About Authentication

You can require users attempting to establish an FTP or WWW (HTTP) connection with restricted content to provide a valid Windows NT account user name and password. This identification process, commonly called authentication, is an indispensable method for limiting access to your server content.

WWW Authentication

Normally, all users attempting to establish a WWW (HTTP) connection with your Web server log on as anonymous users. When a user establishes an anonymous connection, your Web server must log on the user with an anonymous or guest account (that is, a valid Windows NT user account to which you apply restrictions limiting the files and directories that the anonymous user can access).

To prevent anonymous users from connecting to your restricted content, you can configure your Web server to authenticate users. Authentication involves prompting users for unique user name and password information, which must correspond to a valid Windows NT user account, governed by Windows NT File System (NTFS) file and directory permissions that define the account's level of access.

Your Web server will authenticate users only under the following circumstances:

If either of the previous conditions is true, your Web server will refuse to establish an anonymous connection and attempt to identify users with the authentication method that you have enabled. Currently, your Web server supports Basic, Windows NT Challenge/Response, and SSL client certificate authentication. By enabling different combinations of these authentication methods, in addition to setting up the anonymous user account, you can establish varying levels of control in determining which users connect to your Web content.

Basic Authentication

The Basic authentication method is a widely used, industry-standard method for collecting user name and password information. When Basic authentication is enabled, the user's Web browser renders a dialog box where users can enter their previously assigned Windows NT account user names and passwords. The Web browser then attempts to establish a connection using this information. If the server rejects the information, the Web browser repeatedly displays the dialog box (the number of times depends on the Web browser's configuration) until the user enters a valid user name and password, or closes the dialog box. After your Web server verifies that the user name and password correspond to a valid Windows NT account, the user can establish a connection. For more information, see Enabling Basic Authentication.

Although widely used, this method is not recommended unless you are confident that the connection between the user and your Web server is secure. Web browsers using Basic authentication transmit user name and password information in an unencrypted form. A determined computer vandal attempting to compromise your security could use a network monitoring tool to intercept user names and passwords. (An alternative approach that enables you to use Basic authentication without compromising account information is to use your Web server's SSL secure communications features to encrypt password information. For more information, see Encryption.)
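The following example is added here to illustrate the two points above; it is not code from the original documentation or from the Web server product. It parses a constructed HTTP request, shows that the Basic credentials are merely base64-encoded (so anyone watching the wire can read them), and applies the policy the text recommends: accept Basic credentials only when the connection is SSL-protected. The request text, the `tls` flag and the result names are assumptions for the example.

```python
import base64
import binascii

# Constructed sample request, modelled on what a browser sends after the
# Basic authentication dialog box is filled in.
SAMPLE_REQUEST = (
    "GET /restricted/report.htm HTTP/1.0\r\n"
    "Host: intranet.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return the request line and a dict of lower-cased header names to values."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def decode_basic(header_value):
    """Recover (user, password) from a Basic header value, or None if malformed.
    base64 is an encoding, not encryption: no key is needed to undo it."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("latin-1")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password

def check_basic_policy(raw_request, tls):
    """Server-side policy: Basic credentials are honoured only over an SSL
    connection. Returns 'no-basic', 'malformed', 'rejected-cleartext' or 'accepted'."""
    _, headers = parse_headers(raw_request)
    auth = headers.get("authorization")
    if auth is None or not auth.lower().startswith("basic"):
        return "no-basic"
    if decode_basic(auth) is None:
        return "malformed"
    if not tls:
        return "rejected-cleartext"
    return "accepted"
```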

Windows NT Challenge/Response Authentication

Your Web server supports Windows NT Challenge/Response authentication, which authenticates users without requiring the transmission of actual passwords across a network. Currently, Microsoft Internet Explorer, version 2.0 or later, is the only Web browser that supports this authentication method.

When you enable Windows NT Challenge/Response authentication, the user's Internet Explorer browser proves its knowledge of the password through a cryptographic exchange with your Web server. The actual password never travels over the network and the user is not prompted for account information.

However, if the authentication exchange initially fails to identify the user, Internet Explorer will prompt the user for a Windows NT account user name and password, which it will process using the same Windows NT Challenge/Response method. Internet Explorer will continue to prompt the user until the user enters a valid user name and password, or closes the prompt dialog box.
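To make concrete why the password never travels over the network, here is an added, simplified challenge/response exchange written for this page; it is illustrative code, not the Windows NT Challenge/Response (NTLM) algorithm itself or any code from the Web server. It assumes an HMAC-SHA256 construction, a constructed account store, and a server that keeps only a password-derived verifier; the real protocol differs in its message formats and hash functions, but the shape of the exchange is the same.

```python
import hashlib
import hmac
import secrets

def password_verifier(password):
    """Password-derived value the server stores instead of the password (assumed scheme)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

# Constructed account store for the example.
ACCOUNTS = {"alice": password_verifier("s3cr3t")}

class Server:
    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}   # user -> outstanding nonce

    def challenge(self, user):
        """Step 1: send a fresh random nonce. Nothing secret leaves the server."""
        nonce = secrets.token_bytes(8)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Step 3: recompute the expected response from the stored verifier and
        compare in constant time. The nonce is consumed, so a captured response
        cannot be replayed against a later challenge."""
        nonce = self.pending.pop(user, None)
        verifier = self.accounts.get(user)
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password, nonce):
    """Step 2: the browser proves knowledge of the password by keying a MAC over
    the nonce. Only this MAC crosses the wire; the password itself never does."""
    return hmac.new(password_verifier(password), nonce, hashlib.sha256).digest()

def authenticate(server, user, password):
    """Run the three-step exchange and report whether the server accepted the user."""
    nonce = server.challenge(user)
    return server.verify(user, client_response(password, nonce))
```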

Note   You will find Windows NT Challenge/Response authentication useful in an intranet environment, where both user and Web server computers are in the same domain, and where administrators can ensure that every user has the same version of Microsoft Internet Explorer.

SSL Client Certificate Authentication

You can also use your Web server's Secure Sockets Layer (SSL) 3.0 security features to authenticate users by checking the contents of an encrypted digital identification submitted by the user's Web browser during the logon process. Users obtain these digital identifications, called client certificates, from a mutually trusted third-party organization. Client certificates usually contain identifying information about the user and the organization that issued the certificate. For more information, see About Client Certificates.

Note   Your Web server also supports the Private Communication Technology (PCT) 1.0 protocol.

Client Certificate Mapping

Your Web server has a client certificate mapping feature that authenticates users who log on with client certificates, without requiring the use of Basic or Windows NT Challenge/Response authentication. A mapping relates the contents of a user's client certificate to a corresponding Windows NT account, a file defining the rights and access policies of the user. After you create and enable a mapping, each time a user logs on with a client certificate, your Web server automatically connects, or maps, that user to an appropriate Windows NT account. For more information, see Mapping Client Certificates to User Accounts.

Client Certificates for Authenticating Anonymous Users

With client certificates you can also regulate which users are allowed to establish an anonymous connection with your Web server. For example, limiting anonymous user connections may be useful if your Web site provides confidential information only to employees of a specific company. When a user attempts to establish an anonymous connection, your Web server can check whether the user submitted a client certificate issued only to company employees.

By screening anonymous users with client certificate authentication, you can reduce your server's network traffic and maintain better control over the privacy of your Web content. For more information, see About Client Certificates.
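The example below is added to show, in one place, the two uses of client certificates described above (mapping a certificate to a Windows NT account, and gating anonymous connections on the certificate's issuer). It is illustrative code written for this page, not the Web server's mapping feature or its configuration format; the certificate records, the issuer name, the mapping rules and the anonymous account name are all constructed. It goes slightly beyond the text by allowing a rule to match several certificates (a many-to-one rule keyed on the subject's OU).

```python
# Constructed certificate records: only the fields a mapping rule inspects.
EMPLOYEE_CA = "CN=Example Corp Employee CA,O=Example Corp"
TRUSTED_ISSUERS = {EMPLOYEE_CA}
ANONYMOUS_ACCOUNT = "IUSR_WEBSERVER"   # constructed name for the anonymous account

def parse_dn(dn):
    """Split an X.500-style name such as 'CN=Alice Adams,OU=Finance,O=Example Corp'
    into a dict of attribute -> value (simplified: no escaped commas)."""
    return dict(part.split("=", 1) for part in dn.split(","))

# Mapping rules: (issuer, subject attributes that must all match, NT account).
# A rule with only a few attributes maps many certificates to one account.
RULES = [
    (EMPLOYEE_CA, {"CN": "Alice Adams", "OU": "Finance"}, r"EXAMPLE\alice"),
    (EMPLOYEE_CA, {"OU": "IT"}, r"EXAMPLE\itstaff"),
]

def map_certificate(cert, rules=RULES, trusted=TRUSTED_ISSUERS):
    """Return the Windows NT account mapped to this certificate, or None.
    A certificate from an untrusted issuer is never mapped, whatever its subject says."""
    if cert["issuer"] not in trusted:
        return None
    subject = parse_dn(cert["subject"])
    for issuer, required, account in rules:
        if issuer == cert["issuer"] and all(subject.get(k) == v for k, v in required.items()):
            return account
    return None

def admit_anonymous(cert, trusted=TRUSTED_ISSUERS):
    """Anonymous gate: only holders of a certificate from the company's own issuer
    may connect anonymously; no certificate at all means no connection."""
    return cert is not None and cert.get("issuer") in trusted

def logon(cert):
    """Decide which account a request runs under: a mapped account if a rule matches,
    the anonymous account if the certificate passes the anonymous gate, else refuse."""
    account = map_certificate(cert) if cert is not None else None
    if account is not None:
        return account
    if admit_anonymous(cert):
        return ANONYMOUS_ACCOUNT
    return None
```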

FTP Authentication Methods

To establish an FTP connection with your Web server, users must log on with a user name and password corresponding to a valid Windows NT account. If the Web server cannot verify a user's identity, the server returns an error message. FTP authentication is not secure because the user transmits the password and user name across the network in an unencrypted form. For more information, see About Access Control.


© 1997 by Microsoft Corporation. All rights reserved.