IIS 7.5 basic authentication and Active Directory validation

active-directory authentication http-basic-authentication iis

I'm not an IIS or Active Directory expert by any means so I want to present a scenario here and see if what we want to accomplish is feasible.

We have an application hosted on Windows Server 2008 R2 with a series of web services exposed as an API through IIS. These services will be called by multiple external integration systems. If we configure the IIS services to use Basic authentication, will IIS validate the credentials we pass to it against Active Directory by default, is this a special configuration setting, or is this not possible? We'd like for those credentials to be validated against AD so we receive the token/principal in return, which can be sent to the underlying application on that server.

Thanks in advance. Any help is appreciated.

Best Answer

Basic authentication will work just fine for authenticating against AD - it authenticates against the IIS server's local account database; for a domain member, that includes the Active Directory domains in the forest that it's joined to.

You'll not get any kind of Kerberos ticket in return - basic auth simply includes the password in the header of requests sent to the server, and the server does with it what it will - returning either the requested resource or a 401 error. But if you're looking for user identification within the web application within IIS, then that information (which user/domain they authenticated as) should be available to the code.

Browsers will keep the entered password in memory for the life of the session, so you'll be covered for subsequent requests to that server, but not for any access to other systems or services.

There's information about configuring basic auth, including configuring the default domain and the prompt that users receive, here.
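
The header handling described in the answer above, as an added example that is not part of the original answer and is not IIS's own code: a Python model of how a server reads a Basic `Authorization` header, applies a default domain to bare user names, and issues the 401 challenge. `DEFAULT_DOMAIN`, `REALM`, the function names and the sample accounts are assumptions made for illustration.

```python
import base64
import binascii

# Assumed values; on IIS the equivalents are the basicAuthentication
# settings for the default logon domain and the realm shown in the prompt.
DEFAULT_DOMAIN = "CORP"
REALM = "api.example.test"


def make_header(account, password):
    """Build the header a client sends. Base64 is an encoding, not encryption."""
    raw = ("%s:%s" % (account, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header, default_domain=DEFAULT_DOMAIN):
    """Return (domain, user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    account, sep, password = decoded.partition(":")
    if not sep or not account:
        return None
    if "\\" in account:                      # DOMAIN\user
        domain, _, user = account.partition("\\")
    elif "@" in account:                     # user@domain (UPN form)
        user, _, domain = account.rpartition("@")
    else:                                    # bare name: use the default domain
        domain, user = default_domain, account
    if not domain or not user:
        return None
    return domain, user, password


def handle(headers):
    """Return (status, response headers). The logon against AD is not modelled."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    domain, user, _password = creds
    # A real server would attempt a Windows logon here and return 401 on failure.
    return 200, {"X-Resolved-Account": "%s\\%s" % (domain, user)}  # hypothetical header
```

Because anyone who sees the request can decode the password, the transport has to be protected with TLS for the credentials to stay confidential.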