IIS - Combine Windows Authentication with Basic Authentication

I am using the latest IIS in combination with Windows authentication. Now I have a 3rd party search engine which needs the Basic authentication functionality. But the Basic authentication of the search engine is only working when I disable the Windows authentication. Is there a way to use both authentication methods in parallel, or Basic authentication as a fallback?

I tried to enable both authentication methods, but this has no effect.



Solution 1:[1]

With Basic Authentication, the user must enter credentials, but they are not encrypted when transmitted over the network, so Basic Authentication is considered an insecure form of authentication.

Windows Integrated Authentication is more secure than Basic Authentication and works well in intranet environments where users have Windows domain accounts.

Prioritization of Authentication:

When the browser makes a request, it always considers the first request to be Anonymous. Therefore, it does not send any credentials. If the server does not accept Anonymous or if the Anonymous user account set on the server does not have permissions to the file being requested, the IIS server responds with an Access Denied error message and sends a list of the authentication types that are supported by using one of the following scenarios:

1. If Windows Integrated is the only supported method (or if Anonymous fails), then the browser must support this method to communicate with the server. If this fails, the server does not try any of the other methods.

2. If Basic is the only supported method (or if Anonymous fails), then a dialog box appears in the to get the credentials, and then passes these to the server. It attempts to send the credentials up to three times. If these all fail, the browser does not connect to the server.

3. If both Basic and Windows Integrated are supported, the browser determines which method is used. If the browser supports Kerberos or Windows NT Challenge/Response, it uses this method. It does not fall back to Basic. If Windows NT Challenge/Response and Kerberos are not supported, the browser uses Basic, Digest, or Fortezza if it supports these. The order of precedence here is Basic, Digest, and then Fortezza.

In your example, both Basic authentication and Windows authentication are enabled. The browser will then pick the best that it supports. When Windows authentication fails, it will not try Basic authentication. But if the browser doesn't support Windows authentication at all, it will try Basic authentication.

You can refer to this link: https://docs.microsoft.com/en-US/troubleshoot/developer/webapps/iis/www-authentication-authorization/iis-authenticates-browser-client

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 JennyDai
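
The scheme selection described in Solution 1, modelled as an added example (not code from the answer or from Microsoft). The 401 response, the realm name and all function names are constructed for illustration; Negotiate and NTLM are the HTTP scheme names for Kerberos and NT Challenge/Response.

```python
# Added example: models the scheme selection described in the answer above.
# Negotiate (Kerberos) and NTLM (NT Challenge/Response) are the HTTP scheme
# names for Windows Integrated authentication.
INTEGRATED = ("negotiate", "ntlm")
WEAKER_ORDER = ("basic", "digest")  # precedence given in the answer

# Constructed sample: a 401 from a site with Windows and Basic both enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="intranet.example"\r\n'
    "Content-Length: 0\r\n\r\n"
)

def offered_schemes(raw_response):
    """List the schemes advertised, assuming one challenge per header line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def pick_scheme(offered, client_supports):
    """Integrated schemes win whenever the client supports one of them."""
    for scheme in INTEGRATED + WEAKER_ORDER:
        if scheme in offered and scheme in client_supports:
            return scheme
    return None

def outcome(offered, client_supports, schemes_that_would_succeed):
    """The client commits to one scheme; a failure is not retried with Basic."""
    chosen = pick_scheme(offered, client_supports)
    return chosen, chosen in schemes_that_would_succeed

def audit(offered, over_tls):
    """Flag the exposure the answer warns about when Basic is advertised."""
    findings = []
    if "basic" in offered and not over_tls:
        findings.append("Basic offered without TLS: credentials are sent unencrypted")
    if "basic" in offered and any(s in offered for s in INTEGRATED):
        findings.append("Basic offered beside Windows auth: clients lacking "
                        "integrated auth will send a password instead")
    return findings

if __name__ == "__main__":
    offered = offered_schemes(SAMPLE_401)
    print(offered, pick_scheme(offered, {"basic"}), audit(offered, over_tls=False))
```

A client that supports only Basic, such as the search engine in the question, selects Basic from the same 401, while a client that supports NTLM commits to it and is denied if that attempt fails.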