1

i've some questions about Basic Authentication in Windows Server 2008.

I read that Basic Authentication send the passowrd as plain text, so it is insecure, but you can combinate it with SSL to improve security. In that case, what are differences between Basic Authentication with SSL and Integrate Windows Authentication? Differences considering the security (and also performance).

And what are differences between windows native authentication (basic) and an application authentication, like the most of web site uses? (even here, differences in security and performance)

Thank you

Matteo
  • 81
  • 1
  • 9

2 Answers2

2

Yes, Basic Authentication sends passwords in plain text. If your website runs over SSL, then this makes all communication (including the Basic Authentication) secure.

Integrated Windows Authentication just refers to the fact that IIS will check any incoming username/password combinations against Windows users (domain and or local users), rather than checking some other store. You can use integrated authentication with basic (plain text) or digest (md5 hash) styles of transferring credentials. The latter is more secure because the actual password isn't transmitted.

Unless you're running an intranet site where your clients already authenticated with the same Windows domain, I would steer clear of using Integrated Windows Authentication.

Application Authentication basically means you do the authentication yourself within your script/web application. This usually involves collecting a username and password in a normal html form, checking the username/password against your database, and setting a session value indicating the client has been authenticated. This is a portable approach, as it does not require any Windows users to be set up for your clients. Login forms should run over SSL, as forms will pass the password field in plain text.

Steve Mayne
  • 1,001
  • 6
  • 5
1

With Basic Authentication, the user gets a browser pop-up asking from credentials, which are then sent to the server using plain text, so unless you're using SSL, they can be captured.

With Integrated Windows Authentication, the browser automatically sends to the server the credentials with which the user is currently logged on to Windows; those credentials are not sent using plain text, but this of course only makes sense if the server and the client are in the same domain.

An application authentication is (basically) an HTML form which is submitted using a HTTP POST request; this also uses plain text, so it is not secure unless protected with SSL.

Massimo
  • 70,200
  • 57
  • 200
  • 323