Configuring Basic Authentication

When Basic authentication is enabled, users are prompted to supply a username and password. This password is encoded using Base64 encoding and sent to the server. It is important to note that Base64 encoding is not encryption, and the use of an underlying transport security technology such as SSL/TLS, IPsec, or some VPN technology is recommended to ensure that credentials are not exposed to attackers or devices that are monitoring network traffic.

Basic authentication was introduced as part of the HTTP v1.0 protocol standard, and as such is supported by every major browser. Owing to its simplicity, Basic authentication can safely be used across proxy servers and through firewalls. When using Basic authentication, the server has the user's username and password and can directly access network resources (for example, a remote SQL Server or file server) on behalf of the user.

When accessing a file secured using Basic authentication, the browser first makes an anonymous request. The server replies with an HTTP 401 (Unauthorized) status. (Some HTTP headers are omitted for brevity.)

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/8.0
WWW-Authenticate: Basic
Date: Wed, 25 Jul 2012 09:02:51 GMT

The WWW-Authenticate HTTP header indicates that the server supports Basic authentication for clients who want to authenticate.

Note
If multiple authentication mechanisms are supported, multiple WWW-Authenticate headers will be returned—for example: ...
