A667F)
 	Logon Type:	             3
 	Logon Process:	             Kerberos
 	Authentication Package: Kerberos
 	Workstation Name:	
				
Note that using Kerberos is not limited to Basic authentication. By default, if a Windows 2000 client attaches to an IIS5 server that is configured with Integrated authentication, Kerberos authentication is used.

↑ Back to the top


References

This article is based on the information provided on page 109 of the following book:

Howard, Michael, Richard Waymire, and Marc Levy. Designing Secure Web-Based Applications for Microsoft Windows 2000 (Redmond: Microsoft Press, July 2000), p. 109.

For more information about authentication methods in IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
264921 How IIS authenticates browser clients
229694 How to install and use the IIS Security "What If" tool
For more information about Kerberos, click the following article numbers to view the articles in the Microsoft Knowledge Base:
217098 Basic overview of Kerberos user authentication protocol in Windows 2000
266080 Answers to frequently asked Kerberos questions
231789 Local logon process for Windows 2000

↑ Back to the top


Properties

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

↑ Back to the top


Keywords: kbinfo, KB287537

↑ Back to the top

Article Info
Article ID : 287537
Revision : 4
Created on : 6/19/2014
Published on : 6/19/2014
Exists online : False
Views : 460