Chapter 14. Authentication and Authorization

Configuring authentication and authorization for IIS, and for applications running on top of IIS, is one of the more complex IIS security tasks. This is partly because of the number of authentication options available, partly because both the previous version of IIS (6.0) and IIS 7.0 offer more than one request processing pipeline (so the same request may be authenticated by different modules depending on how the pipeline is configured), and partly because authentication and authorization are often conflated, even though they are distinct concepts and are configured separately.

Authentication is the process by which a client asserts an identity and proves that identity to a remote service (in this case IIS). Typically, a client or user presents an identifier (for example, a Windows username) and is then required to prove ownership of it. Proof of identity takes the form of something you know (a password), something you have (a security token), or something you are (some kind of biometric identification). Two-factor or multifactor authentication systems combine factors of different kinds, requiring more than one piece of authentication information before the end user's identity is accepted.

Authorization occurs after authentication. It is the process by which an authenticated identity requests permission to perform an operation (for example, view a file), and the system checks that request against the access control list (ACL) maintained for the file or resource. The ACL consists of a set of access control entries (ACEs), each of which specifies a user or group and the operations that user or group is allowed or denied. Note that a request that has not authenticated is still authorized; it is simply evaluated as the anonymous identity. By "operations," we ...
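To make the ACL check concrete, the following is an added example (not code from the book or from IIS) that models how an ACL of allow and deny ACEs is evaluated against a requesting identity. The evaluation rules follow the documented Windows behaviour for a DACL: no DACL at all grants everything, an empty DACL grants nothing, entries are walked in order, allowed rights accumulate until every requested right is covered, and a deny entry that covers a still-ungranted right ends the check. The rights bits, identities, group names and the sample folder ACL are constructed for illustration; the model omits owner rights, privileges and inheritance ordering.

```python
"""Simplified model of a Windows-style DACL access check (added example).

Everything below is constructed for illustration: the access-mask bits,
the identities and groups, and the sample folder DACL. It is not the
book's code and not how IIS itself is implemented.
"""
from dataclasses import dataclass

# Constructed access-mask bits, modelled loosely on file rights.
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4


@dataclass(frozen=True)
class Ace:
    trustee: str   # user or group the entry applies to
    allow: bool    # True = access-allowed ACE, False = access-denied ACE
    mask: int      # rights this entry allows or denies


@dataclass(frozen=True)
class Token:
    """The identity produced by authentication: a user plus its groups."""
    user: str
    groups: frozenset

    def matches(self, trustee):
        return trustee == self.user or trustee in self.groups


def access_check(dacl, token, requested):
    """Return True if all `requested` rights are granted to `token` by `dacl`.

    Rules modelled here:
      * dacl is None  -> no DACL present, everything is granted.
      * dacl == []    -> empty DACL, nothing is granted.
      * ACEs are walked in order; allowed bits accumulate until every
        requested bit is covered; a deny ACE covering a still-ungranted
        bit denies immediately. Ordering therefore matters, which is why
        explicit deny entries are placed before allow entries.
    """
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if remaining == 0:
            break
        if not token.matches(ace.trustee):
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
    return remaining == 0


# Constructed sample DACL on a web content folder, in canonical order
# (explicit deny first). Names are illustrative only.
WEB_ROOT_DACL = [
    Ace("Contractors", allow=False, mask=WRITE),
    Ace("BUILTIN\\Administrators", allow=True, mask=READ | WRITE | EXECUTE),
    Ace("IIS_IUSRS", allow=True, mask=READ | EXECUTE),
    Ace("WebAuthors", allow=True, mask=READ | WRITE),
]

# Same entries with the deny moved last: a misordered DACL.
MISORDERED_DACL = WEB_ROOT_DACL[1:] + WEB_ROOT_DACL[:1]

# Constructed identities (application pool, a contractor, an administrator).
APP_POOL = Token("IIS APPPOOL\\DefaultAppPool", frozenset({"IIS_IUSRS"}))
CONTRACTOR = Token("CORP\\alice", frozenset({"Contractors", "WebAuthors"}))
ADMIN = Token("CORP\\bob", frozenset({"BUILTIN\\Administrators"}))


def demo():
    """Evaluate a set of requests and return the decisions by name."""
    return {
        "apppool_read": access_check(WEB_ROOT_DACL, APP_POOL, READ),
        "apppool_write": access_check(WEB_ROOT_DACL, APP_POOL, WRITE),
        "contractor_read": access_check(WEB_ROOT_DACL, CONTRACTOR, READ),
        # Alice is in WebAuthors (allowed WRITE) but the Contractors deny
        # comes first in the list, so the deny wins.
        "contractor_write": access_check(WEB_ROOT_DACL, CONTRACTOR, WRITE),
        # With the deny ordered last, the allow is reached first and the
        # deny is never consulted: ordering changed the decision.
        "misordered_contractor_write": access_check(MISORDERED_DACL, CONTRACTOR, WRITE),
        "admin_all": access_check(WEB_ROOT_DACL, ADMIN, READ | WRITE | EXECUTE),
        "empty_dacl": access_check([], ADMIN, READ),
        "no_dacl": access_check(None, APP_POOL, WRITE),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'granted' if decision else 'denied'}")
```

The two contractor cases are the point of the example: the same set of ACEs yields opposite decisions depending on their order, which is why tools that write ACLs keep deny entries ahead of allow entries and why a hand-edited or programmatically built ACL should be checked for that ordering.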
