
  IIS Authentications

Commerce Server supports the following four authentication methods provided by Internet Information Services (IIS) 5.0:

Anonymous Authentication
Basic Authentication
Integrated Windows Authentication
Certificate Authentication

Anonymous authentication gives users access to the public areas of your Web site without prompting them for a user name or password. When a user attempts to connect to your public Web site, your Web server assigns the user to the Windows user account called IUSR_<computername>, where <computername> is the name of the server on which IIS is running.

The Basic authentication method is a widely used, industry-standard method for collecting user name and password information. Basic authentication proceeds as follows:
The Web browser on the client computer displays a dialog box where users can enter their previously assigned Windows 2000 account user names and passwords.

Integrated Windows authentication (formerly called NTLM or Windows NT Challenge/Response authentication) is a secure form of authentication because the user name and password are not sent across the network. When you enable integrated Windows authentication, the user's browser proves its knowledge of the password through a cryptographic exchange with your Web server, involving hashing. (The authentication credentials pass through a one-way process, often referred to as hashing. The result of this process is called a hash, or message digest, and it is not feasible to decrypt it. That is, the original text cannot be deciphered from the hash.)
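The contrast between the Basic and Integrated Windows descriptions above, as an added example that is not part of the original page: a Basic header is only Base64-encoded and can be reversed by anyone who sees it, while a challenge/response exchange sends a keyed hash of a fresh server challenge. The challenge/response half is a simplified stand-in built on HMAC-SHA256, not the actual NTLM algorithm, and the account name, password and function names are constructed for illustration.

```python
import base64, hashlib, hmac, os

# Constructed sample credentials (assumptions, not from the original page).
USER, PASSWORD = "alice", "S3cret!pass"

def basic_header(user, password):
    """Basic: the client sends user:password, Base64-encoded (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def recover_from_basic(header):
    """Base64 is an encoding, not a hash: the header reverses to the credentials."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")   # password may itself contain ':'
    return user, password

def stored_key(password):
    """One-way hash the server keeps instead of the clear-text password."""
    return hashlib.sha256(password.encode()).digest()

def client_response(password, challenge):
    """Simplified stand-in for NTLM: HMAC over the server's challenge."""
    return hmac.new(stored_key(password), challenge, hashlib.sha256).digest()

def server_verify(key, challenge, response):
    """Server recomputes the HMAC from its stored hash; constant-time compare."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo():
    leaked = recover_from_basic(basic_header(USER, PASSWORD))
    key = stored_key(PASSWORD)
    challenge = os.urandom(16)                # fresh nonce for each logon
    response = client_response(PASSWORD, challenge)
    wrong = client_response("guess", challenge)
    return {
        "basic_exposes_password": leaked == (USER, PASSWORD),
        "right_password_accepted": server_verify(key, challenge, response),
        "wrong_password_rejected": not server_verify(key, challenge, wrong),
        "old_response_rejected": not server_verify(key, os.urandom(16), response),
        "password_on_wire": PASSWORD.encode() in challenge + response,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the Basic header reverses to the clear-text password, Basic authentication is normally combined with the SSL features described in the next paragraph.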

You can also use the Secure Sockets Layer (SSL) security features of your Web server for two types of authentication. You can use a server certificate to allow users to authenticate your Web site before they transmit personal information, such as a credit card number. Also, you can use client certificates to authenticate users requesting information on your Web site. SSL authenticates by checking the contents of an encrypted digital identification submitted by the Web browser for the user during the logon process. (Users obtain client certificates from a mutually trusted third-party organization.) Server certificates usually contain information about your company and the organization that issued the certificate. Client certificates usually contain identifying information about the user and the organization that issued the certificate.