Introducing Integrated Windows Authentication
To configure Integrated Windows Authentication, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer with an account that is not in the Administrators group, and then use the Run As command to run IIS Manager as an administrator. At the command prompt, type runas /User:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Websites that run in different worker processes under different identities can be isolated from one another. IIS may behave differently when Integrated Windows Authentication is used with such a configuration. Integrated Windows Authentication tries to use Kerberos, a network authentication protocol, which might not work depending on the identity of the worker process.
Kerberos authentication fails in two cases:
1. Kerberos authentication fails when websites are isolated at the virtual directory level by configuring the worker process identities as different domain accounts.
2. Kerberos authentication fails when you use a local user account or the LocalService account as the worker process identity with Integrated Windows Authentication and do not use a Windows Internet Name Service (WINS) or Domain Name System (DNS) name for the server that runs IIS, because Active Directory does not trust these accounts.
When Kerberos authentication fails, you can force IIS to use NTLM authentication. To do this, set the NTAuthenticationProviders metabase property to NTLM.
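
One way to set the property from a command prompt, scoped to a single site instead of the whole server (an added example, not part of the original page). It assumes adsutil.vbs is in its default AdminScripts folder and that the target is site ID 1; both are assumptions to adjust for your server.

```batch
@echo off
rem Added example: force NTLM for one IIS 6.0 website through the metabase.
rem Run on the IIS server from a prompt started with administrative rights
rem (for example through runas, as described above).
setlocal

rem Assumption: default location of the IIS administration scripts.
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Assumption: site ID 1. Replace with the ID of the site whose worker
rem process identity cannot use Kerberos.
set SITE=1
set KEY=w3svc/%SITE%/root/NTAuthenticationProviders

rem 1. Record the current value before changing anything. If the property
rem    is not set at this node, the site uses the value inherited from a
rem    higher level of the metabase.
echo Current value of %KEY%:
cscript //nologo "%ADSUTIL%" get %KEY%

rem 2. Restrict this site to NTLM. Setting the property at the site level
rem    leaves other sites free to keep negotiating Kerberos.
cscript //nologo "%ADSUTIL%" set %KEY% "NTLM"

rem 3. Read the property back to confirm the change was written.
echo New value of %KEY%:
cscript //nologo "%ADSUTIL%" get %KEY%

rem To undo the change and let the site negotiate Kerberos again, restore
rem the value "Negotiate,NTLM":
rem   cscript //nologo "%ADSUTIL%" set %KEY% "Negotiate,NTLM"

endlocal
```

Setting the property on w3svc instead of w3svc/1/root applies it to every site that does not override it, so prefer the narrowest node that covers the affected worker process identity.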